pyp0f
pyp0f copied to clipboard
p0f v3 with impersonation spoofing, written in Python - Accurately guess the OS of a packet with passive fingerprinting.
pyp0f
Native implementation of p0f v3 in typed Python 3.
Documentation: https://github.com/Nisitay/pyp0f/blob/master/docs/README.md
Source Code: https://github.com/Nisitay/pyp0f
pyp0f
is able to accurately guess the source OS or user application of a given packet with passive fingerprinting, as well as impersonate packets so that p0f
will think it has been sent by a specific OS.
Motivation
-
pyp0f
is platform independent (using Scapy), whilep0f
can be cumbersome to run on some platforms (such as Windows). - The implementation and concepts behind
p0f
are very sophisticated, but the tool is written in C which makes it harder to understand and extend. Performance is expected to be slower in Python, butpyp0f
still performs well enough (see Performance benchmarks) -
p0f
heavily depends on full packet flow details, whilepyp0f
attempts to use as little information as possible. For example, you may be able to fingerprint a SYN+ACK packet from a session without having the matching SYN packet. -
pyp0f
aims to be highly configurable and used as a library, without limiting its effectiveness to one packet format/library, as opposed top0f
which runs on a seperate process and you query the results using an API.
Installation
$ pip install pyp0f
Features
- Full p0f fingerprinting (MTU, TCP, HTTP)
- p0f spoofing - impersonation (MTU, TCP)
- TCP timestamps uptime detection
In Progress
- Flow tracking
- NAT detection
Getting Started
from scapy.layers.inet import IP, TCP
from pyp0f.database import DATABASE
from pyp0f.fingerprint import fingerprint_mtu, fingerprint_tcp, fingerprint_http
from pyp0f.fingerprint.results import MTUResult, TCPResult, HTTPResult
DATABASE.load() # Load the fingerprints database
# MTU Fingerprinting
google_packet = IP() / TCP(options=[("MSS", 1430)])
mtu_result: MTUResult = fingerprint_mtu(google_packet)
# TCP Fingerprinting
linux_packet = IP(tos=0x10, flags=0x02, ttl=58) / TCP(
seq=1,
window=29200,
options=[("MSS", 1460), ("SAckOK", b""), ("Timestamp", (177816630, 0)), ("NOP", None), ("WScale", 7)],
)
tcp_result: TCPResult = fingerprint_tcp(linux_packet)
# HTTP Fingerprinting
apache_payload = b"HTTP/1.1 200 OK\r\nDate: Fri, 10 Jun 2011 13:27:01 GMT\r\nServer: Apache\r\nLast-Modified: Thu, 09 Jun 2011 17:25:43 GMT\r\nExpires: Mon, 13 Jun 2011 17:25:43 GMT\r\nETag: 963D6BC0ED128283945AF1FB57899C9F3ABF50B3\r\nCache-Control: max-age=272921,public,no-transform,must-revalidate\r\nContent-Length: 491\r\nConnection: close\r\nContent-Type: application/ocsp-response\r\n\r\n"
http_result: HTTPResult = fingerprint_http(apache_payload)
Sources
Authors
- Itay Margolin - Nisitay