CLI Magic: p0f

This week’s CLI Magic will be a little different from the norm. It’s still about magic happening at the command line, but this time it’s magic from the dark side. P0f is a passive OS fingerprint tool written by The Evil Twin, a.k.a. Michal Zalewski. Don’t worry, we won’t be doing anything illegal, just making our own personal version of Netcraft’s “What’s that site running?” survey.In order to compile p0f, you’ll need to have libpcap installed from source in order to be sure the required header files are present.

Once you have libpcap installed, you’re ready to tackle p0f. Download the tarball and decompress it, then enter the p0f subdirectory you’ve just created. Assuming that you’re running Linux — you are running Linux, right? — enter the following command to copy the appropriate Makefile into the proper directory:


cp mk/Linux Makefile


Next, type make to start the compile. It didn’t work the first time I tried it, because p0f was looking for bpf.h in the wrong place. When I installed libpcap, bfp.h ended up in the /usr/include directory, and was named pcap-bpf.h. p0f, on the other hand, was looking for bpf.h in /usr/include/net without the pcap- prefix. There are a number of ways to resolve the problem. I just created the /net subdirectory p0f was looking for and copied pcap-bpf.h there as bpf.h. That allowed make to run to a successful creation. The last step was to run make install as root.

In its default mode, p0f attempts to fingerprint the source of all incoming connections. As suggested by the name, it does its magic passively, without introducing additional traffic on the network. But it can also be run in other modes: one will attempt to fingerprint machines that you connect to, and another will work on all existing connections, regardless of who initiated the session.

Quoting from p0f’s README file:

P0f is rather easy to use. There’s a number of options, but you don’t need to know most of them for normal operation:


p0f [ -f file ] [ -i device ] [ -s file ] [ -o file ] [ -Q socket ] [ -w file ] [ -u user ] [ -c size ] [ -T nn ] [ -FNODVUKAXMqxtpdlRL ] [ 'filter rule' ]


For our purposes in building a personal “What’s that site running” tool, we’ll need to know only a few options and modes.

In addition to telling p0f that we want it to fingerprint sites that we connect to by using the -A argument, we can also keep a log of what p0f identifies by using the -o logfilename option. So as root, we enter this:


# /usr/sbin/p0f -o whatsthatsite.txt -A

And p0f responds with this:


p0f - passive os fingerprinting utility, version 2.0.6b1p1
(C) M. Zalewski , W. Stearns
p0f: listening (SYN+ACK) on 'eth0', 57 sigs (1 generic), rule: 'all'.


Now we need to visit the site we’re interested in. Let’s start with Linux.com, using a new terminal window while we leave p0f running in the first one. If you have a text-based browser such as lynx installed, enter lynx www.linux.com. When it loads, enter Q to quit, and Y to confirm. Then enter cat whatsthatsite.txt.

On my system, the result was about a half dozen entries like this one:


66.35.250.177:80 - Linux recent 2.4 (1) (up: 7988 hrs)
-> 192.168.0.101:51036 (distance 16, link: ethernet/modem)


Which — for the remote site — breaks down to a datetime stamp, an IP address and port,
the results of P0f’s fingerprint tests, and the length of time the system has been up. Now let’s see if it works on other sites. I tried www.forbes.com next, then www.microsoft.com. Then I took another peek at the whatsthatsite log. It said:


63.240.4.179:80 - Linux recent 2.4 (1) (up: 485 hrs)
-> 192.168.0.101:47237 (distance 18, link: ethernet/modem)


What’s this? Forbes is running Linux? My, my, my. The running dog capitalist site is getting downright chummy with those nasty communist coders of the free software movement. Now let’s see what p0f had to say about Microsoft:


207.46.225.60:80 - UNKNOWN
[16384:113:0:64:M1460,N,W0,N,N,T0,N,N,S:A:?:?]
-> 192.168.0.101:48438 (link: ethernet/modem)


This result made me curious, so I asked Michal Zalewski what it was all about. He replied:

Microsoft’s website is actually hosted by Akamai on their proprietary platform that has nothing to do with Windows. Since p0f ACK signature set is relatively humble (as noted in p0fa.fp and README), it does not include the most recent version of Akamai accelerators.

As usual, we’ve only scratched the surface. I recommend that you read the docs that come with p0f completely, even if you never intend to use it. Why? Because there are people using it and similar tools all the time, sometimes for nefarious purposes.

As the README states, p0f is actually more suited for things like profiling, espionage, policy enforcement, penetration testing, and bypassing firewalls than it is simply for amusement. The more you know about it and its capabilities, the better chance you have of maintaining your own security.