
                                  --=--
                                  p.0.f
                                  --=--

                    "Dr. Jekyll had something to Hyde"
		    
                      passive OS fingerprinting tool
                       version 1.7 <lcamtuf@tpi.pl>

 		    -= buffer0verfl0w security team =-
		       
                      http://lcamtuf.hack.pl/p0f.tgz


Special thanks to:

  * Lance Spitzner for whitepaper on passive OS fingerprinting:
    http://www.enteract.com/~lspitz/finger.html
  * tf8 for initial piece of libpcap support and packet parsing
  * teso/security.is/b0f/#hax for ideas and testing
  * Jeremy Weatherford, Chris Wilson and Szilveszter Adam for
    portability testing/patches, bugfixes and ideas,
  * other BUGTRAQ readers for OS fingerprints and useful patches
  * other people involved (or not) in this project
  * very, very special thanks to el- :*
  
Background:

  * What is passive OS fingerprinting?
  
  Passive OS fingerprinting is based on information sent by a remote host
  when it establishes a connection to our system. The captured packets
  contain enough information to determine its OS - and, unlike active
  scanners (nmap, queSO), without sending anything to that host.
  
  If you're looking for more information, read Spitzner's text at:
  http://www.enteract.com/~lspitz/finger.html
      
  * How does it work?
  
  Well, some TCP/IP header settings are specific to a given system. Usually
  the initial TTL (8 bits), window size (16 bits), maximum segment size
  (16 bits), don't fragment flag (1 bit), sackOK option (1 bit), nop option
  (1 bit) and window scaling option (8 bits), taken together, give a unique
  51-bit signature for every system.
  
  * What are the main advantages?
  
  Passive OS fingerprinting can be done on huge amounts of input data - e.g.
  information gathered on a firewall, proxy, routing device or Internet
  server - without causing any network activity. You can launch passive OS
  detection software on such a machine and leave it for days, weeks or
  months, collecting really interesting statistical and - *erm* - just
  interesting information. What's really funny - packet filtering firewalls,
  network address translation and so on are transparent to p0f-like
  software, so you're able to obtain information about systems behind the
  firewall. Also, such software can determine the distance between the
  remote host and your system, allowing you to generate network structure
  maps for firewalled/structured networks. And all without sending _any_
  packet. Just think about IDS systems.
  
Limitations

  Proxy firewalls and other high-level proxy devices are not transparent to
  any TCP fingerprinting software. This applies to p0f as well.
  
  In order to obtain the information required for fingerprinting, you have
  to receive at least one SYN packet initiating a TCP connection to your
  machine or network. Note: you don't have to respond to that SYN. Of
  course, it's impossible to perform any kind of OS detection without
  receiving any information at all.
  
  It is possible to perform fingerprinting on an established TCP connection,
  or even when the connection is initiated from your network. But these
  techniques are less reliable: in many implementations some parameters are
  copied from the first SYN packet, so if the connection was initiated from
  our network, fingerprinting won't succeed; also, some parameters, like the
  window size, are constant for the initial TCP/IP packet but change rapidly
  later.
  
Why is our bubble gum better?

  There is another passive OS detection utility, called 'siphon'. It's a
  pretty good piece of proof-of-concept software, but it isn't perfect.
  Well, p0f isn't perfect either, but it has several improvements:
  
  - it's single-threaded and pretty clean,
  
  - it works properly on Linux (siphon has a problem with bpf on 2.2), as
    well as on BSD systems and SunOS/Solaris,
  
  - it has a pretty large and detailed fingerprint database,
  
  - it uses more information for fingerprinting (26 extra bits),
  
  - it's more accurate,
  
  - you can define your own filtering rules in tcpdump flavour, e.g.
    p0f 'src host 1.2.3.4' or p0f 'gateway 1.2.3.4 and port 80', and
    choose the listening interface (using option -i).
    
  What more? Dunno :) Simply check it out.

Not working!

  Probably p0f isn't working well on every platform in the world. First
  of all, you'll need libpcap 0.4 or newer; sometimes pcap.h is placed in
  /usr/include/pcap instead of /usr/include/ (e.g. in the broken RH 6.1
  package). In this case, simply issue:
  
  ln -s /usr/include/pcap/pcap.h /usr/include/
  ln -s /usr/include/pcap/net/bpf.h /usr/include/net/
  
  NOTE: if p0f recognizes a system incorrectly or cannot recognize it at
  all, please send the OS signature and a system description to the
  author. Thanks :)
  
  Tested platforms:

  - NetBSD  
  - FreeBSD
  - OpenBSD
  - Linux 2.0/2.2
  - Solaris 2.6-2.7
  
  Requires: libpcap 0.4 or newer; GNU cc 2.7.x or newer; GNU make 3.7x;
            GNU egrep (for proper Makefile processing)
  
Files:

  /etc/p0f.fp or ./p0f.fp - OS fingerprint database. The format is described
  inside:
  
  # A valid entry describes the way a remote system starts the TCP handshake
  # (its first SYN). Important options are: window size (wss), maximum
  # segment size (mss), don't fragment flag (DF), window scaling (wscale),
  # sackOK flag, nop flag, and initial time to live (TTL) ;)
  #
  # How can you determine the initial TTL? Well, usually it's the first
  # power of 2 bigger than the TTL returned in the scan. So, for example, if
  # you get TTL 55 in a fingerprint returned by p0f, the initial TTL will
  # usually be 64... NOTE: it's better to overestimate the initial TTL than
  # to underestimate it ;)
  #
  # There are some brain-damaged devices, like network printers etc., that
  # have stupid initial TTLs like 60, but who cares - if an HP LaserJet wants
  # to visit your server, you have to think again about your life ;)
  #
  # Format:
  #
  # wwww:ttt:mmm:D:W:S:N:OS Description
  #
  # wwww - window size
  # ttt  - time to live
  # mmm  - maximum segment size
  # D    - don't fragment flag  (0=unset, 1=set)
  # W    - window scaling (-1=not present, other=value)
  # S    - sackOK flag (0=unset, 1=set)
  # N    - nop flag (0=unset, 1=set)
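  As an added example (not part of p0f or this README), here is a small
  Python parser and matcher for the p0f.fp format above: it applies the
  initial-TTL rule, compares the 51-bit signature from "How does it work?"
  against the database and reports the hop distance. The database entries
  and the observed SYN values are constructed for illustration only.

```python
# Added example, not p0f's own code: parse the p0f.fp format described
# above and match an observed SYN against it.  All entries below are
# constructed samples, not real p0f fingerprints.
from collections import namedtuple

Fingerprint = namedtuple("Fingerprint", "wss ttl mss df wscale sack nop os")

SAMPLE_DB = """\
# constructed entries in wwww:ttt:mmm:D:W:S:N:OS form
32120:64:1460:1:0:1:1:Linux 2.2 (constructed)
16384:64:1460:1:0:0:0:BSD-like (constructed)
8192:128:1460:1:-1:0:0:Windows-like (constructed)
"""


def parse_db(text):
    """Parse p0f.fp lines; '#' lines and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Only the first seven colons separate fields; the OS description
        # may itself contain ':' so it is kept whole.
        parts = line.split(":", 7)
        if len(parts) != 8:
            raise ValueError("malformed entry: %r" % raw)
        entries.append(Fingerprint(*[int(p) for p in parts[:7]], parts[7]))
    return entries


def initial_ttl(observed):
    """README rule: the first power of two not below the observed TTL
    (55 -> 64, 120 -> 128); capped at 255 since TTL is an 8-bit field."""
    ttl = 1
    while ttl < observed:
        ttl *= 2
    return min(ttl, 255)


def match(db, wss, ttl, mss, df, wscale, sack, nop):
    """Compare the SYN's 51-bit signature with each entry, using the
    estimated initial TTL for the ttt field.  Returns (os, hops) for the
    first match, where hops = initial TTL - observed TTL, else None."""
    est = initial_ttl(ttl)
    observed = (wss, est, mss, df, wscale, sack, nop)
    for fp in db:
        if fp[:7] == observed:
            return fp.os, est - ttl
    return None
```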

What to do?

  - COLORFUL INTERFACE :))))

License, disclaimer:

  The p0f utility and related utilities are free software; you can
  redistribute it and/or modify it under the terms of the GNU Library
  General Public License as published by the Free Software Foundation;
  either version 2 of the License, or (at your option) any later version.
   
  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
  OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
  MICHAL ZALEWSKI, OR ANY OTHER CONTRIBUTORS BE LIABLE FOR ANY CLAIM,
  DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
  OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE
  OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
       
-- Michal Zalewski <lcamtuf@tpi.pl>
