I am developing an emulator for a closed source embedded device that includes a webserver. I'm building the emulator in embedded angstrom linux 2.6.34 using Python, and so far, I've functionally implemented the webserver to the point that it looks visually identical to the original device from the browser. Now, I'm trying to make it look identical to an Nmap OS and services scan, which has turned out to be much more difficult.
The Nmap scans have proved very different initially (the source device with no exact matches, and my emulator dead-on as Linux 2.6.32 - 2.6.39). After doing the obvious things of turning off services and closing ports on the emulator, I started comparing the wireshark packets from the source device including IP and TCP headers, and the embedded device to determine what protocol level changes I need to make. Some of the parameters such as TCP window scaling were easy, using the sysctl.config file in Linux, but others are proving harder. For instance, when packets are fragmented on the source device, the PSH flag is set in the TCP header, and not on my device, an obvious difference to even "the most casual observer." The goal here is not to simply obfuscate my device, but to make it look convincingly similar to the source device from the packet view (specifically the two types of nmap scans).
In my quest, I've come across several solutions that seem promising, but I am afraid of wasting more time on solutions that should work, when I know there are easier solutions out there.
Here is a list of things I've tried, and what caused me to research another approach. The problem for most of them is lack of documentation. If anyone knows a particular approach should work, and could point me to decent documentation to help me with my configuration, I would greatly appreciate it. Being a lazy engineer, I am looking for the easiest solution. I'm not afraid of C, but if there are programs or modules out I can start or interface through python, I would prefer that.
IP personality: only for 2.4 kernels, and my emulator (being an embedded ARM architecture) does not have ported kernels available that go back that far.
Ettercap filters: got these to work on my emulator (installed on emulator, not mitm) for outgoing packets, but not for TCP and IP headers, as far as I can tell, you can only change the data fields in packets, which is inadequate. Man page gives the impression that it could work, but have not found anyone using it to change the headers, which makes me think it cannot be done.
Divert Sockets: cannot get this to work despite patches that are apparently designed for the 2.6 kernel. This works with IPtables to create filters where you can modify outgoing packets (headers and all) before they go through the firewall. I cannot find enough documentation for me to put the pieces together.
TAP/TUN: From what I've learned so far, this software based network interface should work, but I am not convinced this is the easiest way. The examples I've seen are for <2.6.36 kernels since "later kernels behave differently," which includes my emulator version.
libpcap: I believe libpcap only gives you the raw packets and you cannot modify packets. I believe I could copy packets, kill them, modify the copy, and send them back out, but again, I think there is an easier way.
Using userland TCP/IP stack: cannot find good documentation or examples on how to use, for example, the lwIP stack in Linux 2.4.34, and disable the native kernel stack.
Opening up the kernel and mucking with the native TCP/IP stack: I know this would work, but I'm afraid of the time the dev cycle of change-compile-test would take, let alone deciphering the pointer mess in the .c files. I've never done this, and I don't know where to begin as far as whether I have to compile the entire kernel, or specific modules, or how to compile for my ARM device using openembedded. I know there are other ways to do this, so I'm leery of spending time learning how to open the kernel, when I still have a lot of work to do.
Out of all of these, I've run down the ettercap and divert sockets the furthest because I thought they would be the easiest. Got any examples of any of these (or others) working to arbitrarily tweak the headers? Thanks for the help!
In recent kernels you can use NFQUEUE to modify packets without any kernel patches. There are even python bindings for the userspace part. You can check here: https://www.wzdftpd.net/redmine/projects/nfqueue-bindings/wiki/Examples, which includes a rewrite.py example that rewrites packets.
For the iptables part you need a rule like this:
iptables -A OUTPUT -p tcp -m tcp --sport 80 -j NFQUEUE --queue-num 0
where the parameter at the end is the queue number which must match the one in the code.
If simple packet editing isn't enough you can also try lwIP. lwIP on a tap device in Linux works out of the box. To do that get both the lwIP and the contrib packages. Then in contrib/ports/unix/proj/unixsim there is an example which uses lwIP to implement several things, including a web server through a tap device.
The easiest way to have the lwIP stack accessible from the actual network interface is to set up NAT for the tap device and forward ports from the actual interface to the tap interface. That will still involve the kernel though, so it may reveal more than you want. Some possible options around that could be combining this with NFQUEUE or modifying lwIP to use raw sockets instead of the tap interface (I don't think it does that out of the box).
For information on how nmap fingerprints work you can look here: http://nmap.org/book/osdetect-methods.html. To get the raw fingerprint from nmap use the "-vv" option. Also, you probably want to use the latest version of nmap since it will have the most up-to-date fingerprinting.
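As an added example (not from the answer above or the nfqueue-bindings project), this is the rewrite logic an NFQUEUE callback would need for the PSH difference raised in the question: parse the queued IPv4/TCP packet, set PSH on every segment that carries data, and recompute the TCP checksum, which the kernel does not redo for bytes you hand back from userspace. The `nfqueue_callback` hook assumes the NetfilterQueue Python package's `get_payload`/`set_payload`/`accept` methods and is not imported here; the sample packet is constructed inline so the rewrite itself runs offline.

```python
import struct

TCP_PSH = 0x08  # PSH bit in the TCP flags byte (offset 13 of the TCP header)


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, inverted."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_pseudo_header(ip_hdr: bytes, tcp_len: int) -> bytes:
    # src addr, dst addr, zero, protocol (6 = TCP), TCP length
    return ip_hdr[12:16] + ip_hdr[16:20] + struct.pack("!BBH", 0, 6, tcp_len)


def fix_tcp_checksum(ip_hdr: bytes, tcp_seg: bytes) -> bytes:
    zeroed = tcp_seg[:16] + b"\x00\x00" + tcp_seg[18:]
    csum = ones_complement_sum(tcp_pseudo_header(ip_hdr, len(tcp_seg)) + zeroed)
    return zeroed[:16] + struct.pack("!H", csum) + zeroed[18:]


def tcp_checksum_ok(packet: bytes) -> bool:
    ihl = (packet[0] & 0x0F) * 4
    ip_hdr, tcp_seg = packet[:ihl], packet[ihl:]
    return ones_complement_sum(tcp_pseudo_header(ip_hdr, len(tcp_seg)) + tcp_seg) == 0


def set_psh_on_data_segments(packet: bytes) -> bytes:
    """Return the packet with PSH set if it is TCP and carries data; else unchanged."""
    if packet[9] != 6:  # IP protocol field: not TCP, leave alone
        return packet
    ihl = (packet[0] & 0x0F) * 4
    ip_hdr, tcp_seg = packet[:ihl], packet[ihl:]
    data_off = (tcp_seg[12] >> 4) * 4
    if len(tcp_seg) <= data_off:  # pure ACK/SYN/FIN: no payload, flags untouched
        return packet
    tcp_seg = tcp_seg[:13] + bytes([tcp_seg[13] | TCP_PSH]) + tcp_seg[14:]
    return ip_hdr + fix_tcp_checksum(ip_hdr, tcp_seg)


def nfqueue_callback(pkt) -> None:
    """Hook for NetfilterQueue (assumed API): rewrite, then reinject."""
    pkt.set_payload(set_psh_on_data_segments(pkt.get_payload()))
    pkt.accept()


def build_sample_packet(payload: bytes) -> bytes:
    """Constructed sample: 10.0.0.2:80 -> 10.0.0.1:40000, flags = ACK only."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234, 0x4000,
                     64, 6, 0, bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    tcp = struct.pack("!HHIIBBHHH", 80, 40000, 1000, 2000, 0x50, 0x10, 5840, 0, 0)
    return ip + fix_tcp_checksum(ip, tcp + payload)
```

Bind this callback to the same queue number as the iptables rule in the answer; packets that are not TCP or carry no data pass through byte-for-byte.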