Wednesday, 26 August 2009


The program p0f is an application hosted on freshmeat and designed to passively identify operating systems. See also the page about p0f.

Why care?
Well, the answer is fairly simple: when reviewing an incident, you do not want to scan the site that a packet came from. Sending data to the attacker is bad!

On top of this, you can also make sense of a remote site with this information. Think:

  1. Are there multiple OS versions for a single IP address (Proxy or NAT)?
  2. Does the system remain the same or change?
  3. Are you being attacked from a certain version of OS?

In fact, you can use p0f to identify:
  • Hosts that connect to your system (SYN mode),
  • Hosts you have initiated a connection to (SYN+ACK mode),
  • Hosts that you are unable to initiate a connection with (RST+ mode), and
  • Hosts whose communications you can observe (IDS, TCPDump etc).
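
The three questions above can be answered by post-processing what p0f prints. The following is an added example, not part of the original post or of p0f itself; the sample lines are constructed and modelled on p0f 2.x single-line output, so the line layout and the regular expression are assumptions to adjust to what your build prints.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on p0f 2.x single-line output (assumed layout).
SAMPLE = """\
203.0.113.7:40112 - Linux 2.6 (newer, 3) (up: 12 hrs) -> 192.0.2.10:80 (distance 9, link: ethernet/modem)
203.0.113.7:40113 - Windows XP SP1+, 2000 SP3 -> 192.0.2.10:80 (distance 10, link: ethernet/modem)
198.51.100.23:1045 - Windows XP SP1+, 2000 SP3 -> 192.0.2.10:22 (distance 12, link: pppoe (DSL))
198.51.100.23:1046 - Windows XP SP1+, 2000 SP3 -> 192.0.2.10:22 (distance 12, link: pppoe (DSL))
203.0.113.7:40120 - Linux 2.6 (newer, 3) (up: 12 hrs) -> 192.0.2.10:443 (distance 9, link: ethernet/modem)
"""

# source ip:port - OS guess [(up: N hrs)] -> destination ...
LINE = re.compile(r"^(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+ - (?P<os>.+?) -> ")
UPTIME = re.compile(r"\s*\(up: [^)]*\)")

def parse(text):
    """Return [(source_ip, os_guess), ...] in the order the lines were logged."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:  # skip banners, blank lines and anything unrecognised
            records.append((m.group("src"), UPTIME.sub("", m.group("os"))))
    return records

def multi_os_hosts(records):
    """Question 1: source IPs showing more than one OS guess (proxy or NAT?)."""
    seen = defaultdict(set)
    for src, os_guess in records:
        seen[src].add(os_guess)
    return sorted(ip for ip, guesses in seen.items() if len(guesses) > 1)

def os_changes(records):
    """Question 2: how often each IP's guess differs from its previous sighting."""
    last, changes = {}, Counter()
    for src, os_guess in records:
        if src in last and last[src] != os_guess:
            changes[src] += 1
        last[src] = os_guess
    return changes

def os_totals(records):
    """Question 3: connections per OS guess across all sources."""
    return Counter(os_guess for _, os_guess in records)

if __name__ == "__main__":
    recs = parse(SAMPLE)
    print(multi_os_hosts(recs), dict(os_changes(recs)), os_totals(recs).most_common())
```
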
Best of all
P0f is passive. It does not generate ANY further network traffic. The attacker will have NO idea that it is running.

So you have decided that you want to try using p0f. First, download it from the link (get version 2.0.8 here).

Step 1
With the tgz file extracted to a temporary directory (tar -xzvf file.tgz), first read the 'README' file.

Step 2
As long as you have a build environment configured, the build process is fairly standard.
You will need to ensure that your system has the following requirements (and I would hope so as some of these are damn old):
  1. libpcap 0.4 or newer
  2. GNU C Compiler 2.7.x or newer
  3. GNU make 3.7x or newer, or BSD make
  4. GNU bash / awk / grep / sed / textutils (for p0frep only)
Step 3
There is no './configure' script. All you will have to do (I use RHEL, CentOS and Solaris, and this is all that is needed for these) is go to the directory you extracted p0f into and enter the commands:
  • make
  • make install
Simple huh!

Step 4
Test the tool and ensure that the install worked.
p0f can read data from pcap files (p0f -s <file>), so you can also use it on your capture files at a later date. Note that the '-s' flag is used for tcpdump format files. The '-f' option is also a file load option, but for p0f formats.

In the example above (in the image) we see a capture and the results from a Linux and a Windows XP host. In each case, the diagnosis is correct.

That's about it
There are more options (p0f --help). The best bet is to use the program on your data or on captures you may have access to.

