07-24-2013, 05:16 PM
Usually we use different tools for sniffing and OS fingerprinting on a network, namely Wireshark (sniffing) and nmap (OS fingerprinting). It turns out both jobs can be done with p0f.
I tried it on my laptop's local network with VirtualBox. The host is Kali, the guest is Windows XP, which looks like this:
10.42.0.64 is the guest's IP.
Code:
root@bumi:~# p0f -h
p0f: invalid option -- 'h'
Usage: p0f [ -f file ] [ -i device ] [ -s file ] [ -o file ]
[ -w file ] [ -Q sock [ -0 ] ] [ -u user ] [ -FXVNDUKASCMROqtpvdlrx ]
[ -c size ] [ -T nn ] [ -e nn ] [ 'filter rule' ]
-f file - read fingerprints from file
-i device - listen on this device
-s file - read packets from tcpdump snapshot
-o file - write to this logfile (implies -t)
-w file - save packets to tcpdump snapshot
-u user - chroot and setuid to this user
-Q sock - listen on local socket for queries
-0 - make src port 0 a wildcard (in query mode)
-e ms - pcap capture timeout in milliseconds (default: 1)
-c size - cache size for -Q and -M options
-M - run masquerade detection
-T nn - set masquerade detection threshold (1-200)
-V - verbose masquerade flags reporting
-F - use fuzzy matching (do not combine with -R)
-N - do not report distances and link media
-D - do not report OS details (just genre)
-U - do not display unknown signatures
-K - do not display known signatures (for tests)
-S - report signatures even for known systems
-A - go into SYN+ACK mode (semi-supported)
-R - go into RST/RST+ACK mode (semi-supported)
-O - go into stray ACK mode (barely supported)
-r - resolve host names (not recommended)
-q - be quiet - no banner
-v - enable support for 802.1Q VLAN frames
-p - switch card to promiscuous mode
-d - daemon mode (fork into background)
-l - use single-line output (easier to grep)
-x - include full packet dump (for debugging)
-X - display payload string (useful in RST mode)
-C - run signature collision check
-t - add timestamps to every entry
'Filter rule' is an optional pcap-style BPF expression (man tcpdump).
I connected both of them over wlan. The host's wlan IP = the guest's gateway IP = 10.42.0.1.
Now I'll use p0f.
Code:
10.42.0.64:1249 - Windows XP/2000 (RFC1323+, w+, tstamp-) [GENERIC]
Signature: [65535:128:1:52:M1460,N,W1,N,N,S:.:Windows:?]
-> 173.194.126.126:443 (distance 0, link: ethernet/modem)
Windows XP/2000 is its OS.
The guest is browsing 173.194.126.126. Let's see what it is opening.
Turns out it was paying a visit to Mbah Google.
Let's cross-check with Wireshark whether 10.42.0.64 (the guest) really accessed 173.194.126.126. Here is the capture:
While we're at it, let's open nmap to cross-check which OS it is using.
And it turns out to match: Microsoft Windows XP.
p0f can also be used to fingerprint a capture file.
Code:
p0f -s file
That's all for this share; off to hunt for takjil.
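As an added example (not part of the original post and not p0f's own code), here is a small Python parser for the three-line p0f 2.x record shown above, so the passive fingerprints can be turned into structured data and compared against an inventory of what each host is supposed to be running. It assumes the default p0f 2.x output layout (header line, "Signature:" line, "->" destination line) and the signature grammar documented in p0f's p0f.fp file (wwww:ttt:D:ss:OOO...:QQ:OS:Details); the sample record is copied from the post, and the expected-genre inventory is a constructed example.

```python
"""Parse p0f 2.x records into structured data and check them against an inventory.

Added example, not part of the original post or of p0f itself. Assumes the
default three-line p0f 2.x output layout and the p0f.fp signature grammar
(wwww:ttt:D:ss:OOO...:QQ:OS:Details).
"""
import re
from typing import Optional

# Sample record copied from the post, re-indented as p0f prints it.
SAMPLE_RECORD = """\
10.42.0.64:1249 - Windows XP/2000 (RFC1323+, w+, tstamp-) [GENERIC]
  Signature: [65535:128:1:52:M1460,N,W1,N,N,S:.:Windows:?]
  -> 173.194.126.126:443 (distance 0, link: ethernet/modem)
"""

_IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# "src:port - OS description (flags) [tag]"; flags and tag are optional.
HEADER_RE = re.compile(
    rf"^(?P<src>{_IP}):(?P<sport>\d+) - (?P<os>.+?)"
    r"(?: \((?P<flags>[^)]*)\))?(?: \[(?P<tag>[^\]]+)\])?\s*$"
)
SIG_RE = re.compile(r"^\s*Signature:\s*\[(?P<sig>[^\]]+)\]\s*$")
DST_RE = re.compile(
    rf"^\s*->\s*(?P<dst>{_IP}):(?P<dport>\d+)\s*"
    r"\(distance (?P<distance>\d+), link: (?P<link>[^)]+)\)\s*$"
)

# Single-letter TCP option tokens used in p0f.fp signatures.
_OPTION_NAMES = {"N": "NOP", "E": "EOL", "S": "SACK_OK", "T": "TIMESTAMP"}


def _num_or_raw(field: str):
    """p0f allows wildcards such as '*' or '%64' in numeric fields; keep those as text."""
    return int(field) if field.isdigit() else field


def decode_option(token: str) -> tuple:
    """Translate one option token ('M1460', 'W1', 'N', 'S', 'T0', '?n') into (name, value)."""
    if token.startswith("M"):
        return ("MSS", _num_or_raw(token[1:]))
    if token.startswith("W"):
        return ("WSCALE", _num_or_raw(token[1:]))
    if token == "T0":
        return ("TIMESTAMP", 0)
    if token in _OPTION_NAMES:
        return (_OPTION_NAMES[token], None)
    if token.startswith("?"):
        return ("UNKNOWN", int(token[1:]))
    raise ValueError(f"unrecognised option token {token!r}")


def parse_signature(sig: str) -> dict:
    """Split a p0f.fp signature into its eight colon-separated fields."""
    fields = sig.split(":", 7)
    if len(fields) != 8:
        raise ValueError(f"expected 8 signature fields, got {len(fields)}: {sig!r}")
    window, ttl, df, syn_size, options, quirks, genre, details = fields
    return {
        "window": _num_or_raw(window),
        "ttl": int(ttl),
        "df": df == "1",
        "syn_size": _num_or_raw(syn_size),
        "options": options.split(",") if options else [],
        "quirks": quirks,          # "." means no quirks
        "genre": genre,
        "details": details,
    }


def parse_record(text: str) -> Optional[dict]:
    """Parse one three-line p0f record.

    Returns None when the lines do not form the known-OS layout (p0f prints
    UNKNOWN hosts in a different shape, which this parser deliberately skips).
    """
    lines = [line for line in text.splitlines() if line.strip()]
    if len(lines) != 3:
        return None
    head, sig, dst = HEADER_RE.match(lines[0]), SIG_RE.match(lines[1]), DST_RE.match(lines[2])
    if not (head and sig and dst):
        return None
    flags = head.group("flags")
    return {
        "src": head.group("src"),
        "sport": int(head.group("sport")),
        "os": head.group("os"),
        "flags": flags.split(", ") if flags else [],
        "tag": head.group("tag"),
        "signature": parse_signature(sig.group("sig")),
        "dst": dst.group("dst"),
        "dport": int(dst.group("dport")),
        "distance": int(dst.group("distance")),
        "link": dst.group("link"),
    }


def unexpected_genre(record: dict, expected: dict) -> Optional[str]:
    """Return an alert string when the passively observed OS genre differs from the
    genre the inventory (constructed mapping of IP -> genre) expects, else None."""
    want = expected.get(record["src"])
    got = record["signature"]["genre"]
    if want is None or want == got:
        return None
    return f"{record['src']} expected {want} but fingerprints as {got} ({record['os']})"


if __name__ == "__main__":
    rec = parse_record(SAMPLE_RECORD)
    print(rec)
    print([decode_option(t) for t in rec["signature"]["options"]])
    print(unexpected_genre(rec, {"10.42.0.64": "Linux"}))  # constructed inventory
```

Fed the record from the post, the parser yields the source 10.42.0.64:1249, destination 173.194.126.126:443, genre Windows, and options MSS 1460 / window scale 1 / SACK permitted; the inventory check is the part a defender would wire into logging, since a host that suddenly fingerprints as a different OS than the asset list says is worth a look.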