p0f

Phase(s):

Primary: Mapping.
Secondary: N/A.

Description:

Tool that identifies the operating system of the server hosting the web application through passive traffic fingerprinting.

Objective:

  • Identify the server operating system in order to understand the web application deployment environment.

Features:

Supported technologies: operating systems (Linux/Unix, Windows, OS X, etc.).

Operating mode: Passive.

Identify the server operating system:

  • Returns the operating system name and version identified through passive traffic fingerprinting.

Reports:

  • Output log containing the passive traffic fingerprinting analysis, which includes the operating system name, version and matching signature.

Basic usage:

Begin passive traffic fingerprinting. The following command starts the fingerprinting used for operating system identification.

p0f -i eth0 -A -S -o [path]/p0f.log


Where:

  • -i: Defines the network interface to listen on.
  • -A: Runs in SYN+ACK mode (fingerprints the responses sent by the server).
  • -S: Includes the matching operating system signature.
  • -o: Writes the passive traffic fingerprinting analysis to a log file.

The tool listens to the network traffic and fingerprints the established connections, with the main focus on the server where the web applications are deployed.

p0f - passive os fingerprinting utility, version 2.0.8
(C) M. Zalewski <lcamtuf@dione.cc>, W. Stearns <wstearns@pobox.com>
p0f: listening (SYN+ACK) on 'eth0', 61 sigs (1 generic, cksum B253FA88), rule: 'all'.


Access the application with a web browser and browse through it with the aim of making multiple requests (connections) to the server. The tool fingerprints these connections against its signature repository in order to determine the operating system name and version.

Once enough requests have been made to the server, the tool is stopped manually to end the traffic fingerprinting. The output log created by the tool contains the fingerprinting results for analysis:

Log example:

<Wed May 29 08:31:10 2013> 201.100.200.110:9001 - Windows XP SP1 (firewall!)
  Signature: [S44:128:0:64:M1460,N,W0,N,N,T0,N,N,S:A]
  -> 201.100.200.120:51628 (distance 0, link: ethernet/modem)
<Wed May 29 08:31:30 2013> 201.100.200.110 - Windows XP SP1 (firewall!)
  Signature: [S44:128:0:64:M1460,N,W0,N,N,T0,N,N,S:A]
  -> 201.100.200.120:51629 (distance 0, link: ethernet/modem)
<Wed May 29 08:40:11 2013> 201.100.200.110 - Windows XP SP1 (firewall!)
  Signature: [S44:128:0:64:M1460,N,W0,N,N,T0,N,N,S:A]
  -> 201.100.200.120:51630 (distance 0, link: ethernet/modem)
<Wed May 29 08:40:31 2013> 201.100.200.110 - Windows XP SP1 (firewall!)
  Signature: [S44:128:0:64:M1460,N,W0,N,N,T0,N,N,S:A]
  -> 201.100.200.120:51631 (distance 0, link: ethernet/modem)
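A log like the one above is usually reviewed by hand, but a short parser makes it easier to check that the identification is consistent across many connections and to read the signature field. The following script is an added example, not part of p0f: it parses the three-line p0f v2 log entries (timestamp/host/OS, Signature, destination) into records, decodes the signature using the p0f 2.x notation window:ttl:df:size:options:quirks, and tallies the OS labels seen per fingerprinted host. The sample log is a constructed copy of the excerpt above; the function names are the example's own.

```python
"""Parse a p0f v2 log written with -o and decode its signature field.
Added example; not part of p0f itself."""
import re
from collections import Counter, defaultdict

# Constructed copy of the log excerpt shown on the page (SYN+ACK mode, -S).
SAMPLE_LOG = """\
<Wed May 29 08:31:10 2013> 201.100.200.110:9001 - Windows XP SP1 (firewall!)
  Signature: [S44:128:0:64:M1460,N,W0,N,N,T0,N,N,S:A]
  -> 201.100.200.120:51628 (distance 0, link: ethernet/modem)
<Wed May 29 08:31:30 2013> 201.100.200.110 - Windows XP SP1 (firewall!)
  Signature: [S44:128:0:64:M1460,N,W0,N,N,T0,N,N,S:A]
  -> 201.100.200.120:51629 (distance 0, link: ethernet/modem)
<Wed May 29 08:40:11 2013> 201.100.200.110 - Windows XP SP1 (firewall!)
  Signature: [S44:128:0:64:M1460,N,W0,N,N,T0,N,N,S:A]
  -> 201.100.200.120:51630 (distance 0, link: ethernet/modem)
<Wed May 29 08:40:31 2013> 201.100.200.110 - Windows XP SP1 (firewall!)
  Signature: [S44:128:0:64:M1460,N,W0,N,N,T0,N,N,S:A]
  -> 201.100.200.120:51631 (distance 0, link: ethernet/modem)
"""

# First line of an entry: "<timestamp> host[:port] - OS label". The port is optional
# (the first entry above carries one, the others do not).
HEAD_RE = re.compile(r"^<(?P<ts>[^>]+)>\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+-\s+(?P<os>.+?)\s*$")
SIG_RE = re.compile(r"^\s*Signature:\s*\[(?P<sig>[^\]]+)\]")
DST_RE = re.compile(r"^\s*->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+\(distance\s+(?P<dist>\d+),\s+link:\s+(?P<link>[^)]+)\)")

# p0f v2 option and quirk letters as documented for p0f 2.x.
OPTION_NAMES = {"N": "NOP", "E": "EOL", "S": "SACK permitted",
                "T": "timestamp", "T0": "timestamp (zero value)"}
QUIRK_NAMES = {"P": "options past EOL", "Z": "zero IP ID", "I": "IP options",
               "U": "urgent pointer set", "X": "unused fields non-zero",
               "A": "non-zero ACK number", "T": "non-zero second timestamp",
               "F": "unusual TCP flags", "D": "data payload", "!": "broken options"}


def parse_log(text):
    """Group the log lines into one dict per fingerprinted connection."""
    entries, cur = [], None
    for line in text.splitlines():
        m = HEAD_RE.match(line)
        if m:
            cur = {"ts": m["ts"], "src": m["src"], "os": m["os"],
                   "sport": int(m["sport"]) if m["sport"] else None}
            entries.append(cur)
            continue
        if cur is None:          # stray line before the first entry
            continue
        m = SIG_RE.match(line)
        if m:
            cur["signature"] = m["sig"]
            continue
        m = DST_RE.match(line)
        if m:
            cur.update(dst=m["dst"], dport=int(m["dport"]),
                       distance=int(m["dist"]), link=m["link"])
    return entries


def decode_signature(sig):
    """Split window:ttl:df:size:options:quirks into readable fields."""
    wwww, ttl, df, size, opts, quirks = sig.split(":")
    options, mss = [], None
    for o in opts.split(","):
        if o.startswith("M"):               # maximum segment size
            mss = int(o[1:])
            options.append(f"MSS {mss}")
        elif o.startswith("W"):             # window scaling factor
            options.append(f"window scale {o[1:]}")
        else:
            options.append(OPTION_NAMES.get(o, f"unknown option {o}"))
    if wwww.startswith("S"):                # window expressed as a multiple of MSS
        window, window_bytes = f"{wwww[1:]}*MSS", int(wwww[1:]) * mss if mss else None
    elif wwww.startswith("T"):              # multiple of MTU; MTU is not in the signature
        window, window_bytes = f"{wwww[1:]}*MTU", None
    else:                                   # literal window, "*" wildcard or "%n" modulo
        window, window_bytes = wwww, int(wwww) if wwww.isdigit() else None
    return {"window": window, "window_bytes": window_bytes, "ttl": int(ttl),
            "df": df == "1", "syn_size": int(size), "mss": mss, "options": options,
            "quirks": [] if quirks == "." else
                      [QUIRK_NAMES.get(q, f"unknown quirk {q}") for q in quirks]}


def os_by_host(entries):
    """Count OS labels per fingerprinted host. A host showing more than one
    label deserves a second look (NAT, load balancer or a changed signature)
    before the identification is trusted."""
    seen = defaultdict(Counter)
    for e in entries:
        seen[e["src"]][e["os"]] += 1
    return {host: dict(c) for host, c in seen.items()}


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print(os_by_host(parsed))
    print(decode_signature(parsed[0]["signature"]))
```

For the page's signature, the decoder reports a window of 44*MSS, i.e. 64240 bytes with MSS 1460, an initial TTL of 128, no DF bit and the single quirk A (non-zero ACK number), which is expected in SYN+ACK mode because the server's response always acknowledges the client's SYN.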


Resources:

Link: http://lcamtuf.coredump.cx/p0f3/
Author(s): Michal Zalewski
Contact: lcamtuf at coredump.cx
License: GNU LGPL Version 2.1