hR$dZddlZddlZddlZddlZddlZddlmZmZddl m Z ddl m Z ddl mZmZmZddlmZmZddlmZmZmZdd lmZmZmZmZmZdd lmZe j ddl!Z"gd Z#ee#d e _$ee#d e _%ee#de _&ee#de _'GddeZ(d\a)a*a+a,dZ-e-dZ.dZ/dZ0e j1j2dZ3dZ4e j1j2ddZ5 ddZ6dZ7dS) z+ Clone of p0f v2 passive OS fingerprinting N) KnowledgeBase select_path)conf)raw)IPTCP TCPOptions) NoPayloadPacket)warningScapy_Exception log_runtime)RandIntRandByteRandNum RandShort RandString)sniff)z/etc/p0fz/usr/share/p0fz /opt/localzp0f.fpzp0fa.fpzp0fr.fpzp0fo.fpceZdZdZdZdS)p0fKnowledgeBasec0tj||dSN)r__init__)selffilenames W/mounts/lovelace/software/anaconda3/lib/python3.11/site-packages/scapy/modules/p0fv2.pyrzp0fKnowledgeBase.__init__6stX.....c x t|j}n&#t$rtd|jYdSwxYw g|_|D]}|ddvr t |d}t|dkrCdfd|dd D}|j|d|d|d|d |d |d |d |d ddfn&#t$rtdd|_YnwxYw| dS)NzCan't open base %sr)# :cL|rt|S|Sr)isdigitint)xs ra2iz'p0fKnowledgeBase.lazy_init..a2iIs"yy{{&"1vv Hrc&g|] }|Sr)).0er's r z.p0fKnowledgeBase.lazy_init..Ms!000cc!ff000rz,Can't parse p0f database (new p0f version ?)) openrIOErrorr basetuplesplitlenappend Exceptionclose)rflinelir's @r lazy_initzp0fKnowledgeBase.lazy_init:s T]##AA    ($- 8 8 8 FF  DI C C7k))TZZ__--t99q==1000d1Q3i000   $q'2a5"Q%AQ"&q'47DGCRCL"BCCCC C"    B C C CDIII   s;;CD D#"D#N)__name__ __module__ __qualname__rr@r)rrrr5s2///rr)NNNNcttjattjattjattja dSr) rrp0f_basep0f_kdb p0fa_basep0fa_kdb p0fr_basep0fr_kdb p0fo_basep0fo_kdbr)rrp0f_load_knowledgebasesrM\sBt}--G//H//H//HHHrc|dzdkrtS|dzdkrtS|dzdvrtS|dzdkrtSdS)Nr/)r.)rFrHrJrL)flagss r p0f_selectdbrTgsW t|s     $ $   trc8 |}|t|}|tr|t rp|t}t|jt rn;|j}|tr|t pt|trt|jt stdt|jj }|j }t|}|dkr|tkrd}nd}|tkrd}d}d}d}d}|jjdzd z }|jjD]@} |d z}| dd kr,|d t%| d zd zz }| d }|dz}@| ddkr$|dt%| d zd zz }|dz}p| ddkr7| d ddkr|dz }n|dz }| d d dkrd}|dz}| ddkr |dz }|d z}| ddkr|dz }| ddkr|dz }|dkrd}t| dt$r!|dt&d | dzz }2|d| dzz }B|dd}|dkrd}|jj} |dkrI|dkr| |zdkrdt%| |z z} n$| |dzzdkrd t%| |dzz z} t%| } d} |tkr|jj d!zd!kr| d"z } |jj|jjkr| d#z } |jjdkr| d$z } |r| d%z } |jdkr| d&z } |jgkr| d'z } |jjdkr| d(z } |jjdkr| d)z } |jjdkr| d*z } |r| d z } |tkr|jj d+zdkr| d,z } n|jj dzdkr| d,z } |tkr$t|jjt4s| d-z } | dkrd} || ||j j||| ffS).NNot a TCP/IP packetd*rr3Fr/rQr-MSSM,WScaleW TimestampzT0,zT,T SAckOKzS,NOPzN,EOLzE,z?%i,.S(TrRKQ0PZIUXA FD)copy __class__rhaslayerrrgetlayer isinstancepayload TypeErrorrTrSttlr9rJrLdataofsoptionsstrr windowseqackidurgptrreservedr DF) pktdbr|ssooomssqqTqqPilenoptionwinqqs r packet2p0frys ((**C --C ! !C ,,r  s||C00ll2 ck3 ' '  k ,,r  s||C00 c2  /jc&B&B/-... ck' ( (B 'C SB Cxx >>BBB X~~  C C C C K 1 $ *D+% * *   !9   3VAY'#- -C)C AIDD AY( " " 3VAY'#- -C AIDD AY+ % %ay|q  u t ay|q   AIDD AY( " " 4KC AIDD AY%   4KCC AY%   4KCaxx&)S)) *v 1 fQi 888vq )) crc(C byy + C byy !88c QC#I&CC C"H  " "C38,---C c((C B X~~ ; t #t + + #IB  {#+/)) c  {! c   c  v{{ c  {b c  {Q c  {q   c  {! c   c  X~~ ; t #q ( ( #IB ; t #q ( ( #IB X~~j) accuracy, [list of guesses] zp0f base empty.r.r\r0r1r2r-) rget_baser r9r8rr:rr|)rrsigpbrmaxbrs rp0fr#s ooGB  [[]]  !"""  A c!fll3 1 $C 77 sA   88 HHadAaD!A$R"45 6 6 6 Hrc  t|}n#t$rYdSwxYw|gkrEdddttt |dzdzdf}n|d}d} t |}n#t$rYnwxYw|dkrd}|d|dzd z|dz}|/||d t |d z zd zz }n||d z }|d|dt |dzdzz }t|dS)z,Calls p0f and returns a user-friendly outputNUNKNOWN[r!r-z:?:?]rz%IP.src%:%TCP.sport% -  z (up: iz- hrs) -> %IP.dst%:%TCP.dport% (%TCP.flags%)z( -> %IP.dst%:%TCP.dport% (%TCP.flags%)r/z (distance )) rr;joinmaprr pkt2uptimesprintfprint)rruptimeress rprnp0fr:ss HH Bww chhs3 30B'C'CDDDwNPT U aD F C       {{ ++/!A$6| d "r!t+| d |j_!n| d d dkr?t+| d d d}|t1d d|zz|j_!n| d d dkr+|t+| d d dz|j_!nu| d d dkrTd-|D}|std.|d d t+| d d dz|j_!ntd/| d |z |_#|xj d| dzzc_ | d#dkr| d#D]}|d0krd |_$|d1krtA|j_%0|d2krtM|j_'O|d3krK|tPkr|jxj d4zc_ v|jxj tj)gd5zc_ |d6krD|tPkr9|tUj+t9tjd d78z}|d9kr|jj'|j_,d:| d#vr d |j_,n(|jj,d krtM|j_,|j-r|j-}|j-|S);aModifies pkt so that p0f will think it has been sent by a specific OS. If osdetails is None, then we randomly pick up a personality matching osgenre. If osgenre and signature are also None, we use a local signature (using p0f_getlocalsigs). If signature is specified (as a tuple), we use the signature. For now, only TCP Syn packets are supported. Some specifications of the p0f.fp file are not (yet) implemented.rVNc,g|]}|dk|S)r1r))r*r&osgenres rr,z#p0f_impersonate..s" / / /Aqtwarc,g|]}|dk|S)r2r))r*r& osdetailss rr,z#p0f_impersonate..s'5551Q49#4#4!#4#4#4rr.c&g|]}d|dv |Srir0r)r*r&s rr,z#p0f_impersonate..s!///3!A$;;!;;;rc&g|]}d|dv |Srr)rs rr,z#p0f_impersonate..s!3333ad??!???rzNo match in the p0f databaserr-c4t|tr|ndSr)ryr%)vals rz!p0f_impersonate..s*S#"6"6@33DrrZr^c&g|] }|Sr)r))r*oint_onlys rr,z#p0f_impersonate..s!MMMqxx{{MMMrr`)NNrer\r[rfirXrr/r_)minrT0)r`)rrrhlxlwr0l)rbrYN)rcNE)rdN?rYzunhandled TCP option %sc*g|]}|ddk|S)rrZr)rs rr,z#p0f_impersonate..s!333QQqTU]]q]]]rz5TCP window value requires MSS, and MSS option not setz#Unhandled window size specificationrmrorqrsrr)r"rrrgrt )loadrjrk).rurwrrrxryrzr{rTrSrp0f_getlocalsigsrJr randomrandintr9dictr~getr8r%r:rrr structunpackrcalcsize_fixr rrr$r|rrrrrLchoicer raw_layerr underlayer)rrr signature extrahopsmturrrpers orig_optsmss_hint wscale_hintts_hintr~rmaxmsscoefts_ats_boptname optstructrrrs `` @rp0f_impersonateris  ((**C ,,r  s||C00ll2 ck3 ' '  k ,,r  s||C00 c2  /jc&B&B/-... ck' ( (B $ [[]] :B / / / / / / /  65555R555B $[    # X~~ ; s "c ) )//R///BB33R333B ><=== fnQB! ,, -D S[())I@@Hx e,,--H(9==2233KMMMMIMM+|$L$LMMMGG Aw#~~7==%%Z *Z *C1v}}71:$$'CQ ,<,<>+x'89999v~a/H/H'IJJJJVs]]s122w<'>'>'>$'>'>'>'>"&Kqrr7c>>".+'>????(**'=>>>>Vs]]s122w<????$dWd@R-S-S-S&S(UVVVVNNHc#abb'll#;<<<<45555%!DDQZIA $:$:$:$:U$:$:$:$:$:#1:DD!>#/GHHDd1g%%DDQZ 8A $:$:$:$:U$:$:$:$:$:"1:DD">!Y77D dD\:;;;;~....}----}----Q3s122w<<:a=00(mCABBLL9!INNG$*M)2>K%%-%%%K%%{{{)C)CC%%%srX~~t~:fnQ6K6K+L+LMMMMs"%+/   d1g~~  A  !))  .n . Jrc0 tj}tjdd}|dkri fd}tjdd}d}t |dt|z|d }|D]}t|D] }|| tj |dn|dkrtj d ntj d tjtjtj } |d|fn#tj $rYnwxYw|d|f|d|f|tjd S) aThis function returns a dictionary of signatures indexed by p0f db (e.g., p0f_kdb, p0fa_kdb, ...) for the local TCP/IP stack. You need to have your firewall at least accepting the TCP packets from/to a high port (30000 <= x <= 40000) on your loopback interface. Please note that the generated signatures come from the loopback interface and may (are likely to) be different than those generated on "normal" interfaces.i0ui@rc|dvr|dg|d<dS|d|dvr)|d|ddSdS)Nrr-)r:)rresults r addresultz#p0f_getlocalsigs..addresultGsp1vV##"%a&s1vq6A//3q6N))#a&111110/rz 127.0.0.1z tcp and port r])ifacefiltercounttimeoutz fork errorr-)type)osforkrrrrouterrrwaitpidrerrortimesleepsocketAF_INET SOCK_STREAMconnectbindr<_exit) pidportrrrplrelts1rs @rrr7s '))C >% ' 'D Qww 2 2 2 2 2   --a0 T'B%YZ [ [ [  C!#   #  3 q,'''' 1 ]6>0B C C C  JJ T* + + + +|    D  d#$$$ K&'''    MsD++D=<D=)rW)NNNrrN)8__doc__rrrrr scapy.datarr scapy.configr scapy.compatrscapy.layers.inetrrr scapy.packetr r scapy.errorr r rscapy.volatilerrrrrscapy.sendrecvrr scapy.routescapy _p0fpathsrErGrIrKrrFrHrJrLrMrTrrcommandsregisterrrrrrr)rrrs  111111111111111111********==========LLLLLLLLLLLLLL : 8 8 8  Ix00 Y 22Y 22Y 22(!!!!!}!!!H)?%8X000$J7J7J7Z   :   ,8++++$BF26KKKK\44444r