Bugtraq mailing list archives

By Date By Thread p0f3 release candidate From: Michal Zalewski <lcamtuf () coredump cx>

Date: Tue, 10 Jan 2012 01:23:08 -0800

Hi folks, I wanted to share the news of p0f v3, a complete rewrite and redesign of my passive fingerprinting tool. == Synopsis == P0f is a tool that utilizes an array of sophisticated, purely passive traffic fingerprinting mechanisms to identify the players behind any incidental TCP/IP communications (often as little as a single normal SYN) without interfering in any way. Some of its capabilities include: - Scalable and fast identification of the operating system and software on both endpoints of a vanilla TCP connection - especially in settings where NMap probes are blocked, too slow, unreliable, or would simply set off alarms. - Measurement of system uptime and network hookup, distance (including topology behind NAT or packet filters), user language preferences, and so on. - Automated detection of connection sharing / NAT, load balancing, and application-level proxying setups, - Detection of dishonest clients / servers that forge declarative statements such as X-Mailer or User-Agent. The tool can be operated in the foreground or as a daemon, and offers a simple real-time API for third-party components that wish to obtain additional information about the actors they are talking to. Common uses for p0f include reconnaissance during penetration tests; routine network monitoring; detection of unauthorized network interconnects in corporate environments; providing signals for abuse prevention tools; and miscellaneous forensics. == What's new == Version 3 is a complete rewrite, bringing you much improved SYN and SYN+ACK fingerprinting capabilities, auto-calibrated uptime measurements, completely redone databases and signatures, new API design, IPv6 support (who knows, maybe it even works?), stateful traffic inspection with thorough cross-correlation of collected data, application-level fingerprinting modules (for HTTP now, more to come), and a lot more. == Download / demo == Please visit: http://lcamtuf.coredump.cx/p0f3/ This is a "release candidate", and my hope is to get folks to contribute signatures and help squash bugs. If all goes according to plan, this should progress to a final release in a week or two. Some issues are expected, so please report problems off-the-list. /mz By Date By Thread Current thread: p0f3 release candidate Michal Zalewski (Jan 10) Re: p0f3 release candidate Michal Zalewski (Jan 17)

Michal Zalewski (Jan 10)