How To: OS Fingerprinting Using Wireshark Capture and p0f [Security] | Posted at 4:00 PM
In one of my classes this week, a project we had to do entailed analyzing a Wireshark packet capture to determine what kind of attacks were being used and to identify not only the tool being used to perform the attacks but the attacker's operating system.
I will not go into detail on how to analyze a Wireshark capture nor the specifics on operating Wireshark. I only want to show you how to use p0f (Passive OS Fingerprinting software) to analyze and spit out the signatures from a capture file.
This is specific to Windows. Chances are, if you have Linux you can probably figure out how to do it…
Here's what you need:
- Capture file (either *.cap, *.pcap). Use Wireshark to save the output.
- Windows PowerShell or Command Prompt
- p0f.exe
I will assume the capture file is in the same folder as p0f.
Open up PowerShell and navigate to your p0f directory (using the cd command).
Now just run this command to output the analyzed results to a file. To paste into PowerShell: Right-click titlebar, Edit > Paste.
&".\p0f.exe" -s attacker.pcap -o analyze.log -l
This command will execute p0f against the "attacker.pcap" (your capture file name) and output the results to a file named analyze.log.
The -s switch causes p0f to scan the capture file. The -o switch will output to a file. The -l switch will format every entry into one line.
You should open up analyze.log and look through it!
That will display the signatures p0f found (if any).
In my case, the perpetrator (192.168.0.9) was using Linux 2.4/2.6 and was using Nmap to scan the target. Keep in mind that p0f doesn't identify all Nmap scans… there were four total types in my capture but p0f just had one type.
Bonus
This command sequence works for my capture. It takes the output of the analysis, selects the pertinent information (regex), displays the matches, groups it, then displays it in a nice handy list. No need to look at the thousands of lines in analyze.log!
This may or may not work for you (PS. this is my first attempt at really trying PowerShell… so this probably sucks):
&".\p0f.exe" -s "attacker.pcap" -l | select-string "(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(:\d{1,5})? - (.*?)(?=->|$)" | %{$_.Matches} | %{$_.Value} | %{$_ -replace ":\d{1,5}", ""} | group-object | Format-table Name
It will take a few seconds depending on how large your capture is. Alternatively, just replace the call to p0f with "get-content analyze.log" if you used the above method and it will be much faster. The output will look like this:
A neat little list that will display unique signature/IP combinations.
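A longer take on the same idea, added here as an example and not the author's code: it parses p0f's one-line output into objects and groups them by source IP and OS guess, so hosts that produce more than one signature (often NAT or tool-generated packets rather than a real OS change) stand out. It assumes PowerShell 3 or later and that the line shape matches p0f's -l format; the sample lines are constructed.

```powershell
# Added example (not from the original post): parse p0f "-l" one-line output into
# objects and summarise unique source-IP / OS-guess pairs with hit counts.
# Assumes PowerShell 3+ and the p0f v2 -l line shape; the sample lines are constructed.

$sampleLog = @'
192.168.0.9:35412 - Linux 2.4/2.6 (up: 3 hrs) -> 192.168.0.5:80 (distance 0, link: ethernet/modem)
192.168.0.9:35413 - Linux 2.4/2.6 (up: 3 hrs) -> 192.168.0.5:443 (distance 0, link: ethernet/modem)
192.168.0.9:35414 - UNKNOWN [S4:64:1:60:M1460,S,T,N,W7:.:?:?] -> 192.168.0.5:22 (link: ethernet/modem)
192.168.0.5:80 - Windows XP SP1+, 2000 SP3 (up: 11 hrs) -> 192.168.0.9:35412 (distance 0, link: ethernet/modem)
'@

# One regex for the whole line: source IP (optional :port), OS guess,
# optional "(up: ...)" uptime, then the destination IP (optional :port).
$lineRegex = '^(?<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d{1,5})? - (?<os>.+?)(?: \(up: [^)]*\))? -> (?<dst>\d{1,3}(?:\.\d{1,3}){3})(?::\d{1,5})?'

function ConvertFrom-P0fLog {
    # Turn each matching log line into an object; lines that do not match are skipped.
    param([Parameter(ValueFromPipeline = $true)][string]$Line)
    process {
        if ($Line -match $lineRegex) {
            [pscustomobject]@{
                Source = $Matches['src']
                OS     = $Matches['os']
                Dest   = $Matches['dst']
            }
        }
    }
}

function Get-P0fSummary {
    # One row per unique (source IP, OS guess) pair, with hit count and targets seen.
    param([string[]]$Lines)
    $Lines | ConvertFrom-P0fLog |
        Group-Object Source, OS |
        ForEach-Object {
            [pscustomobject]@{
                Source  = $_.Group[0].Source
                OS      = $_.Group[0].OS
                Hits    = $_.Count
                Targets = ($_.Group | ForEach-Object { $_.Dest } | Sort-Object -Unique) -join ','
            }
        } | Sort-Object Source, OS
}

# Run against the constructed sample; swap in (Get-Content analyze.log) for a real run.
Get-P0fSummary -Lines ($sampleLog -split "`r?`n") | Format-Table -AutoSize
```

With the sample above, 192.168.0.9 shows up twice (a Linux 2.4/2.6 guess and an UNKNOWN signature), which is the kind of split the one-liner's grouped list also surfaces.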

Comments
Very cool, Kamran - excellent work!
Posted by: Matt
On March 10, 2010 10:12 PM
Your blog has been recommended to us as an interviewee's favorite blog!
We would like to do an interview with you about your blog for Blog Interviewer. We'd like to give you the opportunity to give us some insight on the "person behind the blog."
It would just take a few minutes of your time. The interview form can be submitted online here: Submit your interview.
Best regards,
Mike Thomas
Posted by: Mike Thomas
On March 25, 2010 7:01 AM
Seems complex, glad someone knows how to do it.
Posted by: Peter
On September 4, 2010 10:25 AM
Useful article. It looks quite complicated. I always mess up with regex.
Posted by: Traveler
On October 9, 2010 3:30 PM
This is definitely very useful. I'm doing the same project! Thanks for the insight. Glad somebody posted this.
-Josh
Posted by: Josh
On February 22, 2011 5:22 PM