[unisog] Identifying if node is a router or PC

Frank Bulk frnkblk at iname.com
Mon Jul 16 14:33:36 GMT 2007


Paul:

Thanks for the suggestion.  Because I work in a service provider environment
(I lurk for many of the good ideas and topics this group discusses, much
cleaner than NANOG) the clients aren't connecting to a Samba box.

There's no reason to believe that the endpoints are forging the MAC 
address on their broadband router, though some may bother to do that.

Besides MAC addresses, I'm also extracting the client-hostnames from 
dhcpd.leases.  Here are some examples:
  client-hostname "WGR614";
  client-hostname "WGR614v2";
  client-hostname "WGR614v4";
  client-hostname "WGR614v5";
  client-hostname "WGR614v6";
  client-hostname "WGR614v7";
  client-hostname "WGT624";
  client-hostname "WGT624v3";
  client-hostname "WPN824";
  client-hostname "WPNT834";
This is a good method with low false positives, but if they change their
broadband router's host name it's an unknown.

I know that Network Chemistry has a RogueScanner and I may need to revisit
that product.

Regards,

Frank
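
An added example, not from the thread, of the dhcpd.leases hostname check
described above, written in Python rather than the Perl asked about; the
model table and the lease records are constructed for the demonstration:

```python
import re

# Constructed example: the Netgear model names listed from dhcpd.leases above
# (WGR614, WGT624, WPN824, WPNT834) serve as the known broadband-router table.
KNOWN_ROUTER_MODELS = {"WGR614", "WGT624", "WPN824", "WPNT834"}
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
FIELD_RE = re.compile(r"^\s*(hardware ethernet|client-hostname|binding state)\s+(.*?);", re.M)
KEYS = {"hardware ethernet": "mac", "client-hostname": "hostname", "binding state": "state"}

def parse_leases(text):
    """{ip: record}; dhcpd appends a block per renewal, so a later block for the same IP wins."""
    leases = {}
    for m in LEASE_RE.finditer(text):
        rec = {"mac": None, "hostname": None, "state": None}
        for f in FIELD_RE.finditer(m.group(2)):
            key, val = KEYS[f.group(1)], f.group(2).strip().strip('"')
            rec[key] = val.lower() if key == "mac" else val
        leases[m.group(1)] = rec
    return leases

def classify(hostname):
    """'router' for a known model (optional v<N> suffix), else 'unknown' (e.g. a renamed router)."""
    if not hostname:
        return "unknown"
    base = re.sub(r"v\d+$", "", hostname, flags=re.I)
    return "router" if base.upper() in KNOWN_ROUTER_MODELS else "unknown"

def router_report(text):
    """{ip: (mac, hostname, verdict)} for leases whose binding state is active."""
    return {ip: (r["mac"], r["hostname"], classify(r["hostname"]))
            for ip, r in parse_leases(text).items() if r["state"] == "active"}

# Constructed sample: 10.0.0.11 renews once after its owner renamed the router.
SAMPLE = """\
lease 10.0.0.11 {
  binding state active;
  hardware ethernet 00:0F:B5:AA:BB:CC;
  client-hostname "WGR614v6";
}
lease 10.0.0.12 {
  binding state active;
  hardware ethernet 00:16:d3:11:22:33;
  client-hostname "WGT624v3";
}
lease 10.0.0.11 {
  binding state active;
  hardware ethernet 00:0F:B5:AA:BB:CC;
  client-hostname "home-gateway";
}
"""
```

The renewed lease for 10.0.0.11 shows the caveat from the message: once the
hostname is changed, the same device drops to "unknown".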

-----Original Message-----
From: unisog-bounces at lists.dshield.org
[mailto:unisog-bounces at lists.dshield.org] On Behalf Of Paul FM
Sent: Monday, July 16, 2007 9:09 AM
To: UNIversity Security Operations Group
Subject: Re: [unisog] Identifying if node is a router or PC

Whatever does the identifying would have to work by watching the packets for
DHCP and DNS (very closely, more than the standard DHCP logs), as most of
these devices will do DHCP themselves and will proxy DNS (through their own
internal DNS server) - it would have to fingerprint those packets (to try and
id the manufacturer).  Other than that, the MAC address is easily (and likely)
forged on these devices, and the nature of NAT makes it very hard to
fingerprint the machine by scanning (some of the ports you connect to may go
back to the client machine).  And of course, even a Windows XP Home computer
can be a NAT router (very easily).

One possible way is to use SAMBA as your watcher.  Samba knows the NAME of the
connecting machine (as the client knows it) and if you can entice your
clients to at least try to connect to a machine running samba, you would be
able to watch for multiple Windows clients (names) coming through one IP
address (something I should work on myself - thanks for getting me to think
about it).

Also web logs may be able to help a little.




Frank Bulk wrote:
> Does anyone know of a program, or preferably, a Perl module, that would
> allow me to identify if a node is a computer or a broadband router?
> Information beyond that (such as OS or broadband router model number) would
> be a bonus.
>
> I looked at nmap, but based on my reading and anecdotal tests, it doesn't
> seem to do that well on routers that are doing NAT.  I would even accept MAC
> address identification, too, if there was actually an updated list that
> extended beyond the standard OUI.
>
> Any suggestions would be helpful.  I've also looked at p0f and SinFP, and
> they don't appear to be any more helpful.
>
> Regards,
>
> Frank
>
> _______________________________________________
> unisog mailing list
> unisog at lists.dshield.org
> https://lists.sans.org/mailman/listinfo/unisog

--
---------------------------------------------------------------------
The views and opinions expressed above are strictly
those of the author(s).  The content of this message has
not been reviewed nor approved by any entity whatsoever.
---------------------------------------------------------------------
Paul Markfort   Info: http://www.menet.umn.edu/~paulfm
---------------------------------------------------------------------