From owner-freebsd-ports Mon Jun 12 14:30:13 2000
Delivered-To: freebsd-ports@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 5B32E37BD14 for ; Mon, 12 Jun 2000 14:30:05 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.9.3/8.9.2) id OAA18034; Mon, 12 Jun 2000 14:30:05 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: from blues.jpj.net (blues.jpj.net [204.97.17.146]) by hub.freebsd.org (Postfix) with ESMTP id 2084B37BAC3 for ; Mon, 12 Jun 2000 14:22:07 -0700 (PDT) (envelope-from trevor@jpj.net)
Received: from localhost (trevor@localhost) by blues.jpj.net (right/backatcha) with ESMTP id e5CLM1i02532 for ; Mon, 12 Jun 2000 17:22:01 -0400 (EDT)
Message-Id:
Date: Mon, 12 Jun 2000 17:22:00 -0400 (EDT)
From: Trevor Johnson
To: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: ports/19225: new port: net/p0f
Sender: owner-freebsd-ports@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number:         19225
>Category:       ports
>Synopsis:       new port: net/p0f
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jun 12 14:30:04 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     Trevor Johnson
>Release:        4.0-STABLE i386
>Organization:
myself
>Environment:
only tested under 4.0-STABLE
FreeBSD 4.0-STABLE #0: Fri May 26 19:12:56 BST 2000 root@ws99.invalid:/usr/src/sys/compile/FREEBASE40f i386
against systems running FreeBSD 5.0 and Linux 2.2
>Description:
When another host establishes a TCP connection to the computer running p0f, the operating system on the remote host is identified.
>How-To-Repeat:
N/A
>Fix:
# This is a shell archive.  Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file".  Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
#
# This archive contains:
#
#	p0f
#	p0f/files
#	p0f/files/md5
#	p0f/patches
#	p0f/patches/patch-aa
#	p0f/pkg
#	p0f/pkg/COMMENT
#	p0f/pkg/DESCR
#	p0f/pkg/PLIST
#	p0f/Makefile
#
echo c - p0f
mkdir -p p0f > /dev/null 2>&1
echo c - p0f/files
mkdir -p p0f/files > /dev/null 2>&1
echo x - p0f/files/md5
sed 's/^X//' >p0f/files/md5 << 'END-of-p0f/files/md5'
XMD5 (p0f.tgz) = f4b76164257957645a798763c96bee19
END-of-p0f/files/md5
echo c - p0f/patches
mkdir -p p0f/patches > /dev/null 2>&1
echo x - p0f/patches/patch-aa
sed 's/^X//' >p0f/patches/patch-aa << 'END-of-p0f/patches/patch-aa'
X--- README.orig	Mon Jun 12 15:28:41 2000
X+++ README	Mon Jun 12 21:15:54 2000
X@@ -27,30 +27,31 @@
X 
X Background:
X 
X- * What is passive OS fingerprinting?
X+ * What is passive OS fingerprinting?
X 
X- Passive OS fingerprinting technique bases on information coming
X- from remote host when it establishes connection to our system. Captured
X- packets contains enough information to determine OS - and, unlike
X- active scanners (nmap, queSO) - without sending anything to this host.
X+ Passive OS fingerprinting is based on information coming from a remote host
X+ when it establishes a connection to our system. Captured packets contain
X+ enough information to identify the operating system. In contrast to active
X+ scanners such as nmap and QueSO, p0f does not send anything to the host being
X+ identified.
X 
X If you're looking for more information, read Spitzner's text at:
X http://www.enteract.com/~lspitz/finger.html
X 
X- * How it works?
X+ * How does it work?
X 
X Well, there are some TCP/IP flag settings specific for given systems.
X Usually initial TTL (8 bits), window size (16 bits), maximum segment size
X (16 bits), don't fragment flag (1 bit), sackOK option (1 bit), nop option
X- (1 bit) and window scaling option (8 bits) combined together gives unique,
X+ (1 bit) and window scaling option (8 bits) combined together give a unique,
X 51-bit signature for every system.
X 
X- * What are main advantages?
X+ * What are the main advantages?
X 
X- Passive OS fingerprinting can be done on huge portions of input data - eg.
X- information gathered on firewall, proxy, routing device or Internet server,
X- without causing any network activity. You can launch passive OS detection
X- software on such machine and leave it for days, weeks or months, collecting
X+ Passive OS fingerprinting can be done on huge amounts of input data -
X+ gathered on a firewall, proxy, routing device or Internet server - without
X+ causing any network activity. You can launch passive OS detection
X+ software on such a machine and leave it for days or months, collecting
X really interesting statistical and - *erm* - just interesting information.
X What's really funny - packet filtering firewalls, network address
X translation and so on are transparent to p0f-alike software, so you're able
X@@ -62,7 +63,7 @@
X Limitations
X 
X Proxy firewalls and other high-level proxy devices are not transparent to
X- any tcp fingerprinting software. It applies to p0f, as well.
X+ any TCP fingerprinting software. It applies to p0f, as well.
X 
X In order to obtain information required for fingerprinting, you have to
X receive at least one SYN packet initializing TCP connection to your
X@@ -78,9 +79,9 @@
X window size are constant for initial TCP/IP packet, but changing rapidly
X later).
X 
X-Why our bubble gum is better?
X+Why is our bubble gum better?
X 
X- There is another passive OS detection utility, called 'siphon'. It's
X+ There is another passive OS detection utility, called 'siphon'. It's a
X pretty good piece of proof-of-concept software, but it isn't perfect. Well,
X p0f isn't perfect for sure, but has several improvements:
X 
X@@ -128,8 +129,8 @@
X 
X Files:
X 
X- /etc/p0f.fp or ./p0f.fp - OS fingerprints database. Format is described
X- inside:
X+ /etc/p0f.fp or ./p0f.fp - OS fingerprints database.
X+ The format is described inside:
X 
X # Valid entry describes the way server starts TCP handshake (first SYN).
X # Important options are: window size (wss), maximum segment size (mss),
END-of-p0f/patches/patch-aa
echo c - p0f/pkg
mkdir -p p0f/pkg > /dev/null 2>&1
echo x - p0f/pkg/COMMENT
sed 's/^X//' >p0f/pkg/COMMENT << 'END-of-p0f/pkg/COMMENT'
XPassive OS fingerprinting tool
END-of-p0f/pkg/COMMENT
echo x - p0f/pkg/DESCR
sed 's/^X//' >p0f/pkg/DESCR << 'END-of-p0f/pkg/DESCR'
Xfrom the README:
X
XPassive OS fingerprinting is based on information coming from a remote host
Xwhen it establishes a connection to our system. Captured packets contain
Xenough information to identify the operating system. In contrast to active
Xscanners such as nmap and QueSO, p0f does not send anything to the host being
Xidentified.
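Review bot: in the first hunk (@@ -27,30 +27,31 @@) the pair "- * What is passive OS fingerprinting?" / "+ * What is passive OS fingerprinting?" shows no visible difference, so that change is whitespace only; dropping whitespace-only changes keeps patch-aa smaller and less likely to fail to apply against the next upstream README.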
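Review bot: in the last hunk (@@ -128,8 +129,8 @@) the replacement line still carries the hardcoded path "/etc/p0f.fp"; this only ends up correct because the Makefile's post-patch target runs "${SED} s=/etc=${PREFIX}/etc=g" over README after patch-aa is applied, turning it into ${PREFIX}/etc/p0f.fp, which is where do-install puts p0f.fp. That ordering dependency deserves a comment in post-patch, and since the substitution is unanchored it also rewrites any other "/etc" string in p0f.c or README, so the sed output is worth re-checking on each upstream update.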
X
XFor more information, read Spitzner's text at:
Xhttp://www.enteract.com/~lspitz/finger.html .
X
Xfrom the maintainer:
X
XUse of this program requires read access to the packet filtering device,
Xtypically /dev/bpf0. Granting such access allows the users who have it to
Xsniff your network. See
Xhttp://www.infoworld.com/articles/op/xml/00/05/29/000529opswatch.xml if you do
Xnot understand how this can be harmful.
X
XTrevor Johnson
Xtrevor@jpj.net
END-of-p0f/pkg/DESCR
echo x - p0f/pkg/PLIST
sed 's/^X//' >p0f/pkg/PLIST << 'END-of-p0f/pkg/PLIST'
Xbin/p0f
Xetc/p0f.fp
Xshare/doc/p0f/README
X@dirrm share/doc/p0f
END-of-p0f/pkg/PLIST
echo x - p0f/Makefile
sed 's/^X//' >p0f/Makefile << 'END-of-p0f/Makefile'
X# New ports collection makefile for:	p0f
X# Date created:		2000-06-12
X# Whom:			Trevor Johnson
X#
X# $FreeBSD$
X#
X
XPORTNAME=	p0f
XPORTVERSION=	1.5
XCATEGORIES=	net
XMASTER_SITES=	http://lcamtuf.hack.pl/
XDISTNAME=	${PORTNAME}
XEXTRACT_SUFX=	.tgz
X
XMAINTAINER=	trevor@jpj.net
X
XWRKSRC=		${WRKDIR}/${PORTNAME}-${PORTVERSION}
X
Xpost-patch:
X	@${SED} s=/etc=${PREFIX}/etc=g ${WRKSRC}/p0f.c >${WRKSRC}/p0f-sed.c
X	@${SED} s=/etc=${PREFIX}/etc=g ${WRKSRC}/README >${WRKSRC}/README-sed
X	${MV} ${WRKSRC}/p0f-sed.c ${WRKSRC}/p0f.c
X	${MV} ${WRKSRC}/README-sed ${WRKSRC}/README
X
Xdo-install:
X	@${INSTALL_PROGRAM} ${WRKSRC}/p0f ${PREFIX}/bin
X	@${INSTALL_DATA} ${WRKSRC}/p0f.fp ${PREFIX}/etc
X
Xpost-install:
X.if !defined(NOPORTDOCS)
X	@${MKDIR} ${PREFIX}/share/doc/p0f
X	@${INSTALL_DATA} ${WRKSRC}/README ${PREFIX}/share/doc/p0f
X.endif
X
X.include
END-of-p0f/Makefile
exit
>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ports" in the body of the message
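As an added example (not code from this PR or from p0f itself), the seven fields the patched README lists for a first SYN, pulled out of a constructed IPv4 packet and packed into the 51-bit value the README describes; the sample packet, its field values and the assumption that a missing MSS or window scale option encodes as 0 are this example's, not p0f's.

```python
import struct

# Constructed sample (not from p0f.fp or the port): one IPv4 SYN, TTL 64, DF set,
# window 32120, options MSS 1460, sackOK, NOP, wscale 0, padded to a 32-byte header.
SAMPLE_SYN = bytes.fromhex(
    "4500003400014000400600000a0000010a000002"   # IPv4 header, ttl=0x40, DF flag
    "30390050000000010000000080027d7800000000"   # TCP header, doff=8, flags=SYN
    "020405b4040201030300"                       # options: MSS, sackOK, NOP, wscale
    "0000"                                       # end-of-options padding
)

def syn_signature(pkt):
    """Return (ttl, win, mss, df, sack_ok, nop, wscale) for an IPv4 SYN, else None.
    Only the first SYN is used: the README notes window size and options change
    rapidly after the handshake, so SYN+ACK and later segments are rejected."""
    if len(pkt) < 40 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    ttl = pkt[8]
    df = bool(struct.unpack("!H", pkt[6:8])[0] & 0x4000)
    tcp = pkt[ihl:]
    doff = (tcp[12] >> 4) * 4
    if tcp[13] & 0x12 != 0x02:                 # SYN set, ACK clear
        return None
    win = struct.unpack("!H", tcp[14:16])[0]
    mss, sack_ok, nop, wscale = None, False, False, None
    opts, i = tcp[20:doff], 0
    while i < len(opts) and opts[i] != 0:      # kind 0 ends the option list
        kind = opts[i]
        if kind == 1:                          # NOP carries no length byte
            nop, i = True, i + 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            return None                        # malformed option length
        olen = opts[i + 1]
        if kind == 2 and olen == 4:
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        elif kind == 3 and olen == 3:
            wscale = opts[i + 2]
        elif kind == 4:
            sack_ok = True
        i += olen
    return (ttl, win, mss, df, sack_ok, nop, wscale)

def pack_signature(sig):
    """Pack the fields into the README's 51-bit value (8+16+16+1+1+1+8 bits).
    An absent MSS or wscale option is encoded as 0 (this example's assumption)."""
    ttl, win, mss, df, sack_ok, nop, wscale = sig
    return ((ttl << 43) | (win << 27) | ((mss or 0) << 11) | (df << 10)
            | (sack_ok << 9) | (nop << 8) | (wscale or 0))
```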