Using IPFilter to Alter nmap OS Detection Results

Posted February 1, 2004 by Michilimackinac in IPFilter

nmap is often used to perform OS detection on remote systems when the OS cannot be determined by other means. It sends tcp packets that are deliberately malformed and observes how the target handles each one. By tweaking things in IPFilter, we can trick nmap into thinking it is dealing with some other OS, or at least make it less certain about its guess. The OS usually offers some additional knobs that help control this as well: sysctl variables on FreeBSD and ndd settings on Solaris.


These examples were designed for FreeBSD, but they (or variations of them) may work on other OSes as well.

For those who are unfamiliar with IPFilter syntax:


block in log quick on fxp0 proto tcp from any to any flags FUP


block – do not allow the packet to proceed through ipfilter
in – incoming from outside of the system
log – write any matches of this rule to the logfile
quick – if this rule matches, apply it immediately and do not fall through to the rest of the rules
on fxp0 – the interface (as named by ifconfig) that this rule applies to
proto tcp – the tcp protocol (other valid values: udp, icmp, esp, ah, etc.)
from any – source of the packet
to any – destination of the packet
flags FUP – matches any packet in which the tcp flags FIN, URG and PUSH are set

An alternative form for flags is this:

flags SF/SFRA – match packets with SYN and FIN set, as long as RST and ACK are not set. (We do not care what URG and PUSH are set to.) The letters before the slash are the flags that must be set; the letters after it are the only flags that are examined at all.

The first example is a Christmas tree scan: the FIN, URG and PUSH flags are all set.
In this case we return a tcp reset to the system that sent the packet (the source).
A packet like this never occurs in normal traffic, as every tcp packet except the
initial one has the ACK flag set, and the initial one has SYN and no other flags set.


block return-rst in log quick on fxp0 proto tcp from any to any flags FUP

The second example matches SYN FIN scans, and we again return a reset
to the source system. This packet also never occurs in nature: SYN is
used to start a tcp connection and FIN is used to close one down, so the
two are never used in conjunction.


block return-rst in log quick on fxp0 proto tcp from any to any flags SF/SFRA

The last example is a NULL scan. No tcp flags are set at all, which is another example
of a bogus packet. As in the first example, a packet must have at least the
SYN flag (initial connection) or the ACK flag (present throughout the rest of the connection)
set. We again send a reset to the source system.


block return-rst in log quick on fxp0 proto tcp from any to any flags /SFRA
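As an added example (not code from the original post), the following Python script models the set/mask matching that the three rules above rely on and runs it over constructed tcp headers, so you can see which packets each rule would catch before loading the rules into ipf. It assumes that a bare flags list with no mask ("FUP") is examined against all six classic flag bits; that default is this example's assumption, not something the post states. The sample packets are constructed for the demonstration, not captured traffic.

```python
import struct

# TCP flag letters as used by IPFilter's "flags" keyword, mapped to the bit
# each occupies in the flags byte of the tcp header (byte offset 13).
# The post's rules only use F S R P A U, so those six are modelled here.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
ALL_FLAGS = sum(FLAG_BITS.values())  # 0x3f


def _letters_to_bits(letters):
    bits = 0
    for ch in letters:
        if ch not in FLAG_BITS:
            raise ValueError(f"unknown tcp flag letter {ch!r}")
        bits |= FLAG_BITS[ch]
    return bits


def parse_flags_spec(spec):
    """Turn an IPFilter flags spec such as 'SF/SFRA' or 'FUP' into (set_bits, mask).

    'SET/MASK': every bit in SET must be set, every other bit in MASK must be
    clear, and bits outside MASK are ignored.
    A bare 'SET' with no slash is treated as SET/FSRPAU (all six bits examined).
    That default is an assumption of this example.
    """
    set_part, _, mask_part = spec.partition("/")
    set_bits = _letters_to_bits(set_part)
    mask = _letters_to_bits(mask_part) if mask_part else ALL_FLAGS
    if set_bits & ~mask:
        raise ValueError(f"flags {spec}: set bits must lie within the mask")
    return set_bits, mask


def flags_match(spec, tcp_flags):
    """True if the flags byte of a packet satisfies the IPFilter flags spec."""
    set_bits, mask = parse_flags_spec(spec)
    return (tcp_flags & mask) == set_bits


# The three rules from the post, in the order they would appear in ipf.conf.
# All three are "quick", so the first match wins; the label is just for output.
RULES = [
    ("xmas", "FUP"),       # Christmas tree scan: FIN, URG, PUSH set
    ("synfin", "SF/SFRA"),  # SYN+FIN set, RST and ACK clear
    ("null", "/SFRA"),      # none of SYN, FIN, RST, ACK set
]


def classify(tcp_header):
    """Return the label of the first rule matching a raw tcp header, else None."""
    if len(tcp_header) < 20:
        raise ValueError("truncated tcp header")
    tcp_flags = tcp_header[13]
    for label, spec in RULES:
        if flags_match(spec, tcp_flags):
            return label
    return None


def build_tcp_header(flags, sport=40000, dport=22):
    """Build a minimal 20-byte tcp header (no options, zero checksum) for the demo."""
    data_offset = 5 << 4  # header length: five 32-bit words
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, flags, 1024, 0, 0)


# Constructed sample packets (flags byte only matters for these rules).
SAMPLES = {
    "christmas tree (FIN+URG+PUSH)": FLAG_BITS["F"] | FLAG_BITS["U"] | FLAG_BITS["P"],
    "syn-fin": FLAG_BITS["S"] | FLAG_BITS["F"],
    "null (no flags)": 0,
    "normal syn": FLAG_BITS["S"],
    "normal syn-ack": FLAG_BITS["S"] | FLAG_BITS["A"],
    "fin-ack (normal close)": FLAG_BITS["F"] | FLAG_BITS["A"],
}

if __name__ == "__main__":
    for label, flags in SAMPLES.items():
        hit = classify(build_tcp_header(flags))
        print(f"{label:32s} flags=0x{flags:02x} -> {hit or 'pass'}")
```

Note that the mask semantics mean a packet carrying only PUSH (or only URG) is also caught by the NULL rule, because none of the examined bits S, F, R and A are set; that is consistent with the post's point that any packet without SYN or ACK is bogus.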

It would be interesting to hear how effective this is on OSes other than FreeBSD.
Please leave comments if you try this.
