
Fingerprinting systems with P0f
p0f is a great little utility that passively fingerprints other systems based on the network connections it observes. Each operating system implements its network stack a little differently, and p0f can usually determine a host's operating system from those differences. This is useful, as you can note the operating system of every host for future exploit testing.
p0f is pretty straightforward to use. It can be run against live traffic coming from or going to the host you are on, or you can feed it a network capture to determine operating systems after the fact. Here is the usage output listing the command-line arguments, to help you decide which method suits you:

If you wish to run tests against hosts on the network, you can run p0f by specifying the correct interface and any filters needed to limit what gets into p0f. In this case, I will be checking for any traffic leaving this box to TCP port 3389. I start p0f by specifying the local interface I want to watch and then the filter.
The filter syntax is the same as tcpdump's, so use filters whenever possible to avoid a screen of endlessly scrolling p0f output, especially on a busy box:

Based on the screenshot, you can see that it correctly identified both the source and destination of the connection. You will not always get the exact version of the operating system, because a vendor may not change how its stack behaves between releases. In the previous example, performed in my lab, the target host was identified as either a Windows 7 or Windows 8 host. Even though the fingerprint is not exact, you can use that information for further exploitation later.
Now, what happens if you don't want to test live traffic but want to see which hosts were communicating in a conversation that was recorded in the past? That's no problem at all. By specifying -r with the file name, you can pull a capture file into p0f and see which operating systems were identified.
In my lab environment, I initiated an SSH connection from my OS X box to another host on the network. You can see that p0f identified my OS X box correctly and, further down, identified the target machine as a Linux box:
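As an added example (not from the original text), here is a small Python script that turns p0f's text output, whether from a live interface or a capture read with -r, into a per-host operating-system inventory you can keep alongside your host list. The block layout it parses is p0f v3's as I understand it (an assumption), and the sample output embedded in it is constructed and abbreviated, not captured.

```python
import re
from collections import defaultdict

# Constructed, abbreviated sample in the style of p0f v3's text output
# (assumed format): one block per SYN or SYN+ACK that p0f classified.
P0F_OUTPUT = """\
.-[ 192.168.1.50/52344 -> 192.168.1.20/22 (syn) ]-
| client   = 192.168.1.50/52344
| os       = Mac OS X
`----

.-[ 192.168.1.50/52344 -> 192.168.1.20/22 (syn+ack) ]-
| server   = 192.168.1.20/22
| os       = Linux 3.x
`----

.-[ 192.168.1.50/52345 -> 192.168.1.30/3389 (syn+ack) ]-
| server   = 192.168.1.30/3389
| os       = Windows 7 or 8
`----
"""

HEADER = re.compile(r"^\.-\[ (\S+) -> (\S+) \((syn|syn\+ack)\) \]-$")
FIELD = re.compile(r"^\| (\w+)\s+= (.*)$")

def parse_p0f(text):
    """Yield one dict per block: src, dst, kind, plus the block's key = value fields."""
    block = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            block = {"src": m.group(1), "dst": m.group(2), "kind": m.group(3)}
        elif block is not None and (m := FIELD.match(line)):
            block[m.group(1)] = m.group(2).strip()
        elif block is not None and line.startswith("`----"):
            yield block
            block = None

def os_inventory(text):
    """Map each fingerprinted IP to the OS labels p0f gave it. The classified side
    is 'client' (from a SYN) or 'server' (from a SYN+ACK); unknown stacks show as '???'."""
    inv = defaultdict(set)
    for b in parse_p0f(text):
        host = b.get("client") or b.get("server")
        if host and b.get("os", "???") != "???":
            inv[host.split("/")[0]].add(b["os"])
    return dict(inv)

if __name__ == "__main__":
    for ip, labels in sorted(os_inventory(P0F_OUTPUT).items()):
        print(f"{ip:15} {', '.join(sorted(labels))}")
```

To use it on real output, redirect p0f's stdout to a file and pass the file's contents to os_inventory.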

As these examples show, using p0f to read traffic (both live and recorded) can help you identify the operating systems of machines you may not yet know about. Again, this shows the value of p0f in your penetration-testing toolbox.