Joined: 29 Mar 2003 Posts: 3 Location: East Coast, USA
Posted: Thu Jun 19, 2003 3:11 pm Post subject: Nmap's Silent Partner
Nmap's Silent Partner
By Marcus Ranum
Tools that fingerprint operating systems are a hacker's dream. They make
it ridiculously simple to identify easy targets. Run Nmap against a
target, learn what OS version it's running, and then look for a set of
attack tools that can take out that particular release.
Fortunately for us (the good guys), most fingerprinting scans leave
distinctive patterns that are easily detected by a decent IDS. But aside
from that, the good guys can also use a powerful OS fingerprinting
technique called Passive Operating System Fingerprinting (POF). Several
POF tools are available; the original is called "p0f" (with a zero),
co-created by Michael Zalewski and Bill Stearns.
POF is invisible, silent and nonintrusive. Unlike active fingerprinting
tools such as Nmap, POF operates only as a sniffer and generates no
packets. This is extremely important, because that means it won't
interfere with legitimate traffic, and it won't force you and your IDS to
worry about which scans are legitimate and which aren't.
Yes indeed p0f is an excellent passive fingerprinting tool. Though imho one should still try to learn what tcp metrics belong to what system. It just helps you recognize potential anomalies while looking over your logs and or IP address pulls. That being said we use it at our work as well. Good post Rottz!
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum