Full Disclosure mailing list archives
Re: Re: [tool] the new p0f 2.0.1 is now out
From: "SPAM" <edwin () link net id>
Date: Fri, 5 Sep 2003 10:12:14 +0700
If you read the first thread it says that it does have an option to resolve host name... but with the word "passive mode" it'd be very unlikely an attacker would enable that..

Ed

----- Original Message -----
From: "Matt Barrie" <matt.barrie () sensorynetworks com>
To: "'Andreas Gietl'" <a.gietl () e-admin de>
Cc: <full-disclosure () netsys com>
Sent: Friday, September 05, 2003 4:03 AM
Subject: RE: [Full-disclosure] Re: [tool] the new p0f 2.0.1 is now out
Does it do DNS resolution on logfiles? If so, this may be a way of detecting.

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Andreas Gietl
Sent: Thursday, September 04, 2003 12:43 PM
To: thetic; Michal Zalewski; honeypots () securityfocus com; pen-test () securityfocus com; focus-ids () securityfocus com; sectools () securityfocus com
Cc: incidents () securityfocus com; bugtraq () securityfocus com; full-disclosure () netsys com
Subject: Re: [Full-disclosure] Re: [tool] the new p0f 2.0.1 is now out

On Thursday 04 September 2003 20:19, thetic wrote:

it is a passive scan tool! you can't detect the scans because there are no packets going to your network.

Question concerning the p0f, how can we set up an IDS to detect a p0f scan.

umer

----- Original Message -----
From: "Michal Zalewski" <lcamtuf () ghettot org>
To: <honeypots () securityfocus com>; <pen-test () securityfocus com>; <focus-ids () securityfocus com>; <sectools () securityfocus com>
Cc: <incidents () securityfocus com>; <bugtraq () securityfocus com>; <full-disclosure () netsys com>
Sent: Wednesday, September 03, 2003 12:21 PM
Subject: [tool] the new p0f 2.0.1 is now out

I am proud to announce the new stable version of p0f, 2.0.1, a complete rewrite of the original open-source tool released back in 2000, and a major step for the utility.

I apologize for posting to all the forums, and leave it to the moderators to accept or drop this post - but I believe the tool is probably of some interest to the IDS / honeypot / pen-test / general ITSec audiences, and more appropriate forums are largely defunct.

------------
What is p0f?
------------

P0f v2 is a versatile passive OS fingerprinting tool. P0f can identify the system on machines that connect to your box, machines you connect to, and even machines that merely go thru or near your box. All this even if the device is behind a fascist packet firewall.
P0f will also detect what the remote system is hooked up to (be it Ethernet, DSL, OC3, or avian carriers), how far it is located, what's its uptime, and will often detect NAT, firewall presence, and even the name of the other guy's ISP - all this without sending a single packet.

------------------------
What do you need it for?
------------------------

P0f is quite useful for gathering all kinds of profiling information about your users, customers or attackers (IDS, honeypot, firewall), tech espionage (laugh...), active or passive policy enforcement (restricting access for certain systems or otherwise handling them differently), content optimization, pen-testing, thru-firewall fingerprinting... plus all the tasks active fingerprinting is suitable for. And, of course, it has a high coolness factor, even if you are not a sysadmin.

-----------
What's new?
-----------

Almost everything. Please upgrade and encourage your vendor to update his packages. P0f v2 is far superior to the old code and its clones (such as the Ettercap passive OS fingerprinting functionality, based on the p0f v1 concepts). It is faster, more secure, reliable, precise, accurate, feature-loaded (including easy service integration). It also introduces many new metrics, some of them "invented" for p0f v2.

NEW CORE CHECKS:

- Option layout and count check,
- EOL presence and trailing data [*],
- Unrecognized options handling (TTCP, etc),
- WSS to MSS/MTU correlation checks [*],
- Zero timestamp check,
- Non-zero ACK in initial SYN [*],
- Non-zero "unused" TCP fields [*],
- Non-zero urgent pointer in SYN [*],
- Non-zero second timestamp [*],
- Zero IP ID in initial packet,
- Unusual auxiliary flags,
- Data payload in control packets [*],
- Non-empty IP options.

[*] Metrics "invented" for p0f, as far as I know.
Other metrics were discussed before, although usually not implemented anywhere.

IMPROVEMENTS:

- Major performance improvements - no more runtime signature parsing, added BPF pre-filtering, signature hash lookups - to make p0f suitable for high-throughput devices,
- Modulo and wildcard operators for certain TCP/IP parameters to make it easier to come up with generic last chance signatures for systems that tweak settings notoriously (think Windows),
- Auto-detection of DF-zeroing firewalls,
- Auto-detection of MSS-tweaking NAT and router devices,
- Media type detection based on MSS, with a database of common link types,
- Origin network detection based on unusual ToS / precedence bits,
- Ability to detect and skip ECN option when examining flags,
- Better fingerprint file structure and contents - all fingerprints are rigorously reviewed before being added,
- Generic last-chance signatures to cover general OS characteristics,
- Query mode to enable easy integration with third party software - p0f caches recent fingerprints and answers queries for src-dst combinations on a local stream socket in an easy to parse form,
- Usability features: greppable output option, daemon mode, host name resolution option, promiscuous mode switch, built-in signature collision detector, ToS reporting, etc,
- "Officially unsupported" SYN+ACK fingerprinting mode for silent identification of systems you connect to the usual way (web browser, MTA),
- Fixed WSCALE handling in general, and WSS passing on little-endian, many other bug-fixes and improvements of the packet parser (including some sanity checks).

--------------------
Download, demo, etc.
--------------------

P0f home page is: http://lcamtuf.coredump.cx/p0f.shtml
Download: http://lcamtuf.coredump.cx/p0f.tgz
Contribute / see it in action: http://lcamtuf.coredump.cx/p0f-help/

P0f is believed to run fine on Windows, Linux, FreeBSD, NetBSD, OpenBSD, MacOS X, Solaris and AIX.
Please consider contributing to the project if you liked it.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

--
e-admin internet gmbh
Andreas Gietl
Ludwig-Thoma-Strasse 35
93051 Regensburg
tel +49 941 3810884
fax +49 (0)1805/39160 - 29104
mobile +49 171 6070008
PGP/GPG key at http://www.e-admin.de/gpg.html
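The announcement quoted above lists the SYN metrics p0f v2 reads (window size, TTL, DF bit, packet size, option layout, and the quirk checks such as non-zero ACK, trailing data after EOL, or payload in a control packet) and mentions the modulo and wildcard operators used in its signature file. As an added illustration that is not part of this thread and not p0f's own code, the following Python sketch parses a raw IPv4/TCP SYN into those metrics and matches them against signatures written in the p0f.fp v2 layout (wwww:ttt:D:ss:OOO...:QQ:OS:Details, with S4 meaning "window = 4 * MSS", M* meaning "any MSS", and "." meaning "no quirks"). The two signature entries, the sample packets, the 40-hop distance bound, the MSS + 40 approximation of the MTU, and the build_syn helper are all assumptions constructed for this example, not entries or code taken from p0f.

```python
# Passive TCP SYN fingerprinting in the style of p0f v2. Added illustration, NOT p0f's code.
import struct
from collections import namedtuple

# Illustrative signatures in the p0f.fp v2 layout wwww:ttt:D:ss:OOO...:QQ:OS:Details (assumed).
SIGNATURES = [
    "S4:64:1:60:M*,S,T,N,W0:.:Linux:2.4-era (illustrative)",
    "65535:128:1:48:M*,N,N,S:.:Windows:XP/2000-era (illustrative)",
]
MAX_DIST = 40  # assumed bound on hop distance (signature TTL minus observed TTL)

# wss, ttl, df, size: header fields; mss: MSS option or None; options: p0f tokens; quirks: letters or "."
SynFingerprint = namedtuple("SynFingerprint", "wss ttl df size mss options quirks")

def parse_syn(pkt: bytes) -> SynFingerprint:
    """Extract the p0f v2 metrics from a raw IPv4+TCP SYN (no link-layer header)."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ip_id, frag = struct.unpack("!HHH", pkt[2:8])
    if pkt[9] != 6:
        raise ValueError("not a TCP packet")
    tcp = pkt[ihl:total_len]
    _, _, _, ack, off_flags, wss, _, urg = struct.unpack("!HHIIHHHH", tcp[:20])
    doff = (off_flags >> 12) * 4
    # Quirks: Z zero IP ID, I IP options, U urgent pointer, X "unused" bits before the flags,
    # A ACK set in a SYN, F flags other than SYN/ECN, D payload in a control packet.
    quirks = {q for q, hit in (("Z", ip_id == 0), ("I", ihl > 20), ("U", urg != 0),
                               ("X", ((off_flags >> 8) & 0x0F) != 0), ("A", ack != 0),
                               ("F", (off_flags & 0xFF & ~0xC2) != 0), ("D", len(tcp) > doff)) if hit}
    tokens, mss, opts, i = [], None, tcp[20:doff], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                               # EOL: whatever follows must be zero padding
            tokens.append("E")
            if any(opts[i + 1:]):
                quirks.add("P")                     # trailing data after EOL
            break
        length = 1 if kind == 1 else (opts[i + 1] if i + 1 < len(opts) else 0)
        if (length < 2 and kind != 1) or i + length > len(opts):
            break                                   # truncated or malformed option: stop, never overrun
        body = opts[i + 2:i + length]
        if kind == 1:
            tokens.append("N")                      # NOP
        elif kind == 2 and length == 4:
            mss = struct.unpack("!H", body)[0]
            tokens.append(f"M{mss}")
        elif kind == 3 and length == 3:
            tokens.append(f"W{body[0]}")            # window scale
        elif kind == 4:
            tokens.append("S")                      # SACK permitted
        elif kind == 8 and length == 10:
            ts_val, ts_ecr = struct.unpack("!II", body)
            tokens.append("T0" if ts_val == 0 else "T")
            if ts_ecr:
                quirks.add("T")                     # non-zero second timestamp in a SYN
        else:
            tokens.append(f"?{kind}")               # unrecognized option (TTCP and friends)
        i += length
    quirk_str = "".join(c for c in "PZIUXATFD" if c in quirks) or "."
    return SynFingerprint(wss, pkt[8], (frag >> 14) & 1, total_len, mss, tokens, quirk_str)

def _wss_matches(spec, fp):
    """Window specs: exact, '*', '%n' (multiple of n), 'Sn' (n*MSS), 'Tn' (n*MTU, MTU ~ MSS+40)."""
    if spec[0] in "ST":
        return fp.mss is not None and fp.wss == int(spec[1:]) * (fp.mss + 40 * (spec[0] == "T"))
    if spec[0] == "%":
        return fp.wss % int(spec[1:]) == 0
    return spec == "*" or fp.wss == int(spec)

def _options_match(spec, tokens):                   # "M*" / "W*" accept any MSS / window scale
    want = [] if spec == "." else spec.split(",")
    return len(want) == len(tokens) and all(
        w == t or (w in ("M*", "W*") and t[0] == w[0]) for w, t in zip(want, tokens))

def match(fp, signatures=SIGNATURES):
    """Return (genre, details, hop distance) for the first matching signature, else None."""
    for sig in signatures:
        wss, ttl, df, size, opts, quirks, genre, details = sig.split(":", 7)
        dist = int(ttl) - fp.ttl                    # hops travelled, if the signature's TTL is right
        if (0 <= dist < MAX_DIST and (fp.df, fp.size, fp.quirks) == (int(df), int(size), quirks)
                and _wss_matches(wss, fp) and _options_match(opts, fp.options)):
            return genre, details, dist
    return None

def build_syn(ttl, df, wss, tcp_opts, ip_id=0x1234, ack=0, flags=0x02, payload=b""):
    """Assemble a constructed IPv4+TCP SYN (options pre-padded to 32 bits; checksums left 0)."""
    doff = 5 + len(tcp_opts) // 4
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 0x11223344, ack, (doff << 12) | flags, wss, 0, 0)
    tcp += tcp_opts + payload
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0x4000 if df else 0,
                       ttl, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + tcp

# Constructed sample SYNs (not captures). LINUX_OPTS = M1460,S,T,N,W0; WINDOWS_OPTS = M1460,N,N,S.
LINUX_OPTS = (b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x08\x0a" + struct.pack("!II", 123456, 0)
              + b"\x01" + b"\x03\x03\x00")
WINDOWS_OPTS = b"\x02\x04\x05\xb4" + b"\x01\x01" + b"\x04\x02"
SAMPLES = {"linux": build_syn(64, 1, 4 * 1460, LINUX_OPTS),           # wss = 4 * MSS, 0 hops
           "windows": build_syn(116, 1, 65535, WINDOWS_OPTS),         # 12 hops from TTL 128
           "quirky": build_syn(64, 1, 4 * 1460, LINUX_OPTS, ack=1)}    # ACK in a SYN: quirk "A"
```

Calling match(parse_syn(SAMPLES["windows"])) yields the Windows entry with a hop distance of 12, because the observed TTL of 116 is compared against the signature's initial TTL of 128; the "quirky" sample carries the A quirk and therefore matches no clean signature, which is the point of the quirk checks in the announcement: a host whose stack misbehaves in a characteristic way is a fingerprint in itself. Note that nothing here sends a packet; the parser only needs a copy of the SYN, which is why the question earlier in the thread about detecting a p0f run from the network side has no answer at the packet level.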
Current thread:
- [tool] the new p0f 2.0.1 is now out Michal Zalewski (Sep 03)
- Re: [tool] the new p0f 2.0.1 is now out thetic (Sep 04)
- Re: [tool] the new p0f 2.0.1 is now out Daniel Bartlett (Sep 04)
- Re: Re: [tool] the new p0f 2.0.1 is now out Andreas Gietl (Sep 04)
- RE: Re: [tool] the new p0f 2.0.1 is now out Matt Barrie (Sep 04)
- RE: Re: [tool] the new p0f 2.0.1 is now out Michal Zalewski (Sep 04)
- Re: Re: [tool] the new p0f 2.0.1 is now out simon (www.snosoft.com) (Sep 04)
- Re: Re: [tool] the new p0f 2.0.1 is now out SPAM (Sep 04)
- Re: Re: [tool] the new p0f 2.0.1 is now out Thor Larholm (Sep 04)
- Re: Re: [tool] the new p0f 2.0.1 is now out Robert Jaroszuk (Sep 04)
- Re: Re: [tool] the new p0f 2.0.1 is now out morning_wood (Sep 04)
- Re: Re: [tool] the new p0f 2.0.1 is now out Michal Zalewski (Sep 05)
- Re: [tool] the new p0f 2.0.1 is now out thetic (Sep 04)
- <Possible follow-ups>
- RE: Re: [tool] the new p0f 2.0.1 is now out Parker, Jeff (MSE) (Sep 04)
- RE: Re: [tool] the new p0f 2.0.1 is now out Michal Zalewski (Sep 04)
- Re: [tool] the new p0f 2.0.1 is now out Peter van den Heuvel (Sep 04)
- Re: [tool] the new p0f 2.0.1 is now out Ron DuFresne (Sep 07)