[HN Gopher] p0f: TCP Packet Fingerprinting

p0f: TCP Packet Fingerprinting
Author : btdmaster
Score  : 80 points
Date   : 2022-09-17 17:48 UTC (5 hours ago)
web link (lcamtuf.coredump.cx)

account-5 wrote:
    How would this fare now against encryption? Being that it's from 2014.

nickphx wrote:
    It looks at TCP header values, not packet data.

account-5 wrote:
    Thanks, that makes sense now. It was a genuine question; I must have missed it on the page. I was wondering why I was getting downvoted.

nibbleshifter wrote:
    If you update the fingerprints, it will still work fine.

    Application-layer or session-layer stuff like encryption is irrelevant; the fingerprints are largely based on differences at the transport layer and below.

    You can also do some nice fingerprinting at the TLS layer based on stuff like what ciphers are offered, the order of them, etc.

lossolo wrote:
    I remember when I was in college and we were doing work on passive OS fingerprinting, and we used p0f. Vista was a new OS back then and we fingerprinted it successfully before p0f got its own signatures; it was so cool. It was around 15 years ago. My god, time flies so fast.

jeffbee wrote:
    It's still great for that exact purpose. Knowing that your SMTP peer is running Windows XP is the strongest spam-fighting signal that has ever existed.

anfractuosity wrote:
    Out of curiosity, I assume p0f doesn't do TCP timestamp clock-skew fingerprinting too? Curious if there are any OSS tools for that.

nibbleshifter wrote:
    nmap reports clock skew.

anfractuosity wrote:
    Do you mean via this script: https://svn.nmap.org/nmap/scripts/clock-skew.nse ? If so, it looks like that's extracting time values from protocols above TCP, such as HTTP etc. Please correct me if I misunderstood what you meant.

    This was the type of technique I was thinking of: https://murdoch.is/talks/eurobsdcon07hotornot.pdf

gsich wrote:
    On Linux, TCP timestamps are random.

nykolasz wrote:
    Great tool, but not maintained anymore, unfortunately.

dilawar wrote:
    Too bad it doesn't work on Windows out of the box without cygwin/msys trickery. libpcap doesn't have an open-source alternative on Windows; winpcap is almost dead and npcap is not free to use.

therearwindow wrote:
    You can try this one: https://github.com/Nisitay/scapy-p0f

bArray wrote:
    Is there a UDP equivalent to passively monitor and fingerprint? I'm guessing not, but I would be interested to hear if there is.

binkHN wrote:
    I use this. It works, but it's dated and doesn't work consistently enough that it should be relied upon in any capacity.

iszomer wrote:
    IIRC, this is one of lcamtuf's works. His book Silence on the Wire is still one of my favorite reads of all time.

bediger4000 wrote:
    This is p0f 3.09b. Does anybody know of updated fingerprint files?

    The fingerprint file dates to 2014, well before Windows 10, and about Linux kernel 3.12. There are lots of things it just doesn't identify.

(page generated 2022-09-17 23:00 UTC)
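As an added example (not code from the thread, from p0f, or from lcamtuf), the script below shows the two techniques the comments discuss. First, nibbleshifter's point that the fingerprint lives at the transport layer and below: it parses a raw IPv4+TCP SYN and builds a p0f-v3-style signature (`ver:ittl:olen:mss:wsize,scale:olayout:quirks:pclass`) from the TTL, DF/IPID behaviour, window size and option order, none of which TLS or application-layer encryption touches. Second, the TCP-timestamp clock-skew measurement anfractuosity asked about (the Kohno et al. technique that the Murdoch talk builds on), estimated here with plain least squares rather than the lower linear envelope the paper fits. The packets and timestamp series are constructed inline; the nominal TTL and clock-rate tables and the quirk subset are simplifying assumptions, not p0f's full signature logic.

```python
"""Added example, not code from p0f or the thread: p0f-v3-style SYN signatures
from raw packet headers, plus TCP-timestamp clock-skew estimation.
Stdlib only; every packet and timestamp series below is constructed."""
import struct

NOMINAL_TTLS = (32, 64, 128, 255)   # common initial TTLs; observed TTL is rounded up to one of these
NOMINAL_HZ = (10, 100, 250, 1000)   # common TCP timestamp clock rates (assumed list, not from p0f)
OPT_NAMES = {2: "mss", 3: "ws", 4: "sok", 8: "ts"}


def parse_tcp_options(raw):
    """Return TCP options in wire order as (name, value) pairs; the order is part of the fingerprint."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind in (0, 1):                              # eol / nop: single-byte options; nop position matters
            opts.append(("eol" if kind == 0 else "nop", None))
            if kind == 0:
                break
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option at offset %d" % i)
        length, data = raw[i + 1], raw[i + 2:i + raw[i + 1]]
        if kind == 2:   val = struct.unpack("!H", data)[0]      # MSS
        elif kind == 3: val = data[0]                           # window scale shift
        elif kind == 8: val = struct.unpack("!II", data)        # (TSval, TSecr)
        else:           val = data or None
        opts.append((OPT_NAMES.get(kind, "?%d" % kind), val))
        i += length
    return opts


def parse_ipv4_tcp(pkt):
    """Parse a raw IPv4+TCP packet (no link-layer header) into the header fields p0f looks at."""
    ver_ihl, _tos, _tlen, ident, flags_frag, ttl, proto, _csum, _src, _dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    _sp, _dp, _seq, _ack, off_flags, win, _tcsum, _urg = struct.unpack("!HHIIHHHH", pkt[ihl:ihl + 20])
    doff = (off_flags >> 12) * 4
    return {"ttl": ttl, "df": bool(flags_frag & 0x4000), "id": ident, "ip_opt_len": ihl - 20,
            "flags": off_flags & 0x1FF, "win": win, "opts": parse_tcp_options(pkt[ihl + 20:ihl + doff])}


def syn_signature(pkt):
    """p0f-v3-style signature: ver:ittl:olen:mss:wsize,scale:olayout:quirks:pclass (quirk subset only)."""
    p = parse_ipv4_tcp(pkt)
    if p["flags"] & 0x12 != 0x02:                       # SYN set, ACK clear
        raise ValueError("not a SYN")
    o = dict(p["opts"])
    ittl = next((t for t in NOMINAL_TTLS if t >= p["ttl"]), 255)
    mss, ws = o.get("mss"), o.get("ws")
    # p0f writes the window as a multiple of MSS when it divides evenly; that ratio is OS-specific
    wsize = "mss*%d" % (p["win"] // mss) if mss and p["win"] % mss == 0 else str(p["win"])
    quirks = [q for q, hit in (("df", p["df"]),                         # don't-fragment set
                               ("id+", p["df"] and p["id"]),            # DF set but IPID non-zero
                               ("id-", not p["df"] and not p["id"]),    # DF clear but IPID zero
                               ("ts1-", "ts" in o and o["ts"][0] == 0)) if hit]  # own timestamp zero
    layout = ",".join(name for name, _ in p["opts"])
    return "4:%d:%d:%s:%s,%s:%s:%s:0" % (ittl, p["ip_opt_len"], "*" if mss is None else mss,
                                        wsize, "*" if ws is None else ws, layout, ",".join(quirks))


def _lstsq_slope(xs, ys):
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sum((x - mx) ** 2 for x in xs)


def clock_skew_ppm(samples):
    """samples: (our_arrival_time_s, sender_TSval) pairs from one host. Returns (clock_hz, skew_ppm).
    Tick rate = slope of TSval against our clock, snapped to a nominal rate; drift = slope of the
    residual offset. Least squares here; Kohno et al. fit a lower envelope to discount queueing delay."""
    if len(samples) < 3:
        raise ValueError("need several samples")
    t0, ts0 = samples[0]
    xs = [t - t0 for t, _ in samples]
    ticks = [(ts - ts0) & 0xFFFFFFFF for _, ts in samples]   # TSval is a 32-bit wrapping counter
    hz = min(NOMINAL_HZ, key=lambda h: abs(h - _lstsq_slope(xs, ticks)))
    offsets = [tk / hz - x for tk, x in zip(ticks, xs)]      # seconds the sender's clock has gained
    return hz, _lstsq_slope(xs, offsets) * 1e6


# --- constructed samples (never sent; checksums left zero) ---
def build_syn(ttl, df, ip_id, win, options):
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, ((20 + len(options)) // 4) << 12 | 0x02, win, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0x4000 if df else 0, ttl, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + tcp

LINUX_OPTS = bytes.fromhex("020405b4" "0402" "080a0001e24000000000" "01" "030307")   # mss,sok,ts,nop,ws
WINDOWS_OPTS = bytes.fromhex("020405b4" "0101" "0402")                                # mss,nop,nop,sok
LINUX_SYN = build_syn(64, True, 0x1234, 29200, LINUX_OPTS)       # TTL 64, DF, win = 20*MSS, ws 7
WINDOWS_SYN = build_syn(128, True, 0x0457, 65535, WINDOWS_OPTS)  # TTL 128, DF, 65535 window, no ws

def _tsval(t, hz, ppm, base=1000):
    """Constructed sender clock: hz ticks per second, running fast by ppm parts per million."""
    n = int(round(t * hz))
    return base + n + (n * ppm) // 1_000_000

SKEWED_SAMPLES = [(10.0 * i, _tsval(10.0 * i, 1000, 50)) for i in range(61)]   # 1 kHz clock, +50 ppm
STEADY_SAMPLES = [(10.0 * i, _tsval(10.0 * i, 100, 0)) for i in range(61)]     # 100 Hz clock, no drift

if __name__ == "__main__":
    print(syn_signature(LINUX_SYN))        # 4:64:0:1460:mss*20,7:mss,sok,ts,nop,ws:df,id+:0
    print(syn_signature(WINDOWS_SYN))      # 4:128:0:1460:65535,*:mss,nop,nop,sok:df,id+:0
    print(clock_skew_ppm(SKEWED_SAMPLES))  # (1000, ~50.0)
```

The two constructed SYNs differ in TTL, window-to-MSS ratio and option layout, which is exactly what the signature string captures and why an encrypted payload changes nothing. On the clock-skew side, a per-connection random timestamp offset (gsich's point about Linux) shifts `ts0` but not the tick rate or the drift, so the skew of a single long-lived connection is still measurable; what the randomization defeats is correlating connections by their absolute timestamp values.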