feat(os_fingerprint): Phase 1 — extend OS sysctls with 6 new fingerprint knobs
Add tcp_timestamps, tcp_window_scaling, tcp_sack, tcp_ecn, ip_no_pmtu_disc, and tcp_fin_timeout to every OS profile in OS_SYSCTLS. All 6 are network-namespace-scoped and safe to set per-container without --privileged. They directly influence nmap's OPS, WIN, ECN, and T2-T6 probe groups, making OS family detection significantly more convincing. Key changes: - tcp_timestamps=0 for windows/embedded/cisco (strongest Windows discriminator) - tcp_ecn=2 for linux (ECN offer), 0 for all others - tcp_sack=0 / tcp_window_scaling=0 for embedded/cisco - ip_no_pmtu_disc=1 for embedded/cisco (DF bit ICMP behaviour) - Expose _REQUIRED_SYSCTLS frozenset for completeness assertions Tests: 88 new test cases across all OS families and composer integration. Total suite: 812 passed.
This commit is contained in:
@@ -5,17 +5,27 @@ Maps an nmap OS family slug to a dict of Linux kernel sysctls that, when applied
|
||||
to a container's network namespace, make its TCP/IP stack behaviour resemble the
|
||||
claimed OS as closely as possible within the Linux kernel's constraints.
|
||||
|
||||
All sysctls listed here are network-namespace-scoped and safe to set per-container
|
||||
without --privileged (beyond the NET_ADMIN capability already granted).
|
||||
|
||||
Primary discriminator leveraged by nmap: net.ipv4.ip_default_ttl (TTL)
|
||||
Linux → 64
|
||||
Windows → 128
|
||||
BSD (FreeBSD/macOS)→ 64 (different TCP options, but same TTL as Linux)
|
||||
Embedded / network → 255
|
||||
|
||||
Secondary tuning (TCP behaviour):
|
||||
net.ipv4.tcp_syn_retries – SYN retransmits before giving up
|
||||
Secondary discriminators (nmap OPS / WIN / ECN / T2–T6 probe groups):
|
||||
net.ipv4.tcp_syn_retries – SYN retransmits before giving up
|
||||
net.ipv4.tcp_timestamps – TCP timestamp option (OPS probes); Windows = off
|
||||
net.ipv4.tcp_window_scaling – Window scale option; embedded/Cisco typically off
|
||||
net.ipv4.tcp_sack – Selective ACK option; absent on most embedded stacks
|
||||
net.ipv4.tcp_ecn – ECN negotiation; Linux offers (2), Windows off (0)
|
||||
net.ipv4.ip_no_pmtu_disc – DF bit in ICMP replies (IE probes); embedded on
|
||||
net.ipv4.tcp_fin_timeout – FIN_WAIT_2 seconds (T2–T6 timing); Windows shorter
|
||||
|
||||
Note: net.core.rmem_default is a global (non-namespaced) sysctl and cannot be
|
||||
set per-container without --privileged; it is intentionally excluded.
|
||||
set per-container without --privileged; TCP window size mangling is deferred to
|
||||
Phase 2 (iptables entrypoint).
|
||||
"""
|
||||
|
||||
from __future__ import annotations
|
||||
@@ -24,27 +34,59 @@ OS_SYSCTLS: dict[str, dict[str, str]] = {
|
||||
"linux": {
|
||||
"net.ipv4.ip_default_ttl": "64",
|
||||
"net.ipv4.tcp_syn_retries": "6",
|
||||
"net.ipv4.tcp_timestamps": "1",
|
||||
"net.ipv4.tcp_window_scaling": "1",
|
||||
"net.ipv4.tcp_sack": "1",
|
||||
"net.ipv4.tcp_ecn": "2",
|
||||
"net.ipv4.ip_no_pmtu_disc": "0",
|
||||
"net.ipv4.tcp_fin_timeout": "60",
|
||||
},
|
||||
"windows": {
|
||||
"net.ipv4.ip_default_ttl": "128",
|
||||
"net.ipv4.tcp_syn_retries": "2",
|
||||
"net.ipv4.tcp_timestamps": "0",
|
||||
"net.ipv4.tcp_window_scaling": "1",
|
||||
"net.ipv4.tcp_sack": "1",
|
||||
"net.ipv4.tcp_ecn": "0",
|
||||
"net.ipv4.ip_no_pmtu_disc": "0",
|
||||
"net.ipv4.tcp_fin_timeout": "30",
|
||||
},
|
||||
"bsd": {
|
||||
"net.ipv4.ip_default_ttl": "64",
|
||||
"net.ipv4.tcp_syn_retries": "6",
|
||||
"net.ipv4.tcp_timestamps": "1",
|
||||
"net.ipv4.tcp_window_scaling": "1",
|
||||
"net.ipv4.tcp_sack": "1",
|
||||
"net.ipv4.tcp_ecn": "0",
|
||||
"net.ipv4.ip_no_pmtu_disc": "0",
|
||||
"net.ipv4.tcp_fin_timeout": "60",
|
||||
},
|
||||
"embedded": {
|
||||
"net.ipv4.ip_default_ttl": "255",
|
||||
"net.ipv4.tcp_syn_retries": "3",
|
||||
"net.ipv4.tcp_timestamps": "0",
|
||||
"net.ipv4.tcp_window_scaling": "0",
|
||||
"net.ipv4.tcp_sack": "0",
|
||||
"net.ipv4.tcp_ecn": "0",
|
||||
"net.ipv4.ip_no_pmtu_disc": "1",
|
||||
"net.ipv4.tcp_fin_timeout": "15",
|
||||
},
|
||||
"cisco": {
|
||||
"net.ipv4.ip_default_ttl": "255",
|
||||
"net.ipv4.tcp_syn_retries": "2",
|
||||
"net.ipv4.tcp_timestamps": "0",
|
||||
"net.ipv4.tcp_window_scaling": "0",
|
||||
"net.ipv4.tcp_sack": "0",
|
||||
"net.ipv4.tcp_ecn": "0",
|
||||
"net.ipv4.ip_no_pmtu_disc": "1",
|
||||
"net.ipv4.tcp_fin_timeout": "15",
|
||||
},
|
||||
}
|
||||
|
||||
_DEFAULT_OS = "linux"
|
||||
|
||||
_REQUIRED_SYSCTLS: frozenset[str] = frozenset(OS_SYSCTLS["linux"].keys())
|
||||
|
||||
|
||||
def get_os_sysctls(nmap_os: str) -> dict[str, str]:
|
||||
"""Return the sysctl dict for *nmap_os*. Falls back to Linux on unknown slugs."""
|
||||
@@ -54,3 +96,4 @@ def get_os_sysctls(nmap_os: str) -> dict[str, str]:
|
||||
def all_os_families() -> list[str]:
|
||||
"""Return all registered nmap OS family slugs."""
|
||||
return list(OS_SYSCTLS.keys())
|
||||
|
||||
|
||||
Reference in New Issue
Block a user