Sealing Wafter – Defend Against OS Fingerprinting for OpenBSD


One way to defend against OS fingerprinting from tools such as nmap, queso, p0f, xprobe etc is to change the metrics that they base their analysis on.

One way to do this with OpenBSD is to use Sealing Wafter.

Goals of Sealing Wafter:
1. To reduce OS detection based on well known fingerprints network stack behavior.
2. To have the ability to load custom rules into the stack.
3. To unload, modify, reload the kernel module with on the fly rules. (great feature at packet parties)
4. To learn how the magic of tcpip stacks work.

What Sealing Wafter currently provides:
1. Hide from Nmap Syn/Xmas/Null scans, as well as the specific fingerprinting packets.
2. Ability to see what your stack is receiving without the need to drop your network device into promisc mode.
3. Complete control over rules that you can load on the fly todeal with specific incoming packets.
4. Initial support for several OS passive detection has been added for SYNs.

Weaknesses in current Sealing Wafter:
1. Full connection scans. e.g. nmap -sT will still find open ports. this is because I have yet to find anything that seperates a real tcp connection vs an nmap full connection. (most likely isn’t one.)
2. Can be very verbose when under heavy load. I have run this on my heaviest web servers, and have not noticed any major overhead.

Download the c code for the LKM here: Sealing Wafter

Posted in: Countermeasures, Networking Hacking Tools, UNIX Hacking

, ,


Latest Posts:


GitLab Watchman - Audit Gitlab For Sensitive Data & Credentials GitLab Watchman – Audit Gitlab For Sensitive Data & Credentials
GitLab Watchman is an app that uses the GitLab API to audit GitLab for sensitive data and credentials exposed internally, this includes code, commits, wikis etc
GKE Auditor - Detect Google Kubernetes Engine Misconfigurations GKE Auditor – Detect Google Kubernetes Engine Misconfigurations
GKE Auditor is a Java-based tool to detect Google Kubernetes Engine misconfigurations, it aims to help security & dev teams streamline the configuration process
zANTI - Android Wireless Hacking Tool Free Download zANTI – Android Wireless Hacking Tool Free Download
zANTI is an Android Wireless Hacking Tool that functions as a mobile penetration testing toolkit that lets you assess the risk level of a network using mobile.
HELK - Open Source Threat Hunting Platform HELK – Open Source Threat Hunting Platform
The Hunting ELK or simply the HELK is an Open-Source Threat Hunting Platform with advanced analytics capabilities such as SQL declarative language, graphing etc
trape - OSINT Analysis Tool For People Tracking Trape – OSINT Analysis Tool For People Tracking
Trape is an OSINT analysis tool, which allows people to track and execute intelligent social engineering attacks in real-time.
Fuzzilli - JavaScript Engine Fuzzing Library Fuzzilli – JavaScript Engine Fuzzing Library
Fuzzilii is a JavaScript engine fuzzing library, it's a coverage-guided fuzzer for dynamic language interpreters based on a custom intermediate language.


Comments are closed.