# TCP/IP Fingerprinting



## MindKmS (May 12, 2017)

Hello!
I'm using FreeBSD 10.3/11 with 3proxy and multiple IPs. The problem is that services such as whoer.net or browserleaks.com see my TCP/IP (FreeBSD 9.x or newer). I've tried to google my problem for a long time but haven't seen a solution. I need to change (better) or hide my TCP/IP. Is it possible on FreeBSD?
Thank you.


----------



## ShelLuser (May 12, 2017)

No offense intended but you're not making any sense whatsoever. I get a rough idea of what you might be trying to say here, but with these things you really need to make sure that you understand what you're talking about and that you're precise about it.

TCP/IP is a whole collection of protocols and services which are used to set up a communication between computers. Other computers can't "see your TCP/IP" because that sentence by itself makes no sense at all. Those websites you listed can indeed pick up your IP address. That's simply how this whole thing works.

If you don't want that to happen you'll need to either set up a (remote) proxy server, or configure a routing entry so that your server knows that it should use another one of those IP addresses. Both options are easily possible on FreeBSD.


----------



## MindKmS (May 12, 2017)

I was trying to say that when I use my proxies and check them on the services that I mentioned, TCP/IP in the OS section is FreeBSD 9.x or newer. The goal is to hide it or change it to Win7/Win10 and so on. Is it possible?


----------



## ShelLuser (May 12, 2017)

MindKmS said:


> I was trying to say that when I use my proxies and check them on the services that I mentioned, TCP/IP in the OS section is FreeBSD 9.x or newer. The goal is to hide it or change it to Win7/Win10 and so on. Is it possible?


Depends on the software being used, I'm not familiar with 3proxy myself so can't really say. But that's the place to look here, this isn't directly related to FreeBSD.

Also: depending on your setup another possibility is that they're getting this information from other services. For example: Apache also leaves a small fingerprint which allows clients to determine what OS is being used. It's also something which can be hidden by configuring Apache accordingly.


----------



## MindKmS (May 12, 2017)

I don't use any software on the server but 3proxy. In the 3proxy documentation I also didn't see any information on how I can hide my OS.


----------



## aht0 (May 12, 2017)

Websites you mentioned appear to be 'producing' the name of the OS you are using, by the simple method of parsing it out from the user agent string of your browser.

If you are using Firefox, just install some appropriate addon that would fake it. Something like http://mybrowseraddon.com/useragent-switcher.html

I tested it and it seems to work. Just manually edit the Firefox version in the strings provided by the add-on to a more recent one. At the moment it seems to combine Windows 8.1 with Firefox 36.0. You can make it whatever you want. I edited it to Firefox 53.

EDIT: yeah, I am convinced now that the site is doing nothing more than user agent parsing. I did a bit of creative user agent editing for testing.

Browsing with MSIE11 on a SunOS machine would be pretty unlikely in reality...

Can't see much point in messing with proxies, user agents and "hiding" oneself like this, truth to tell...


----------



## MindKmS (May 12, 2017)

Click "use extended version" and you will see something like this if you use 3proxy on FreeBSD.


----------



## SirDice (May 12, 2017)

Whoer detects the TCP/IP stack of the proxy, not the proxy client.


```
[You] -----TCP/IP-----> [proxy] ----TCP/IP-----> [Whoer]
```


----------



## OlivierW (May 12, 2017)

The two websites indicated by MindKmS display the user agent (which can more or less easily be changed in the browser), but they are also fingerprinting his connection (his desktop if he has a direct internet connection, or more likely whatever modem/router/proxy/VPN holds his public IP address).
Similar to what can be done with NMAP: https://nmap.org/book/man-os-detection.html

So, yes, his question makes perfect sense.

MindKmS, if you really want to try to hide your TCP fingerprints, have a look at https://nmap.org/misc/defeat-nmap-osdetect.html for some general information.


----------



## aht0 (May 12, 2017)

My initial post was done using a cellular link (private 10.x.x.x IP assigned to the modem by the ISP). Said cellular link is also firewalled for incoming connections by the ISP. Only outgoing traffic is allowed.

Now I tried performing a remote `nmap` scan against my broadband link, which has fully open ports from the ISP and receives a public WAN address (but is firewalled by a FreeBSD/PF machine of my own), and ended up with

```
Starting Nmap ( http://nmap.org ) at 2017-05-12 17:30 EEST
NSE: Loaded 17 scripts for scanning.
Initiating SYN Stealth Scan at 17:30
Scanning 61-173-191-90.dyn.estpak.ee (90.191.173.61) [100 ports]
Completed SYN Stealth Scan at 17:30, 5.09s elapsed (100 total ports)
Initiating Service scan at 17:30
Initiating OS detection (try #1) against 61-173-191-90.dyn.estpak.ee (90.191.173.61)
Retrying OS detection (try #2) against 61-173-191-90.dyn.estpak.ee (90.191.173.61)
Initiating Traceroute at 17:30
Completed Traceroute at 17:30, 4.12s elapsed
NSE: Script scanning 90.191.173.61.

[+] Nmap scan report for 61-173-191-90.dyn.estpak.ee (90.191.173.61)
Host is up.
All 100 scanned ports on 61-173-191-90.dyn.estpak.ee (90.191.173.61) are filtered

Too many fingerprints match this host to give specific OS details
```

I tried playing around with SYN flags in the firewall, but could not block the fingerprinting unless it also blocked the site itself. I also tried randomizing the packet's identification field for passing traffic in PF, with no results. browserleaks.com remains able to detect the actual OS. Out of ideas.


----------



## MindKmS (May 18, 2017)

So, no way to do it?


----------



## ronaldlees (May 21, 2017)

There is a discussion about this in another thread: https://forums.freebsd.org/threads/47345/page-5


If you don't want to search through the posts, here is the relevant part (posted originally by surv):



> I tried to play with the net.inet.tcp.* options until I got the following result: the p0f signature changed from
> 
> 4:64+0:0:1460:65535,6:mss,nop,ws,sok,ts:df:0
> to
> ...



Note I *have not* tried this myself, and don't know if it works, or if it works against *some* OS interrogation techniques, but it might be worth your effort (or not). I think the window is also an issue, but maybe some interrogation techniques are less capable than others. Could be just a false sense of security, except for casual OS fingerprints. At one time there was a patch available for the FreeBSD TCP/IP stack, but for a very old version of the OS, so not relevant any more.

Edit: just looked up the page I was trying to remember, and recalled the initial TTL issue:

http://www.netresec.com/?page=Blog&month=2011-11&post=Passive-OS-Fingerprinting


----------



## ronaldlees (May 21, 2017)

> I wondered how they manage to detect the DNS Servers used, but wonder why this is gone too.



Me too. Very strange about the second test not showing DNS. I suspect they normally do timestamp comparison for the DNS detection? That plus a GUID-style URL sent to the resolver would do it. Basically the same technique used for DNS tracking.


----------



## ronaldlees (May 21, 2017)

getopt said:


> My testing above was with
> 
> ```
> net.inet.tcp.rfc1323=1 (TCP timestamps)
> ...



The TCP timestamp would work on the webpage side. How does DNSSEC work with recursion? Anyway, it looks like a lot of fingerprinting software is very "narrow niche" and will pick up this or that nuance, but not necessarily everything.


----------



## MindKmS (May 25, 2017)

With `net.inet.tcp.sack.enable=0` they didn't detect the OS 1-2 times, but after 3-4 page refreshes it somehow appears again.


----------



## ronaldlees (May 26, 2017)

MindKmS said:


> With `net.inet.tcp.sack.enable=0` they didn't detect the OS 1-2 times, but after 3-4 page refreshes it somehow appears again.



I get this a half dozen times in a row ...


```
TCP/IP OS Fingerprinting
Passive, SYN    | Language: Unknown | Link: Ethernet or modem | MTU: 1500 | Distance: 17 Hops
DNS Leak Test
Your DNS Servers    n/a
```


----------



## MindKmS (May 27, 2017)

ronaldlees said:


> I get this a half dozen times in a row ...
> 
> 
> ```
> ...


My apologies, with

```
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
```

they didn't detect the OS 1-2 times. With `net.inet.tcp.sack.enable=0`:

```
Passive, SYN | Linux 2.2.x-3.x (barebone)
```

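Editor's added example, not code from this thread or from p0f. It ties together SirDice's point (the proxy's own stack is what gets fingerprinted), the p0f raw signature surv quoted (`4:64+0:0:1460:65535,6:mss,nop,ws,sok,ts:df:0`) and MindKmS's observation that `net.inet.tcp.sack.enable=0` changed the match: a passive fingerprinter only ever sees the first SYN, so the script hand-builds a few IPv4/TCP SYNs (constructed, not captured from real hosts) and extracts the fields p0f's documented signature format encodes, `ver:ittl+dist:olen:mss:wsize,scale:olayout:quirks:pclass`. Only a subset of p0f's quirk flags is implemented, and the `mtu*N` window form is omitted. The first sample reproduces the thread's FreeBSD signature; the `47`-TTL variant shows where a "Distance: 17 Hops" reading comes from; the "no SACK" variant and the Linux- and Windows-looking packets are illustrative defaults, not claims about what any specific OS version emits.

```python
"""Passive TCP SYN fingerprinting in the p0f v3 raw-signature style.
Added example for the thread above; the packets are constructed in-line."""
import struct

OPT_NAMES = {1: "nop", 2: "mss", 3: "ws", 4: "sok", 5: "sack", 8: "ts"}


def o_mss(v): return struct.pack("!BBH", 2, 4, v)
def o_ws(v): return struct.pack("!BBB", 3, 3, v)
def o_ts(val, ecr): return struct.pack("!BBII", 8, 10, val, ecr)
O_NOP, O_SOK = b"\x01", b"\x04\x02"


def build_syn(ttl, ip_id, df, win, options, seq=0x10000000):
    """Assemble a minimal IPv4 + TCP SYN. Checksums stay zero; the
    fingerprinter never looks at them. Addresses are placeholders."""
    opts = b"".join(options)
    opts += b"\x00" * (-len(opts) % 4)              # pad to a 32-bit boundary
    doff = 5 + len(opts) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, seq, 0, doff << 4, 0x02, win, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id,
                     0x4000 if df else 0, ttl, 6, 0, b"\x0a\x00\x00\x01", b"\xc0\x00\x02\x01")
    return ip + tcp


def guess_ittl(ttl):
    """p0f's rule: the smallest of 32/64/128/255 not below the observed TTL."""
    return next((c for c in (32, 64, 128) if ttl <= c), 255)


def p0f_syn_signature(pkt):
    ver_ihl, tos, total_len, ip_id, frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("IPv4/TCP only")
    ihl = (ver_ihl & 0x0F) * 4
    df = bool(frag & 0x4000)
    sport, dport, seq, ack, doff_res, flags, win, csum, urg = struct.unpack(
        "!HHIIBBHHH", pkt[ihl:ihl + 20])
    doff = (doff_res >> 4) * 4
    opts = pkt[ihl + 20:ihl + doff]
    payload = total_len - ihl - doff

    # Walk the TCP options in order; the order itself is part of the signature.
    layout, mss, wscale, tsval, tsecr, bad = [], None, None, None, None, False
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                               # EOL: the rest is padding
            layout.append("eol+%d" % (len(opts) - i - 1))
            break
        if kind == 1:
            layout.append("nop"); i += 1; continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            bad = True; break                       # malformed option length
        length, body = opts[i + 1], opts[i + 2:i + opts[i + 1]]
        if kind == 2 and length == 4:
            mss = struct.unpack("!H", body)[0]
        elif kind == 3 and length == 3:
            wscale = body[0]
        elif kind == 8 and length == 10:
            tsval, tsecr = struct.unpack("!II", body)
        layout.append(OPT_NAMES.get(kind, "?%d" % kind))
        i += length

    quirks = []                                     # subset, in p0f's output order
    if df:
        quirks.append("df")
        if ip_id: quirks.append("id+")
    elif ip_id == 0:
        quirks.append("id-")
    if tos & 0x03: quirks.append("ecn")
    if seq == 0: quirks.append("seq-")
    if ack and not flags & 0x10: quirks.append("ack+")
    if urg and not flags & 0x20: quirks.append("uptr+")
    if flags & 0x08: quirks.append("pushf+")
    if "ts" in layout and tsval == 0: quirks.append("ts1-")
    if "ts" in layout and tsecr: quirks.append("ts2+")
    if bad: quirks.append("bad")

    ittl = guess_ittl(ttl)
    wsize = "mss*%d" % (win // mss) if mss and win % mss == 0 else str(win)
    return "4:%d+%d:%d:%s:%s,%s:%s:%s:%s" % (
        ittl, ittl - ttl, ihl - 20, mss if mss else "*", wsize,
        wscale if wscale is not None else "*", ",".join(layout), ",".join(quirks),
        "+" if payload else "0")


# Constructed SYNs. The first reproduces the FreeBSD signature quoted in the
# thread; the others only illustrate how TTL, window and option order move it.
FBSD_OPTS = [o_mss(1460), O_NOP, o_ws(6), O_SOK, o_ts(0x2a, 0)]
SAMPLES = {
    "freebsd_like": build_syn(64, 0, True, 65535, FBSD_OPTS),
    "freebsd_like_17_hops": build_syn(47, 0, True, 65535, FBSD_OPTS),
    "no_sack_variant": build_syn(64, 0, True, 65535,
                                 [o_mss(1460), O_NOP, o_ws(6), O_NOP, O_NOP, o_ts(0x2a, 0)]),
    "linux_like": build_syn(64, 0x1234, True, 29200,
                            [o_mss(1460), O_SOK, o_ts(0x2a, 0), O_NOP, o_ws(7)]),
    "windows_like": build_syn(128, 0x4321, True, 8192,
                              [o_mss(1460), O_NOP, o_ws(8), O_NOP, O_NOP, O_SOK]),
}


def signatures():
    return {name: p0f_syn_signature(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, sig in signatures().items():
        print("%-22s %s" % (name, sig))
```

Reading the output side by side makes the thread's result less mysterious: dropping SACK removes one token (`sok`) from the option layout, but the initial TTL of 64, the 65535 window, the DF bit and the remaining option order are all still there, so a wildcard database entry can still claim the packet, just possibly a different one. The `net.inet.tcp.blackhole` sysctls change how the host answers segments to closed ports and do not touch the outgoing SYN at all, which is consistent with them having no lasting effect on a passive web-based check.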

----------

