
We need to change our OSX fingerprint in order to impersonate the Android OS against "passive OS fingerprinting" attacks.

For Windows machines there are tools/guides for doing that, but I can't find any for Mac OSX machines :(

This attack works even if I browse a website using Tor browser!

Jeroen
user91343
    And what's your exact question? – Jeroen Nov 07 '15 at 09:24
  • @Jeroen-ITNerdbox In Windows guides they explain how to do it in the registry. Can you tell me how to do that in OSX? I'm sure it is possible – user91343 Nov 07 '15 at 09:32
  • What's the scenario? Is this a server or are you just browsing the web and want the server to think you're an Android phone? – Beat Nov 07 '15 at 12:12
  • @Beat Yes, I'm just browsing the web and want the server to think that I'm an Android phone. In my case I do this because if hackers realize that I'm using OSX they load an exploit and I'm hacked, but when they think I'm Android they try to offer me a malicious app to download! – user91343 Nov 07 '15 at 20:29
  • I'm not sure how it would work if you use Tor. The network uses a series of TCP proxies, so the website you connect to only sees the TCP/IP fingerprint of the exit node you are using. – forest Nov 05 '18 at 04:06

2 Answers


This attack works even if I browse a website using Tor browser!

I think you are wrong here.

You are talking about fingerprinting the TCP/IP stack and you claim that the original OS can even be detected this way if you use Tor. But Tor nodes do not simply forward packets like a router does; instead the data are re-packaged in user space and you have a new TCP/IP connection each time. Thus what you should see with fingerprinting at the TCP/IP level is at most the OS of the exit node. This also means that any changes to the TCP settings of your OS should have no effect regarding fingerprinting when you are using Tor.

Since you have probably checked against some site which claimed to detect your OS even through Tor, I recommend that you share a link to this site so one can find out how the detection is really done there.

Steffen Ullrich
  • I don't care about Tor. How do I manipulate OSX to simulate Linux? – user91343 Nov 08 '15 at 08:47
  • @user91343: I don't know of a specific tool that does all this for you on a click, but see http://superuser.com/questions/421036/mac-os-x-tcp-ip-fingerprint-obfuscator. Based on a comment in the answer it helped to hide OS X successfully against the detection in nmap. – Steffen Ullrich Nov 08 '15 at 09:04

Short answer: I'm not an expert and I don't know of a tool on MacOSX that does what you want in a few clicks: impersonate a different OS.

Long answer:
Blocking/confusing OSFP might be possible with PF on MacOSX (not tested). OpenBSD's Packet Filter has been ported by Apple (Yosemite and up). In the link's example it's on OpenBSD.

Before:

# nmap -O puffy

Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2003-12-02 19:14 MST
Interesting ports on puffy (192.168.0.42):
(The 1653 ports scanned but not shown below are in state: closed)
PORT    STATE SERVICE
13/tcp  open  daytime
22/tcp  open  ssh
37/tcp  open  time
113/tcp open  auth
Device type: general purpose
Running: OpenBSD 3.X
OS details: OpenBSD 3.0 or 3.3

Nmap run completed -- 1 IP address (1 host up) scanned in 24.873 seconds


After:

# nmap -O puffy 

Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2003-12-02 22:56 MST
Interesting ports on puffy (192.168.0.42):
(The 1653 ports scanned but not shown below are in state: closed)
PORT    STATE SERVICE
13/tcp  open  daytime
22/tcp  open  ssh
37/tcp  open  time
113/tcp open  auth
No exact OS matches for host (If you know what OS is running on it, see 
http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=3.48%P=i686-pc-linux-gnu%D=12/2%Time=3FCD7B3F%O=13%C=1)
TSeq(Class=TR%IPID=RD%TS=2HZ)
T1(Resp=Y%DF=Y%W=403D%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=Y%DF=Y%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=Y%W=0%ACK=O%Flags=AR%Ops=)
T4(Resp=Y%DF=Y%W=4000%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=134%RID=E%RIPCK=F%UCK=E%ULEN=134%DAT=E)

Nmap run completed -- 1 IP address (1 host up) scanned in 27.028 seconds

Config file: /etc/pf.conf
Rules:

set block-policy  return        # reply to blocked packets with RST/ICMP instead of dropping them silently

# flags SET/MASK: of the flags in MASK, exactly those in SET must be on
block in log quick proto tcp flags FUP/WEUAPRSF       # only FIN+URG+PSH set ("Xmas" probe)
block in log quick proto tcp flags WEUAPRSF/WEUAPRSF  # every flag set
block in log quick proto tcp flags SRAFU/WEUAPRSF     # SYN+RST+ACK+FIN+URG, nothing else
block in log quick quick proto tcp flags /WEUAPRSF    # no flags at all ("NULL" probe)
block in log quick proto tcp flags SR/SR              # SYN and RST together
block in log quick proto tcp flags SF/SF              # SYN and FIN together


Seb B.
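To see why the PF rules above change the nmap result, here is an added example (not from the original answer or from PF) that models PF's `flags SET/MASK` matching and runs the quoted ruleset against the TCP flag combinations of nmap's classic OS-detection probes. The probe flag sets for T1 to T7 are an assumption based on the old nmap fingerprinting method, not something the page states; PU is a UDP probe and is left out.

```python
"""Model PF 'flags SET/MASK' matching against nmap's classic OS probes."""

# PF flag letters: F=FIN S=SYN R=RST P=PSH A=ACK U=URG E=ECE W=CWR
FLAG_LETTERS = "FSRPAUEW"

# The rules exactly as given in the pf.conf above, in SET/MASK form.
PF_RULES = [
    "FUP/WEUAPRSF",
    "WEUAPRSF/WEUAPRSF",
    "SRAFU/WEUAPRSF",
    "/WEUAPRSF",
    "SR/SR",
    "SF/SF",
]

# Assumed TCP flags of nmap's first-generation OS probes T1..T7.
NMAP_PROBES = {
    "T1": "S",     # SYN with options to an open port
    "T2": "",      # NULL probe to an open port
    "T3": "SFPU",  # SYN|FIN|PSH|URG to an open port
    "T4": "A",     # ACK to an open port
    "T5": "S",     # SYN to a closed port
    "T6": "A",     # ACK to a closed port
    "T7": "FPU",   # FIN|PSH|URG to a closed port
}


def _flagset(letters: str) -> frozenset:
    unknown = set(letters) - set(FLAG_LETTERS)
    if unknown:
        raise ValueError(f"unknown PF flag letters: {sorted(unknown)}")
    return frozenset(letters)


def rule_matches(rule: str, packet_flags: str) -> bool:
    """PF semantics: flags in SET must be on, other flags in MASK must be off."""
    set_part, mask_part = rule.split("/", 1)
    required, mask, pkt = map(_flagset, (set_part, mask_part, packet_flags))
    return (pkt & mask) == required


def blocked_probes(rules=PF_RULES, probes=NMAP_PROBES) -> dict:
    """Map each probe name to the first rule that blocks it, or None."""
    return {name: next((r for r in rules if rule_matches(r, flags)), None)
            for name, flags in probes.items()}


if __name__ == "__main__":
    for probe, rule in blocked_probes().items():
        print(f"{probe}: {'blocked by ' + rule if rule else 'reaches the TCP stack'}")
```

The NULL, SYN|FIN|PSH|URG and FIN|PSH|URG probes (T2, T3, T7) never reach the host's stack; with `block-policy return` they are answered by PF's RST instead, which is why the "After" fingerprint shows `Flags=AR` for those tests and nmap no longer matches OpenBSD.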