p0f

p0f
Developer(s) Michal Zalewski
Stable release
3.09b / 2016-04-18
Written in C
Operating system Linux, Macintosh, Windows
Type OS fingerprinting
Website lcamtuf.coredump.cx/p0f.shtml

p0f is a versatile passive OS fingerprinting tool. p0f can identify the system on machines that connect to your box, machines you connect to, and even machines that merely go through or near your box even if the device is behind a packet firewall.

p0f will also detect what the remote system is hooked up to (be it Ethernet, DSL, OC3), how far it is located, and its uptime. The latest beta can also detect masquerade or illegal network hook-ups (useful for ISPs and corporate networks). p0f can detect certain types of packet filters and NAT setups, and sometimes can determine the name of the other guy's ISP. It's still passive. It does not generate any network traffic. No name lookups, no traffic to the victim, no ARIN queries, no trace route.

Features

p0f can identify the system on:

But checking the system is not all p0f can do, p0f will also check the following:

[1] [2]

Advantage over other fingerprinting tools

The passive nature of p0f is what sets it apart from the other fingerprinting tools. p0f passively listens to the network traffic without creating any extra packets. It determines the operating system of the remote host by analyzing certain fields in the captured packets. Due to this passive analysis, the remote system will not be able to detect the packet capture.

How it works

As mentioned above, p0f captures packets, and analyses them on the basis of certain fields. Time to live (TTL), Win, Don't Fragment and TOS are some of the fields used for OS fingerprinting by p0f. Values of these fields are compared with the signatures in a fingerprint file, which is stored in /etc/p0f/p0f.fp in most implementations of p0f. The user is allowed to use a different fingerprinting file by running p0f with the -f command line option.

Usage

p0f does not have a graphical user interface. It can be run from the command line prompt. A comprehensive list of p0f options for version 3 is given below.

Usage: p0f [ -f file ] [ -i iface ] [ -L ] [ -r file ] [ -o file ]
       [ -s file ] [ -d ] [ -u user ] [ -p ] [ -S num ] [ -m c,h ] [ -t c,h ]
  -f file  - reads fingerprint database (p0f.fp) from file
  -i iface - listen on specific network interface
  -L       - list all available network interfaces
  -r file  - read pcap packet file instead of listening to an interface
  -o file  - append output to file in grep-friendly format
  -s file  - output to a socket
  -d       - go into daemon mode
  -u user  - switch to specified user and drop privileges, use with -d
  
  -p       - put the selected interface into promiscuous mode
  -S num   - set maximum number of API client connections, default is 20
  -m c,h   - set maximum number of clients and hosts to be tracked
  -t c,h   - set timeouts for any connection(c) and for purging idle hosts (h)

source : http://lcamtuf.coredump.cx/p0f3/releases/p0f-3.07b.tgz README

References

  1. Jon Mark Allen, OS and Application Fingerprinting Techniques
  2. http://lcamtuf.coredump.cx/p0f.shtml
This article is issued from Wikipedia - version of the 8/29/2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.