--- ippersonality.v1.27.sgml Mon Jul 23 18:19:36 2001 +++ ippersonality.v1.28.sgml Sun Nov 25 19:03:35 2001 @@ -3,7 +3,7 @@
IP Personality <author>Gaël Roualland - Jean-Marc Saffroy -<date>$Id: ippersonality.sgml,v 1.27 2001/07/23 22:19:36 g_roualland Exp $ +<date>$Id: ippersonality.sgml,v 1.28 2001/11/25 15:36:00 g_roualland Exp $ <abstract> <fr>Documentation IP Personality</fr> <en>IP Personality Documentation</en> @@ -48,11 +48,11 @@ <en>Except for the regular behavior specified in RFCs, every IP stack has some specific ways (due to coding policies, bugs, optimizations...) of responding to incoming traffic, especially when handling abnormal -packets that do not strictly follow the RFC. +packets that do not strictly follow the RFCs. These specificities are used by network analysis software to guess what OS a remote host is running. They probe the OS by sending the -host a bunch of abnormal packets (mangling parametres such as +host a bunch of abnormal packets (mangling parameters such as fragmentation, TCP flags, unused/reserved fields, size of packets, ...) and comparing the results with a signatures database of known operating systems. @@ -65,10 +65,10 @@ <em>IP Personality</em> is a <em>netfilter</em> module designed to be able to have different 'personalities' network wise, that is to change some characteristics of the network traffic, depending on -different parameters. This especially enables fooling such tools in +different parameters. This especially enables fooling such tools into thinking a remote host is running a specific system when it is actually running another one, so as to hide or protect hosts that -would otherwise vulnerable, or to build "honey pots".</en> +would otherwise be vulnerable or to build "honey pots".</en> <sect> <fr>Problèmes</fr> @@ -97,7 +97,7 @@ différents processeurs, ce qui peut éventuellement poser des problèmes de performances ;</fr> <en>some characteristics of OS are related to the host architecture -(for instance page sizes on various CPU) which could lead to +(for instance page sizes on various CPUs) which could lead to performance issues;</en> </item> <item><fr>certaines des modifications reposent sur des choix "politiques" lors @@ -110,7 +110,7 @@ inférieure à celle de la machine l'émulant.</fr> <en>some of these changes are more "political" choices of the IP stack (initial sequence numbers, window sizes, TCP options -available...). Tweaking those allow to fool a scanner but might break +available...). Tweaking those allow us to fool a scanner but might break regular connectivity by changing network parameters. It could also make the system weaker if the emulated IP stack is not as strong as the initial one.</en> @@ -143,8 +143,8 @@ restituée par la machine locale (à moins de conserver tout le traffic, ce qui n'est pas réalisable) ;</fr> <en>any piece of information discarded on the remote hosts cannot -be "restored" on the gateway (except by keeping the whole -traffic...);</en> +be "restored" on the gateway (unless we keep all the traffic, which is +not realistic...);</en> </item> <item><fr>la machine locale ne doit pas inventer des informations. Par exemple, si l'on prend le cadre d'un test auquel les machines ne @@ -232,7 +232,7 @@ <en> Some of the operations intended to deceive nmap (not all of them, though) can also be applied to packets that are routed by the -host. Even though we lose the capacity to completeley lure nmap, our +host. Even though we lose the capacity to completeley fool nmap, our modifications are efficient enough to prevent it from detecting the OS running on its target. The operations we can apply to routed packets are TCP sequence numbers and options rewriting. @@ -259,7 +259,7 @@ thanks to the versatility offered by the syntax of the configuration file, the possibilities for emulation are not limited to existing network fingerprinting tools: it becomes very easy to fool, or at -least disturb any tool that relies on the same tricks as nmap, since +least disturb, any tool that relies on the same tricks as nmap, since we can control the elements that make a packet typical. </en> @@ -317,7 +317,7 @@ paquets. </fr> <en> -The PERS target can modifiy the packets it receives from the +The PERS target can modify the packets it receives from the <em>netfilter</em> architecture. Therefore it is used in the mangle table, which is meant to enable packet modification. </en> @@ -427,7 +427,7 @@ <en> <bf>sequence numbers rewriting:</bf> we want to be able to simulate initial sequence number generators, and at the same time we -want that steps following the establishment of a connection work +want the steps following the establishment of a connection to work properly. Therefore we need to rewrite the sequence and acknowledgement numbers in all packets of a connection for which the ISN has been modified. The first rewriting is done when the ISN is chosen by @@ -435,8 +435,8 @@ generator and its parameters); at this time, the difference between the original ISN and the one generated by PERS is saved. As this difference between the sequence numbers used by both sides remains -constant, we can simply add it to the sequence numbers in one way and -subtract it from acknowledgement numbers in the other way; +constant, we can simply add it to the sequence numbers in one direction and +subtract it from acknowledgement numbers in the other direction; </en> </item> @@ -472,7 +472,7 @@ <en> <bf>options rewriting:</bf> when a connection is established, both IP stacks exchange useful information by the use of options: they -are optionnal fields in the TCP header, that lie between the regular +are optional fields in the TCP header that lie between the regular header and the payload of the packet. The supported options and the order in which they appear is a characteristic we can tweak: this is done by interpreting the pseudo-code from the tcp_options subsection of @@ -553,16 +553,17 @@ très librement choisir d'émuler un système particulier en fonction d'adresses sources et destinations, de l'interface, et autres critères de sélection dans les règles. -</fr><en> +</fr> +<en> The configuration of the PERS target is done in userspace with the <em>iptables</em> command and an associated dynamic library for specific parameters. This library adds new options for setting up the PERS target; one of the options allows the user to specify a configuration file containing all the parameters needed to emulate a -particular operating system. Hence by using different +particular operating system. Hence, by using different configuration files for each different netfilter rule, one can easily choose to look like a particular OS for some sources or destination -addresses, for a specific interface, and/or for other matching criterias. +addresses, for a specific interface, and/or for other matching criteria. </en> <sect1> @@ -643,7 +644,7 @@ to named.conf, inspired from C. Options are grouped together in logical blocks (delimited with { and }), each block corresponding to a different kind of packet rewriting operation. Each option is composed of an identifier -followed by one or more arguments, and ended by a ;. +followed by one or more arguments, and ends with a ;. Options and blocks can be specified in any order. </en> @@ -715,7 +716,7 @@ <sect2> <fr>Paramètres de générateur de numéros de séquence</fr> -<en>Sequence Numbers Generator Parameters</en> +<en>Sequence Number Generator Parameters</en> <p> <fr>Ces paramètres sont regroupés au sein d'une section nommée <em>tcp_isn</em>. @@ -747,9 +748,9 @@ incrément permet d'émuler les systèmes utilisant des numéros de séquence initiaux constants.</fr> <en>: That's the simplest generator. The initial sequence number -is simply increased of a fixed value (specified as +is simply increased by a fixed value (specified as argument) at each new connection. Using 0 as the increment value -allows one to emulated systems using fixed initial sequence numbers.</en> +allows one to emulate systems using fixed initial sequence numbers.</en> </item> <item><em>random-inc <number></em> <fr> : Il s'agit d'un générateur @@ -788,7 +789,7 @@ le numéro de séquence initial est alors incrémenté de 1 toutes les 4 micro-secondes. (la granularité du générateur dépend toutefois de la précsion des "ticks" du système, 100 Hz par défaut sous linux/x86)</fr> -<en>: This is a time dependant generator. The passes number specifies +<en>: This is a time dependant generator. The passed number specifies the frequency of the generator (in Hz). For instance, using 25000 for the value allows one to implement the generator recommended in RFC 793: the ISN is then incremented by 1 every 4 @@ -887,7 +888,7 @@ programme de réécriture, doivent être rajoutées à la fin du buffer final afin d'être présentes dans le paquet final. Ce paramètre peut prendre les valeurs <em>yes</em> ou <em>no</em>.</fr> -<en>The <em>keep-unknown</em> parameter specifies if "unknown" options +<en>The <em>keep-unknown</em> parameter specifies whether "unknown" options in the original packet (hence that can't be handled in the code) should be added at the end of the new options buffer so they are kept. It can be set to either <em>yes</em> or <em>no</em>.</en> @@ -904,13 +905,13 @@ should be added at the end of the new options buffer so they are kept. It can be set to either <em>yes</em> or <em>no</em>. This allows one to use a very simple code to reorder a few options while keeping -the other ones functionnal.</en> +the other ones functional.</en> <fr>Le paramètre <em>isolated-packets</em> spécifie si la réécriture des options doit être appliquée aux paquets n'appartenant à aucune connexion connue. Ce paramètre peut prendre les valeurs <em>yes</em> ou <em>no</em> (valeur par défaut).</fr> -<en>The <em>isolated-packets</em> parameter specifies if options +<en>The <em>isolated-packets</em> parameter specifies whether options reordering should be performed for packets that do not belong to any known connection. It can be set to either <em>yes</em> or <em>no</em>. (defaults to no).</en> @@ -922,8 +923,8 @@ fréquence nominale, l'option est ignorée).</fr> <en>The <em>timestamp-scale</em> parameter specifies if the timestamp options of TCP packets related to the local machine should be changed -to a new frequency. Its argument is the new frequency to use. (if it -is null or equal to the base frequency it is ignored).</en> +to a new frequency. Its argument is the new frequency to use. If it +is null or equal to the base frequency it is ignored.</en> <sect2> <fr>Paramètres du leurre TCP</fr> @@ -992,7 +993,7 @@ <en>The <em>reply</em> parameter sets if you want an ICMP "port unreachable" message to be sent when receiving an UDP datagram for a port not listening. It can be set to either <em>yes</em> or -<em>no</em>. The other parametres of this block only apply if this is enabled.</en> +<em>no</em>. The other parameters of this block only apply if this is enabled.</en> <fr>Le paramètre <em>df</em> spécifie si le bit "Don't Fragment" de l'entête IP du paquet ICMP doit être activé ou non.</fr> @@ -1037,7 +1038,7 @@ </fr> <en>: sets the changes to apply to the id field of the original packet IP header. It can be set to <em>same</em>, <em>zero</em> (then it is -set to zero), <em>mangle</em> (it is changed for a different value). +set to zero), or <em>mangle</em> (it is changed to a different value). </en> </item> <item><em>ip-csum {same|mangle|zero}</em> @@ -1045,7 +1046,7 @@ à apporter au champ checksum de l'entête IP du paquet initial. Peut valoir <em>same</em>, <em>zero</em>, <em>mangle</em>.</fr> <en>: sets the changes to apply to the checksum of the original -packet IP header. It can be set to <em>same</em>, <em>zero</em>, <em>mangle</em>. +packet IP header. It can be set to <em>same</em>, <em>zero</em>, or <em>mangle</em>. </en> </item> <item><em>udp-len {same|<number>}</em> @@ -1062,7 +1063,7 @@ valoir <em>same</em>, <em>zero</em>, <em>mangle</em>.</fr> <en>: sets the changes to apply to the checksum of the original packet UDP header. It can be set to <em>same</em>, <em>zero</em>, -<em>mangle</em>. +or <em>mangle</em>. </en> </item> <item><em>udp-data {same|mangle|zero}</em> @@ -1072,7 +1073,7 @@ <em>mangle</em>.</fr> <en>: sets changes to apply to the first byte of the original UDP datagram payload. It can be set to <em>same</em>, <em>zero</em>, -<em>mangle</em>. +or <em>mangle</em>. </en> </item> </itemize> @@ -1262,8 +1263,8 @@ machine virtuelle. L'action par défaut en fin de programme est <em>accept</em>.</fr> <en><em>drop</em>, <em>accept</em>, and <em>reply</em>: These instructions stop execution of the program by respectively dropping -the packet, let it pass it to next rule, and build an answer from the -virtual machine state and send it back. The default action is +the packet, letting it pass it to next rule, or building an answer from the +virtual machine state and sending it back. The default action is <em>accept</em> at the end of the code.</en> </item> </itemize> @@ -1290,7 +1291,7 @@ applies to options reordering, only the options buffer from the state of the virtual machine is used after running the program. Hence the <em>listen</em> and <em>ack</em> tests, and the <em>insert</em>, <em>set</em>, <em>drop</em>, -<em>reply</em> instructions have little interest in this case.</en> +and <em>reply</em> instructions have little interest in this case.</en> </item> <item> <fr>Les options supportées par les différents tests et conditions @@ -1376,7 +1377,7 @@ générateur de numéro de séquence initial utiliser. Le paramètre important en est la classe du générateur. On peut rencontrer les classes suivantes :</fr> -<en>The <em>TSeq</em> line in nmap signature defines the ISN generator +<en>The <em>TSeq</em> line in the nmap signature defines the ISN generator to use. The important parameter is the <em>class</em> one. The various possible classes are:</en> <itemize> @@ -1445,7 +1446,7 @@ </item> <item><em>DF</em> <fr> : Indique si le bit "Don't Fragment" est positionné dans la réponse</fr> -<en>: Specify whether the "Don't Fragment" bit is enabled in the anwser</en> +<en>: Specify whether the "Don't Fragment" bit is enabled in the answer</en> </item> <item><em>W</em> <fr> : Indique la ou les tailles de fenêtres (séparées par des @@ -1458,7 +1459,7 @@ réponse. Peut valoir une valeur numérique ou <em>S</em> pour indiquer le numéro de séquence du test, ou <em>S++</em> pour indiquer le numéro de séquence du test plus un.</fr> -<en>: Specify the expected acquittement value for the answer. Can be +<en>: Specify the expected acknowledgement value for the answer. Can be set to a numeric value, or <em>S</em> to mean the test initial sequence number, or <em>S++</em> for the test initial sequence number plus one.</en> @@ -1491,7 +1492,7 @@ est assez simple :</fr> <en>If we want to emulate the system accurately, we need to guess the options reordering scheme from the various tests results and their -matching tests packets. Here, only one option is supported, so the +matching test packets. Here, only one option is supported, so the corresponding section is quite simple:</en> <tscreen><verb> @@ -1516,7 +1517,7 @@ answers will not fool nmap for really precise tests. In order to completely fool it locally, we can extract appropriate answers to return in <em>decoy</em> mode from its TCP test results. For that we -can use a code "squeleton" that fits its tests and fill it to get +can use a code "skeleton" that fits its tests and fill it in to get the expected answers:</en> <tscreen><verb> @@ -1624,14 +1625,14 @@ <em>E</em> (égal). Ces paramètres correspondent aux options suivantes (même ordre) <em>ip-id</em>, <em>ip-csum</em>, <em>udp-csum</em>, <em>udp-data</em> qui peuvent prendre une des valeurs suivantes : </fr> -<en>: These fields describe the change of respectively -the original IP ID, the original IP checksum, the original UDP checksum, +<en>: These fields, respectively, describe the change of +the original IP ID, the original IP checksum, the original UDP checksum, and the original data block. They can have one of 3 values: 0 (zeroed), F -(fucked), E (equal). Those fields are "mapped" to the following +(fucked), or E (equal). Those fields are "mapped" to the following ippersonality parameters (same order) : <em>ip-id</em>, <em>ip-csum</em>, <em>udp-csum</em>, -<em>udp-data</em> which can have one of the three following values +and <em>udp-data</em> which can have one of the three following values (same order too): </en> -<em>zero</em>, <em>mangle</em>, <em>same</em>. +<em>zero</em>, <em>mangle</em>, or <em>same</em>. </item> <item><em>RIPLEN, ULEN</em> <fr> : Ces paramètres décrivent les longeurs initiales des paquets IP @@ -1879,7 +1880,7 @@ peut complètement tromper nmap. En revanche en mode "routeur", les paramètres sur lesquels on joue le perturbent, mais ne suffisent pas à lui faire détecter un autre système.</fr> -<en>We can notice how dse2 completely fools nmap locally. However, +<en>Notice how dse2 completely fools nmap locally. However, when trying to hide routed hosts, the changed parameters make it unable to recognize the real operating system but are not sufficient to completely fool it.</en> @@ -1922,8 +1923,8 @@ 32 bits (en ordre de la machine) regroupant un mnémonique (sur 8 bits), une option (sur 4 bits) et un opérande (sur 20 bits), comme visible ci après.</fr> -<en>The code understood by the virtual machine is made of intruction -on 32 bits (in the machine's endian) composed of a mnemonic (8 +<en>The code understood by the virtual machine is made up of 32 bit +intructions (in the machine's endian) composed of a mnemonic (8 bits), an option (4 bits) and an operand (20 bits), like below:</en> <tscreen><verb> @@ -1996,7 +1997,7 @@ <fr>Continue l'exécution à l'instruction dont le numéro est l'opérande.</fr> -<en>Program continues running at the instruction which address is the operand.</en> +<en>Program continues running at the instruction whose address is the operand.</en> <sect2>PUT <p> @@ -2051,37 +2052,37 @@ <fr> : Définit le registre <em>flags</em> à la valeur de l'opérande. </fr> -<en>: Sets the <em>flag</em> registers to the operand value. +<en>: Sets the <em>flag</em> register to the operand value. </en></item> <item><em>ack</em> (1) <fr> : Définit le registre <em>ack</em> (acquittement) à la valeur de l'opérande. </fr> -<en>: Sets the <em>ack</em> registers to the operand value. +<en>: Sets the <em>ack</em> register to the operand value. </en></item> <item><em>df</em> (2) <fr> : Définit le registre <em>df</em> (bit "Don't Fragment" de l'entête IP) à la valeur de l'opérande. </fr> -<en>: Sets the <em>df</em> ("Don't Fragment") registers to the operand value. +<en>: Sets the <em>df</em> ("Don't Fragment") register to the operand value. </en></item> <item><em>win</em> (3) <fr> : Définit le registre <em>win</em> (taille de fenêtre) à la valeur de l'opérande. </fr> -<en>: Sets the <em>win</em> registers to the operand value. +<en>: Sets the <em>win</em> register to the operand value. </en></item> <item><em>mss</em> (4) <fr> : Définit le registre <em>mss</em> (taille de segment TCP maximale) à la valeur de l'opérande. </fr> -<en>: Sets the <em>mss</em> registers to the operand value. +<en>: Sets the <em>mss</em> register to the operand value. </en></item> <item><em>wscale</em> (5) <fr> : Définit le registre <em>wscale</em> (mise à l'échelle de la fenêtre) à la valeur de l'opérande. </fr> -<en>: Sets the <em>wscale</em> registers to the operand value. +<en>: Sets the <em>wscale</em> register to the operand value. </en></item> <item><em>timestamp</em> (6) <fr> : Définit le registre <em>timestamp</em> (valeur locale du @@ -2094,7 +2095,7 @@ (acquittement) à la valeur de l'opérande ajoutée au numéro de séquence du paquet initial. </fr> -<en>: Sets the <em>ack</em> registers to the operand value added to +<en>: Sets the <em>ack</em> register to the operand value added to the original packet value. </en></item> <item><em>relative df</em> (10) @@ -2102,7 +2103,7 @@ Fragment" de l'entête IP) à la valeur de l'opérande ajoutée à celle de la valeur de ce champ dans le paquet initial. </fr> -<en>: Sets the <em>df</em> ("Don't Fragment") registers to the operand value added to +<en>: Sets the <em>df</em> ("Don't Fragment") register to the operand value added to the original packet value. </en></item> <item><em>relative win</em> (11) @@ -2110,7 +2111,7 @@ fenêtre) à la valeur de l'opérande ajoutée à la taille de fenêtre du paquet initial. </fr> -<en>: Sets the <em>win</em> registers to the operand value added to +<en>: Sets the <em>win</em> register to the operand value added to the original packet value. </en></item> <item><em>relative mss</em> (12) @@ -2118,7 +2119,7 @@ segment TCP maximale) à la valeur de l'opérande ajoutée à la valeur mss du paquet initial (si définie). </fr> -<en>: Sets the <em>mss</em> registers to the operand value added to +<en>: Sets the <em>mss</em> register to the operand value added to the original packet value. </en></item> <item><em>relative wscale</em> (13) @@ -2126,7 +2127,7 @@ à l'échelle de la fenêtre) à la valeur de l'opérande ajoutée à la valeur wscale du paquet initial (si définie). </fr> -<en>: Sets the <em>wscale</em> registers to the operand value added to +<en>: Sets the <em>wscale</em> register to the operand value added to the original packet value. </en></item> <item><em>relative timestamp</em> (14) @@ -2155,20 +2156,20 @@ <fr> : Termine l'exécution et demande l'acceptation du paquet pour continuer son traitement. </fr> -<en>: Terminates execution and make the packet continue its path. +<en>: Terminates execution and makes the packet continue its path. </en></item> <item><em>Drop</em> (2) <fr> : Termine l'exécution et demande l'abandon du paquet. </fr> -<en>: Terminates execution and drop packet. +<en>: Terminates execution and drops the packet. </en></item> <item><em>Reply</em> (3) <fr> : Termine l'exécution et demande l'envoi d'une réponse basée sur l'état de la machine virtuelle. </fr> -<en>: Terminates execution, build a reply TCP packet from the virtual -machine state and send it. +<en>: Terminates execution, builds a reply TCP packet from the virtual +machine state and sends it. </en></item> </itemize> @@ -2228,8 +2229,8 @@ permet de sélectionner finement les messages à afficher en combinant les bits voulus comme ci après :</fr> <en>The debug level is defined by the value of this parameter: -individual bits are associated to submodules, allowing to select -precisely debugging messages by combining wanted bits as follows:</en> +individual bits are associated to submodules, allowing one to precisely +select debugging messages by combining wanted bits as follows:</en> <itemize> <item><em>1</em> @@ -2254,7 +2255,7 @@ </item> <item><em>32</em> <fr> : Machine virtuelle</fr> -<en>: Virutal Machine</en> +<en>: Virtual Machine</en> </item> <item><em>64</em> <fr> : Leurres UDP locaux</fr> @@ -2283,7 +2284,7 @@ la réponse éventuelle reçue (code adapté de tcpdump). Ceci permet d'analyser finemement le comportement de la pile IP et de constater le bon fonctionnement ou non du code noyau produit.</fr> -<en>Osdet is a test tool trying to guess the OS of a remote host. It +<en>Osdet is a test tool which tries to guess the OS of a remote host. It is based on nmap sources and uses the same tests, but it performs them sequentially while displaying replies it receives (with code from tcpdump). This allows one to see how the reply was potentially changed.</en>