Hackszine.com: HOWTO: spoof Windows TCP/IP stack and IIS server headers

HOWTO: spoof Windows TCP/IP stack and IIS server headers

Pavs sent in a link to a program for Windows XP called Security Cloak, which can be used to tweak your machine's TCP/IP fingerprint to look like something else:

Security Cloak is designed to protect against TCP/IP stack fingerprinting and computer identification/information leakage via timestamp and window options by modifying relevant registry keys. The settings used are based on the results of SYN packet analysis by p0f. While the OS reported by other OS detection scanners were not identical to those of p0f, testing against Nmap, xprobe2, queso and cheops showed that they were unable to identify the correct operating system/version after Security Cloak settings had been applied.

Another way to detect a server type is to look at the HTTP "Server:" header, which will report the type and version of the OS and web server software that is running. MS has a support article about using a tool called URLScan to change your system's server header. You could change this to something completely bogus, or maybe impersonate the header from another system. Presumably, you'd want to match the OS fingerprint that you tweaked with Security Cloak.

The exact utility of all this? It could be slightly useful for deterring some types of automated cracking tools, namely those that use OS fingerprinting to guess the possible ways to compromize a machine. It might also be a nice way to trick your Linux hacker buddies so they stop teasing you about those Windows boxes that corporate is forcing you to keep running.

Security Cloak (overview and instructions) - Link
Download Security Cloak - Link
Mask IIS Version Information - Link

Posted by Jason Striegel | Jul 25, 2007 10:00 PM
Windows, Windows Server | Permalink | Comments (0)