[unisog] Identifying if node is a router or PC

Paul FM paulfm at me.umn.edu
Mon Jul 16 14:56:04 GMT 2007


If they follow the instructions on their NAT Router they will likely mirror 
their real MAC address to the NAT box (and it will claim that one) - this is 
why I say the MAC addresses are likely forged.

Download and read some of the installation instruction for those devices (and 
you will see what I mean).

And you could entice the machines to look at a web page (maybe your own web 
page could host a java-script applet that gets the computer's COMPUTERNAME and 
HOSTNAME [in case it is linux] environment variable and sends it back so it is 
logged with the IP address it came from).


Frank Bulk wrote:
> Paul:
> 
> Thanks for the suggestion.  Because I work in a service provider environment
> (I lurk for many of the good ideas and topics this group discusses, much 
> cleaner than NANOG) the clients aren't connecting to a Samba box.
> 
> There's no reason to believe that the endpoints are forging the MAC 
> address on their broadband router, though some may bother to do that.
> 
> Besides MAC addresses, I'm also extracting the client-hostnames from 
> dhcpd.leases.  Here are some examples:
>   client-hostname "WGR614";
>   client-hostname "WGR614v2";
>   client-hostname "WGR614v4";
>   client-hostname "WGR614v5";
>   client-hostname "WGR614v6";
>   client-hostname "WGR614v7";
>   client-hostname "WGT624";
>   client-hostname "WGT624v3";
>   client-hostname "WPN824";
>   client-hostname "WPNT834";
> This is a good method with low false positives, but if they change their
> broadband router's host name it's an unknown.
> 
> I know that Network Chemistry has a RogueScanner and I may need to revisit
> that product.
> 
> Regards,
> 
> Frank
> 
> -----Original Message-----
> From: unisog-bounces at lists.dshield.org
> [mailto:unisog-bounces at lists.dshield.org] On Behalf Of Paul FM
> Sent: Monday, July 16, 2007 9:09 AM
> To: UNIversity Security Operations Group
> Subject: Re: [unisog] Identifying if node is a router or PC
> 
> Whatever does the identifying would have to work by watching the packets
> for DHCP and DNS (very closely, more than the standard DHCP logs), as most of
> these devices will do DHCP themselves and will proxy DNS (through their own
> internal DNS server) - it would have to fingerprint those packets (to try
> and id the manufacturer).  Other than that, the MAC address is easily (and
> likely) forged on these devices, and the nature of NAT makes it very hard to
> fingerprint the machine by scanning (some of the ports you connect to may go
> back to the client machine).  And of course, even a Windows XP Home computer
> can be a NAT router (very easily).
> 
> One possible way is to use SAMBA as your watcher.  Samba knows the NAME of
> the connecting machine (as the client knows it) and if you can entice your
> clients to at least try to connect to a machine running samba, you would be
> able to watch for multiple Windows clients (names) coming through one IP
> address (something I should work on myself - thanks for getting me to think
> about it).
> 
> Also web logs may be able to help a little.
> 
> 
> 
> 
> Frank Bulk wrote:
>> Does anyone know of a program, or preferably, a Perl module, that would
>> allow me to identify if a node is a computer or a broadband router?
>> Information beyond that (such as OS or broadband router model number)
>> would be a bonus.
>>
>> I looked at nmap, but based on my reading and anecdotal tests, it doesn't
>> seem to do that well on routers that are doing NAT.  I would even accept
>> MAC address identification, too, if there was actually an updated list that
>> extended beyond the standard OUI.
>>
>> Any suggestions would be helpful.  I've also looked at p0f and SinFP, and
>> they don't appear to be any more helpful.
>>
>> Regards,
>>
>> Frank
>>
>> _______________________________________________
>> unisog mailing list
>> unisog at lists.dshield.org
>> https://lists.sans.org/mailman/listinfo/unisog
> 
> --
> ---------------------------------------------------------------------
> The views and opinions expressed above are strictly
> those of the author(s).  The content of this message has
> not been reviewed nor approved by any entity whatsoever.
> ---------------------------------------------------------------------
> Paul Markfort   Info: http://www.menet.umn.edu/~paulfm
> ---------------------------------------------------------------------

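Frank's dhcpd.leases hostname check, written out as an added example (this is not code from the thread or from any product mentioned in it): it parses ISC dhcpd.leases blocks, flags leases whose client-hostname is one of the factory-default router names quoted above, and deliberately reports everything else as unknown rather than as a PC, because a renamed router or a client that sends no hostname option gives no evidence either way. The lease file content is constructed.

```python
import re

# Constructed sample in ISC dhcpd.leases format (not taken from the thread).
SAMPLE_LEASES = """\
lease 10.1.2.3 {
  hardware ethernet 00:1b:2f:aa:bb:cc;
  client-hostname "WGR614v7";
}
lease 10.1.2.4 {
  hardware ethernet 00:0c:29:11:22:33;
  client-hostname "FRANKS-LAPTOP";
}
lease 10.1.2.5 {
  hardware ethernet 00:1b:2f:dd:ee:ff;
  client-hostname "WPNT834";
}
lease 10.1.2.6 {
  hardware ethernet 00:16:b6:01:02:03;
}
"""

# Default hostnames of the broadband routers quoted in the thread; the
# optional "vN" suffix is the hardware revision (WGR614v2 ... WGR614v7).
ROUTER_HOSTNAME_RE = re.compile(r"^(WGR614|WGT624|WPN824|WPNT834)(v\d+)?$",
                                re.IGNORECASE)
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.DOTALL)

def parse_leases(text):
    """Map IP -> {mac, hostname}; dhcpd appends, so the last block wins."""
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        mac = re.search(r"hardware ethernet\s+([0-9a-fA-F:]+);", body)
        name = re.search(r'client-hostname\s+"([^"]*)";', body)
        leases[ip] = {"mac": mac.group(1).lower() if mac else None,
                      "hostname": name.group(1) if name else None}
    return leases

def classify(lease):
    """'router' only on a factory-default name; anything else is 'unknown'
    (a renamed router or a missing hostname option is not evidence of a PC)."""
    name = lease["hostname"]
    if name and ROUTER_HOSTNAME_RE.match(name):
        return "router"
    return "unknown"

def flag_routers(text):
    """Return (ip, mac, hostname) for every lease that looks like a router."""
    return sorted((ip, l["mac"], l["hostname"])
                  for ip, l in parse_leases(text).items() if classify(l) == "router")
```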