[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3F57B1CD.4010605@snosoft.com>
From: simon at snosoft.com (simon (www.snosoft.com))
Subject: Re: [tool] the new p0f 2.0.1 is now out
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
This sounds very simple actually, correct me if I am wrong ( I just
jumped into this thread). Some IDS systems claim to do passive network
monitoring and passive fingerprinting as well. They simply do checks on
the packets sent from a host by sniffing the network. They do not make
the request for the packet, they let other users generate packets and do
the fingerprinting on those.
So, I suppose you could fingerprint a system by browsing a web page and
looking at the packets being set from the web server.
Matt Barrie wrote:
>Does it do DNS resolution on logfiles? If so, this may be a way of
>detecting.
>
>
>-----Original Message-----
>From: full-disclosure-admin@...ts.netsys.com
>[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Andreas
>Gietl
>Sent: Thursday, September 04, 2003 12:43 PM
>To: thetic; Michal Zalewski; honeypots@...urityfocus.com;
>pen-test@...urityfocus.com; focus-ids@...urityfocus.com;
>sectools@...urityfocus.com
>Cc: incidents@...urityfocus.com; bugtraq@...urityfocus.com;
>full-disclosure@...sys.com
>Subject: Re: [Full-Disclosure] Re: [tool] the new p0f 2.0.1 is now out
>
>On Thursday 04 September 2003 20:19, thetic wrote:
>
>it i a passive scan-tool! you can't detect the scans because there are
>no
>packets going to you network.
>
>
>
>>Question concerning the the POF, how can we setup a IDS to detect a
>>
>>
>POF
>
>
>>scan.
>>
>>umer
>>
>>
>>----- Original Message -----
>>From: "Michal Zalewski" <lcamtuf@...ttot.org>
>>To: <honeypots@...urityfocus.com>; <pen-test@...urityfocus.com>;
>><focus-ids@...urityfocus.com>; <sectools@...urityfocus.com>
>>Cc: <incidents@...urityfocus.com>; <bugtraq@...urityfocus.com>;
>><full-disclosure@...sys.com>
>>Sent: Wednesday, September 03, 2003 12:21 PM
>>Subject: [tool] the new p0f 2.0.1 is now out
>>
>>
>>
>>>I am proud to announce the new stable version of p0f, 2.0.1, a
>>>
>>>
>complete
>
>
>>>rewrite of the original open-source tool released back in 2000, and
>>>
>>>
>a
>
>
>>>major step for the utility.
>>>
>>>I apologize for posting to all the forums, and leave it to the
>>>
>>>
>moderators
>
>
>>>to accept or drop this post - but I believe the tool is probably of
>>>
>>>
>some
>
>
>>>interest to the IDS / honeypot / pen-test / general ITSec audiences,
>>>
>>>
>and
>
>
>>>more appropriate forums are largely defunct.
>>>
>>>------------
>>>What is p0f?
>>>------------
>>>
>>> P0f v2 is a versatile passive OS fingerprinting tool. P0f can
>>>
>>>
>identify
>
>
>>> the system on machines that connect to your box, machines you
>>>
>>>
>connect
>
>
>>> to, and even machines that merely go thru or near your box. All
>>>
>>>
>this
>
>
>>> even if the device is behind a fascist packet firewall.
>>>
>>> P0f will also detect what the remote system is hooked up to (be
>>>
>>>
>it
>
>
>>> Ethernet, DSL, OC3, or avian carriers), how far it is located,
>>>
>>>
>what's
>
>
>>> its uptime, and will often detect NAT, firewall presence, and
>>>
>>>
>even
>
>
>>> the name of the other guy's ISP - all this without sending a
>>>
>>>
>single
>
>
>>> packet.
>>>
>>>What do you need it for?
>>>------------------------
>>>
>>> P0f is quite useful for gathering all kinds of profiling
>>>
>>>
>information
>
>
>>> about your users, customers or attackers (IDS, honeypot,
>>>
>>>
>firewall),
>
>
>>> tech espionage (laugh...), active or passive policy enforcement
>>> (restricting access for certain systems or otherwise handling
>>>
>>>
>them
>
>
>>> differently), content optimization, pen-testing, thru-firewall
>>> fingerprinting... plus all the tasks active fingerprinting is
>>>
>>>
>suitable
>
>
>>> for. And, of course, it has a high coolness factor, even if you
>>>
>>>
>are
>
>
>>> not a sysadmin.
>>>
>>>-----------
>>>What's new?
>>>-----------
>>>
>>> Almost everything. Please upgrade and encourage your vendor to
>>> update his packages. P0f v2 is far superior to the old code
>>> and its clones (such as the Ettercap passive OS fingerprinting
>>> functionality, based on the p0f v1 concepts). It is faster,
>>> more secure, reliable, precise, accurate, feature-loaded
>>> (including easy service integration). It also introduces many
>>> new metrics, some of them "invented" for p0f v2.
>>>
>>> NEW CORE CHECKS:
>>>
>>> - Option layout and count check,
>>> - EOL presence and trailing data [*],
>>> - Unrecognized options handling (TTCP, etc),
>>> - WSS to MSS/MTU correlation checks [*],
>>> - Zero timestamp check,
>>> - Non-zero ACK in initial SYN [*],
>>> - Non-zero "unused" TCP fields [*],
>>> - Non-zero urgent pointer in SYN [*],
>>> - Non-zero second timestamp [*],
>>> - Zero IP ID in initial packet,
>>> - Unusual auxilinary flags,
>>> - Data payload in control packets [*],
>>> - Non-empty IP options.
>>>
>>> [*] Metrics "invented" for p0f, as far as I know. Other metrics
>>> were discussed before, although usually not implemented
>>>
>>>
>anywhere.
>
>
>>> IMPROVEMENTS:
>>>
>>> - Major performance improvements - no more runtime signature
>>>
>>>
>parsing,
>
>
>>> added BPF pre-filtering, signature hash lookups - to make p0f
>>>
>>>
>>suitable
>>
>>
>>
>>> for high-throughput devices,
>>>
>>> - Modulo and wildcard operators for certain TCP/IP parameters to
>>>
>>>
>make
>
>
>>> it easier to come up with generic last chance signatures for
>>> systems that tweak settings notoriously (think Windows),
>>>
>>> - Auto-detection of DF-zeroing firewalls,
>>>
>>> - Auto-detection of MSS-tweaking NAT and router devices,
>>>
>>> - Media type detection based on MSS, with a database of common
>>> link types,
>>>
>>> - Origin network detection based on unusual ToS / precedence
>>>
>>>
>bits,
>
>
>>> - Ability to detect and skip ECN option when examining flags,
>>>
>>> - Better fingerprint file structure and contents - all
>>>
>>>
>fingerprints
>
>
>>> are rigorously reviewed before being added.
>>>
>>> - Generic last-chance signatures to cover general OS
>>>
>>>
>characteristics,
>
>
>>> - Query mode to enable easy integration with third party
>>>
>>>
>software -
>
>
>>> p0f caches recent fingerprints and answer queries for src-dst
>>> combinations on a local stream socket in a easy to parse
>>> form,
>>>
>>> - Usability features: greppable output option, daemon mode, host
>>> name resolution option, promiscuous mode switch, built-in
>>>
>>>
>signature
>
>
>>> collision detector, ToS reporting, etc,
>>>
>>> - "Officially unsupported" SYN+ACK fingerprinting mode for
>>>
>>>
>silent
>
>
>>> identifications of systems you connect to the usual way (web
>>> browser, MTA),
>>>
>>> - Fixed WSCALE handling in general, and WSS passing on
>>>
>>>
>little-endian,
>
>
>>> many other bug-fixes and improvements of the packet parser
>>> (including some sanity checks).
>>>
>>>--------------------
>>>Download, demo, etc.
>>>--------------------
>>>
>>> P0f home page is:
>>> http://lcamtuf.coredump.cx/p0f.shtml
>>>
>>> Download:
>>> http://lcamtuf.coredump.cx/p0f.tgz
>>>
>>> Contribute / see it in action:
>>> http://lcamtuf.coredump.cx/p0f-help/
>>>
>>> P0f is believed to run fine on Windows, Linux, FreeBSD, NetBSD,
>>> OpenBSD, MacOS X, Solaris and AIX.
>>>
>>> Please consider contributing to the project if you liked it.
>>>
>>>
>>_______________________________________________
>>Full-Disclosure - We believe in it.
>>Charter: http://lists.netsys.com/full-disclosure-charter.html
>>
>>
>
>
>
- --
Regards,
-simon-
Secure Network Operations, Inc.
http://www.secnetops.com || http://www.snosoft.com
Office: 978-263-3829 Fax: 978-263-0033
-------------------------------------------------------
"Embracing the future of technology, protecting you..."
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQE/V7HNf3Elv1PhzXgRAliLAJ9IIa66dz7tKYnyRPpaotsR26pYyQCgzZ22
91DX/yMGEvaN1wByLck60Ng=
=cXXb
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists