p0f(下)

----------------------
7. Masquerade detection
-----------------------php

Masquerade detection (-M) works by looking at the following factors for
all known signatures that belong to operating systems (and not userland
tools like scanners):html

- Differences in OS fingerprints for the same IP:
-3 if the same OS
+4 if different signature for the same OS genre
+6 if different OS genres

- NAT and firewall flags set:
+4 if NAT flags differ for the same signature
+4 if fw flags differ for the same signature
+1 per each NAT and fw flag if signatures differ (max. 4)node

- Link type differences:
+4 if media type differslinux

- Distance differences:
+1 if host distance differsios

- Timestamp scoring, if timestamps available:
-1 if timestamp delta within MAX_TIMEDIF (config.h)
+1 if timestamp delta past MAX_TIMEDIF
+2 if timestamp delta negativeweb

- Time from the previous occurence:
/2 if more than half the cache size to the previous occurenceexpress

The final score is reported as score * 200 / 25 (25 being the highest
score possible) and reported as a percentage.bash

The higher the value, the more likely the result is accurate. Since
the situation when all indicators are up is rather unrealistic, the
multiplier is 200, not 100, and you can get over 100% match ;-)
Everything above 0% should be looked at, over 20% is usually a sure
bet.

You can configure the reporting of matches by setting the threshold
to a value different than zero with -T switch. -T 10 might be a good
idea. If you're looking at a local network, you can define
DIST_EXTRASCORE to score distance differences much higher - it is
unlikely for a local LAN to shrink or grow, but it's not uncommon for
routing over the Internet to change. If you are unhappy with the
scoring algorithm and do not want to modify the sources, you can use
-V option to report the status of every masquerade indicator. In
conjunction with -l, -V can be used to grep for the precise set
of signatures you're interested in.

Every hit is prefixed with ">> ". Combine -M, -K and -U to report
masquerade hits only (but it is recommended to still dump packets
with -w to be able to examine the evidence later on). A good
example:app

p0f -M -K -U -w evidence.bin -c 500 -l -V 'not src host my_ip'

A quick demo:less

192.165.38.73:20908 - OpenBSD 3.0-3.4 (up: 836 hrs)
-> 217.8.32.51:80 (distance 6, link: GPRS or FreeS/WAN)
192.165.38.73:21154 - Linux 2.4/2.6 (NAT!) (up: 173 hrs)
-> 217.8.32.51:80 (distance 6, link: GPRS or FreeS/WAN)
192.165.38.73:22003 - Windows XP Pro SP1, 2000 SP3 (NAT!)
-> 217.8.32.51:80 (distance 6, link: GPRS or FreeS/WAN)

>> Masquerade at 192.165.38.73: indicators at 69%.

That was quite evident.

194.68.64.2:49030 - Windows 2000 SP2+, XP SP1
-> 217.8.32.51:80 (distance 10, link: ethernet/modem)
194.68.64.2:52942 - Windows 2000 SP4, XP SP1, patched 98
-> 217.8.32.51:80 (distance 12, link: ethernet/modem)

>> Masquerade at 194.68.64.2: indicators at 43%.

The host has a name of gateway.vlt.se, so once again, a good hit.

Verbose output looks like this:

>> Masquerade at 216.88.158.142/crawlers.looksmart.com: indicators at 26%.
Flags: OS -far

In this case, we have two different OSes (OS), but the time between two
occurences is long enough to lowe the score (-far). All -V flags are:

OS - different OS genres
VER - different OS versions
LINK - link type difference
DIST - distance differences
xNAT - NAT flags differ (when signature)
xFW - FW flags differ (same signature)
NAT1, NAT2 - NAT flags set (different signatures)
FW1, FW2 - FW flags set (different signatures)
FAST - timestamp delta too high
TNEG - timestamp delta negative
-time - timestamp delta within the norm
-far - distant occurences

Because the score is cummulative, it is possible to have exclusive
flags set (e.g xNAT and NAT1) if there's a higher number of signatures
for a specific IP in the cache. Masquerade information can be also
retrieved via the query interface, as noted in the section above.

The functionality depends on keeping the fingerprint database
clean and prefixing non-OS fingerprints (nmap, other scanner tools,
application-induced TCP/IP stack behavior) with - prefix. Those
fingerprints, as well as all the UNKNOWNs, are not used for masquerade
detection.

Note that a single host can be reported many times. The system reports
immediately, but later on, the host might score a different result
once new data arrives. Use the highest result for a specific host, but
also observe the consistency of subsequent results.

The solution uses a cyclic buffer also used in -Q mode (and affected by
-c parameter). You should set the value to cache not more than an
hour of traffic (and no less than a minute). Calculate the number of
connections on average per the interval of time you wish to cache,
then pass the value to p0f with -c.

Setting -c too high will result in false positives for dial-up nodes,
multiboot systems, etc. Setting it too low may miss some cases.

The code detects NAT devices that do not rewrite packets (almost
all packet firewalls). Ones that do rewrite packets can be detected by
their own signatures, though.

Masquerade detection will fail if all systems masqueraded have an
identical configuration and network setup (which is very unlikely,
even in a homogenous environment), or are never used at (roughly) the same
time.

NOTE: You can also try to combine -M with -A, which is only really
useful for detecting load balancers and other setups that map a single
address to several servers; or with -R, which can be used both for
detecting load balancers (RST) and normal incoming masquerade detection
(RST+ACK), although it's probably less reliable.

----------------------------------------
8. Fingerprinting accuracy and precision
----------------------------------------

Version 2 uses some more interesting TCP/IP packet metrics, and should
be inherently more accurate and precise. We also try to use common sense
when adding and importing signatures, which should be a great
realiability boost. More obscure modes, such as RST+, may be inherently
less accurate or reliable - see section 10 for more details.

NOTE: To avoid decreasing reliability of the database, you MUST read the
information provided at the beginning of p0f.fp carefully before touching
it in any way!

Link type identification is not particularly reliable, as some users tend
to mess with their default MTUs for better (or worse ;-) performance.
For most systems, it will be accurate, but if you see an unlikely
value reported, just deal with it.

Uptime detection is also of an amusement value. Some newly released
systems tend to multiply timestamp data by 10 or have other clocking
algorithms. The current version of p0f does not support those differences
over the entire database. I will try to fix it, until then, those boxes
would have an artifically high uptime.

NAT detection is merely an indication of MSS being tweaked at some point.
Most likely, the reason for this is indeed a NATing router, but there
are some other explanations. Linux, for example, tends to mix up MTUs
from different interfaces in certain scenarios (when, I'm not sure, but
it's common and is probably a bug), and if you see a Linux box tagged as
"NAT", it does not have to be NATed - it might simply have two network
interfaces. P0f can still be a useful NAT detection tool (you can examine
changing distances and OS matches for a specific host, too), simply don't
rely on this flag alone.

If you see link type identified as unknown-XXXX, try to Google for
"mtu XXXX". If you find something reasonable, you might want update
mtu.h and recompile p0f, and submit this information to me. Keep in
mind some MTU settings are just arbitrary and do not have to mean a
thing.

P0f also tries to recognize some less popular combinations of precedence
bits, type of service and so-called "must be zero" bit in TCP headers to
detect certain origin ISPs. Many DSL and cable operators, particularly
in Europe, tend to configure their routers in fairly unique ways in
this regard. This, again, is purely of an amusement value. See tos.h
for more information.

P0f will never be as precise as NMAP, simply because it has to rely
on what the host sends by itself, and can't check how it responds to
"invalid" or tweaked packets. On the other hand, in the times of
omnipresent personal and not quite personal firewalls and such,
p0f can often help where NMAP is confused.

Just like with any fingerprinting utility, active or passive, it is
possible to change TCP/IP stack settings to either avoid identification,
or appear as some other system - although some of the changes might
require kernel-space hacking.

--------------------
9. Adding signatures
--------------------

Please refer to p0f.fp for more information about signatures and
their format. You NEED to read this information carefully before
changing or adding anything.

Do consider submitting your signature to lcamtuf@coredump.cx,
wstearns@pobox.com, or connecting from the system to
http://lcamtuf.coredump.cx/p0f-help/. We will be happy to incorporate
this signature in the official release, and can help you make your
signature more accurate.

Be sure to run p0f -C after making any additions. This will run
a collision checker and warn about shadowed or possibly incorrect
signatures. This happens more often than you'd think.

The same applies to p0fa.fp and p0fr.fp files. You need to
run p0f -A -C and p0f -R -C to verify their contents.

Rest assured, you will sooner or later find something really
surprising. You can look at tmp/ to see a current list of
mysteries I've stumbled upon. The museum at
http://lcamtuf.coredump.cx/mobp/ lists some other funky cases.
By all means, I'd like to hear about other UFO sightings!

------------
10. Security
------------

Running p0f as a daemon should pose a fairly low risk, compared to
tcpdump or other elaborate packet parsers (Ettercap, etc). P0f does not
attempt anything stupid, such as parsing tricky high-level protocols.
There is a slight risk I screwed up something with the option parser
or such, but this code should be easy to audit. If you do not feel to
comfortable, you can always use the -u option, which should mitigate
the risk signigicantly.

Do not make p0f setuid, setgid or otherwise privileged when the caller
isn't. Running it via sudo for users you do not trust entirely is also a
so-so idea.

The biggest threat is using -r option carelessly, as it enables the
entire name resolution overhead, and introducing a potentially vulnerable
DNS handling code, not to mention DoS potential.

Other than that, when running in -Q mode, you need to make sure, either
by setting umask or calling chmod/chown after launching p0f, to set
correct permissions on the query socket - that is, unless you don't
see a problem with your users querying p0f, which isn't a great threat
to the humanity.

Do not use world-writable directories for keeping the socket. Do not
use world-writable directories for output files or configuration.

---------------
11. Limitations
---------------

Proxy firewalls and other high-level proxy devices are not transparent
to any TCP-level fingerprinting software. The device itself will be
fingerprinted, not actual source hosts. There is some software that
lets you perform application fingerprinting, this isn't it.

Some packet firewalls configured to normalize outgoing traffic (OpenBSD pf
with "scrub" enabled, for example) will, well, normalize packets. Those
signatures will not correspond to the originating system, and probably not
quite to the firewall either. Checkpoint firewall, in a fairly lame attempt
to defeat OS fingerprinting, tweaks IP ID and TTL on outgoing packets; if
you want to work around this problem, run p0f with -F option.

In order to obtain the information required for fingerprinting, you have
to receive at least one SYN packet initiating a TCP connection to your
machine or network. Note: you don't have to respond to this
particular SYN, and it's perfectly fine to respond with RST.

For SYN+ACK fingerprinting, you must be able to connect to at least one
open port on the target machine to actually get SYN+ACK packet. You
do not need any other ports, or the ability to send awkward, multiple
or otherwise suspicious packets to the remote host (unlike with NMAP).
Also note that SYN+ACK fingerprints are somewhat affected by the initial
SYN on some systems.

If you cannot establish a connection, but the remote party at least
sends you RST+ACK back ("Connection refused"), you can use RST+ mode of
p0f (-R option), but be aware this mode is inherently less accurate
and reliable, mostly because systems usually don't bother with
putting any options in those packets, and they all look very similar.

SYN+ACK fingerprinting is considered (by me) to be less accurate and
sometimes dependent on the system that initiates the connection. This is
why I put stress on developing the SYN fingerprinting capability - but
SYN+ACK database contributions and techniques are of course very welcome.

Fingerprinting on a fully established (existing) TCP connection is
currently not supported by p0f, because it is inherently less reliable,
and seldom of any use. You can, however, implement this rather easily
by tweaking the filter expression hardcoded in p0f.c and coming up with
a new fingerprint database.

What I'll be trying to do is to integrate a number of fingerprinting
techniques, currently completely separate (SYN, SYN+ACK, ACK, FIN,
RST, retransmission timing, etc) into a single solution for very
high accuracy. But this is perhaps p0f 3.0.

-------------------------------------
12. Is it better than other software?
-------------------------------------

Depends on what you need. As I said before, p0f is fast, lightweight,
low-profile. It can be integrated with other services. It has a clean and
simple code, runs as a single thread and uses very little CPU power, works
on a number of systems (Linux, BSD, Solaris and probably others), has a
pretty detailed and accurate fingerprint database. Quite frankly, I
doubt there is a program that offers better overall functionality or
accuracy when it comes to passive fingerprinting, but I would not be
surprised to be proven wrong one day. In other words, feel free to
explore other alternatives.

Of the ones I know... is it better than Siphon? Yes. Ettercap? Yes,
version 2 is better than v1-derived fingerprinting in Ettercap. Besides,
it's simply different, and intended for a different range of applications.

Version 1 of p0f did implement many novel fingerprinting metrics that were
later incorporated in other software, but so did version 2 - and others are
yet to catch up.

As to other "current" utilities, you can use masqdet by
Wojtek Kaniewski as an alternative to p0f -M mode. On the web, you can
also stumble upon "n0t" and "natdet" utilities authored by "r3b00t",
but these are just dumbed-down and inherently less reliable rip-offs
closely inspired on p0f code. Your mileage may vary, but I recommend
you to avoid them: they won't work any better.

--------------------
13. Program no work!
--------------------

Whoops. We apologize. P0f requires the following to compile and
run fine:

- libpcap 0.4 or newer
- GNU cc 2.7.x or newer
- GNU make 3.7x or newer, or BSD make
- GNU bash / awk / grep / sed / textutils (for p0frep only)

For the Windows port requirements and instructions, please read
INSTALL.Win32 file.

Not every platform is supported by p0f, and compilation problems do
happen. Please let us know if you have any problems (or, better yet,
managed to find a solution).

If you find a system that is either not recognized, or is fingerprinted
incorrectly, please do not downplay this and let us know.

Platforms known to be working fine (regression tests not done on
a regular basis, though):

- NetBSD
- FreeBSD
- OpenBSD
- MacOS X
- Linux (2.0 and up)
- Solaris (2.6 and up)
- Windows (see INSTALL.Win32)
- AIX (you need precompiled BULL libpcap)

If p0f compiles and runs, but displays "unknown datalink" or
"bad header_len" warnings, it is likely that your network interface type
is not (yet) recognized. Let us know.

-----------------------
14. Exact output format
-----------------------

Following is a brief description of the output format of p0f v2.
While it is recommended to use -Q mode for service integration, it
might be still necessary to perform log post-processing, etc.

Every line starts with an optional timestamp (enabled by -o or -t
options). The format is as follows:

<Wed Sep 24 01:14:55 2003>

The format is essentially the standard Unix date format. The next
field is mandatory and specifies the source host:

ip_address[/name]:port

The /name part is appended only if -r option is provided, and there
was a DNS record for this particular IP. Following is a ' - '
separator, and the name of the system with any additional remarks:

System_name [ version (notes) ]

The latter part is supressed by -D option. Notes usually describe
signature number or other specifics. Then, there is a number of
optional notes:

(NAT!) - the system is behind MSS-tweaking NAT
(NAT2!) - the system is behind MTU-tweaking NAT
(ECN) - ECN enabled on the remote system
(firewall!) - the system has DF cleared
\[Name\] - provider name identified as..., OR
\[tos XX\] - ToS set, but provider name not identified
\[GENERIC\] - signature is a generic one
\[FUZZY\] - fuzzy match
\* - further details inhibited for this signature
(up nnn hrs) - system uptime
(refused) - RST+ mode: valid conn. refused packet
(dropped) - RST+ mode: valid conn. dropped packet
(invalid-NN) - RST+ mode: invalid RST packet (see p0fr.fp)

If the signature is generic, or if -S option was used, the next line is:

Signature: \[signature_data\]

...where signature_data follows the standard p0f.fp notation.

If the system was not regognized, the format of the OS line is
slightly different:

UNKNOWN \[signature_data\]

Where signature data follows the standard p0f.fp notation. All
options except for GENERIC, * and (firewall!) can still follow the entry.
Signature is not repeated in the next line regardless of -S.

Unless -N is in effect, the next line is as follows:

-> dst_ip:port ([distance NN, ]link: description)

...the distance part is present only when the signature was recognized
properly. Link description is the name of the link type, or a special
keyword "unspecified", or a special value "unknown-NNNN".

The next line is present if -X mode is enabled and the packet has
a payload. The line has the following format:

# Payload: "...printable text..."

Maximum length of the text to report is defined in config.h (PKT_MAXPAY).

In -l mode, all line breaks are inhibited.


If -x is enabled (not compatible with -l), the subsequent lines are in
this format:

\[XX\] nn nn nn nn .... | AAAA...

Where XX is a hex address, nn is a hex sequence of byte values, and
AAAA is human-readable contents of the packet.

Additionally, when -M option is in effect, the data described in
section 7 may be displayed.

----------------------------------------
15. Links to OS fingerprinting resources
----------------------------------------

Recommended RFC reading:

http://www.faqs.org/rfcs/rfc793.html - TCP/IP specification
http://www.faqs.org/rfcs/rfc1122.html - TCP/IP tutorial
http://www.faqs.org/rfcs/rfc1323.html - performance extensions
http://www.faqs.org/rfcs/rfc1644.html - T/TCP extensions
http://www.faqs.org/rfcs/rfc2018.html - TCP/IP selective ACK

Practical information:

Active ICMP fingerprinting:
http://www.sys-security.com/html/papers.html

Passive OS fingerprinting basics:
http://project.honeynet.org/papers/finger/
http://www.linuxjournal.com/article.php?sid=4750

THC Amap, application fingerprinting:
http://www.thc.org/releases.php

Hmap, web server fingerprinting:
http://wwwcsif.cs.ucdavis.edu/~leed/hmap/

Fyodor's NMAP, the active fingerprinter:
http://www.nmap.org

User-Agent information:
http://www.siteware.ch/webresources/useragents/db.html

Ident fingerprinting:
http://www.team-teso.net/data/ldistfp-auth-fingerprints

Other free tools known to have passive OS fingerprinting:

http://ettercap.sourceforge.net/ - Ettercap (p0f v1)
http://prelude-ids.org - Prelude IDS (p0f v1)
http://www.w4g.org/fingerprinting.html - OpenBSD pf (p0f v2.0.1)
http://cvs.netfilter.org/~checkout~/netfilter/patch-o-matic//base/osf.patch - Linux netfilter
http://www-nrg.ee.lbl.gov/bro.html - Vern Paxson's / Holger Dreger's NIDS (p0f 2.0)

http://www.raisdorf.net/projects/pfprintd - pfprintd http://siphon.datanerds.net - Siphon (very out of date) http://members.fortunecity.com/sektorsecurity/projects/archaeopteryx.html (Siphon w/GUI) http://r3b00t.itsec.pl/ - n0t and natdet (ripped off, AFAIC) http://toxygen.net/misc/ - masqdet (NAT detection only)

相關文章
相關標籤/搜索