p0f – Advanced Passive OS Fingerprinting Tool


Ah, can’t believe I haven’t posted about this one before; it’s one of my favourite tools! It was a big breakthrough to have a passive OS-fingerprinting tool after relying on Nmap and Xprobe2 for the longest time.

OS fingerprinting is a very important part of a pen-test during the information gathering stage.

P0f v2 is a versatile passive OS fingerprinting tool. P0f can identify the operating system on:

  • machines that connect to your box (SYN mode),
  • machines you connect to (SYN+ACK mode),
  • machines you cannot connect to (RST+ mode),
  • machines whose communications you can observe.

P0f can also do many other tricks, and can detect or measure the following:

  • firewall presence, NAT use (useful for policy enforcement),
  • existence of a load balancer setup,
  • the distance to the remote system and its uptime,
  • other guy’s network hookup (DSL, OC3, avian carriers) and his ISP.

All this even when the device in question is behind an overzealous packet firewall, when our favourite active scanner can’t do much. P0f does not generate ANY additional network traffic, direct or indirect. No name lookups, no mysterious probes, no ARIN queries, nothing. How? It’s simple: magic. Find out more here.
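To make the passive idea concrete, here is an added example that is not p0f’s code and does not use p0f’s fingerprint database: the signature table, the option layouts and the sample packets are all constructed for illustration. It parses a raw IPv4 + TCP SYN the way a SYN-mode observer would, pulls out the fields passive fingerprinters key on (TTL, DF bit, window, MSS, TCP option order), estimates the hop distance from the TTL, and matches the result against the tiny table. Nothing is sent on the wire; the packets are assembled in memory.

```python
import struct

# Constructed signature table for this demo. These are NOT p0f's real
# signatures; they only illustrate the shape of a passive fingerprint
# (initial TTL, DF bit, TCP option order).
SIGNATURES = [
    {"label": "Linux-like (constructed)", "ittl": 64, "df": True,
     "options": ("mss", "sackOK", "ts", "nop", "wscale")},
    {"label": "Windows-like (constructed)", "ittl": 128, "df": True,
     "options": ("mss", "nop", "wscale", "nop", "nop", "sackOK")},
]

TCP_OPTION_NAMES = {0: "eol", 1: "nop", 2: "mss", 3: "wscale", 4: "sackOK", 8: "ts"}


def parse_tcp_options(raw):
    """Walk TCP option bytes; return (option kinds in order, MSS or None)."""
    names, mss, i = [], None, 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # end of option list
            names.append("eol")
            break
        if kind == 1:                      # single-byte NOP
            names.append("nop")
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated TCP option")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("malformed TCP option length")
        names.append(TCP_OPTION_NAMES.get(kind, "opt%d" % kind))
        if kind == 2 and length == 4:
            mss = struct.unpack("!H", raw[i + 2:i + 4])[0]
        i += length
    return tuple(names), mss


def parse_syn(pkt):
    """Pull the passive-fingerprint fields out of a raw IPv4 + TCP SYN packet."""
    if len(pkt) < 40:
        raise ValueError("too short for IPv4 + TCP headers")
    ver_ihl, _, _, _, flags_frag, ttl, proto, _, _, _ = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or proto != 6 or len(pkt) < ihl + 20:
        raise ValueError("not an IPv4/TCP packet")
    _, _, _, _, off_res, flags, window, _, _ = struct.unpack("!HHIIBBHHH", pkt[ihl:ihl + 20])
    if not (flags & 0x02) or (flags & 0x10):
        raise ValueError("not a bare SYN (SYN mode only)")
    data_offset = (off_res >> 4) * 4
    if data_offset < 20 or len(pkt) < ihl + data_offset:
        raise ValueError("bad TCP data offset")
    options, mss = parse_tcp_options(pkt[ihl + 20:ihl + data_offset])
    return {"ttl": ttl, "df": bool(flags_frag & 0x4000), "window": window,
            "mss": mss, "options": options}


def guess_initial_ttl(ttl):
    """Assume the sender started from the nearest common initial TTL above the observed one."""
    for candidate in (32, 64, 128, 255):
        if ttl <= candidate:
            return candidate
    raise ValueError("TTL out of range")


def fingerprint(pkt):
    """Classify a SYN against the constructed table and estimate hop distance."""
    fields = parse_syn(pkt)
    ittl = guess_initial_ttl(fields["ttl"])
    label = "unknown"
    for sig in SIGNATURES:
        if (sig["ittl"], sig["df"], sig["options"]) == (ittl, fields["df"], fields["options"]):
            label = sig["label"]
            break
    return {"label": label, "ittl": ittl, "distance": ittl - fields["ttl"], **fields}


def build_syn(ttl, df, window, options):
    """Assemble a constructed IPv4 + TCP SYN for the demo (checksums zero; never sent)."""
    options += b"\x00" * ((-len(options)) % 4)   # pad to a 32-bit boundary
    tcp_len = 20 + len(options)
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, (tcp_len // 4) << 4, 0x02, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 1, 0x4000 if df else 0,
                     ttl, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp


# Constructed sample SYNs: option bytes chosen to match the table above.
LINUX_OPTS = b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x08\x0a" + b"\x00" * 8 + b"\x01" + b"\x03\x03\x07"
WINDOWS_OPTS = b"\x02\x04\x05\xb4" + b"\x01" + b"\x03\x03\x08" + b"\x01\x01" + b"\x04\x02"
SAMPLE_LINUX = build_syn(ttl=52, df=True, window=29200, options=LINUX_OPTS)      # 12 hops away
SAMPLE_WINDOWS = build_syn(ttl=119, df=True, window=8192, options=WINDOWS_OPTS)  # 9 hops away

if __name__ == "__main__":
    for name, pkt in (("linux", SAMPLE_LINUX), ("windows", SAMPLE_WINDOWS)):
        print(name, fingerprint(pkt))
```

The distance estimate is the part worth noticing: because the observer only sees the TTL as it arrives, it has to assume which common starting value (32, 64, 128 or 255) the sender used, and the gap between that and the observed TTL is the hop count. That is exactly why a stack configured to start from an unusual TTL, or a middlebox that rewrites it, throws off this kind of guess; a real tool carries many more fields (window-to-MSS ratios, timestamps, quirks in reserved bits) to stay robust.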

P0f is quite useful for gathering all kinds of profiling information about your users, customers or attackers (IDS, honeypot, firewall), tech espionage (laugh…), active or passive policy enforcement (restricting access for certain systems or otherwise handling them differently; or detecting guys with illegal network hookups using masquerade detection), content optimization, pen-testing (especially with SYN+ACK and RST+ACK modes), thru-firewall fingerprinting… plus all the tasks active fingerprinting is suitable for. And, of course, it has a high coolness factor, even if you are not a sysadmin.

P0f v2 is lightweight, secure and fast enough to be run almost anywhere, hands-free for an extended period of time.

You can download p0f v2 here:

p0f.tgz
p0f for Windows

Or read more here.

Posted in: Hacking Tools, Networking Hacking Tools


8 Responses to p0f – Advanced Passive OS Fingerprinting Tool

  1. navin October 13, 2008 at 2:04 pm #

    Nice!! esp the agility and size (windows version is only 58 KB in size!!) It’s like Robin when nmap is Batman

  2. elpeor October 13, 2008 at 3:46 pm #

    It is nice, I just ran it on eth0 with mldonkey working and I got the OS of all connections..
    It gets 99% of OS guesses, just some it does not know what OS they use.
    funny!

  3. Lepht October 14, 2008 at 3:36 pm #

    “It’s like Robin when Nmap is Batman”

    absofuckinglutely.

  4. navin October 14, 2008 at 9:41 pm #

    “absofuckinglutely.” -Adding that to my list of “favoritest” words!!

  5. Pantagruel October 25, 2008 at 9:49 am #

    Indeed funny you never covered p0f before, it did get mentioned a few times in other posts.

    p0f appears to be more of a tooth pick compared to the swiss army knife Nmap ;)

  6. akito85 October 27, 2008 at 11:55 pm #

    I’ve never heard about this tool before, I’m gonna give a try to this new knife :P

    thanks for the info

  7. backbone October 28, 2008 at 1:28 am #

    @Pantagruel:
    swiss army knife – netcat
    nmap – John Rambo’s knife :)

  8. razta November 3, 2008 at 12:42 am #

    IronGeek made an app for Windows which apparently in most cases cloaks OS fingerprinting. Looks like it’s quite effective against p0f, and I’m sure you can edit the TCP/IP in Linux without the help of any apps. However it’s quite a cool concept and apparently works.

    http://www.irongeek.com/i.php?page=security/osfuscate-change-your-windows-os-tcp-ip-fingerprint-to-confuse-p0f-networkminer-ettercap-nmap-and-other-os-detection-tools