How to Change OS TCP/IP Fingerprint
Some useful info & tips on OS TCP/IP Fingerprint.
Passive OS TCP/IP Fingerprinting, how it works
Client opens a connection, sends TCP SYN, and somebody inbetween analyzes it. This technique is named p0f. Only TCP SYN is unique for each OS, so OS name & version & even uptime can be extracted from it. In particular:
- ip ttl (p0f3: ittl)
- tcp mss (p0f3: mss)
- tcp options sequence (p0f3: olayout)
- tcp window size (p0f3: wsize)
- tcp window scaling (p0f3: scale)
- tcp quirks
More read: https://github.com/laoshaw/p0f3 => scroll down to “== TCP signatures ==”
All subsequent packets from client to the server are not unique: TCP ACK,RST,FIN etc.
Uptime is detected by a TS (timestamp) option in tcp options sequence, which contains 2 values, and TSval correlates with uptime.
Active OS TCP/IP Fingerprinting, how it works
Attacker (well, it is not an attack, but anyways) sends a TCP SYN to the object, connection established, TCP SYN+ACK is sent back & analyzed by the attacker. The same factors do matter as for TCP SYN, but signatures do differ.
Software used for p0f (CLI)
- https://github.com/MOL0ToK/sp0ky
- https://github.com/cesarghali/OS-Fingerprinting
- https://github.com/laoshaw/p0f3
- https://github.com/NikolaiT/zardaxt
- tcpdump / tshark (for checking raw signatures)
WEB services for p0f
Those use p0f3 or very similar:
http://witch.valdikss.org.ru/
- https://browserleaks.com/ip
- https://whoer.net - click “Extended version”
Uses its own set of signatures:
https://tcpip.incolumitas.com/classify?by_ip=1
Databases of signatures
https://raw.githubusercontent.com/laoshaw/p0f3/master/p0f.fp p0f3 , TCP:request + TCP:response
https://raw.githubusercontent.com/xnih/satori/master/fingerprints/tcp.xml p0f1 , TCP:request
https://raw.githubusercontent.com/NikolaiT/zardaxt/master/database/combinedJune2022.json kind of p0f1 format , used in Incolumitas checker.
Problem:
-
p0f3 database (not mentioning the p0f which is even more old!) is very outdated and don’t reflect modern situation with modern devices. For example, if you want to spoof TCP/IP fingerprint to pretent iOS, then even if you grab proper set of TCP options from real iOS, you still be recognized as
MAC OSX generic
. There is only 1 entry for iOS in p0f3, and when you start emulating it, yes, you will be seeingiPad or iPhone
but it has a poor Wscale, so your connection will be starting too slowly. -
the same is for Android. There are just 2 records in p0f3 for Android. While real Androids are visible as
Linux generic
or similar. -
For Windows. p0f3 doesn’t have records for modern Windows versions, they are detected as
Windows 7 or 8
.
Solution
You have 2 solutions
-
Grab real TCP signatures from real devices and use them for TCP/IP OS spoofing. Pro: it will be real & genuine. Con: those public detectors will detect you as a wrong OS.
-
Use OS TCP signatures from p0f3. Pro: those public detectors will detect you as a target OS. Con: some private detectors still may detect you as a spoofer :-) And expect some speed losses because of non-optimal Wscale.
How to spoof OS TCP/IP Fingerprint? Theory.
- Linux Iptables firewall diverts outgoing TCP SYN packets to a local NFQUEUE
- A software opens a Netfilter Queue, which accepts TCP packets.
- unpacks them, adjusts mandatory TCP options, re-packs & sends
The software is scapy, a python module.
How to spoof OS TCP/IP Fingerprint? Practically.
There is a good easy to use software called OSfooler-ng + its many forks. It is abandoned now. Also it uses ancient p0fv1 database. Also it simply can’t process TS options which are VERY important for simulating MAC/iOS. In fact it is only useful for simulating Windows.
There is a python module scapy-p0f, which uses p0f3 database, but still can’t process TS options. Yet it doesn’t have a ready to use program.
So the solution would be to take OSfooler-ng, modify it, so it works with scapy-p0f. I have done it, please DM me!