Pavel Piatruk’ tech & personal blog

How to Change OS TCP/IP Fingerprint

Some useful info & tips on OS TCP/IP Fingerprint.

Passive OS TCP/IP Fingerprinting, how it works

Client opens a connection, sends TCP SYN, and somebody inbetween analyzes it. This technique is named p0f. Only TCP SYN is unique for each OS, so OS name & version & even uptime can be extracted from it. In particular:

  • ip ttl (p0f3: ittl)
  • tcp mss (p0f3: mss)
  • tcp options sequence (p0f3: olayout)
  • tcp window size (p0f3: wsize)
  • tcp window scaling (p0f3: scale)
  • tcp quirks

More read: https://github.com/laoshaw/p0f3 => scroll down to “== TCP signatures ==”

All subsequent packets from client to the server are not unique: TCP ACK,RST,FIN etc.

Uptime is detected by a TS (timestamp) option in tcp options sequence, which contains 2 values, and TSval correlates with uptime.

Active OS TCP/IP Fingerprinting, how it works

Attacker (well, it is not an attack, but anyways) sends a TCP SYN to the object, connection established, TCP SYN+ACK is sent back & analyzed by the attacker. The same factors do matter as for TCP SYN, but signatures do differ.

Software used for p0f (CLI)

WEB services for p0f

Those use p0f3 or very similar:

Uses its own set of signatures:

  • https://tcpip.incolumitas.com/classify?by_ip=1

Databases of signatures

https://raw.githubusercontent.com/laoshaw/p0f3/master/p0f.fp p0f3 , TCP:request + TCP:response

https://raw.githubusercontent.com/xnih/satori/master/fingerprints/tcp.xml p0f1 , TCP:request

https://raw.githubusercontent.com/NikolaiT/zardaxt/master/database/combinedJune2022.json kind of p0f1 format , used in Incolumitas checker.

Problem:

  • p0f3 database (not mentioning the p0f which is even more old!) is very outdated and don’t reflect modern situation with modern devices. For example, if you want to spoof TCP/IP fingerprint to pretent iOS, then even if you grab proper set of TCP options from real iOS, you still be recognized as MAC OSX generic. There is only 1 entry for iOS in p0f3, and when you start emulating it, yes, you will be seeing iPad or iPhone but it has a poor Wscale, so your connection will be starting too slowly.

  • the same is for Android. There are just 2 records in p0f3 for Android. While real Androids are visible as Linux generic or similar.

  • For Windows. p0f3 doesn’t have records for modern Windows versions, they are detected as Windows 7 or 8.

Solution

You have 2 solutions

  1. Grab real TCP signatures from real devices and use them for TCP/IP OS spoofing. Pro: it will be real & genuine. Con: those public detectors will detect you as a wrong OS.

  2. Use OS TCP signatures from p0f3. Pro: those public detectors will detect you as a target OS. Con: some private detectors still may detect you as a spoofer :-) And expect some speed losses because of non-optimal Wscale.

How to spoof OS TCP/IP Fingerprint? Theory.

  • Linux Iptables firewall diverts outgoing TCP SYN packets to a local NFQUEUE
  • A software opens a Netfilter Queue, which accepts TCP packets.
  • unpacks them, adjusts mandatory TCP options, re-packs & sends

The software is scapy, a python module.

How to spoof OS TCP/IP Fingerprint? Practically.

There is a good easy to use software called OSfooler-ng + its many forks. It is abandoned now. Also it uses ancient p0fv1 database. Also it simply can’t process TS options which are VERY important for simulating MAC/iOS. In fact it is only useful for simulating Windows.

There is a python module scapy-p0f, which uses p0f3 database, but still can’t process TS options. Yet it doesn’t have a ready to use program.

So the solution would be to take OSfooler-ng, modify it, so it works with scapy-p0f. I have done it, please DM me!

Result

original screenshot