Network Analyzer: P0f


P0f INTRO:- P0f is a passive network fingerprinting tool that analyzes the structure of TCP/IP packets. From those packets it identifies the operating system and other configuration properties of the hosts it observes, as ethical hacking experts explain. Because p0f is passive, it can only profile a remote host whose traffic it can see: the host must sit on a network the attacker observes, or it must be in contact with some machine on that network. Unlike active scanners, p0f generates no traffic of its own; it determines the operating system of a remote host by analyzing the packets the host sends anyway (TCP SYN and SYN+ACK, and HTTP requests and responses).

An ethical hacking researcher of the International Institute of Cyber Security says that p0f comes in handy while doing a network assessment.

Because p0f sends no probes, the target's firewall or intrusion detection system has nothing to detect, and p0f is not subject to the restrictions that apply to active fingerprinting (such as probes being filtered or rate-limited). This tool comes pre-installed in Kali Linux.

  • Just open a terminal in Kali Linux and type p0f -h.
root@kali:/home/iicybersecurity# p0f -h
--- p0f 3.09b by Michal Zalewski <lcamtuf@coredump.cx> ---

p0f: invalid option -- 'h'
Usage: p0f [ ...options... ] [ 'filter rule' ]

Network interface options:

-i iface - listen on the specified network interface
-r file - read offline pcap data from a given file
-p - put the listening interface in promiscuous mode
-L - list all available interfaces

Operating mode and output settings:

-f file - read fingerprint database from 'file' (/etc/p0f/p0f.fp)
-o file - write information to the specified log file
-s name - answer to API queries at a named unix socket
-u user - switch to the specified unprivileged account and chroot
-d - fork into background (requires -o or -s)

Performance-related options:

-S limit - limit number of parallel API connections (20)
-t c,h - set connection / host cache age limits (30s,120m)
-m c,h - cap the number of active connections / hosts (1000,10000)

Optional filter expressions (man tcpdump) can be specified in the command
line to prevent p0f from looking at incidental network traffic.

Problems? You can reach the author at <lcamtuf@coredump.cx>.
  • In the above output, p0f 3.09b has no -h option, so it reports "invalid option" and then prints its usage text; that usage text is the help menu.

RUNNING p0f :-

  • Typing p0f with no arguments or p0f -i eth0 gives the same output, because eth0 is the default interface on this machine (the line "Intercepting traffic on default interface 'eth0'" confirms it).
root@kali:/home/iicybersecurity# p0f
--- p0f 3.09b by Michal Zalewski <lcamtuf@coredump.cx> ---

[+] Closed 1 file descriptor.
[+] Loaded 322 signatures from '/etc/p0f/p0f.fp'.
[+] Intercepting traffic on default interface 'eth0'.
[+] Default packet filtering configured [+VLAN].
[+] Entered main event loop.

.-[ 192.168.1.105/54494 -> 202.88.147.48/80 (syn) ]-
|
| client = 192.168.1.105/54494
| os = Linux 3.11 and newer
| dist = 0
| params = none
| raw_sig = 4:64+0:0:1460:mss*20,7:mss,sok,ts,nop,ws:df,id+:0
|
`----

.-[ 192.168.1.105/54494 -> 202.88.147.48/80 (mtu) ]-
|
| client = 192.168.1.105/54494
| link = Ethernet or modem
| raw_mtu = 1500
|
`----

.-[ 192.168.1.105/54494 -> 202.88.147.48/80 (syn+ack) ]-
|
| server = 202.88.147.48/80
| os = ???
| dist = 3
| params = none
| raw_sig = 4:61+3:0:1452:mss*20,7:mss,sok,ts,nop,ws:df:0
|
`----


.-[ 192.168.1.105/54494 -> 202.88.147.48/80 (http request) ]-
|
| client = 192.168.1.105/54494
| app = Safari 5.1-6
| lang = English
| params = dishonest
| raw_sig = 1:Host,User-Agent,Accept=[*/*],Accept-Language=[en-US,en;q=0.5],Accept-Encoding=[gzip, deflate],?Cache-Control,Pragma=[no-cache],Connection=[keep-alive]:Accept-Charset,Keep-Alive:Mozilla/5.0 (X11; Linux i686; rv:60.0) Gecko/20100101 Firefox/60.0
|
`----

.-[ 192.168.1.105/54494 -> 202.88.147.48/80 (http response) ]-
|
| server = 202.88.147.48/80
| app = ???
| lang = none
| params = none
| raw_sig = 1:Content-Type,?Content-Length,?Last-Modified,?ETag,Accept-Ranges=[bytes],Server,X-Amz-Cf-Id=[lJbJX62-PTZNknBuRfEeKfGkXucXaCTKmuR-tmXZL3DV2dYbk_CqOg==],?Cache-Control,Date,Connection=[keep-alive]:Keep-Alive:AmazonS3
|
`----


.-[ 192.168.1.105/38994 -> 52.27.184.151/443 (syn) ]-
|
| client = 192.168.1.105/38994
| os = Linux 3.11 and newer
| dist = 0
| params = none
| raw_sig = 4:64+0:0:1460:mss*20,7:mss,sok,ts,nop,ws:df,id+:0
|
`----


.-[ 192.168.1.105/38996 -> 52.27.184.151/443 (uptime) ]-
|
| server = 52.27.184.151/443
| uptime = 18 days 15 hrs 54 min (modulo 248 days)
| raw_freq = 208.47 Hz
|
`----
.-[ 192.168.1.105/58144 -> 162.241.216.11/80 (http request) ]-
|
| client = 192.168.1.105/58144
| app = Firefox 10.x or newer
| lang = English
| params = none
| raw_sig = 1:Host,User-Agent,Accept=,Accept-Language=[en-US,en;q=0.5],Accept-Encoding=[gzip, deflate],Connection=[keep-alive],Upgrade-Insecure-Requests=[1],Pragma=[no-cache],?Cache-Control:Accept-Charset,Keep-Alive:Mozilla/5.0 (X11; Linux i686; rv:60.0) Gecko/20100101 Firefox/60.0
|
`----
  • As the output shows, p0f loads 322 signatures from /etc/p0f/p0f.fp, listens on the default interface eth0 and enters its main event loop.
  • The syn record (dist = 0) fingerprints the client 192.168.1.105, that is, the Kali host itself, as Linux 3.11 or newer. The syn+ack record shows the remote server 202.88.147.48 three hops away (dist = 3) with os = ???, which means its TCP signature matched nothing in the database; the raw_sig is still printed and can be read by hand (61+3 means the packet left the server with TTL 64).
  • p0f also shows the client IP address and source port behind each browser connection and fingerprints the browser from the HTTP request. Note the first request: its header order matches Safari 5.1-6 while the User-Agent string claims Firefox/60.0, so p0f flags params = dishonest. The later request, with a different header order (Upgrade-Insecure-Requests present, Accept empty), is recognized as Firefox 10.x or newer. Both came from the same Firefox 60, so treat the HTTP-level app guess as a hint based on header order, and never trust the User-Agent string by itself, since it is trivially spoofed.
  • p0f is also handy for grabbing uptime: from the TCP timestamp option it estimates that 52.27.184.151 has been up for 18 days, 15 hours and 54 minutes. The value is "modulo 248 days" because the timestamp counter wraps, so the real uptime may be any multiple of 248 days longer than shown.
  • This information feeds the later phases of an assessment: knowing the operating system, hop distance and browser version lets a tester choose matching checks and exploits without ever sending a probe to the target.
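To put such records to use, here is an added example (not part of the original page and not p0f's own code) in Python that decodes the raw_sig field printed above into its components (IP version, observed TTL plus hop distance, IP option length, MSS, window expression and scale, option layout, quirks, payload class) and summarizes a log as written by p0f -o. The sample log lines are constructed from the signatures in the capture above, in the key=value|key=value record format the p0f v3 README documents; the timestamps and the ttl_family rule of thumb are assumptions of this example, not p0f output.

```python
"""
Decode p0f v3 output offline.

Added example, not p0f's own code.  When p0f is run as, for instance,
    p0f -i eth0 -o /var/log/p0f.log -u nobody 'tcp and port 80'
it appends one record per line to the log, in the pipe-separated
key=value format documented in the p0f v3 README.  SAMPLE_LOG below is
constructed from the signatures in the capture above; the timestamps
are made up.
"""
import re
from dataclasses import dataclass, field

# Constructed sample log (same hosts and raw signatures as the capture above).
SAMPLE_LOG = """\
[2019/01/10 12:00:01] mod=syn|cli=192.168.1.105/54494|srv=202.88.147.48/80|subj=cli|os=Linux 3.11 and newer|dist=0|params=none|raw_sig=4:64+0:0:1460:mss*20,7:mss,sok,ts,nop,ws:df,id+:0
[2019/01/10 12:00:01] mod=syn+ack|cli=192.168.1.105/54494|srv=202.88.147.48/80|subj=srv|os=???|dist=3|params=none|raw_sig=4:61+3:0:1452:mss*20,7:mss,sok,ts,nop,ws:df:0
[2019/01/10 12:00:02] mod=uptime|cli=192.168.1.105/38996|srv=52.27.184.151/443|subj=srv|uptime=18 days 15 hrs 54 min (modulo 248 days)|raw_freq=208.47 Hz
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<body>.*)$")


def parse_log_line(line: str) -> dict:
    """Split '[timestamp] key=val|key=val|...' into a dict; the timestamp is under 'ts'."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a p0f log record: {line!r}")
    rec = {"ts": m.group("ts")}
    for kv in m.group("body").split("|"):
        key, _, val = kv.partition("=")   # split on the first '=' only; values may contain '='
        rec[key] = val
    return rec


@dataclass
class TcpSig:
    """Fields of a p0f TCP signature: ver:ttl+dist:olen:mss:wsize,scale:olayout:quirks:pclass."""
    ip_version: int
    observed_ttl: int
    dist: int                 # hops p0f estimates the packet travelled
    initial_ttl: int          # observed_ttl + dist: the TTL the sending OS started with
    ip_opt_len: int
    mss: int
    window: str               # 'mss*20' style expression or a literal window size
    wscale: int
    option_layout: list = field(default_factory=list)
    quirks: list = field(default_factory=list)
    has_payload: bool = False


def parse_tcp_sig(raw_sig: str) -> TcpSig:
    """Decode the raw_sig string p0f prints for syn and syn+ack records."""
    ver, ttl_dist, olen, mss, wsize, olayout, quirks, pclass = raw_sig.split(":")
    ttl, _, dist = ttl_dist.partition("+")
    window, _, scale = wsize.partition(",")
    return TcpSig(
        ip_version=int(ver),
        observed_ttl=int(ttl),
        dist=int(dist or 0),
        initial_ttl=int(ttl) + int(dist or 0),
        ip_opt_len=int(olen),
        mss=int(mss),
        window=window,
        wscale=int(scale) if scale.isdigit() else 0,
        option_layout=olayout.split(",") if olayout else [],
        quirks=quirks.split(",") if quirks else [],
        has_payload=(pclass == "+"),      # p0f prints '+' for a non-empty payload, '0' otherwise
    )


def ttl_family(initial_ttl: int) -> str:
    """Coarse OS family from the initial TTL: a rule of thumb assumed here, not p0f's matcher."""
    families = {64: "Linux/BSD/macOS family", 128: "Windows family", 255: "Cisco/Solaris family"}
    return families.get(initial_ttl, "unknown")


def summarize(log_text: str) -> dict:
    """Collapse a p0f log into one entry per fingerprinted host (the 'subj' side of each record)."""
    hosts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_log_line(line)
        addr = rec[rec["subj"]].rsplit("/", 1)[0]   # subj is 'cli' or 'srv'; drop the port
        entry = hosts.setdefault(addr, {})
        if rec["mod"] in ("syn", "syn+ack"):
            sig = parse_tcp_sig(rec["raw_sig"])
            entry.update(os=rec["os"], dist=sig.dist, initial_ttl=sig.initial_ttl,
                         ttl_family=ttl_family(sig.initial_ttl), mss=sig.mss)
        elif rec["mod"] == "uptime":
            entry["uptime"] = rec["uptime"]
    return hosts


if __name__ == "__main__":
    for addr, info in summarize(SAMPLE_LOG).items():
        print(addr, info)
```

Run it directly to print one summary line per host. The value of decoding raw_sig shows in the syn+ack record: os = ??? only means there was no database match, but 61+3 still says the server started the packet with TTL 64, and MSS 1452 instead of 1460 says its path carries 8 fewer payload bytes than plain Ethernet, both of which are usable clues on their own.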

LISTING ALL THE INTERFACES :-

  • Type p0f -L
root@kali:/home/iicybersecurity# p0f -L
--- p0f 3.09b by Michal Zalewski <lcamtuf@coredump.cx> ---


-- Available interfaces --

0: Name : eth0
Description : -
IP address : 192.168.1.105

1: Name : any
Description : Pseudo-device that captures on all interfaces
IP address : (none)

2: Name : lo
Description : -
IP address : 127.0.0.1

3: Name : nflog
Description : Linux netfilter log (NFLOG) interface
IP address : (none)

4: Name : nfqueue
Description : Linux netfilter queue (NFQUEUE) interface
IP address : (none)

5: Name : usbmon1
Description : USB bus number 1
IP address : (none)

6: Name : usbmon2
Description : USB bus number 2
IP address : (none)
  • The command lists every interface libpcap can capture on, with its IP address where one is assigned. Use it to find the right name for -i; note that "any" captures on all interfaces at once.
  • This list is useful to network administrators as well as pentesters: it shows how many interfaces the host has and which one carries the traffic of interest.