Perimeter
2/3/2012
02:19 PM
John H. Sawyer
John H. Sawyer
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Passive Network Fingerprinting; p0f Gets Fresh Rewrite

Passive network analysis can reveal OS, service, and even vulnerabilities -- just by sniffing the network

In the network security world, nmap is the king for fingerprinting systems and services over the network. It can help identify the operating system (OS), type, and version of a network service, and vulnerabilities that might be present. The problem with nmap is that it generates a lot of "noise" when it performs those activities because it has to send out packets to the system in question to learn more about it. Nmap is an example of an active fingerprinting tool.

There are less noisy alternatives to nmap that fall into the passive fingerprinting category. Instead of actively sending packets to a host and service, they passively analyze network traffic to identify unique characteristics for particular operating systems, client applications, and network services. Their strength is based on the breadth of their signature database, which is not always great. To date, the majority of free and open-source passive fingerprinting tools have focused on OS fingerprinting

Passive fingerprinting can go way beyond just identifying the operating system. Web and mail servers often give up more information than necessary when communicating with clients, and in general, as long as that traffic is unique and can be sniffed, a fingerprint can be created to identify it. The same goes for Web browsers, email clients, and any other application that communicates over the network. Often their version numbers are passed as part of their communications with servers. Tie that version information with a vulnerability database and vulnerable systems can start being identified without ever interacting with the system.

To date, PRADS is the one of the few open-source tools I've found that currently includes fingerprinting additional things like services; however, Michal Zalewski announced on Jan. 10 the availability of p0f v3, which includes the ability to fingerprint TCP services. This is the first release in about six years and is a complete rewrite. This new version currently supports HTTP response and request signatures, but additional protocols are expected to be added in the future.

The obvious difficulty with passive fingerprinting is the need to sniff the traffic, but if you're just monitoring traffic between yourself and another system, that's not an issue. In larger environments, you'll want to leverage a mirror port on a network switch or a network tap in order to see as much traffic as possible. The cool thing about p0f is that it can help find NAT devices in large environments where you might have users plugging in wireless routers.

There's a lot of value and fun that can be had through passive fingerprinting. I'll be discussing it more in the future as I start working on a project specific to mobile devices and application fingerprinting. For a quick preview and review on passive fingerprinting, check out my FireTalk, "Passive Aggressive Pwnage," at ShmooCon 2012.

John Sawyer is a Senior Security Analyst with InGuardians. The views and opinions expressed in this blog are his own and do not represent the views and opinions of his employer. He can be reached at johnhsawyer@gmail.com and found on Twitter @johnhsawyer.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7877
Published: 2014-10-30
Unspecified vulnerability in the kernel in HP HP-UX B.11.31 allows local users to cause a denial of service via unknown vectors.

CVE-2014-3051
Published: 2014-10-29
The Internet Service Monitor (ISM) agent in IBM Tivoli Composite Application Manager (ITCAM) for Transactions 7.1 and 7.2 before 7.2.0.3 IF28, 7.3 before 7.3.0.1 IF30, and 7.4 before 7.4.0.0 IF18 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof s...

CVE-2014-3668
Published: 2014-10-29
Buffer overflow in the date_from_ISO8601 function in the mkgmtime implementation in libxmlrpc/xmlrpc.c in the XMLRPC extension in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) via (1) a crafted first argument t...

CVE-2014-3669
Published: 2014-10-29
Integer overflow in the object_custom function in ext/standard/var_unserializer.c in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an argument to the unserialize function ...

CVE-2014-3670
Published: 2014-10-29
The exif_ifd_make_value function in exif.c in the EXIF extension in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 operates on floating-point arrays incorrectly, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly exec...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.