MuonFP is an enterprise ready, TCP passive fingerprinter written in Rust that has no external dependencies such as WireShark or other open source software.

Sundruid

Last update: Sep 22, 2024

Overview

MuonFP is a TCP passive fingerprinter written in Rust that has no external dependencies such as WireShark or other open source software.

The program will create an network tap on the interface specified and log all pcaps to a rotating file scheme in the directory of your choice. SYN and SYN-ACK packets that can be fingerprinted will be logged in a separate file and directory of your choice.

Fingerprint Format

The fingerprint is generated from the pseudo-unique configurations within the TCP settings, specifically during the SYN and SYN-ACK handshake stages. This fingerprint, shaped by the underlying operating system and software stack of the manufacturer, creates a distinct signature that can be traced and analyzed for various purposes. These purposes may include network security, device identification, and traffic monitoring, offering a relatively unique identifier that can be used to profile and track devices across different networks.

Example:

26847:2-4-8-1-3:1460:8

This fingerprint is composed of the following elements extracted from the TCP packet header during the connection negotiation process:

TCP Window Size
TCP Options as found in the KIND settings that include a number and are kept in strict order as this is quasi unique
TCP Maximum Segment Size (MSS) which can provide interesting info including use of VPNs
TCP Window Scale, which is a scaling factor used for TCP Window Size and allows for larger TCP windows

0.1.3 Update

Uses muonfp.conf to provide configurable file paths for logging with filesize limits
Rotating logging
Converted muonfp fingerprinting output to json single line delimited format, added timestamp field
Refactored code files to ease maintenance

Install Instructions (example in Debian)

  mkdir muonfp  
  cd muonfp   
  curl -O -L https://github.com/sundruid/muonfp/releases/download/0.1.3/muonfp013.tar.gz
  tar -xvf muonfp013.tar.gz
  sudo ./install.sh

/etc/muonfp.conf

interface=en0                          # do an 'ip addr show' to find interface name
fingerprints=/var/log/fingerprints     # your directory of choice
pcap=/var/log/pcaps                    # your directory of choice, you can set to /dev/null if you do not want pcaps
max_file_size=10                       # max file size before log rotation occurs in MB

If you do not want to install as a service, do NOT run the install.sh script and instead adjust the .conf file with the locations you want to store data and execute at the CLI.

Compile instructions

Install Rust via their instructions:
https://www.rust-lang.org/tools/install

Clone the repo: 
git clone https://github.com/sundruid/muonfp.git

cd into the directory and execute:
cargo build --release

Your binary will be target/release/muonfp

Interested in a Firewall for fingerprinting? Checkout sundruid/fpfw that will automatically block based on fingerprint using nftables.

[email protected]

A high performance TCP SYN port scanner.

Armada A High-Performance TCP SYN scanner What is Armada? Armada is a high performance TCP SYN scanner. This is equivalent to the type of scanning tha

259 Dec 19, 2022

A tcp over http2 + tls proxy

mtunnel A tcp over http2 + tls proxy. Usage 1. get certificates, by following steps. 2. make your config client config: { "local_addr": "127.0.0.1

9 Sep 5, 2022

🤖 brwrs is a new protocol running over TCP/IP that is intended to be a suitable candidate for terminal-only servers

brwrs is a new protocol running over TCP/IP that is intended to be a suitable candidate for terminal-only servers (plain text data). That is, although it can be accessed from a browser, brwrs will not correctly interpret the browser's GET request.

3 Jul 30, 2021

TCP is so widely used, however QUIC may have a better performance.

TCP is so widely used, however QUIC may have a better performance. For softwares which use protocols built on TCP, this program helps them take FULL advantage of QUIC.

15 Jun 10, 2022

Library + CLI-Tool to measure the TTFB (time to first byte) of HTTP requests. Additionally, this crate measures the times of DNS lookup, TCP connect and TLS handshake.

TTFB: CLI + Lib to Measure the TTFB of HTTP/1.1 Requests Similar to the network tab in Google Chrome or Mozilla Firefox, this crate helps you find the

24 Dec 1, 2022

Comments

Panic on initialization (MacOS M1) thru tun interface

Not sure what info would be the most helpful but:

$ ./muonfp utun4
Listening on interface: utun4
thread 'main' panicked at /Users/andrew/.cargo/registry/src/index.crates.io-6f17d22bba15001f/pnet_datalink-0.29.0/src/bpf.rs:404:44:
misaligned pointer dereference: address must be a multiple of 0x4 but is 0x140809e0e
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
thread caused non-unwinding panic. aborting.
Abort trap: 6

This bug happened on a virtual interface that's basically a tap. Let me know what I can provide to help troubleshoot.

$ rustc --version
rustc 1.76.0 (07dca489a 2024-02-04)
$ uname -a
Darwin marathon 23.5.0 Darwin Kernel Version 23.5.0: Wed May  1 20:12:58 PDT 2024; root:xnu-10063.121.3~5/RELEASE_ARM64_T6000 arm64

opened by andrew-morris 1

Releases(v0.1.3_RHEL)

v0.1.3_RHEL(Sep 17, 2024)

Install as a service for RHEL

Source code(tar.gz)
Source code(zip)
muonfp_RHEL.tar.gz(3.15 MB)
0.1.3(Sep 12, 2024)

Packaged with install script that creates a debian service and logs output to /var/log directory. This is compiled for Debian and tested on Debian v12.

Source code(tar.gz)
Source code(zip)
muonfp013.tar.gz(3.11 MB)