
p0f, the Passive OS Fingerprinter

p0f, the passive OS fingerprinting tool, is a networking utility that runs from a standard command line interface. It was written by Michal Zalewski, William Stearns, and others. p0f has been released under version 2.1 of the GNU Lesser General Public License (LGPL). p0f is cross-platform code; it runs on all of the major Unix variants and on Windows.

The project's README file explains how p0f works:

The passive OS fingerprinting technique is based on analyzing the information sent by a remote host while performing usual communication tasks - such as whenever a remote party visits your webpage, connects to your MTA - or whenever you connect to a remote system while browsing the web or performing other routine tasks. In contrast to active fingerprinting (with tools such as NMAP or Queso), the process of passive fingerprinting does not generate any additional or unusual traffic, and thus cannot be detected.

Captured packets contain enough information to identify the remote OS, thanks to subtle differences between TCP/IP stacks, and sometimes certain implementation flaws that, although harmless, make certain systems quite unique.
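As an added illustration of the stack differences the README describes (example code written for this page, not part of p0f or its README): the parser below reads the fields p0f 2.x keys on from a captured IPv4 TCP SYN (window size, initial TTL, DF bit, packet size, and the TCP option order), renders them in p0f's wss:ttl:df:size:opts signature layout and matches them against a small table. The signature entries, the option blobs and the build_syn helper are all constructed for the example, not taken from the real p0f.fp database.

```python
import struct

# Illustrative p0f 2.x-style signatures (wss:ttl:df:size:opts:quirks:OS:details),
# constructed for this example; they are not copied from the real p0f.fp database.
SIGNATURES = ["S4:64:1:60:M*,S,T,N,W7:.:Linux:2.6 (constructed)",
              "65535:128:1:48:M*,N,N,S:.:Windows:XP (constructed)"]
OPTION_NAMES = {4: "S", 8: "T"}            # p0f letters for SACK-OK and timestamps

def guess_initial_ttl(ttl):
    """Round the observed TTL up to the initial value the sending stack most likely used."""
    return next(t for t in (32, 64, 128, 255) if ttl <= t)

def syn_signature(pkt):
    """Render a captured IPv4 TCP SYN as a p0f-style 'wss:ttl:df:size:opts' string."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, df, ttl = struct.unpack_from("!H", pkt, 2)[0], (pkt[6] >> 6) & 1, pkt[8]
    tcp = pkt[ihl:]
    doff = (tcp[12] >> 4) * 4              # TCP header length including options
    wss = struct.unpack_from("!H", tcp, 14)[0]
    opts, mss, i = [], None, 20
    while i < doff and tcp[i] != 0:        # walk the option list in order; kind 0 = EOL
        kind = tcp[i]
        if kind == 1:                      # NOP carries no length byte
            opts.append("N"); i += 1; continue
        length = tcp[i + 1]
        if kind == 2:                      # MSS: the table wildcards its value as M*
            mss = struct.unpack_from("!H", tcp, i + 2)[0]; opts.append("M*")
        elif kind == 3:                    # window scale keeps its shift count
            opts.append("W%d" % tcp[i + 2])
        else:                              # SACK-OK, timestamps, or an unknown kind
            opts.append(OPTION_NAMES.get(kind, "?%d" % kind))
        i += length
    # p0f writes the window as a multiple of MSS when it divides evenly (S4 = 4*MSS).
    wss_str = "S%d" % (wss // mss) if mss and wss % mss == 0 else str(wss)
    return "%s:%d:%d:%d:%s" % (wss_str, guess_initial_ttl(ttl), df, total_len, ",".join(opts))

def identify(pkt):
    """Return 'Genre Details' of the first matching signature, or None if unknown."""
    sig = syn_signature(pkt) + ":"
    hits = [" ".join(e.split(":")[6:8]) for e in SIGNATURES if e.startswith(sig)]
    return hits[0] if hits else None

def build_syn(ttl, df, wss, tcp_opts):
    """Construct an IPv4 TCP SYN with no payload for offline testing (checksums left zero)."""
    tcp_len = 20 + len(tcp_opts)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, df << 14, ttl, 6, 0,
                     b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, (tcp_len // 4) << 4, 0x02, wss, 0, 0)
    return ip + tcp + tcp_opts

# Constructed option blobs: MSS 1460,SACK-OK,timestamps,NOP,WScale 7 and MSS 1460,NOP,NOP,SACK-OK.
LINUX_OPTS = bytes.fromhex("020405b4" "0402" "080a" + "00" * 8 + "01" "030307")
WINDOWS_OPTS = bytes.fromhex("020405b4" "01" "01" "0402")
```

A SYN built with build_syn(52, 1, 5840, LINUX_OPTS) renders as S4:64:1:60:M*,S,T,N,W7 and matches the first entry; changing only the option order or the TTL band leaves identify() returning None, which is the "subtle differences between TCP/IP stacks" the README is talking about.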

Some of the uses of p0f include profiling, policy enforcement, network troubleshooting, and seeing through a firewall.

Version 2.0.4 of p0f was announced this week; it features bug fixes, performance enhancements, and fingerprinting support for several additional packet types and scenarios, including RST+ACK, SYN+ACK, masquerade and IP sharing. The README file has more information on what's new in this version. It is also a good place to read about the many command line options that p0f supports.

Building p0f 2.0.4 was a breeze: it involved downloading the code, untarring it, and typing make. It built and ran with no trouble on the several machines that were tested. If you are interested in improving the accuracy of p0f, visit the fingerprint submission page and give the developers some feedback on whether it identifies your system correctly.



p0f insecurity

Posted Jul 15, 2004 16:45 UTC (Thu) by scripter (subscriber, #2654)

I downloaded the p0f source code, but since I don't necessarily trust security tools without a track record of trustworthiness, I thought I'd look at the source before compiling and using it, just to make sure it doesn't do anything malicious.

Although I didn't find anything malicious, I did find some sprintf calls (mainly for Win32 code). And no effort was made to enforce null termination of strings after strncpy was called.

So, this utility is probably safe to use (famous last words), but it needs some improvement.

p0f, the Passive OS Fingerprinter

Posted Jul 18, 2004 15:29 UTC (Sun) by Duncan (guest, #6647)

Interesting this app should be covered now. I was just looking at it the other day (likely the day LWN weekly came out, instead of reading LWN <g>), as I looked for some new net-analyzer tools on my still fairly fresh copy of Gentoo.

Unfortunately, this particular package, along with a number of others that sounded interesting, is still arch masked on Gentoo for AMD64, my hardware platform. That doesn't mean they won't build, but rather that no one's tried building them and filed a bug saying they worked, if indeed they did. Of course, it might have bad integer size assumptions and the like, preventing a clean compile, or it might not. I haven't had a chance to check, yet.

However, I probably /will/ be checking within a week or so and if I remember, I'll report back how it goes and what I think of it, provided it goes well, in case anyone else might be interested.

Duncan

Copyright © 2004, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds