This paper describes the newly released p0f (Passive OS Fingerprinting) tool, version 1.8. The tool is developed by Michal Zalewski and can be downloaded from http://lcamtuf.coredump.cx/p0f.shtml.
p0f is a tool that fingerprints a host's operating system passively. There are two ways of determining which operating system a host is running. Active OS fingerprinting has been the most widely used method; it is the technique used by tools such as Queso and Fyodor's nmap (http://www.insecure.org/nmap). It works by sending crafted, abnormal packets to the remote host and analyzing the replies. Different TCP/IP stacks answer differently, which lets the tool recognize a particular OS. If the remote host's network is protected by an IDS or a firewall, such probes are likely to be detected.
Passive OS fingerprinting, on the other hand, never contacts the remote host. Instead it captures the traffic a connecting host sends to the local network, specifically the packets the remote host emits when it attempts to establish a connection to a host on the local network. Another such tool is siphon, developed by the Subterrain Security Group. The fingerprinting is then conducted without the remote host being aware that its packets are being examined.
Active OS fingerprinting is fast, and a large number of hosts can be scanned in a short time frame. Passive fingerprinting is much slower, since it has to wait for each host to initiate a connection, and works best when applied to historic data.
OS fingerprinting will most likely become more popular among black hat attackers as well. Knowing a host's OS is very valuable to an attacker planning an attack. A patient attacker can gather traffic from a particular network and slowly map the OS each host is running without alarming the network security devices. The attack can then be designed to exploit vulnerabilities specific to that OS, whereas active fingerprinting methods often alert the security devices in advance.
The most common signatures to look for are the following fields in a packet:
- TTL (IP header)
- Win (TCP header)
- DF (IP header)
- TOS (IP header)
TTL (Time To Live) is set by the sending OS to a default initial value (typically 64, 128 or 255, depending on the stack) and decremented by every router on the path. The observed value therefore hints at both the OS and the hop distance; this is where the "hops" figure in p0f's output comes from.
Win (Window Size) is the flow control mechanism used by TCP. When a host initiates a connection it advertises the size of its receive buffer, and the other host will not send more unacknowledged data than that, so the receiver is not flooded. Most stacks use a fixed default for the initial window, which makes it a useful fingerprint.
DF (Don't Fragment) is set when the packet must not be broken up into smaller fragments. Fragmentation is normally needed when a packet is too large for a link on the path; if DF is set and the packet is too large, it is discarded and the ICMP error message "fragmentation needed, but DF bit is set" is sent to the source host. Whether a stack sets DF on the packets it sends is another OS-dependent default.
TOS (Type of Service) allows one of four values to be set for each packet. The value depends on the application sending the packet, and only one of the four may be set per packet. The following values are available:
- Minimize delay
- Maximize throughput
- Maximize reliability
- Minimize monetary costs
The fields listed above are the most common, but other characteristics can be used for OS detection as well: the initial sequence number, the IP identification number, TCP or IP options, ICMP payloads, etc.
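As an added illustration of how the header fields above are turned into a fingerprint (example code written for this page, not p0f's own code): it fabricates a few IPv4/TCP SYN packets, extracts TTL, window, DF and TOS from the raw headers, estimates the hop distance from the TTL, and matches the result against a small signature table. The signature values and the window:ttl:df:tos layout are simplified assumptions for the demo, not p0f's p0f.fp syntax or measurements of real stacks.

```python
import struct

# Constructed, illustrative signatures: (window, initial TTL, DF, TOS, name).
# The values are assumptions for this demo, not measurements of real stacks.
SIGNATURES = [
    (5840,  64,  1, 0,  "Linux 2.4 (illustrative)"),
    (16384, 128, 1, 0,  "Windows 2000 (illustrative)"),
    (65535, 64,  1, 16, "FreeBSD 4.x (illustrative)"),
]

# Initial TTL defaults commonly chosen by operating systems.
INITIAL_TTLS = (32, 64, 128, 255)


def build_syn(src, dst, sport, dport, ttl, win, df, tos):
    """Assemble a minimal IPv4 + TCP SYN (no options, zero checksums).

    Only used to fabricate sample input; a real deployment would read
    packets from libpcap instead.
    """
    total_len = 20 + 20
    flags_frag = 0x4000 if df else 0           # DF is bit 14 of flags/fragment
    ip = struct.pack("!BBHHHBBH4s4s",
                     (4 << 4) | 5, tos, total_len, 0x1234, flags_frag,
                     ttl, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0,
                      5 << 4, 0x02, win, 0, 0)  # data offset 5 words, SYN flag
    return ip + tcp


def parse_syn(pkt):
    """Extract the fingerprint fields from an IPv4/TCP SYN.

    Returns None for anything that is not an IPv4 TCP packet with SYN set
    and ACK clear, i.e. not a connection attempt.
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    tos, total_len, _ident, flags_frag, ttl, proto = struct.unpack("!BHHHBB", pkt[1:10])
    if proto != 6 or len(pkt) < ihl + 20:
        return None
    tcp = pkt[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    if tcp[13] & 0x12 != 0x02:                 # flags byte: SYN=0x02, ACK=0x10
        return None
    (win,) = struct.unpack("!H", tcp[14:16])
    return {
        "src": ".".join(str(b) for b in pkt[12:16]),
        "dst": ".".join(str(b) for b in pkt[16:20]),
        "sport": sport, "dport": dport,
        "ttl": ttl, "win": win,
        "df": 1 if flags_frag & 0x4000 else 0,
        "tos": tos, "len": total_len,
    }


def initial_ttl(observed):
    """Guess the sender's initial TTL: the smallest common default >= observed."""
    for t in INITIAL_TTLS:
        if observed <= t:
            return t
    return 255


def fingerprint(pkt):
    """Return (os_name_or_None, estimated_hops) for a SYN, or None if not a SYN."""
    f = parse_syn(pkt)
    if f is None:
        return None
    ttl0 = initial_ttl(f["ttl"])
    hops = ttl0 - f["ttl"]
    for win, sig_ttl0, df, tos, name in SIGNATURES:
        if f["win"] == win and ttl0 == sig_ttl0 and f["df"] == df and f["tos"] == tos:
            return name, hops
    return None, hops


if __name__ == "__main__":
    # Constructed sample: a Windows-like SYN that crossed one router (TTL 128 -> 127).
    sample = build_syn("192.168.1.10", "192.168.1.1", 3169, 23,
                       ttl=127, win=16384, df=1, tos=0)
    print(parse_syn(sample))
    print(fingerprint(sample))   # -> ('Windows 2000 (illustrative)', 1)
```

The hop estimate only works because initial TTLs cluster around a few defaults; a sender that sets an arbitrary TTL, as a scanner can, defeats it, which is why p0f marks such distances as inaccurate.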
The HoneyNet Project has developed a database of known signatures, and this database can be found at: http://project.honeynet.org/papers/finger/traces.txt.
The main advantage of the passive technique is that it can be used alongside firewalls and IDSs to sift through the traffic these tools have logged. This gives valuable information on the systems used by attackers and can help track them down without their knowledge. Active fingerprinting, on the other hand, will most likely be detected and blocked by the protection tools at the remote network, and could in the worst case lead to legal proceedings.
p0f can also run off-line and sift through large amounts of captured traffic, for instance packet dumps collected by firewalls, IDS sensors or routers over long periods of time. All this information can be extracted and analyzed to give very interesting information about the systems connecting remotely to your network. Note what is actually being fingerprinted: plain network address translation usually leaves the TTL, window and DF fields intact, so the host behind the NAT device is identified, whereas a proxy terminates the TCP connection, so p0f sees the proxy rather than the end host.
p0f also looks for certain well-known signatures in the captured packets, such as the pattern produced by nmap. This allows the tool to be used as a simple IDS, and it can be set to report only packets matching known signatures.
Installation
p0f requires libpcap 0.4 or later. libpcap is a packet capture library that lets a program grab the packets passing through the ethernet card; with the card in promiscuous mode, all packets on the segment, even those destined for other hosts, are accessible. libpcap is also used by tools such as tcpdump (ftp://ftp.ee.lbl.gov/tcpdump.tar.Z) and SNORT (www.snort.org).
The current version of libpcap is 0.6.2 and it can be downloaded from: http://www-nrg.ee.lbl.gov/nrg.html
libpcap is installed using the following steps:
./configure
make
make install
The next step is to download and install p0f, which is available from http://www.stearns.org/p0f/p0f-current.tgz. After unpacking the archive, it is installed by entering the following commands:
make
make install
Usage
p0f was run on my home network, which consists of two Linux boxes and one Windows 2000 box. I only captured traffic on the internal network. p0f was installed on a Linux host which also functions as a proxy for the other hosts.
The following command will start p0f:
p0f -i eth1 -vt
The -i option selects the interface p0f captures packets from. The -v option runs p0f in verbose mode, while -t adds timestamps to the output. The fingerprint information is located in the file /etc/p0f.fp, which p0f reads by default; a different fingerprint file can be specified with the -f option. An example of the output from the above command is shown below:
[root@idunn p0f-1.8]# p0f -i eth1 -vt
p0f: passive os fingerprinting utility, version 1.8
(C) Michal Zalewski
William Stearns
p0f: file: '/etc/p0f.fp', 139 fprints, iface: 'eth1',rule: 'all'.
192.168.1.10 [1 hops]:Windows 2000 (9)
+ 192.168.1.10:3169 -> 192.168.1.1:23
192.168.1.10 [1 hops]:Windows 2000 (9)
+ 192.168.1.10:3171 -> 195.139.5.245:80
192.168.1.10 [1 hops]:Windows 2000 (9)
+ 192.168.1.10:3172 -> 195.139.5.245:80
The output can also be directed to a file using the -o option:
[root@idunn p0f-1.8]# p0f -i eth1 -vt -o output.txt
The following output shows an nmap scan being picked up by p0f while it was analyzing live traffic. The hop count is reported as inaccurate because the scanner fills in its own TTL instead of the OS default, so the distance cannot be derived from it.
192.168.1.14 [24 hops]: NMAP scan (distance inaccurate) (7)
+ 192.168.1.14:52424 -> 192.168.1.1:932
192.168.1.14 [24 hops]: NMAP scan (distance inaccurate) (7)
+ 192.168.1.14:52424 -> 192.168.1.1:1482
192.168.1.14 [24 hops]: NMAP scan (distance inaccurate) (7)
+ 192.168.1.14:52424 -> 192.168.1.1:416
192.168.1.14 [24 hops]: NMAP scan (distance inaccurate) (7)
+ 192.168.1.14:52424 -> 192.168.1.1:937
192.168.1.14 [24 hops]: NMAP scan (distance inaccurate) (7)
+ 192.168.1.14:52424 -> 192.168.1.1:3141
192.168.1.14 [24 hops]: NMAP scan (distance inaccurate) (7)
+ 192.168.1.14:52424 -> 192.168.1.1:546
192.168.1.14 [24 hops]: NMAP scan (distance inaccurate) (7)
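The "simple IDS" use of p0f mentioned earlier, as an added example that is not part of p0f: it parses the two-line records that p0f -vt prints (a host line followed by a "+ src:port -> dst:port" line) and flags a source that either carries p0f's NMAP scan label or opens connections to many distinct ports on one destination. The log lines are constructed after the format shown in this paper, the port threshold is an assumption, and a real deployment would read the file written with -o instead of an embedded string.

```python
import re
from collections import defaultdict

# p0f -vt record: a host line, then a flow line (format as printed by p0f 1.8).
HOST_RE = re.compile(r"^(\S+) \[(\d+) hops\]:\s*(.+?) \(\d+\)$")
FLOW_RE = re.compile(r"^\+ (\S+):(\d+) -> (\S+):(\d+)$")

# Constructed sample, modelled on the output shown in this paper.
SAMPLE_LOG = """\
192.168.1.10 [1 hops]:Windows 2000 (9)
+ 192.168.1.10:3169 -> 192.168.1.1:23
192.168.1.10 [1 hops]:Windows 2000 (9)
+ 192.168.1.10:3171 -> 195.139.5.245:80
192.168.1.14 [24 hops]: NMAP scan (distance inaccurate) (7)
+ 192.168.1.14:52424 -> 192.168.1.1:932
192.168.1.14 [24 hops]: NMAP scan (distance inaccurate) (7)
+ 192.168.1.14:52424 -> 192.168.1.1:1482
192.168.1.14 [24 hops]: NMAP scan (distance inaccurate) (7)
+ 192.168.1.14:52424 -> 192.168.1.1:416
"""


def parse_records(text):
    """Pair each host line with the flow line that follows it.

    Returns a list of dicts; a flow line without a preceding host line
    for the same source, or any unparsable line, is skipped rather than
    raising, so a truncated log still yields the records it does contain.
    """
    records, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            pending = {"src": m.group(1), "hops": int(m.group(2)), "os": m.group(3).strip()}
            continue
        m = FLOW_RE.match(line)
        if m and pending and m.group(1) == pending["src"]:
            records.append(dict(pending, sport=int(m.group(2)),
                                dst=m.group(3), dport=int(m.group(4))))
            pending = None
    return records


def find_scanners(records, port_threshold=5):
    """Map suspicious source -> reason.

    Two rules: the OS label p0f assigned contains "NMAP scan", or the source
    touched at least port_threshold distinct ports on one destination.  The
    threshold is an assumption; tune it to the site's normal traffic.
    """
    ports = defaultdict(set)
    flagged = {}
    for r in records:
        ports[(r["src"], r["dst"])].add(r["dport"])
        if "NMAP scan" in r["os"]:
            flagged.setdefault(r["src"], "p0f signature: NMAP scan")
    for (src, dst), seen in sorted(ports.items()):
        if len(seen) >= port_threshold:
            flagged.setdefault(src, f"{len(seen)} distinct ports on {dst}")
    return flagged


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for src, reason in find_scanners(recs).items():
        print(f"{src}: {reason}")   # -> 192.168.1.14: p0f signature: NMAP scan
```

The second rule matters because a scanner that does not match p0f's signature (a different tool, or one whose packets were normalized in transit) still shows the one-source, many-ports shape in the flow lines.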
Sources:
Papers:
- Know Your Enemy: Passive Fingerprinting; the Honeynet Project; http://project.honeynet.org/papers/finger/
- Remote OS Detection via TCP/IP Stack Fingerprinting; Fyodor; http://www.insecure.org/nmap/nmap-fingerprinting-article.html
- Passive Aggressive; John Lasser; http://www.securityfocus.com/columnists/57
- Passive System Fingerprinting using Network Client Applications; Jose Nazario
Books:
- TCP/IP Illustrated, Volume 1; W. Richard Stevens
