User:Xnih/satori os fingerprinting

Satori is a passive OS identification/fingerprinting tool. Using WinPcap it listens on the wire to all IP traffic, not just TCP SYN and SYN-ACK packets, and tries to use everything it hears to determine the OS of the devices it sees.

Features
Satori does passive OS identification via a multitude of methods. The primary ones currently being actively updated are: TCP (p0f-style fingerprinting), DHCP, Web and SMB.

Other methods are CDP, HPSP, ICMP, EIGRP, HSRP (Hot Standby Router Protocol), mDNS, OSPF, Skinny (Cisco SCCP), SNMP, STP, UPnP and IPX/SPX.

The most actively used one right now is DHCP fingerprinting, which has started to take off in the past year or two as NAC solutions pick it up. It keys largely on the client's Option 55 parameter request list: which options a DHCP client asks for, and in what order, differs enough between OS DHCP clients to tell them apart.
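As an added worked example (this is not Satori's code and not its dhcp.xml), here is the core of that technique in Python: parse the option area of a raw DHCP message, pull out Option 55 as an ordered list, and look it up in a small table. The packet bytes, the table entries, and the helper names (build_dhcp, identify and so on) are constructed for the illustration; the Windows XP list is the commonly cited one, the second entry mimics a dhclient default request list.

```python
"""DHCP Option 55 fingerprinting (added example, not Satori code or its dhcp.xml)."""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"

# Illustrative table: parameter request list (Option 55, in the order the client sends it) -> OS.
# Constructed for this example; the Linux line mimics a dhclient default request list.
DHCP_FINGERPRINTS = {
    "1,15,3,6,44,46,47,31,33,249,43": "Windows XP",
    "1,28,2,3,15,6,12": "Linux (dhclient, example list)",
}


def parse_dhcp_options(body):
    """Return {code: raw value} for the option area that follows the 236-byte fixed header."""
    if body[:4] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 4
    while i < len(body):
        code = body[i]
        if code == 0:                 # PAD: single byte, no length field
            i += 1
            continue
        if code == 255:               # END
            break
        if i + 1 >= len(body):
            raise ValueError("truncated option")
        length = body[i + 1]
        opts[code] = body[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def dhcp_fingerprint(packet):
    """Return (op, message type, Option 55 as 'a,b,c', vendor class) for a raw DHCP packet."""
    if len(packet) < 240:
        raise ValueError("too short to be DHCP")
    op = packet[0]                    # 1 = BOOTREQUEST (client), 2 = BOOTREPLY (server)
    opts = parse_dhcp_options(packet[236:])
    mtype = opts[53][0] if opts.get(53) else 0
    prl = ",".join(str(b) for b in opts.get(55, b""))
    vendor = opts.get(60, b"").decode("ascii", "replace")
    return op, mtype, prl, vendor


def identify(packet, db=DHCP_FINGERPRINTS):
    """Look the client's request list up; only DISCOVER (1) and REQUEST (3) from clients count."""
    op, mtype, prl, _vendor = dhcp_fingerprint(packet)
    if op != 1 or mtype not in (1, 3) or not prl:
        return None
    return db.get(prl)


def build_dhcp(mtype, prl, vendor=b"", op=1, mac=b"\x00\x0c\x29\x01\x02\x03"):
    """Construct a DHCP message carrying Options 53/55/60 (sample input, not a real capture)."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, 0x3903F326, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4, mac.ljust(16, b"\0"),
                        b"\0" * 64, b"\0" * 128)
    opts = bytes([53, 1, mtype, 55, len(prl)]) + bytes(prl)
    if vendor:
        opts += bytes([60, len(vendor)]) + vendor
    return fixed + DHCP_MAGIC + opts + b"\xff"


# Constructed Windows XP-style DISCOVER: the classic Option 55 list plus vendor class "MSFT 5.0".
XP_DISCOVER = build_dhcp(1, [1, 15, 3, 6, 44, 46, 47, 31, 33, 249, 43], vendor=b"MSFT 5.0")

if __name__ == "__main__":
    print(dhcp_fingerprint(XP_DISCOVER), "->", identify(XP_DISCOVER))
```

Two points the code makes explicit: the list is matched as an ordered string, since two clients can request the same options in a different order, and only client messages (BOOTREQUEST carrying DISCOVER or REQUEST) are fingerprinted; an OFFER from the server says nothing about the client. Option 60 (vendor class identifier) is returned as well because it is a useful secondary cue when the request list alone is ambiguous.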

TCP fingerprinting has been around for years; p0f, siffon, etc. have all done it in the past, but those projects are no longer being updated. Satori uses the p0f v2 signature format, or something close to it, for its TCP fingerprinting. Some of the tests that p0f v2 did have not been entirely implemented in the TCP DLL that Satori uses.

For a better rundown of most of the tests, look here.
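As an added worked example of the p0f v2-style signature mentioned above (this is not Satori's TCP DLL and not p0f's code), the following Python builds a raw IPv4/TCP SYN, derives the `wwww:ttl:D:ss:OOO:QQ` signature p0f v2 uses (window, initial TTL, DF bit, total packet size, option list, quirks) and matches it against a two-line table in the same layout. The packets, the table entries and the helper names (build_syn, syn_signature, match) are constructed for the illustration; the two signatures are common shapes written for the example, not copied from p0f.fp or Satori's tcp.xml.

```python
"""p0f v2-style TCP SYN fingerprinting on raw IPv4 packets (added example, not Satori code)."""
import struct

# Illustrative fingerprint table in p0f v2 line layout wwww:ttl:D:ss:OOO...:QQ:OS:Details
# (two well-known shapes, written for this example; not copied from p0f.fp or Satori's tcp.xml).
FINGERPRINTS = [
    "S4:64:1:60:M*,S,T,N,W7:.:Linux:2.6",
    "65535:128:1:48:M*,N,N,S:.:Windows:XP/2000",
]

def initial_ttl(ttl):
    """Round the observed TTL up to the nearest common initial value (32/64/128/255)."""
    return next((guess for guess in (32, 64, 128) if ttl <= guess), 255)

def parse_tcp_options(raw):
    """Walk the TCP option block; return (p0f option tokens, MSS or None)."""
    tokens, mss, i = [], None, 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                            # EOL
            tokens.append("E")
            break
        if kind == 1:                            # NOP
            tokens.append("N")
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2:  # truncated or broken option
            tokens.append("?")
            break
        length, body = raw[i + 1], raw[i + 2:i + raw[i + 1]]
        if kind == 2 and len(body) == 2:         # MSS
            mss = struct.unpack("!H", body)[0]
            tokens.append(f"M{mss}")
        elif kind == 3 and len(body) == 1:       # window scale
            tokens.append(f"W{body[0]}")
        elif kind == 4:                          # SACK permitted
            tokens.append("S")
        elif kind == 8 and len(body) == 8:       # timestamp; T0 marks a zero TSval
            tokens.append("T" if struct.unpack("!I", body[:4])[0] else "T0")
        else:
            tokens.append(f"?{kind}")
        i += length
    return tokens, mss

def syn_signature(packet):
    """Derive the p0f v2 signature 'wwww:ttl:D:ss:OOO:QQ' from an IPv4/TCP SYN."""
    ver_ihl, _, total_len, ip_id, frag, ttl, proto = struct.unpack("!BBHHHBB", packet[:10])
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 6:
        raise ValueError("not TCP")
    tcp = packet[ihl:total_len]
    _, _, _, ack, off_flags, win, _, urg = struct.unpack("!HHIIHHHH", tcp[:20])
    doff, flags = (off_flags >> 12) * 4, off_flags & 0x1FF
    if not flags & 0x02 or flags & 0x10:
        raise ValueError("not a bare SYN")
    opts, mss = parse_tcp_options(tcp[20:doff])
    # p0f writes the window as a multiple of MSS (Snn) or of MTU (Tnn) when it divides evenly.
    if mss and win % mss == 0:
        wwww = f"S{win // mss}"
    elif mss and win % (mss + 40) == 0:
        wwww = f"T{win // (mss + 40)}"
    else:
        wwww = str(win)
    # Quirks: Z zero IP ID, I IP options, U urgent pointer set, A ACK number set, D payload on SYN.
    quirks = "".join(flag for cond, flag in (
        (ip_id == 0, "Z"), (ihl > 20, "I"), (urg, "U"), (ack, "A"), (len(tcp) > doff, "D")) if cond)
    df = 1 if frag & 0x4000 else 0
    return f"{wwww}:{initial_ttl(ttl)}:{df}:{total_len}:{','.join(opts)}:{quirks or '.'}"

def match(sig, db=FINGERPRINTS):
    """Return 'OS Details' strings for every entry matching sig; '*' and 'M*' are wildcards."""
    w, ttl, df, size, opts, quirks = sig.split(":")
    hits = []
    for entry in db:
        ew, ettl, edf, esize, eopts, equirks, os_name, detail = entry.split(":")
        if ew not in ("*", w) or (ettl, edf, esize, equirks) != (ttl, df, size, quirks):
            continue
        mine, theirs = opts.split(","), eopts.split(",")
        if len(mine) == len(theirs) and all(
                t == m or (t == "M*" and m.startswith("M")) for m, t in zip(mine, theirs)):
            hits.append(f"{os_name} {detail}")
    return hits

def build_syn(ttl, win, ip_id, df, options):
    """Construct an IPv4/TCP SYN with zero checksums (sample input, not a real capture)."""
    assert len(options) % 4 == 0, "options must already be 4-byte aligned"
    tcp_len = 20 + len(options)
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 0x12345678, 0, (tcp_len // 4) << 12 | 0x02, win, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, ip_id, 0x4000 if df else 0,
                     ttl, 6, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
    return ip + tcp + options

# Constructed option blocks: MSS 1460, SACK-OK, timestamp, NOP, WS 7 (Linux 2.6 shape, 20 bytes)
# and MSS 1460, NOP, NOP, SACK-OK (Windows XP shape, 8 bytes).
LINUX_OPTS = b"\x02\x04\x05\xb4\x04\x02\x08\x0a\x00\x01\xe2\x40\x00\x00\x00\x00\x01\x03\x03\x07"
XP_OPTS = b"\x02\x04\x05\xb4\x01\x01\x04\x02"
LINUX_SYN = build_syn(ttl=52, win=5840, ip_id=0x1234, df=1, options=LINUX_OPTS)  # 12 hops away
XP_SYN = build_syn(ttl=118, win=65535, ip_id=0x0100, df=1, options=XP_OPTS)
```

Running `syn_signature(LINUX_SYN)` gives `S4:64:1:60:M1460,S,T,N,W7:.`: the window 5840 is four times the MSS, so it is written `S4`, the observed TTL of 52 is rounded up to an initial 64, and the absence of quirks is written as `.`. The same SYN with a zero IP ID picks up the `Z` quirk and no longer matches the Linux line, which is the kind of detail that separates a real p0f-style match from a loose "window and TTL look right" guess.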

Tools using these fingerprinting techniques/files
Using Satori Fingerprinting files:
 * NetworkMiner - uses the DHCP and TCP fingerprint files

Using similar techniques:
 * p0f - did a lot of the initial groundwork for passive fingerprinting
 * siffon
 * ettercap
 * PacketFence - open-source NAC that uses DHCP Option 55 data for DHCP fingerprinting

History
The latest history file can always be found here.