Setting Up and Modifying p0f

When setting up p0f, you should use options that set up the Unix socket and SYN/ACK mode. The A option places the program in SYN/ACK mode, the Q option indicates that the Unix socket query interface will be used, and ~/socket is given as the name of the socket. This mode fingerprints systems we connect to, as opposed to the default, which fingerprints systems that connect to us. After launching p0f, make a basic HTTP request so that p0f has some packets to fingerprint:

$p0f -qlAQ ~/socket
192.168.0.100:80 - Linux recent 2.4 (1) (up: 210 hrs) -> 192.168.0.109:9818 (distance 1, link: pppoe (DSL))

Leave that process running in a shell and then, in a separate shell, use the p0fq example tool to query the socket for the specific connection:

$./p0fq ../sock 192.168.0.100 80 192.168.0.109 9818
Genre    : Linux
Details  : recent 2.4 (1)
Distance : 1 hops
Link     : pppoe (DSL)
Uptime   : 210 hrs
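As an added example (not from the book and not part of p0f), here is a small Python client that speaks the same Unix-socket query protocol p0fq uses. The struct layouts are assumed from p0f 2.0.x's p0f-query.h and should be checked against the header of the version you run; a query with both ports set to 0 is the address-only form the patch below adds, and sample_response is a constructed reply mirroring the output above.

```python
import socket
import struct

# Assumed layout of struct p0f_query / struct p0f_response (p0f 2.0.x
# p0f-query.h). p0f writes the raw C structs onto the socket, so native
# byte order and native alignment are used; verify against your header.
QUERY_MAGIC = 0x0DEFACED
QUERY_FMT = "IIIIHH"                 # magic, id, src_ad, dst_ad, src_port, dst_port
RESP_FMT = "IIB20s40sb30s30sBBBhHi"  # magic, id, type, genre, detail, dist,
                                     # link, tos, fw, nat, real, score, mflags, uptime
RESP_OK, RESP_BADQUERY, RESP_NOMATCH = 0, 1, 2

def build_query(src_ip, src_port, dst_ip, dst_port, qid=1):
    """Pack a p0f_query. Addresses stay in wire order (as p0fq's inet_addr
    does); ports are host-order integers. 0/0 ports is the address-only
    wildcard the patch in the text adds (unpatched p0f answers NOMATCH)."""
    src_ad, = struct.unpack("I", socket.inet_aton(src_ip))
    dst_ad, = struct.unpack("I", socket.inet_aton(dst_ip))
    return struct.pack(QUERY_FMT, QUERY_MAGIC, qid, src_ad, dst_ad, src_port, dst_port)

def _cstr(b):
    return b.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_response(data):
    """Unpack a p0f_response and return the fields p0fq prints."""
    size = struct.calcsize(RESP_FMT)
    if len(data) < size:
        raise ValueError("short response: %d of %d bytes" % (len(data), size))
    (magic, qid, rtype, genre, detail, dist, link, tos,
     fw, nat, real, score, mflags, uptime) = struct.unpack(RESP_FMT, data[:size])
    if magic != QUERY_MAGIC:
        raise ValueError("bad response magic 0x%x" % magic)
    return {"id": qid, "type": rtype, "genre": _cstr(genre), "detail": _cstr(detail),
            "dist": dist, "link": _cstr(link), "tos": _cstr(tos),
            "fw": fw, "nat": nat, "uptime": uptime}

def query(sock_path, src_ip, src_port, dst_ip, dst_port):
    """Send one query to a running 'p0f -Q <sock_path>' and parse the reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(build_query(src_ip, src_port, dst_ip, dst_port))
        need, buf = struct.calcsize(RESP_FMT), b""
        while len(buf) < need:
            chunk = s.recv(need - len(buf))
            if not chunk:
                break
            buf += chunk
        return parse_response(buf)

def sample_response():
    """Constructed reply matching the p0fq output shown above (not captured)."""
    return struct.pack(RESP_FMT, QUERY_MAGIC, 1, RESP_OK, b"Linux", b"recent 2.4 (1)",
                       1, b"pppoe (DSL)", b"", 0, 0, 1, -100, 0, 210)
```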

This appears to be working, but specifying source and destination ports is too cumbersome. Let’s write a small patch to p0f to make it easier on the user. The following patch is against p0f Version 2.0.4. You can apply it with the patch -p0 < p0f-2.0.4-msf.patch command:

--- p0f-query.org.c Fri Jan 3 18:19:58 2004 +++ p0f-query.c Fri Jan 3 19:09:46 2004 @@ -122,6 +122,14 @@ send(sock,n,sizeof(struct p0f_response),MSG_NOSIGNAL); return; + }else if((cur->sad == q->src_ad) && (cur->dad == q->dst_ad) && + (q->src_port == NULL) && (q->dst_port == NULL)){ + struct p0f_response* n ...
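Review bot: in the new else-if branch, q->src_port and q->dst_port are port numbers, not pointers, so comparing them against NULL only works because NULL happens to be 0 and will draw compiler warnings; compare against 0 explicitly, e.g. `(q->src_port == 0) && (q->dst_port == 0)`, and document that a zero port means "any". Because that branch deliberately ignores ports, every cached connection between the same two addresses satisfies it and the first entry found wins, so the reply may describe a different (possibly older) connection than the caller had in mind; a comment stating that the address-only query is best-effort would help users of the new form.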
