This repository has been archived by the owner on Jun 24, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 5
/
Copy pathp0f.1
279 lines (262 loc) · 10.6 KB
/
p0f.1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
.TH P0F 1
.SH NAME
p0f \- identify remote systems passively
.SH SYNOPSIS
.B p0f
.I p0f [ -f file ] [ -i device ] [ -s file ] [ -o file ] [ -Q socket [ -0 ] ] [ -w file ] [ -u user ] [ -c size ] [ -T nn ] [ -e nn ] [ -FNODVUKAXMqxtpdlRL ] [ 'filter rule' ]
.br
.SH "DESCRIPTION"
.PP
.B p0f
uses a fingerprinting technique based on analyzing the structure of a TCP/IP
packet to determine the operating system and other configuration properties
of a remote host. The process is completely passive and does not generate
any suspicious network traffic. The other host has to either:
.FP
- connect to your network - either spontaneously or in an induced manner, for
example when trying to establish a ftp data stream, returning a bounced
mail, performing auth lookup, using IRC DCC, external html mail image
reference and so on,
.FP
- or be contacted by some entity on your network using some standard means
(such as a web browsing); it can either accept or refuse the connection.
.PP
The method can see thru packet firewalls and does not have the restrictions
of an active fingerprinting. The main uses of passive OS fingerprinting
are attacker profiling (IDS and honeypots), visitor profiling (content
optimization), customer/user profiling (policy enforcement), pen-testing,
etc.
.SH OPTIONS
.TP
\fB-f\fR file
read fingerprints from file; by default, p0f reads signatures
from ./p0f.fp or /etc/p0f/p0f.fp (the latter on Unix systems
only). You can use this to load custom fingerprint data.
Specifying multiple -f values will NOT combine several signature
files together.
.TP
\fB-i\fR device
listen on this device; p0f defaults to whatever device libpcap
considers to be the best (and which often isn't). On some newer
systems you might be able to specify 'any' to listen on all
devices, but don't rely on this. Specifying multiple -i values
will NOT cause p0f to listen on several interfaces at once.
.TP
\fB-s\fR file
read packets from tcpdump snapshot; this is an alternate
mode of operation, in which p0f reads packet from pcap
data capture file, instead of a live network. Useful for
forensics (this will parse tcpdump -w output, for example).
You can use Ethereal's text2pcap to convert human-readable
packet traces to pcap files, if needed.
.TP
\fB-w\fR file
writes matching packets to a tcpdump snapshot, in addition to
fingerprinting; useful when it is advisable to save copies of
the actual traffic for review.
.TP
\fB-o\fR file
write to this logfile. This option is required for -d and
implies -t.
.TP
\fB-Q\fR socket
listen on a specified local stream socket (a filesystem object,
for example /var/run/p0f-sock) for queries. One can later send a
packet to this socket with p0f_query structure from p0f-query.h,
and wait for p0f_response. This is a method of integrating p0f
with active services (web server or web scripts, etc). P0f will
still continue to report signatures the usual way - but you can
use -qKU combination to suppress this. Also see -c notes.
A sample query tool (p0fq) is provided in the test/
subdirectory. There is also a trivial perl implementation of
a client available.
NOTE: The socket will be created with permissions corresponding
to your current umask. If you want to restrict access to this
interface, use caution.
.TP
\fB-0\fR
treat source port 0 in remote queries as a wildcard: find
any record for that host. This is useful when developing plugins
for programs that do not pass source port information to the
subsystem that uses p0f queries; note that this introduces some
ambiguity, and the returned match might be not for the
exact connection in question (-Q mode only).
.TP
\fB-e\fR ms
packet capture window. On some systems (particularly on older Suns),
the default pcap capture window of 1 ms is insufficient, and p0f
may get no packets. In such a case, adjust this parameter to the
smallest value that results in reliable operation (note that this
might introduce some latency to p0f).
\fB-c\fR size
cache size for -Q and -M options. The default is 128, which
is sane for a system under a moderate network load. Setting it
too high will slow down p0f and may result in some -M false
positives for dial-up nodes, dual-boot systems, etc. Setting it
too low will result in cache misses for -Q option. To choose the
right value, use the number of connections on average per the
interval of time you want to cache, then pass it to p0f with -c.
P0f, when run without -q, also reports average packet ratio
on exit. You can use this to determine the optimal -c setting.
This option has no effect if you do not use -Q nor -M.
.TP
\fB-u\fR user
this option forces p0f to chroot to this user's home directory
after reading configuration data and binding to sockets, then to
switch to his UID, GID and supplementary groups.
This is a security feature for the paranoid - when running
p0f in daemon mode, you might want to create a new
unprivileged user with an empty home directory, and limit the
exposure when p0f is compromised. That said, should such a
compromise occur, the attacker will still have a socket he can
use for sniffing some network traffic (better than rm -rf /).
.TP
\fB-N\fR
inhibit guesswork; do not report distances and link media. With
this option, p0f logs only source IP and OS data.
.TP
\fB-F\fR
deploy fuzzy matching algorithm if no precise matches are
found (currently applies to TTL only). This option is not
recommended for RST+ mode.
.TP
\fB-D\fR
do not report OS details (just genre). This option is useful
if you don't want p0f to elaborate on OS versions and such
(combine with -N).
.TP
\fB-U\fR
do not display unknown signatures. Use this option if you want
to keep your log file clean and are not interested in hosts that
are not recognized.
.TP
\fB-K\fR
do not display known signatures. This option is useful when you
run p0f recreationally and want to spot UFOs, or in -Q or -M
modes when combined with -U to inhibit all output.
.TP
\fB-q\fR
be quiet - do not display banners and keep low profile.
.TP
\fB-p\fR
switch card to promiscuous mode; by default, p0f listens
only to packets addressed or routed thru the machine it
runs on. This setting might decrease performance, depending
on your network design and load. On switched networks,
this usually has little or no effect.
Note that promiscuous mode on IP-enabled interfaces can be
detected remotely, and is sometimes not welcome by network
administrators.
.TP
\fB-t\fR
add human-readable timestamps to every entry (use multiple
times to change date format, a la tcpdump).
.TP
\fB-d\fR
go into daemon mode (detach from current terminal and fork into
background). Requires -o.
.TP
\fB-l\fR
outputs data in line-per-record style (easier to grep).
.TP
\fB-A\fR
a semi-supported option for SYN+ACK mode. This option will cause
p0f to fingerprint systems you connect to, as opposed to systems
that connect to you (default). With this option, p0f will look
for p0fa.fp file instead of the usual p0f.fp. The usual config
is NOT SUITABLE for this mode.
The SYN+ACK signature database is sort of small at the moment,
but suitable for many uses. Feel free to contribute.
.TP
\fB-R\fR
a barely-supported option for RST+ mode. This option will
prompt p0f to fingerprint several different types of traffic,
most importantly "connection refused" and "timeout" messages.
This mode is similar to SYN+ACK (-A), except that the program
will now look for p0fr.fp. The usual config is NOT SUITABLE for
this mode. You may have to familiarize yourself with p0fr.fp
before using it.
.TP
\fB-O\fR
absolutely experimental open connection (stray ACK)
fingerprinting mode. In this mode, p0f will attempt to
indiscriminately identify OS on all packets within an already
established connection.
The only use of this mode is to perform an immediate
fingerprinting of an existing session. Because of the sheer
amount of output, you are advised against running p0f in this
mode for extended periods of time.
The program will use p0fo.fp file to read fingerprints. The
usual config is NOT SUITABLE for this mode. Do not use unless
you know what you are doing. NOTE: The p0fo.fp database is very
sparsely populated at the moment.
.TP
\fB-r\fR
resolve host names; this mode is MUCH slower and poses some
security risk. Do not use except for interactive runs or
low traffic situations. NOTE: the option ONLY resolves
IP address into a name, and does not perform any checks for
matching reverse DNS. Hence, the name may be spoofed - do not
rely on it without checking twice.
.TP
\fB-C\fR
perform collision check on signatures prior to running. This
is an essential option whenever you add new signatures to
.fp files, but is not necessary otherwise.
.TP
\fB-x\fR
dump full packet contents; this option is not compatible with
-l and is intended for debugging and packet comparison only.
.TP
\fB-X\fR
display packet payload; rarely, control packets we examine
may carry a payload. This is a bug for the default (SYN)
and -A (SYN+ACK) modes, but is (sometimes) acceptable in
-R (RST+) mode.
.TP
\fB-M\fR
deploy masquerade detection algorithm. The algorithm looks over
recent (cached) hits and looks for indications of multiple
systems being behind a single gateway. This is useful on routers
and such to detect policy violations. Note that this mode is
somewhat slower due to caching and lookups. Use with caution
(or do not use at all) in modes other than default (SYN).
.TP
\fB-T\fR nn
masquerade detection threshold; only meaningful with -M,
sets the threshold for masquerade reporting.
.TP
\fB-V\fR
use verbose masquerade detection reporting. This option
describes the status of all indicators, not only an overall
value.
.TP
\fB-v\fR
enable support for 802.1Q VLAN tagged frames. Available on
some interfaces, on other, will result in BPF error.
.SH FILTERS
The last part, 'filter rule', is a bpf-style filter expression for
incoming packets. It is very useful for excluding or including certain
networks, hosts, or specific packets, in the logfile. See man tcpdump for
more information, few examples:
\'src port ftp-data\'
\'not dst net 10.0.0.0 mask 255.0.0.0\'
\'dst port 80 and ( src host 195.117.3.59 or src host 217.8.32.51 )\'
You also can use a companion log report utility for p0f. Simply
run 'p0frep' for help.
.SH SECURITY
P0f, due to its simplicity, is believed to be considerably secure than other
software that is often being run for packet capture (tcpdump, Ettercap,
Ethereal, etc). Please follow the security guidelines posted in the
documentation supplied with the package.
.SH BUGS
You need to consult the documentation for an up-to-date list of issues.
.SH FILES
.TP
.BI /etc/p0f/p0f.fp\ /etc/p0f/p0fa.fp\ /etc/p0f/p0fr.fp\ /etc/p0f/p0fo.fp
default fingerprint database files
.SH AUTHOR
.B p0f
was written by Michal Zalewski <[email protected]>. This man page was
originally written by William Stearns <[email protected]>, then
adopted for p0f v2 by Michal Zalewski.