Home page logo
/

Nmap Announce mailing list archives

p0f 2.0.1 passive fingerprinting tool
From: Fyodor <fyodor () insecure org>
Date: Tue, 30 Sep 2003 15:21:54 -0700

Hello everyone!  Boy have I ever been busy integrating the THOUSANDS
of service fingerprints you have been submitting!  I hope to do a new
release in a few days that should at least double the initial DB
size.

I noticed that Michal Zalewski has released a new version of P0f to
include many more passive OS detection techniques.  Although this is
very different than the active Nmap approach, many of the techniques
can easily apply to active probing.  I have been discussing them with
Michal and will probably add several to Nmap along with a list of
other OS detection tests I have been keeping.  In particular, the
closed-TCP-port reset tests would be valuable against hosts that have
no reachable open ports. The use of the URG pointer and the WSS to
MSS/MTU correlation also have strong potential.  This probably won't
happen until 2004 though, after version detection has stabilized and
some other Nmap-related projects are finished.

For those of you who are interested in passive fingerprinting, here is
further information about P0f from a recent announcement sent by
Michal:

I am proud to announce the new stable version of p0f, 2.0.1, a complete
rewrite of the original open-source tool released back in 2000, and a
major step for the utility.

------------
What is p0f?
------------

   P0f v2 is a versatile passive OS fingerprinting tool. P0f can identify
   the system on machines that connect to your box, machines you connect
   to, and even machines that merely go thru or near your box. All this
   even if the device is behind a fascist packet firewall.

   P0f will also detect what the remote system is hooked up to (be it
   Ethernet, DSL, OC3, or avian carriers), how far it is located, what's
   its uptime, and will often detect NAT, firewall presence, and even
   the name of the other guy's ISP - all this without sending a single
   packet.

What do you need it for?
------------------------

   P0f is quite useful for gathering all kinds of profiling information
   about your users, customers or attackers (IDS, honeypot, firewall),
   tech espionage (laugh...), active or passive policy enforcement
   (restricting access for certain systems or otherwise handling them
   differently), content optimization, pen-testing, thru-firewall
   fingerprinting... plus all the tasks active fingerprinting is suitable
   for. And, of course, it has a high coolness factor, even if you are
   not a sysadmin.

-----------
What's new?
-----------

  Almost everything. Please upgrade and encourage your vendor to
  update his packages. P0f v2 is far superior to the old code
  and its clones (such as the Ettercap passive OS fingerprinting
  functionality, based on the p0f v1 concepts). It is faster,
  more secure, reliable, precise, accurate, feature-loaded
  (including easy service integration). It also introduces many
  new metrics, some of them "invented" for p0f v2.

  NEW CORE CHECKS:

    - Option layout and count check,
    - EOL presence and trailing data [*],
    - Unrecognized options handling (TTCP, etc),
    - WSS to MSS/MTU correlation checks [*],
    - Zero timestamp check,
    - Non-zero ACK in initial SYN [*],
    - Non-zero "unused" TCP fields [*],
    - Non-zero urgent pointer in SYN [*],
    - Non-zero second timestamp [*],
    - Zero IP ID in initial packet,
    - Unusual auxilinary flags,
    - Data payload in control packets [*],
    - Non-empty IP options.

    [*] Metrics "invented" for p0f, as far as I know. Other metrics
    were discussed before, although usually not implemented anywhere.

  IMPROVEMENTS:

    - Major performance improvements - no more runtime signature parsing,
      added BPF pre-filtering, signature hash lookups - to make p0f suitable
      for high-throughput devices,

    - Modulo and wildcard operators for certain TCP/IP parameters to make
      it easier to come up with generic last chance signatures for
      systems that tweak settings notoriously (think Windows),

    - Auto-detection of DF-zeroing firewalls,

    - Auto-detection of MSS-tweaking NAT and router devices,

    - Media type detection based on MSS, with a database of common
      link types,

    - Origin network detection based on unusual ToS / precedence bits,

    - Ability to detect and skip ECN option when examining flags,

    - Better fingerprint file structure and contents - all fingerprints
      are rigorously reviewed before being added.

    - Generic last-chance signatures to cover general OS characteristics,

    - Query mode to enable easy integration with third party software -
      p0f caches recent fingerprints and answer queries for src-dst
      combinations on a local stream socket in a easy to parse
      form,

    - Usability features: greppable output option, daemon mode, host
      name resolution option, promiscuous mode switch, built-in signature
      collision detector, ToS reporting, etc,

    - "Officially unsupported" SYN+ACK fingerprinting mode for silent
      identifications of systems you connect to the usual way (web
      browser, MTA),

    - Fixed WSCALE handling in general, and WSS passing on little-endian,
      many other bug-fixes and improvements of the packet parser
      (including some sanity checks).

--------------------
Download, demo, etc.
--------------------

  P0f home page is:
  http://lcamtuf.coredump.cx/p0f.shtml

  Download:
  http://lcamtuf.coredump.cx/p0f.tgz

  Contribute / see it in action:
  http://lcamtuf.coredump.cx/p0f-help/

  P0f is believed to run fine on Windows, Linux, FreeBSD, NetBSD,
  OpenBSD, MacOS X, Solaris and AIX.

  Please consider contributing to the project if you liked it.



--------------------------------------------------
For help using this (nmap-hackers) mailing list, send a blank email to 
nmap-hackers-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).


  By Date           By Thread  

Current thread:
  • p0f 2.0.1 passive fingerprinting tool Fyodor (Sep 30)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]