P0f

From aldeid

Description

p0f uses a fingerprinting technique based on analyzing the structure of a TCP/IP packet to determine the operating system and other configuration properties of a remote host. The process is completely passive and does not generate any suspicious network traffic. The other host has to either:

  • connect to your network, either spontaneously or in an induced manner, for example when trying to establish an FTP data stream, returning a bounced mail, performing an auth lookup, using IRC DCC, fetching an external image referenced from HTML mail, and so on,
  • or be contacted by some entity on your network using some standard means (such as web browsing); it can either accept or refuse the connection.

The method can see through packet firewalls and does not have the restrictions of active fingerprinting. The main uses of passive OS fingerprinting are attacker profiling (IDS and honeypots), visitor profiling (content optimization), customer/user profiling (policy enforcement), pen-testing, etc.
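The feature extraction described above, as an added example that is not p0f's own code: it pulls the initial TTL, DF bit, window size and TCP option layout out of a raw IPv4/TCP SYN and matches them against a small signature table. The packet bytes and the table entries are constructed for illustration and do not use the format of p0f.fp.

```python
import struct

# Signature table constructed for this example; these are NOT entries from p0f's p0f.fp.
SIGNATURES = [
    {"ittl": 64, "df": 1, "win_mss": 4, "opts": "M,S,T,N,W7", "label": "constructed Linux-like"},
    {"ittl": 128, "df": 1, "win": 65535, "opts": "M,N,W0,N,N,T,N,N,S", "label": "constructed Windows-like"},
]

def parse_syn(pkt: bytes) -> dict:
    """Extract the SYN features p0f keys on from a raw IPv4+TCP packet (no link-layer header)."""
    ver_ihl, _, total_len, _, flags_frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    tcp = pkt[(ver_ihl & 0x0F) * 4:]
    off_flags, window = struct.unpack("!HH", tcp[12:16])
    if off_flags & 0x3F != 0x02:  # only a pure SYN is fingerprinted here
        raise ValueError("not a SYN")
    opts, layout, mss, i = tcp[20:(off_flags >> 12) * 4], [], None, 0
    while i < len(opts):  # walk the option list; its order is part of the fingerprint
        kind = opts[i]
        if kind == 0: layout.append("E"); break  # end of options
        if kind == 1: layout.append("N"); i += 1; continue  # NOP padding
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2:  # truncated or malformed option: stop rather than loop forever
            layout.append("?"); break
        if kind == 2: mss = struct.unpack("!H", opts[i + 2:i + 4])[0]; layout.append("M")
        elif kind == 3: layout.append(f"W{opts[i + 2]}")  # window scale with shift count
        elif kind == 4: layout.append("S")  # SACK permitted
        elif kind == 8: layout.append("T")  # timestamps
        else: layout.append(f"?{kind}")
        i += length
    ittl = next(t for t in (32, 64, 128, 255) if ttl <= t)  # nearest common initial TTL
    return {"ittl": ittl, "distance": ittl - ttl, "df": (flags_frag >> 14) & 1, "win": window,
            "win_mss": window // mss if mss and window % mss == 0 else None,
            "opts": ",".join(layout), "size": total_len}

def match(f: dict, sigs=SIGNATURES) -> str:
    """Label of the first signature whose fields all agree with the parsed features, else UNKNOWN."""
    for s in sigs:
        if all(f.get(k) == v for k, v in s.items() if k != "label"):
            return s["label"]
    return "UNKNOWN"

def sample_syn() -> bytes:
    """Constructed SYN: Linux-style options, MSS 1460, window 4*MSS, DF set, TTL 52 (12 hops from 64)."""
    opts = b"\x02\x04\x05\xb4\x04\x02\x08\x0a" + struct.pack("!II", 1000, 0) + b"\x01\x03\x03\x07"
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 12345, 0, (10 << 12) | 0x02, 5840, 0, 0) + opts
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 52, 6, 0,
                       bytes([10, 0, 0, 5]), bytes([10, 0, 0, 80])) + tcp
```

The `distance` field is the hop count derived from the TTL, which p0f reports by default and suppresses with -N.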

Installation

From the packages

The following will install p0f v2.0.8-2:

$ sudo apt-get install p0f

From sources

If you prefer to install p0f from sources, here is how to proceed:

$ cd /data/src/
$ wget http://lcamtuf.coredump.cx/p0f.tgz
$ tar xf p0f.tgz
$ cd p0f
$ cp mk/Linux Makefile
$ make
$ sudo make install

Usage

Basic syntax

$ p0f [ -f file ] [ -i device ] [ -s file ] [ -o file ]
      [ -w file ] [ -Q sock [ -0 ] ] [ -u user ] [ -FXVNDUKASCMROqtpvdlrx ]
      [ -c size ] [ -T nn ] [ -e nn ] [ 'filter rule' ]

Options

-f <file>
Read fingerprints from file
By default, p0f reads signatures from ./p0f.fp or /etc/p0f/p0f.fp (the latter on Unix systems only). You can use this to load custom fingerprint data. Specifying multiple -f values will NOT combine several signature files together.
-i <device>
Listen on this device
p0f defaults to whatever device libpcap considers to be the best (and which often isn't). On some newer systems you might be able to specify 'any' to listen on all devices, but don't rely on this.
Specifying multiple -i values will NOT cause p0f to listen on several interfaces at once.
-s <file>
read packets from tcpdump snapshot
-o <file>
write to this logfile (implies -t)
-w <file>
save packets to tcpdump snapshot
-u <user>
chroot and setuid to this user
-Q <sock>
listen on local socket for queries
-0
make src port 0 a wildcard (in query mode)
-e <ms>
pcap capture timeout in milliseconds (default: 1)
-c <size>
cache size for -Q and -M options
-M
run masquerade detection
-T <nn>
set masquerade detection threshold (1-200)
-V
verbose masquerade flags reporting
-F
use fuzzy matching (do not combine with -R)
-N
do not report distances and link media
-D
do not report OS details (just genre)
-U
do not display unknown signatures
-K
do not display known signatures (for tests)
-S
report signatures even for known systems
-A
go into SYN+ACK mode (semi-supported)
-R
go into RST/RST+ACK mode (semi-supported)
-O
go into stray ACK mode (barely supported)
-r
resolve host names (not recommended)
-q
be quiet (no banner)
-v
enable support for 802.1Q VLAN frames
-p
switch card to promiscuous mode
-d
daemon mode (fork into background)
-l
use single-line output (easier to grep)
-x
include full packet dump (for debugging)
-X
display payload string (useful in RST mode)
-C
run signature collision check
-t
add timestamps to every entry

Example