Skip to content

Nisitay/pyp0f

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

39 Commits

docs

docs

 
 

examples

examples

 
 

pyp0f

pyp0f

 
 

scripts

scripts

 
 

tests

tests

 
 

.flake8

.flake8

 
 

.gitattributes

.gitattributes

 
 

.gitignore

.gitignore

 
 

CHANGELOG.md

CHANGELOG.md

 
 

LICENSE

LICENSE

 
 

MANIFEST.in

MANIFEST.in

 
 

README.md

README.md

 
 

pyproject.toml

pyproject.toml

 
 

Repository files navigation

pyp0f

Native implementation of p0f v3 in typed Python 3.

Documentation: https://github.com/Nisitay/pyp0f/blob/master/docs/README.md

Source Code: https://github.com/Nisitay/pyp0f

pyp0f is able to accurately guess the source OS or user application of a given packet with passive fingerprinting, as well as impersonate packets so that p0f will think it has been sent by a specific OS.

Motivation

  • pyp0f is platform independent (using Scapy), while p0f can be cumbersome to run on some platforms (such as Windows).
  • The implementation and concepts behind p0f are very sophisticated, but the tool is written in C which makes it harder to understand and extend. Performance is expected to be slower in Python, but pyp0f still performs well enough (see Performance benchmarks)
  • p0f heavily depends on full packet flow details, while pyp0f attempts to use as little information as possible. For example, you may be able to fingerprint a SYN+ACK packet from a session without having the matching SYN packet.
  • pyp0f aims to be highly configurable and used as a library, without limiting its effectiveness to one packet format/library, as opposed to p0f which runs on a seperate process and you query the results using an API.

Installation

$ pip install pyp0f

Features

  • Full p0f fingerprinting (MTU, TCP, HTTP)
  • p0f spoofing - impersonation (MTU, TCP)
  • TCP timestamps uptime detection

In Progress

  • Flow tracking
  • NAT detection

Getting Started

from scapy.layers.inet import IP, TCP
from pyp0f.database import DATABASE
from pyp0f.fingerprint import fingerprint_mtu, fingerprint_tcp, fingerprint_http
from pyp0f.fingerprint.results import MTUResult, TCPResult, HTTPResult

DATABASE.load()  # Load the fingerprints database

# MTU Fingerprinting
google_packet = IP() / TCP(options=[("MSS", 1430)])
mtu_result: MTUResult = fingerprint_mtu(google_packet)

# TCP Fingerprinting
linux_packet = IP(tos=0x10, flags=0x02, ttl=58) / TCP(
    seq=1,
    window=29200,
    options=[("MSS", 1460), ("SAckOK", b""), ("Timestamp", (177816630, 0)), ("NOP", None), ("WScale", 7)],
)
tcp_result: TCPResult = fingerprint_tcp(linux_packet)

# HTTP Fingerprinting
apache_payload = b"HTTP/1.1 200 OK\r\nDate: Fri, 10 Jun 2011 13:27:01 GMT\r\nServer: Apache\r\nLast-Modified: Thu, 09 Jun 2011 17:25:43 GMT\r\nExpires: Mon, 13 Jun 2011 17:25:43 GMT\r\nETag: 963D6BC0ED128283945AF1FB57899C9F3ABF50B3\r\nCache-Control: max-age=272921,public,no-transform,must-revalidate\r\nContent-Length: 491\r\nConnection: close\r\nContent-Type: application/ocsp-response\r\n\r\n"
http_result: HTTPResult = fingerprint_http(apache_payload)

Sources

Authors

About

p0f v3 with impersonation spoofing, written in Python - Accurately guess the OS of a packet with passive fingerprinting.

Topics

python security fingerprint traffic-analysis python3 scapy network-analysis network-security os-detection p0f passive-os-fingerprint passive-fingerprinting os-fingerprinting python-p0f

Resources

Readme

License

MIT license
Activity

Stars

41 stars

Watchers

2 watching

Forks

3 forks
Report repository

Releases 2

0.3.0 Latest
Sep 28, 2023
+ 1 release

Languages