
Bugtraq mailing list archives
p0f - passive os fingerprinting tool
From: lcamtuf () TPI PL (Michal Zalewski)
Date: Sat, 10 Jun 2000 00:50:02 +0200
I'd like to announce the beta release of p0f, a passive OS fingerprinting utility. I decided to publish it now because I believe discussion will help in the process of debugging and developing the next, stable version and, what's probably most important, in collecting many different fingerprints to include in the database. In the meantime, please be polite. Any information about successful or unsuccessful attempts to launch p0f on platforms other than Linux, as well as bugfixes, suggestions, flames and database entries, will be appreciated. GPL and the standard disclaimer apply. The newest version is always available at http://lcamtuf.hack.pl/p0f.tgz :)

Here's a brief discussion and description of p0f's functionality, from the README file:

--=-- p.0.f --=--
passive OS fingerprinting tool
version 1.0
<lcamtuf () tpi pl>
http://lcamtuf.hack.pl/p0f.tgz

Special thanks to:
  tf8 for the initial piece of libpcap support and packet parsing
  teso/security.is/b0f/#hax for ideas and testing
  and other people involved (or not) in this project

Background

What is passive OS fingerprinting? This technique is based on information delivered by the remote host to our system, without active scanning. This means the remote host has to connect to our network in order for us to collect its operating system fingerprint.

How does it work? Well, there are some TCP/IP flags specific to given systems. Usually the initial TTL, window size, maximum segment size, don't fragment flag, sackOK option (or sack_permitted), nop option and window scaling option, combined together, give a unique 63-bit signature for every system.

What are the main advantages? Well, passive OS fingerprinting can be done on huge portions of input data, e.g. information gathered on a firewall, proxy or Internet server, without sending anything suspicious. You can launch passive OS detection software on such a machine and leave it for days, weeks or months, collecting really interesting statistical, and, erm, just interesting information.

What's really funny: packet filtering firewalls, network address translation and so on are transparent to this technique, so you're able to obtain information about systems behind the firewall. Also, such software is able to determine the distance between the remote host and your systems, allowing you to generate network structure maps for firewalled networks.

Sample output line:

  A.B.C.D [nn hops]: TopSecret OS version 2.3
  |       |          |
  |       |          +------ system description
  |       +----------------- approximate distance from our system
  +-------------------------- IP address

Limitations

Proxy firewalls (ones that do full proxying, not packet checking and basic rewriting) are usually not transparent. This limitation is common to every TCP fingerprinting technique. In order to obtain the information required for fingerprinting, you have to receive at least one SYN packet initializing a TCP connection to your machine or network. Note, you don't have to respond to that particular SYN. It is possible to perform fingerprinting on a live TCP connection or even when the connection is initialized from your network, but these techniques are less reliable - and what do we have nmap for, anyway? :)

Why is our bubble gum better?

This idea isn't anything new. There is another passive OS detection utility, called 'siphon'. It's proof-of-concept software, and it isn't perfect. Well, p0f isn't perfect for sure, but it has several improvements:

- p0f is a single-threaded application - it works properly on Linuxes (siphon has a problem with bpf on 2.2),
- it has a pretty large and detailed database (well, currently not so large, but we're doing active research, and expecting feedback from BUGTRAQ / packetstorm people),
- it uses more information for fingerprinting (4 additional fields),
- it's more accurate,
- you can define your own filtering rules in the tcpdump flavour:

    p0f 'src host 1.2.3.4'
  or
    p0f 'gateway 1.2.3.4 and port 80'

What more? Dunno :) Simply, check it out.

Not working!

Probably p0f isn't working well on every platform in the world; first of all, you'll need libpcap 0.4 or newer; sometimes pcap.h is placed in /usr/include/pcap instead of /usr/include/. In this case, please change the #include line in p0f.h, I have no time to write ./configure stuff :) Or simply do:

  ln -s /usr/include/pcap/pcap.h /usr/include/
  ln -s /usr/include/pcap/net/bpf.h /usr/include/net/

I believe there will be no problem with little/big endian, but if so, please drop me an e-mail, or simply fix it with #defines and send the diff back to me :)

NOTE: if p0f recognized a system incorrectly or cannot recognize it at all, please send the OS signature and system description to the author. Thanks :)

Files:

/etc/p0f.fp or ./p0f.fp - OS fingerprints database. The format is described inside:

  # Valid entry describes the way server starts TCP handshake (first SYN).
  # Important options are: window size (wss), maximum segment size (mss),
  # don't fragment flag (DF), window scaling (wscale), sackOK flag, nop
  # flag, and initial time to live (TTL) ;)
  #
  # How can you determine initial ttl? Well, usually it's first power of 2
  # bigger than TTL returned in scan. So, for example, if you get TTL 55 in
  # fingerprint returned by p0f, initial TTL will be usually 64... NOTE:
  # it's better to overestimate initial TTL than underestimate it ;)
  #
  # There are some brain-damaged devices, like network printers etc, that
  # have stupid initial TTLs like 60, but who cares, if HP LaserJet wants to
  # visit your server, you have to think again about your life ;)
  #
  # Format:
  #
  # wwww:ttt:mmm:D:W:S:N:OS Description
  #
  # wwww - window size
  # ttt  - time to live
  # mmm  - maximum segment size
  # D    - don't fragment flag (0=unset, 1=set)
  # W    - window scaling (-1=not present, anything else=value)
  # S    - sackOK flag (0=unset, 1=set)
  # N    - nop flag (0=unset, 1=set)

Note: there's one bugward-compatibility(R) workaround. If an entry has window scaling set to 0, the fingerprint will match even if the remote system has no window scaling option at all (-1). It's necessary due to a recently-fixed bug in the packet parsing code - older fingerprints have to be fixed, I'll do that.

What to do?

- ability to read tcpdump logs (the first versions of p0f cooperated with tcpdump, but this functionality has been replaced, I have to add it back),
- testing, testing, testing - portability tests,
- a better database,
- some command-line options,
- COLORFUL INTERFACE :))))

--
Michal Zalewski <lcamtuf () tpi pl>
_______________________________________________________
Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=

Attachment: p0f.tgz (application/octet-stream)
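As an added example (not part of this post and not the p0f source), here is a small Python program that carries out the matching the README describes: it parses entries in the wwww:ttt:mmm:D:W:S:N:description format, pulls the same seven fields out of a raw IPv4 TCP SYN, estimates the initial TTL with the README's power-of-two rule, applies the wscale 0 / -1 workaround, and emits the 'A.B.C.D [nn hops]: description' line. The database entries and the packets are constructed for illustration; the UNKNOWN line format, the packet builder, and the choice of "power of two at or above the observed TTL" (so that an unmodified 64 maps to 64 and 0 hops) are my assumptions.

```python
"""Passive OS fingerprint matching in the style of p0f 1.0.

Added example: this is not p0f's code. The database entries and the SYN
packets below are constructed for illustration only.
"""
import struct

# Constructed entries in the p0f.fp format  wwww:ttt:mmm:D:W:S:N:OS Description
SAMPLE_DB = """
# comments and blank lines are ignored
32120:64:1460:1:0:1:1:Constructed Linux-like entry
8760:64:1460:1:-1:0:0:Constructed BSD-like entry
8192:128:1460:1:0:1:1:Constructed Windows-like entry
"""


def parse_db(text):
    """Parse p0f.fp-style lines into (wss, ttl, mss, df, wscale, sack, nop, desc) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 7)  # the description may itself contain ':'
        if len(fields) != 8:
            raise ValueError("bad fingerprint entry: %r" % line)
        wss, ttl, mss, df, wscale, sack, nop = (int(f) for f in fields[:7])
        entries.append((wss, ttl, mss, df, wscale, sack, nop, fields[7]))
    return entries


def parse_syn(pkt):
    """Extract the seven signature fields (plus source address) from a raw IPv4 TCP SYN.

    Returns None for anything that is not an IPv4 packet carrying a bare SYN.
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    ttl = pkt[8]
    df = (struct.unpack("!H", pkt[6:8])[0] >> 14) & 1  # DF is bit 14 of the flags/fragment field
    src = ".".join(str(b) for b in pkt[12:16])
    tcp = pkt[ihl:]
    if tcp[13] & 0x12 != 0x02:  # SYN set and ACK clear: the first packet of the handshake
        return None
    data_off = (tcp[12] >> 4) * 4
    wss = struct.unpack("!H", tcp[14:16])[0]
    mss, wscale, sack, nop = 0, -1, 0, 0  # -1 means "no window scaling option", as in p0f.fp
    opts, i = tcp[20:data_off], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:  # end of option list
            break
        if kind == 1:  # NOP carries no length byte
            nop, i = 1, i + 1
            continue
        if i + 1 >= len(opts):  # truncated option: stop rather than read past the end
            break
        length = opts[i + 1]
        if kind == 2 and length == 4:  # maximum segment size
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        elif kind == 3 and length == 3:  # window scaling
            wscale = opts[i + 2]
        elif kind == 4 and length == 2:  # sackOK
            sack = 1
        i += max(length, 2)  # guard against a malformed zero length
    return dict(src=src, wss=wss, ttl=ttl, mss=mss, df=df, wscale=wscale, sack=sack, nop=nop)


def initial_ttl(ttl):
    """README rule of thumb: the first power of two at or above the observed TTL (55 -> 64)."""
    t = 1
    while t < ttl:
        t *= 2
    return t


def match(sig, db):
    """Return (description, hops) for the first database entry matching sig, else None."""
    for wss, ttl, mss, df, wscale, sack, nop, desc in db:
        # README workaround: an entry with wscale 0 also matches a SYN with no wscale option (-1)
        wscale_ok = sig["wscale"] == wscale or (wscale == 0 and sig["wscale"] == -1)
        fixed_ok = (sig["wss"], sig["mss"], sig["df"], sig["sack"], sig["nop"]) == (wss, mss, df, sack, nop)
        if fixed_ok and wscale_ok and initial_ttl(sig["ttl"]) == ttl:
            return desc, ttl - sig["ttl"]  # distance = initial TTL minus observed TTL
    return None


def report(pkt, db):
    """Produce one output line in the README's 'A.B.C.D [nn hops]: description' format."""
    sig = parse_syn(pkt)
    if sig is None:
        return None
    hit = match(sig, db)
    if hit is None:  # UNKNOWN line layout is an assumption of this example, not p0f's
        return "%s: UNKNOWN %d:%d:%d:%d:%d:%d:%d" % (sig["src"], sig["wss"], initial_ttl(sig["ttl"]),
                                                    sig["mss"], sig["df"], sig["wscale"], sig["sack"], sig["nop"])
    desc, hops = hit
    return "%s [%d hops]: %s" % (sig["src"], hops, desc)


def build_syn(src, ttl, df, wss, options=b"", flags=0x02):
    """Construct a minimal IPv4/TCP packet for testing (no checksums; not a real capture)."""
    options += b"\x00" * (-len(options) % 4)  # pad with EOL so the NOP flag stays explicit
    tcp_len = 20 + len(options)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, df << 14, ttl, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes([10, 0, 0, 1]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, (tcp_len // 4) << 4, flags, wss, 0, 0)
    return ip + tcp + options


if __name__ == "__main__":
    db = parse_db(SAMPLE_DB)
    # Constructed SYN: MSS 1460, sackOK, NOP, wscale 0, TTL 55 (9 hops from an initial 64)
    print(report(build_syn("192.0.2.10", 55, 1, 32120, bytes([2, 4, 5, 0xB4, 4, 2, 1, 3, 3, 0])), db))
```

The packet builder pads options with EOL bytes rather than NOPs so that the N field only becomes 1 when the sender actually placed a NOP, which is what the database format records; a real capture fed through parse_syn would of course carry whatever padding the sender chose.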