10633775 2003-09-03 21:21 +0200 /137 rader/ Michal Zalewski <lcamtuf@ghettot.org>
Importerad: 2003-09-03 23:01 av Brevbäraren
Extern mottagare: honeypots@securityfocus.com
Extern mottagare: pen-test@securityfocus.com
Extern mottagare: focus-ids@securityfocus.com
Extern mottagare: sectools@securityfocus.com
Extern kopiemottagare: incidents@securityfocus.com
Extern kopiemottagare: bugtraq@securityfocus.com
Extern kopiemottagare: full-disclosure@netsys.com
Mottagare: Bugtraq (import) <28794>
Mottagare: SECTOOLS (import) <790>
Sänt: 2003-09-04 19:44
Ärende: [tool] the new p0f 2.0.1 is now out
------------------------------------------------------------
From: Michal Zalewski <lcamtuf@ghettot.org>
To: honeypots@securityfocus.com, <pen-test@securityfocus.com>,
<focus-ids@securityfocus.com>, <sectools@securityfocus.com>
Cc: incidents@securityfocus.com, <bugtraq@securityfocus.com>,
<full-disclosure@netsys.com>
Message-ID: <Pine.LNX.4.42.0309032106110.6307-100000@nimue.bos.bindview.com>
I am proud to announce the new stable version of p0f, 2.0.1, a
complete rewrite of the original open-source tool released back in
2000, and a major step for the utility.
I apologize for posting to all the forums, and leave it to the
moderators to accept or drop this post - but I believe the tool is
probably of some interest to the IDS / honeypot / pen-test / general
ITSec audiences, and more appropriate forums are largely defunct.
------------
What is p0f?
------------
P0f v2 is a versatile passive OS fingerprinting tool. P0f can
identify the system on machines that connect to your box, machines
you connect to, and even machines that merely go thru or near your
box. All this even if the device is behind a fascist packet
firewall.
P0f will also detect what the remote system is hooked up to (be it
Ethernet, DSL, OC3, or avian carriers), how far it is located,
what's its uptime, and will often detect NAT, firewall presence,
and even the name of the other guy's ISP - all this without
sending a single packet.
What do you need it for?
------------------------
P0f is quite useful for gathering all kinds of profiling
information about your users, customers or attackers (IDS,
honeypot, firewall), tech espionage (laugh...), active or passive
policy enforcement (restricting access for certain systems or
otherwise handling them differently), content optimization,
pen-testing, thru-firewall fingerprinting... plus all the tasks
active fingerprinting is suitable for. And, of course, it has a
high coolness factor, even if you are not a sysadmin.
-----------
What's new?
-----------
Almost everything. Please upgrade and encourage your vendor to
update his packages. P0f v2 is far superior to the old code
and its clones (such as the Ettercap passive OS fingerprinting
functionality, based on the p0f v1 concepts). It is faster,
more secure, reliable, precise, accurate, feature-loaded
(including easy service integration). It also introduces many
new metrics, some of them "invented" for p0f v2.
NEW CORE CHECKS:
- Option layout and count check,
- EOL presence and trailing data [*],
- Unrecognized options handling (TTCP, etc),
- WSS to MSS/MTU correlation checks [*],
- Zero timestamp check,
- Non-zero ACK in initial SYN [*],
- Non-zero "unused" TCP fields [*],
- Non-zero urgent pointer in SYN [*],
- Non-zero second timestamp [*],
- Zero IP ID in initial packet,
- Unusual auxilinary flags,
- Data payload in control packets [*],
- Non-empty IP options.
[*] Metrics "invented" for p0f, as far as I know. Other metrics
were discussed before, although usually not implemented anywhere.
IMPROVEMENTS:
- Major performance improvements - no more runtime signature parsing,
added BPF pre-filtering, signature hash lookups - to make p0f suitable
for high-throughput devices,
- Modulo and wildcard operators for certain TCP/IP parameters to make
it easier to come up with generic last chance signatures for
systems that tweak settings notoriously (think Windows),
- Auto-detection of DF-zeroing firewalls,
- Auto-detection of MSS-tweaking NAT and router devices,
- Media type detection based on MSS, with a database of common
link types,
- Origin network detection based on unusual ToS / precedence bits,
- Ability to detect and skip ECN option when examining flags,
- Better fingerprint file structure and contents - all fingerprints
are rigorously reviewed before being added.
- Generic last-chance signatures to cover general OS
characteristics,
- Query mode to enable easy integration with third party software -
p0f caches recent fingerprints and answer queries for src-dst
combinations on a local stream socket in a easy to parse
form,
- Usability features: greppable output option, daemon mode, host
name resolution option, promiscuous mode switch, built-in signature
collision detector, ToS reporting, etc,
- "Officially unsupported" SYN+ACK fingerprinting mode for silent
identifications of systems you connect to the usual way (web
browser, MTA),
- Fixed WSCALE handling in general, and WSS passing on little-endian,
many other bug-fixes and improvements of the packet parser
(including some sanity checks).
--------------------
Download, demo, etc.
--------------------
P0f home page is:
http://lcamtuf.coredump.cx/p0f.shtml
Download:
http://lcamtuf.coredump.cx/p0f.tgz
Contribute / see it in action:
http://lcamtuf.coredump.cx/p0f-help/
P0f is believed to run fine on Windows, Linux, FreeBSD, NetBSD,
OpenBSD, MacOS X, Solaris and AIX.
Please consider contributing to the project if you liked it.
(10633775) /Michal Zalewski <lcamtuf@ghettot.org>/(Ombruten)