SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2014-06-04

p0f, Got Packets?

Published: 2014-06-04
Last Updated: 2014-06-05 14:24:22 UTC
by Richard Porter (Version: 2)
2 comment(s)

p0f has been discussed from time to time in our diary posts [1], [2], and I thought it worth bringing the tool up again. There is a fully updated version [3] that has some additional features and appears to be actively maintained again (hooray!). With that, there are some great things we can revisit with the new and improved tool.

In the interest of the 'power' of sharing, off to the "Inter-Tubes" for data: "Data, Data, Data"... Here at the Internet Storm Center we have a saying, "Got Packets?" Well, in the interest of giving back, check out http://www.netresec.com/?page=PcapFiles as a jumping-off point for gigs and gigs worth of packets. Your mileage on the links may vary, as some pcaps are no longer available. Be careful as always; some of that stuff may hurt :)

Checking what version is loaded (3.06b), and "to the command line, Batman", let us first take a look at some simple protocol traffic. Mine is a capture from a ... location ... *hint_35K_feet*. If you want to look at other PCAPs that can be run through the tool, check out references [4], [5], [6] (and I am sure there are others out there; please add them in the comments).

We run p0f -r ./ and get some results. Let's go over the normal stuff first, then get to the good stuff.

[Figure 1: p0f output for the captured host; image not available]

As you can see in Figure 1, we can tell a lot about this host: its uptime, the FREQ (TCP timestamp clock rate) of the host, probably a Wi-Fi iType device, likely a MacBook Pro (I have the inside scoop on that; it's me :).

For the more interesting part, we have to scroll back up a bit, and what do we find?

According to the readme found at http://lcamtuf.coredump.cx/p0f3/README, this information is also available via an API. Just another tool in the analyst's belt.
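As an added example (not code from the diary or from the p0f project), here is a minimal Python client for the p0f 3.x API socket that the README describes: it packs a p0f_api_query, reads a complete p0f_api_response from the Unix socket that `p0f -s` listens on, and checks the length and magic before trusting any field. The socket path is an assumption, and the sample reply is constructed, not real p0f output.

```python
import socket
import struct
from ipaddress import ip_address

# Constants from p0f 3.x api.h (P0F_QUERY_MAGIC, P0F_RESP_MAGIC, P0F_STATUS_*).
QUERY_MAGIC, RESP_MAGIC = 0x50304601, 0x50304602
STATUS = {0x00: "bad query", 0x10: "ok", 0x20: "no match"}
QUERY_FMT = "=IB16s"                      # native order, no padding (packed C struct)
RESP_FMT = "=" + "I" * 9 + "hBB" + "32s" * 6   # 9 x u32, s16, 2 x u8, 6 x char[32]
RESP_LEN = struct.calcsize(RESP_FMT)      # 232 bytes
FIELDS = ("magic status first_seen last_seen total_conn uptime_min up_mod_days "
          "last_nat last_chg distance bad_sw os_match_q os_name os_flavor "
          "http_name http_flavor link_type language").split()

def build_query(ip: str) -> bytes:
    """Encode a p0f_api_query; addr_type is 4 or 6, address left-aligned, zero-padded."""
    addr = ip_address(ip)
    return struct.pack(QUERY_FMT, QUERY_MAGIC, addr.version, addr.packed.ljust(16, b"\0"))

def parse_response(data: bytes) -> dict:
    """Decode a p0f_api_response; reject short reads and wrong magic instead of guessing."""
    if len(data) != RESP_LEN:
        raise ValueError(f"expected {RESP_LEN} bytes, got {len(data)}")
    f = dict(zip(FIELDS, struct.unpack(RESP_FMT, data)))
    if f["magic"] != RESP_MAGIC:
        raise ValueError("bad response magic 0x%08x" % f["magic"])
    for k, v in f.items():                # NUL-terminated C strings -> str
        if isinstance(v, bytes):
            f[k] = v.split(b"\0", 1)[0].decode("ascii", "replace")
    f["status"] = STATUS.get(f["status"], "unknown")
    return f

def query_p0f(ip: str, sock_path: str = "/var/run/p0f.sock") -> dict:
    """Ask a running `p0f -s SOCK` about one address. The socket path is an assumption."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(build_query(ip))
        buf = b""
        while len(buf) < RESP_LEN:        # a stream socket may return a partial read
            chunk = s.recv(RESP_LEN - len(buf))
            if not chunk:
                raise ValueError("p0f closed the socket before a full response")
            buf += chunk
    return parse_response(buf)

def sample_response() -> bytes:
    """Constructed reply (not real p0f output) so the parser can be exercised offline."""
    strs = [b"Mac OS X", b"10.9", b"", b"", b"Ethernet or modem", b""]
    return struct.pack(RESP_FMT, RESP_MAGIC, 0x10, 1401865200, 1401868800, 42,
                       1555, 49, 0, 0, 1, 0, 0, *strs)
```

Running `parse_response(sample_response())` shows the same fields the text output prints (OS, uptime, link type), in a form a script can act on.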

For fun, I downloaded a CTF PCAP from iCTF [8] and ran it through p0f to see what it could find.

References:
[1] https://isc.sans.edu/forums/diary/p0f+spam+detection+and+OOF+e-mails/2912
[2] https://isc.sans.edu/diary/Passive+Scanning+Two+Ways+-+How-Tos+for+the+Holidays/17246
[3] http://lcamtuf.coredump.cx/p0f3/
[4] http://www.netresec.com/?page=PcapFiles
[5] https://www.defcon.org/html/links/dc-torrent.html
[6] http://terasaur.org/item/downloads/computer-forensics-2009-m57-scenario/187
[7] https://www.evilfingers.com/repository/pcaps.php
[8] https://ictf.cs.ucsb.edu/data/ictf2009/


Richard Porter

--- ISC Handler on Duty
