What is p0f
p0f is a passive TCP/IP stack fingerprinting tool. Also known as Penetration Testing with Kali Linux (PWK)
p0f can attempt to identify the system running on machines that send network traffic to the box it is running on, or to a machine that shares a medium with the machine it is running on.
p0f can also assist in analysing other aspects of the remote system.
P0f is a tool that utilizes an array of sophisticated, purely passive traffic fingerprinting mechanisms to identify the players behind any incidental TCP/IP communications (often as little as a single normal SYN) without interfering in any way. Version 3 is a complete rewrite of the original code base, incorporating a significant number of improvements to network-level fingerprinting, and introducing the ability to reason about application-level payloads (e.g., HTTP).
Some of p0f’s capabilities include:
The tool can be operated in the foreground or as a daemon, and offers a simple real-time API for third-party components that wish to obtain additional information about the actors they are talking to.
Highly scalable and extremely fast identification of the operating system and software on both endpoints of a vanilla TCP connection – especially in settings where NMap probes are blocked, too slow, unreliable, or would simply set off alarms.
Measurement of system up-time and network hookup, distance (including topology behind NAT or packet filters), user language preferences, and so on.
Automated detection of connection sharing / NAT, load balancing, and application-level proxying setups.
Detection of clients and servers that forge declarative statements such as X-Mailer or User-Agent.
Common uses for p0f include reconnaissance during penetration tests; routine network monitoring; detection of unauthorized network interconnects in corporate environments; providing signals for abuse-prevention tools; and miscellaneous forensics.
- Author: Michal Zalewski