I want to evade nmap's TCP/IP fingerprinting, which it uses to detect the OS on a machine. I read A practical approach for defeating Nmap OS-Fingerprinting, which explains how this can be done. It also suggests a few programs which can do this. Most of them manipulate the TCP/IP implementation in the kernel. But they are all outdated and not maintained anymore.
So I would like to ask if anyone knows another way of achieving this. Can I configure the responses to nmap's OS-probing packets manually?
You can try and detect when Nmap is probing your machine to send a different kind of response, but the only real way is indeed to change the kernel to respond with a different kind of pre-formatted structure than the one recognized by Nmap.
I don't know of any available patches that do that, since I don't really mind, and most services that run on the server will actually provide evidence of what they are running on, but you can always search GitHub for such patches.
No, that article is the most complete coverage of defeating network scan OS detection that I've seen. And the tools it mentions that fool nmap scans already do so by changing the response to probe packets.
The cost of implementing such a thing will likely be either a kernel programmer porting this to a modern OS, or perhaps an advanced firewall or IDS, or hiding behind a load balancer or proxy. Many of these are likely to be expensive.
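Both answers above come down to the same first step: recognising Nmap's OS-detection probes when they arrive, whether to answer them differently (first answer) or to have a firewall or IDS act on them (second answer). The block below is an added example, not code from either answerer or from Nmap; it classifies raw IPv4 packet bytes against the probe signatures Nmap documents for its OS-detection method (the TCP flag combinations, window sizes and urgent pointer of the T2 to T7 and ECN probes, the IP ID and 300-byte 'C' payload of the U1 probe, and the two ICMP echo probes). The parser, the builder helpers and the sample packets are constructed here for demonstration; IP and transport checksums are left at zero because the classifier never validates them.

```python
"""Classify Nmap OS-detection probes from raw IPv4 packet bytes.

Added example, not from the original thread. Probe signatures follow
Nmap's published OS-detection method description; parser, builders and
sample packets are constructed here. Checksums are zero (never checked).
"""
import struct

FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80


def parse_ipv4(pkt):
    """Return the IPv4 fields the probe checks need, plus the L4 payload."""
    ver_ihl, tos, total, ident, frag, ttl, proto, _csum, _src, _dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"tos": tos, "id": ident, "df": bool(frag & 0x4000), "ttl": ttl,
            "proto": proto, "payload": pkt[ihl:total]}


def classify_probe(pkt, open_ports):
    """Label a packet as one of Nmap's OS probes, or None if it looks ordinary."""
    ip = parse_ipv4(pkt)
    body = ip["payload"]
    if ip["proto"] == 6 and len(body) >= 20:
        _sport, dport, _seq, _ack, off_flags, window, _csum, urgptr = struct.unpack(
            "!HHIIHHHH", body[:20])
        flags = off_flags & 0x01FF          # NS plus the eight classic flag bits
        df, is_open = ip["df"], dport in open_ports
        # ECN probe: SYN+ECE+CWR, window 3, urgent pointer 0xF7F5, to an open port
        if flags == SYN | ECE | CWR and window == 3 and urgptr == 0xF7F5:
            return "ECN"
        if flags == 0 and df and window == 128 and is_open:
            return "T2"
        if flags == SYN | FIN | URG | PSH and not df and window == 256 and is_open:
            return "T3"
        if flags == ACK and df and window == 1024 and is_open:
            return "T4"
        if flags == SYN and not df and window == 31337 and not is_open:
            return "T5"
        if flags == ACK and df and window == 32768 and not is_open:
            return "T6"
        if flags == FIN | PSH | URG and not df and window == 65535 and not is_open:
            return "T7"
        return None
    if ip["proto"] == 17 and len(body) >= 8:
        # U1 probe: IP ID 0x1042 and 300 bytes of 'C' sent to a closed UDP port
        if ip["id"] == 0x1042 and body[8:] == b"C" * 300:
            return "U1"
        return None
    if ip["proto"] == 1 and len(body) >= 8:
        icmp_type, code, data_len = body[0], body[1], len(body) - 8
        # IE probes: echo request with code 9 and 120 data bytes, then TOS 4 / 150 bytes
        if icmp_type == 8 and code == 9 and data_len == 120:
            return "IE1"
        if icmp_type == 8 and code == 0 and ip["tos"] == 4 and data_len == 150:
            return "IE2"
    return None


# --- constructed packets for demonstration (not captured traffic) ---

def build_ipv4(proto, payload, df=False, ident=1, tos=0, ttl=64):
    frag = 0x4000 if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), ident, frag,
                      ttl, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


def build_tcp(dport, flags, window, urgptr=0, sport=40000):
    return struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | flags, window, 0, urgptr)


def build_icmp_echo(code, data):
    return struct.pack("!BBHHH", 8, code, 0, 1, 1) + data


def build_udp(dport, data, sport=40000):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


OPEN_PORTS = {80}                       # assumed: only port 80/tcp is listening
SAMPLE = {
    "ordinary_syn": build_ipv4(6, build_tcp(80, SYN, 64240), df=True),
    "ecn": build_ipv4(6, build_tcp(80, SYN | ECE | CWR, 3, urgptr=0xF7F5)),
    "t3": build_ipv4(6, build_tcp(80, SYN | FIN | URG | PSH, 256)),
    "t5": build_ipv4(6, build_tcp(4444, SYN, 31337)),
    "t7": build_ipv4(6, build_tcp(4444, FIN | PSH | URG, 65535)),
    "u1": build_ipv4(17, build_udp(4444, b"C" * 300), ident=0x1042),
    "ie1": build_ipv4(1, build_icmp_echo(9, b"\x00" * 120), df=True),
    "ping": build_ipv4(1, build_icmp_echo(0, b"\x00" * 56)),
}


def scan_capture(packets, open_ports):
    """Map each packet name to its probe label (None for ordinary traffic)."""
    return {name: classify_probe(pkt, open_ports) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, label in scan_capture(SAMPLE, OPEN_PORTS).items():
        print(f"{name:13s} -> {label}")
```

Matching on these fields is deliberately narrow: the probes also carry a fixed set of TCP options, and the exact values can change between Nmap releases, so treat the labels as a starting point for a firewall or IDS rule rather than a complete signature set. Dropping the flagged packets (or dropping everything aimed at closed ports and the odd ICMP codes) removes the tests Nmap needs and tends to leave it with no match, which is the cheaper route the second answer hints at; making Nmap confidently see a different OS still requires the kernel-level changes the first answer describes.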