NAME
sinfp3.pl - more than a passive and active OS fingerprinting tool
SYNOPSIS
o Information about signature database updates and more:
o https://www.secure-side.com/lists/mailman/listinfo/sinfp
sinfp3.pl [options] -target ip|ip6|hostname -port port|portList
Examples:
# Single port active fingerprinting
sinfp3.pl -target example.com -port 80 -input-ipport -verbose 1
# Single port IPv6 active fingerprinting
sinfp3.pl -target example.com -port 80 -input-ipport -verbose 1 -6
# SynScan active fingerprinting of a single target
sinfp3.pl -target example.com -port top100 -verbose 1
# SynScan IPv6 active fingerprinting of a single target
sinfp3.pl -target example.com -port top100 -verbose 1 -6
# SynScan active fingerprinting of a target subnet
sinfp3.pl -target 192.0.43.0/24 -port top100 -verbose 1
# Passive fingerprinting
sinfp3.pl -mode-passive -search-active -input-sniff -verbose 1
# Passive IPv6 fingerprinting
sinfp3.pl -mode-passive -search-active -input-sniff -verbose 1 -6
# Active fingerprinting of LAN
sinfp3.pl -input-arpdiscovery -verbose 1
# Active fingerprinting of IPv6 LAN
sinfp3.pl -input-arpdiscovery -verbose 1 -6
# Simply SynScan the target
sinfp3.pl -target example.com -port full -mode-null -search-null -db-null -verbose 1
OPTIONS
- Global:
-
- -version
-
Print sinfp3.pl version.
- -help
-
This help message.
- -target ip|ip6|hostname
-
Target. This is used to auto-detect some global parameters like device or ip.
- -port port|portList|top10|top100|top1000|all
-
Target port. Default for top10 ports for plugins able to handle multiple ports. This format is documented in `perldoc Net::SinFP3::Global' expandPorts method.
- -port-src port
-
Source port to use. Not supported by all plugins.
- -6
-
Use IPv6 fingerprinting where available. Default to off.
- -jobs number
-
Maximum number of jobs in parallel. Default: 10.
- -dns-resolve
-
Do DNS resolution for target. Default to yes.
- -dns-reverse
-
Do a reverse DNS lookup for targets. Default to no.
- -device name
-
Network device to use. Default to auto-detect.
- -thread
-
Use threaded worker model (discouraged). Fork is used by default (and in Perl, it is better than ithreads).
- -retry times
-
Re-launch probes specified number of time. Default: 3.
- -timeout seconds
-
Time in seconds before timing out. Default: 3.
- -pps number
-
Number of packet per seconds. Default: 200.
- -ip-src ip
-
The source IPv4 address to use. Default to auto-detect.
- -ip6-src ip6
-
The source IPv6 address to use. Default to auto-detect.
- -mac-src mac
-
The source MAC address to use. Default to auto-detect.
- -subnet-src subnet
-
The source IPv4 subnet address to use. Default to auto-detect.
- -subnet6-src subnet
-
The source IPv6 subnet address to use. Default to auto-detect.
- -ip-gateway ip
-
The gateway IPv4 address to use. Default to auto-detect.
- -ip6-gateway ip6
-
The gateway IPv6 address to use. Default to auto-detect.
- -mac-gateway mac
-
The gateway MAC address to use. Default to auto-detect.
- -verbose level
-
Use the following verbose level number. Between 0 and 3, from the less verbose to the most verbose. Default to 1.
- -threshold score
-
Use the specified threshold for plugins supporting it. Default to no threshold (0).
- -best-score
-
Only gather results for the best matches. Default to not.
- Manually select all plugins and their options:
-
- -input plugin
-
Use specified plugin for input. Default input plugin is Net::SinFP3::Input::SynScan.
- -input-arg plugin-arg
-
Parameter to the specified input plugin. Must use multiple times to give multiple parameters.
- -db plugin
-
Use specified plugin for db. Default DB plugin is Net::SinFP3::DB::SinFP3. Example: "sinfp3.pl -db SinFP3 -db-arg file=sinfp3.db".
- -db-arg plugin-arg
-
Parameter to the specified db plugin. Must use multiple times to give multiple parameters.
- -mode plugin
-
Use specified plugin for mode. Default mode plugin is Net::SinFP3::Mode::Active.
- -mode-arg plugin-arg
-
Parameter to the specified mode plugin. Must use multiple times to give multiple parameters.
- -search plugin
-
Use specified plugin for search. Default search plugin is Net::SinFP3::Search::Active.
- -search-arg plugin-arg
-
Parameter to the specified search plugin. Must use multiple times to give multiple parameters.
- -output plugin
-
Use specified plugin for output. Default output plugin is Net::SinFP3::Output::Console.
- -output-arg plugin-arg
-
Parameter to the specified output plugin. Must use multiple times to give multiple parameters.
- Plugin loading options:
-
- input-null
-
Turn off input plugin.
- input-arpdiscover
-
Use ARP scanning on the local subnet to discover targets. Works also with -6 argument.
- input-pcap
-
Take a pcap file (or files) as input.
- input-synscan
-
Perform a TCP SYN scan to find open ports. Default plugin.
- input-ipport
-
Use only target IP or hostname and one port.
- input-sniff
-
Listen on the network to capture frames.
- input-signature
-
Will ask the end-user to past an active signature as a string.
- input-signaturep
-
Will ask the end-user to past a passive signature as a string.
- mode-null
-
Turn off mode plugin.
- mode-active
-
Run using active plugin. This does active OS fingerprinting via SinFP3 engine.
- mode-passive
-
Run using passive plugin. This does passive OS fingerprinting via SinFP3 engine.
- db-null
-
Turn off DB plugin.
- db-sinfp3
-
Use Net::SinFP3::DB::SinFP3 database plugin. Default plugin.
- search-null
-
Turn off search plugin.
- search-active
-
Perform a search through a database in active mode. Default plugin.
- search-passive
-
Perform a search through a database in passive mode.
- log-null
-
Turn off log plugin.
- log-console
-
Log messages to the console. Default plugin.
- output-null
-
Turn off output plugin.
- output-console
-
Render output to the console. Default plugin.
- output-dumper
-
Prints a dump to the console.
- output-osonly
-
Only outputs operating system, and not full details of the fingerprint.
- output-osversionfamily
-
Only outputs operating system and its version family, and not full details of the fingerprint.
- output-pcap
-
Saves a trace to a pcap file. You can reply it afterwards using Net::SinFP3::Input::Pcap.
- output-csv
-
Saves fingerprinting results a csv file. You can use -csv-file to choose the output file.
- output-ubigraph
-
Takes a CSV file and display results using Ubigraph. You must use a CSV file as generated by Net::SinFP3::Output::CSV. You can use -csv-file to choose the input file.
- Plugin specific options:
-
- -db-update
-
Will update the database for the selected Net::SinFP3::DB plugin.
- -db-file file
-
Database file to use. Default is plugin dependant.
- -sniff-promiscuous
-
Use promiscuous mode while sniffing. Default to true.
- -pcap-anonymize
-
Replaces IP source and destination addresses (and update IP/TCP checksums) to anonymize a pcap output. Default to not.
- -pcap-append
-
Append to an already existing pcap file. Default to not.
- -pcap-filter pcap
-
Use specified pcap filter. Use it where available.
- -csv-file file
-
Use input taken from specified CSV file.
- -pcap-file file|fileList
-
Use input taken from specified pcap file or fileList. FileList uses Perl glob function.
- -active-3
-
Run all probes in active mode (default).
- -active-2
-
Run only probes P1 and P2 in active mode (stealthier).
- -active-1
-
Run only probe P2 in active mode (even stealthier).