OS fingerprinting and routing distance
Introduction
Certain fields in the IP and TCP headers give an indication of the type of operating system. However, these fields, e.g. TTL, initial window size and TCP options, can be obfuscated by a NAT or a savvy user. In the good old times with Linux, Solaris, HP, Windows NT/XP and all these wonderfully diverse OS, this approach worked well. Even the User-Agent field in the HTTP protocol told you right away what kind of OS and application the machine was running. Nevertheless, it is still useful, but to be treated with care. T2 offers the following plugins for this purpose:
- tp0f
- p0f (depends on sslDecode)
- httpSniffer: httpUsrAg (User-Agent) column
- tcpFlags: tcpOption (host clock frequency)
The first two depend on the rules of the well known p0f OS fingerprinting tool, version 3.09b. The third uses the User-Agent: field in HTTP traffic, which is nowadays rather rare, bummer. The last one uses information from the tcpTimestamp options and the pcap timestamps; it is implemented in the tcpFlags plugin.
Preparation
First, restore T2 into a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins:
t2build -e -y
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied
Then compile the following plugins:
t2build tranalyzer2 basicFlow tcpStates tp0f txtSink
...
BUILD SUCCESSFUL
If you did not create separate data and results directories yet, please do it now in another bash window; it facilitates your workflow:
mkdir ~/data ~/results
The anonymized sample PCAP and the fragmentation PCAP used in this tutorial can be downloaded here: faf-exercise.pcap.
Please save it in your ~/data folder.
Now you are all set for OS fingerprinting!
tp0f config
tp0f applies the p0f rules in the t2OnNewFlow() function, i.e. on the first packet of an A/B flow, which carries all the valuable information: TCP options, the SYN and SYN-ACK sequence, etc.
Let’s have a look into the tp0f directory.
tp0f
ls
autogen.sh CMakeLists.txt configure.ac COPYING default.config doc Makefile.am meson.build p0fdoc.txt p0f.fp src t2plconf tests tp0fL34conv tp0fL34.txt ttl.txt ver.txt win.txt
If the p0f rules don't match, tp0f has its own heuristics, which try to give a crude opinion about the type of OS. For that the files ttl.txt, ver.txt and win.txt are necessary.
The file p0f.fp is the p0f database used by the p0f tool. The script tp0fL34conv converts p0f.fp to tp0fL34.txt. This happens automatically when t2build is invoked and no tp0fL34.txt is found under ~/.tranalyzer/plugins. We added the documentation of the p0f tool, p0fdoc.txt, so that you can write your own p0f file.
Now look at the configuration options in tp0f.h in the src directory:
tp0f
vi src/tp0f.h
...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */
#define TP0FRULES 1 // 0: standard OS guessing
// 1: OS guessing and p0f L3/4 rules
#define TP0FHSH 1 // 0: no IP hash
// 1: IP hash to recognize IP already classified
#define TP0FRC 0 // 0: only human readable
// 1: add classifier numbers
/* +++++++++++++++++++++ ENV / RUNTIME - conf Variables +++++++++++++++++++++ */
#define TP0FL34FILE "tp0fL34.txt"
/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...
TP0FRULES controls whether the p0f rules are used or only T2's simple heuristic OS guessing.
TP0FHSH controls the query of the p0f file: if enabled, duplicate queries for an IP already classified are avoided, which increases the speed of the plugin. For AI labeling tasks TP0FRC has to be enabled to produce unique class numbers.
If you want to use your own rule file, change TP0FL34FILE. With ENVCNTRL=2 you do not need to recompile for that parameter; just use t2conf, edit the .h file, or set an environment variable with that name.
Note that your file has to use the same format as the tp0fL34.txt file shown below.
tcol tp0fL34.txt
#num clst ipv ip tcp qopt ittl olen mss wsize_ws num_tcpopt tcpopt pldl Nclass Nprog Nver class prog ver vOS comment
1 0x0a 0x00 0x40 0x02 0x0040 64 0 0 20,10 5 0x02,0x04,0x08,0x01,0x03 0 2 2 22 unix Linux 3.11 and newer Linux
2 0x0a 0x00 0x40 0x02 0x0040 64 0 0 20,7 5 0x02,0x04,0x08,0x01,0x03 0 2 2 22 unix Linux 3.11 and newer Linux
3 0x0a 0x00 0x40 0x02 0x0040 64 0 0 10,4 5 0x02,0x04,0x08,0x01,0x03 0 2 2 23 unix Linux 3.1-3.10 Linux
4 0x0a 0x00 0x40 0x02 0x0040 64 0 0 10,5 5 0x02,0x04,0x08,0x01,0x03 0 2 2 23 unix Linux 3.1-3.10 Linux
5 0x0a 0x00 0x40 0x02 0x0040 64 0 0 10,6 5 0x02,0x04,0x08,0x01,0x03 0 2 2 23 unix Linux 3.1-3.10 Linux
6 0x0a 0x00 0x40 0x02 0x0040 64 0 0 10,7 5 0x02,0x04,0x08,0x01,0x03 0 2 2 23 unix Linux 3.1-3.10 Linux
7 0x0a 0x00 0x40 0x02 0x0040 64 0 0 4,6 5 0x02,0x04,0x08,0x01,0x03 0 2 2 19 unix Linux 2.6.x so not I'm not flagging these signatures in a special way.
8 0x0a 0x00 0x40 0x02 0x0040 64 0 0 4,7 5 0x02,0x04,0x08,0x01,0x03 0 2 2 19 unix Linux 2.6.x so not I'm not flagging these signatures in a special way.
9 0x0a 0x00 0x40 0x02 0x0040 64 0 0 4,8 5 0x02,0x04,0x08,0x01,0x03 0 2 2 19 unix Linux 2.6.x so not I'm not flagging these signatures in a special way.
10 0x0a 0x00 0x40 0x02 0x0040 64 0 0 4,0 5 0x02,0x04,0x08,0x01,0x03 0 2 2 16 unix Linux 2.4.x so not I'm not flagging these signatures in a special way.
11 0x0a 0x00 0x40 0x02 0x0040 64 0 0 4,1 5 0x02,0x04,0x08,0x01,0x03 0 2 2 16 unix Linux 2.4.x so not I'm not flagging these signatures in a special way.
12 0x0a 0x00 0x40 0x02 0x0040 64 0 0 4,2 5 0x02,0x04,0x08,0x01,0x03 0 2 2 16 unix Linux 2.4.x so not I'm not flagging these signatures in a special way.
13 0x0a 0x00 0x40 0x02 0x0040 64 0 0 11,0 5 0x02,0x04,0x08,0x01,0x03 0 2 2 10 unix Linux 2.2.x No real traffic seen for 2.2 & 2.0, signatures extrapolated from p0f2 data:
14 0x0a 0x00 0x40 0x02 0x0040 64 0 0 20,0 5 0x02,0x04,0x08,0x01,0x03 0 2 2 10 unix Linux 2.2.x No real traffic seen for 2.2 & 2.0, signatures extrapolated from p0f2 data:
15 0x0a 0x00 0x40 0x02 0x0040 64 0 0 22,0 5 0x02,0x04,0x08,0x01,0x03 0 2 2 10 unix Linux 2.2.x No real traffic seen for 2.2 & 2.0, signatures extrapolated from p0f2 data:
16 0x0a 0x00 0x00 0x02 0x0000 64 0 0 12,0 1 0x02 0 2 2 9 unix Linux 2.0 No real traffic seen for 2.2 & 2.0, signatures extrapolated from p0f2 data:
17 0x08 0x00 0x00 0x02 0x0000 64 0 0 16384,0 1 0x02 0 2 2 9 unix Linux 2.0 No real traffic seen for 2.2 & 2.0, signatures extrapolated from p0f2 data:
18 0x02 0x00 0x40 0x02 0x0040 64 0 16396 524672,4 5 0x02,0x04,0x08,0x01,0x03 0 2 2 26 unix Linux 3.x (loopback) Just to keep people testing locally happy (IPv4 & IPv6):
19 0x02 0x00 0x40 0x02 0x0040 64 0 16376 524032,4 5 0x02,0x04,0x08,0x01,0x03 0 2 2 26 unix Linux 3.x (loopback) Just to keep people testing locally happy (IPv4 & IPv6):
20 0x02 0x00 0x40 0x02 0x0040 64 0 16396 131168,2 5 0x02,0x04,0x08,0x01,0x03 0 2 2 21 unix Linux 2.6.x (loopback) Just to keep people testing locally happy (IPv4 & IPv6):
21 0x02 0x00 0x40 0x02 0x0040 64 0 16376 131008,2 5 0x02,0x04,0x08,0x01,0x03 0 2 2 21 unix Linux 2.6.x (loopback) Just to keep people testing locally happy (IPv4 & IPv6):
22 0x02 0x00 0x40 0x02 0x0040 64 0 16396 32792,0 5 0x02,0x04,0x08,0x01,0x03 0 2 2 18 unix Linux 2.4.x (loopback) Just to keep people testing locally happy (IPv4 & IPv6):
23 0x02 0x00 0x40 0x02 0x0040 64 0 3884 31072,0 5 0x02,0x04,0x08,0x01,0x03 0 2 2 14 unix Linux 2.2.x (loopback) Just to keep people testing locally happy (IPv4 & IPv6):
24 0x02 0x04 0x00 0x02 0x0000 64 0 1430 366080,6 5 0x02,0x04,0x08,0x01,0x03 0 2 2 20 unix Linux 2.6.x (Google crawler) Various distinctive flavors of Linux:
25 0x0a 0x00 0x40 0x02 0x0040 64 0 0 44,1 5 0x02,0x04,0x08,0x01,0x03 0 2 2 39 unix Linux (Android) Various distinctive flavors of Linux:
26 0x0a 0x00 0x40 0x02 0x0040 64 0 0 44,3 5 0x02,0x04,0x08,0x01,0x03 0 2 2 39 unix Linux (Android) Various distinctive flavors of Linux:
27 0x1a 0x00 0x40 0x02 0x0040 64 0 0 10,0 5 0x02,0x04,0x08,0x01,0x03 0 2 2 25 unix Linux 3.x Various distinctive flavors of Linux:
28 0x1a 0x00 0x40 0x02 0x0040 64 0 0 4,0 5 0x02,0x04,0x08,0x01,0x03 0 2 2 17 unix Linux 2.4.x-2.6.x Various distinctive flavors of Linux:
...
As the p0f rules are not supported anymore, a new p0f file might become available again in the future. Then you may use the script tp0fL34conv to produce a new tp0f rule file. Or you generate your own rules during your research work. In that case, please contact us, so that we can integrate your rules into the older p0f rule set.
tp0f default config
Invoke T2 with the pcap in default mode and store it in your results folder.
t2 -r ~/data/faf-exercise.pcap -w ~/results/
The plugin summary of the end report reports 51% matches with the tp0f rules. Now open the flow file in your results folder.
For each flow a status, the routing distance of the srcIP, the OS class (short name), the full OS name and the version are listed.
The routing distance tp0fDis is derived from the TTL of the src address; it denotes the number of hops between the src and dst host, a good feature to assess the validity of IPs, etc.
tcol ~/results/faf-exercise_flows.txt
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto tp0fStat tp0fDis tp0fClName tp0fPrName tp0fVerName tcpStatesAFlags
A 1 0x0400000000004000 1258544215.037210 1258544215.372742 0.335532 1 3 eth:ipv4:tcp 00:0b:db:4f:6b:10 00:19:e3:e7:5d:23 0x0800 192.168.1.104 07 "Private network" 1258 77.67.44.206 gb "Akamai Technologies" 80 6 0x01 0 win Windows XP 0x00
B 1 0x0400000000004001 1258544215.202900 1258544215.537951 0.335051 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:0b:db:4f:6b:10 0x0800 77.67.44.206 gb "Akamai Technologies" 80 192.168.1.104 07 "Private network" 1258 6 0x00 17 unix Solaris unknown 0x00
A 2 0x0400000000004000 1258544216.385370 1258544216.723144 0.337774 1 3 eth:ipv4:tcp 00:0b:db:4f:6b:10 00:19:e3:e7:5d:23 0x0800 192.168.1.104 07 "Private network" 1259 77.67.44.206 gb "Akamai Technologies" 80 6 0x41 0 win Windows XP 0x00
B 2 0x0400000000004001 1258544216.551313 1258544216.888595 0.337282 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:0b:db:4f:6b:10 0x0800 77.67.44.206 gb "Akamai Technologies" 80 192.168.1.104 07 "Private network" 1259 6 0x00 17 unix Solaris unknown 0x00
A 3 0x0400000000004000 1258544216.908284 1258544217.008468 0.100184 1 3 eth:ipv4:tcp 00:0b:db:4f:6b:10 00:19:e3:e7:5d:23 0x0800 192.168.1.104 07 "Private network" 1260 198.189.255.75 us "California State University" 80 6 0x41 0 win Windows XP 0x00
B 3 0x0400000000004001 1258544216.915576 1258544217.008019 0.092443 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:0b:db:4f:6b:10 0x0800 198.189.255.75 us "California State University" 80 192.168.1.104 07 "Private network" 1260 6 0x00 7 unix Linux unknown 0x00
A 4 0x0400000000004000 1258544217.003718 1258544217.348506 0.344788 1 3 eth:ipv4:tcp 00:0b:db:4f:6b:10 00:19:e3:e7:5d:23 0x0800 192.168.1.104 07 "Private network" 1261 77.67.44.206 gb "Akamai Technologies" 80 6 0x41 0 win Windows XP 0x00
B 4 0x0400000000004001 1258544217.169421 1258544217.513942 0.344521 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:0b:db:4f:6b:10 0x0800 77.67.44.206 gb "Akamai Technologies" 80 192.168.1.104 07 "Private network" 1261 6 0x00 17 unix Solaris unknown 0x00
A 5 0x0400000000004000 1258544217.349751 1258544217.413719 0.063968 1 3 eth:ipv4:tcp 00:0b:db:4f:6b:10 00:19:e3:e7:5d:23 0x0800 192.168.1.104 07 "Private network" 1262 198.189.255.75 us "California State University" 80 6 0x41 0 win Windows XP 0x00
B 5 0x0400000000004001 1258544217.357036 1258544217.413505 0.056469 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:0b:db:4f:6b:10 0x0800 198.189.255.75 us "California State University" 80 192.168.1.104 07 "Private network" 1262 6 0x00 7 unix Linux unknown 0x00
A 6 0x0400000000004000 1258544217.408963 1258544217.754495 0.345532 1 3 eth:ipv4:tcp 00:0b:db:4f:6b:10 00:19:e3:e7:5d:23 0x0800 192.168.1.104 07 "Private network" 1263 77.67.44.206 gb "Akamai Technologies" 80 6 0x41 0 win Windows XP 0x00
B 6 0x0400000000004001 1258544217.574652 1258544217.919686 0.345034 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:0b:db:4f:6b:10 0x0800 77.67.44.206 gb "Akamai Technologies" 80 192.168.1.104 07 "Private network" 1263 6 0x00 17 unix Solaris unknown 0x00
A 7 0x0400000000004000 1258544217.755746 1258544217.791475 0.035729 1 3 eth:ipv4:tcp 00:0b:db:4f:6b:10 00:19:e3:e7:5d:23 0x0800 192.168.1.104 07 "Private network" 1264 198.189.255.75 us "California State University" 80 6 0x41 0 win Windows XP 0x00
B 7 0x0400000000004001 1258544217.763049 1258544217.791016 0.027967 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:0b:db:4f:6b:10 0x0800 198.189.255.75 us "California State University" 80 192.168.1.104 07 "Private network" 1264 6 0x00 7 unix Linux unknown 0x00
A 8 0x0400000000004000 1258544217.786474 1258544218.129260 0.342786 1 3 eth:ipv4:tcp 00:0b:db:4f:6b:10 00:19:e3:e7:5d:23 0x0800 192.168.1.104 07 "Private network" 1265 77.67.44.206 gb "Akamai Technologies" 80 6 0x41 0 win Windows XP 0x00
B 8 0x0400000000004001 1258544217.952162 1258544218.294696 0.342534 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:0b:db:4f:6b:10 0x0800 77.67.44.206 gb "Akamai Technologies" 80 192.168.1.104 07 "Private network" 1265 6 0x00 17 unix Solaris unknown 0x00
A 9 0x0400000000004000 1258544218.130258 1258544218.166240 0.035982 1 3 eth:ipv4:tcp 00:0b:db:4f:6b:10 00:19:e3:e7:5d:23 0x0800 192.168.1.104 07 "Private network" 1266 198.189.255.75 us "California State University" 80 6 0x41 0 win Windows XP 0x00
B 9 0x0400000000004001 1258544218.137543 1258544218.165782 0.028239 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:0b:db:4f:6b:10 0x0800 198.189.255.75 us "California State University" 80 192.168.1.104 07 "Private network" 1266 6 0x00 7 unix Linux unknown 0x00
A 11 0x0400000000004000 1258562478.204828 1258562509.633367 31.428539 1 3 eth:ipv4:tcp 00:0b:db:4f:6b:10 00:19:e3:e7:5d:23 0x0800 192.168.1.104 07 "Private network" 1384 63.245.221.11 us "Mozilla Corporation" 80 6 0x41 0 win Windows XP 0x00
B 11 0x0400000000004001 1258562478.266384 1258562509.653978 31.387594 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:0b:db:4f:6b:10 0x0800 63.245.221.11 us "Mozilla Corporation" 80 192.168.1.104 07 "Private network" 1384 6 0x00 12 unix Linux unknown 0x00
A 10 0x0400000000004000 1258562467.749142 1258562509.633370 41.884228 1 3 eth:ipv4:tcp 00:0b:db:4f:6b:10 00:19:e3:e7:5d:23 0x0800 192.168.1.104 07 "Private network" 1379 63.245.221.11 us "Mozilla Corporation" 80 6 0x41 0 win Windows XP 0x00
B 10 0x0400000000004001 1258562467.754689 1258562509.653962 41.899273 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:0b:db:4f:6b:10 0x0800 63.245.221.11 us "Mozilla Corporation" 80 192.168.1.104 07 "Private network" 1379 6 0x00 12 unix Linux unknown 0x00
...
Use tawk to decode tp0fStat:
The tp0fStat column with value 0x41 is to be interpreted as follows:
bit | tp0fStat | Description
=============================================================================
0 | 0x01 | SYN tp0f rule fired
6 | 0x40 | IP already seen by tp0f
The plugin knows which IP it has already seen, so it does not apply any rule again.
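The routing distance and the tp0fStat bookkeeping described above, as an added Python illustration that is not tp0f's own code: it matches a constructed SYN description against a few constructed rules in the spirit of the tp0fL34.txt rows, derives the hop count from the TTL, and sets the 0x01/0x40 status bits the way the flow output above shows them. How tp0f itself computes the distance is not stated on the page; the initial-TTL assumption used here is spelled out in the comments.

```python
# Added illustration (not tp0f's own code) of how tp0fDis and the tp0fStat
# bits fit together. Assumed, not stated on the page: the distance is the
# matched rule's ittl minus the observed TTL, or, when no rule fires, the
# smallest common initial TTL (32/64/128/255) >= the observed TTL minus it.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TP0F_RULE_FIRED = 0x01  # bit 0: SYN tp0f rule fired (page's tp0fStat table)
TP0F_IP_SEEN = 0x40     # bit 6: IP already seen by tp0f
INITIAL_TTLS = (32, 64, 128, 255)

@dataclass(frozen=True)
class Rule:
    """Minimal subset of a tp0fL34.txt row: ittl, option kinds in wire
    order, window scale and the class/prog/ver labels."""
    ittl: int
    tcpopt: Tuple[int, ...]
    wscale: int
    cls: str
    prog: str
    ver: str

# Constructed rules modelled on rows 1 and 3 of the tp0fL34.txt excerpt
# (mss,sok,ts,nop,ws = 0x02,0x04,0x08,0x01,0x03) plus an XP-style SYN
# (mss,nop,nop,sok = 0x02,0x01,0x01,0x04, initial TTL 128).
RULES = (
    Rule(64, (0x02, 0x04, 0x08, 0x01, 0x03), 10, "unix", "Linux", "3.11 and newer"),
    Rule(64, (0x02, 0x04, 0x08, 0x01, 0x03), 4, "unix", "Linux", "3.1-3.10"),
    Rule(128, (0x02, 0x01, 0x01, 0x04), 0, "win", "Windows", "XP"),
)

@dataclass(frozen=True)
class Syn:
    """Fields of the first packet of an A flow that this example looks at."""
    src_ip: str
    ttl: int
    tcpopt: Tuple[int, ...]
    wscale: int

def guess_initial_ttl(ttl: int) -> int:
    """Smallest common initial TTL that is not below the observed one."""
    return next((t for t in INITIAL_TTLS if ttl <= t), 255)

def match_rule(syn: Syn) -> Optional[Rule]:
    """First rule whose option order and window scale match and whose ittl
    is not below the observed TTL (a packet loses hops, it never gains)."""
    for r in RULES:
        if syn.tcpopt == r.tcpopt and syn.wscale == r.wscale and syn.ttl <= r.ittl:
            return r
    return None

class Tp0f:
    """Per-IP cache as with TP0FHSH=1: only classified IPs are remembered,
    so an IP without a rule hit keeps tp0fStat 0x00 on every flow."""
    def __init__(self) -> None:
        self.seen: Dict[str, Tuple[int, int, str, str, str]] = {}

    def on_new_flow(self, syn: Syn) -> Tuple[int, int, str, str, str]:
        """Return (tp0fStat, tp0fDis, tp0fClName, tp0fPrName, tp0fVerName)."""
        cached = self.seen.get(syn.src_ip)
        if cached is not None:
            stat, dis, cls, prog, ver = cached
            return (stat | TP0F_IP_SEEN, dis, cls, prog, ver)
        rule = match_rule(syn)
        if rule is None:
            ittl = guess_initial_ttl(syn.ttl)
            # crude stand-in for the ttl.txt-style heuristics: 128 -> win, else unix
            cls = "win" if ittl == 128 else "unix"
            return (0x00, ittl - syn.ttl, cls, "unknown", "unknown")
        result = (TP0F_RULE_FIRED, rule.ittl - syn.ttl, rule.cls, rule.prog, rule.ver)
        self.seen[syn.src_ip] = result
        return result
```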
tp0f + p0f rule info
If you want to see which rule fired and in which class it resides, switch TP0FRC=1 in the tp0f.h file, recompile and rerun t2.
t2conf tp0f -D TP0FRC=1 && t2build tp0f
t2 -r ~/data/faf-exercise.pcap -w ~/results/
tcol ~/results/faf-exercise_flows.txt
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto tp0fStat tp0fDis tp0fRN tp0fClass tp0fProg tp0fVer tp0fClName tp0fPrName tp0fVerName tcpStates
A 1 0x0400000000004000 1258544215.037210 1258544215.372742 0.335532 1 3 eth:ipv4:tcp 00:0b:db:4f:6b:10 00:19:e3:e7:5d:23 0x0800 192.168.1.104 07 "Private network" 1258 77.67.44.206 gb "Akamai Technologies" 80 6 0x01 0 33 1 1 2 win Windows XP 0x00
B 1 0x0400000000004001 1258544215.202900 1258544215.537951 0.335051 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:0b:db:4f:6b:10 0x0800 77.67.44.206 gb "Akamai Technologies" 80 192.168.1.104 07 "Private network" 1258 6 0x00 17 0 2 5 0 unix Solaris unknown 0x00
A 2 0x0400000000004000 1258544216.385370 1258544216.723144 0.337774 1 3 eth:ipv4:tcp 00:0b:db:4f:6b:10 00:19:e3:e7:5d:23 0x0800 192.168.1.104 07 "Private network" 1259 77.67.44.206 gb "Akamai Technologies" 80 6 0x41 0 33 1 1 2 win Windows XP 0x00
B 2 0x0400000000004001 1258544216.551313 1258544216.888595 0.337282 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:0b:db:4f:6b:10 0x0800 77.67.44.206 gb "Akamai Technologies" 80 192.168.1.104 07 "Private network" 1259 6 0x00 17 0 2 5 0 unix Solaris unknown 0x00
A 3 0x0400000000004000 1258544216.908284 1258544217.008468 0.100184 1 3 eth:ipv4:tcp 00:0b:db:4f:6b:10 00:19:e3:e7:5d:23 0x0800 192.168.1.104 07 "Private network" 1260 198.189.255.75 us "California State University" 80 6 0x41 0 33 1 1 2 win Windows XP 0x00
B 3 0x0400000000004001 1258544216.915576 1258544217.008019 0.092443 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:0b:db:4f:6b:10 0x0800 198.189.255.75 us "California State University" 80 192.168.1.104 07 "Private network" 1260 6 0x00 7 0 2 2 0 unix Linux unknown 0x00
A 4 0x0400000000004000 1258544217.003718 1258544217.348506 0.344788 1 3 eth:ipv4:tcp 00:0b:db:4f:6b:10 00:19:e3:e7:5d:23 0x0800 192.168.1.104 07 "Private network" 1261 77.67.44.206 gb "Akamai Technologies" 80 6 0x41 0 33 1 1 2 win Windows XP 0x00
B 4 0x0400000000004001 1258544217.169421 1258544217.513942 0.344521 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:0b:db:4f:6b:10 0x0800 77.67.44.206 gb "Akamai Technologies" 80 192.168.1.104 07 "Private network" 1261 6 0x00 17 0 2 5 0 unix Solaris unknown 0x00
A 5 0x0400000000004000 1258544217.349751 1258544217.413719 0.063968 1 3 eth:ipv4:tcp 00:0b:db:4f:6b:10 00:19:e3:e7:5d:23 0x0800 192.168.1.104 07 "Private network" 1262 198.189.255.75 us "California State University" 80 6 0x41 0 33 1 1 2 win Windows XP 0x00
B 5 0x0400000000004001 1258544217.357036 1258544217.413505 0.056469 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:0b:db:4f:6b:10 0x0800 198.189.255.75 us "California State University" 80 192.168.1.104 07 "Private network" 1262 6 0x00 7 0 2 2 0 unix Linux unknown 0x00
A 6 0x0400000000004000 1258544217.408963 1258544217.754495 0.345532 1 3 eth:ipv4:tcp 00:0b:db:4f:6b:10 00:19:e3:e7:5d:23 0x0800 192.168.1.104 07 "Private network" 1263 77.67.44.206 gb "Akamai Technologies" 80 6 0x41 0 33 1 1 2 win Windows XP 0x00
B 6 0x0400000000004001 1258544217.574652 1258544217.919686 0.345034 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:0b:db:4f:6b:10 0x0800 77.67.44.206 gb "Akamai Technologies" 80 192.168.1.104 07 "Private network" 1263 6 0x00 17 0 2 5 0 unix Solaris unknown 0x00
A 7 0x0400000000004000 1258544217.755746 1258544217.791475 0.035729 1 3 eth:ipv4:tcp 00:0b:db:4f:6b:10 00:19:e3:e7:5d:23 0x0800 192.168.1.104 07 "Private network" 1264 198.189.255.75 us "California State University" 80 6 0x41 0 33 1 1 2 win Windows XP 0x00
B 7 0x0400000000004001 1258544217.763049 1258544217.791016 0.027967 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:0b:db:4f:6b:10 0x0800 198.189.255.75 us "California State University" 80 192.168.1.104 07 "Private network" 1264 6 0x00 7 0 2 2 0 unix Linux unknown 0x00
A 8 0x0400000000004000 1258544217.786474 1258544218.129260 0.342786 1 3 eth:ipv4:tcp 00:0b:db:4f:6b:10 00:19:e3:e7:5d:23 0x0800 192.168.1.104 07 "Private network" 1265 77.67.44.206 gb "Akamai Technologies" 80 6 0x41 0 33 1 1 2 win Windows XP 0x00
B 8 0x0400000000004001 1258544217.952162 1258544218.294696 0.342534 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:0b:db:4f:6b:10 0x0800 77.67.44.206 gb "Akamai Technologies" 80 192.168.1.104 07 "Private network" 1265 6 0x00 17 0 2 5 0 unix Solaris unknown 0x00
A 9 0x0400000000004000 1258544218.130258 1258544218.166240 0.035982 1 3 eth:ipv4:tcp 00:0b:db:4f:6b:10 00:19:e3:e7:5d:23 0x0800 192.168.1.104 07 "Private network" 1266 198.189.255.75 us "California State University" 80 6 0x41 0 33 1 1 2 win Windows XP 0x00
B 9 0x0400000000004001 1258544218.137543 1258544218.165782 0.028239 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:0b:db:4f:6b:10 0x0800 198.189.255.75 us "California State University" 80 192.168.1.104 07 "Private network" 1266 6 0x00 7 0 2 2 0 unix Linux unknown 0x00
A 11 0x0400000000004000 1258562478.204828 1258562509.633367 31.428539 1 3 eth:ipv4:tcp 00:0b:db:4f:6b:10 00:19:e3:e7:5d:23 0x0800 192.168.1.104 07 "Private network" 1384 63.245.221.11 us "Mozilla Corporation" 80 6 0x41 0 33 1 1 2 win Windows XP 0x00
B 11 0x0400000000004001 1258562478.266384 1258562509.653978 31.387594 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:0b:db:4f:6b:10 0x0800 63.245.221.11 us "Mozilla Corporation" 80 192.168.1.104 07 "Private network" 1384 6 0x00 12 0 2 2 0 unix Linux unknown 0x00
A 10 0x0400000000004000 1258562467.749142 1258562509.633370 41.884228 1 3 eth:ipv4:tcp 00:0b:db:4f:6b:10 00:19:e3:e7:5d:23 0x0800 192.168.1.104 07 "Private network" 1379 63.245.221.11 us "Mozilla Corporation" 80 6 0x41 0 33 1 1 2 win Windows XP 0x00
B 10 0x0400000000004001 1258562467.754689 1258562509.653962 41.899273 1 3 eth:ipv4:tcp 00:19:e3:e7:5d:23 00:0b:db:4f:6b:10 0x0800 63.245.221.11 us "Mozilla Corporation" 80 192.168.1.104 07 "Private network" 1379 6 0x00 12 0 2 2 0 unix Linux unknown 0x00
...
tp0f and httpSniffer User-Agent (httpUsrAg)
Load the httpSniffer plugin, recompile and rerun t2.
t2build httpSniffer
t2 -r ~/data/faf-exercise.pcap -w ~/results/
Then select only the srcIP column of basicFlow, the standard tp0f fields and the httpUsrAg column of httpSniffer to compare the output:
tawk '{ print $srcIP, $tp0fStat, $tp0fDis, $tp0fClName, $tp0fPrName, $tp0fVerName, $httpUsrAg }' ~/results/faf-exercise_flows.txt | sort -Vr -k1,1 | uniq | tcol
srcIP tp0fStat tp0fDis tp0fClName tp0fPrName tp0fVerName httpUsrAg
198.189.255.75 0x00 7 unix Linux unknown
192.168.1.105 0x41 0 win Windows 7 or 8
192.168.1.105 0x01 0 win Windows 7 or 8
192.168.1.104 0x41 0 win Windows XP "Thunderbird 2.0.0.23 (Windows/20090812)"
192.168.1.104 0x41 0 win Windows XP "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.23) Gecko/20090812 Thunderbird/2.0.0.23"
192.168.1.104 0x41 0 win Windows XP "AVGINET9-WXPPX86 90 AVI=270.14.72/2511 BUILD=707 LOC=1033 LIC=9I-ASXNN-X4WGW-M0XFR-T84VX-3VX02 DIAG=51E OPF=0 PCA="
192.168.1.104 0x41 0 win Windows XP "AVGINET9-WXPPX86 90 AVI=270.14.71/2510 BUILD=707 LOC=1033 LIC=9I-ASXNN-X4WGW-M0XFR-T84VX-3VX02 DIAG=51E OPF=0 PCA="
192.168.1.104 0x01 0 win Windows XP "AVGINET9-WXPPX86 90 AVI=270.14.71/2510 BUILD=707 LOC=1033 LIC=9I-ASXNN-X4WGW-M0XFR-T84VX-3VX02 DIAG=51E OPF=0 PCA="
192.168.1.103 0x41 0 win Windows XP
192.168.1.103 0x01 0 win Windows XP
192.168.1.102 0x41 0 win Windows XP
192.168.1.102 0x01 0 win Windows XP
192.168.1.1 0x00 0 unix FreeBSD unknown
143.166.11.10 0x02 17 win Windows 7 or 8
143.166.11.10 0x00 16 unix Solaris unknown
77.67.44.206 0x00 17 unix Solaris unknown
63.245.221.11 0x00 12 unix Linux unknown
Note that a User-Agent is only present for HTTP traffic; for the rest you have to live with the tp0f output.
p0f and sslDecode
I need to produce suitable SSL/TLS traffic to commence the tutorial with the p0f plugin. If you load it, you also need to load sslDecode.
Conclusion
Don’t forget to reset the tp0f config.
t2conf tp0f -D TP0FRC=0 && t2build tp0f
Have fun!