[15282] in bugtraq


p0f - passive os fingerprinting tool

daemon@ATHENA.MIT.EDU (Michal Zalewski)
Sat Jun 10 02:06:47 2000

Message-Id:  <Pine.LNX.4.10.10006092345560.7418-101000@squirrel.tpi.pl>
Date:         Sat, 10 Jun 2000 00:50:02 +0200
Reply-To: Michal Zalewski <lcamtuf@TPI.PL>
From: Michal Zalewski <lcamtuf@TPI.PL>
To: BUGTRAQ@SECURITYFOCUS.COM



I'd like to announce the beta release of p0f, a passive OS fingerprinting
utility. I decided to publish it now because I believe discussion will
help in the process of debugging and developing the next, stable version - and,
what's probably the most important - in collecting many different
fingerprints to include in the database.

In the meantime, please be polite. Any information about successful or
unsuccessful attempts at launching p0f on platforms other than Linux,
bugfixes, suggestions, flames and database entries will be appreciated.
GPL and the standard disclaimer apply. The newest version is always available at
http://lcamtuf.hack.pl/p0f.tgz :)

Here's a brief discussion and description of p0f's functionality, from the
README file:

                                  --=--
                                  p.0.f
                                  --=--

                      passive OS fingerprinting tool
                       version 1.0 <lcamtuf@tpi.pl>

                      http://lcamtuf.hack.pl/p0f.tgz

Special thanks to:

  tf8 for initial piece of libpcap support and packet parsing
  teso/security.is/b0f/#hax for ideas and testing
  and other people involved (or not) in this project

Background

  What is passive OS fingerprinting? This technique is based on information
  delivered by the remote host to our system, without active scanning. This
  means the remote host has to connect to our network for us to collect its
  operating system fingerprint.

  How does it work? Well, some TCP/IP parameters are specific to given
  systems. Usually the initial TTL, window size, maximum segment size, don't
  fragment flag, sackOK option (or sack_permitted), nop option and window
  scaling option, combined together, give a unique 63-bit signature for
  every system.

  What are the main advantages? Well, passive OS fingerprinting can be done
  on huge portions of input data - e.g. information gathered on a firewall,
  proxy or Internet server - without sending anything suspicious. You can
  launch passive OS detection software on such a machine and leave it for
  days, weeks or months, collecting really interesting statistical, and,
  erm, just interesting information. What's really funny - packet filtering
  firewalls, network address translation and so on are transparent to this
  technique, so you're able to obtain information about systems behind the
  firewall. Also, such software is able to estimate the distance between a
  remote host and your systems, allowing you to generate network structure
  maps for firewalled networks.

  Sample output line:

  A.B.C.D [nn hops]: TopSecret OS version 2.3
  |        |         +------ system description
  |        +---------------- approximated distance from our system
  +------------------------- IP address

Limitations

  Proxy firewalls (that do full proxying, not packet checking and basic
  rewriting) are usually not transparent. This limitation is common to
  every TCP fingerprinting technique.

  In order to obtain the information required for fingerprinting, you have to
  receive at least one SYN packet initiating a TCP connection to your
  machine or network. Note that you don't have to respond to that SYN.

  It is possible to perform fingerprinting on an established TCP connection or
  even when the connection is initiated from your network. But these techniques
  are less reliable - and what do we have nmap for, anyway? :)

Why is our bubble gum better?

  This idea isn't anything new.
  There is another passive OS detection utility, called 'siphon'. It's
  proof-of-concept software, and it isn't perfect. Well, p0f isn't perfect
  for sure, but it has several improvements:

  - p0f is a single-threaded application,

  - it works properly on Linux (siphon has a problem with bpf on 2.2),

  - it has a pretty large and detailed database (well, currently not so large,
    but we're doing active research, and expecting feedback from BUGTRAQ
    / packetstorm people),

  - it uses more information for fingerprinting (4 additional fields),

  - it's more accurate,

  - you can define your own filtering rules in the tcpdump flavour:
    p0f 'src host 1.2.3.4' or p0f 'gateway 1.2.3.4 and port 80'

  What more? Dunno :) Simply check it out.

Not working!

  p0f probably isn't working well on every platform in the world; first
  of all, you'll need libpcap 0.4 or newer; sometimes pcap.h is placed in
  /usr/include/pcap instead of /usr/include/. In this case, please change the
  #include line in p0f.h, I have no time to write ./configure stuff :)

  Or simply do:

  ln -s /usr/include/pcap/pcap.h /usr/include/
  ln -s /usr/include/pcap/net/bpf.h /usr/include/net/

  I believe there will be no problem with little/big endian, but if so,
  please drop me an e-mail, or simply fix it with #defines and send the
  diff back to me :)

  NOTE: if p0f recognizes a system incorrectly or cannot recognize it at all,
  please send the OS signature and system description to the author. Thanks :)

Files:

  /etc/p0f.fp or ./p0f.fp - OS fingerprint database. The format is described
  inside:

  # A valid entry describes the way a server starts the TCP handshake (first SYN).
  # Important options are: window size (wss), maximum segment size (mss),
  # don't fragment flag (DF), window scaling (wscale), sackOK flag, nop
  # flag, and initial time to live (TTL) ;)
  #
  # How can you determine the initial TTL? Well, usually it's the first power
  # of 2 bigger than the TTL returned in the scan. So, for example, if you get
  # TTL 55 in the fingerprint returned by p0f, the initial TTL will usually be
  # 64... NOTE: it's better to overestimate the initial TTL than to
  # underestimate it ;)
  #
  # There are some brain-damaged devices, like network printers etc., that
  # have stupid initial TTLs like 60, but who cares, if an HP LaserJet wants to
  # visit your server, you have to think again about your life ;)
  #
  # Format:
  #
  # wwww:ttt:mmm:D:W:S:N:OS Description
  #
  # wwww - window size
  # ttt  - time to live
  # mmm  - maximum segment size
  # D    - don't fragment flag  (0=unset, 1=set)
  # W    - window scaling (-1=not present, anything else=value)
  # S    - sackOK flag (0=unset, 1=set)
  # N    - nop flag (0=unset, 1=set)

  Note: there's one bugward-compatibility(R) workaround. If an entry has
  window scaling set to 0, the fingerprint will match even if the remote
  system has no window scaling option at all (-1). It's necessary due to a
  recently-fixed bug in the packet parsing code - older fingerprints have
  to be fixed, I'll do that.
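  As an added illustration (not code from the p0f tarball), here is a Python
  parser for the p0f.fp format above, together with the initial-TTL rule, the
  "[nn hops]" distance estimate and the wscale 0/-1 workaround described in this
  section. The sample entries are constructed placeholders, and the cap at 255
  is my assumption, not something the README states.

```python
from typing import List, NamedTuple, Optional
# Constructed p0f.fp sample in the wwww:ttt:mmm:D:W:S:N:OS format described above
# (placeholder entries, not fingerprints from p0f's own database).
SAMPLE_FP = """\
# comment and blank lines are ignored
2048:64:1460:0:-1:0:0:Example Unix-like 2.x (constructed)
8192:128:1460:1:0:1:1:Example Desktop OS 5 (constructed)
16384:64:512:1:0:0:0:Example Router (constructed, wscale entry 0)
"""
# ttl is the *initial* TTL as stored in the database; wscale -1 = option absent.
Sig = NamedTuple("Sig", [(f, int) for f in "wss ttl mss df wscale sack nop".split()]
                 + [("desc", str)])

def parse_fp(text: str) -> List[Sig]:
    # Split off exactly seven numeric fields; the OS description may contain ':'.
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 7)
        if len(parts) != 8:
            raise ValueError(f"malformed p0f.fp entry: {line!r}")
        sigs.append(Sig(*[int(p) for p in parts[:7]], parts[7]))
    return sigs

def initial_ttl(observed: int) -> int:
    # README rule: first power of two at or above the observed TTL (55 -> 64);
    # capped at 255 because the IP TTL field is 8 bits (my addition, not p0f's).
    ttl = 1
    while ttl < observed:
        ttl *= 2
    return min(ttl, 255)

def hops(observed_ttl: int) -> int:
    # Distance printed as "[nn hops]": initial TTL minus the TTL seen in the SYN.
    return initial_ttl(observed_ttl) - observed_ttl

def match(sigs: List[Sig], wss: int, ttl: int, mss: int, df: int,
          wscale: int, sack: int, nop: int) -> Optional[Sig]:
    # Normalise the observed TTL, then compare. README workaround: an entry with
    # wscale 0 also matches a SYN that carries no wscale option at all (-1).
    init = initial_ttl(ttl)
    for s in sigs:
        wscale_ok = s.wscale == wscale or (s.wscale == 0 and wscale == -1)
        if wscale_ok and (s.wss, s.ttl, s.mss, s.df, s.sack, s.nop) == (wss, init, mss, df, sack, nop):
            return s
    return None
```

  Note that the workaround is one-directional: an entry with wscale -1 does
  not match a SYN whose wscale option is present with value 0.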

What to do?

  - ability to read tcpdump logs (the first versions of p0f cooperated
    with tcpdump, but this functionality has been replaced, I have to
    add it back),

  - testing, testing, testing - portability tests,

  - better database,

  - some command-line options,

  - COLORFUL INTERFACE :))))

-- Michal Zalewski <lcamtuf@tpi.pl>

_______________________________________________________
Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
