
How To: OS Fingerprinting Using Wireshark Capture and p0f [Security] | Posted at 4:00 PM

In one of my classes this week, a project had us analyze a Wireshark packet capture to determine what kinds of attacks were being used and to identify not only the tool used to perform them but also the attacker's operating system.

I will not go into detail on how to analyze a Wireshark capture, nor on the specifics of operating Wireshark. I only want to show you how to use p0f (passive OS fingerprinting software) to analyze a capture file and print out the signatures it finds.

This is specific to Windows. Chances are, if you have Linux you can probably figure out how to do it…

Here's what you need:

  1. A capture file (*.cap or *.pcap). Use Wireshark to save the capture.
  2. Windows PowerShell or Command Prompt
  3. p0f.exe

I will assume the capture file is in the same folder as p0f.


Open up PowerShell and navigate to your p0f directory (using the cd command).


Now run this command to write the analyzed results to a file. To paste into PowerShell: right-click the title bar, then Edit > Paste.

&".\p0f.exe" -s attacker.pcap -o analyze.log -l

This command runs p0f against "attacker.pcap" (substitute your capture file name) and writes the results to a file named analyze.log.

The -s switch makes p0f read from the capture file instead of sniffing a live interface. The -o switch writes the output to a file. The -l switch formats every entry on a single line, which makes the log much easier to grep or parse later.

Open analyze.log and look through it: it lists the signatures p0f found (if any).


In my case, the perpetrator (192.168.0.9) was running Linux 2.4/2.6 and was using Nmap to scan the target. Keep in mind that p0f doesn't identify all Nmap scans: there were four scan types in my capture, but p0f only flagged one of them.

Bonus

This command sequence works for my capture. It takes the output of the analysis, pulls out the pertinent information with a regex (source IP and signature), strips the port numbers, groups the matches, and then displays them as a handy list. No need to read through the thousands of lines in analyze.log!

This may or may not work for you (PS. this is my first attempt at really trying PowerShell… so this probably sucks):

&".\p0f.exe" -s "attacker.pcap" -l | select-string "(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(:\d{1,5})? - (.*?)(?=->|$)" | %{$_.Matches} | %{$_.Value} | %{$_ -replace ":\d{1,5}", ""} | group-object | Format-table Name

It will take a few seconds depending on how large your capture is. Alternatively, replace the call to p0f with "get-content analyze.log" if you used the method above and it will be much faster, since p0f does not have to re-read the capture. The output will look like this:

(screenshot: PowerShell to the rescue)

A neat little list that displays the unique signature/IP combinations.
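As an added example (not code from the original post), here is the same idea carried a bit further in PowerShell: parse p0f's one-line output into objects, then summarize per source host and signature with a hit count, the number of distinct targets, and a flag for entries whose signature text names a scanner. The sample log lines are constructed to mimic the p0f 2.x -l format described above and are not from the author's capture; the function names ConvertFrom-P0fLog and Get-P0fSummary are my own, and the assumption that scanner probes carry "NMAP" in the signature text is exactly that, an assumption to adjust against your own analyze.log.

```powershell
# Constructed sample in the shape of p0f 2.x one-line (-l) output.
# Replace with: $lines = Get-Content .\analyze.log
$sampleLog = @'
192.168.0.9:41234 - Linux 2.4/2.6 (up: 3 hrs) -> 192.168.0.5:80 (distance 0, link: ethernet/modem)
192.168.0.9:41235 - Linux 2.4/2.6 (up: 3 hrs) -> 192.168.0.5:443 (distance 0, link: ethernet/modem)
192.168.0.9:41240 - NMAP OS detection probe (1) -> 192.168.0.5:22 (distance 0, link: ethernet/modem)
192.168.0.12:3456 - Windows XP SP1+, 2000 SP3 -> 192.168.0.5:80 (distance 0, link: ethernet/modem)
192.168.0.9:41241 - NMAP OS detection probe (1) -> 192.168.0.5:23 (distance 0, link: ethernet/modem)
'@

function ConvertFrom-P0fLog {
    # Turn each p0f line into an object with Source, Signature and Destination.
    # The pattern follows the post's regex but uses named groups and also
    # captures the destination host after the "->".
    param([string[]]$Lines)

    $pattern = '^(?<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d{1,5})? - (?<sig>.*?) -> (?<dst>\d{1,3}(?:\.\d{1,3}){3})(?::\d{1,5})?'
    foreach ($line in $Lines) {
        $m = [regex]::Match($line, $pattern)
        if (-not $m.Success) { continue }   # skip banner/status lines p0f prints
        [pscustomobject]@{
            Source      = $m.Groups['src'].Value
            Signature   = $m.Groups['sig'].Value.Trim()
            Destination = $m.Groups['dst'].Value
        }
    }
}

function Get-P0fSummary {
    # Group by (Source, Signature) so one host running two OS fingerprints
    # (or an OS plus scanner probes) shows up as separate rows.
    param([string[]]$Lines)

    ConvertFrom-P0fLog -Lines $Lines |
        Group-Object Source, Signature |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                Source    = $first.Source
                Signature = $first.Signature
                Hits      = $_.Count
                Targets   = ($_.Group.Destination | Sort-Object -Unique).Count
                # Assumption: scanner probe signatures contain "NMAP" in the text.
                Scanner   = ($first.Signature -match 'NMAP')
            }
        } |
        Sort-Object Source, Signature
}

$lines = $sampleLog -split "`r?`n"
Get-P0fSummary -Lines $lines | Format-Table -AutoSize
```

With the constructed sample this produces three rows: one for the Windows host, and two for 192.168.0.9 (the Linux 2.4/2.6 fingerprint with two hits, and the NMAP probe signature with two hits and Scanner set to True). Against a real capture, a host that appears with both an OS fingerprint and a scanner signature is the one to look at first, which is the same conclusion the post reaches by eye.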

Filed Under: How To, Technology, Tips and Tricks

Comments

Very cool, Kamran - excellent work!

Your blog has been recommended to us as an interviewee's favorite blog!

We would like to do an interview with you about your blog for Blog Interviewer. We'd like to give you the opportunity to give us some insight on the "person behind the blog."

It would just take a few minutes of your time. The interview form can be submitted online here: Submit your interview.

Best regards,

Mike Thomas

Seems complex, glad someone knows how to do it.

Useful article. It looks quite complicated. I always mess up with regex.

This is definitely very useful. I'm doing the same project! Thanks for the insight. Glad somebody posted this.

-Josh


About the Author

Kamran
Divide by Zero is Kamran Ayub's personal blog. Kamran owns and operates Intrepid Studios, a web design and development firm based in Minneapolis. Despite the above picture, Kamran is usually an intelligent person. Please forgive him.
