p0f的包装说明

p0f的是利用复杂的，纯粹被动流量指纹机制的阵列，以确定后面任何附带的TCP / IP通信的播放器（经​​常低至单个正常SYN）不会干扰以任何方式的工具。第3版是原代码库的一个完全重写，结合了显著一些改进网络级的指纹，并推出推理应用级负载（如HTTP）的能力。 一些p0f的的功能包括：

• Highly scalable and extremely fast identification of the operating system and software on both endpoints of a vanilla TCP connection – especially in settings where NMap probes are blocked, too slow, unreliable, or would simply set off alarms.
• Measurement of system uptime and network hookup, distance (including topology behind NAT or packet filters), user language preferences, and so on.
• Automated detection of connection sharing / NAT, load balancing, and application-level proxying setups.
• Detection of clients and servers that forge declarative statements such as X-Mailer or User-Agent. The tool can be operated in the foreground or as a daemon, and offers a simple real-time API for third-party components that wish to obtain additional information about the actors they are talking to. Common uses for p0f include reconnaissance during penetration tests; routine network monitoring; detection of unauthorized network interconnects in corporate environments; providing signals for abuse-prevention tools; and miscellanous forensics. Source: http://lcamtuf.coredump.cx/p0f3/

p0f Homepage | Kali p0f Repo

• Author: Michal Zalewski
• License: LGPL-2

  0x01 Tools included in the p0f package

  p0f – Passive OS fingerprinting tool

  :~# p0f -h
  --- p0f 3.06b by Michal Zalewski <
  > ---
  ./p0f: invalid option -- 'h'
  Usage: p0f [ ...options... ] [ 'filter rule' ]
  Network interface options:
  -i iface  - listen on the specified network interface
  -r file   - read offline pcap data from a given file
  -p        - put the listening interface in promiscuous mode
  -L        - list all available interfaces
  Operating mode and output settings:
  -f file   - read fingerprint database from 'file' (p0f.fp)
  -o file   - write information to the specified log file
  -s name   - answer to API queries at a named unix socket
  -u user   - switch to the specified unprivileged account and chroot
  -d        - fork into background (requires -o or -s)
  Performance-related options:
  -S limit  - limit number of parallel API connections (20)
  -t c,h    - set connection / host cache age limits (30s,120m)
  -m c,h    - cap the number of active connections / hosts (1000,10000)
  Optional filter expressions (man tcpdump) can be specified in the command
  line to prevent p0f from looking at incidental network traffic.
  Problems? You can reach the author at <
  >.
  

  0x02 p0f Usage Example

  Use interface eth0 (-i eth0) in promiscuous mode (-p) , saving the results to a file (-o /tmp/p0f.log) :

  :~# p0f -i eth0 -p -o /tmp/p0f.log
  --- p0f 3.07b by Michal Zalewski <
  > ---
  [+] Closed 1 file descriptor.
  [+] Loaded 320 signatures from 'p0f.fp'.
  [+] Intercepting traffic on interface 'eth0'.
  [+] Default packet filtering configured [+VLAN].
  [+] Log file '/tmp/p0f.log' opened for writing.
  [+] Entered main event loop.
  .-[ 192.168.1.15/35834 -> 173.246.39.185/873 (syn) ]-
  |
  | client   = 192.168.1.15/35834
  | os       = Linux 2.2.x-3.x
  | dist     = 0
  | params   = generic
  | raw_sig  = 4:64+0:0:1460:mss*20,10:mss,sok,ts,nop,ws:df,id+:0
  

  原文来自:https://www.hackfun.org/kali-tools/p0f_zh.html。转载请注明原出处，商用请联系原作者授权。