p0f: TCP Packet Fingerprinting (coredump.cx)
140 points by btdmaster on Sept 17, 2022 | 24 comments


I remember when I was in college and we were doing work about passive OS fingerprinting and we used p0f. Vista was a new OS back then and we fingerprinted it successfully before p0f got its own signatures; it was so cool. It was around 15 years ago. My god, time flies so fast.


It’s still great for that exact purpose. Knowing that your SMTP peer is running Windows XP is the strongest spam fighting signal that has ever existed.


This is p0f 3.09b. Does anybody know of updated fingerprint files?

The fingerprint file dates to 2014, well before Windows 10, and about Linux kernel 3.12. There's lots of things it just doesn't identify.


The openbsd pf.os file is occasionally updated as practically required.

http://cvsweb.openbsd.org/src/etc/pf.os


I use this. It works, but it's dated and doesn't work consistently enough that it should be relied upon in any capacity.


Inconsistency is due to missing fingerprints?


Not OP but: Linux with TTL modified to look like Windows+1 to avoid tethering prevention gets actively proxied by an enterprise security/nat appliance. What fingerprint do you expect to see and what would you want to learn from it? That kind of thing.


IIRC, one of lcamtuf's works. His book Silence on the Wire is still one of my favorite reads of all time.


How would this fare now against encryption? Being that it's from 2014.


If you update the fingerprints, it will still work fine.

Application layer or session layer stuff like encryption is irrelevant, the fingerprints are largely based on differences at the transport layer and below.

You can also do some nice fingerprinting at the TLS layer based on stuff like what ciphers are offered, the order of them, etc.
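The TLS-layer fingerprinting the comment above mentions works on the ClientHello, which is sent in the clear before any encryption starts. The following is an added example (not p0f code and not from any commenter) that parses a ClientHello and builds a JA3-style string from the legacy version, the cipher suites in offered order, the extension types in order, the supported groups and the EC point formats, with GREASE values stripped as JA3 does. The ClientHello bytes are constructed in the block itself so it runs offline.

```python
"""JA3-style passive TLS ClientHello fingerprinting (added example, not p0f code).
The sample ClientHello is constructed here; cipher and extension values are
ordinary IANA code points chosen for the demo."""
import hashlib
import struct

# GREASE values (RFC 8701) are random per connection, so JA3 drops them.
GREASE = {0x0A0A, 0x1A1A, 0x2A2A, 0x3A3A, 0x4A4A, 0x5A5A, 0x6A6A, 0x7A7A,
          0x8A8A, 0x9A9A, 0xAAAA, 0xBABA, 0xCACA, 0xDADA, 0xEAEA, 0xFAFA}


def parse_client_hello(record: bytes) -> dict:
    """Decode one TLS record carrying a ClientHello into the fields JA3 uses."""
    ctype, _rec_ver, rlen = struct.unpack("!BHH", record[:5])   # record header
    if ctype != 22:
        raise ValueError("not a handshake record")
    hs = record[5:5 + rlen]
    if hs[0] != 1:                                              # HandshakeType.client_hello
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    version = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    pos += 32                                                   # client random
    pos += 1 + body[pos]                                        # legacy session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    ciphers = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                        # compression methods
    extensions, groups, ec_formats = [], [], []
    if pos < len(body):                                         # extensions block is optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            edata = body[pos:pos + elen]; pos += elen
            extensions.append(etype)
            if etype == 10:                                     # supported_groups
                n = struct.unpack("!H", edata[:2])[0]
                groups = [struct.unpack("!H", edata[2 + i:4 + i])[0] for i in range(0, n, 2)]
            elif etype == 11:                                   # ec_point_formats
                ec_formats = list(edata[1:1 + edata[0]])
    return {"version": version, "ciphers": ciphers, "extensions": extensions,
            "groups": groups, "ec_formats": ec_formats}


def ja3_string(ch: dict) -> str:
    """version,ciphers,extensions,groups,point_formats (decimal, dash-joined, GREASE removed)."""
    def field(values):
        return "-".join(str(v) for v in values if v not in GREASE)
    return ",".join([str(ch["version"]), field(ch["ciphers"]), field(ch["extensions"]),
                     field(ch["groups"]), field(ch["ec_formats"])])


def ja3_hash(ch: dict) -> str:
    return hashlib.md5(ja3_string(ch).encode()).hexdigest()


def build_client_hello(ciphers, extensions) -> bytes:
    """Constructed sample: TLS 1.2 record wrapping a ClientHello (random left zero)."""
    ext_blob = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00"
            + struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
            + b"\x01\x00" + struct.pack("!H", len(ext_blob)) + ext_blob)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, 0x0301, len(hs)) + hs


SNI = struct.pack("!H", 14) + b"\x00" + struct.pack("!H", 11) + b"example.com"
EXTS = [(0, SNI),
        (10, struct.pack("!HHH", 4, 0x001D, 0x0017)),            # x25519, secp256r1
        (11, b"\x01\x00"),                                         # uncompressed
        (13, struct.pack("!HHH", 4, 0x0403, 0x0804)),
        (43, b"\x04" + struct.pack("!HH", 0x0304, 0x0303))]
CIPHERS = [0x1301, 0x1302, 0xC02B, 0xC02F]
SAMPLE_HELLO = build_client_hello(CIPHERS, EXTS)
# Same client with a GREASE cipher prepended: must fingerprint identically.
SAMPLE_HELLO_GREASE = build_client_hello([0x0A0A] + CIPHERS, EXTS)
# Same suites, different order: a different stack, hence a different fingerprint.
SAMPLE_HELLO_REORDERED = build_client_hello([0xC02F, 0xC02B, 0x1302, 0x1301], EXTS)

if __name__ == "__main__":
    for name, rec in [("sample", SAMPLE_HELLO), ("grease", SAMPLE_HELLO_GREASE),
                      ("reordered", SAMPLE_HELLO_REORDERED)]:
        ch = parse_client_hello(rec)
        print(f"{name:10} {ja3_string(ch)}  {ja3_hash(ch)}")
```

The point the comment makes is visible in the output: the offered suites and their order, not the negotiated key, are what identify the stack, and that information is available to a passive observer no matter how strong the encryption that follows.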


It looks at tcp header values, not packet data.
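To make the "TCP header values" concrete, here is an added example (not p0f's code, and not posted by anyone in the thread) that parses an IPv4/TCP SYN and emits a signature laid out like a p0f v3 signature: ver:ittl:olen:mss:wsize,scale:olayout:quirks:pclass. It implements the subset of that layout needed for the demo (initial TTL guessed by rounding up to 32/64/128/255, window expressed as a multiple of MSS where it divides evenly, option layout labels, and a handful of quirks), so the strings it produces should be read as p0f-style rather than as exact p0f output. The sample packets are constructed in the block; the third one mirrors the earlier comment about raising Linux's TTL so it arrives looking like a Windows hop count.

```python
"""p0f-style passive SYN fingerprinting from raw IPv4/TCP headers (added example,
not p0f code).  Sample packets are constructed below; checksums are left zero."""
import struct

OPT_EOL, OPT_NOP, OPT_MSS, OPT_WS, OPT_SOK, OPT_SACK, OPT_TS = 0, 1, 2, 3, 4, 5, 8


def guess_initial_ttl(ttl: int) -> int:
    """Round the observed TTL up to the nearest common initial value; each router
    hop decremented it by one, so 61 most likely started life as 64."""
    for initial in (32, 64, 128, 255):
        if ttl <= initial:
            return initial
    return 255


def parse_tcp_options(raw: bytes):
    """Return option layout labels in wire order plus the decoded MSS/wscale/ts."""
    layout, values, i = [], {}, 0
    while i < len(raw):
        kind = raw[i]
        if kind == OPT_EOL:
            layout.append(f"eol+{len(raw) - i - 1}")      # padding after end-of-list
            break
        if kind == OPT_NOP:
            layout.append("nop"); i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            layout.append("bad"); break                   # truncated or malformed option
        length, body = raw[i + 1], raw[i + 2:i + raw[i + 1]]
        if kind == OPT_MSS and length == 4:
            layout.append("mss"); values["mss"] = struct.unpack("!H", body)[0]
        elif kind == OPT_WS and length == 3:
            layout.append("ws"); values["wscale"] = body[0]
        elif kind == OPT_SOK and length == 2:
            layout.append("sok")
        elif kind == OPT_SACK:
            layout.append("sack")
        elif kind == OPT_TS and length == 10:
            layout.append("ts"); values["ts"] = struct.unpack("!II", body)
        else:
            layout.append(f"?{kind}")
        i += length
    return layout, values


def syn_signature(pkt: bytes) -> str:
    """Build ver:ittl:olen:mss:wsize,scale:olayout:quirks:pclass from one SYN."""
    ver_ihl, _tos, _tot, ip_id, frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or proto != 6:
        raise ValueError("only IPv4/TCP is handled in this example")
    tcp = pkt[ihl:]
    _sp, _dp, _seq, ack, off_flags, window, _csum, urg = struct.unpack("!HHIIHHHH", tcp[:20])
    data_off, flags = (off_flags >> 12) * 4, off_flags & 0x1FF
    if not flags & 0x02 or flags & 0x10:
        raise ValueError("not a bare SYN")
    layout, vals = parse_tcp_options(tcp[20:data_off])
    mss = vals.get("mss")
    wsize = f"mss*{window // mss}" if mss and window % mss == 0 else str(window)
    df = bool(frag & 0x4000)
    quirks = []
    if df:
        quirks.append("df")
        if ip_id: quirks.append("id+")                    # DF set but IP ID still used
    elif ip_id == 0:
        quirks.append("id-")                              # DF clear and IP ID zero
    if flags & 0xC0: quirks.append("ecn")                 # ECE/CWR in the SYN
    if flags & 0x08: quirks.append("pushf+")
    if urg: quirks.append("uptr+")
    if ack: quirks.append("ack+")                         # ACK number set without ACK flag
    pclass = 0 if len(tcp) == data_off else "+"
    return (f"{version}:{guess_initial_ttl(ttl)}:{ihl - 20}:{mss or '*'}:{wsize},"
            f"{vals.get('wscale', 0)}:{','.join(layout)}:{','.join(quirks)}:{pclass}")


def build_syn(ttl, ip_id, df, window, options) -> bytes:
    """Constructed sample SYN from 192.0.2.1:40000 to 198.51.100.1:80."""
    tcp_len = 20 + len(options)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, ip_id, 0x4000 if df else 0,
                         ttl, 6, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    tcp_hdr = struct.pack("!HHIIHHHH", 40000, 80, 0x12345678, 0,
                          ((tcp_len // 4) << 12) | 0x02, window, 0, 0)
    return ip_hdr + tcp_hdr + options


LINUX_LIKE_OPTS = (bytes([2, 4, 0x05, 0xB4]) + bytes([4, 2]) + bytes([8, 10])
                   + struct.pack("!II", 0x00010000, 0) + bytes([1]) + bytes([3, 3, 7]))
WINDOWS_LIKE_OPTS = bytes([2, 4, 0x05, 0xB4]) + bytes([1]) + bytes([3, 3, 8]) + bytes([1, 1, 4, 2])
SAMPLES = {
    "linux_like": build_syn(61, 0x1A2B, True, 29200, LINUX_LIKE_OPTS),     # 3 hops from 64
    "windows_like": build_syn(126, 0x3C4D, True, 8192, WINDOWS_LIKE_OPTS),  # 2 hops from 128
    "linux_ttl_129": build_syn(128, 0x1A2B, True, 29200, LINUX_LIKE_OPTS),  # sender set 129
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:14} {syn_signature(pkt)}")
```

The third sample is the case from the tethering comment: the TTL field alone now says 128, the Windows value, but the option layout (mss,sok,ts,nop,ws) and the window-as-multiple-of-MSS are still the Linux stack's. That is why a fingerprint database has to key on more than one field, and also why a NAT or proxy that rewrites the whole SYN leaves nothing useful to match.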


Thanks, that makes sense now. It was a genuine question, must have missed it on the page, I was wondering why I was getting downvoted.


Yeah, that is a reasonable question if you’re not familiar. People are mean if they’re downvoting :(


I assume p0f doesn't do TCP timestamp clock skew fingerprinting out of curiosity too? Curious if there are any OSS tools for that.


On Linux TCP timestamps are random.


nmap reports clock skew.


Do you mean via this script - https://svn.nmap.org/nmap/scripts/clock-skew.nse ? If so, it looks like that's extracting time values from protocols above TCP such as HTTP etc. Please correct me if I misunderstood what you meant.

This was the type of technique I was thinking of - https://murdoch.is/talks/eurobsdcon07hotornot.pdf


Great tool, but not maintained anymore, unfortunately.


Too bad it doesn't work on Windows out of the box without cygwin/msys trickery. libpcap doesn't have an open source alternative on Windows. WinPcap is almost dead and Npcap is not free to use.



Is there a UDP equivalent to passively monitor and fingerprint? I'm guessing not, but would be interested to hear if there is.


"Copyright (C) 2000-2014 by Michal Zalewski"

2014


Plis packet data


Pliss packet data



