Security researcher Michal Zalewski has released a new version of P0f, a passive fingerprinting tool that can identify the operating systems and network setup on both ends of an Internet connection, and even unmask clients that are trying to forge part of their identity.
P0f is a free tool that Zalewski has developed to give users the ability to delve into the details of the machines on either side of a given TCP/IP connection. The tool is designed to run on a variety of platforms, including Unix, Mac OS X and Windows, and it has a number of functions that users can employ to find out what kind of machines are connecting to their system, what they’re doing and whether they’re lying about what they are.
The newest version, v3, is in release candidate form, but is available for free download from Zalewski’s site.
“P0f is a tool that utilizes an array of sophisticated, purely passive traffic fingerprinting mechanisms to identify the players behind any incidental TCP/IP communications (often as little as a single normal SYN) without interfering in any way. Version 3 is a complete rewrite of the original codebase, incorporating a significant number of improvements to network-level fingerprinting, and introducing the ability to reason about application-level payloads (e.g., HTTP),” Zalewski wrote in his announcement of the new version of P0f.
One of the more interesting features of P0f for security people is its ability to unmask remote clients that are not telling the whole truth about the systems they run. Many malicious clients and servers forge the parts of their traffic that declare what they are, such as an HTTP User-Agent or an e-mail X-Mailer header, and this is particularly common among spam mailers. Those headers are trivial to fake, but the TCP/IP stack that sends them has characteristics of its own, such as the initial TTL, the window size and the ordering of TCP options, which are much harder to fake consistently. P0f fingerprints the stack and reports what the remote machine actually appears to be, and because the analysis is purely passive, the person on the other end of the connection has no way to tell that it is happening.
Among P0f’s capabilities are:
- Measurement of system uptime and network hookup, distance (including topology behind NAT or packet filters), user language preferences, and so on.
- Automated detection of connection sharing / NAT, load balancing, and application-level proxying setups.
- Detection of clients and servers that forge declarative statements such as X-Mailer or User-Agent.
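To make the idea behind the last two items concrete, here is an added example (not p0f's own code, and not its signature database) that fingerprints a raw IPv4 TCP SYN the way a passive tool must: it reads the TTL, window size and TCP option layout, estimates hop distance from the nearest common initial TTL, looks the stack up in a small hypothetical signature table, and compares the result with the operating system the HTTP User-Agent claims. The signature entries, the `assess` API and the two SYN packets are all constructed here for the demonstration.

```python
import socket
import struct

# Illustrative signature table, NOT p0f's fingerprint database: maps
# (initial TTL, SYN window size, TCP option layout) to (OS family, version).
SIGNATURES = {
    (64, 29200, ("mss", "sackok", "ts", "nop", "wscale")): ("Linux", "3.x"),
    (128, 8192, ("mss", "nop", "wscale", "nop", "nop", "sackok")): ("Windows", "7"),
    (64, 65535, ("mss", "nop", "wscale", "nop", "nop", "ts", "sackok", "eol")): ("Mac OS X", "10.x"),
}
TCP_OPT_NAMES = {0: "eol", 1: "nop", 2: "mss", 3: "wscale", 4: "sackok", 8: "ts"}
INITIAL_TTLS = (32, 64, 128, 255)  # common OS defaults, used to estimate hop distance


def parse_syn(pkt):
    """Extract the stack-level fingerprint fields from a raw IPv4 + TCP SYN packet."""
    ihl = (pkt[0] & 0x0F) * 4
    ttl, proto = pkt[8], pkt[9]
    if proto != 6:
        raise ValueError("not TCP")
    tcp = pkt[ihl:]
    _, _, _, _, off_byte, flags, window = struct.unpack("!HHIIBBH", tcp[:16])
    if (flags & 0x12) != 0x02:  # SYN set, ACK clear
        raise ValueError("not a bare SYN")
    opts = tcp[20:(off_byte >> 4) * 4]
    layout, mss, i = [], None, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # EOL: remaining bytes are padding
            layout.append("eol")
            break
        if kind == 1:                      # NOP has no length byte
            layout.append("nop")
            i += 1
            continue
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed TCP option")
        if kind == 2 and length == 4:
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        layout.append(TCP_OPT_NAMES.get(kind, "opt%d" % kind))
        i += length
    return {"ttl": ttl, "window": window, "mss": mss, "options": tuple(layout)}


def initial_ttl(ttl):
    """Smallest common default TTL that the observed value could have started from."""
    return next((t for t in INITIAL_TTLS if ttl <= t), 255)


def declared_os(user_agent):
    """What the client *claims* to be, taken from the easily forged User-Agent string."""
    for needle, family in (("Windows", "Windows"), ("Mac OS X", "Mac OS X"),
                           ("Android", "Linux"), ("Linux", "Linux")):
        if needle in user_agent:
            return family
    return None


def assess(pkt, user_agent):
    """Compare the stack fingerprint of a SYN with the OS its HTTP client declares."""
    fp = parse_syn(pkt)
    init = initial_ttl(fp["ttl"])
    stack = SIGNATURES.get((init, fp["window"], fp["options"]))
    claimed = declared_os(user_agent)
    if stack is None or claimed is None:
        verdict = "unknown"
    elif stack[0] == claimed:
        verdict = "consistent"
    else:
        verdict = "mismatch"
    return {"distance": init - fp["ttl"], "stack_os": stack,
            "declared_os": claimed, "verdict": verdict, **fp}


def build_syn(ttl, window, options, src="192.0.2.10", dst="198.51.100.5"):
    """Construct a sample SYN (test data for this demo, not captured traffic)."""
    enc = {"eol": b"\x00", "nop": b"\x01", "mss": b"\x02\x04\x05\xb4",
           "wscale": b"\x03\x03\x07", "sackok": b"\x04\x02",
           "ts": b"\x08\x0a" + b"\x00\x01\x02\x03" + b"\x00" * 4}
    opts = b"".join(enc[o] for o in options)
    opts += b"\x00" * (-len(opts) % 4)            # pad header to 32-bit words
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, ((20 + len(opts)) // 4) << 4,
                      0x02, window, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, ttl, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


# Constructed samples: a Linux stack seven hops away whose client claims to be
# a Windows browser, and a Windows 7 stack whose User-Agent agrees with its stack.
SAMPLES = [
    (build_syn(57, 29200, ("mss", "sackok", "ts", "nop", "wscale")),
     "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36"),
    (build_syn(119, 8192, ("mss", "nop", "wscale", "nop", "nop", "sackok")),
     "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36"),
]

if __name__ == "__main__":
    for pkt, ua in SAMPLES:
        r = assess(pkt, ua)
        print("%-10s stack=%s declared=%s distance=%d hops" %
              (r["verdict"], r["stack_os"], r["declared_os"], r["distance"]))
```

The first sample is flagged as a mismatch: the SYN looks like a Linux stack, but the User-Agent says Windows, which is the pattern a spam bot or scraper hiding behind a browser identity produces. The hop-distance estimate relies on the sender using one of the common initial TTLs, so a NAT gateway, a proxy or a middlebox that rewrites TTLs will skew it, and a real tool needs a far larger and better-maintained signature table than the three entries used here.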
Zalewski says some work remains on the new version and is soliciting help from anyone interested in improving the tool. In particular, he is looking for TCP signatures from unusual platforms, as well as more TCP SYN and ACK signatures.