Full Disclosure mailing list archives

Re: Re: [tool] the new p0f 2.0.1 is now out


From: "simon (www.snosoft.com)" <simon () snosoft com>
Date: Thu, 04 Sep 2003 17:42:37 -0400


This sounds very simple actually, correct me if I am wrong (I just jumped into this thread). Some IDS systems claim to do passive network monitoring and passive fingerprinting as well. They simply do checks on the packets sent from a host by sniffing the network. They do not make the request for the packet, they let other users generate packets and do the fingerprinting on those.

So, I suppose you could fingerprint a system by browsing a web page and looking at the packets being sent from the web server.

Matt Barrie wrote:

Does it do DNS resolution on logfiles? If so, this may be a way of detecting.


-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of Andreas
Gietl
Sent: Thursday, September 04, 2003 12:43 PM
To: thetic; Michal Zalewski; honeypots () securityfocus com;
pen-test () securityfocus com; focus-ids () securityfocus com;
sectools () securityfocus com
Cc: incidents () securityfocus com; bugtraq () securityfocus com;
full-disclosure () netsys com
Subject: Re: [Full-disclosure] Re: [tool] the new p0f 2.0.1 is now out

On Thursday 04 September 2003 20:19, thetic wrote:

it is a passive scan-tool! You can't detect the scans because there are
no packets going to your network.

Question concerning the POF: how can we set up an IDS to detect a POF
scan?

umer


----- Original Message -----
From: "Michal Zalewski" <lcamtuf () ghettot org>
To: <honeypots () securityfocus com>; <pen-test () securityfocus com>;
<focus-ids () securityfocus com>; <sectools () securityfocus com>
Cc: <incidents () securityfocus com>; <bugtraq () securityfocus com>;
<full-disclosure () netsys com>
Sent: Wednesday, September 03, 2003 12:21 PM
Subject: [tool] the new p0f 2.0.1 is now out

I am proud to announce the new stable version of p0f, 2.0.1, a complete
rewrite of the original open-source tool released back in 2000, and a
major step for the utility.

I apologize for posting to all the forums, and leave it to the moderators
to accept or drop this post - but I believe the tool is probably of some
interest to the IDS / honeypot / pen-test / general ITSec audiences, and
more appropriate forums are largely defunct.

------------
What is p0f?
------------

  P0f v2 is a versatile passive OS fingerprinting tool. P0f can identify
  the system on machines that connect to your box, machines you connect
  to, and even machines that merely go thru or near your box. All this
  even if the device is behind a fascist packet firewall.

  P0f will also detect what the remote system is hooked up to (be it
  Ethernet, DSL, OC3, or avian carriers), how far it is located, what's
  its uptime, and will often detect NAT, firewall presence, and even
  the name of the other guy's ISP - all this without sending a single
  packet.

What do you need it for?
------------------------

  P0f is quite useful for gathering all kinds of profiling information
  about your users, customers or attackers (IDS, honeypot, firewall),
  tech espionage (laugh...), active or passive policy enforcement
  (restricting access for certain systems or otherwise handling them
  differently), content optimization, pen-testing, thru-firewall
  fingerprinting... plus all the tasks active fingerprinting is suitable
  for. And, of course, it has a high coolness factor, even if you are
  not a sysadmin.

-----------
What's new?
-----------

 Almost everything. Please upgrade and encourage your vendor to
 update his packages. P0f v2 is far superior to the old code
 and its clones (such as the Ettercap passive OS fingerprinting
 functionality, based on the p0f v1 concepts). It is faster,
 more secure, reliable, precise, accurate, feature-loaded
 (including easy service integration). It also introduces many
 new metrics, some of them "invented" for p0f v2.

 NEW CORE CHECKS:

   - Option layout and count check,
   - EOL presence and trailing data [*],
   - Unrecognized options handling (TTCP, etc),
   - WSS to MSS/MTU correlation checks [*],
   - Zero timestamp check,
   - Non-zero ACK in initial SYN [*],
   - Non-zero "unused" TCP fields [*],
   - Non-zero urgent pointer in SYN [*],
   - Non-zero second timestamp [*],
   - Zero IP ID in initial packet,
   - Unusual auxiliary flags,
   - Data payload in control packets [*],
   - Non-empty IP options.

   [*] Metrics "invented" for p0f, as far as I know. Other metrics
   were discussed before, although usually not implemented anywhere.
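As an added illustration (not p0f's code, and not part of the original announcement), the following Python extracts from one raw IPv4/TCP SYN or SYN+ACK the kind of per-packet metrics the core checks above describe: option layout, EOL trailing data, WSS-to-MSS correlation, zero IP ID, non-zero ACK/urgent/reserved fields, timestamp oddities, odd flags and payload in a control packet. The sample packet is constructed inline, and the layout letters and quirk names are this example's own rather than p0f's signature format.

```python
import struct

# Constructed sample (not a capture): IPv4 + TCP SYN with Linux-2.4-like options: MSS 1460, SACK OK, TS, NOP, WS 0.
TCP_OPTS = (b"\x02\x04\x05\xb4" + b"\x04\x02" +
            b"\x08\x0a" + struct.pack("!II", 0x1234abcd, 0) + b"\x01\x03\x03\x00")
IP_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(TCP_OPTS), 0x1234, 0x4000,
                     64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
TCP_HDR = struct.pack("!HHIIBBHHH", 40000, 80, 0xdeadbeef, 0,
                      ((20 + len(TCP_OPTS)) // 4) << 4, 0x02, 5840, 0, 0)
SAMPLE_SYN = IP_HDR + TCP_HDR + TCP_OPTS

def fingerprint(pkt):
    """p0f-v2-style passive metrics from one raw IPv4/TCP SYN or SYN+ACK (no link header)."""
    ihl = (pkt[0] & 0x0f) * 4
    ip_id, df, ttl = struct.unpack("!H", pkt[4:6])[0], bool(pkt[6] & 0x40), pkt[8]
    tcp = pkt[ihl:]
    _, _, _, ack, off, flags, wss, _, urg = struct.unpack("!HHIIBBHHH", tcp[:20])
    doff = (off >> 4) * 4
    opts, payload = tcp[20:doff], tcp[doff:]
    layout, mss, wscale, ts, trailing, i = [], None, None, None, b"", 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # EOL: note it and whatever follows it
            layout.append("E"); trailing = opts[i + 1:]; break
        if kind == 1:                       # NOP padding
            layout.append("N"); i += 1; continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed TCP option at offset %d" % i)
        length, body = opts[i + 1], opts[i + 2:i + opts[i + 1]]
        if kind == 2:   mss = struct.unpack("!H", body)[0]; layout.append("M")
        elif kind == 3: wscale = body[0]; layout.append("W")
        elif kind == 4: layout.append("S")
        elif kind == 8: ts = struct.unpack("!II", body); layout.append("T")
        else:           layout.append("?%d" % kind)   # unrecognised (e.g. T/TCP)
        i += length
    quirks = []                             # the "odd" traits the core checks look for
    if trailing.strip(b"\x00"): quirks.append("data_past_eol")
    if ip_id == 0: quirks.append("zero_ip_id")
    if ihl > 20: quirks.append("ip_options")
    if ack != 0 and not flags & 0x10: quirks.append("nonzero_ack")   # pure SYN only
    if urg != 0: quirks.append("nonzero_urg")
    if off & 0x0f: quirks.append("nonzero_reserved")
    if ts and ts[0] == 0: quirks.append("zero_ts")
    if ts and ts[1] != 0: quirks.append("nonzero_ts_echo")
    if flags & 0x2d: quirks.append("odd_flags")   # FIN/RST/PSH/URG; ECE/CWR skipped as ECN
    if payload: quirks.append("payload_in_ctl")
    return {"ttl": ttl, "df": df, "wss": wss, "mss": mss, "wscale": wscale,
            "layout": ",".join(layout), "quirks": quirks,
            "wss_mss_ratio": wss // mss if mss and wss % mss == 0 else None}
```

Feeding the sample SYN through it yields TTL 64, DF set, WSS 5840 as exactly 4 x MSS 1460, layout M,S,T,N,W and no quirks, which is the raw material a signature database matches against.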

 IMPROVEMENTS:

   - Major performance improvements - no more runtime signature parsing,
     added BPF pre-filtering, signature hash lookups - to make p0f suitable
     for high-throughput devices,

   - Modulo and wildcard operators for certain TCP/IP parameters to make
     it easier to come up with generic last chance signatures for
     systems that tweak settings notoriously (think Windows),

   - Auto-detection of DF-zeroing firewalls,

   - Auto-detection of MSS-tweaking NAT and router devices,

   - Media type detection based on MSS, with a database of common
     link types,

   - Origin network detection based on unusual ToS / precedence bits,

   - Ability to detect and skip ECN option when examining flags,

   - Better fingerprint file structure and contents - all fingerprints
     are rigorously reviewed before being added,

   - Generic last-chance signatures to cover general OS characteristics,

   - Query mode to enable easy integration with third party software -
     p0f caches recent fingerprints and answers queries for src-dst
     combinations on a local stream socket in an easy-to-parse form,

   - Usability features: greppable output option, daemon mode, host
     name resolution option, promiscuous mode switch, built-in signature
     collision detector, ToS reporting, etc,

   - "Officially unsupported" SYN+ACK fingerprinting mode for silent
     identifications of systems you connect to the usual way (web
     browser, MTA),

   - Fixed WSCALE handling in general, and WSS passing on little-endian,
     many other bug-fixes and improvements of the packet parser
     (including some sanity checks).

--------------------
Download, demo, etc.
--------------------

 P0f home page is:
 http://lcamtuf.coredump.cx/p0f.shtml

 Download:
 http://lcamtuf.coredump.cx/p0f.tgz

 Contribute / see it in action:
 http://lcamtuf.coredump.cx/p0f-help/

 P0f is believed to run fine on Windows, Linux, FreeBSD, NetBSD,
 OpenBSD, MacOS X, Solaris and AIX.

 Please consider contributing to the project if you liked it.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



-- Regards,
       -simon-

       Secure Network Operations, Inc.
       http://www.secnetops.com || http://www.snosoft.com
       Office: 978-263-3829  Fax: 978-263-0033
       -------------------------------------------------------
       "Embracing the future of technology, protecting you..."

