Passive OS fingerprinting with P0f
Here is the p0f “sales pitch” from its website.
What is p0f v2?
P0f v2 is a versatile passive OS fingerprinting tool. P0f can identify the operating system on:
- machines that connect to your box (SYN mode),
- machines you connect to (SYN+ACK mode),
- machines you cannot connect to (RST+ mode),
- machines whose communications you can observe.
P0f can also do many other tricks, and can detect or measure the following:
- firewall presence, NAT use (useful for policy enforcement),
- existence of a load balancer setup,
- the distance to the remote system and its uptime,
- other guy’s network hookup (DSL, OC3, avian carriers) and his ISP.
All this even when the device in question is behind an overzealous packet firewall, when our favourite active scanner can’t do much. P0f does not generate ANY additional network traffic, direct or indirect. No name lookups, no mysterious probes, no ARIN queries, nothing. How? It’s simple: magic. Find out more here.
—————————————–
Personally I don’t think p0f is as good as ettercap and other fingerprinting tools. But it does work, sometimes…
In my personal test it couldn’t identify most web servers, i.e. google.com, yahoo.com, microsoft.com and such. It did work on a couple of them, which I have posted here:
In Linux you have to be root to run it. I used the command “p0f -A -r”.
For other options, as usual, type “man p0f” or just read the README files.

Then we crank up a second window and run “elinks www.freebsd.com”. It works! There is no active connection from p0f to the website, so no IDS will give any warning signal. On the downside, the information is not always as reliable as active fingerprinting like nmap and such. Freebsd.com is obviously running FreeBSD 4.6-4.8, with uptime (up: 3719 hrs).
Here is some more from geeksquad.com (running a Linux 2.4 kernel, with uptime 9182 hrs) and irongeek.com (also running Linux 2.4, with uptime 35 hrs).
Remember it doesn’t work most of the time; when it can’t identify the OS it gives you the raw fingerprint, which you can submit to the p0f database for a future update. You can submit fingerprints here: http://lcamtuf.coredump.cx/p0f-help/
There is also a Windows port, available here: http://lcamtuf.coredump.cx/p0f-win32.zip
That’s all.
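To make concrete what the pitch above describes (a signature taken from the SYN, distance from the TTL, uptime from the TCP timestamp) and what the “unknown fingerprint” case looks like, here is an added example that is not part of the original post and not p0f’s own code. It parses a raw IPv4/TCP SYN and matches it the way p0f v2 does; the three signature rows, the sample packets, the 32-hop limit and the 100 Hz timestamp clock are assumptions constructed for this illustration, not p0f’s database or real captures. It works on client SYNs (p0f’s default mode); the “-A” flag used in the post switches p0f to SYN+ACK mode, which applies the same field extraction to the server’s reply against its own table, and “-r” turns on name resolution.

```python
"""p0f-style passive SYN fingerprinting, reduced to the essentials (added illustration,
not p0f's code): parse a raw IPv4/TCP SYN, derive the fields p0f v2 keys on, match a
signature table in p0f v2 syntax, and estimate hop distance and uptime."""
import struct

# Constructed sample rows in p0f v2 format (wwww:ttl:D:ss:OOO:QQ:OS:Details).
# Illustrative only; they are not copied from p0f.fp.
SIGNATURES = [
    "16384:64:1:60:M*,N,W0,N,N,T:.:FreeBSD:4.x (sample)",
    "S4:64:1:60:M*,S,T,N,W0:.:Linux:2.4 (sample)",
    "65535:128:1:48:M*,N,N,S:.:Windows:2000/XP (sample)",
]
TS_HZ = 100    # assumed TCP timestamp clock; p0f v2's "up: N hrs" assumes the same 100 Hz
MAX_HOPS = 32  # assumed plausible hop count below a signature's initial TTL

def parse_syn(pkt):
    """Return the p0f-relevant fields of a raw IPv4/TCP SYN (no link-layer header)."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, frag = struct.unpack_from("!HxxH", pkt, 2)   # total length, flags/fragment
    tcp = pkt[ihl:]
    doff = (tcp[12] >> 4) * 4
    opts, mss, tsval, i = [], None, None, 20
    while i < doff:                                        # walk the TCP option list
        kind = tcp[i]
        if kind == 0:                                      # end of option list
            opts.append("E")
            break
        if kind == 1:                                      # NOP
            opts.append("N")
            i += 1
            continue
        if kind == 2:                                      # MSS
            mss = struct.unpack_from("!H", tcp, i + 2)[0]
            opts.append("M%d" % mss)
        elif kind == 3:                                    # window scale
            opts.append("W%d" % tcp[i + 2])
        elif kind == 4:                                    # SACK permitted
            opts.append("S")
        elif kind == 8:                                    # timestamp (T0 if the value is zero)
            tsval = struct.unpack_from("!I", tcp, i + 2)[0]
            opts.append("T0" if tsval == 0 else "T")
        else:
            opts.append("?%d" % kind)
        i += tcp[i + 1]                                    # option length byte
    return {"win": struct.unpack_from("!H", tcp, 14)[0], "ttl": pkt[8], "size": total_len,
            "df": int(bool(frag & 0x4000)), "opts": opts, "mss": mss, "tsval": tsval}

def raw_signature(f):
    """Observed fields as a p0f v2 signature line: what p0f prints for an UNKNOWN host."""
    return "%d:%d:%d:%d:%s:." % (f["win"], f["ttl"], f["df"], f["size"], ",".join(f["opts"]))

def _window_ok(token, f):
    """p0f window notation: literal, '*', 'Sn' (n * MSS) or 'Tn' (n * (MSS + 40))."""
    if token == "*":
        return True
    if token[0] in "ST" and f["mss"] is not None:
        return f["win"] == int(token[1:]) * (f["mss"] if token[0] == "S" else f["mss"] + 40)
    return token.isdigit() and f["win"] == int(token)

def _options_ok(sig_opts, opts):
    """Option order must match exactly; 'M*' and 'W*' accept any MSS / scale value."""
    return len(sig_opts) == len(opts) and all(
        s == o or (s in ("M*", "W*") and o[0] == s[0]) for s, o in zip(sig_opts, opts))

def match(f):
    """Return (os, details, hop_distance) for the first matching signature, else None."""
    for line in SIGNATURES:
        win, ttl, df, size, opts, _quirks, os_name, details = line.split(":", 7)
        dist = int(ttl) - f["ttl"]                         # every router hop decrements TTL
        if not 0 <= dist < MAX_HOPS:
            continue
        if (_window_ok(win, f) and int(df) == f["df"] and int(size) == f["size"]
                and _options_ok(opts.split(","), f["opts"])):
            return os_name, details, dist
    return None

def uptime_hours(f):
    """Uptime guess from the TCP timestamp value at TS_HZ ticks per second."""
    return None if not f["tsval"] else f["tsval"] // (TS_HZ * 3600)

# --- constructed sample SYNs (built here, not real captures) ------------------------
def _opt(kind, fmt="", *vals):
    """Encode one TCP option as kind, length, payload."""
    body = struct.pack(fmt, *vals)
    return struct.pack("!BB", kind, 2 + len(body)) + body

def build_syn(ttl, window, options, df=True):
    """Assemble a bare IPv4/TCP SYN; checksums stay zero since nothing here validates them."""
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 0x11223344, 0,
                      ((20 + len(options)) // 4) << 4, 0x02, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000 if df else 0,
                     ttl, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp

NOP = b"\x01"
# A FreeBSD-like SYN seen 12 hops out carrying the post's 3719 h uptime, a Linux 2.4-like
# SYN 7 hops out, and a SYN that matches nothing in the table.
FREEBSD_SYN = build_syn(52, 16384, _opt(2, "!H", 1460) + NOP + _opt(3, "!B", 0) + NOP + NOP
                        + _opt(8, "!II", 3719 * TS_HZ * 3600, 0))
LINUX_SYN = build_syn(57, 4 * 1460, _opt(2, "!H", 1460) + _opt(4)
                      + _opt(8, "!II", 35 * TS_HZ * 3600 + 12345, 0) + NOP + _opt(3, "!B", 0))
UNKNOWN_SYN = build_syn(200, 8760, _opt(2, "!H", 1460), df=False)

if __name__ == "__main__":
    for pkt in (FREEBSD_SYN, LINUX_SYN, UNKNOWN_SYN):
        f = parse_syn(pkt)
        hit = match(f)
        print(hit + (uptime_hours(f),) if hit else "UNKNOWN [%s:?:?]" % raw_signature(f))
```

Run as a script it prints one line per sample, the last in p0f’s UNKNOWN form, which is exactly the string the post says you can submit to the database. Two caveats worth keeping in mind when reading figures like the ones in the post: the distance is only as good as the initial-TTL guess, and that guess comes from the matched signature, so an unmatched host has no distance at all; and the uptime figure silently assumes a 100 Hz timestamp clock, so a kernel that ticks at 1000 Hz will look ten times older than it really is.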
pavs
LinuxHaxor

