p0f

Description

P0f is a tool that utilizes an array of sophisticated, purely passive traffic fingerprinting mechanisms to identify the players behind any incidental TCP/IP communications (often as little as a single normal SYN) without interfering in any way. Version 3 is a complete rewrite of the original codebase, incorporating a significant number of improvements to network-level fingerprinting, and introducing the ability to reason about application-level payloads (e.g., HTTP).

Usage

Options

  -f file   - read fingerprints from file
  -i device - listen on this device
  -s file   - read packets from tcpdump snapshot
  -o file   - write to this logfile (implies -t)
  -w file   - save packets to tcpdump snapshot
  -u user   - chroot and setuid to this user
  -Q sock   - listen on local socket for queries
  -0        - make src port 0 a wildcard (in query mode)
  -e ms     - pcap capture timeout in milliseconds (default: 1)
  -c size   - cache size for -Q and -M options
  -M        - run masquerade detection
  -T nn     - set masquerade detection threshold (1-200)
  -V        - verbose masquerade flags reporting
  -F        - use fuzzy matching (do not combine with -R)
  -N        - do not report distances and link media
  -D        - do not report OS details (just genre)
  -U        - do not display unknown signatures
  -K        - do not display known signatures (for tests)
  -S        - report signatures even for known systems
  -A        - go into SYN+ACK mode (semi-supported)
  -R        - go into RST/RST+ACK mode (semi-supported)
  -O        - go into stray ACK mode (barely supported)
  -r        - resolve host names (not recommended)
  -q        - be quiet - no banner
  -v        - enable support for 802.1Q VLAN frames
  -p        - switch card to promiscuous mode
  -d        - daemon mode (fork into background)
  -l        - use single-line output (easier to grep)
  -x        - include full packet dump (for debugging)
  -X        - display payload string (useful in RST mode)
  -C        - run signature collision check
  -t        - add timestamps to every entry

  'Filter rule' is an optional pcap-style BPF expression (man tcpdump).

Example

To get p0f running, type the command (p0f) followed by -i (for interface), the name of the interface to listen on (eth0 here), and then the -v and -t options (-t adds a timestamp to every entry).


cyborg@cyborg:~$ sudo p0f -i eth0 -vt
p0f - passive os fingerprinting utility, version 2.0.8
(C) M. Zalewski <[email protected]>, W. Stearns <[email protected]>
p0f: listening (SYN) on 'eth0', 262 sigs (14 generic, cksum 0F1F5CA2), rule: 'all'.

Send Windows 7 Traffic

To do this, open the Cyborg system's IP address in a browser from the Windows 7 host.

Example: 192.168.1.8


cyborg@cyborg:~$ sudo p0f -i eth0 -vt
p0f - passive os fingerprinting utility, version 2.0.8
(C) M. Zalewski <[email protected]>, W. Stearns <[email protected]>
p0f: listening (SYN) on 'eth0', 262 sigs (14 generic, cksum 0F1F5CA2), rule: 'all'.
<Thu Sep  3 17:41:10 2015> 192.168.1.18:61193 - Windows XP/2000 (RFC1323+, w+, tstamp-) [GENERIC] 
  Signature: [8192:128:1:52:M1460,N,W2,N,N,S:.:Windows:?] 
  -> 192.168.1.8:80 (distance 0, link: ethernet/modem)
<Thu Sep  3 17:41:10 2015> 192.168.1.18:61194 - Windows XP/2000 (RFC1323+, w+, tstamp-) [GENERIC] 
  Signature: [8192:128:1:52:M1460,N,W2,N,N,S:.:Windows:?] 
  -> 192.168.1.8:80 (distance 0, link: ethernet/modem)
<Thu Sep  3 17:41:10 2015> 192.168.1.18:61195 - Windows XP/2000 (RFC1323+, w+, tstamp-) [GENERIC] 
  Signature: [8192:128:1:52:M1460,N,W2,N,N,S:.:Windows:?] 
  -> 192.168.1.8:80 (distance 0, link: ethernet/modem)
<Thu Sep  3 17:41:10 2015> 192.168.1.18:61196 - Windows XP/2000 (RFC1323+, w+, tstamp-) [GENERIC] 
  Signature: [8192:128:1:52:M1460,N,W2,N,N,S:.:Windows:?] 
  -> 192.168.1.8:80 (distance 0, link: ethernet/modem)

Note that p0f reported the Windows 7 host as Windows XP/2000; the match is marked [GENERIC], so only the genre (Windows) is reliable, not the version.
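To turn entries like the ones above into structured records (and to flag [GENERIC] matches as low-confidence, as happened with the Windows 7 host), here is an added parser for the p0f 2.x three-line output format. It is example code, not part of p0f; the sample log is constructed from the output shown on this page, and the field layout follows the p0f 2.x signature format wss:ttl:df:synsize:options:quirks:genre:details.

```python
import re

# Constructed sample: one entry in the three-line format p0f 2.x prints with -vt.
SAMPLE_LOG = """\
<Thu Sep  3 17:41:10 2015> 192.168.1.18:61193 - Windows XP/2000 (RFC1323+, w+, tstamp-) [GENERIC] 
  Signature: [8192:128:1:52:M1460,N,W2,N,N,S:.:Windows:?] 
  -> 192.168.1.8:80 (distance 0, link: ethernet/modem)
"""

HEADER = re.compile(r"^<(?P<ts>[^>]+)> (?P<src>[\d.]+):(?P<sport>\d+) - (?P<label>.+?)"
                    r"(?: \[(?P<flag>[A-Z]+)\])?\s*$")
SIGNATURE = re.compile(r"^\s*Signature: \[(?P<sig>[^\]]+)\]")
TARGET = re.compile(r"^\s*-> (?P<dst>[\d.]+):(?P<dport>\d+) "
                    r"\(distance (?P<dist>\d+), link: (?P<link>[^)]+)\)")

def parse_signature(sig: str) -> dict:
    """Split a p0f 2.x signature: wss:ttl:df:synsize:options:quirks:genre:details."""
    wss, ttl, df, size, opts, quirks, genre, details = sig.split(":", 7)
    return {
        "wss": wss,                  # window size; kept as text (may be S*/T* multipliers)
        "ttl": int(ttl),             # initial TTL guessed from the SYN
        "df": df == "1",             # don't-fragment bit set
        "syn_size": int(size),       # total SYN packet size
        "options": opts.split(","),  # M1460=MSS 1460, N=NOP, W2=wscale 2, S=SACK OK
        "quirks": [] if quirks == "." else list(quirks),
        "genre": genre,
        "details": details,          # "?" means p0f could not pin the version
    }

def parse_entries(text: str) -> list:
    """Group header, Signature and -> lines into one dict per fingerprinted SYN."""
    entries, cur = [], None
    for line in text.splitlines():
        if m := HEADER.match(line):
            cur = {"ts": m["ts"], "src": m["src"], "sport": int(m["sport"]),
                   "label": m["label"], "generic": m["flag"] == "GENERIC"}
            entries.append(cur)
        elif cur and (m := SIGNATURE.match(line)):
            cur["sig"] = parse_signature(m["sig"])
        elif cur and (m := TARGET.match(line)):
            cur.update(dst=m["dst"], dport=int(m["dport"]),
                       distance=int(m["dist"]), link=m["link"])
    return entries

def low_confidence(entry: dict) -> bool:
    """A [GENERIC] hit or '?' details means only the genre is trustworthy."""
    return entry["generic"] or entry.get("sig", {}).get("details") == "?"
```

Feed it the -o logfile (or stdout) of a p0f 2.x run; records where low_confidence() is true should not be used to assert an OS version in an inventory or alert.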


©2017 Ztrela Knowledge Solutions Pvt. Ltd
