Update to "1.8 final release". Change master site. Add new home page. Install new man page. Be verbose. Add patch to fix new -o option. Update patch to README (the old one was integrated upstream). The new patches have been sent to William Stearns.
parent 0c6b0118e1
commit 508c4a1756

Notes (svn2git, 2021-03-31 03:12:20 +00:00):
svn path=/head/; revision=53438

10 changed files with 70 additions and 614 deletions
@ -7,28 +7,29 @@

PORTNAME= p0f
PORTVERSION= 1.8
PORTREVISION= 1
CATEGORIES= net
MASTER_SITES= http://lcamtuf.hack.pl/
DISTNAME= ${PORTNAME}
MASTER_SITES= http://www.stearns.org/p0f/
EXTRACT_SUFX= .tgz

MAINTAINER= trevor@FreeBSD.org

WRKSRC= ${WRKDIR}/${PORTNAME}-${PORTVERSION}
MAN1= p0f.1

post-patch:
@${PERL} -pi -e "s=/etc=${PREFIX}/etc=g" \
${PERL} -pi -e "s=/etc=${PREFIX}/etc=g" \
${WRKSRC}/README \
${WRKSRC}/p0f.c

do-install:
@${INSTALL_PROGRAM} ${WRKSRC}/p0f ${PREFIX}/bin
@${INSTALL_DATA} ${WRKSRC}/p0f.fp ${PREFIX}/etc
${INSTALL_PROGRAM} ${WRKSRC}/p0f ${PREFIX}/bin
${INSTALL_DATA} ${WRKSRC}/p0f.fp ${PREFIX}/etc
${INSTALL_MAN} ${WRKSRC}/${MAN1} ${MANPREFIX}/man/man1

post-install:
.if !defined(NOPORTDOCS)
@${MKDIR} ${PREFIX}/share/doc/p0f
@${INSTALL_DATA} ${WRKSRC}/README ${PREFIX}/share/doc/p0f
${MKDIR} ${PREFIX}/share/doc/p0f
${INSTALL_DATA} ${WRKSRC}/README ${PREFIX}/share/doc/p0f
.endif

.include <bsd.port.mk>
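Review bot: the `${PERL} -pi -e "s=/etc=${PREFIX}/etc=g"` substitution in post-patch is unanchored and global, so it rewrites every `/etc` substring in README and p0f.c, not only the `/etc/p0f.fp` database path it is meant to relocate; anchoring the pattern to `/etc/p0f.fp` would leave unrelated documentation text and any other `/etc` reference in the C source untouched. Dropping the `@` prefixes so the commands are echoed is a good change for build-log debugging.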
@ -1 +1 @@
MD5 (p0f.tgz) = 56d6797b8f0e9f00715dd59b4e5f6822
MD5 (p0f-1.8.tgz) = a800396508a9d4bd4e4204a76ea79c2e

@ -1,302 +1,11 @@
patch to version 1.8.test9

- mention the FreeBSD port
- mention that BSD make, not just GNU make, is adequate
- some rewording for clarity, not intended to change meaning
- reformatting of white space, mostly done with "fmt 79 80"
- spelling changes, mostly suggested by ispell

--- README.old Thu Nov 22 16:37:28 2001
+++ README Wed Jan 9 12:10:53 2002
@@ -18,17 +18,17 @@
Project Status
--------------
--- README.old Thu Jan 17 21:58:09 2002
+++ README Sun Jan 20 23:30:58 2002
@@ -94,7 +94,7 @@

- As for today, this packet is hosted and maintained by William Stearns
- <wstearns@pobox.com>. Original code comes from Michal Zalewski
- <lcamtuf@coredump.cx>. Feel free to mail William or both of us with
- bugfixes, ideas, etc =)
+ This program is now hosted and maintained by William Stearns
+ <wstearns@pobox.com>. It was originally written by Michal Zalewski
+ <lcamtuf@coredump.cx>. Feel free to mail William or both of us with
+ bug-fixes, ideas, etc. =)


-----------------
Special thanks to
-----------------

- * Lance Spitzner for whitepaper on passive OS fingerprinting:
+ * Lance Spitzner for white paper on passive OS fingerprinting:
http://www.enteract.com/~lspitz/finger.html

* tf8 for initial piece of libpcap support and packet parsing
@@ -36,7 +36,7 @@
* teso/security.is/b0f/#hax for ideas and testing

* Jeremy Weatherford, Chris Wilson and Szilveszter Adam for
- portability testing/patches, bugfixes and ideas,
+ portability testing/patches, bug-fixes and ideas,

* other BUGTRAQ readers for OS fingerprints and useful patches

@@ -49,126 +49,127 @@
Background
----------

- * What is passive OS fingerprinting?
-
- Passive OS fingerprinting technique is based on information coming
- from remote host when it tries to establish a connection to your system.
- Captured packet parameters contain enough information to determine
- remote OS - and, unlike active scanners (nmap, queSO) - this is done
- without sending anything to this host.
-
- If you're looking for more information on this approach, read Spitzner's
- whitepaper at http://www.enteract.com/~lspitz/finger.html :)
-
+ * What is passive OS fingerprinting?
+
+ The passive OS fingerprinting technique is based on information coming from a
+ remote host when it tries to establish a connection to your system. Captured
+ packet parameters contain enough information to identify the remote OS. In
+ contrast to active scanners such as nmap and queSO, p0f does this without
+ sending anything to the remote host.
+
+ If you're looking for more information on this approach, read Spitzner's white
+ paper (mentioned above). :)
+
In short, there are certain TCP/IP flag settings specific for given systems.
- Usually initial TTL (8 bits), window size (16 bits), maximum segment size
- (16 bits), don't fragment flag (1 bit), sackOK option (1 bit), nop option
- (1 bit), window scaling option (8 bits), initial packet size (16 bits)
- vary from one TCP stack implementation to another, and, combined together,
- give unique, 67-bit signature for every system.
-
- Some portions of p0f code are currently used by IDS systems and
- sniffer software.
-
- * What are main advantages?
-
- Passive OS fingerprinting can be done on huge portions of input data - eg.
- information gathered on firewall, proxy, routing device or Internet server,
- without causing any network activity. You can launch passive OS detection
- software on such machine and leave it for days, weeks or months, collecting
- really interesting statistical information about your customers, about
- attackers, other servers, etc. What's really funny - packet filtering
- firewalls, network address translation and so on are almost always
- transparent to p0f-alike software, so you're able to obtain information
- about systems behind the firewall. Also, such software can determine
- distance between remote host and your system, allowing you to generate
- network structure maps for firewalled/structural networks. And all without
- sending a single packet. Nice, especially for IDSes.
+ Usually initial TTL (8 bits), window size (16 bits), maximum segment size (16
+ bits), don't fragment flag (1 bit), sackOK option (1 bit), nop option (1 bit),
+ window scaling option (8 bits), and initial packet size (16 bits) vary from
+ one TCP stack implementation to another. Together, they give a unique, 67-bit
+ signature for every system.
+
+ Some portions of the p0f code are currently used by IDS systems and sniffer
+ software.
+
+ * What are the main advantages?
+
+ Passive OS fingerprinting can be done on huge amounts of input data - for
+ example, information gathered on a firewall, proxy, routing device or Internet
+ server - without causing any network activity. You can launch passive OS
+ detection software on such a machine and leave it for days, weeks or months,
+ collecting really interesting statistical information about your customers,
+ attackers, other servers, etc. Since packet filtering firewalls, network
+ address translation and so on are almost always transparent to p0f-alike
+ software, you're able to obtain information about systems behind the firewall.
+ Also, such software can determine the distance between a remote host and your
+ system, allowing you to generate network structure maps for
+ firewalled/structural networks. All this can be done without sending a single
+ packet. It is especially nice for IDSes.


-----------
Limitations
-----------

- Proxy firewalls and other high-level proxy devices are not transparent to
- any TCP-level fingerprinting software. The device itself will be
- fingerprinted, not actual source hosts.
-
+ Proxy firewalls and other high-level proxy devices are not transparent to any
+ TCP-level fingerprinting software. The device itself will be fingerprinted,
+ not actual source hosts.
+
In order to obtain information required for fingerprinting, you have to
- receive at least one SYN packet initializing TCP connection to your
- machine or network. Note: you don't have to respond to particular SYN.
- Of course, it's impossible to perform any kind of OS detection witout
- receiving any information.
-
- It is possible to perform passive fingerprinting on live TCP connection, or
- on a connection established by you to a remote host. However, these
- techniques are less reliable (many implementations copy parameters from
- the first SYN packet; other parameters change rapidly with time).
-
-
------------------------------------------
-Is there anything special about this one?
------------------------------------------
-
- There is another passive OS detection utility, called 'siphon'. It's
- pretty good piece of proof-of-concept software, but it isn't perfect. Well,
- p0f isn't perfect for sure, but features some improvements:
-
+ receive at least one SYN packet initializing TCP connection to your machine or
receive at least one SYN packet initiating a TCP connection to your machine or
- or network. Note: you don't have to respond to this particular SYN. Of course,
+ network. Note: you don't have to respond to this particular SYN. Of course,
+ it's impossible to perform any kind of OS detection without receiving any
+ information.
+
+ It is possible to perform passive fingerprinting on a live TCP connection, or
+ on a connection established by you to a remote host. However, these techniques
+ are less reliable (many implementations copy parameters from the first SYN
+ packet; other parameters change rapidly with time).
+
+
+---------------------------------------------
+Is there anything special about this program?
+---------------------------------------------
+
+ There is another passive OS detection utility, called 'siphon'. It's a pretty
+ good piece of proof-of-concept software, but it isn't perfect. Well, p0f
+ isn't perfect for sure, but features some improvements:
+
- it's single-threaded and pretty clean,
-
+
- works properly on Linuxes (siphon has a problem with bpf on 2.2), as
well as on BSD systems and SunOS/Solaris,
-
+
- has pretty large and detailed fingerprints database,
-
+
- uses more information for fingerprinting (42 extra bits),
-
+
- it's more accurate,
-
+
- you can define your own filtering rules in the tcpdump flavour:
- p0f 'src host 1.2.3.4' or p0f 'gateway 1.2.3.4 and port 80', and
- listening interface (using option -i).
-
- What more? Dunno :) Simply, check it out.
+ p0f 'src host 1.2.3.4' or p0f 'gateway 1.2.3.4 and port 80', and listening
+ interface (using option -i).
+
+ What more? Dunno. :) Simply, check it out.
it's impossible to perform any kind of OS detection without receiving any
information.


------------
Not working!
------------

- Probably p0f isn't working well on every platform in the world; first
- of all, you'll need libpcap 0.4 or newer; sometimes pcap.h is placed in
- /usr/include/pcap instead of /usr/include/ (eg. in broken RH 6.1 package).
- In this case, simply issue:
-
- ln -s /usr/include/pcap/pcap.h /usr/include/
- ln -s /usr/include/pcap/net/bpf.h /usr/include/net/
-
- NOTE: if p0f recognized system incorrectly or cannot recognize it at all,
- please send OS signature and system description to author. Thanks :)
-
+ Probably p0f isn't working well on every platform in the world. First of all,
+ you'll need libpcap 0.4 or newer; sometimes pcap.h is placed in
+ /usr/include/pcap instead of /usr/include/ (for example, in the broken Red Hat
+ 6.1 package). In this case, simply issue:
+
+ ln -s /usr/include/pcap/pcap.h /usr/include/
+ ln -s /usr/include/pcap/net/bpf.h /usr/include/net/
+
+ NOTE: if p0f recognized the system incorrectly or cannot recognize it at all,
+ please send the OS signature and system description to the author. Thanks. :)
+
Tested platforms:

- NetBSD
- FreeBSD
+ in the ports collection
- OpenBSD
- Linux 2.0/2.2/2.4
http://www.stearns.org/p0f/
- Solaris 2.6-2.7
- LinuxPPC
http://rpmfind.net/linux/RPM/linuxPPC/contrib/software/Applications/Networking/p0f-1.7-0.ppc.html
-
- Requires: libpcap 0.4 or newer; GNU cc 2.7.x or newer; GNU make 3.7x;
- GNU egrep (for proper Makefile processing)

-
+ Requires: libpcap 0.4 or newer; GNU cc 2.7.x or newer; GNU make 3.7x or BSD
+ make; GNU egrep (for proper Makefile processing)
+
+
-------------
Configuration
-------------

- /etc/p0f.fp or ./p0f.fp - OS fingerprints database. Format is described
- inside:
-
+ The database of OS fingerprints is usually kept in /etc/p0f.fp or ./p0f.fp .
+ Its format is described below:
+
#
# p0f - passive OS fingerprinting
# -------------------------------
@@ -208,9 +209,9 @@
# W - window scaling (-1=not present, other=value)
# S - sackOK flag (0=unset, 1=set)
# N - nop flag (0=unset, 1=set)
- # I - declared packet size (-1 = irrevelant)
+ # I - declared packet size (-1 = irrelevant)
#
-
+

--------------------
What should be done?
@@ -218,22 +219,22 @@

- Colorful interface, of course ;)
- Packet sizes added for old fingerprints
- - Manpage and other user-friendly features
+ - Man page and other user-friendly features


-------------------
License, disclaimer
-------------------

- The p0f utility and related utilities are free software; you can
- redistribute it and/or modify it under the terms of the GNU Library
- General Public License as published by the Free Software Foundation;
- either version 2 of the License, or (at your option) any later version.
-
- THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
- MICHAL ZALEWSKI, OR ANY OTHER CONTRIBUTORS BE LIABLE FOR ANY CLAIM,
- DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
- OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE
- OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ The p0f utility and related utilities are free software; you can redistribute
+ it and/or modify it under the terms of the GNU Library General Public License
+ as published by the Free Software Foundation; either version 2 of the License,
+ or (at your option) any later version.
+
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL
+ MICHAL ZALEWSKI, OR ANY OTHER CONTRIBUTORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+ OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+ IN THE SOFTWARE.
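Review bot: the replacement patch that survives here (the `--- README.old Thu Jan 17 21:58:09 2002` / `+++ README Sun Jan 20 23:30:58 2002` header with its single `@@ -94,7 +94,7 @@` hunk) only rewords the "hosted and maintained by" paragraph, so it is a documentation style change rather than something the port needs to build or run; since the commit message says it has already been sent to William Stearns, it should be dropped from files/ as soon as upstream picks it up, the same way the previous 1.8.test9 patch was retired once it was integrated.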
net-mgmt/p0f/files/patch-p0f.c (Normal file, 16 lines)
@ -0,0 +1,16 @@
--- p0f.c.orig Thu Jan 17 21:05:58 2002
+++ p0f.c Mon Jan 21 00:22:56 2002
@@ -348,10 +348,9 @@
T_tstamp = 1;
break;
case 'o':
- { FILE* x;
- x=fopen(optarg,"a");
- if (!x) { perror(optarg); exit(1); }
- stdout=x;
+ if (!freopen(optarg,"a",stdout)) {
+ perror(optarg);
+ exit(1);
}
break;
default:
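Review bot: once `freopen(optarg,"a",stdout)` succeeds, stdout is attached to a regular file and the C library switches it from line buffering to full buffering, so the fingerprint lines p0f writes to the -o file only reach disk when the buffer fills or the process exits; if the file is meant to be tailed by an IDS or log watcher, follow the freopen with `setvbuf(stdout, NULL, _IOLBF, 0)` or fflush after each record. Replacing the direct `stdout=x` assignment with freopen is the right portable form, since the C standard does not guarantee that `stdout` is assignable.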
@ -19,3 +19,5 @@ http://www.infoworld.com/articles/op/xml/00/05/29/000529opswatch.xml
if you do not understand how this can be harmful. Running p0f with
no options will cause it to analyse packets intended for other
hosts.

WWW: http://www.stearns.org/p0f/

@ -7,28 +7,29 @@

PORTNAME= p0f
PORTVERSION= 1.8
PORTREVISION= 1
CATEGORIES= net
MASTER_SITES= http://lcamtuf.hack.pl/
DISTNAME= ${PORTNAME}
MASTER_SITES= http://www.stearns.org/p0f/
EXTRACT_SUFX= .tgz

MAINTAINER= trevor@FreeBSD.org

WRKSRC= ${WRKDIR}/${PORTNAME}-${PORTVERSION}
MAN1= p0f.1

post-patch:
@${PERL} -pi -e "s=/etc=${PREFIX}/etc=g" \
${PERL} -pi -e "s=/etc=${PREFIX}/etc=g" \
${WRKSRC}/README \
${WRKSRC}/p0f.c

do-install:
@${INSTALL_PROGRAM} ${WRKSRC}/p0f ${PREFIX}/bin
@${INSTALL_DATA} ${WRKSRC}/p0f.fp ${PREFIX}/etc
${INSTALL_PROGRAM} ${WRKSRC}/p0f ${PREFIX}/bin
${INSTALL_DATA} ${WRKSRC}/p0f.fp ${PREFIX}/etc
${INSTALL_MAN} ${WRKSRC}/${MAN1} ${MANPREFIX}/man/man1

post-install:
.if !defined(NOPORTDOCS)
@${MKDIR} ${PREFIX}/share/doc/p0f
@${INSTALL_DATA} ${WRKSRC}/README ${PREFIX}/share/doc/p0f
${MKDIR} ${PREFIX}/share/doc/p0f
${INSTALL_DATA} ${WRKSRC}/README ${PREFIX}/share/doc/p0f
.endif

.include <bsd.port.mk>
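Review bot: `${INSTALL_DATA} ${WRKSRC}/p0f.fp ${PREFIX}/etc` in do-install copies the shipped fingerprint database straight over `${PREFIX}/etc/p0f.fp`, so any signatures an administrator has added locally are silently replaced on every reinstall or upgrade; installing the file as `p0f.fp.sample` and copying it into place only when no `p0f.fp` exists yet would preserve local changes, and the deinstall would then not remove a file the user has edited.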
@ -1 +1 @@
MD5 (p0f.tgz) = 56d6797b8f0e9f00715dd59b4e5f6822
MD5 (p0f-1.8.tgz) = a800396508a9d4bd4e4204a76ea79c2e

@ -1,302 +1,11 @@
patch to version 1.8.test9

- mention the FreeBSD port
- mention that BSD make, not just GNU make, is adequate
- some rewording for clarity, not intended to change meaning
- reformatting of white space, mostly done with "fmt 79 80"
- spelling changes, mostly suggested by ispell

--- README.old Thu Nov 22 16:37:28 2001
+++ README Wed Jan 9 12:10:53 2002
@@ -18,17 +18,17 @@
Project Status
--------------
--- README.old Thu Jan 17 21:58:09 2002
+++ README Sun Jan 20 23:30:58 2002
@@ -94,7 +94,7 @@

- As for today, this packet is hosted and maintained by William Stearns
- <wstearns@pobox.com>. Original code comes from Michal Zalewski
- <lcamtuf@coredump.cx>. Feel free to mail William or both of us with
- bugfixes, ideas, etc =)
+ This program is now hosted and maintained by William Stearns
+ <wstearns@pobox.com>. It was originally written by Michal Zalewski
+ <lcamtuf@coredump.cx>. Feel free to mail William or both of us with
+ bug-fixes, ideas, etc. =)


-----------------
Special thanks to
-----------------

- * Lance Spitzner for whitepaper on passive OS fingerprinting:
+ * Lance Spitzner for white paper on passive OS fingerprinting:
http://www.enteract.com/~lspitz/finger.html

* tf8 for initial piece of libpcap support and packet parsing
@@ -36,7 +36,7 @@
* teso/security.is/b0f/#hax for ideas and testing

* Jeremy Weatherford, Chris Wilson and Szilveszter Adam for
- portability testing/patches, bugfixes and ideas,
+ portability testing/patches, bug-fixes and ideas,

* other BUGTRAQ readers for OS fingerprints and useful patches

@@ -49,126 +49,127 @@
Background
----------

- * What is passive OS fingerprinting?
-
- Passive OS fingerprinting technique is based on information coming
- from remote host when it tries to establish a connection to your system.
- Captured packet parameters contain enough information to determine
- remote OS - and, unlike active scanners (nmap, queSO) - this is done
- without sending anything to this host.
-
- If you're looking for more information on this approach, read Spitzner's
- whitepaper at http://www.enteract.com/~lspitz/finger.html :)
-
+ * What is passive OS fingerprinting?
+
+ The passive OS fingerprinting technique is based on information coming from a
+ remote host when it tries to establish a connection to your system. Captured
+ packet parameters contain enough information to identify the remote OS. In
+ contrast to active scanners such as nmap and queSO, p0f does this without
+ sending anything to the remote host.
+
+ If you're looking for more information on this approach, read Spitzner's white
+ paper (mentioned above). :)
+
In short, there are certain TCP/IP flag settings specific for given systems.
- Usually initial TTL (8 bits), window size (16 bits), maximum segment size
- (16 bits), don't fragment flag (1 bit), sackOK option (1 bit), nop option
- (1 bit), window scaling option (8 bits), initial packet size (16 bits)
- vary from one TCP stack implementation to another, and, combined together,
- give unique, 67-bit signature for every system.
-
- Some portions of p0f code are currently used by IDS systems and
- sniffer software.
-
- * What are main advantages?
-
- Passive OS fingerprinting can be done on huge portions of input data - eg.
- information gathered on firewall, proxy, routing device or Internet server,
- without causing any network activity. You can launch passive OS detection
- software on such machine and leave it for days, weeks or months, collecting
- really interesting statistical information about your customers, about
- attackers, other servers, etc. What's really funny - packet filtering
- firewalls, network address translation and so on are almost always
- transparent to p0f-alike software, so you're able to obtain information
- about systems behind the firewall. Also, such software can determine
- distance between remote host and your system, allowing you to generate
- network structure maps for firewalled/structural networks. And all without
- sending a single packet. Nice, especially for IDSes.
+ Usually initial TTL (8 bits), window size (16 bits), maximum segment size (16
+ bits), don't fragment flag (1 bit), sackOK option (1 bit), nop option (1 bit),
+ window scaling option (8 bits), and initial packet size (16 bits) vary from
+ one TCP stack implementation to another. Together, they give a unique, 67-bit
+ signature for every system.
+
+ Some portions of the p0f code are currently used by IDS systems and sniffer
+ software.
+
+ * What are the main advantages?
+
+ Passive OS fingerprinting can be done on huge amounts of input data - for
+ example, information gathered on a firewall, proxy, routing device or Internet
+ server - without causing any network activity. You can launch passive OS
+ detection software on such a machine and leave it for days, weeks or months,
+ collecting really interesting statistical information about your customers,
+ attackers, other servers, etc. Since packet filtering firewalls, network
+ address translation and so on are almost always transparent to p0f-alike
+ software, you're able to obtain information about systems behind the firewall.
+ Also, such software can determine the distance between a remote host and your
+ system, allowing you to generate network structure maps for
+ firewalled/structural networks. All this can be done without sending a single
+ packet. It is especially nice for IDSes.


-----------
Limitations
-----------

- Proxy firewalls and other high-level proxy devices are not transparent to
- any TCP-level fingerprinting software. The device itself will be
- fingerprinted, not actual source hosts.
-
+ Proxy firewalls and other high-level proxy devices are not transparent to any
+ TCP-level fingerprinting software. The device itself will be fingerprinted,
+ not actual source hosts.
+
In order to obtain information required for fingerprinting, you have to
- receive at least one SYN packet initializing TCP connection to your
- machine or network. Note: you don't have to respond to particular SYN.
- Of course, it's impossible to perform any kind of OS detection witout
- receiving any information.
-
- It is possible to perform passive fingerprinting on live TCP connection, or
- on a connection established by you to a remote host. However, these
- techniques are less reliable (many implementations copy parameters from
- the first SYN packet; other parameters change rapidly with time).
-
-
------------------------------------------
-Is there anything special about this one?
------------------------------------------
-
- There is another passive OS detection utility, called 'siphon'. It's
- pretty good piece of proof-of-concept software, but it isn't perfect. Well,
- p0f isn't perfect for sure, but features some improvements:
-
+ receive at least one SYN packet initializing TCP connection to your machine or
receive at least one SYN packet initiating a TCP connection to your machine or
- or network. Note: you don't have to respond to this particular SYN. Of course,
+ network. Note: you don't have to respond to this particular SYN. Of course,
+ it's impossible to perform any kind of OS detection without receiving any
+ information.
+
+ It is possible to perform passive fingerprinting on a live TCP connection, or
+ on a connection established by you to a remote host. However, these techniques
+ are less reliable (many implementations copy parameters from the first SYN
+ packet; other parameters change rapidly with time).
+
+
+---------------------------------------------
+Is there anything special about this program?
+---------------------------------------------
+
+ There is another passive OS detection utility, called 'siphon'. It's a pretty
+ good piece of proof-of-concept software, but it isn't perfect. Well, p0f
+ isn't perfect for sure, but features some improvements:
+
- it's single-threaded and pretty clean,
-
+
- works properly on Linuxes (siphon has a problem with bpf on 2.2), as
well as on BSD systems and SunOS/Solaris,
-
+
- has pretty large and detailed fingerprints database,
-
+
- uses more information for fingerprinting (42 extra bits),
-
+
- it's more accurate,
-
+
- you can define your own filtering rules in the tcpdump flavour:
- p0f 'src host 1.2.3.4' or p0f 'gateway 1.2.3.4 and port 80', and
- listening interface (using option -i).
-
- What more? Dunno :) Simply, check it out.
+ p0f 'src host 1.2.3.4' or p0f 'gateway 1.2.3.4 and port 80', and listening
+ interface (using option -i).
+
+ What more? Dunno. :) Simply, check it out.
it's impossible to perform any kind of OS detection without receiving any
information.


------------
Not working!
------------

- Probably p0f isn't working well on every platform in the world; first
- of all, you'll need libpcap 0.4 or newer; sometimes pcap.h is placed in
- /usr/include/pcap instead of /usr/include/ (eg. in broken RH 6.1 package).
- In this case, simply issue:
-
- ln -s /usr/include/pcap/pcap.h /usr/include/
- ln -s /usr/include/pcap/net/bpf.h /usr/include/net/
-
- NOTE: if p0f recognized system incorrectly or cannot recognize it at all,
- please send OS signature and system description to author. Thanks :)
-
+ Probably p0f isn't working well on every platform in the world. First of all,
+ you'll need libpcap 0.4 or newer; sometimes pcap.h is placed in
+ /usr/include/pcap instead of /usr/include/ (for example, in the broken Red Hat
+ 6.1 package). In this case, simply issue:
+
+ ln -s /usr/include/pcap/pcap.h /usr/include/
+ ln -s /usr/include/pcap/net/bpf.h /usr/include/net/
+
+ NOTE: if p0f recognized the system incorrectly or cannot recognize it at all,
+ please send the OS signature and system description to the author. Thanks. :)
+
Tested platforms:

- NetBSD
- FreeBSD
+ in the ports collection
- OpenBSD
- Linux 2.0/2.2/2.4
http://www.stearns.org/p0f/
- Solaris 2.6-2.7
- LinuxPPC
http://rpmfind.net/linux/RPM/linuxPPC/contrib/software/Applications/Networking/p0f-1.7-0.ppc.html
-
- Requires: libpcap 0.4 or newer; GNU cc 2.7.x or newer; GNU make 3.7x;
- GNU egrep (for proper Makefile processing)

-
+ Requires: libpcap 0.4 or newer; GNU cc 2.7.x or newer; GNU make 3.7x or BSD
+ make; GNU egrep (for proper Makefile processing)
+
+
-------------
Configuration
-------------

- /etc/p0f.fp or ./p0f.fp - OS fingerprints database. Format is described
- inside:
-
+ The database of OS fingerprints is usually kept in /etc/p0f.fp or ./p0f.fp .
+ Its format is described below:
+
#
# p0f - passive OS fingerprinting
# -------------------------------
@@ -208,9 +209,9 @@
# W - window scaling (-1=not present, other=value)
# S - sackOK flag (0=unset, 1=set)
# N - nop flag (0=unset, 1=set)
- # I - declared packet size (-1 = irrevelant)
+ # I - declared packet size (-1 = irrelevant)
#
-
+

--------------------
What should be done?
@@ -218,22 +219,22 @@

- Colorful interface, of course ;)
- Packet sizes added for old fingerprints
- - Manpage and other user-friendly features
+ - Man page and other user-friendly features


-------------------
License, disclaimer
-------------------

- The p0f utility and related utilities are free software; you can
- redistribute it and/or modify it under the terms of the GNU Library
- General Public License as published by the Free Software Foundation;
- either version 2 of the License, or (at your option) any later version.
-
- THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
- OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
- MICHAL ZALEWSKI, OR ANY OTHER CONTRIBUTORS BE LIABLE FOR ANY CLAIM,
- DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
- OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE
- OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ The p0f utility and related utilities are free software; you can redistribute
+ it and/or modify it under the terms of the GNU Library General Public License
+ as published by the Free Software Foundation; either version 2 of the License,
+ or (at your option) any later version.
+
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL
+ MICHAL ZALEWSKI, OR ANY OTHER CONTRIBUTORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+ OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+ IN THE SOFTWARE.
net/p0f/files/patch-p0f.c (Normal file, 16 lines)
@ -0,0 +1,16 @@
--- p0f.c.orig Thu Jan 17 21:05:58 2002
+++ p0f.c Mon Jan 21 00:22:56 2002
@@ -348,10 +348,9 @@
T_tstamp = 1;
break;
case 'o':
- { FILE* x;
- x=fopen(optarg,"a");
- if (!x) { perror(optarg); exit(1); }
- stdout=x;
+ if (!freopen(optarg,"a",stdout)) {
+ perror(optarg);
+ exit(1);
}
break;
default:
@ -19,3 +19,5 @@ http://www.infoworld.com/articles/op/xml/00/05/29/000529opswatch.xml
if you do not understand how this can be harmful. Running p0f with
no options will cause it to analyse packets intended for other
hosts.

WWW: http://www.stearns.org/p0f/
