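#!/bin/sh
#######
###
#
# Tweak various sysctl values in a 2.4 linux kernel to
# thwart OS detection, make other people's lives difficult, etc.
#
# jhart (warchild@spoofed.org)
#
#
#warchild@cuba
#[/usr/src/linux]$ sudo nmap -O localhost
#
#Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
#Interesting ports on localhost (127.0.0.1):
#(The 1548 ports scanned but not shown below are in state: closed)
#Port       State       Service
#22/tcp     open        ssh
#
#No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
#TCP/IP fingerprint:
#SInfo(V=2.54BETA30%P=i686-pc-linux-gnu%D=11/26%Time=3C022877%O=22%C=1)
#TSeq(Class=RI%gcd=1%SI=362E8D%IPID=Z%TS=U)
#TSeq(Class=RI%gcd=1%SI=362B90%IPID=Z%TS=U)
#TSeq(Class=RI%gcd=1%SI=362A8F%IPID=Z%TS=U)
#T1(Resp=Y%DF=Y%W=7FFF%ACK=S++%Flags=AS%Ops=MNW)
#T2(Resp=N)
#T3(Resp=Y%DF=Y%W=7FFF%ACK=S++%Flags=AS%Ops=MNW)
#T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
#T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
#T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
#T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
#PU(Resp=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
#
#
#
#
#Nmap run completed -- 1 IP address (1 host up) scanned in 6 seconds
#
#
# ..... w/o nethacks
# Remote operating system guess: Linux 2.4.7 (X86)
#
# Operational notes:
#  - Writing under /proc/sys needs root. A failed write is reported on
#    stderr and the script exits non-zero instead of claiming success.
#  - The values are runtime-only; they are gone after a reboot unless this
#    script (or an equivalent sysctl configuration) runs again at boot.
#  - These knobs change what a fingerprinting tool sees. They do not close
#    ports or filter traffic, so they complement packet filtering rather
#    than replace it.
#
###
#######

IP_FORWARD=/proc/sys/net/ipv4/ip_forward
IP_DEFAULT_TTL=/proc/sys/net/ipv4/ip_default_ttl
IP_LOCAL_PORT_RANGE=/proc/sys/net/ipv4/ip_local_port_range
ICMP_ECHO_IGNORE_ALL=/proc/sys/net/ipv4/icmp_echo_ignore_all
ICMP_ECHO_IGNORE_BROADCASTS=/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
TCP_TIMESTAMPS=/proc/sys/net/ipv4/tcp_timestamps

# Overall exit status: stays 0 unless a write to an existing entry fails.
rc=0

#######################################
# Write one value to a /proc/sys entry and say what happened.
# Arguments:
#   $1 - path of the /proc/sys entry
#   $2 - value to write
#   $3 - message printed before the write is attempted
#   $4 - optional message printed when the entry does not exist
# Outputs:
#   progress messages on stdout, write failures on stderr
# Returns:
#   0 when the value was written or the entry is absent (best effort),
#   1 when the entry exists but the write failed
#######################################
apply_sysctl() {
  if [ ! -f "$1" ]; then
    echo "Couldn't find $1"
    if [ -n "${4:-}" ]; then
      echo "$4"
    fi
    return 0
  fi

  echo "$3"
  # Without this check a non-root run would print the message above and
  # leave the kernel setting untouched.
  if ! echo "$2" > "$1"; then
    echo "Couldn't write '$2' to $1 (not root?)" >&2
    return 1
  fi
  return 0
}

####
# Turn on ip forwarding (for things like dnsspoof, etc
# must set this first (it sets all others to their default)
#
# With forwarding on, the box routes packets between its interfaces.
# Only enable it on a host that is meant to route, and pair it with
# filtering rules for the forwarded traffic.
####
apply_sysctl "$IP_FORWARD" 1 \
  "Turning on packet forwarding" \
  "...packet forwarding is OFF" || rc=1

####
# change default ttl.
# The default ttl for the 2.4 kernel is 64.  Make this different.  Lower is bad
# because it could potentially hinder system performance -- set it to < 2
# and try to use the 'net (hint: it won't happen).  255 is a happy medium.
#
# The TTL is one field among several in a fingerprint (see the T1-T7 and
# PU lines above); changing it shifts the guess, it does not hide the host.
####
apply_sysctl "$IP_DEFAULT_TTL" 255 \
  "Changing default TTL (fsck nmap)" \
  "...using default TTL" || rc=1

####
# ignore icmp echos
# The poor-mans firewall.  Ignore _all_ incoming echo requests on all
# interfaces.
#
# This only silences ping. Open TCP/UDP ports still answer, and any
# monitoring that relies on ICMP echo will report the host as down.
####
apply_sysctl "$ICMP_ECHO_IGNORE_ALL" 1 \
  "Ignoring icmp echos" \
  "...Can't ignore icmp echos" || rc=1

####
# ignore icmp echo broadcasts
#
# Stops the host answering pings sent to a broadcast address, so it
# cannot be used as a reflector in smurf-style amplification.
####
apply_sysctl "$ICMP_ECHO_IGNORE_BROADCASTS" 1 \
  "Ignoring icmp echo broadcasts" \
  "...Can't ignore icmp echo broadcasts" || rc=1

####
# ignore timestamp requests.
# These can be used to determine system time, and,
# as a result, system uptime.
#
# NOTE: tcp_timestamps controls the RFC 1323 TCP timestamp option, not
# ICMP timestamp requests. Writing 0 removes the uptime leak but also
# turns off PAWS and timestamp-based RTT measurement, which matters on
# fast or long-lived connections.
####
apply_sysctl "$TCP_TIMESTAMPS" 0 \
  "Ignoring timestamp requests (fsck nmap -O)" \
  "...timestamps allowed" || rc=1

####
# change local port range.
# different OSs use different ranges of ports for locally initiated
# connections.  This trait can be used to narrow down selections
# in OS detection.  Pick something that is not specific to the 2.4 kernel.
#
# 50000-65000 leaves 15001 ephemeral ports; a host that opens many
# outbound connections at once may need a wider range.
####
apply_sysctl "$IP_LOCAL_PORT_RANGE" "50000 65000" \
  "Changing local port range" || rc=1

exit "$rc"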