Brief introduction
p0f is a purely passive fingerprinting tools, which in the case of non-interference in communication between the parties, by the way sniffer to analyze traffic flowing through a network card in order to achieve the purpose of fingerprinting.
Its capacity is as follows:
- Highly scalable
- Can quickly identify a host operating system across the tcp connection because it is a passive identification tool, it is banned in some nmap, unreliable or too slow under the conditions that trigger an alarm, it still works well
- Detection system uptime, network hookup, from (nat comprises a packet filter or the network environment) and the like
- Automatic detection of NAT, load balancing, application-level proxy settings are
- Detecting a number of client / server and the X-Mailer User-Agent
This tool can be run in the foreground can also be run in the background, p0f also provides an easy-to-use real-time API for third-party platforms call (in order to develop spam-blocking tools, etc.). We can use this tool daily penetration testing and network management, network detect suspicious network connections.
Installation of ubuntu
0x00
By default kali is the integration of the tool, so if you do not want to install it to use it directly in kali, kali just type in the command:
p0f
You will see the following screen, which means already begun sniffing, if you open the browser to access the web page to be able to see the information captured in the terminal:
0x01
Download the source code from github p0f
git clone https://github.com/p0f/p0f.git
Then to go to the directory p0f, execute build.sh script directory, the script will automatically perform the compilation work, but I made a lot of problems during the installation process, workaround listed here
- ubuntu lack libpcap, resulting in an error during compilation:
fatal error:pcap.h:没有哪个文件或目
only need to install libcap on the line, the specific method reference:
https://blog.csdn.net/fengyun1989/article/details/7384899
After the installation can be carried out, careful to execute with administrator privileges
Instructions
Command line parameters
Usage: p0f [... Options ...] [ 'filter rule']
Network interface options:
-i iface - designated network interface to listen
-r file - file reads network packets captured by the capture tool
-p - -i parameter specifies the card set in promiscuous mode
-L - lists all available interfaces
Operation mode and output settings:
-f file - specify the fingerprint database (p0f.fp) route, do not specify the default database. (Default: /etc/p0f/p0f.fp)
-o File - write information to the specified log file. Only the same card log file before they can attach to merge this monitor in the past.
-s name - to answer queries unix socket API
-u the User - to specify the identity of the user to run the program, it will switch to the working directory to the root directory of the current user;
-d - as a background process running p0f, need to meet -0 or -s options
Performance-related options:
-S limit - Set the number of concurrent API, default is 20, the upper limit is 100;
-TC, H - set the connection timeout (30s, 120m)
-MC, H - set the maximum number of network connections (Connect), and also track the number of host (Host) (default: c = 1,000, h = 10,000 ).
By man tcpdump command you can read more filtering options expressions. E.g:
sudo ./p0f -i eth0 'port 443'
Common options Example
1. The fingerprint information to identify the connection between the two sides of the flow through the sniffer flow through eth0
./p0f -i eth0
2. Background to specify the rights to run a user, and the record is written into the identification /var/log/p0f.log file, the log is | to separate each of the symbols
./p0f -i eth0 -d -u user -o /var/log/p0f.log
Log file format is as follows:
3. The cap is identified from the file system
./p0f -r test.cap
API use
With the API we can easily put p0f integrating different tools in it, for example, use it to develop spam filters, web applications, etc., we only need the client to connect to p0f -s option specifies the unix socket and in accordance with the transmission request, a response can be obtained p0f friends.
Here are the rules of the API:
- Queries must be 21 bytes, the following format
| Field | byte | effect |
|---|---|---|
| Magic dword | Local host endianness (big-endian small end) | |
| Address type byte | ipv4 four bytes, ipv6 six bytes | ip address byte |
| Address data stored in network byte order | 16 |
- p0f return data format
| magic dword | native endian |
| status dword | 0x00 indicates an error query, 0x01 represents the query is successful, 0x20 indicating no match |
| Host Information | Host information is a lot of data entry, but also we need most information, it also has special meaning in each byte, I posted directly to official documents |
Host information, valid only if status is 'OK' (byte width in square
brackets):
[4] first_seen - unix time (seconds) of first observation of the host.
[4] last_seen - unix time (seconds) of most recent traffic.
[4] total_conn - total number of connections seen.
[4] uptime_min - calculated system uptime, in minutes. Zero if not known.
[4] up_mod_days - uptime wrap-around interval, in days.
[4] last_nat - time of the most recent detection of IP sharing (NAT,
load balancing, proxying). Zero if never detected.
[4] last_chg - time of the most recent individual OS mismatch (e.g.,
due to multiboot or IP reuse).
[2] distance - system distance (derived from TTL; -1 if no data).
[1] bad_sw - p0f thinks the User-Agent or Server strings aren't
accurate. The value of 1 means OS difference (possibly
due to proxying), while 2 means an outright mismatch.
NOTE: If User-Agent is not present at all, this value
stays at 0.
[1] os_match_q - OS match quality: 0 for a normal match; 1 for fuzzy
(e.g., TTL or DF difference); 2 for a generic signature;
and 3 for both.
[32] os_name - NUL-terminated name of the most recent positively matched
OS. If OS not known, os_name[0] is NUL.
NOTE: If the host is first seen using an known system and
then switches to an unknown one, this field is not
reset.
[32] os_flavor - OS version. May be empty if no data.
[32] http_name - most recent positively identified HTTP application
(e.g. 'Firefox').
[32] http_flavor - version of the HTTP application, if any.
[32] link_type - network link type, if recognized.
[32] language - system language, if recognized.
Fingerprint database
p0f is the default fingerprint database, and p0f executable file in the same directory, called p0f.fp, part of the shots are as follows:
As for the meaning of each field, since the content too much, here is not described in detail, with specific reference to github instructions on
to sum up
In general, I think it's nmap function compared to a lot less, but because it is a passive information-gathering tool, in some way make up for the lack of nmap, while its tcp, http header parsing is still very powerful.
