How to Change OS TCP/IP Fingerprint
Some useful info & tips on OS TCP/IP Fingerprint.
Passive OS TCP/IP Fingerprinting, how it works
Client opens a connection, sends TCP SYN, and somebody inbetween analyzes it. This technique is named p0f. Only TCP SYN is unique for each OS, so OS name & version & even uptime can be extracted from it. In particular:
- ip ttl (p0f3: ittl)
- tcp mss (p0f3: mss)
- tcp options sequence (p0f3: olayout)
- tcp window size (p0f3: wsize)
- tcp window scaling (p0f3: scale)
- tcp quirks
More read: https://github.com/laoshaw/p0f3 => scroll down to “== TCP signatures ==”
All subsequent packets from client to the server are not unique: TCP ACK,RST,FIN etc.
Uptime is detected by a TS (timestamp) option in tcp options sequence, which contains 2 values, and TSval correlates with uptime.
Active OS TCP/IP Fingerprinting, how it works
Attacker (well, it is not an attack, but anyways) sends a TCP SYN to the object, connection established, TCP SYN+ACK is sent back & analyzed by the attacker. The same factors do matter as for TCP SYN, but signatures do differ.
Software used for p0f (CLI)
- tcpdump / tshark (for checking raw signatures)
WEB services for p0f
Those use p0f3 or very similar:
- https://whoer.net - click “Extended version”
Uses its own set of signatures:
Databases of signatures
https://raw.githubusercontent.com/laoshaw/p0f3/master/p0f.fp p0f3 , TCP:request + TCP:response
https://raw.githubusercontent.com/xnih/satori/master/fingerprints/tcp.xml p0f1 , TCP:request
https://raw.githubusercontent.com/NikolaiT/zardaxt/master/database/combinedJune2022.json kind of p0f1 format , used in Incolumitas checker.
p0f3 database (not mentioning the p0f which is even more old!) is very outdated and don’t reflect modern situation with modern devices. For example, if you want to spoof TCP/IP fingerprint to pretent iOS, then even if you grab proper set of TCP options from real iOS, you still be recognized as
MAC OSX generic. There is only 1 entry for iOS in p0f3, and when you start emulating it, yes, you will be seeing
iPad or iPhonebut it has a poor Wscale, so your connection will be starting too slowly.
the same is for Android. There are just 2 records in p0f3 for Android. While real Androids are visible as
Linux genericor similar.
For Windows. p0f3 doesn’t have records for modern Windows versions, they are detected as
Windows 7 or 8.
You have 2 solutions
Grab real TCP signatures from real devices and use them for TCP/IP OS spoofing. Pro: it will be real & genuine. Con: those public detectors will detect you as a wrong OS.
Use OS TCP signatures from p0f3. Pro: those public detectors will detect you as a target OS. Con: some private detectors still may detect you as a spoofer :-) And expect some speed losses because of non-optimal Wscale.
How to spoof OS TCP/IP Fingerprint? Theory.
- Linux Iptables firewall diverts outgoing TCP SYN packets to a local NFQUEUE
- A software opens a Netfilter Queue, which accepts TCP packets.
- unpacks them, adjusts mandatory TCP options, re-packs & sends
The software is scapy, a python module.
How to spoof OS TCP/IP Fingerprint? Practically.
There is a good easy to use software called OSfooler-ng + its many forks. It is abandoned now. Also it uses ancient p0fv1 database. Also it simply can’t process TS options which are VERY important for simulating MAC/iOS. In fact it is only useful for simulating Windows.
There is a python module scapy-p0f, which uses p0f3 database, but still can’t process TS options. Yet it doesn’t have a ready to use program.
So the solution would be to take OSfooler-ng, modify it, so it works with scapy-p0f. I have done it, please DM me!