lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3F57B1CD.4010605@snosoft.com>
From: simon at snosoft.com (simon (www.snosoft.com))
Subject: Re: [tool] the new p0f 2.0.1 is now out

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This sounds very simple actually, correct me if I am wrong ( I just 
jumped into this thread).  Some IDS systems claim to do passive network 
monitoring and passive fingerprinting as well.  They simply do checks on 
the packets sent from a host by sniffing the network. They do not make 
the request for the packet, they let other users generate packets and do 
the fingerprinting on those.

So, I suppose you could fingerprint a system by browsing a web page and 
looking at the packets being set from the web server. 


Matt Barrie wrote:

>Does it do DNS resolution on logfiles? If so, this may be a way of
>detecting.
>
>
>-----Original Message-----
>From: full-disclosure-admin@...ts.netsys.com
>[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Andreas
>Gietl
>Sent: Thursday, September 04, 2003 12:43 PM
>To: thetic; Michal Zalewski; honeypots@...urityfocus.com;
>pen-test@...urityfocus.com; focus-ids@...urityfocus.com;
>sectools@...urityfocus.com
>Cc: incidents@...urityfocus.com; bugtraq@...urityfocus.com;
>full-disclosure@...sys.com
>Subject: Re: [Full-Disclosure] Re: [tool] the new p0f 2.0.1 is now out
>
>On Thursday 04 September 2003 20:19, thetic wrote:
>
>it i a passive scan-tool! you can't detect the scans because there are
>no 
>packets going to you network. 
>
>  
>
>>Question concerning the the POF, how can we setup a IDS to detect a
>>    
>>
>POF
>  
>
>>scan.
>>
>>umer
>>
>>
>>----- Original Message -----
>>From: "Michal Zalewski" <lcamtuf@...ttot.org>
>>To: <honeypots@...urityfocus.com>; <pen-test@...urityfocus.com>;
>><focus-ids@...urityfocus.com>; <sectools@...urityfocus.com>
>>Cc: <incidents@...urityfocus.com>; <bugtraq@...urityfocus.com>;
>><full-disclosure@...sys.com>
>>Sent: Wednesday, September 03, 2003 12:21 PM
>>Subject: [tool] the new p0f 2.0.1 is now out
>>
>>    
>>
>>>I am proud to announce the new stable version of p0f, 2.0.1, a
>>>      
>>>
>complete
>  
>
>>>rewrite of the original open-source tool released back in 2000, and
>>>      
>>>
>a
>  
>
>>>major step for the utility.
>>>
>>>I apologize for posting to all the forums, and leave it to the
>>>      
>>>
>moderators
>  
>
>>>to accept or drop this post - but I believe the tool is probably of
>>>      
>>>
>some
>  
>
>>>interest to the IDS / honeypot / pen-test / general ITSec audiences,
>>>      
>>>
>and
>  
>
>>>more appropriate forums are largely defunct.
>>>
>>>------------
>>>What is p0f?
>>>------------
>>>
>>>   P0f v2 is a versatile passive OS fingerprinting tool. P0f can
>>>      
>>>
>identify
>  
>
>>>   the system on machines that connect to your box, machines you
>>>      
>>>
>connect
>  
>
>>>   to, and even machines that merely go thru or near your box. All
>>>      
>>>
>this
>  
>
>>>   even if the device is behind a fascist packet firewall.
>>>
>>>   P0f will also detect what the remote system is hooked up to (be
>>>      
>>>
>it
>  
>
>>>   Ethernet, DSL, OC3, or avian carriers), how far it is located,
>>>      
>>>
>what's
>  
>
>>>   its uptime, and will often detect NAT, firewall presence, and
>>>      
>>>
>even
>  
>
>>>   the name of the other guy's ISP - all this without sending a
>>>      
>>>
>single
>  
>
>>>   packet.
>>>
>>>What do you need it for?
>>>------------------------
>>>
>>>   P0f is quite useful for gathering all kinds of profiling
>>>      
>>>
>information
>  
>
>>>   about your users, customers or attackers (IDS, honeypot,
>>>      
>>>
>firewall),
>  
>
>>>   tech espionage (laugh...), active or passive policy enforcement
>>>   (restricting access for certain systems or otherwise handling
>>>      
>>>
>them
>  
>
>>>   differently), content optimization, pen-testing, thru-firewall
>>>   fingerprinting... plus all the tasks active fingerprinting is
>>>      
>>>
>suitable
>  
>
>>>   for. And, of course, it has a high coolness factor, even if you
>>>      
>>>
>are
>  
>
>>>   not a sysadmin.
>>>
>>>-----------
>>>What's new?
>>>-----------
>>>
>>>  Almost everything. Please upgrade and encourage your vendor to
>>>  update his packages. P0f v2 is far superior to the old code
>>>  and its clones (such as the Ettercap passive OS fingerprinting
>>>  functionality, based on the p0f v1 concepts). It is faster,
>>>  more secure, reliable, precise, accurate, feature-loaded
>>>  (including easy service integration). It also introduces many
>>>  new metrics, some of them "invented" for p0f v2.
>>>
>>>  NEW CORE CHECKS:
>>>
>>>    - Option layout and count check,
>>>    - EOL presence and trailing data [*],
>>>    - Unrecognized options handling (TTCP, etc),
>>>    - WSS to MSS/MTU correlation checks [*],
>>>    - Zero timestamp check,
>>>    - Non-zero ACK in initial SYN [*],
>>>    - Non-zero "unused" TCP fields [*],
>>>    - Non-zero urgent pointer in SYN [*],
>>>    - Non-zero second timestamp [*],
>>>    - Zero IP ID in initial packet,
>>>    - Unusual auxilinary flags,
>>>    - Data payload in control packets [*],
>>>    - Non-empty IP options.
>>>
>>>    [*] Metrics "invented" for p0f, as far as I know. Other metrics
>>>    were discussed before, although usually not implemented
>>>      
>>>
>anywhere.
>  
>
>>>  IMPROVEMENTS:
>>>
>>>    - Major performance improvements - no more runtime signature
>>>      
>>>
>parsing,
>  
>
>>>      added BPF pre-filtering, signature hash lookups - to make p0f
>>>      
>>>
>>suitable
>>
>>    
>>
>>>      for high-throughput devices,
>>>
>>>    - Modulo and wildcard operators for certain TCP/IP parameters to
>>>      
>>>
>make
>  
>
>>>      it easier to come up with generic last chance signatures for
>>>      systems that tweak settings notoriously (think Windows),
>>>
>>>    - Auto-detection of DF-zeroing firewalls,
>>>
>>>    - Auto-detection of MSS-tweaking NAT and router devices,
>>>
>>>    - Media type detection based on MSS, with a database of common
>>>      link types,
>>>
>>>    - Origin network detection based on unusual ToS / precedence
>>>      
>>>
>bits,
>  
>
>>>    - Ability to detect and skip ECN option when examining flags,
>>>
>>>    - Better fingerprint file structure and contents - all
>>>      
>>>
>fingerprints
>  
>
>>>      are rigorously reviewed before being added.
>>>
>>>    - Generic last-chance signatures to cover general OS
>>>      
>>>
>characteristics,
>  
>
>>>    - Query mode to enable easy integration with third party
>>>      
>>>
>software -
>  
>
>>>      p0f caches recent fingerprints and answer queries for src-dst
>>>      combinations on a local stream socket in a easy to parse
>>>      form,
>>>
>>>    - Usability features: greppable output option, daemon mode, host
>>>      name resolution option, promiscuous mode switch, built-in
>>>      
>>>
>signature
>  
>
>>>      collision detector, ToS reporting, etc,
>>>
>>>    - "Officially unsupported" SYN+ACK fingerprinting mode for
>>>      
>>>
>silent
>  
>
>>>      identifications of systems you connect to the usual way (web
>>>      browser, MTA),
>>>
>>>    - Fixed WSCALE handling in general, and WSS passing on
>>>      
>>>
>little-endian,
>  
>
>>>      many other bug-fixes and improvements of the packet parser
>>>      (including some sanity checks).
>>>
>>>--------------------
>>>Download, demo, etc.
>>>--------------------
>>>
>>>  P0f home page is:
>>>  http://lcamtuf.coredump.cx/p0f.shtml
>>>
>>>  Download:
>>>  http://lcamtuf.coredump.cx/p0f.tgz
>>>
>>>  Contribute / see it in action:
>>>  http://lcamtuf.coredump.cx/p0f-help/
>>>
>>>  P0f is believed to run fine on Windows, Linux, FreeBSD, NetBSD,
>>>  OpenBSD, MacOS X, Solaris and AIX.
>>>
>>>  Please consider contributing to the project if you liked it.
>>>      
>>>
>>_______________________________________________
>>Full-Disclosure - We believe in it.
>>Charter: http://lists.netsys.com/full-disclosure-charter.html
>>    
>>
>
>  
>


- -- 
Regards,
        -simon-

        Secure Network Operations, Inc.
        http://www.secnetops.com || http://www.snosoft.com
        Office: 978-263-3829  Fax: 978-263-0033
        -------------------------------------------------------
        "Embracing the future of technology, protecting you..."

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE/V7HNf3Elv1PhzXgRAliLAJ9IIa66dz7tKYnyRPpaotsR26pYyQCgzZ22
91DX/yMGEvaN1wByLck60Ng=
=cXXb
-----END PGP SIGNATURE-----


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ