| version 1.6, 2003/08/28 18:17:09 |
version 1.7, 2003/08/29 18:43:41 |
|
|
| # passive OS fingerprinting |
# passive OS fingerprinting |
| # ------------------------- |
# ------------------------- |
| # |
# |
| # SYN signatures. Those signatures work for SYN packets only (duh!). |
# SYN signatures. Those signatures work for SYN packets only (duh!). |
| # |
# |
| # (C) Copyright 2000-2003 by Michal Zalewski <lcamtuf@coredump.cx> |
# (C) Copyright 2000-2003 by Michal Zalewski <lcamtuf@coredump.cx> |
| # (C) Copyright 2003 by Mike Frantzen <frantzen@w4g.org> |
# (C) Copyright 2003 by Mike Frantzen <frantzen@w4g.org> |
|
|
| # cases, the value is just arbitrary. |
# cases, the value is just arbitrary. |
| # |
# |
| # NEW SIGNATURE: if p0f reported a special value of 'Snn', the number |
# NEW SIGNATURE: if p0f reported a special value of 'Snn', the number |
| # appears to be a multiple of MSS (MSS*nn); a special value of 'Tnn' |
# appears to be a multiple of MSS (MSS*nn); a special value of 'Tnn' |
| # means it is a multiple of MTU ((MSS+40)*nn). Unless you notice the |
# means it is a multiple of MTU ((MSS+40)*nn). Unless you notice the |
| # value of nn is not fixed (unlikely), just copy the Snn or Tnn token |
# value of nn is not fixed (unlikely), just copy the Snn or Tnn token |
| # literally. If you know this device has a simple stack and a fixed |
# literally. If you know this device has a simple stack and a fixed |
|
|
| # |
# |
| # If WSS otherwise looks like a fixed value (for example a multiple |
# If WSS otherwise looks like a fixed value (for example a multiple |
| # of two), or if you can confirm the value is fixed, please quote |
# of two), or if you can confirm the value is fixed, please quote |
| # it literaly. If there's no apparent pattern in WSS chosen, you |
# it literally. If there's no apparent pattern in WSS chosen, you |
| # should consider wildcarding this value. |
# should consider wildcarding this value. |
| # |
# |
| # - Overall packet size - a function of all IP and TCP options and bugs. |
# - Overall packet size - a function of all IP and TCP options and bugs. |
|
|
| # |
# |
| # - Initial TTL - We check the actual TTL of a received packet. It can't |
# - Initial TTL - We check the actual TTL of a received packet. It can't |
| # be higher than the initial TTL, and also shouldn't be dramatically |
# be higher than the initial TTL, and also shouldn't be dramatically |
| # lower (maximum distance is defined as 40 hops). |
# lower (maximum distance is defined as 40 hops). |
| # |
# |
| # NEW SIGNATURE: *Never* copy TTL from a p0f-reported signature literally. |
# NEW SIGNATURE: *Never* copy TTL from a p0f-reported signature literally. |
| # You need to determine the initial TTL. The best way to do it is to |
# You need to determine the initial TTL. The best way to do it is to |
|
|
| # |
# |
| # - Window scaling (WSCALE) - this feature is used to scale WSS. |
# - Window scaling (WSCALE) - this feature is used to scale WSS. |
| # It extends the size of a TCP/IP window to 32 bits. Some modern |
# It extends the size of a TCP/IP window to 32 bits. Some modern |
| # systems implement this feature. |
# systems implement this feature. |
| # |
# |
| # NEW SIGNATURE: Observe several signatures. Initial WSCALE is often set |
# NEW SIGNATURE: Observe several signatures. Initial WSCALE is often set |
| # to zero or other low value. There's usually no need to wildcard this |
# to zero or other low value. There's usually no need to wildcard this |
|
|
| # - Timestamp - some systems that implement timestamps set them to |
# - Timestamp - some systems that implement timestamps set them to |
| # zero in the initial SYN. This case is detected and handled appropriately. |
# zero in the initial SYN. This case is detected and handled appropriately. |
| # |
# |
| # - Selective ACK permitted - a flag set by systems that implement |
# - Selective ACK permitted - a flag set by systems that implement |
| # selective ACK functionality. |
# selective ACK functionality. |
| # |
# |
| # - The sequence of TCP all options (MSS, window scaling, selective ACK |
# - The sequence of TCP all options (MSS, window scaling, selective ACK |
|
|
| # NEW SIGNATURE: Copy the sequence literally. |
# NEW SIGNATURE: Copy the sequence literally. |
| # |
# |
| # To wildcard any value (except for initial TTL or TCP options), replace |
# To wildcard any value (except for initial TTL or TCP options), replace |
| # it with '*'. You can also use a modulo operator to match any values |
# it with '*'. You can also use a modulo operator to match any values |
| # that divide by nnn - '%nnn'. |
# that divide by nnn - '%nnn'. |
| # |
# |
| # Fingerprint entry format: |
# Fingerprint entry format: |
|
|
| # wwww - window size (can be *, %nnn, Snn or Tnn). The special values |
# wwww - window size (can be *, %nnn, Snn or Tnn). The special values |
| # "S" and "T" which are a multiple of MSS or a multiple of MTU |
# "S" and "T" which are a multiple of MSS or a multiple of MTU |
| # respectively. |
# respectively. |
| # ttt - initial TTL |
# ttt - initial TTL |
| # D - don't fragment bit (0 - not set, 1 - set) |
# D - don't fragment bit (0 - not set, 1 - set) |
| # ss - overall SYN packet size |
# ss - overall SYN packet size |
| # OOO - option value and order specification (see below) |
# OOO - option value and order specification (see below) |
|
|
| # bogus. |
# bogus. |
| # |
# |
| # If OS genre starts with @, it denotes an approximate hit for a group |
# If OS genre starts with @, it denotes an approximate hit for a group |
| # of operating systems (signature reporting still enabled in this case). |
# of operating systems (signature reporting still enabled in this case). |
| # Use this feature at the end of this file to catch cases for which |
# Use this feature at the end of this file to catch cases for which |
| # you don't have a precise match, but can tell it's Windows or FreeBSD |
# you don't have a precise match, but can tell it's Windows or FreeBSD |
| # or whatnot by looking at, say, flag layout alone. |
# or whatnot by looking at, say, flag layout alone. |
|
|
| # ----------------------- |
# ----------------------- |
| # |
# |
| # Do not add a system X as OS Y just because NMAP says so. It is often |
# Do not add a system X as OS Y just because NMAP says so. It is often |
| # the case that X is a NAT firewall. While nmap is talking to the |
# the case that X is a NAT firewall. While nmap is talking to the |
| # device itself, p0f is fingerprinting the guy behind the firewall |
# device itself, p0f is fingerprinting the guy behind the firewall |
| # instead. |
# instead. |
| # |
# |
|
|
| # Odds, ends, mods. Advanced Networking Pack turns out to be |
# Odds, ends, mods. Advanced Networking Pack turns out to be |
| # responsible for enabling RFC1323, System Mechanic also messes |
# responsible for enabling RFC1323, System Mechanic also messes |
| # with TTLs and timestamps: |
# with TTLs and timestamps: |
| |
|
| *:128:1:64:M*,N,W2,N,N,T0,N,N,S: Windows:2000:SP4:Windows 2000 SP4 (AdvNetPack) or PalmPC |
*:128:1:64:M*,N,W2,N,N,T0,N,N,S: Windows:2000:SP4:Windows 2000 SP4 (AdvNetPack) or PalmPC |
| S4:128:1:48:M*,N,N,S: Windows:2000:SP3:Windows 2000 SP3 (NetTweak) |
S4:128:1:48:M*,N,N,S: Windows:2000:SP3:Windows 2000 SP3 (NetTweak) |
| S44:128:1:64:M*,N,W0,N,N,T0,N,N,S: Windows:XP:AdvNetPack:Windows XP (AdvNetPack) |
S44:128:1:64:M*,N,W0,N,N,T0,N,N,S: Windows:XP:AdvNetPack:Windows XP (AdvNetPack) |
|
|
| |
|
| |
|
| # ---------------- NewtonOS ----------------- |
# ---------------- NewtonOS ----------------- |
| |
|
| 4096:64:0:44:M1420: NewtonOS:2.1::NewtonOS 2.1 |
4096:64:0:44:M1420: NewtonOS:2.1::NewtonOS 2.1 |
| |
|
| # ---------------- NeXTSTEP ----------------- |
# ---------------- NeXTSTEP ----------------- |
|
|
| |
|
| # ---------- Firewalls / routers ------------ |
# ---------- Firewalls / routers ------------ |
| |
|
| S12:64:1:44:M1460: @Checkpoint:::Checkpoint (rnknown 1) |
S12:64:1:44:M1460: @Checkpoint:::Checkpoint (unknown 1) |
| S12:64:1:48:N,N,S,M1460: @Checkpoint:::Checkpoint (unknown 2) |
S12:64:1:48:N,N,S,M1460: @Checkpoint:::Checkpoint (unknown 2) |
| 4096:32:0:44:M1460: ExtremeWare:4.x::ExtremeWare 4.x |
4096:32:0:44:M1460: ExtremeWare:4.x::ExtremeWare 4.x |
| 60352:64:0:52:M1460,N,W2,N,N,S: Clavister:7.03.01::Clavister firewall 7.03.01 |
60352:64:0:52:M1460,N,W2,N,N,S: Clavister:7.03.01::Clavister firewall 7.03.01 |
![[BACK]](/icons/back.gif){kind=icon}
Return to pf.os CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / etc