Passive fingerprinting works by quietly examining packets for patterns and not sending data directly to a target host. Due to this passive analysis, the remote system will not be able to detect the packet capture. The process is completely passive and does not generate any suspicious network traffic. Although other well-known and tested tools (like nmap, ettercap, Siphon) exists, p0f is considered the granddaddy of passive operating system fingerprinting. The O in operating system is replaced with a 0 (zero) character.
There are two methods of detecting the type of Operating System a host is running.
- Active OS fingerprinting has been the most widely used method when analyzing a system. This is the method used in tools such as nmap by Fyodor (http://www.insecure.org/nmap). This method includes sending crafted, abnormal packets to the remote host, and analyze the replies being returned from the remote host. Different TCP stacks will give different replies and thus allowing the analyzer tool to recognize a particular OS. If the remote host’s network is being protected by IDS or firewall devices, such attacks will be detected.
- Passive OS fingerprinting on the other hand will not contact the remote host, but instead capture traffic coming from a connecting host going to the local network. The packets being captured are the ones the remote host sends when it attempts to establish a connection to a host on the local network.
Active OS fingerprinting is a fast process and a large number of hosts can be scanned in a short time frame. Passive fingerprinting on the other hand is a much slower process, and will work best if used on stored data (from a file).
p0f can identify the system on machines that connect to your box, machines you connect to, and even machines that merely go through or near your box.
pof attempts to match the packets to a database of known characteristics (which is stored in /etc/p0f/p0f.fp), and is quit good at determining the general flavor of the operating system. P0f is based on the libpcap library, as many other utilities like tcpdump, wireshark, ettercap …., so there is full compatibility with these utilities. A good practice might be to capture network traffic with tcpdump and save it to a libpcap file, then let p0f analyze it’s contents (with the -s option ).
To accomplish the job, p0f equips you with four different detection modes:
- Incoming connection fingerprinting (SYN mode, default –> no options). Use this mode whenever you want to know the Os of the remote host, that connect to your box.
- Outgoing connections fingerprinting (SYN+ACK mode –> -A option). Fingerprint systems you or your users connect to.
- Outgoing connections refused fingerprinting (RST+ mode –> -R option). Fingerprint systems that reject your traffic.
- Established connections fingerprinting (stray ACK mode –> -O option). Examine existing sessions without needles interference.
As the README states, p0f is actually more suited for things like profiling, espionage, policy enforcement, penetration testing, and bypassing firewalls than it is simply for amusement. The more you know about it and its capabilities, the better chance you have of maintaining your own security.
p0f uses libcap 0.4 or later. libpcap is a packet capture library that allows you to grab all packets going through your ethernet card. All packets on the network, even those destined for other hosts, are accessible using libpcap. libpcap is used but other tools such as tcpdump (ftp://ftp.ee.lpl.gov/tcpdump.tar.Z) and SNORT (www.snort.org).
The current version for libpcap is 0.6.2 and it can be downloaded from: http://www-nrg.ee.lbl.gov/nrg.html
libpcap is installed using the following steps:
The next step is to download and install p0f, which can be downloaded from: http://www.stearns.org/p0f/p0f-current.tgz and is installed entering the following commands:
|-i interface||If you have more than one network interface, you can select which interface to use|
|-s file||If you have a tcpdump file that you created earlier, you can make p0f use it rather than live capture|
|-w file||You also can use p0f to record network traffic into a tcpdump file|
|-o file||If you’re using p0f in a script, use this option to dump the output into a text file for later perusal.|
|-p||By default, p0f looks only at network packets that are addressed to the machine where it is running. To look at all the packets that go by on the network, you need to set the card into promiscuous mode|
|By default, p0f sees machines only when they open new connections. You can try to guess what’s going on with already-opened connections. This option can generate a lot of data, so you probably won’t want to use it for an extended period of time.|
|-M||More and more often, machines actually are located behind routers and NATs, so they don’t really show up as individual machines. You can try to identify these types of machines|
|-t||Add timestamp to output|
|-f||The fingerprint database is located in a file called”/etc/p0f/p0f.fp” and is used by defauld, to use another file use this option|