P0f

glitchlist Blog

With this passive fingerprinting utility, inspecting live traffic or a .pcap file yields information about the systems behind the observed connections.

In this example, we sniffed the WAN interface of our Internet router. The tool passively recognises an OS from traces and behaviours in TCP packets, without sending any probes of its own.

[lab@ethprobe ~]$ sudo p0f -r /tmp/wires_3.pcap
[sudo] password for lab: 
--- p0f 3.09b by Michal Zalewski <lcamtuf@coredump.cx> ---

[+] Closed 1 file descriptor.
[+] Loaded 322 signatures from '/etc/p0f/p0f.fp'.
[+] Will read pcap data from file '/tmp/wires_3.pcap'.
[+] Default packet filtering configured [+VLAN].
[+] Processing capture data.

.-[ x.x.x.x/52982 -> x.x.x.x/443 (syn) ]-
|
| client   = x.x.x.x/52982
| os       = Linux 2.6.x
| dist     = 2
| params   = none
| raw_sig  = 4:62+2:0:1460:mss*4,7:mss,sok,ts,nop,ws:df,id+:0
|
`----

.-[ x.x.x.x/33243 -> x.x.x.x/443 (mtu) ]-
|
| server   = x.x.x.x/443
| link     = generic tunnel or VPN
| raw_mtu  = 1420
|
`----

.-[ x.x.x.x/48831 -> x.x.x.x/443 (mtu) ]-
|
| server   = x.x.x.x/443
| link     = Ethernet or modem
| raw_mtu  = 1500
|
`----

.-[ x.x.x.x/51853 -> x.x.x.x/443 (syn) ]-
|
| client   = x.x.x.x/51853
| os       = Windows NT kernel
| dist     = 6
| params   = generic
| raw_sig  = 4:122+6:0:1460:mss*44,8:mss,nop,ws,nop,nop,sok:df,id+:0
|
`----

.-[ x.x.x.x/55602 -> x.x.x.x/443 (syn) ]-
|
| client   = x.x.x.x/55602
| os       = Windows 7 or 8
| dist     = 1
| params   = none
| raw_sig  = 4:127+1:0:1460:8192,8:mss,nop,ws,nop,nop,sok:df,id+:0
|
`----
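To make sense of those raw_sig lines, here is an added Python decoder (not part of the original post or of p0f itself) that splits a p0f 3.x SYN signature into its fields, resolves the MSS-relative window size, and recomputes the distance the way p0f guesses it from the observed TTL. The three sample signatures are copied from the output above; the field order follows the p0f documentation.

```python
"""Decode p0f 3.x raw_sig strings for SYN packets.

Field order: ver:ttl+dist:olen:mss:wsize,wscale:olayout:quirks:pclass
"""
from dataclasses import dataclass

# Constructed sample set: the SYN signatures printed by p0f in the capture above.
SAMPLE_SIGS = {
    "Linux 2.6.x":       "4:62+2:0:1460:mss*4,7:mss,sok,ts,nop,ws:df,id+:0",
    "Windows NT kernel": "4:122+6:0:1460:mss*44,8:mss,nop,ws,nop,nop,sok:df,id+:0",
    "Windows 7 or 8":    "4:127+1:0:1460:8192,8:mss,nop,ws,nop,nop,sok:df,id+:0",
}


def guess_dist(ttl: int) -> int:
    """p0f's hop-distance guess: assume the nearest common initial TTL at or above the observed one."""
    for initial in (32, 64, 128):
        if ttl <= initial:
            return initial - ttl
    return 255 - ttl


@dataclass
class TcpSig:
    ip_version: int
    ttl: int          # TTL as seen on the wire
    dist: int         # hops p0f believes the packet travelled
    olen: int         # length of IP options
    mss: int
    wsize: int        # window in bytes, with mss*N forms resolved (-1 if unknown "*")
    wscale: int       # window scale option value (shift count)
    olayout: tuple    # TCP option order, e.g. ('mss', 'sok', 'ts', 'nop', 'ws')
    quirks: tuple     # e.g. ('df', 'id+')
    pclass: int       # 0 = SYN carried no payload

    @property
    def initial_ttl(self) -> int:
        return self.ttl + self.dist


def parse_raw_sig(sig: str) -> TcpSig:
    ver, ttl_dist, olen, mss, window, olayout, quirks, pclass = sig.split(":")
    ttl, dist = (int(x) for x in ttl_dist.split("+"))
    mss_v = int(mss)
    wsize_s, wscale_s = window.split(",")
    if wsize_s.startswith("mss*"):           # window expressed as a multiple of MSS
        wsize = mss_v * int(wsize_s[4:])
    elif wsize_s == "*":                      # p0f could not classify the window
        wsize = -1
    else:
        wsize = int(wsize_s)
    return TcpSig(int(ver), ttl, dist, int(olen), mss_v, wsize, int(wscale_s),
                  tuple(olayout.split(",")),
                  tuple(q for q in quirks.split(",") if q), int(pclass))
```

Checking that `guess_dist(sig.ttl) == sig.dist` for each record is a quick way to confirm that p0f's "dist" is derived purely from the TTL, which is why it is only a hint and not a measurement.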

Cool stuff!

.glitchlist crew
