P0f
Encyclopedia
p0f is a versatile passive OS fingerprinting tool. p0f can identify the system on machines that connect to your box, machines you connect to, and even machines that merely go through or near your box even if the device is behind a packet firewall
.
p0f will also detect what the remote system is hooked up to (be it Ethernet
, DSL, OC3), how far it is located, what's its uptime. The latest beta can also detect masquerade or illegal network hook-ups (useful for ISPs
and corporate networks). p0f can detect certain types of packet filters and NAT setups, and sometimes can determine the name of the other guy's ISP. It's still passive. It does not generate any network traffic
. No name lookups, no traffic to the victim, no ARIN
queries, no trace route.
But checking the system is not all p0f can do, p0f will also check the following:
(TTL), Win, Don't Fragment and TOS are some of the fields used for OS fingerprinting by p0f. Values of these fields are compared with the signatures in a fingerprint file, which is stored in /etc/p0f/p0f.fp in most implementations of p0f. The user is allowed to use a different fingerprinting file by running p0f in a suitable mode.
Usage: p0f [ -f file ] [ -i device ] [ -s file ] [ -o file ]
[ -w file ] [ -Q sock [ -0 ] ] [ -u user ] [ -FXVNDUKASCMROqtpvdlrx ]
[ -c size ] [ -T nn ] [ -e nn ] [ 'filter rule' ]
-f file - read fingerprints from file
-i device - listen on this device
-s file - read packets from tcpdump snapshot
-o file - write to this logfile (implies -t)
-w file - save packets to tcpdump snapshot
-u user - chroot and setuid to this user
-Q sock - listen on local socket for queries
-0 - make src port 0 a wildcard (in query mode)
-e ms - pcap capture timeout in milliseconds (default: 1)
-c size - cache size for -Q and -M options
-M - run masquerade detection
-T nn - set masquerade detection threshold (1-200)
-V - verbose masquerade flags reporting
-F - use fuzzy matching (do not combine with -R)
-N - do not report distances and link media
-D - do not report OS details (just genre)
-U - do not display unknown signatures
-K - do not display known signatures (for tests)
-S - report signatures even for known systems
-A - go into SYN+ACK mode (semi-supported)
-R - go into RST/RST+ACK mode (semi-supported)
-O - go into stray ACK mode (barely supported)
-r - resolve host names (not recommended)
-q - be quiet - no banner
-v - enable support for 802.1Q VLAN frames
-p - switch card to promiscuous mode
-d - daemon mode (fork into background)
-l - use single-line output (easier to grep)
-x - include full packet dump (for debugging)
-X - display payload string (useful in RST mode)
-C - run signature collision check
-t - add timestamps to every entry
'Filter rule' is an optional pcap-style BPF expression (man tcpdump).
source :http://nsmwiki.org/P0f
Firewall (computing)
A firewall is a device or set of devices designed to permit or deny network transmissions based upon a set of rules and is frequently used to protect networks from unauthorized access while permitting legitimate communications to pass....
.
p0f will also detect what the remote system is hooked up to (be it Ethernet
Ethernet
Ethernet is a family of computer networking technologies for local area networks commercially introduced in 1980. Standardized in IEEE 802.3, Ethernet has largely replaced competing wired LAN technologies....
, DSL, OC3), how far it is located, what's its uptime. The latest beta can also detect masquerade or illegal network hook-ups (useful for ISPs
Internet service provider
An Internet service provider is a company that provides access to the Internet. Access ISPs directly connect customers to the Internet using copper wires, wireless or fiber-optic connections. Hosting ISPs lease server space for smaller businesses and host other people servers...
and corporate networks). p0f can detect certain types of packet filters and NAT setups, and sometimes can determine the name of the other guy's ISP. It's still passive. It does not generate any network traffic
Network traffic
Network traffic is data in a network. In computer networks, the data is encapsulated in packets.*Network traffic control*Network traffic measurement*Network traffic simulation...
. No name lookups, no traffic to the victim, no ARIN
American Registry for Internet Numbers
The American Registry for Internet Numbers is the Regional Internet Registry for Canada, many Caribbean and North Atlantic islands, and the United States. ARIN manages the distribution of Internet number resources, including IPv4 and IPv6 address space and AS numbers. ARIN opened its doors for...
queries, no trace route.
Features
p0f can identify the system on:- machines that connect to your box (SYN mode)
- machines you connect to (SYN+ACK mode)
- machines you cannot connect to (RST+ mode)
- machines that talk through or near your box
But checking the system is not all p0f can do, p0f will also check the following:
- masquerading and firewall presence (useful for policy enforcement)
- the distance to the remote system and its uptime
- other guys' network hookup (DSL, OC3, avian carriers) and his ISP
Advantage over other fingerprinting tools
The passive nature of p0f is what sets it apart from the other fingerprinting tools. p0f passively listens to the network traffic without creating any extra packets. It determines the operating system of the remote host by analyzing certain fields in the captured packets. Due to this passive analysis, the remote system will not be able to detect the packet capture.How it works
As mentioned above, p0f captures packets, and analyses it on the basis of certain fields. Time to liveTime to live
Time to live is a mechanism that limits the lifespan of data in a computer or network. TTL may be implemented as a counter or timestamp attached to or embedded in the data. Once the prescribed event count or timespan has elapsed, data is discarded. In computer networking, TTL prevents a data...
(TTL), Win, Don't Fragment and TOS are some of the fields used for OS fingerprinting by p0f. Values of these fields are compared with the signatures in a fingerprint file, which is stored in /etc/p0f/p0f.fp in most implementations of p0f. The user is allowed to use a different fingerprinting file by running p0f in a suitable mode.
Usage
p0f lacks a graphical user interface. It commands can be run from the terminal and a comprehensive list of p0f utility options is given belowUsage: p0f [ -f file ] [ -i device ] [ -s file ] [ -o file ]
[ -w file ] [ -Q sock [ -0 ] ] [ -u user ] [ -FXVNDUKASCMROqtpvdlrx ]
[ -c size ] [ -T nn ] [ -e nn ] [ 'filter rule' ]
-f file - read fingerprints from file
-i device - listen on this device
-s file - read packets from tcpdump snapshot
-o file - write to this logfile (implies -t)
-w file - save packets to tcpdump snapshot
-u user - chroot and setuid to this user
-Q sock - listen on local socket for queries
-0 - make src port 0 a wildcard (in query mode)
-e ms - pcap capture timeout in milliseconds (default: 1)
-c size - cache size for -Q and -M options
-M - run masquerade detection
-T nn - set masquerade detection threshold (1-200)
-V - verbose masquerade flags reporting
-F - use fuzzy matching (do not combine with -R)
-N - do not report distances and link media
-D - do not report OS details (just genre)
-U - do not display unknown signatures
-K - do not display known signatures (for tests)
-S - report signatures even for known systems
-A - go into SYN+ACK mode (semi-supported)
-R - go into RST/RST+ACK mode (semi-supported)
-O - go into stray ACK mode (barely supported)
-r - resolve host names (not recommended)
-q - be quiet - no banner
-v - enable support for 802.1Q VLAN frames
-p - switch card to promiscuous mode
-d - daemon mode (fork into background)
-l - use single-line output (easier to grep)
-x - include full packet dump (for debugging)
-X - display payload string (useful in RST mode)
-C - run signature collision check
-t - add timestamps to every entry
'Filter rule' is an optional pcap-style BPF expression (man tcpdump).
source :http://nsmwiki.org/P0f