OS Fingerprint Spoofing
anti edited this page 2026-04-18 06:04:57 -04:00

OS fingerprint spoofing

DECNET spoofs the TCP/IP stack fingerprint that nmap (and similar tools) use to identify the remote operating system. Each archetype declares an nmap_os OS family; the composer applies the matching sysctl set to the decky's base container network namespace.

Source of truth: decnet/os_fingerprint.py. Injection site: decnet/composer.py.

INI snippet

The OS family is chosen by the archetype, so simply picking an archetype is enough:

[windows-hosts]
archetype=windows-workstation   ; implies nmap_os=windows
amount=3

[ics]
archetype=industrial-control    ; implies nmap_os=embedded
amount=1

See INI format and Archetypes for the full mapping.

Supported OS families

| Slug     | Default TTL | TCP timestamps | Window scaling | SACK | ECN    | DF (pmtu) |
|----------|-------------|----------------|----------------|------|--------|-----------|
| linux    | 64          | on             | on             | on   | on (2) | off       |
| windows  | 128         | off            | on             | on   | off    | off       |
| bsd      | 64          | on             | on             | on   | off    | off       |
| embedded | 255         | off            | off            | off  | off    | on        |
| cisco    | 255         | off            | off            | off  | off    | on        |

Unknown slugs fall back to linux.

How injection works

In decnet/composer.py the base (IP-holder) container of every decky receives:

base["sysctls"] = get_os_sysctls(decky.nmap_os)
base["cap_add"] = ["NET_ADMIN"]

Service containers attach with network_mode: service:<base>, so they share the base container's network namespace and inherit the same fingerprint — no --privileged required.

What gets tuned

All sysctls in OS_SYSCTLS are network-namespace-scoped so they work per container:

  • net.ipv4.ip_default_ttl — primary TTL discriminator (Linux 64, Windows 128, embedded/Cisco 255).
  • net.ipv4.tcp_syn_retries — SYN retransmit count (nmap T2-T6 timing group).
  • net.ipv4.tcp_timestamps — TCP timestamp option (nmap OPS group).
  • net.ipv4.tcp_window_scaling — window scale option; off on embedded/Cisco.
  • net.ipv4.tcp_sack — selective ACK option.
  • net.ipv4.tcp_ecn — ECN negotiation; Linux offers (2), Windows off.
  • net.ipv4.ip_no_pmtu_disc — DF bit on ICMP replies (nmap IE group).
  • net.ipv4.tcp_fin_timeout — FIN_WAIT_2 duration.
  • net.ipv4.icmp_ratelimit / net.ipv4.icmp_ratemask — ICMP reply pacing (nmap IE / U1 groups).
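The table, the fallback rule and the composer injection above, as an added example that is not decnet's own code: a stand-in for get_os_sysctls() built from the table rows, a guard that refuses non-namespaced keys such as net.core.rmem_default (the guard and its net.ipv4. prefix rule are assumptions of this example), and the compose fragment composer.py is described as emitting.

```python
"""Added example, not decnet's code: OS-family sysctl profiles from the
table above and the compose fragment composer.py is described as emitting."""

# tcp_ecn=2 is the Linux "enable when the peer requests it" mode shown as
# "on (2)"; ip_no_pmtu_disc=1 clears DF on replies, shown as "DF (pmtu) on".
OS_SYSCTLS = {
    "linux":    {"net.ipv4.ip_default_ttl": "64",  "net.ipv4.tcp_timestamps": "1",
                 "net.ipv4.tcp_window_scaling": "1", "net.ipv4.tcp_sack": "1",
                 "net.ipv4.tcp_ecn": "2", "net.ipv4.ip_no_pmtu_disc": "0"},
    "windows":  {"net.ipv4.ip_default_ttl": "128", "net.ipv4.tcp_timestamps": "0",
                 "net.ipv4.tcp_window_scaling": "1", "net.ipv4.tcp_sack": "1",
                 "net.ipv4.tcp_ecn": "0", "net.ipv4.ip_no_pmtu_disc": "0"},
    "bsd":      {"net.ipv4.ip_default_ttl": "64",  "net.ipv4.tcp_timestamps": "1",
                 "net.ipv4.tcp_window_scaling": "1", "net.ipv4.tcp_sack": "1",
                 "net.ipv4.tcp_ecn": "0", "net.ipv4.ip_no_pmtu_disc": "0"},
    "embedded": {"net.ipv4.ip_default_ttl": "255", "net.ipv4.tcp_timestamps": "0",
                 "net.ipv4.tcp_window_scaling": "0", "net.ipv4.tcp_sack": "0",
                 "net.ipv4.tcp_ecn": "0", "net.ipv4.ip_no_pmtu_disc": "1"},
}
OS_SYSCTLS["cisco"] = dict(OS_SYSCTLS["embedded"])  # identical row in the table

# Assumption of this example: only net.ipv4.* keys count as safe per-container
# sysctls; the global net.core.rmem_default from Limitations is rejected.
NAMESPACED_PREFIX = "net.ipv4."


def get_os_sysctls(nmap_os):
    """Sysctl set for an OS family slug; unknown slugs fall back to linux."""
    return dict(OS_SYSCTLS.get(nmap_os.lower(), OS_SYSCTLS["linux"]))


def check_namespaced(sysctls):
    """Raise if any key is not network-namespace scoped, so a bad profile
    cannot silently try to change host-wide state."""
    bad = sorted(k for k in sysctls if not k.startswith(NAMESPACED_PREFIX))
    if bad:
        raise ValueError(f"non-namespaced sysctl(s) in OS profile: {bad}")
    return sysctls


def compose_decky(name, nmap_os, services):
    """Compose services for one decky: the base (IP-holder) container carries
    the sysctls and NET_ADMIN; each service container joins its network
    namespace through network_mode: service:<base>, so no --privileged."""
    base = {"sysctls": check_namespaced(get_os_sysctls(nmap_os)),
            "cap_add": ["NET_ADMIN"]}
    out = {name: base}
    for svc in services:
        out[f"{name}-{svc}"] = {"network_mode": f"service:{name}"}
    return out
```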

Limitations

  • net.core.rmem_default is a global (non-namespaced) sysctl and is not set per container; the kernel default window size (64240) already matches Windows, so this is mostly fine in practice.
  • Only TCP/IP stack behaviour is tuned. Banner grabs, TCP option order outside the listed set, and application-layer artefacts are handled by the individual service implementations — see Services catalog.
  • The host kernel is still Linux, so nmap's deepest OS-detection probes can sometimes correctly identify the underlying stack; the goal is to defeat the common-case fingerprint, not to be indistinguishable.

See also