From: dtk@all.net Reply-to: dtk@all.net Organization: Deception ToolKit Mailing List Subject: DTK Mailing List 19990102 
---------------------------------------------
Date: Fri, 1 Jan 1999 21:16:11 -0700 (MST)
From: mea culpa 

Have the DTK developers done any testing to see if they can foil remote OS
fingerprinting software such as NMAP, SS, and Queso?

[I have tested against NMAP and several other utilities but only very
briefly and not against SS or Queso.  I would be interested in results
if anybody has them - as well as ideas about how to make deceptions good
enough to fool them.]

---------------------------------------------
Subject: Re: dtk on sco [success]
In reference to the following view expressed by root6:
> 
> here is a funky uri---
> 
> http://www.whitefang.com/rin/rawfaq.html
> 
> everybody and their brother tells me we can't packet sniff on SCO
>
> makes me sick
> 
> i bet we can, but i just don't know how yet

The packets are there, but you can't modify the OS to do what you want
because you don't have the source.  Doing it with binaries only is too
painful and non-portable.  I haven't used SCO since 1984, so I have no
idea of what would be involved in getting it to do anything, but my
limited experience - and the reason I moved on - was that it is real
incompatable with the rest of the world. 

> these same dudes told me that dtk only sees nmap at the application layer...
> 
> i would like to hear your take on that

Sort of...  DTK - in the listen.pl calls - picks up everything but FIN
scans.  The results are shown in one of the FAQs somewhere.  Half-opened
sockets are no problem, and it even reports them as PortScan in the log
file.  FIN scans never hit the half-opened stage, so DTK ignores them. 
In addition, FIN scans against DTK ports will (deceptively) indicate
that those ports are open, thus having the desired effect of forcing the
attacker to (probabilistically) be detected before differentiating
legitimate services from deceptions.
FC
---------------------------------------------