P0f
Passive OS Fingerprinting Tool (mirror of defunct site)
--=--
p0f 2
--=--
"Dr. Jekyll had something to Hyde"
passive OS fingerprinting tool
version 2.0.8
(C) Copyright 2000 - 2006 by Michal Zalewski <lcamtuf@coredump.cx>
Various ports (C) Copyright 2003 - 2006 by:
Michael A. Davis <mike@datanerds.net>
Kirby Kuehl <kkuehl@cisco.com>
Kevin Currie <kcurrie@cisco.com>
Portions contributed by numerous good people - see CREDITS file.
http://lcamtuf.coredump.cx/p0f.shtml
For a book on some interesting passive fingerprinting tips, see:
http://lcamtuf.coredump.cx/silence
*********************************************************************
**** HELP WITH P0F DATABASE: http://lcamtuf.coredump.cx/p0f-help ****
*********************************************************************
- Contents
This document describes the concept and history of p0f, its command-line options and extensions, and goes into some detail about its operation, integration with existing solutions, and so on.
Table of contents:
- What's this, anyway?
- Why would I want to use it?
- What's new then?
- Command-line
- Active service integration
- SQL database integration
- Masquerade detection
- Fingerprinting accuracy and precision
- Adding signatures
- Security
- Limitations
- Is it better than other software?
- Program no work!
- Appendix A: Links to OS fingerprinting resources
- What's this, anyway?
The passive OS fingerprinting technique is based on analyzing the information sent by a remote host while performing usual communication tasks - such as whenever a remote party visits your webpage, connects to your MTA - or whenever you connect to a remote system while browsing the web or performing other routine tasks. In contrast to active fingerprinting (with tools such as NMAP or Queso), the process of passive fingerprinting does not generate any additional or unusual traffic, and thus cannot be detected.
Captured packets contain enough information to identify the remote OS, thanks to subtle differences between TCP/IP stacks, and sometimes certain implementation flaws that, although harmless, make certain systems quite unique. Some additional metrics can be used to gather information about the configuration of a remote system or even its ISP and network setup.
The name of the fingerprinting technique might be somewhat misleading - although the act of discovery is indeed passive, p0f can be used for active testing. It is just that you are not required to send any unusual or undesirable traffic, and can rely on what you would be getting from the remote party anyway, in the course of everyday, seemingly innocuous chatter.
To accomplish the job, p0f equips you with four different detection modes:
- Incoming connection fingerprinting (SYN mode, default) - whenever you want to know what the guy or gal who connects to you runs,
- Outgoing connection (remote party) fingerprinting (SYN+ACK mode) - to fingerprint systems you or your users connect to,
- Outgoing connection refused (remote party) fingerprinting (RST+ mode) - to fingerprint systems that reject your traffic,
- Established connection fingerprinting (stray ACK mode) - to examine existing sessions without any needless interference.
It is quite difficult to pinpoint who came up with this idea of passive SYN-based OS fingerprinting, though due credit must be given to Craig Smith, Peter Grundl, Lance Spitzner, Shok, Johan, Su1d, Savage, Fyodor and other brave hackers who explored this and related topics in the years 1999 and 2000.
P0f was the first (and I believe remains the best) fully-fledged implementation of a set of TCP-related passive fingerprinting techniques. The current version uses a number of detailed metrics, often invented specifically for p0f, and achieves a very high level of accuracy and detail; it is designed for hands-free operation over an extended period of time, and has a number of features to make it easy to integrate it with other solutions.
Portions of this code are used in several IDS systems and some sniffer software; p0f is also shipped with several operating systems and incorporated into an interesting OpenBSD pf hack by Mike Frantzen that allows you to filter out or redirect traffic based on the source OS. There is also a beta patch for Linux netfilter, courtesy of Evgeniy Polyakov. In short, p0f is a rather well-established piece of software at this point.
- Why would I want to use it?
Oh, a number of uses come to mind:
- Profiling / espionage - run on a server, firewall, proxy or router, p0f can be used to silently gather statistical and profiling information about your visitors, users, or competitors. P0f also gathers netlink and distance information suitable for determining remote network topology, which may serve as a great piece of pre-attack intelligence.
- Active response / policy enforcement - integrated with your server or firewall, p0f can be used to handle specific OSes in the most suitable manner and serve the most appropriate content; you may also enforce a specific corporate OS policy, restrict SMTP connections to a set of systems, etc.; with masquerade detection capabilities, p0f can be used to detect illegal network hook-ups and TOS violations.
- PEN-TEST - in the SYN+ACK, RST+, or stray ACK mode, or when a returning connection can be triggered on a remote system (HTML-enabled mail with images, ftp data connection, mail bounce, identd connection, IRC DCC connection, etc.), p0f is an invaluable tool for silent probing of a subject of such a test.
Masquerade detection in SYN+ACK or RST+ modes can also be used to test for load balancers and so forth.
- Network troubleshooting - RST+ mode can be used to debug network connectivity problems you or your visitors encounter.
- Bypassing a firewall - p0f can "see thru" most NAT devices, packet firewalls, etc. In SYN+ACK mode, it can be used for fingerprinting over a connection allowed by the firewall, even if other types of packets are dropped; as such, p0f is the solution when NMAP and other active tools fail.
- Amusement value is also pretty important. Want to know what this guy runs? Does he have a DSL, X.25 WAN hookup, or a shoddy SLIP connection? What's Google crawlbot's uptime?
Of course, "a successful [software] tool is one that was used to do something undreamed of by its author" ;-)
- What's new then?
The original version of p0f was written somewhere in 2000 by Michal Zalewski (that be me), and later taken over by William Stearns (circa 2001). The original author still contributed to the code from time to time, and the version you're holding right now is his sole fault - although I'd like William to take over further maintenance, if he's interested.
Version 2 is a complete rewrite of the original v1 code. The main reason for this is to make signatures more flexible, and to implement certain additional checks for very subtle packet characteristics to improve fingerprint accuracy. Changes include:
NEW CORE CHECKS:
- Option layout and count check,
- EOL presence and trailing option data [*],
- Unrecognized option handling (TTCP, etc),
- WSS to MSS/MTU correlation checks [*],
- Zero timestamp check,
- Non-zero ACK in initial SYN [*],
- Non-zero "unused" TCP fields [*],
- Non-zero urgent pointer in SYN [*],
- Non-zero second timestamp [*],
- Zero IP ID in initial packet,
- Unusual auxiliary flags,
- Data payload in control packets [*],
- SEQ number equal to ACK number [*],
- Zero SEQ number [*],
- Non-empty IP options.
[*] denotes metrics "invented" for p0f, as far as I am concerned. Other metrics were discussed by certain researchers before, although usually not implemented anywhere. A detailed discussion of all checks performed by p0f can be found in the introductory comments in p0f.fp, p0fa.fp and p0fr.fp.
As a matter of fact, some of the metrics were so precise I managed to find several previously unknown TCP/IP stack bugs :-) See doc/win-memleak.txt and p0fr.fp for more information.
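As an added illustration (not p0f's own code), here is a small Python parser that pulls the fields behind the checks listed above out of a raw IPv4/TCP SYN and renders them in the wwww:ttt:D:ss:OOO...:QQ layout used by p0f.fp. The option and quirk letters follow p0f.fp conventions as I recall them and should be treated as an assumption; the sample packet is constructed, not captured.

```python
import struct

# Constructed sample: Linux-like SYN (MSS 1460, SACK, TS, NOP, WSCALE 7,
# window 4*MSS, DF set) with a zero IP ID, so one quirk shows up.
_OPTS = (struct.pack("!BBH", 2, 4, 1460) + b"\x04\x02"         # MSS, SACK ok
         + struct.pack("!BBII", 8, 10, 123456, 0)              # TS, 2nd ts = 0
         + b"\x01" + struct.pack("!BBB", 3, 3, 7))             # NOP, WSCALE 7
_TCP = struct.pack("!HHIIHHHH", 40000, 80, 0x12345678, 0, (10 << 12) | 0x02,
                   5840, 0, 0) + _OPTS                         # doff 10, SYN only
SAMPLE_SYN = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(_TCP), 0, 0x4000, 64,
                         6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + _TCP
def parse_syn(pkt: bytes) -> dict:
    """Pull out the p0f-relevant fields of a raw IPv4/TCP SYN (no link layer)."""
    vhl, _tos, tot_len, ip_id, frag, ttl, _proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (vhl & 0x0F) * 4; tcp = pkt[ihl:]
    _sp, _dp, seq, ack, off_flags, win, _csum, urg = struct.unpack("!HHIIHHHH", tcp[:20])
    doff, flags = (off_flags >> 12) * 4, off_flags & 0x0FFF
    opts, layout, quirks, i = tcp[20:doff], [], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                             # EOL
            if any(opts[i + 1:]): quirks.append("P")              # options past EOL
            layout.append("E"); break
        if kind == 1:                                             # NOP
            layout.append("N"); i += 1; continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            quirks.append("!"); break                             # broken option segment
        ln, body = opts[i + 1], opts[i + 2:i + opts[i + 1]]
        if kind == 2 and ln == 4: layout.append("M%d" % struct.unpack("!H", body)[0])
        elif kind == 3 and ln == 3: layout.append("W%d" % body[0])
        elif kind == 4 and ln == 2: layout.append("S")
        elif kind == 8 and ln == 10:
            ts1, ts2 = struct.unpack("!II", body)
            layout.append("T0" if ts1 == 0 else "T")              # zero timestamp check
            if ts2: quirks.append("T")                            # non-zero 2nd timestamp
        else: layout.append("?%d" % kind)                         # unrecognized (TTCP etc.)
        i += ln
    # Packet-level quirks: I=IP options, Z=zero IP ID, U=urgent pointer, X="unused"
    # flag bits, A=ACK in SYN, F=PSH/URG on SYN, D=payload, Q=SEQ==ACK, 0=zero SEQ.
    for cond, q in ((ihl > 20, "I"), (ip_id == 0, "Z"), (urg, "U"), (flags & 0x0E00, "X"),
                    (ack, "A"), (flags & 0x0028, "F"), (len(tcp) > doff, "D"),
                    (seq == ack, "Q"), (seq == 0, "0")):
        if cond: quirks.append(q)
    return {"win": win, "ttl": ttl, "df": (frag >> 14) & 1, "size": tot_len,
            "opts": layout, "quirks": "".join(quirks) or "."}
def signature(pkt: bytes) -> str:
    f = parse_syn(pkt)   # p0f v2 style wwww:ttt:D:ss:OOO...:QQ
    return "%d:%d:%d:%d:%s:%s" % (f["win"], f["ttl"], f["df"], f["size"],
                                   ",".join(f["opts"]) or ".", f["quirks"])
```

Feeding the sample yields 5840:64:1:60:M1460,S,T,N,W7:Z, the same shape as the Linux entries in p0f.fp (window expressed there as S4, i.e. 4*MSS), with the zero IP ID reported as a quirk.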
ENGINE IMPROVEMENTS:
- Major performance boost - no more runtime signature parsing, added BPF pre-filtering, signature hash lookups. All this to make p0f suitable for being run on high-throughput devices,
- Advanced masquerade detection for policy enforcement (ISPs, corporate networks),
- Modulo and wildcard operators for certain TCP/IP parameters to make it easier to come up with generic last chance signatures for systems that tweak settings notoriously (think Windows),
- Auto-detection of DF-zeroing firewalls,
- Auto-detection of MSS-tweaking NAT and router devices,
- Media type detection based on MSS, with a database of common link types,
- Origin network detection based on unusual ToS / precedence bits,
- Ability to detect and skip ECN option when examining flags,
- Better fingerprint file structure and contents - all fingerprints are rigorously reviewed before being added.
- Generic last-chance signatures to cover general OS characteristics,
- Query mode to ena