[unisog] Identifying if node is a router or PC
alex-unisog at digriz.org.uk
Mon Jul 16 16:07:11 GMT 2007
Frank Bulk <frnkblk at iname.com> [20070714 15:53:42 -0500]:
> Does anyone know of a program, or preferably, a Perl module, that would
> allow me to identify if a node is a computer or a broadband router?
> Information beyond that (such as OS or broadband router model number) would
> be a bonus.
Funny you mention this, the other week I stumbled on routeprobe. Have not
tried it yet but it looks like the business.
> I looked at nmap, but based on my reading and anecdotal tests, it doesn't
> seem to do that well on routers that are doing NAT. I would even accept MAC
> address identification, too, if there was actually an updated list that
> extended beyond the standard OUI.
Well all that the OUI will tell you is who owns the kit, the manufacturer is
free to use that address space however they please...unfortunately :-/
> Any suggestions would be helpful. I've also looked at p0f and SinFP, and
> they don't appear to be any more helpful.
Already suggested the DHCP part of the rogue router is a great place to start
having a nosey in. I never thought of the 'client-hostname' field, but you
might get some vendor identifier fields and also just looking at the request
of which particular options and the order they are requested in is good
enough to identify a particular bit of equipment.
Somewhere in the archives of the unisog mailing list is information on
this all, PacketFence could have the DHCP code yanked out of it or
dhcprint could be used too.
Good hunting :)
< Keep on keepin' on. >
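
The DHCP approach from the reply above, as an added example that is not part of the original post and is not code from PacketFence or dhcprint: it parses a DHCP message and extracts the hostname (option 12), vendor class identifier (option 60) and the ordered parameter request list (option 55). The function names and the sample packets (MACs, hostnames, vendor strings) are constructed for illustration.

```python
MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2131: marks the start of the options
OPTIONS_OFFSET = 236                # length of the fixed BOOTP header

def dhcp_fingerprint(payload: bytes) -> dict:
    """Pull the identifying fields out of a DHCP message (the UDP payload)."""
    start = OPTIONS_OFFSET + len(MAGIC_COOKIE)
    if payload[OPTIONS_OFFSET:start] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, start
    while i < len(payload):
        code = payload[i]
        if code == 255:             # End option
            break
        if code == 0:               # Pad option: a single byte, no length
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts.setdefault(code, value)  # keep the first instance of each option
        i += 2 + length
    hlen = min(payload[2], 16)        # chaddr field is 16 bytes at offset 28
    return {
        "mac": payload[28:28 + hlen].hex(":"),
        "hostname": opts.get(12, b"").decode("ascii", "replace"),
        "vendor_class": opts.get(60, b"").decode("ascii", "replace"),
        # Order is preserved on purpose: it is part of the fingerprint.
        "param_request_list": ",".join(str(b) for b in opts.get(55, b"")),
    }

def _opt(code: int, value: bytes) -> bytes:
    return bytes([code, len(value)]) + value

def build_request(mac: bytes, options: bytes) -> bytes:
    """Constructed sample packet builder (test input only)."""
    header = bytes([1, 1, 6, 0]) + bytes(24) + mac + bytes(10) + bytes(192)
    return header + MAGIC_COOKIE + options + b"\xff"

# Constructed samples: same options requested, different order and vendor class.
SAMPLE_A = build_request(bytes.fromhex("020000000001"),
    _opt(53, b"\x01") + _opt(12, b"gateway-01") + _opt(60, b"example-router")
    + _opt(55, bytes([1, 3, 6, 15, 28])))
SAMPLE_B = build_request(bytes.fromhex("020000000002"),
    b"\x00" + _opt(53, b"\x01") + _opt(12, b"desktop-01") + _opt(60, b"example-pc")
    + _opt(55, bytes([1, 15, 3, 6, 28])))
```

The two samples request the same five options, yet their option 55 strings differ because the order differs, which is what lets a fingerprint separate one kind of equipment from another.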