Passive OS fingerprinting with P0f
Here is p0f's “sales pitch” from its website.
What is p0f v2?
P0f v2 is a versatile passive OS fingerprinting tool. P0f can identify the operating system on:
- machines that connect to your box (SYN mode),
- machines you connect to (SYN+ACK mode),
- machine you cannot connect to (RST+ mode),
- machines whose communications you can observe.
P0f can also do many other tricks, and can detect or measure the following:
- firewall presence, NAT use (useful for policy enforcement),
- existence of a load balancer setup,
- the distance to the remote system and its uptime,
- other guy’s network hookup (DSL, OC3, avian carriers) and his ISP.
All this even when the device in question is behind an overzealous packet firewall, when our favourite active scanner can’t do much. P0f does not generate ANY additional network traffic, direct or indirect. No name lookups, no mysterious probes, no ARIN queries, nothing. How? It’s simple: magic. Find out more here.
—————————————–
Personally I don’t think p0f is as good as ettercap and fingerprinting tools. But it does work, sometimes…
In my personal test it couldn't identify most website servers, i.e. google.com, yahoo.com, microsoft.com, and such. It did work on a couple of them, which I have posted here:
In Linux you have to be root to run it. I used the command “p0f -A -r”.
For other options, as usual, type “man p0f” or just read the readme files.

Then we crank up a second window and run elinks www.freebsd.com. It works! There is no active connection from p0f to the website, so no IDS will give any warning signal. On the downside, the information is not always as reliable as active fingerprinting like nmap and such. Freebsd.com is obviously running FreeBSD 4.6-4.8, with uptime (up: 3719 hrs).
Here is some more from geeksquad.com (running a Linux 2.4 kernel, with uptime 9182) and irongeek.com (also running Linux 2.4, with uptime 35 hrs).
Remember it doesn't work most of the time; it gives a fingerprint of the OS that it can't identify, which you can submit to the p0f database for a future update. You can submit fingerprints here: http://lcamtuf.coredump.cx/p0f-help/
There is also a windows port from here: http://lcamtuf.coredump.cx/p0f-win32.zip
That's all.
pavs

Well you have to know what you are comparing when you say that:
“Personally I don’t think p0f is as good as ettercap and fingerprinting tools. But it does work, sometimes…”
The thing is that p0f has a long list of OS fingerprints for SYN packets and a small one for SYN+ACK. Ettercap on the other hand is best at using SYN+ACK. So it really depends on what you wanna do. So use p0f to fingerprint incoming connections and Ettercap for outgoing.
Another solution is to try NetworkMiner (available at sourceforge.net) which has combined the OS fingerprints from both p0f and Ettercap.
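As an added example (not p0f's code, and not from either post), here is a toy passive fingerprinter in Python that shows what both posts are getting at. It parses a raw IPv4/TCP SYN or SYN+ACK header, pulls out the fields p0f keys on (window size, initial TTL guess, DF bit, option layout), derives the hop distance from the TTL and an uptime estimate from the TCP timestamp, and looks the signature up in separate SYN and SYN+ACK tables, which is exactly why the reply says the two tools suit different directions. Everything is constructed for the example: the two packets, the signature-table entries (labelled constructed-os-A/B, not real OS signatures), the simplified signature format (not p0f's own), and the assumed 100 Hz timestamp clock (p0f measures the rate across packets rather than assuming it).

```python
import struct

# TCP option kinds (RFC 793, RFC 7323, RFC 2018)
OPT_EOL, OPT_NOP, OPT_MSS, OPT_WSCALE, OPT_SACKOK, OPT_TS = 0, 1, 2, 3, 4, 8
SYN, ACK = 0x02, 0x10


def build_packet(ttl, df, window, flags, options):
    """Construct a minimal IPv4+TCP header pair (checksums left zero) so the
    example runs offline. `options` is a list of (kind, payload) tuples."""
    opts = b"".join(
        bytes([k]) if k in (OPT_EOL, OPT_NOP) else bytes([k, 2 + len(v)]) + v
        for k, v in options)
    opts += b"\x00" * (-len(opts) % 4)           # pad to a 32-bit boundary
    data_off = (20 + len(opts)) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, data_off << 4, flags, window, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000 if df else 0,
                     ttl, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp


def parse(raw):
    """Extract the passively observable fields from an IPv4+TCP packet."""
    ihl = (raw[0] & 0x0F) * 4
    frag = struct.unpack("!H", raw[6:8])[0]
    tcp = raw[ihl:]
    data_off = (tcp[12] >> 4) * 4
    p = {"ttl": raw[8], "df": bool(frag & 0x4000), "flags": tcp[13],
         "window": struct.unpack("!H", tcp[14:16])[0],
         "mss": None, "wscale": None, "sackok": False, "ts": None, "order": []}
    opts, i = tcp[20:data_off], 0
    while i < len(opts):                          # walk the option list in order
        kind = opts[i]
        if kind == OPT_EOL:
            p["order"].append("E"); break
        if kind == OPT_NOP:
            p["order"].append("N"); i += 1; continue
        length = opts[i + 1]
        if length < 2:                            # malformed option: stop, don't loop forever
            break
        body = opts[i + 2:i + length]
        if kind == OPT_MSS:
            p["mss"] = struct.unpack("!H", body)[0]; p["order"].append("M")
        elif kind == OPT_WSCALE:
            p["wscale"] = body[0]; p["order"].append("W")
        elif kind == OPT_SACKOK:
            p["sackok"] = True; p["order"].append("S")
        elif kind == OPT_TS:
            p["ts"] = struct.unpack("!II", body)[0]; p["order"].append("T")
        else:
            p["order"].append("?")
        i += length
    return p


def initial_ttl(ttl):
    """Guess the sender's initial TTL from the common defaults."""
    for t in (32, 64, 128, 255):
        if ttl <= t:
            return t
    return 255


def hop_distance(p):
    return initial_ttl(p["ttl"]) - p["ttl"]


def uptime_hours(p, hz):
    """Uptime from the TCP timestamp value; `hz` is an ASSUMED clock rate."""
    return None if p["ts"] is None else p["ts"] / hz / 3600


def signature(p):
    """Simplified signature (not p0f's format): window:init_ttl:df:option-layout."""
    layout = [f"M{p['mss']}" if o == "M" else f"W{p['wscale']}" if o == "W" else o
              for o in p["order"]]
    return f"{p['window']}:{initial_ttl(p['ttl'])}:{int(p['df'])}:{','.join(layout)}"


# Constructed sample tables: one for SYN, one for SYN+ACK, as the two differ.
SYN_DB = {"5840:64:1:M1460,S,T,N,W0": "constructed-os-A"}
SYNACK_DB = {"16384:128:1:M1460,N,N,S": "constructed-os-B"}


def identify(p):
    """Return (match or None, mode); the mode picks which table is consulted."""
    syn, ack = bool(p["flags"] & SYN), bool(p["flags"] & ACK)
    if syn and not ack:
        return SYN_DB.get(signature(p)), "SYN"
    if syn and ack:
        return SYNACK_DB.get(signature(p)), "SYN+ACK"
    return None, "unsupported"


# Constructed packets: a SYN 12 hops away with a 35-hour timestamp at 100 Hz,
# and a SYN+ACK from a host using a different option layout.
SAMPLE_SYN = build_packet(52, True, 5840, SYN, [
    (OPT_MSS, struct.pack("!H", 1460)), (OPT_SACKOK, b""),
    (OPT_TS, struct.pack("!II", 12600000, 0)), (OPT_NOP, b""), (OPT_WSCALE, b"\x00")])
SAMPLE_SYNACK = build_packet(116, True, 16384, SYN | ACK, [
    (OPT_MSS, struct.pack("!H", 1460)), (OPT_NOP, b""), (OPT_NOP, b""), (OPT_SACKOK, b"")])

if __name__ == "__main__":
    for raw in (SAMPLE_SYN, SAMPLE_SYNACK):
        p = parse(raw)
        print(signature(p), identify(p), "hops:", hop_distance(p), "up:", uptime_hours(p, 100))
```

The point to take from running it: the same parser feeds two different tables, so a tool with a rich SYN table and a thin SYN+ACK table (or the reverse) will look "good" or "bad" depending only on which direction of the handshake you let it see.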