Home page logo

bugtraq logo Bugtraq mailing list archives

p0f - passive os fingerprinting tool
From: lcamtuf () TPI PL (Michal Zalewski)
Date: Sat, 10 Jun 2000 00:50:02 +0200

I'd like to announce beta release of p0f - passive OS fingerprinting
utility. I decided to publish it now, because I believe discussion will
help in process of debugging and developing next, stable version - and,
what's probably the most important - in collecting many different
fingerprints to include in database.

In the meantime, please be polite. Any information about successful /
unsuccessful attempts of launching p0f on platforms different than Linux.
Bugfixes, suggestions, flames and database entries will be appreciated.
GPL and standard disclaimer applies. Newest version is available always at
http://lcamtuf.hack.pl/p0f.tgz :)

Here's brief discussion and description of p0f's functionality, from
README file:

                      passive OS fingerprinting tool
                       version 1.0 <lcamtuf () tpi pl>

Special thanks to:

  tf8 for initial piece of libpcap support and packet parsing
  teso/security.is/b0f/#hax for ideas and testing
  and other people involved (or not) in this project


  What is passive OS fingerprinting? This technique bases on information
  delivered by remote host to our system, without active scanning. It
  means, remote host should connect to our network in order to collect
  operating system fingerprint.

  How it works? Well, there are some TCP/IP flags specific for given
  systems. Usually, initial TTL, window size, maximum segment size, don't
  fragment flag, sackOK option (or sack_permitted), nop option and window
  scaling option combined together gives unique, 63-bit signature for
  every system.

  What are main advantages? Well, passive OS fingerprinting can be done
  on huge portions of input data - eg. information gathered on firewall,
  proxy or Internet server, without sending anything suspected. You can
  launch passive OS detection software on such machine and leave it for
  days, weeks or months, collecting really interesting statistical, and,
  erm, just interesting information. What's really funny - packet filtering
  firewalls, network address translation and so on are transparent to this
  technique, so you're able to obtain information about systems behind the
  firewall. Also, such software is able to determine distance between remote
  host and your systems, allowing you to generate network structure maps
  for firewalled networks.

  Sample output line:

  A.B.C.D [nn hops]: TopSecret OS version 2.3
  |        |         +------ system description
  |        +---------------- approximated distance from our system
  +------------------------- IP address


  Proxy firewalls (that do full proxying, not packet checking and basic
  rewriting) are usually not transparent. This limitation is common for
  every tcp fingerprinting technique.

  In order to obtain information required for fingerprinting, you have to
  receive at least one SYN packet initializing TCP connection to your
  machine or network. Note, you don't have to respond to particular SYN.

  It is possible to perform fingerprinting on alive TCP connection or
  even when connection is initialized from your network. But these techniques
  are less realible - and what we have nmap for, anyway?:)

Why our bubble gum is better?

  This idea isn't nothing new.
  There is another passive OS detection utility, called 'siphon'. It's
  proof-of-concept software, and it isn't perfect. Well, p0f isn't perfect
  for sure, but has several improvements:

  - p0f is single-threaded application

  - it works properly on Linuxes (siphon has a problem with bpf on 2.2).

  - it has pretty large and detailed database (well, currently not so large,
    but we're doing active researchs, and expecting feedback from BUGTRAQ
    / packetstorm people),

  - uses more information for fingerprinting (4 additional fields),

  - it's more accurate,

  - you can define your own filtering rules in the tcpdump flavour:
    p0f 'src host' or p0f 'gateway and port 80'

  What more? Dunno :) Simply, check it out.

Not working!

  Probably p0f isn't working well on every platform in the world; first
  of all, you'll need libpcap 0.4 or newer; sometimes pcap.h is placed in
  /usr/include/pcap instead of /usr/include/. In this case, please change
  #include line in p0f.h, I have no time to write ./configure stuff :)

  Or simply, do:

  ln -s /usr/include/pcap/pcap.h /usr/include/
  ln -s /usr/include/pcap/net/bpf.h /usr/include/net/

  I believe there will be no problem with little/big endian, but if so,
  please drop me an e-mail, or simply fix it with #defines and send
  diff back to me :)

  NOTE: if p0f recognized system incorrectly or cannot recognize it at all,
  please send OS signature and system description to author. Thanks :)


  /etc/p0f.fp or ./p0f.fp - OS fingerprints database. Format is described

  # Valid entry describes the way server starts TCP handshake (first SYN).
  # Important options are: window size (wss), maximum segment size (mss),
  # don't fragment flag (DF), window scaling (wscale), sackOK flag, nop
  # flag, and initial time to live (TTL) ;)
  # How can you determine initial ttl? Well, usually it's first power of 2
  # bigger than TTL returned in scan. So, for example, if you get TTL 55 in
  # fingerprint returned by p0f, initial TTL will be usually 64... NOTE:
  # it's better to overestimate initial TTL than underestimate it ;)
  # There are some brain-damaged devices, like network printers etc, that
  # have stupid initial TTLs like 60, but who cares, if HP LaserJet wants to
  # visit your server, you have to think again about your life ;)
  # Format:
  # wwww:ttt:mmm:D:W:S:N:OS Description
  # wwww - window size
  # ttt  - time to live
  # mmm  - maximum segment size
  # D    - don't fragment flag  (0=unset, 1=set)
  # W    - window scaling (-1=not present, anything else=value)
  # S    - sackOK flag (0=unset, 1=set)
  # N    - nop flag (0=unset, 1=set)

  Note: there's one bugward-compatibility(R) workaround. If entry has
  window scaling set to 0, even if remote system has no window scaling
  option at all (-1), fingerprint will be match. It's necessary due to
  recently-fixed bug in packet parsing code - older fingerprints have
  to be fixed, I'll do that.

What to do?

  - ability to read tcpdump logs (first versions of p0f were cooperating
    with tcpdump, but this functionality has been replaced, I have to
    add it),

  - testing, testing, testing - portability tests,

  - better database,

  - some command-line options,


-- Michal Zalewski <lcamtuf () tpi pl>

Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=

<LI>APPLICATION/octet-stream attachment: p0f.tgz

  By Date           By Thread  

Current thread:
  • p0f - passive os fingerprinting tool Michal Zalewski (Jun 09)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]