[unisog] Identifying if node is a router or PC

Alexander Clouter alex-unisog at digriz.org.uk
Mon Jul 16 16:07:11 GMT 2007


Frank Bulk <frnkblk at iname.com> [20070714 15:53:42 -0500]:
> Does anyone know of a program, or preferably, a Perl module, that would
> allow me to identify if a node is a computer or a broadband router?
> Information beyond that (such as OS or broadband router model number) would
> be a bonus.
Funny you mention this, the other week I stumbled on routeprobe[1].  Have not 
tried it yet but it looks like the business.

> I looked at nmap, but based on my reading an anecdotal tests, it doesn't
> seem to do that well on routers that are doing NAT.  I would even accept MAC
> address identification, too, if there was actually an updated list that
> extended beyond the standard OUI.
Well all that the OUI will tell you is who owns the kit, the manufacturer is 
free to use that address space however they please...unfortunately :-/

> Any suggestions would be helpful.  I've also looked at p0f and SinFP, and
> they don't appear to be any more helpful.
Already suggested the DHCP part of the rogue router is a great place to start 
having a nosey in.  I never thought of the 'client-hostname' field, but you 
might get some vendor identifier fields and also just looking at the request 
of which particular options and the order they are requested in is good 
enough to identify a particular bit of equipment.

Somewhere in the archives of the unisog mailing list[2] is information on 
this all, PacketFence could have the DHCP code yanked out of it or 
dhcprint[3] could be used too.

Good hunting :)


[1] http://www.stearns.org/routeprobe/
[2] http://lists.sans.org/pipermail/unisog/2006-May/026360.html
[3] http://erwin.wpi.edu/~fs/dhcprint/

> Regards,
> Frank
> _______________________________________________
> unisog mailing list
> unisog at lists.dshield.org
> https://lists.sans.org/mailman/listinfo/unisog

< Keep on keepin' on. >
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.sans.org/pipermail/unisog/attachments/20070716/1cdb5471/attachment.bin 

More information about the unisog mailing list