Tuesday, December 6, 2011

p0f

Information Gathering -> Network Analysis -> OS fingerprinting -> p0f

p0f = Passive OS Fingerprinting

p0f can identify operating systems in passive mode. It does this by sniffing and analysing TCP packets: whenever we connect somewhere, or someone else connects to us, it listens to the traffic passively and generates no traffic of its own. It can detect OSes in the following ways:
- SYN mode (who connects to us) - this is the default
- SYN+ACK mode (where we connect to)
- RST+ mode (where we can't connect)
- those whose traffic we see

The default fingerprint database can be found in the /etc/p0f/ folder.
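To show what p0f actually looks at in SYN mode, here is an added example (my own illustration, not p0f's code or its fingerprint database): it pulls the classic passive-fingerprint fields out of a raw IPv4+TCP SYN (initial TTL guess, DF bit, window size and TCP option order) and matches them against a small constructed signature table; the packet builder and the two signature entries are constructed for the demo.

```python
import struct
OPT_NAMES = {2: "mss", 3: "ws", 4: "sackok", 8: "ts"}
# Constructed mini-database in the spirit of p0f's fingerprint file: the values
# are illustrative examples, not entries copied from the real /etc/p0f data.
SIGNATURES = [
    ("Linux 2.6-like", 64, True, 5840, ("mss", "sackok", "ts", "nop", "ws")),
    ("Windows 7-like", 128, True, 8192, ("mss", "nop", "ws", "nop", "nop", "sackok")),
]

def initial_ttl(ttl):
    # The SYN has crossed some hops, so round the observed TTL up to the nearest
    # common initial value; p0f makes the same kind of guess about distance.
    return next((c for c in (32, 64, 128, 255) if ttl <= c), ttl)

def syn_signature(pkt):
    # pkt is a raw IPv4 header + TCP header (no link layer), as a sniffer sees it
    ihl = (pkt[0] & 0x0F) * 4
    df = bool(struct.unpack("!H", pkt[6:8])[0] & 0x4000)
    tcp = pkt[ihl:]
    doff = (tcp[12] >> 4) * 4
    if tcp[13] & 0x12 != 0x02:          # SYN set and ACK clear: "who connects to us"
        return None
    win = struct.unpack("!H", tcp[14:16])[0]
    opts, i = [], 20
    while i < doff:                     # the option *order* is what differs per OS
        kind = tcp[i]
        if kind == 0:                   # end of option list
            break
        if kind == 1:                   # NOP has no length byte
            opts.append("nop"); i += 1; continue
        opts.append(OPT_NAMES.get(kind, "opt%d" % kind))
        i += max(tcp[i + 1], 2)         # guard against a malformed zero length
    return (initial_ttl(pkt[8]), df, win, tuple(opts))

def guess_os(pkt):
    sig = syn_signature(pkt)
    if sig is None:
        return "not a SYN"
    return next((label for label, *f in SIGNATURES if tuple(f) == sig), "UNKNOWN")

def build_syn(ttl, df, win, raw_opts):
    # Constructed test packet builder: IPv4 header + TCP SYN with the given options
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, ((20 + len(raw_opts)) // 4) << 4,
                      0x02, win, 0, 0) + raw_opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000 if df else 0,
                     ttl, 6, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return ip + tcp

LINUX_OPTS = bytes([2, 4, 5, 180, 4, 2, 8, 10] + [0] * 8 + [1, 3, 3, 7])   # mss,sackok,ts,nop,ws
WINDOWS_OPTS = bytes([2, 4, 5, 180, 1, 3, 3, 8, 1, 1, 4, 2])              # mss,nop,ws,nop,nop,sackok
```

Running guess_os(build_syn(57, True, 5840, LINUX_OPTS)) yields the Linux entry even though the TTL arrived as 57, which is exactly why a passive tool can only estimate the initial TTL and hop distance.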

Examples:

root@bt:~# p0f -h <- help
root@bt:~# p0f -i eth1 <- listen on eth1 interface
root@bt:~# p0f -i eth1 -A <- SYN ACK mode
root@bt:~# p0f -i eth1 -A -l -t <- one line output and timestamp

For me it didn't really work out, no matter what I visited.


Official website: http://lcamtuf.coredump.cx/p0f.shtml
