Keynote SSTIC 2009 – IpMorph: Unifying fingerprinting deception

Presentation : Guillaume PRIGENT, Fabrice HARROUET

Active fingerprint detection:
Stimuli are emitted, and the responses are analyzed to find a known pattern.

Passive fingerprint detection:
Network listening can also be sufficient to identify patterns (presence of a probe on a network, or on a host).

The tool presented allows to hide these patterns, by modifying them to reflect a different identity. It is placed in a disconnect on a physical or virtual network.

Three categories of mystification are identified:

1. The filtering
2. TCP/IP stack configuration and modification (host based)
3. TCP/IP stack substitution (proxy behavior)

IpMorph falls into the 3rd category. Coded in C++, used in "userland" and portable Linux / BSD / Mac OS, and under GPLv3.

It is capable of working from Ethernet to TCP.

The goal being tobreak fingerprinters with a rate of 100%, It was therefore necessary to understand all their systems, and to use them (the product incorporates all the signatures to combine them in the desired way, in order to reflect another identity).

The tool, although detectable, works on all fingerprinters, thus hiding the real information from potential attackers.