
Intrusion Detection FAQ: What is p0f and what does it do?

Bente Petersen

This paper describes the newly released p0f (Passive OS Fingerprinting) v1.8 tool. The tool is developed by Michal Zalewski and can be downloaded from http://lcamtuf.coredump.cx/p0f.shtml.

p0f is described as a tool which can fingerprint an operating system passively. There are two methods of detecting the type of operating system a host is running. Active OS fingerprinting has been the most widely used method when analyzing a system. This is the method used in tools such as Queso and nmap by Fyodor (http://www.insecure.org/nmap). It involves sending crafted, abnormal packets to the remote host and analyzing the replies returned by it. Different TCP stacks give different replies, which allows the analyzer tool to recognize a particular OS. If the remote host's network is protected by IDS or firewall devices, such probes will be detected.

Passive OS fingerprinting, on the other hand, does not contact the remote host, but instead captures traffic coming from a connecting host to the local network. Another such tool is siphon, which was developed by the HoneyNet project. The fingerprinting can then be conducted without the remote host being aware that its packets are being captured. The packets captured are the ones the remote host sends when it attempts to establish a connection to a host on the local network.

Active OS fingerprinting is a fast process, and a large number of hosts can be scanned in a short time frame. Passive fingerprinting, on the other hand, is a much slower process and works best when used on historic data.

OS fingerprinting will most likely become more popular among black hat attackers as well. Being able to gain information about a host's OS can be very valuable to an attacker when planning an attack. A patient attacker can gather information from a particular network and slowly map the OS the various hosts are running without alarming the network security devices. The attack can then be designed to exploit vulnerabilities specific to that OS without alarming the network security devices in advance, which is often the case when active fingerprinting methods are used.

The most common signatures to look for are the following fields in a packet:
  • TTL (IP header)
  • Win (TCP header)
  • DF (IP header)
  • TOS (IP header)
TTL (Time to Live) is the maximum number of routers a packet can pass through before it is dropped. It is initialized by the sender and then decremented by every router handling the packet. When the value reaches 0, the packet is dropped and an ICMP message is returned to the sender. The initial TTL value differs between operating systems. For instance, Windows systems will have a value of 32 while Linux will have a TTL of 64 (source: The HoneyNet project: http://project.honeynet.org/papers/finger/traces.txt).

Win (Window Size) is the flow control option used by TCP. When a host initiates a connection it advertises the size of its incoming packet buffer. The other host then adjusts the rate at which it sends packets to ensure that the receiving host is not flooded.

DF (Don't Fragment) is the flag set if the packet is not to be broken up into smaller fragments. Fragmentation might be necessary if the packet is too large for the network to handle. If the DF flag is set and the packet is too large, it is discarded and the ICMP error message "fragmentation needed, but DF bit is set" is sent to the source host.

TOS (Type of Service) allows one of 4 values to be set for each packet sent. The value set depends on the application being used, and only one value can be set per packet. The following values are available:
  • Minimize delay
  • Maximize throughput
  • Maximize reliability
  • Minimize monetary costs
For instance, Telnet packets have the "Minimize delay" option set, while SNMP has the "Maximize reliability" option set (source: TCP/IP Illustrated, Volume 1; W. Richard Stevens).

The signatures listed above are the most common; other signatures that can be used for OS detection are the initial sequence number, the IP identification number, TCP or IP options, ICMP payloads, etc.
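As an added example (not part of this paper and not p0f's own code), the following Python extracts the four fields discussed above from a raw IPv4/TCP SYN packet, estimates the hop distance by rounding the observed TTL up to the nearest common initial value, and matches the result against a small constructed signature table. The table entries, the build_packet helper and the labels are assumptions for illustration, not the format of p0f's /etc/p0f.fp.

```python
import struct

# Constructed signature table (illustrative values, NOT p0f's /etc/p0f.fp format):
# (window size, initial TTL, DF flag, TOS) -> OS label
SIGNATURES = {
    (16384, 128, 1, 0): "Windows 2000 (illustrative)",
    (8192, 32, 1, 0): "Windows 9x (illustrative)",
    (5840, 64, 1, 0): "Linux 2.4 (illustrative)",
}
INITIAL_TTLS = (32, 64, 128, 255)  # common initial TTL values chosen by TCP stacks

def guess_initial_ttl(ttl):
    """Round the observed TTL up to the nearest common initial value."""
    for cand in INITIAL_TTLS:
        if ttl <= cand:
            return cand
    return 255

def parse_packet(packet):
    """Extract fingerprint fields from a raw IPv4+TCP packet (no link-layer header)."""
    ver_ihl, tos, _tot, _ident, flags_frag, ttl, proto = struct.unpack("!BBHHHBB", packet[:10])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4           # IP header length in bytes
    df = (flags_frag >> 14) & 1           # DF is bit 14 of the flags/fragment-offset field
    _sp, _dp, _seq, _ack, off_flags, win = struct.unpack("!HHIIHH", packet[ihl:ihl + 16])
    is_syn = (off_flags & 0x3F) == 0x02   # SYN set, ACK clear: a connection attempt
    return {"win": win, "ttl": ttl, "df": df, "tos": tos,
            "hops": guess_initial_ttl(ttl) - ttl, "syn": is_syn}

def fingerprint(packet):
    """Return (OS label, estimated hops) for a SYN, or None for any other packet."""
    f = parse_packet(packet)
    if not f["syn"]:
        return None
    key = (f["win"], guess_initial_ttl(f["ttl"]), f["df"], f["tos"])
    return SIGNATURES.get(key, "UNKNOWN"), f["hops"]

def build_packet(ttl, win, df=True, tos=0, tcp_flags=0x02, sport=3169, dport=23):
    """Constructed helper: build a minimal IPv4/TCP packet (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 0x1234, 0x4000 if df else 0,
                     ttl, 6, 0, bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1]))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1000, 0, (5 << 12) | tcp_flags, win, 0, 0)
    return ip + tcp

if __name__ == "__main__":
    print(fingerprint(build_packet(ttl=127, win=16384)))  # one hop from a TTL-128 stack
```

A TTL of 40 rounds up to 64 and yields 24 hops, which is how a "[24 hops]" figure like the one in the scan output later in this paper is derived; it is only an estimate, since the true initial TTL is unknown.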

The HoneyNet Project has developed a database of known signatures, and this database can be found at: http://project.honeynet.org/papers/finger/traces.txt.

The main advantage of the passive fingerprinting technique is that it can be used in conjunction with firewalls and IDS systems to search through the information logged by these tools. This can give valuable information about the systems used by attackers and potentially help track down the attackers without their knowledge. Active fingerprinting, on the other hand, will most likely be detected and stopped by the network protection tools at the remote network, and could in the worst case lead to legal proceedings.

p0f can run off-line and sift through large amounts of input data from various logs such as firewall logs, IDS logs, router logs, etc. covering long periods of time. All this information can be extracted and analyzed to give very interesting information about the systems connecting remotely to your network. The information in the packets analyzed by p0f has often not been changed by the remote network's devices such as proxies, network address translation, etc.

p0f will also look for certain well-known signatures in the captured packets. This allows the tool to be used as a simple IDS, and it can be set to only capture packets with known signatures.

Installation

p0f uses libpcap 0.4 or later. libpcap is a packet capture library that allows you to grab all packets going through your ethernet card. All packets on the network, even those destined for other hosts, are accessible using libpcap. libpcap is also used by other tools such as tcpdump (ftp://ftp.ee.lpl.gov/tcpdump.tar.Z) and SNORT (www.snort.org).

The current version for libpcap is 0.6.2 and it can be downloaded from: http://www-nrg.ee.lbl.gov/nrg.html

libpcap is installed using the following steps:

./configure
make
make install

The next step is to download and install p0f, which can be downloaded from http://www.stearns.org/p0f/p0f-current.tgz and is installed by entering the following commands:

make
make install

Usage

p0f was run on my home network, which consists of two Linux boxes and one Windows 2000 box. I only captured traffic on the internal network. p0f was installed on a Linux host which also functions as a proxy for the other hosts.

The following command will start p0f:

p0f -i eth1 -vt


The -i option selects the device from which p0f should extract packets. The -v option runs p0f in verbose mode, while -t adds timestamps to the output. An example of the output from the above command is shown below:

[root@idunn p0f-1.8]# p0f -i eth1 -vt

p0f: passive os fingerprinting utility, version 1.8
(C) Michal Zalewski
William Stearns
p0f: file: '/etc/p0f.fp', 139 fprints, iface: 'eth1',rule: 'all'.
192.168.1.10 [1 hops]:Windows 2000 (9)
+ 192.168.1.10:3169 -> 192.168.1.1:23
192.168.1.10 [1 hops]:Windows 2000 (9)
+ 192.168.1.10:3171 -> 195.139.5.245:80
192.168.1.10 [1 hops]:Windows 2000 (9)
+ 192.168.1.10:3172 -> 195.139.5.245:80

The fingerprint information is located in a file called /etc/p0f.fp, which is the file used by p0f by default. However, p0f can be directed to use another fingerprint file using the -f option.

The output can also be directed to a file using the -o option:

[root@idunn p0f-1.8]# p0f -i eth1 -vto output.txt


The following output shows an nmap attack being picked up by p0f. p0f was analyzing live data.

192.168.1.14 [24 hops]: NMAP scan (distance inaccurate) (7)
+ 192.168.1.14:52424 -> 192.168.1.1:932
192.168.1.14 [24 hops]: NMAP scan (distance inaccurate) (7)
+ 192.168.1.14:52424 -> 192.168.1.1:1482
192.168.1.14 [24 hops]: NMAP scan (distance inaccurate) (7)
+ 192.168.1.14:52424 -> 192.168.1.1:416
192.168.1.14 [24 hops]: NMAP scan (distance inaccurate) (7)
+ 192.168.1.14:52424 -> 192.168.1.1:937
192.168.1.14 [24 hops]: NMAP scan (distance inaccurate) (7)
+ 192.168.1.14:52424 -> 192.168.1.1:3141
192.168.1.14 [24 hops]: NMAP scan (distance inaccurate) (7)
+ 192.168.1.14:52424 -> 192.168.1.1:546
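As an added example, not from this paper or from p0f, the following Python parses output lines in the shape shown above (a signature line followed by a "+ src:port -> dst:port" line) and summarizes, per source host, the labels seen and the number of distinct destination ports, flagging a source when p0f reported a scan signature or when the port spread exceeds a constructed threshold. The sample lines and the threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of p0f 1.8 verbose output (not a real capture).
SAMPLE_OUTPUT = """\
192.168.1.10 [1 hops]:Windows 2000 (9)
+ 192.168.1.10:3169 -> 192.168.1.1:23
192.168.1.14 [24 hops]: NMAP scan (distance inaccurate) (7)
+ 192.168.1.14:52424 -> 192.168.1.1:932
192.168.1.14 [24 hops]: NMAP scan (distance inaccurate) (7)
+ 192.168.1.14:52424 -> 192.168.1.1:1482
192.168.1.14 [24 hops]: NMAP scan (distance inaccurate) (7)
+ 192.168.1.14:52424 -> 192.168.1.1:416
"""

# Signature line: "<ip> [<n> hops]:<label> (<fp number>)"
SIG_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+) \[(\d+) hops\]:\s*(.*?)\s*\(\d+\)$")
# Connection line: "+ <src>:<sport> -> <dst>:<dport>"
CONN_RE = re.compile(r"^\+ (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$")

def parse_p0f(text):
    """Yield (src_ip, hops, label, dst_ip, dst_port) for each signature/connection pair."""
    pending = None
    for line in text.splitlines():
        m = SIG_RE.match(line)
        if m:
            pending = (m.group(1), int(m.group(2)), m.group(3))
            continue
        m = CONN_RE.match(line)
        if m and pending and m.group(1) == pending[0]:
            yield pending[0], pending[1], pending[2], m.group(3), int(m.group(4))
        pending = None

def summarize(text, port_threshold=3):
    """Per source host: labels seen, distinct destination ports, hops and a scan flag."""
    hosts = defaultdict(lambda: {"labels": set(), "ports": set(), "hops": None})
    for src, hops, label, _dst, dport in parse_p0f(text):
        hosts[src]["labels"].add(label)
        hosts[src]["ports"].add(dport)
        hosts[src]["hops"] = hops
    report = {}
    for src, h in hosts.items():
        scan_sig = any("scan" in lab.lower() for lab in h["labels"])
        report[src] = {"labels": sorted(h["labels"]), "distinct_ports": len(h["ports"]),
                       "hops": h["hops"],
                       "likely_scan": scan_sig or len(h["ports"]) >= port_threshold}
    return report

if __name__ == "__main__":
    for src, info in summarize(SAMPLE_OUTPUT).items():
        print(src, info)
```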

Sources:

Books:
  • TCP/IP Illustrated, Volume 1; W. Richard Stevens