[unisog] Identifying if node is a router or PC

Frank Bulk frnkblk at iname.com
Mon Jul 16 15:53:03 GMT 2007


Paul:

You read the instructions?  You're unlike most end-users. =)

I have browsed through a few of those "Get Started" guides in my life
and can't recall a reference that recommended users to perform MAC
cloning, though it is in most users guides.

Even if I enticed the user to connect to one of our web pages and I 
extracted the COMPUTERNAME, how does that tell me if they're using
a broadband router?  Or are you saying I should do a comparison between
what's in the DHCP leases file and the java-script applet file?

Kind regards,

Frank

-----Original Message-----
From: unisog-bounces at lists.dshield.org
[mailto:unisog-bounces at lists.dshield.org] On Behalf Of Paul FM
Sent: Monday, July 16, 2007 9:56 AM
To: UNIversity Security Operations Group
Subject: Re: [unisog] Identifying if node is a router or PC

If they follow the instructions on their NAT Router they will likely mirror
their real MAC address to the NAT box (and it will claim that one) - this is
why I say the MAC addresses are likely forged.

Download and read some of the installation instructions for those devices (and
you will see what I mean).

And you could entice the machines to look at a web page (maybe your own web
page could host a java-script applet that gets the computer's COMPUTERNAME and
HOSTNAME [in case it is linux] environment variable and send it back so it is
logged with the IP address it came from).


Frank Bulk wrote:
> Paul:
>
> Thanks for the suggestion.  Because I work in a service provider environment
> (I lurk for many of the good ideas and topics this group discusses, much
> cleaner than NANOG) the clients aren't connecting to a Samba box.
>
> There's no reason to believe that the endpoints are forging the MAC
> address on their broadband router, though some may bother to do that.
>
> Besides MAC addresses, I'm also extracting the client-hostnames from
> dhcpd.leases.  Here are some examples:
>   client-hostname "WGR614";
>   client-hostname "WGR614v2";
>   client-hostname "WGR614v4";
>   client-hostname "WGR614v5";
>   client-hostname "WGR614v6";
>   client-hostname "WGR614v7";
>   client-hostname "WGT624";
>   client-hostname "WGT624v3";
>   client-hostname "WPN824";
>   client-hostname "WPNT834";
> This is a good method with low false positives, but if they change their
> broadband router's host name it's an unknown.
>
> I know that Network Chemistry has a RogueScanner and I may need to revisit
> that product.
>
> Regards,
>
> Frank
>
> -----Original Message-----
> From: unisog-bounces at lists.dshield.org
> [mailto:unisog-bounces at lists.dshield.org] On Behalf Of Paul FM
> Sent: Monday, July 16, 2007 9:09 AM
> To: UNIversity Security Operations Group
> Subject: Re: [unisog] Identifying if node is a router or PC
>
> Whatever does the identifying would have to work by watching the packets
> for DHCP and DNS (very closely, more than the standard DHCP logs), as most of
> these devices will do DHCP themselves and will proxy dns (through their own
> internal dns server) - it would have to fingerprint those packets (to try
> and id the manufacturer).  Other than that, the MAC address is easily (and
> likely) forged on these devices, and the nature of NAT makes it very hard to
> fingerprint the machine by scanning (some of the ports you connect to may go
> back to the client machine).  And of course, even a Windows XP Home computer
> can be a NAT router (very easily).
>
> One possible way is to use SAMBA as your watcher.  Samba knows the NAME of
> the connecting machine (as the client knows it) and if you can entice your
> clients to at least try to connect to a machine running samba, you would be
> able to watch for multiple Windows clients (names) coming through one IP
> address (something I should work on myself - thanks for getting me to think
> about it).
>
> Also web logs may be able to help a little.
>
>
>
>
> Frank Bulk wrote:
>> Does anyone know of a program, or preferably, a Perl module, that would
>> allow me to identify if a node is a computer or a broadband router?
>> Information beyond that (such as OS or broadband router model number) would
>> be a bonus.
>>
>> I looked at nmap, but based on my reading and anecdotal tests, it doesn't
>> seem to do that well on routers that are doing NAT.  I would even accept MAC
>> address identification, too, if there was actually an updated list that
>> extended beyond the standard OUI.
>>
>> Any suggestions would be helpful.  I've also looked at p0f and SinFP, and
>> they don't appear to be any more helpful.
>>
>> Regards,
>>
>> Frank
>>
>> _______________________________________________
>> unisog mailing list
>> unisog at lists.dshield.org
>> https://lists.sans.org/mailman/listinfo/unisog
>
> --
> ---------------------------------------------------------------------
> The views and opinions expressed above are strictly
> those of the author(s).  The content of this message has
> not been reviewed nor approved by any entity whatsoever.
> ---------------------------------------------------------------------
> Paul Markfort   Info: http://www.menet.umn.edu/~paulfm
> ---------------------------------------------------------------------

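The two detection ideas in this thread, matching dhcpd.leases client-hostname values against known broadband router model names (Frank's method) and flagging one IP that presents several distinct Windows client names (Paul's Samba/web-log idea), are combined below in an added example. It is not code from either poster; Frank asked for a Perl module, but this uses Python. The lease file contents, MAC addresses, IPs and the (ip, client name) observations are constructed placeholders, and the model-name prefix list is only the handful of names quoted in the thread.

```python
import re
from collections import defaultdict

# Router model-name prefixes taken from the client-hostname values quoted in
# the thread. Extend from your own lease data; this list is deliberately short.
ROUTER_HOSTNAME_PREFIXES = ("WGR614", "WGT624", "WPN824", "WPNT834")

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
MAC_RE = re.compile(r"hardware ethernet\s+([0-9A-Fa-f:]{17})\s*;")
HOSTNAME_RE = re.compile(r'client-hostname\s+"([^"]*)"\s*;')


def parse_leases(text):
    """Parse ISC dhcpd.leases text into {ip: {"mac": ..., "hostname": ...}}.

    dhcpd appends a new block each time a lease changes, so the last block
    for an IP is the current one; later entries overwrite earlier ones.
    """
    leases = {}
    for block in LEASE_RE.finditer(text):
        ip, body = block.group(1), block.group(2)
        mac = MAC_RE.search(body)
        host = HOSTNAME_RE.search(body)
        leases[ip] = {
            "mac": mac.group(1).lower() if mac else None,
            "hostname": host.group(1) if host else None,
        }
    return leases


def looks_like_router(hostname):
    """Hostname heuristic: low false positives, but a renamed router is missed."""
    return bool(hostname) and hostname.upper().startswith(ROUTER_HOSTNAME_PREFIXES)


def ips_with_multiple_names(observations, threshold=2):
    """Several distinct client names behind one IP suggests NAT.

    observations: iterable of (ip, client_name) pairs, e.g. from web or Samba
    logs. Returns {ip: sorted names} for IPs with at least `threshold` names.
    """
    names = defaultdict(set)
    for ip, name in observations:
        names[ip].add(name.upper())
    return {ip: sorted(n) for ip, n in names.items() if len(n) >= threshold}


def classify(leases, observations):
    """'router' on a hostname match or on multiple names behind the IP, else 'unknown'."""
    shared = ips_with_multiple_names(observations)
    result = {}
    for ip, entry in leases.items():
        if looks_like_router(entry["hostname"]):
            result[ip] = "router (hostname)"
        elif ip in shared:
            result[ip] = "router (multiple names behind IP)"
        else:
            result[ip] = "unknown"
    return result


# Constructed sample lease file; MACs and IPs are placeholders, not real devices.
# 10.0.0.8 is a router whose owner renamed it: the hostname rule alone misses it.
SAMPLE_LEASES = """\
lease 10.0.0.5 {
  starts 1 2007/07/16 14:00:00;
  ends 1 2007/07/16 20:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "WGR614v6";
}
lease 10.0.0.6 {
  binding state active;
  hardware ethernet 00:11:22:33:44:66;
  client-hostname "FRANK-LAPTOP";
}
lease 10.0.0.7 {
  binding state active;
  hardware ethernet 00:11:22:33:44:77;
}
lease 10.0.0.8 {
  binding state active;
  hardware ethernet 00:11:22:33:44:88;
  client-hostname "WGT624v3";
}
lease 10.0.0.8 {
  binding state active;
  hardware ethernet 00:11:22:33:44:88;
  client-hostname "homenet";
}
"""

# Constructed (ip, client name) observations, as a web or Samba log would yield.
SAMPLE_OBSERVATIONS = [
    ("10.0.0.6", "FRANK-LAPTOP"),
    ("10.0.0.8", "DAD-PC"),
    ("10.0.0.8", "KIDS-PC"),
    ("10.0.0.8", "dad-pc"),
]

if __name__ == "__main__":
    verdicts = classify(parse_leases(SAMPLE_LEASES), SAMPLE_OBSERVATIONS)
    for ip, verdict in sorted(verdicts.items()):
        print(ip, verdict)
```

The two signals fail differently: the hostname match gives few false positives but misses any router whose name was changed, while the multiple-names check catches a renamed router only once more than one client has been seen behind it, and the MAC is of little use because, as Paul notes, the setup guides lead users to clone their PC's MAC onto the router.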