the operating system is Linux 3.11 or newer. Just below that, it was able to identify that the server is nginx. It is able to determine this from looking at the HTTP headers.
Example 3-15. Output from p0f

.-[ 192.168.2.149/48244 -> 104.197.85.63/80 (http request) ]-
|
| client   = 192.168.2.149/48244
| app      = ???
| lang     = English
| params   = none
| raw_sig  = 1:Host,User-Agent,Accept=[*/*],Accept-Language=[en-US,en;q=0.5],Accept-Encoding=[gzip,deflate],?Referer,?Cookie,Connection=[keep-alive]:Accept-Charset,Keep-Alive:Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
|
`----

.-[ 192.168.2.149/48254 -> 104.197.85.63/80 (syn) ]-
|
| client   = 192.168.2.149/48254
| os       = Linux 3.11 and newer
| dist     = 0
| params   = none
| raw_sig  = 4:64+0:0:1460:mss*20,7:mss,sok,ts,nop,ws:df,id+:0
|
`----

.-[ 192.168.2.149/48254 -> 104.197.85.63/80 (http response) ]-
|
| server   = 104.197.85.63/80
| app      = nginx 1.x
| lang     = none
| params   = dishonest
| raw_sig  = 1:Server,Date,Content-Type,?Content-Length,?Last-Modified,Connection=[keep-alive],Keep-Alive=[timeout=20],?ETag,X-Type=[static/known],?Cache-Control,?Vary,Access-Control-Allow-Origin=[*],Accept-Ranges=[bytes]::nginx
|
One of the challenges of using p0f is that it relies on observing traffic that is going by the system. You need to interact with the systems on which you want to perform passive reconnaissance. Since you are interacting with publicly available services, it's unlikely you will be noticed, and the remote system will have no idea that you are using p0f against it. There is no active engagement with the remote services in order to prompt for more details. You will get only what the services that you engage with are willing to provide.
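Because p0f only reports what it sees, the useful next step is to pull its boxed records into a structure you can query and to break the TCP raw_sig down into the fields the OS guess is built from. The following Python is an added example, not code from the book or from p0f itself. The sample text is transcribed from the first two records of Example 3-15; the raw_sig field names follow the signature layout documented in p0f v3's README (ver:ittl+dist:olen:mss:wsize,scale:olayout:quirks:pclass), and the derived window_bytes value is this example's own addition for the "mss*N" form.

```python
"""Parse p0f v3 text output and decompose a TCP raw_sig.

Added example (not from the book or p0f). Field names follow the
signature layout in p0f v3's README; the sample records below are
transcribed from Example 3-15.
"""
import re

# Constructed sample: the "http request" and "syn" records from Example 3-15.
SAMPLE = """\
.-[ 192.168.2.149/48244 -> 104.197.85.63/80 (http request) ]-
|
| client   = 192.168.2.149/48244
| app      = ???
| lang     = English
| params   = none
| raw_sig  = 1:Host,User-Agent,Accept=[*/*],Accept-Language=[en-US,en;q=0.5],Accept-Encoding=[gzip,deflate],?Referer,?Cookie,Connection=[keep-alive]:Accept-Charset,Keep-Alive:Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
|
`----

.-[ 192.168.2.149/48254 -> 104.197.85.63/80 (syn) ]-
|
| client   = 192.168.2.149/48254
| os       = Linux 3.11 and newer
| dist     = 0
| params   = none
| raw_sig  = 4:64+0:0:1460:mss*20,7:mss,sok,ts,nop,ws:df,id+:0
|
`----
"""

# Record header: .-[ src -> dst (type) ]-
HEADER = re.compile(r"^\.-\[ (\S+) -> (\S+) \((.+?)\) \]-$")
# Field line: | name   = value   (value may itself contain "=" signs)
FIELD = re.compile(r"^\| (\w+)\s*= (.*)$")


def parse_records(text):
    """Turn p0f's boxed output into a list of dicts, one per record."""
    records = []
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"src": m.group(1), "dst": m.group(2), "type": m.group(3)}
            records.append(current)
            continue
        m = FIELD.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return records


def parse_tcp_sig(raw_sig):
    """Split a p0f TCP raw_sig into named fields.

    Layout (p0f v3 README): ver:ittl+dist:olen:mss:wsize,scale:olayout:quirks:pclass
    """
    parts = raw_sig.split(":")
    if len(parts) != 8:
        raise ValueError(f"expected 8 colon-separated fields, got {len(parts)}")
    ver, ittl_dist, olen, mss, wsize_scale, olayout, quirks, pclass = parts
    ittl, _, dist = ittl_dist.partition("+")
    wsize, _, scale = wsize_scale.partition(",")
    sig = {
        "ip_version": int(ver),
        "initial_ttl": int(ittl),          # TTL the OS starts with (64 is typical for Linux)
        "distance": int(dist) if dist else 0,  # hops between observer and sender
        "ip_option_len": int(olen),
        "mss": int(mss),
        "window_size": wsize,              # raw form, e.g. "mss*20"
        "window_scale": int(scale) if scale else None,
        "option_layout": olayout.split(","),   # TCP option order is a strong OS tell
        "quirks": quirks.split(",") if quirks else [],
        "payload_class": pclass,
    }
    # Example's own addition: resolve "mss*N" to the advertised window in bytes.
    if wsize.startswith("mss*"):
        sig["window_bytes"] = sig["mss"] * int(wsize[4:])
    return sig


def syn_signatures(records):
    """Return {client: parsed TCP signature} for every SYN record."""
    return {r["client"]: parse_tcp_sig(r["raw_sig"])
            for r in records if r["type"] == "syn"}


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in recs:
        print(r["type"], "->", r.get("os") or r.get("app"))
    for client, sig in syn_signatures(recs).items():
        print(client, sig)
```

Running it shows why the SYN record yields "Linux 3.11 and newer": an initial TTL of 64, an advertised window of exactly 20 times the MSS (29200 bytes for MSS 1460), the option order mss,sok,ts,nop,ws, and the df and id+ quirks together form the signature p0f matched. The same parser can be pointed at a saved p0f log to build an inventory of what your own hosts reveal when they connect out.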
The side you are most apt to get information on is the local end. This is because it can look up information from the MAC address, providing vendor details so you can see