Jump to content

[Support] p0f - OS fingerprinting


bytedeez

Recommended Posts

The above link should be: http://www.ukhoneynet.org/2008/06/03/p0f-208-on-openwrt/

Nmap is not a replacement for p0f. p0f (Passive OS Fingerprinting), doesn't generate network traffic and if used properly is undetectable. While nmap can also do OS fingerprinting, it's very "loud."

p0f 2.0.8, the version referenced above, was released in 2006-2007. Then development apparently stopped for 5 years or so and restarted in 2012 with a complete rewrite. The current version is 3.0.7b.

I would be very interested to know if someone has compiled the latest version for use on the pineapple. The web page and downloads are here.

Link to comment
Share on other sites

Obviously the option that sticks a device into promiscuous mode might mess things up a bit, but this tool has been successfully embedded in a number of other tools and appliances. I think it may have applications in the pineapple beyond just a single infusion. I would love to see automatic fingerprinting of every client or browser that connects? BTW, p0f can process PCAP captures, so it might also be useful for post-processing.

I thought it was a great idea damavox, let's see what Whistle Master comes up with.

Link to comment
Share on other sites

Don't worry, listening on br-lan interface is the way to go and does not mess stuff up :wink:

I did some testing, it works well:

root@Pineapple:/sd# p0f -i br-lan
--- p0f 3.07b by Michal Zalewski <lcamtuf@coredump.cx> ---

[+] Closed 1 file descriptor.
[+] Loaded 320 signatures from '/etc/p0f/p0f.fp'.
[+] Intercepting traffic on interface 'br-lan'.
[+] Default packet filtering configured [+VLAN].
[+] Entered main event loop.

.-[ 172.16.42.159/52876 -> 23.51.247.91/80 (syn) ]-
|
| client   = 172.16.42.159/52876
| os       = MacOS X 10.9 or newer (sometimes iPhone or iPad)
| dist     = 0
| params   = none
| raw_sig  = 4:64+0:0:1460:65535,4:mss,nop,ws,nop,nop,ts,sok,eol+1:df,id+:0
|
`----

.-[ 172.16.42.159/52876 -> 23.51.247.91/80 (mtu) ]-
|
| client   = 172.16.42.159/52876
| link     = Ethernet or modem
| raw_mtu  = 1500
|
`----

.-[ 172.16.42.159/52876 -> 23.51.247.91/80 (syn+ack) ]-
|
| server   = 23.51.247.91/80
| os       = Linux 3.x
| dist     = 10
| params   = none
| raw_sig  = 4:54+10:0:1460:mss*10,1:mss,sok,ts,nop,ws:df:0
|
`----

.-[ 172.16.42.159/52876 -> 23.51.247.91/80 (mtu) ]-
|
| server   = 23.51.247.91/80
| link     = Ethernet or modem
| raw_mtu  = 1500
|
`----

.-[ 172.16.42.159/52876 -> 23.51.247.91/80 (http request) ]-
|
| client   = 172.16.42.159/52876
| app      = ???
| lang     = none
| params   = none
| raw_sig  = 0:Host,Connection=[close],User-Agent:Accept,Accept-Encoding,Accept-Language,Accept-Charset,Keep-Alive:CaptiveNetworkSupport-277.10.5 wispr
|
`----
Edited by Whistle Master
Link to comment
Share on other sites

Damn Whistle Master, You da man!
Now I just need to pull my head out of my ass and start playing with the Wifi Pineapple.
Thanks buddy! :D

Edited by spazi
Link to comment
Share on other sites

  • 2 weeks later...

While Seb was on holiday (being dragged around by tractors?), damavox asked about creating a p0f infusion. p0f is a passive OS fingerprinting tool that sends no packets to the host being fingerprinted. It is especially well suited for use in devices with connected clients, such as the pineapple.

In short order, Whistle Master created an infusion. However, because this required a custom p0f binary, he pulled the infusion and locked the support topic, pending Seb's return.

Now that Seb's back, I was wondering about the status. Can we get this turned back on?

Edited by fringes
Link to comment
Share on other sites

  • 8 months later...

Ive been out of the loop for awhile but this looks interesting. I have tried both installation methods, sd card and internal, but no luck When I start, it just jumps to "not running" after a second or so. any advice as to where to start hunting?

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...