p0f

Source: Internet | Editor: 程序博客网 | Posted: 2024/05/22 06:21

p0f: passive OS fingerprinting tool

P0f is a tool that utilizes an array of sophisticated, purely passive traffic fingerprinting mechanisms to identify the players behind any incidental TCP/IP communications (often as little as a single normal SYN) without interfering in any way. Version 3 is a complete rewrite of the original codebase, incorporating a significant number of improvements to network-level fingerprinting, and introducing the ability to reason about application-level payloads (e.g., HTTP).

Some of p0f's capabilities include:

  • Highly scalable and extremely fast identification of the operating system and software on both endpoints of a vanilla TCP connection, especially in settings where Nmap probes are blocked, too slow, unreliable, or would simply set off alarms.
  • Measurement of system uptime and network hookup, distance (including topology behind NAT or packet filters), user language preferences, and so on.
  • Automated detection of connection sharing / NAT, load balancing, and application-level proxying setups.
  • Detection of clients and servers that forge declarative statements such as X-Mailer or User-Agent.

The tool can be operated in the foreground or as a daemon, and offers a simple real-time API for third-party components that wish to obtain additional information about the actors they are talking to.

Common uses for p0f include reconnaissance during penetration tests; routine network monitoring; detection of unauthorized network interconnects in corporate environments; providing signals for abuse-prevention tools; and miscellaneous forensics.

Source: http://lcamtuf.coredump.cx/p0f3/
p0f Homepage | Kali p0f Repo

  • Author: Michal Zalewski
  • License: LGPL-2

p0f – Passive OS fingerprinting tool

root@kali:~# p0f -h
--- p0f 3.06b by Michal Zalewski <lcamtuf@coredump.cx> ---

./p0f: invalid option -- 'h'
Usage: p0f [ ...options... ] [ 'filter rule' ]

Network interface options:

  -i iface  - listen on the specified network interface
  -r file   - read offline pcap data from a given file
  -p        - put the listening interface in promiscuous mode
  -L        - list all available interfaces

Operating mode and output settings:

  -f file   - read fingerprint database from 'file' (p0f.fp)
  -o file   - write information to the specified log file
  -s name   - answer to API queries at a named unix socket
  -u user   - switch to the specified unprivileged account and chroot
  -d        - fork into background (requires -o or -s)

Performance-related options:

  -S limit  - limit number of parallel API connections (20)
  -t c,h    - set connection / host cache age limits (30s,120m)
  -m c,h    - cap the number of active connections / hosts (1000,10000)

Optional filter expressions (man tcpdump) can be specified in the command
line to prevent p0f from looking at incidental network traffic.

Problems? You can reach the author at <lcamtuf@coredump.cx>.

The values in parentheses are the defaults. p0f has no -h option; the unrecognized flag is what triggers the usage text above. Note that -d (daemon mode) only makes sense together with a log file (-o) or an API socket (-s), since there is otherwise nowhere for the results to go, and -u drops privileges and chroots after the capture interface has been opened, which is the setting you want for an unattended sensor.


p0f Usage Example

Use interface eth0 (-i eth0) in promiscuous mode (-p), saving the results to a file (-o /tmp/p0f.log):

root@kali:~# p0f -i eth0 -p -o /tmp/p0f.log
--- p0f 3.07b by Michal Zalewski <lcamtuf@coredump.cx> ---

[+] Closed 1 file descriptor.
[+] Loaded 320 signatures from 'p0f.fp'.
[+] Intercepting traffic on interface 'eth0'.
[+] Default packet filtering configured [+VLAN].
[+] Log file '/tmp/p0f.log' opened for writing.
[+] Entered main event loop.

.-[ 192.168.1.15/35834 -> 173.246.39.185/873 (syn) ]-
|
| client   = 192.168.1.15/35834
| os       = Linux 2.2.x-3.x
| dist     = 0
| params   = generic
| raw_sig  = 4:64+0:0:1460:mss*20,10:mss,sok,ts,nop,ws:df,id+:0

The block describes the client side of a single SYN. os is the best match from p0f.fp; dist is the hop count estimated from the TTL (0 here, so the client sits on the local segment); params = generic means the match came from a generic signature rather than an OS-specific one; and raw_sig is the fingerprint itself in p0f's ver:ittl:olen:mss:wsize,scale:olayout:quirks:pclass layout, which is what you paste into p0f.fp when adding a signature of your own.

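To make the raw_sig line concrete, the following added example (not p0f's own code) rebuilds that signature from the bytes of a SYN and matches it against p0f.fp-style entries. It follows the field layout p0f v3 documents (ver:ittl:olen:mss:wsize,scale:olayout:quirks:pclass) but is deliberately simplified: only the quirks and window encodings needed for the two constructed packets are implemented, checksums are not verified, and both the packets and the two-entry signature database are constructed here for illustration, not taken from the shipped p0f.fp. The first packet reproduces the Linux SYN from the capture above; the second shows how a Windows-style option layout seen 11 hops away is resolved back to its initial TTL of 128.

```python
"""Passive TCP SYN fingerprinting in the style of p0f v3 (added example, not p0f code).

Signature layout, as printed in p0f's raw_sig and stored in p0f.fp:
    ver:ittl:olen:mss:wsize,scale:olayout:quirks:pclass
Assumptions: subset of quirks, no mtu*N windows, no fuzzy TTL matching,
checksums not checked; all packets and database entries are constructed.
"""
import struct

# TCP option kinds as p0f abbreviates them in the olayout field.
OPT_NAMES = {1: "nop", 2: "mss", 3: "ws", 4: "sok", 5: "sack", 8: "ts"}


def guess_dist(ttl: int) -> int:
    """Hop count, assuming the sender started from 32, 64, 128 or 255."""
    for initial in (32, 64, 128, 255):
        if ttl <= initial:
            return initial - ttl
    return 0


def raw_sig(pkt: bytes) -> dict:
    """Extract the SYN-level fingerprint from an IPv4 header + TCP header with options."""
    ver_ihl, _tos, _tlen, ip_id, frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("IPv4/TCP only in this example")
    df = bool(frag & 0x4000)
    tcp = pkt[ihl:]
    sport, _dport, seq, ack, off_flags, wsize, _csum, urg = struct.unpack("!HHIIHHHH", tcp[:20])
    doff, flags = (off_flags >> 12) * 4, off_flags & 0x1FF
    opts, payload = tcp[20:doff], tcp[doff:]

    # Walk the option list in order; the order itself is a strong OS tell.
    layout, mss, scale, i = [], None, 0, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # EOL: p0f records the padding that follows
            layout.append(f"eol+{len(opts) - i - 1}")
            break
        if kind == 1:                      # NOP carries no length byte
            layout.append("nop")
            i += 1
            continue
        ln = opts[i + 1]
        body = opts[i + 2:i + ln]
        if kind == 2:
            mss = struct.unpack("!H", body)[0]
        elif kind == 3:
            scale = body[0]
        layout.append(OPT_NAMES.get(kind, f"?{kind}"))
        i += ln

    # p0f writes the window as a multiple of MSS when it divides evenly.
    win = f"mss*{wsize // mss}" if mss and wsize % mss == 0 else str(wsize)

    quirks = []
    if df:
        quirks.append("df")
        if ip_id:
            quirks.append("id+")           # DF set, yet the IP ID field is still used
    elif not ip_id:
        quirks.append("id-")               # no DF and a zero IP ID
    if flags & 0x0C0:
        quirks.append("ecn")               # ECE/CWR on a SYN
    if seq == 0:
        quirks.append("seq-")
    if ack and not flags & 0x010:
        quirks.append("ack+")              # ACK number set without the ACK flag
    if urg and not flags & 0x020:
        quirks.append("uptr+")             # urgent pointer set without URG
    if flags & 0x008:
        quirks.append("pushf+")

    dist = guess_dist(ttl)
    sig = (f"4:{ttl}+{dist}:{ihl - 20}:{mss or '*'}:{win},{scale}:"
           f"{','.join(layout)}:{','.join(quirks)}:{'+' if payload else '0'}")
    return {"sig": sig, "dist": dist, "sport": sport}


def match(sig: str, db_sig: str) -> bool:
    """Exact-match core of the lookup: '*' is a wildcard, and the database stores the
    initial TTL while raw_sig carries observed TTL plus estimated distance."""
    raw, ref = sig.split(":"), db_sig.split(":")
    ttl, dist = map(int, raw[1].split("+"))
    raw[1] = str(ttl + dist)
    return len(raw) == len(ref) and all(r in ("*", s) for r, s in zip(ref, raw))


# Constructed entries written the way p0f.fp does: label, then signature.
SIGNATURE_DB = [
    ("g:unix:Linux:2.2.x-3.x", "*:64:0:*:mss*20,10:mss,sok,ts,nop,ws:df,id+:0"),
    ("s:win:Windows:7 or 8", "*:128:0:*:8192,8:mss,nop,ws,nop,nop,sok:df,id+:0"),
]


def identify(pkt: bytes) -> dict:
    """Fingerprint one SYN and attach the first matching database label (or None)."""
    info = raw_sig(pkt)
    info["label"] = next((lbl for lbl, s in SIGNATURE_DB if match(info["sig"], s)), None)
    return info


def build_syn(ttl: int, ip_id: int, wsize: int, opts: bytes, sport: int, dport: int) -> bytes:
    """Constructed IPv4/TCP SYN with DF set; checksums are left at zero."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0x11223344, 0,
                      ((20 + len(opts)) // 4) << 12 | 0x002, wsize, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0x4000, ttl, 6, 0,
                     bytes([192, 168, 1, 15]), bytes([173, 246, 39, 185]))
    return ip + tcp


# Linux-style layout as in the capture above: mss,sok,ts,nop,ws, window 20*MSS, TTL 64.
LINUX_SYN = build_syn(64, 0x1234, 29200, struct.pack("!BBH", 2, 4, 1460) + bytes([4, 2])
                      + struct.pack("!BBII", 8, 10, 123456, 0) + bytes([1, 3, 3, 10]), 35834, 873)
# Windows-style layout seen 11 hops away: mss,nop,ws,nop,nop,sok, TTL 128 observed as 117.
WINDOWS_SYN = build_syn(117, 0x2AB3, 8192, struct.pack("!BBH", 2, 4, 1460)
                        + bytes([1, 3, 3, 8, 1, 1, 4, 2]), 49152, 443)

if __name__ == "__main__":
    for pkt in (LINUX_SYN, WINDOWS_SYN):
        r = identify(pkt)
        print(f"client port {r['sport']}  dist={r['dist']}  os={r['label']}\n  raw_sig={r['sig']}")
```

The Linux packet yields exactly the raw_sig printed in the capture above, with dist 0, and the Windows packet shows why p0f can still match a host behind eleven routers: the database keeps the initial TTL, and the observed TTL plus the guessed distance is compared against it. This is also why a deliberately lowered initial TTL or a rewritten option order defeats the OS guess while the connection itself keeps working; p0f reports such hosts with a poor match or none at all.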
