[HN Gopher] p0f: TCP Packet Fingerprinting
       ___________________________________________________________________
        
       p0f: TCP Packet Fingerprinting
        
       Author : btdmaster
       Score  : 80 points
       Date   : 2022-09-17 17:48 UTC (5 hours ago)
        
 (HTM) web link (lcamtuf.coredump.cx)
 (TXT) w3m dump (lcamtuf.coredump.cx)
        
       | account-5 wrote:
        | How would this fare now against encryption? Being that it's
        | from 2014.
        
         | nickphx wrote:
         | It looks at tcp header values, not packet data.
        
           | account-5 wrote:
           | Thanks, that makes sense now. It was a genuine question, must
           | have missed it on the page, I was wondering why I was getting
           | downvoted.
        
         | nibbleshifter wrote:
         | If you update the fingerprints, it will still work fine.
         | 
         | Application layer or session layer stuff like encryption is
         | irrelevant, the fingerprints are largely based on differences
         | at the transport layer and below.
         | 
         | You can also do some nice fingerprinting at the TLS layer based
         | on stuff like what ciphers are offered, the order of them, etc.
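As an added illustration of the transport-layer fields nibbleshifter describes, here is a simplified passive SYN fingerprinter written for this page (not p0f's own code): it pulls TTL, DF, window size, MSS, window scale and option ordering out of a constructed Linux-style IPv4/TCP SYN and prints them in a signature layout that loosely imitates p0f's; the initial-TTL rounding and the option-name table are this example's assumptions.

```python
import struct

OPT_NAMES = {0: "eol", 1: "nop", 2: "mss", 3: "ws", 4: "sok", 8: "ts"}  # kind -> layout token

def initial_ttl(ttl):
    """Round an observed TTL up to the nearest common initial value (p0f's ittl)."""
    return next((g for g in (32, 64, 128, 255) if ttl <= g), 255)

def tcp_syn_signature(pkt):
    """Return 'ver:ittl:olen:mss:wsize,scale:olayout:quirks' for a raw IPv4 TCP SYN."""
    ver_ihl, _, _, _, frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("only IPv4/TCP is handled here")
    tcp = pkt[(ver_ihl & 0x0F) * 4:]
    off_flags, window = struct.unpack("!HH", tcp[12:16])
    if (off_flags & 0x3F) != 0x02:            # SYN set, no ACK/FIN/RST/PSH/URG
        raise ValueError("not a bare SYN")
    opts = tcp[20:(off_flags >> 12) * 4]      # options live between header and data offset
    layout, mss, wscale, i = [], "*", "*", 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                          # end of option list
            layout.append("eol")
            break
        if kind == 1:                          # single-byte NOP padding
            layout.append("nop")
            i += 1
            continue
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed TCP options")
        if kind == 2:
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        elif kind == 3:
            wscale = opts[i + 2]
        layout.append(OPT_NAMES.get(kind, f"?{kind}"))
        i += length
    quirks = "df" if frag & 0x4000 else ""      # Don't-Fragment bit is a p0f quirk
    return f"4:{initial_ttl(ttl)}:0:{mss}:{window},{wscale}:{','.join(layout)}:{quirks}"

def build_sample_syn():
    """Constructed Linux-style SYN (TTL 64, DF, MSS 1460, win 29200, WS 7); not a capture."""
    opts = (b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x08\x0a" + bytes(8)  # MSS, SACK ok, TS
            + b"\x01" + b"\x03\x03\x07")                                 # NOP, window scale 7
    tcp = struct.pack("!HHIIHHHH", 40000, 443, 1, 0, (10 << 12) | 0x02, 29200, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp
```

`tcp_syn_signature(build_sample_syn())` yields `4:64:0:1460:29200,7:mss,sok,ts,nop,ws:df`, the same option order p0f's Linux signatures key on; feeding it SYNs from a pcap reader is all that is needed to run it on live traffic.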
        
       | lossolo wrote:
       | I remember when I was in college and we were doing work about
       | passive OS fingerprinting and we used p0f, Vista was a new OS
       | back then and we fingerprinted it successfully before p0f got its
       | own signatures, it was so cool. It was around 15 years ago, my
       | god time flies so fast.
        
         | jeffbee wrote:
         | It's still great for that exact purpose. Knowing that your SMTP
         | peer is running Windows XP is the strongest spam fighting
         | signal that has ever existed.
        
       | anfractuosity wrote:
       | I assume p0f doesn't do TCP timestamp clock skew fingerprinting
       | out of curiosity too? Curious if there are any OSS tools for
       | that.
        
         | nibbleshifter wrote:
         | nmap reports clock skew.
        
           | anfractuosity wrote:
           | Do you mean via this script -
           | https://svn.nmap.org/nmap/scripts/clock-skew.nse , if so it
           | looks like that's extracting time values from protocols above
           | TCP such as HTTP etc? Please correct me, if I misunderstood
           | what you meant.
           | 
           | This was the type of technique I was thinking of -
           | https://murdoch.is/talks/eurobsdcon07hotornot.pdf
        
         | gsich wrote:
         | On Linux TCP timestamps are random.
        
       | nykolasz wrote:
        | Great tool, but not maintained anymore, unfortunately.
        
       | dilawar wrote:
        | Too bad it doesn't work on Windows out of the box without
        | cygwin/msys trickery. libpcap doesn't have an open source
        | alternative on Windows. winpcap is almost dead and npcap is not
        | free to use.
        
         | therearwindow wrote:
         | You can try this one: https://github.com/Nisitay/scapy-p0f
        
       | bArray wrote:
       | Is there a UDP equivalent to passively monitor and fingerprint?
       | I'm guessing not, but would be interested to hear if there is.
        
       | binkHN wrote:
       | I use this. It works, but it's dated and doesn't work
       | consistently enough that it should be relied upon in any
       | capacity.
        
       | iszomer wrote:
       | iirc, one of lcamtuf's works. His book Silence on the Wire is
       | still one of my favorite reads of all time.
        
       | bediger4000 wrote:
       | This is p0f 3.09b. Does anybody know of updated fingerprint
       | files?
       | 
       | The fingerprint file dates to 2014, well before Windows 10, and
       | about Linux kernel 3.12. There's lots of things it just doesn't
       | identify.
        
       ___________________________________________________________________
       (page generated 2022-09-17 23:00 UTC)