We're looking for a way to force a chosen passive network fingerprint onto selected traffic via iptables rule(s).
We imagine the result as a dynamically loaded kernel module. It would let us create iptables rule(s) for the desired traffic with a target such as -j SETPNF --windows10. Based on pre-built signature file(s) for the specified OS version, the rule modifies the network packets so they match the chosen fingerprint. As a result, a remote host performing p0f-like analysis detects such traffic as originating from the specified spoofed OS (Windows 10 in the example above).
Signature files can be added or modified later to support other OS versions.
I will share an example of TCP traffic signatures with the selected person.
Right now we need it only for TCP traffic, and only to emulate Windows 10 and Android 5+. Different versions of the same OS may match different signatures.
A similar approach was implemented in ippersonality (covering both passive and active traffic analysis), but only for old Linux kernels (2.4). We need it for modern kernels (specifically 4.14.70+ for sunxi64/aarch64, and/or 4.19.38+ for sunxi/armv7l). Protection against active probes (as performed by nmap) is not required yet; the resulting traffic only has to defeat passive analysis (as performed by p0f).
While we'd prefer a native Linux kernel module, it is acceptable to implement it in user space using NFQUEUE if that is much easier and faster to build.
Such a userspace solution can be treated as a proof of concept, or even as the final solution if its performance is acceptable for our purposes.
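To make concrete what the per-packet rewrite described above has to do (and what the NFQUEUE variant would do in its callback), here is an added example; it is not code from the posting or from any existing project. It parses a signature written in p0f v3 `p0f.fp` syntax (`ver:ittl:olen:mss:wsize,scale:olayout:quirks:pclass`), then rewrites a raw IPv4/TCP SYN so that its TTL, DF/IP-ID quirks, window, window scale, MSS and exact option order match it, and recomputes both checksums. The signature value `EXAMPLE_SIG` is constructed for illustration only; it is an assumption, not the Windows 10 signature the posting refers to. The sample SYN is also constructed. It assumes it runs on the originating host (so the TTL can be set straight to the initial TTL), handles SYN segments only, and supports the `mss`, `nop`, `ws`, `sok`, `ts` and `eol+N` layout entries and the fixed, `mss*N` and `*` window forms.

```python
import struct

# Constructed p0f v3-style TCP SYN signature in p0f.fp syntax
# (ver:ittl:olen:mss:wsize,scale:olayout:quirks:pclass). The values are an
# assumption for this example, not the Windows 10 signature the posting mentions.
EXAMPLE_SIG = "*:128:0:*:65535,8:mss,nop,ws,nop,nop,sok:df,id+:0"


def parse_p0f_sig(sig):
    """Split a p0f v3 TCP signature into the fields the rewriter needs."""
    _ver, ittl, _olen, mss, wsize, olayout, quirks, _pclass = sig.split(":")
    win, scale = wsize.split(",")
    return {"ittl": int(ittl),                            # initial TTL (128 is Windows-like)
            "mss": None if mss == "*" else int(mss),      # '*' keeps the packet's own MSS
            "wsize": win,                                 # int, 'mss*N' or '*' (see _window)
            "scale": None if scale == "*" else int(scale),
            "olayout": olayout.split(","),                # exact option order to emit
            "quirks": {q for q in quirks.split(",") if q}}


def _csum(data):
    """RFC 1071 one's-complement checksum; odd-length buffers are zero-padded."""
    data = bytes(data) + (b"\x00" if len(data) % 2 else b"")
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def _window(spec, mss, current):
    """Resolve a p0f wsize spec: literal value, multiple of MSS, or '*' (keep)."""
    if spec == "*":
        return current
    return (mss * int(spec[4:])) & 0xFFFF if spec.startswith("mss*") else int(spec)


def _build_options(layout, mss, scale, ts):
    """Emit TCP options in exactly the order the signature's olayout lists."""
    enc = {"mss": struct.pack("!BBH", 2, 4, mss), "ws": struct.pack("!BBB", 3, 3, scale),
           "sok": b"\x04\x02", "nop": b"\x01", "ts": struct.pack("!BBII", 8, 10, *(ts or (0, 0)))}
    # Unknown entries (p0f's 'sack', '?n') raise KeyError on purpose: refuse to emit a wrong layout.
    out = b"".join(b"\x00" * (1 + int(o[4:])) if o.startswith("eol+") else enc[o] for o in layout)
    if len(out) % 4:
        raise ValueError("olayout not 4-byte aligned; the signature needs an eol+N entry")
    return out


def parse_syn(pkt):
    """Extract the SYN fields p0f looks at: TTL, DF, window, MSS, wscale, timestamps, layout."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    opts = tcp[20:(tcp[12] >> 4) * 4]
    f = {"ttl": pkt[8], "df": bool(pkt[6] & 0x40), "window": struct.unpack("!H", tcp[14:16])[0],
         "mss": None, "ws": None, "ts": None, "olayout": []}
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                     # EOL: p0f writes it as eol+<padding>
            f["olayout"].append("eol+%d" % (len(opts) - i - 1))
            break
        if kind == 1:
            f["olayout"].append("nop"); i += 1; continue
        if kind == 2:
            f["mss"] = struct.unpack("!H", opts[i + 2:i + 4])[0]
        elif kind == 3:
            f["ws"] = opts[i + 2]
        elif kind == 8:
            f["ts"] = struct.unpack("!II", opts[i + 2:i + 10])
        f["olayout"].append({2: "mss", 3: "ws", 4: "sok", 8: "ts"}.get(kind, "?%d" % kind))
        i += max(opts[i + 1], 2)                          # guard against a zero length byte
    return f


def _seal(ip, tcp):
    """Fix total length, then TCP (with pseudo-header) and IP checksums; return the packet."""
    ip, tcp = bytearray(ip), bytearray(tcp)
    ip[2:4] = struct.pack("!H", len(ip) + len(tcp))
    tcp[16:18] = b"\x00\x00"
    tcp[16:18] = struct.pack("!H", _csum(bytes(ip[12:20]) + struct.pack("!BBH", 0, 6, len(tcp)) + bytes(tcp)))
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", _csum(ip))
    return bytes(ip + tcp)


def apply_fingerprint(pkt, sig):
    """Rewrite an IPv4/TCP SYN so its passive fingerprint matches `sig`.
    Assumes it runs on the originating host, so the TTL is set to the initial TTL."""
    ihl = (pkt[0] & 0x0F) * 4
    ip, tcp = bytearray(pkt[:ihl]), bytearray(pkt[ihl:])
    cur = parse_syn(pkt)
    mss = sig["mss"] if sig["mss"] is not None else (cur["mss"] or 1460)
    scale = sig["scale"] if sig["scale"] is not None else (cur["ws"] or 0)
    ip[8] = sig["ittl"]
    flags = struct.unpack("!H", ip[6:8])[0]
    ip[6:8] = struct.pack("!H", flags | 0x4000 if "df" in sig["quirks"] else flags & 0xBFFF)
    if "id+" in sig["quirks"] and ip[4:6] == b"\x00\x00":
        ip[4:6] = b"\x1e\x0f"                             # 'id+' quirk: DF set yet IP ID non-zero
    opts = _build_options(sig["olayout"], mss, scale, cur["ts"])
    payload = tcp[(tcp[12] >> 4) * 4:]
    tcp = tcp[:20] + opts + payload
    tcp[12] = ((20 + len(opts)) // 4) << 4 | (tcp[12] & 0x0F)
    tcp[14:16] = struct.pack("!H", _window(sig["wsize"], mss, cur["window"]))
    return _seal(ip, tcp)


def checksums_ok(pkt):
    """True if both the IP header and the TCP segment verify (sum folds to zero)."""
    ihl = (pkt[0] & 0x0F) * 4
    ip, tcp = pkt[:ihl], pkt[ihl:]
    return _csum(ip) == 0 and _csum(ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp)) + tcp) == 0


def build_sample_syn():
    """Constructed Linux-like SYN (TTL 64, DF, window 29200, mss,sok,ts,nop,ws) as NFQUEUE hands it over."""
    opts = (struct.pack("!BBH", 2, 4, 1460) + b"\x04\x02" + struct.pack("!BBII", 8, 10, 1, 0)
            + b"\x01" + struct.pack("!BBB", 3, 3, 7))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0, ((20 + len(opts)) // 4) << 4, 0x02, 29200, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0x1234, 0x4000, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return _seal(ip, tcp)
```

For the userspace proof of concept this would sit in the NFQUEUE callback: an `iptables -I OUTPUT -p tcp --syn -j NFQUEUE --queue-num 0` rule diverts outgoing SYNs, and with python-netfilterqueue the callback does `pkt.set_payload(apply_fingerprint(pkt.get_payload(), sig))` followed by `pkt.accept()`. The checksums are recomputed deliberately, since the rewrite changes both the segment length and its contents; whether the kernel's own offload would have done that for a queued packet is something to verify on the target kernels rather than rely on. A full module still has to cover the SYN+ACK side (p0f keeps separate signatures for it), the MSS-versus-MTU and payload-class checks p0f makes, and the remaining option and window forms.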
The result will be tested with fingerprinting services (their 'TCP/IP Fingerprint' section) and others.
Please share your experience in similar fields and an approximate ETA.
About the recruiter: Harpreet Singh, member since Mar 14, 2020, from Paraiba, Brazil