-
Notifications
You must be signed in to change notification settings - Fork 25
Home
nmap is an active scanner, it has to send packets out to determine the OS. For it to be able to determine the OS, the system has to respond to those packets. If the local FW is enabled on the device nmap is scanning, it will fail to be able to detect the OS running on the device.
Satori on the other hand is a passive program, it utilizes the packets it sees the system sending out already to determine the OS. Both programs have their specific uses and short comings. Satori ultimately needs to be able to see traffic from a system you're trying to fingerprint or determine the OS on. In some cases, such as SMB or DHCP, it just needs to be on the same segment and then it will see the broadcast packets that the system sends out. In other cases, such as TCP or HTTP it needs to be able to see the traffic that isn't designated to the system running satori, so you'll need to have a span or tap setup and feed that network traffic to satori.
p0f is probably one of the other main passive fingerprinting tools out there. They are now up to version 3 of that product. I have the general code in place for satori to utilize their older fingerprint files from v1 and v2 I believe, but I have not looked at their v3 format at all. The code to utilize their older fingerprint files has not been completed in the python rewrite just yet. I believe it is probably 95% or more done, but as those fingerprints are so old anymore it has not been worth my time just yet to complete and troubleshoot the code. Older versions just fingerprinted the tcp stack though, it did not utilize http user agent or server strings, nor did it do smb or dhcp fingerprinting.
prads is another one that has been utilized by a number of different tools over the years. It does both tcp os fingerprinting and service fingerprinting.
At this time no, but if there is enough interest in it, I may add it in the future. I've also been a fan of p0f, but not knowing when I'll have free time I can't commit to adding it.
A buddy wrote a program years ago and has kept it fairly up to date over the years. If you are on windows and don't want to just edit it with notepad++ or something else you can check out his program here: https://cycocrew.pagesperso-orange.fr/delphi/applications.html
As of this writing it is: Fingerprint Editor 1.00.16 or newer should be used.
That program still points at our old chatteronthewire.org site so this doesn't work, how to I fix that?
This is only needed if you are running 1.00.15 or older, please upgrade to 1.00.16 and then the following is not needed, but is left for historic reasons.
Modify the FingerprintEditor.def file and change it to to the following to grab the latest files from the github repo, replacing the links with: https://raw.githubusercontent.com/xnih/satori/master/fingerprints/[whatever].xml