Annotation of src/etc/pf.os, Revision 1.2
1.2 ! avsm 1: # $OpenBSD: pf.os,v 1.1 2003/08/21 19:10:19 frantzen Exp $
1.1 frantzen 2: # passive OS fingerprinting
3: # -------------------------
4: #
5: # SYN signatures. Those signatures work for SYN packets only (duh!).
6: #
7: # (C) Copyright 2000-2003 by Michal Zalewski <lcamtuf@coredump.cx>
8: # (C) Copyright 2003 by Mike Frantzen <frantzen@w4g.org>
9: #
10: # Permission to use, copy, modify, and distribute this software for any
11: # purpose with or without fee is hereby granted, provided that the above
12: # copyright notice and this permission notice appear in all copies.
13: #
14: # THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
15: # WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
16: # MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
17: # ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
18: # WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
19: # ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
20: # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
21: #
22: #
23: # This fingerprint database is adapted Michal Zalewski's p0f passive
24: # operating system package.
25: #
26: #
27: # Each line in this file specifies a single fingerprint. Please read the
28: # information below carefully before attempting to append any signatures
29: # reported as UNKNOWN to this file to avoid mistakes.
30: #
31: # We use the following set metrics for fingerprinting:
32: #
33: # - Window size (WSS) - a highly OS dependent setting used for TCP/IP
34: # performance control (max. amount of data to be sent without ACK).
35: # Some systems use a fixed value for initial packets. On other
36: # systems, it is a multiple of MSS or MTU (MSS+40). In some rare
37: # cases, the value is just arbitrary.
38: #
39: # NEW SIGNATURE: if p0f reported a special value of 'Snn', the number
40: # appears to be a multiple of MSS (MSS*nn); a special value of 'Tnn'
41: # means it is a multiple of MTU ((MSS+40)*nn). Unless you notice the
42: # value of nn is not fixed (unlikely), just copy the Snn or Tnn token
43: # literally. If you know this device has a simple stack and a fixed
44: # MTU, you can however multiply S value by MSS, or T value by MSS+40,
45: # and put it instead of Snn or Tnn.
46: #
47: # If WSS otherwise looks like a fixed value (for example a multiple
48: # of two), or if you can confirm the value is fixed, please quote
49: # it literaly. If there's no apparent pattern in WSS chosen, you
50: # should consider wildcarding this value.
51: #
52: # - Overall packet size - a function of all IP and TCP options and bugs.
53: #
54: # NEW SIGNATURE: Copy this value literally.
55: #
56: # - Initial TTL - We check the actual TTL of a received packet. It can't
57: # be higher than the initial TTL, and also shouldn't be dramatically
58: # lower (maximum distance is defined as 40 hops).
59: #
60: # NEW SIGNATURE: *Never* copy TTL from a p0f-reported signature literally.
61: # You need to determine the initial TTL. The best way to do it is to
62: # check the documentation for a remote system, or check its settings.
63: # A fairly good method is to simply round the observed TTL up to
64: # 32, 64, 128, or 255, but it should be noted that some obscure devices
65: # might not use round TTLs (in particular, some shoddy appliances use
66: # "original" initial TTL settings). If not sure, you can see how many
67: # hops you're away from the remote party with traceroute or mtr.
68: #
69: # - Don't fragment flag (DF) - some modern OSes set this to implement PMTU
70: # discovery. Others do not bother.
71: #
72: # NEW SIGNATURE: Copy this value literally.
73: #
74: # - Maximum segment size (MSS) - this setting is usually link-dependent. P0f
75: # uses it to determine link type of the remote host.
76: #
77: # NEW SIGNATURE: Always wildcard this value, except for rare cases when
78: # you have an appliance with a fixed value, know the system supports only
79: # a very limited number of network interface types, or know the system
80: # is using a value it pulled out of nowhere. Specific unique MSS
81: # can be used to tell Google crawlbots from the rest of the population.
82: #
83: # - Window scaling (WSCALE) - this feature is used to scale WSS.
84: # It extends the size of a TCP/IP window to 32 bits. Some modern
85: # systems implement this feature.
86: #
87: # NEW SIGNATURE: Observe several signatures. Initial WSCALE is often set
88: # to zero or other low value. There's usually no need to wildcard this
89: # parameter.
90: #
91: # - Timestamp - some systems that implement timestamps set them to
92: # zero in the initial SYN. This case is detected and handled appropriately.
93: #
94: # - Selective ACK permitted - a flag set by systems that implement
95: # selective ACK functionality.
96: #
97: # - The sequence of TCP all options (MSS, window scaling, selective ACK
98: # permitted, timestamp, NOP). Other than the options previously
99: # discussed, p0f also checks for timestamp option (a silly
100: # extension to broadcast your uptime ;-), NOP options (used for
101: # header padding) and sackOK option (selective ACK feature).
102: #
103: # NEW SIGNATURE: Copy the sequence literally.
104: #
105: # To wildcard any value (except for initial TTL or TCP options), replace
106: # it with '*'. You can also use a modulo operator to match any values
107: # that divide by nnn - '%nnn'.
108: #
109: # Fingerprint entry format:
110: #
111: # wwww:ttt:D:ss:OOO...:OS:Version:Subtype:Details
112: #
113: # wwww - window size (can be *, %nnn, Snn or Tnn). The special values
114: # "S" and "T" which are a multiple of MSS or a multiple of MTU
115: # respectively.
116: # ttt - initial TTL
117: # D - don't fragment bit (0 - not set, 1 - set)
118: # ss - overall SYN packet size
119: # OOO - option value and order specification (see below)
120: # OS - OS genre (Linux, Solaris, Windows)
121: # Version - OS Version (2.0.27 on x86, etc)
122: # Subtype - OS subtype or patchlevel (SP3, lo0)
123: # details - Generic OS details
124: #
125: # If OS genre starts with '*', p0f will not show distance, link type
126: # and timestamp data. It is useful for userland TCP/IP stacks of
127: # network scanners and so on, where many settings are randomized or
128: # bogus.
129: #
130: # If OS genre starts with @, it denotes an approximate hit for a group
131: # of operating systems (signature reporting still enabled in this case).
132: # Use this feature at the end of this file to catch cases for which
133: # you don't have a precise match, but can tell it's Windows or FreeBSD
134: # or whatnot by looking at, say, flag layout alone.
135: #
136: # Option block description is a list of comma or space separated
137: # options in the order they appear in the packet:
138: #
139: # N - NOP option
140: # Wnnn - window scaling option, value nnn (or * or %nnn)
141: # Mnnn - maximum segment size option, value nnn (or * or %nnn)
142: # S - selective ACK OK
143: # T - timestamp
144: # T0 - timestamp with a zero value
145: #
146: # To denote no TCP options, use a single '.'.
147: #
148: # Please report any additions to this file, or any inaccuracies or
149: # problems spotted, to the maintainers: lcamtuf@coredump.cx,
150: # frantzen@openbsd.org and bugs@openbsd.org with a tcpdump packet
151: # capture of the relevant SYN packet(s)
152: #
153: # WARNING WARNING WARNING
154: # -----------------------
155: #
156: # Do not add a system X as OS Y just because NMAP says so. It is often
157: # the case that X is a NAT firewall. While nmap is talking to the
158: # device itself, p0f is fingerprinting the guy behind the firewall
159: # instead.
160: #
161: # When in doubt, use common sense, don't add something that looks like
162: # a completely different system as Linux or FreeBSD or LinkSys router.
163: # Check DNS name, establish a connection to the remote host and look
164: # at SYN+ACK - does it look similar?
165: #
166: # Some users tweak their TCP/IP settings - enable or disable RFC1323
167: # functionality, enable or disable timestamps or selective ACK,
168: # disable PMTU discovery, change MTU and so on. Always compare a new rule
169: # to other fingerprints for this system, and verify the system isn't
170: # "customized" before adding it. It is OK to add signature variants
171: # caused by a commonly used software (personal firewalls, security
172: # packages, etc), but it makes no sense to try to add every single
173: # possible /proc/sys/net/ipv4 tweak on Linux or so.
174: #
175: # KEEP IN MIND: Some packet firewalls configured to normalize outgoing
176: # traffic (OpenBSD pf with "scrub" enabled, for example) will, well,
177: # normalize packets. Signatures will not correspond to the originating
178: # system (and probably not quite to the firewall either).
179: #
180: # NOTE: Try to keep this file in some reasonable order, from most to
181: # least likely systems. This will speed up operation. Also keep most
182: # generic and broad rules near the end.
183: #
184:
185: ##########################
186: # Standard OS signatures #
187: ##########################
188:
189: # ----------------- Linux -------------------
190:
191: 512:64:0:44:M*: Linux:2.0:3x:Linux 2.0.3x
192: 16384:64:0:44:M*: Linux:2.0:3x:Linux 2.0.3x
193:
194: 5440:64:1:60:M1360,S,T,N,W0: Linux:google::Linux (Google crawlbot)
195:
196: S3:64:1:60:M*,S,T,N,W0: Linux:2.4:18-21:Linux 2.4.18 and newer
197: S4:64:1:60:M*,S,T,N,W0: Linux:2.4::Linux 2.4
198: S3:64:1:60:M*,S,T,N,W1: Linux:2.5::Linux 2.5 (newer)
199: S4:64:1:60:M*,S,T,N,W1: Linux:2.5::Linux 2.5
200:
201: # That's quite stupid, but happens. The WSS is a multiplier of
202: # MSS, but not that MSS - the default ethernet MSS instead ;-)
203: 5840:64:1:60:M*,S,T,N,W0: Linux:2.4::Linux 2.4 (NAT or snafu)
204:
205: S20:64:1:60:M*,S,T,N,W0: Linux:2.2:20-25:Linux 2.2.20 and newer
206: S22:64:1:60:M*,S,T,N,W0: Linux:2.2::Linux 2.2
207:
208: # This happens only over loopback:
209: # 32767:64:1:60:M*,S,T,N,W0:Linux:2.4 (local)
210: # S8:64:1:60:M*,S,T,N,W0:Linux:2.2 (local)
211: # Some fairly common mods:
212: # S4:64:1:52:M*,N,N,S,N,W0: Linux:2.4:ts:Linux 2.4 w/o timestamps
213:
214: # ----------------- FreeBSD -----------------
215: # 4.6 - 5.0 is a bit of a guesswork at the moment.
216: # Need more data before the final release.
217:
218: 16384:64:1:44:M*: FreeBSD:2.0-2.2::FreeBSD 2.0-4.1
219: 16384:64:1:44:M*: FreeBSD:3.0-3.5::FreeBSD 2.0-4.1
220: 16384:64:1:44:M*: FreeBSD:4.0-4.1::FreeBSD 2.0-4.1
221:
222: 1024:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.4::FreeBSD 4.4
223: 16384:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.4::FreeBSD 4.4
224:
225: S:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.6::FreeBSD 4.6
226:
227: 57344:64:1:44:M*: FreeBSD:4.6-4.8:noRFC1323:FreeBSD 4.6-4.8 (no RFC1323)
228: 57344:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.6-4.8::FreeBSD 4.6-4.8
229:
230: 65535:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.8-4.9::FreeBSD 4.8-5.0
231: 65535:64:1:60:M*,N,W0,N,N,T: FreeBSD:5.0::FreeBSD 4.8-5.0
232: 32768:64:1:60:M*,N,W0,N,N,T: FreeBSD:4.8-4.9::FreeBSD 4.8-5.0 (or MacOS X)
233: 32768:64:1:60:M*,N,W0,N,N,T: FreeBSD:5.0::FreeBSD 4.8-5.0 (or MacOS X)
234:
235: 65535:48:1:60:M*,N,W1,N,N,T: FreeBSD:5.1::FreeBSD 5.1
236:
237: # ----------------- NetBSD ------------------
238:
239: 16384:64:0:60:M*,N,W0,N,N,T0: NetBSD:1.6::NetBSD 1.6
240: 16384:64:1:60:M*,N,W0,N,N,T0: NetBSD:1.6:df:NetBSD 1.6 (DF)
241: 16384:64:0:60:M*,N,W0,N,N,T: NetBSD:1.3::NetBSD 1.3 (or OpenBSD 2.6)
242:
243: # ----------------- OpenBSD -----------------
244:
245: 16384:64:0:60:M*,N,W0,N,N,T: OpenBSD:2.6::NetBSD 1.3 (or OpenBSD 2.6)
246: 16384:64:1:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.0-3.4::OpenBSD 3.0-3.4
247: 16384:64:0:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.0-3.4:no-df:OpenBSD 3.0-3.4 (scrub no-df)
248: 57344:64:1:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.3-3.4::OpenBSD 3.3-3.4
249: 57344:64:0:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.3-3.4:no-df:OpenBSD 3.3-3.4 (scrub no-df)
250:
251: # ----------------- Solaris -----------------
252: # Splitting 8/9 into two cases, we'll see if there
253: # are any complaints...
254:
255: S17:64:1:64:N,W3,N,N,T0,N,N,S,M*: Solaris:8:RFC1323:Solaris 8 RFC1323
256: S17:64:1:48:N,N,S,M*: Solaris:8::Solaris 8
257: S34:64:1:48:M1460,N,N,S: Solaris:9::Solaris 9
258:
259: S17:255:1:44:M*: Solaris:2.5-2.7::Solaris 2.5 to 7
260: S6:255:1:44:M*: Solaris:2.6::Solaris 2.6
261:
262: # ----------------- IRIX --------------------
263:
264: 61440:64:0:44:M*: IRIX:6.2-6.5::IRIX 6.2-6.5
265: 49152:64:0:52:M*,N,W2,N,N,S: IRIX:6.5:RFC1323:IRIX 6.5 (RFC1323)
266: 61440:64:0:48:M*,N,N,S: IRIX:6.5:14m:IRIX 6.5.14m
267: 49152:64:0:48:M*,N,N,S: IRIX:6.5:19:IRIX 6.5.19
268:
269: # ----------------- Tru64 -------------------
270:
271: 32768:64:1:48:M*,N,W0: Tru64:4.0f::Tru64 4.0f
272: 61440:64:0:48:M*,N,W0: Tru64:5.1a:JP4:Tru64 v5.1a JP4
273:
274: # ----------------- OpenVMS -----------------
275:
276: 6144:64:1:60:M*,N,W0,N,N,T: OpenVMS:7.2::OpenVMS 7.2 (Multinet 4.4 stack)
277:
278: # ----------------- AIX ---------------------
279:
280: 32768:64:0:60:M*,N,W0,N,N,T: AIX:4.3:3:AIX 4.3.3
281:
282: # ----------------- MacOS -------------------
283:
284: 32768:255:1:48:M*,W0,N: MacOS:9.1-9.2::MacOS 9.1/9.2
285:
286: # ----------------- Windows -----------------
287:
288: S44:64:1:48:N,N,S,M*: Windows:98:SE:Windows 98SE
289: 8192:128:1:48:M*,N,N,S: Windows:98::Windows 98
290: 8192:128:1:44:M*: Windows:NT::Windows old NT (?)
291:
292: %8192:128:1:48:M*,N,N,S: Windows:XP::Windows XP/2000
293: %8192:128:1:48:M*,N,N,S: Windows:2000P::Windows XP/2000
294: 65535:128:1:48:M*,N,N,S: Windows:2000:SP4:Windows 2000 SP4
295: S44:128:1:48:M*,N,N,S: Windows:XP::Windows XP or 2000 SP3
296: S44:128:1:48:M*,N,N,S: Windows:2000:SP3:Windows XP or 2000 SP3
297: S6:128:1:48:M*,N,N,S: Windows:XP::Windows XP or 2000 SP3
298: S6:128:1:48:M*,N,N,S: Windows:2000:SP3:Windows XP or 2000 SP3
299:
300: S45:128:1:48:M*,N,N,S: @Windows:XP::Windows XP
301: S46:128:1:48:M*,N,N,S: @Windows:XP::Windows XP
302:
303: # The same stuff w/o DF - happens quite often:
304: %8192:128:0:48:M*,N,N,S: Windows:XP::Windows XP/2000
305: %8192:128:0:48:M*,N,N,S: Windows:2000P::Windows XP/2000
306: 65535:128:0:48:M*,N,N,S: Windows:2000:SP4:Windows 2000 SP4
307: S44:128:0:48:M*,N,N,S: Windows:XP::Windows XP or 2000 SP3
308: S44:128:0:48:M*,N,N,S: Windows:2000:SP3:Windows XP or 2000 SP3
309: S6:128:0:48:M*,N,N,S: Windows:XP::Windows XP or 2000 SP3
310: S6:128:0:48:M*,N,N,S: Windows:2000:SP3:Windows XP or 2000 SP3
311:
312: S45:128:0:48:M*,N,N,S: @Windows:XP:firewalled:Windows XP (firewalled)
313: S46:128:0:48:M*,N,N,S: @Windows:XP:firewalled:Windows XP (firewalled)
314:
315: # I'm not sure what this is, but one report suggests NT. 'll see...
316: 32767:128:1:52:M*,N,W0,N,N,S: Windows:NT:4:Windows NT4
317: 6144:128:1:52:M*,N,W0,N,N,S: Windows:NT:4:Windows NT4
318: S45:128:1:52:M*,N,W0,N,N,S: Windows:NT:4:Windows NT4
319:
320: *:128:1:64:M*,N,W2,N,N,T0,N,N,S: Windows:2000:SP4:Windows 2000 SP4 (RFC1323) or PalmPC
321:
322: # Odds and ends...
323: 58944:64:1:52:M*,N,W2,N,N,S: Windows:XP:SP2:Windows XP SP2 IPv6 System Mechanic tuned
324:
325: # ----------------- HP/UX -------------------
326:
327: 32768:64:1:44:M1460: HP-UX:B.10.20::HP/UX B.10.20
328: 32768:64:0:48:M1448,W0,N: HP-UX:11.0::HP/UX 11.0
329: 0:64:0:48:M1460,W0,N: HP-UX:B.11.00::HP/UX B.11.0 A (RFC1323)
330:
331:
332: # ----------------- SCO ------------------
333: S17:64:1:44:M1460: SCO:Unixware:7.0:SCO Unixware 7.0.0 or OpenServer 5.0.4-5.06
334: S17:64:1:44:M1460: SCO:OpenServer:5.0:SCO Unixware 7.0.0 or OpenServer 5.0.4-5.06
335:
336: # ----------------- RiscOS ------------------
337:
338: # We don't yet support the ?12 TCP option
339: #16384:64:1:68:M1460,N,W0,N,N,T,N,N,?12: RISCOS:3.70::RISC OS 3.70
340:
341: # ----------------- BSD/OS ------------------
342:
343: 8192:64:1:60:M1460,N,W0,N,N,T: BSD/OS:3.1::BSD/OS 3.1-4.3
344: 8192:64:1:60:M1460,N,W0,N,N,T: BSD/OS:4.0-4.3::BSD/OS 3.1-4.3
345:
346:
347: ################################
348: # Appliance / other signatures #
349: ################################
350:
351: # ---------- Firewalls / routers ------------
352:
353: S12:64:1:44:M1460: @Checkpoint:::Checkpoint (rnknown 1)
354: S12:64:1:48:N,N,S,M1460: @Checkpoint:::Checkpoint (unknown 2)
355:
356: # ------- Switches and other stuff ----------
357:
358: 4128:255:0:44:M*: Cisco:::Cisco Catalyst 3500, 7500 etc
359:
360: # ---------- Caches and whatnots ------------
361:
362: 5840:64:1:52:M1460,N,N,S,N,W0: AOL:web cache::AOL web cache
363:
364: 32850:64:1:64:N,W1,N,N,T,N,N,S,M*: NetApp:5.x::NetApp Data OnTap 5.x
1.2 ! avsm 365: 16384:64:1:64:M1460,N,N,S,N,W0,N: NetApp:5.3:1:NetApp NetCache 5.3.1
1.1 frantzen 366: 65535:64:0:60:M1460,N,W0,N,N,T: NetApp:CacheFlow::NetApp CacheFlow
1.2 ! avsm 367: 8192:64:1:64:M1460,N,N,S,N,W0,N,N,T: NetApp:5.2:1:NetApp NetCache 5.2.1
1.1 frantzen 368:
369: 5840:64:0:48:M1460,N,N,S: Cisco:Content Engine::Cisco Content Engine
370:
371: 27085:128:0:40:.: Dell:PowerApp cache::Dell PowerApp (Linux-based)
372:
373: 60352:128:1:64:M1460,N,W2,N,N,T,N,N,S: Alteon:ACEswitch::Alteon ACEswitch
374:
375: 65535:255:1:48:N,W1,M1460: Inktomi:crawler::Inktomi crawler
376:
377: 16384:255:0:40:.: Proxyblocker:::Proxyblocker (what's this?)
378:
379: # ----------- Embedded systems --------------
380:
381: S9:255:0:44:M536: PalmOS:Tungsten:C:PalmOS Tungsten C(Win95 based)
382: S5:255:0:44:M536: PalmOS:3::PalmOS 3 (Win95 based)
383:
384:
385: ####################
386: # Fancy signatures #
387: ####################
388:
389: 1024:64:0:40:.: *NMAP:syn scan:1:NMAP syn scan (1)
390: 2048:64:0:40:.: *NMAP:syn scan:2:NMAP syn scan (2)
391: 3072:64:0:40:.: *NMAP:syn scan:3:NMAP syn scan (3)
392: 4096:64:0:40:.: *NMAP:syn scan:4:NMAP syn scan (4)
393:
394: 1024:64:0:60:W10,N,M265,T: *NMAP:OS:1:NMAP OS detection probe (1)
395: 2048:64:0:60:W10,N,M265,T: *NMAP:OS:2:NMAP OS detection probe (2)
396: 3072:64:0:60:W10,N,M265,T: *NMAP:OS:3:NMAP OS detection probe (3)
397: 4096:64:0:60:W10,N,M265,T: *NMAP:OS:4:NMAP OS detection probe (4)
398:
399: #####################################
400: # Generic signatures - just in case #
401: #####################################
402:
403: #*:64:1:60:M*,N,W*,N,N,T: @FreeBSD:4.0-4.9::FreeBSD 4.x/5.x
404: #*:64:1:60:M*,N,W*,N,N,T: @FreeBSD:5.0-5.1::FreeBSD 4.x/5.x
405: