I wonder, how I can change Time To Live field for icmp packet in Redhat 7.1, kernel 2.4.2-2? I looked up in /proc/sys/net/ipv4 and did find this field in there.
There should be a way to change TTL. If it's in header file, in which one?
Let's say when someone pings my host, he/she sees a different TTL field. I've heard that lots of netscan applications use this field to determine the type of the system. And for security reasons, if you change that field for ping replies coming from your host, it eliminates this possibility.
Offhand I can't think of any (non-routing) reason to hack the TTL field, or any tools that use the TTL field to scan, with the exception of traceroute.
If you can post the exact "netscan application" that uses TTL and why it uses it, then we can give a more accurate reply.
It is certainly possible to return bogus values of processes, including TTL. I'm more interested in understanding why you think you need to do this... thanks.
How can you determine the type of a system remotely? Considering closed ports for telnet, ssh, ftp, http, etc., one way to determine the type of the system is to just ping it, and the TTL of the returned packet is going to define the system, because it is basically fixed for different systems. Here is what I mean:
# ping foo1.com
64 bytes from 65.30.119.70: icmp_seq=0 ttl=255 time=209 usec
...
# ping foo2.com
64 bytes from 192.168.0.3: icmp_seq=0 ttl=128 time=1.011 msec
...
In those three examples I can say that foo1.com runs RedHat Linux 7.1 (ttl=255), foo2.com - Windows (ME) (ttl=128), foo3.com - OpenBSD 2.8 (maybe 2.9) (ttl=243).
So, if you hack and change the TTL for your system, some of the scanning software will be confused. So my question still is: in what file is this field defined?
OK. Now I understand what you are saying. Some systems, for better or for worse, set the TTL differently and this can be exploited to guess the system kernel, as discussed here:
This can be used to help defeat OS guessing in tools like queso and nmap. It's one of the easiest changes you can make to mess with the results. I recall that there were a few such hints/hacks in Hacking Linux Exposed...
The best part, however, is that the 2.4.* series kernels are able to obfuscate the OS completely. Any nmap scan will report that you are whoever you choose to be - for example, you can make yourself appear to the casual scanner to be a MacOS 7.1 machine, or a HP LaserJet Printer!
BTW: If anyone changes MAXTTL in linux ip.h and rebuilds the kernel, please post and let everyone know that, indeed, this is one possible solution for linux. Thanks!!
Or, if you find that it can be changed another way, please post.
Or, if you find a clever way to do it for any other system, please post.
You know, people, while reading all those replies, I came up with an idea. What if we create an application that makes the TTL appear random all the time, let's say in some range from 100 to 255? It would make lots of scanners confused. I want to create a project on SourceForge. What do you think about the idea itself?
Check out this page: http://project.honeynet.org/papers/finger/
Farther down, it'll tell you how to change the TTL for Solaris, Linux, and NT... An overall good read, as well.
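As an added example (not code from the thread, from the honeynet paper, or from any of the tools named above), the following script shows both halves of the discussion: the TTL-rounding heuristic that the ping-based guessing in the earlier post relies on, run over constructed ping lines in the same format the poster quoted, and the Linux knob the original poster was looking for, the sysctl file /proc/sys/net/ipv4/ip_default_ttl, which sets the TTL Linux puts on locally generated packets including ICMP echo replies. The table of "typical" initial TTLs, the plausible-hop limit, and the `path` parameter are assumptions made for this example, not values from the thread.

```python
# Added example, not code from the thread or from any project it mentions.
# Assumptions: COMMON_INITIAL_TTLS and MAX_PLAUSIBLE_HOPS are the simple
# heuristic the thread describes, not a real fingerprint database; the sysctl
# path is the real Linux file /proc/sys/net/ipv4/ip_default_ttl (writing it
# needs root), exposed as a parameter so the logic can be exercised against a
# scratch file.
import re
from pathlib import Path

# Initial TTLs that IP stacks commonly start from (a simplification).
COMMON_INITIAL_TTLS = (32, 64, 128, 255)

# Largest hop count we treat as believable when rounding an observed TTL up.
MAX_PLAUSIBLE_HOPS = 30

TTL_RE = re.compile(r"\bttl=(\d+)\b")

DEFAULT_TTL_SYSCTL = Path("/proc/sys/net/ipv4/ip_default_ttl")


def observed_ttl(ping_line):
    """Extract the ttl= value from one line of ping output, or None."""
    m = TTL_RE.search(ping_line)
    return int(m.group(1)) if m else None


def guess_initial_ttl(ttl):
    """
    The heuristic a scanner applies: assume the sender started from one of the
    common initial TTLs and every router decremented it once, so the initial
    value is the smallest common value >= the observed one.
    Returns (initial_ttl, hops, plausible); plausible is False when the implied
    hop count is absurd, which is exactly what a host with a non-standard TTL
    produces.
    """
    if not 1 <= ttl <= 255:
        raise ValueError("TTL must be 1..255")
    for initial in COMMON_INITIAL_TTLS:
        if ttl <= initial:
            hops = initial - ttl
            return initial, hops, hops <= MAX_PLAUSIBLE_HOPS
    raise AssertionError("unreachable: 255 is >= any valid TTL")


def classify_ping_output(lines):
    """Map each replying address to its guessed (initial_ttl, hops, plausible)."""
    results = {}
    for line in lines:
        ttl = observed_ttl(line)
        if ttl is None:
            continue
        host = line.split("from ")[1].split(":")[0]
        results[host] = guess_initial_ttl(ttl)
    return results


def read_default_ttl(path=DEFAULT_TTL_SYSCTL):
    """Read the kernel's default TTL from the sysctl file."""
    return int(Path(path).read_text().strip())


def set_default_ttl(value, path=DEFAULT_TTL_SYSCTL):
    """Write a new default TTL (root is required for the real /proc file)."""
    value = int(value)
    if not 1 <= value <= 255:
        raise ValueError("TTL must be 1..255")
    Path(path).write_text(f"{value}\n")
    return read_default_ttl(path)


# Constructed sample lines in the format the thread quotes (addresses are made up).
SAMPLE_PING_LINES = [
    "64 bytes from 65.30.119.70: icmp_seq=0 ttl=255 time=209 usec",
    "64 bytes from 192.168.0.3: icmp_seq=0 ttl=128 time=1.011 msec",
    "64 bytes from 192.168.0.9: icmp_seq=0 ttl=243 time=3.2 msec",
    "64 bytes from 10.0.0.5: icmp_seq=0 ttl=171 time=2.0 msec",  # host using a non-standard TTL
]

if __name__ == "__main__":
    for host, (initial, hops, plausible) in classify_ping_output(SAMPLE_PING_LINES).items():
        verdict = "plausible" if plausible else "odd: host probably does not use a standard TTL"
        print(f"{host}: guessed initial TTL {initial}, {hops} hops, {verdict}")
    try:
        print("current ip_default_ttl:", read_default_ttl())
    except OSError as e:
        print("could not read sysctl (not Linux, or no permission):", e)
```

Two practical notes. First, an unusual default TTL only blunts this single-field guess; fingerprinting tools also look at other header fields and TCP options, so treat it as one of several signals you can remove, not as a disguise. Second, keep the value high enough that your packets still reach distant hosts: a default TTL well below 64 can make a host unreachable from far-away networks, which is a self-inflicted outage rather than a security gain.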