What's TUPTUNE?

With TUPTUNE (Tcp UPtime TUNE) you can easily spoof your uptime detected by network scanners like nmap or netcraft. Patches are available for FreeBSD 5.3, Linux (2.4.29, 2.6.11!!) and NetBSD 2.0. The patches can be found below, but please read below first:


Why does it exist?

It merely exists because of fun. I had this idea long ago and found it somehow funny. So at some point, being overwhelmed by energy from unknown sources, I decided to implement these patches for a few kernels.

Is it useful?

Probably not. It might even be dangerous to use. I am just a one-time kernel hacker that produced this ugly hack. It just consumes performance and might create other hazards. So don't use it for production environments that are meant to be stable. In general, I doubt that anyone will have a real long-time merit from using a patched kernel like this. If someone has some real life purpose for this, please let me know.

Should I use it?

In short: No! In long: Maybe there is some chance that you find it funny to apply those patches just to see how it works or for educational reasons.

So how to do it?

First be sure that you are using a box that is ready to be completely destroyed. No data on it should be sensitive or in any way mission-critical for you, since in a few milliseconds all might be gone forever. Thus, I explicitly warn you and give no guarantee and of course take absolutely no responsibility for any breakage or other bad things that you might encounter due to a patch from my site. Just keep in mind that if something breaks, you will be all alone in the world. I won't help you with what is left of your system afterwards. If you can't live with this, don't use my patches. In addition, if you don't think that you can deal with problems that might arise from applying crazy patches, please don't go ahead. Now, if you are still crazy enough to go ahead and download the patch ... just do it!

Downloads

So finally you have arrived in the download section for my patches. My patches are listed below with short annotations:


FreeBSD 5.3

Patches

TUPTUNE v0.1 patch - FreeBSD 5.3

Description

The FreeBSD patch is a moderately intrusive patch. It rewrites all usages of ticks in the netinet/tcp_* files to a new define called TCP_TIMESTAMP that makes the needed adjustments of the timestamp. FreeBSD runs a tick speed of 100 Hz. In consequence 500+ days are not possible :(.

License

New BSD-License

Patching

Hey, if you don't know how to patch this, just don't use it.

Usage

To see the current offset use:

    sysctl -r  net.inet.tcp.asac_spoof_offset

To disable or enable the spoof, use:

    sysctl net.inet.tcp.asac_spoof=0  # disable
    sysctl net.inet.tcp.asac_spoof=1  # enable

To set a new offset, use:

    sysctl net.inet.tcp.asac_spoof_offset=300 # offset: 300 days

Running nmap to verify your uptime:

    --> See Linux!

Note: Changing your offset might lead to instant timeouts of all currently existing tcp connections, so be aware of that and don't report this behaviour unless you learned that this is really a bug.


Linux 2.6.11.x, 2.4.29

Patches

TUPTUNE v0.1 patch - Linux 2.6.11.2,
TUPTUNE v0.1 patch - Linux 2.4.29

Description

The 2.6.11.x patch is the most intrusive one in this patch series. It patches the complete HZ constant for the full TCP stack to 100 Hz (instead of 1000 Hz originally). Thus, somewhat large uptime values can be reached even with 2.6.x kernels. The bad: nmap now detects your system as running 2.4, which is identified because of the 100 Hz trick. Note, I cannot guarantee that I did all conversions in a proper fashion. I strictly replaced HZ with ASAC_HZ, which defines the new and adjusted 100 Hz counter. If you encounter problems with some special TCP feature (e.g. timeouts, etc.) and you know what you are talking about, please let me know.

The 2.4.29 patch is a simple one. Basically it just patches the tcp_time_stamp define in tcp.h. Almost everything else in the patch is overhead for the sysctl entries that configure the actual behaviour.

License

GPL

Patching

Hey, if you don't know how to patch this, just don't use it.

Usage

To see the current offset use:

    cat /proc/sys/net/ipv4/tcp_asac_spoof_offset # prints offset in days

To disable or enable the spoof, use:

    echo 0 > /proc/sys/net/ipv4/tcp_asac_spoof # disable
    echo 1 > /proc/sys/net/ipv4/tcp_asac_spoof # enable

To set a new offset, use:

    echo 200 > /proc/sys/net/ipv4/tcp_asac_spoof_offset # offset: 200 days

Running nmap to verify your uptime:

    hanson:/home/alex/# nmap -O somehost.somedomain.com

    Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2005-03-10 23:47 CET
    Interesting ports on somehost.somedomain.com (10.0.1.5):
    PORT   STATE  SERVICE
      <snip>
    Device type: general purpose
    Running: Linux 2.4.X|2.5.X
    OS details: Linux 2.4.0 - 2.5.20
    Uptime 430.048 days (since Mon Jan  5 22:38:18 2004)

Note: Changing your offset might lead to instant timeouts of all currently existing tcp connections, so be aware of that and don't report this behaviour unless you learned that this is really a bug.


NetBSD 2.0

Patches

TUPTUNE v0.1 patch - NetBSD 2.0

Description

The NetBSD patch is again a simple patch. It just adjusts the TCP_TIMESTAMP(c) define to do what we want. The same is done for SYN_CACHE_TIMESTAMP. The good thing about NetBSD is that the 2 Hz timestamp ticker is able to produce really great values like 5 years or something. The bad thing is that NetBSD's default behaviour uses timestamps that start counting at 0 when a connection is started. This is generally a good solution to prevent the exposure of uptime at all. Hence, enabling this patch makes your uptime more predictable again.
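The tick-rate limits mentioned in the FreeBSD, Linux and NetBSD descriptions all follow from the 32-bit TCP timestamp counter. The C program below is an added example, not code from the TUPTUNE patches: it assumes the offset is a plain addition of ticks (an assumption about the patches' approach), and every function name in it is made up for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define SECS_PER_DAY 86400u

/* Longest uptime (days) a 32-bit timestamp counter running at hz can show. */
double max_uptime_days(uint32_t hz)
{
    return 4294967296.0 / hz / SECS_PER_DAY;
}

/* Assumed offset model: add offset_days worth of ticks, modulo 2^32. */
uint32_t offset_tsval(uint32_t ticks, uint32_t hz, uint32_t offset_days)
{
    uint64_t shift = (uint64_t)offset_days * SECS_PER_DAY * hz;
    return (uint32_t)(ticks + shift);
}

/* Observer side: two TSval samples interval_s apart give the tick rate,
 * snapped to the nearest of the rates named on this page. */
uint32_t estimate_hz(uint32_t ts1, uint32_t ts2, double interval_s)
{
    static const uint32_t known[] = { 2, 100, 1000 };
    double rate = (double)(uint32_t)(ts2 - ts1) / interval_s; /* wrap-safe */
    uint32_t best = known[0];
    for (int i = 1; i < 3; i++) {
        double d_new = rate > known[i] ? rate - known[i] : known[i] - rate;
        double d_old = rate > best ? rate - best : best - rate;
        if (d_new < d_old)
            best = known[i];
    }
    return best;
}

/* Observer side: uptime implied by one TSval at the estimated rate. */
double inferred_uptime_days(uint32_t tsval, uint32_t hz)
{
    return (double)tsval / hz / SECS_PER_DAY;
}

int main(void)
{
    const uint32_t rates[] = { 1000, 100, 2 };
    for (int i = 0; i < 3; i++)
        printf("%4u Hz: counter wraps after %.1f days\n",
               (unsigned)rates[i], max_uptime_days(rates[i]));
    /* Constructed sample: freshly booted host (0 ticks) at 100 Hz. */
    printf("offset 300 days -> %.1f days\n",
           inferred_uptime_days(offset_tsval(0, 100, 300), 100));
    printf("offset 500 days -> %.1f days (wrapped)\n",
           inferred_uptime_days(offset_tsval(0, 100, 500), 100));
    return 0;
}
```

At 100 Hz the counter wraps after roughly 497 days, so a 500-day offset shows up as about 2.9 days; at 1000 Hz the ceiling is under 50 days, and at 2 Hz it is about 68 years.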

License

New BSD-License

Patching

Hey, if you don't know how to patch this, just don't use it.

Usage

To see the current offset use:

    sysctl -r  net.inet.tcp.asac_spoof_offset

To disable or enable the spoof, use:

    sysctl -w net.inet.tcp.asac_spoof=0  # disable
    sysctl -w net.inet.tcp.asac_spoof=1  # enable

To set a new offset, use:

    sysctl -w net.inet.tcp.asac_spoof_offset=1825 # offset: 5 years

Running nmap to verify your uptime:

    --> See Linux!

Note: Changing your offset might lead to instant timeouts of all currently existing tcp connections, so be aware of that and don't report this behaviour unless you learned that this is really a bug.


Misc

If you want defaults after boot, adding them to /etc/sysctl.conf might be an easy option. Examples for all platforms can be found here: sysctl.conf.example

You want an example? Hmmm ... here: NMAP Example Output


Me

Alexander Sack <asac@jwsdot.com>