
News:
08-02-00: New page layout in effect. The lecture at DEFCON 8 was a success; many new ideas were shared and will hopefully be delivered to you in the next release.
The paper will be available soon.

What is Siphon?:
      The Siphon Project is a portable passive network mapping suite. In the latest public version, Siphon passively maps TCP ports and performs passive operating system detection. Through the magic of RFC ambiguity and programmer uniqueness, different machines exhibit telltale characteristics that enable Siphon to make a fairly accurate guess at which operating system is running on machines sending packets out over the wire. The beauty of this method is that our tool does not need to send out a slew of non-RFC-compliant packets that trip intrusion detection systems. In fact, we send out no packets at all. Whereas nmap crashes some machines and network hardware when performing its active OS detection tests, Siphon would never crash remote machines. This tool could be used on active production networks to detect that a Linux machine suddenly appeared in your all-Sun shop. As a side note, if used in conjunction with firewalling ARP on the machine you run Siphon from, it will be difficult to detect. Siphon is available for UNIX and Win32.
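The page does not say which header fields Siphon compares, so the following Python is an added example and not Siphon's code: it assumes the fields commonly used for passive fingerprinting (initial TTL, TCP window size and the DF bit) and flags hosts whose print does not match the expected OS. The print table, the sample packets and all function names are constructed for illustration and are not taken from osprints.conf.

```python
import socket
import struct

# Illustrative prints constructed for this example, keyed on
# (initial TTL, TCP window, DF bit). Not taken from osprints.conf.
PRINTS = {
    (64, 32120, True): "Linux",
    (255, 8760, True): "Solaris",
    (128, 8192, True): "Windows",
}

def initial_ttl(ttl):
    """Round an observed TTL up to the likely initial value (routers only decrement it)."""
    return next(t for t in (32, 64, 128, 255) if ttl <= t)

def fingerprint(packet):
    """Return (source IP, OS guess) for a raw IPv4 packet with SYN set, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                           # too short or not IPv4
    ihl = (packet[0] & 0x0F) * 4              # IP header length in bytes
    if ihl < 20 or packet[9] != 6 or len(packet) < ihl + 20:
        return None                           # malformed, not TCP, or truncated
    flags_frag, ttl = struct.unpack_from("!HB", packet, 6)
    if flags_frag & 0x3FFF:
        return None                           # fragmented: TCP header may be absent
    tcp_flags, window = struct.unpack_from("!BH", packet, ihl + 13)
    if not tcp_flags & 0x02:
        return None                           # only SYN segments carry the initial window
    key = (initial_ttl(ttl), window, bool(flags_frag & 0x4000))
    return socket.inet_ntoa(bytes(packet[12:16])), PRINTS.get(key, "unknown")

def unexpected(packets, expected_os):
    """List (source IP, guess) for hosts whose print does not match the expected OS."""
    hits = (fingerprint(p) for p in packets)
    return [h for h in hits if h and h[1] != expected_os]

def build_syn(src, ttl, window, df=True):
    """Build a constructed IPv4+TCP SYN for the demo (checksums left as zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000 if df else 0, ttl, 6, 0,
                     socket.inet_aton(src), socket.inet_aton("192.0.2.1"))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, 0x02, window, 0, 0)
    return ip + tcp

# Constructed capture: two Solaris-like hosts and one Linux-like host.
SAMPLE = [build_syn("192.0.2.10", 250, 8760), build_syn("192.0.2.11", 252, 8760),
          build_syn("192.0.2.66", 61, 32120)]

if __name__ == "__main__":
    for ip, guess in unexpected(SAMPLE, "Solaris"):
        print(f"{ip}: looks like {guess}, expected Solaris")
```

A host reported as "unknown" is also listed by `unexpected`, since a print missing from the table is worth a look on a network that is supposed to be uniform.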

Download:
Filename              Checksum       Description
siphon-v.666.tar.gz   MD5 Checksum   UNIX Source Code (7 KB)
siphon-v.666.zip      MD5 Checksum   Win32 Source Code and Binary (44 KB) by Mike Davis
siphon-report.pl      MD5 Checksum   Perl Report Generator (nmap-style)
osprints.conf         MD5 Checksum   OS Prints Database as of 08-02-00

Mirrors:
  United States
  • http://siphon.datanerds.net

FAQ:
    Coming Soon, We swear it...

Contact Information:
    Direct all questions and new OS fingerprints to siphon@subterrain.net
    All Win32 Siphon questions go to Michael Davis

Changelog:
    Soon enough...

Links:
  • Lance Spitzner. "Passive Fingerprinting: IDing remote hosts, without them knowing".
  • Coretez Geovanni. "Passive Mapping: An Offensive Use of IDS". April 11, 2000.
  • Max Vision. "Passive Host Fingerprinting".

All Content Copyright (c) 2000 Subterrain Security Group