the new p0f: 2.0.8 (2006-09-06)
(C) Copyright 2000-2006 by Michal Zalewski (lcamtuf@coredump.cx)
-------------------------------------------------------------------------------

What is p0f v2?

P0f v2 is a versatile passive OS fingerprinting tool. P0f can identify the operating system on:

- machines that connect to your box (SYN mode),
- machines you connect to (SYN+ACK mode),
- machines you cannot connect to (RST+ mode),
- machines whose communications you can observe.

P0f can also do many other tricks, and can detect or measure the following:

- firewall presence, NAT use (useful for policy enforcement),
- existence of a load balancer setup,
- the distance to the remote system and its uptime,
- other guy's network hookup (DSL, OC3, avian carriers) and his ISP.

All this even when the device in question is behind an overzealous packet firewall, when our favourite active scanner can't do much. P0f does not generate ANY additional network traffic, direct or indirect. No name lookups, no mysterious probes, no ARIN queries, nothing. How? It's simple: magic. Find out more here.

Show me!

  194.236.50.173:2502 - Linux 2.2 (1) [Bonet Sweden] (up: 9 hrs)
    -> 217.8.32.51:80 (distance 5, link: ethernet/modem)
  >> Masquerade at 206.157.248.34/ns1.mosaicsoftware.com: indicators at 43%.
  >> Masquerade at 213.158.197.100/ptcnat.era.pl: indicators at 60%.
  >> Masquerade at 216.88.158.142/crawlers.looksmart.com: indicators at 52%.
  >> Masquerade at 193.110.121.3/evil.tpi.pl: indicators at 86%.

But why, why, why?!

P0f is quite useful for gathering all kinds of profiling information about your users, customers or attackers (IDS, honeypot, firewall), tech espionage (laugh...), active or passive policy enforcement (restricting access for certain systems or otherwise handling them differently; or detecting guys with illegal network hookups using masquerade detection), content optimization, pen-testing (especially with SYN+ACK and RST+ACK modes), thru-firewall fingerprinting... plus all the tasks active fingerprinting is suitable for. And, of course, it has a high coolness factor, even if you are not a sysadmin. P0f v2 is lightweight, secure and fast enough to be run almost anywhere, hands-free for an extended period of time.

I have version 1... I have Ettercap, Prelude, Siphon, Archaeopteryx...

There are several tools that are capable of performing passive fingerprinting, but as of today and to my knowledge, p0f is simply the best. That's not telling much, as the competition isn't particularly stiff, but hey...

So, some history: first, there was Siphon. Siphon was a trivial and weak proof-of-concept tool based on two or three very basic and sometimes unreliable metrics. Because the concept was pretty cool, but the implementation lacking, I decided to give it a try and write my own passive fingerprinter - p0f v1. P0f v1 was probably the first fully-fledged passive OS fingerprinter, featuring a number of advanced metrics, and with code more suitable for practical applications than its predecessor. Siphon code, while not having been updated in many years, is still incorporated in several tools, such as Archaeopteryx and some commercial solutions. Needless to say, their fingerprinting capabilities are inadequate, and their databases are obsolete.

P0f v1 also got its share of the, ahem, market: the code or methodology was incorporated in a bunch of applications, such as Ettercap or Prelude IDS, and is shipped with a number of operating systems and networking toolkits. But nowadays, p0f v1 is obsolete and no longer supported, with p0f v2 offering lots of new features and improved operation. So, switch to p0f v2 and encourage your package supplier to do the same.
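To show the mechanics behind the "Show me!" output above (OS guess from SYN parameters, hop distance from TTL, link type from MSS, NAT indicators from conflicting guesses behind one address), here is an added example that is not p0f's own code. The signature table, the MTU table and the sample observations are constructed and simplified; they are not p0f's real database or signature format.

```python
# Simplified passive SYN fingerprinter, added for illustration (not p0f code).
# Signatures, MTU table and sample packets below are constructed, not real data.
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class SynFeatures:
    window: int    # TCP window size as seen on the wire
    ttl: int       # IP TTL as observed (already decremented by each hop)
    df: bool       # IP "don't fragment" bit
    mss: int       # TCP MSS option value
    options: str   # TCP option order, e.g. "M,S,T,N,W"

# Constructed table: (window, initial TTL, DF, option order) -> OS label.
SIGNATURES = {
    (5840, 64, True, "M,S,T,N,W"): "Linux 2.4/2.6 (constructed)",
    (65535, 128, True, "M,N,W,N,N,T,N,N,S"): "Windows XP (constructed)",
}
# Constructed MTU table; MTU is recovered as MSS + 40 (20 IP + 20 TCP header bytes).
LINK_BY_MTU = {1500: "ethernet/modem", 1492: "pppoe (DSL)", 1480: "ipip/pptp tunnel"}

def initial_ttl(observed_ttl: int) -> int:
    """Guess the sender's starting TTL: the smallest common default at or above what we saw."""
    for candidate in (64, 128, 255):
        if observed_ttl <= candidate:
            return candidate
    return 255

def distance(observed_ttl: int) -> int:
    """Hop count to the sender: how far the TTL has been decremented from its initial value."""
    return initial_ttl(observed_ttl) - observed_ttl

def link_type(mss: int) -> str:
    mtu = mss + 40
    return LINK_BY_MTU.get(mtu, f"unknown (mtu {mtu})")

def fingerprint(f: SynFeatures) -> dict:
    key = (f.window, initial_ttl(f.ttl), f.df, f.options)
    return {"os": SIGNATURES.get(key, "UNKNOWN"), "distance": distance(f.ttl), "link": link_type(f.mss)}

def masquerade_indicators(observations: list[tuple[str, SynFeatures]]) -> dict[str, set[str]]:
    """Addresses behind which more than one OS signature was seen: a NAT/masquerade indicator."""
    seen: dict[str, set[str]] = {}
    for src, feats in observations:
        seen.setdefault(src, set()).add(fingerprint(feats)["os"])
    return {src: oses for src, oses in seen.items() if len(oses) > 1}

# Constructed observations: a Linux host 5 hops away on ethernet, and one DSL address
# (192.0.2.7, documentation range) showing two different OS signatures.
SAMPLE = [
    ("10.0.0.5", SynFeatures(5840, 59, True, 1460, "M,S,T,N,W")),
    ("192.0.2.7", SynFeatures(65535, 120, True, 1452, "M,N,W,N,N,T,N,N,S")),
    ("192.0.2.7", SynFeatures(5840, 58, True, 1452, "M,S,T,N,W")),
]
```

Running `fingerprint` over `SAMPLE` and then `masquerade_indicators(SAMPLE)` flags 192.0.2.7 as carrying both a Linux and a Windows signature, the kind of evidence behind the "Masquerade at ... indicators at N%" lines.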
Among other things, p0f v2 introduces SYN+ACK, RST+, and stray ACK support, advanced masquerade detection, major performance and reliability improvements, 16 new packet checks, a number of fingerprinting extensions (link detection, network detection, fw detection, ECN handling, source network detection, etc.), a considerably more accurate and thought-out OS database with wildcard support, service integration support, many usability features, and some fairly important bug fixes.

Where can I get it?

You can get p0f v2 (2.0.8) by clicking here. You can also try the most recent development snapshot (-), if you feel lucky (be sure to check it out before reporting a bug, or if you want to suggest a feature). If you like p0f and would like to stay up-to-date, I would like to encourage you to subscribe to its project page at Freshmeat.

Windows users can also download a precompiled binary (2.0.4!), courtesy of Kirby Kuehl. And those of you who want to have p0f on the go can download the ARM port at Kevin Currie's homepage. OpenBSD users now have some of p0f's functionality built-in, thanks to Mike Frantzen (whose work actually inspired the v2 rewrite). Linux patches for netfilter are also available.

P0f itself runs on Linux, FreeBSD, NetBSD, OpenBSD, MacOS X, Solaris, AIX and Windows (and likely some other systems that have pcap or its port). Third party projects such as p0f_db or p0f-stats allow for easier storage and analysis of p0f output.

How can I help?

Easy. There are five things that need to be done - pick any:

1. Submit fingerprints. It's very easy - just visit this page to automatically obtain a fingerprint of the system you're browsing from, and submit any corrections or additions. It takes perhaps 30 seconds.
2. Download and test the beta code. Submit compilation reports from platforms other than the supported set (or submit problem reports from the supported ones). Send me suggestions and flames. Submit new fingerprints manually for the devices you have at home.
3. Submit SYN+ACK, RST+, and stray ACK signatures or take over the maintenance of this fingerprint database. There are no volunteers for this rather pleasurable task.
4. Write some code. We need MySQL support for this version (or something similar) and perhaps some visualization / support tools.
5. Talk to your vendor to upgrade and pick up the latest version of p0f.

Or, you can just send chocolate.

Mirrors

The only officially endorsed mirror is at Wiretapped, at least for now. You are welcome to support p0f by setting up a reliable mirror of the distribution directory.

... Oh, liked p0f? How about a book of mine?