
p0f – Passive Traffic Analysis OS Fingerprinting and Forensics Tool

OS Fingerprinting and Forensics

According to Kali, P0f is a tool that utilizes an array of sophisticated, purely passive traffic fingerprinting mechanisms to identify the players behind any incidental TCP/IP communications (often as little as a single normal SYN) without interfering in any way.

Version 3 is a complete rewrite of the original codebase, incorporating a significant number of improvements to network-level fingerprinting, and introducing the ability to reason about application-level payloads.

Some of p0f’s capabilities include:

  • Highly scalable and extremely fast identification of the operating system and software on both endpoints of a vanilla TCP connection – especially in settings where Nmap probes are blocked, too slow, unreliable, or would simply set off alarms.
  • Measurement of system uptime and network hookup, distance (including topology behind NAT or packet filters), user language preferences, and so on.
  • Automated detection of connection sharing / NAT, load balancing, and application-level proxying setups.
  • Detection of clients and servers that forge declarative statements such as X-Mailer or User-Agent.

Common uses for p0f include reconnaissance during penetration tests; routine network monitoring; detection of unauthorized network interconnects in corporate environments; providing signals for abuse-prevention tools; and miscellaneous forensics.

Step 1:

Start Kali and open p0f 3.0 from the Kali tool list.

Kali Linux -> Forensics -> Network Forensics -> p0f.

Alternatively, open the tool from a terminal by typing: p0f -i eth0 -l

Step 3:

To launch p0f, use this command:

p0f -i eth0 -p -o /tmp/p0f.log

This listens on interface eth0 (-i eth0), puts the interface in promiscuous mode (-p), and saves the results to a file (-o /tmp/p0f.log).

Step 4:

Open your browser and browse to the target server (e.g. www.google.com). You will see the active connection appear live in the p0f window.

Once the connection is established, your client communicates with the server. In the image below, p0f identifies the IP addresses: my client IP ( ) established a connection with the target web server ( ) on port 443.

Here we get some valuable OS fingerprint information: the client is a Linux machine.

We can test this with different client operating systems.

Step 5:

p0f for Forensics

As a final test, we run p0f on our interface and use it for forensics on a compromised system or a system under attack.

My Kali system was connected to an unknown IP ( ) on port 443.

In the screenshot above, p0f identifies the unknown IP as a server running Windows, 0 hops away.

We can also see the connection uptime: 5 min since it was established with the server.

I can see that my system connected from my port 53088 to its port 443 and that this server has been up over 198 straight days.
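The forensic reading above (which endpoint is which, its OS guess, its distance in hops and its uptime) can also be pulled from the log that the -o option writes, instead of from screenshots. The following parser is an added example, not part of the original article or of p0f itself; it assumes p0f 3's documented log layout (a bracketed timestamp followed by pipe-separated key=value fields) and runs over a handful of constructed sample lines with made-up addresses.

```python
import re
from collections import defaultdict

# Constructed sample of p0f 3 "-o" log lines. Addresses, ports and
# timestamps are made up; the field layout follows the p0f 3 log format.
SAMPLE_LOG = """\
[2024/01/04 10:26:14] mod=syn|cli=10.0.0.5/53088|srv=203.0.113.10/443|subj=cli|os=Linux 3.x|dist=0|params=none|raw_sig=4:64+0:0:1460:mss*10,4:mss,sok,ts,nop,ws:df,id+:0
[2024/01/04 10:26:14] mod=syn+ack|cli=10.0.0.5/53088|srv=203.0.113.10/443|subj=srv|os=Windows 7 or 8|dist=0|params=none|raw_sig=4:128+0:0:1460:8192,8:mss,nop,ws,nop,nop,sok:df,id+:0
[2024/01/04 10:26:15] mod=uptime|cli=10.0.0.5/53088|srv=203.0.113.10/443|subj=srv|uptime=198 days 4 hrs 12 min (modulo 49 days)|raw_freq=1000.00 Hz
[2024/01/04 10:26:15] mod=mtu|cli=10.0.0.5/53088|srv=203.0.113.10/443|subj=cli|link=Ethernet or modem|raw_mtu=1500
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<fields>.*)$")


def parse_line(line):
    """Return (timestamp, {key: value}) for one p0f log line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for kv in m.group("fields").split("|"):
        key, sep, val = kv.partition("=")
        if sep:
            fields[key] = val
    return m.group("ts"), fields


def summarize(log_text):
    """Merge per-host observations (os, dist, uptime, link, ports) keyed by IP."""
    hosts = defaultdict(dict)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        _, f = parsed
        # "subj" names the endpoint the line describes; cli/srv are "ip/port".
        endpoint = f.get("cli") if f.get("subj") == "cli" else f.get("srv")
        if not endpoint:
            continue
        ip, _, port = endpoint.rpartition("/")
        entry = hosts[ip]
        entry.setdefault("ports", set()).add(int(port))
        for key in ("os", "dist", "uptime", "link"):
            if key in f:
                entry[key] = f[key]
    return dict(hosts)


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info)
```

Point it at the real file with summarize(open("/tmp/p0f.log").read()) to get the same per-host view for a live capture.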

Author : Michal Zalewski


Source : GBHackers
