[unisog] Identifying if node is a router or PC

Frank Bulk frnkblk at iname.com
Mon Jul 16 16:07:46 GMT 2007


Yes, I'm aware of PacketFence (I sent you a week's worth of DHCP traffic 
some time ago to help you build out your fingerprints), but I wasn't 
sure if it would help me.

Does the "dhcp_dumper" utility allow me to look against logs?  Is there
a way to capture the information PF needs to fingerprint without capturing
network traffic?


-----Original Message-----
From: unisog-bounces at lists.dshield.org
[mailto:unisog-bounces at lists.dshield.org] On Behalf Of David LaPorte
Sent: Monday, July 16, 2007 10:22 AM
To: UNIversity Security Operations Group
Subject: Re: [unisog] Identifying if node is a router or PC

PacketFence, an open-source NAC solution I co-develop, does DHCP
fingerprinting like you mention.  We currently have 165 device
fingerprints that include routers, APs, game consoles, operating
systems, etc.

PF may be a bit overkill, since the fingerprinting is just one part, but
it ships with a "dhcp_dumper" utility that just does the fingerprinting.
We also have a dhcp-finger utility (written in C, not perl) on the
website that uses an XML-based configuration file.  The PF file is a bit
more up-to-date, but only if you need recent fingerprints for PS3,
iPhone, Wii, etc.



Paul FM wrote:
> Whatever does the identifying, would have to work by watching the packets
>   DHCP and DNS (very closely, more than the standard DHCP logs), as most
> these devices will do DHCP themselves and will proxy dns (through their
> internal dns server) - it would have to fingerprint those packets (to try
> id the manufacturer).  Other than that, the MAC address is easily (and
> ) forged on these devices, and the nature of NAT makes it very hard to
> fingerprint the machine by scanning (some of the ports you connect to may
> back to the client machine).  And of course, even a Windows XP Home
> can be a NAT router (very easily).
> One possible way is to use SAMBA as your watcher.  Samba knows the NAME of
> connecting machine (as the client knows it) and if you can entice your
> clients to at least try to connect to a machine running samba, you would
> be able to watch for multiple Windows clients (names) coming through one IP
> address (something I should work on myself - thanks for getting me to
> about it).
> Also web logs may be able to help a little.
> Frank Bulk wrote:
>> Does anyone know of a program, or preferably, a Perl module, that would
>> allow me to identify if a node is a computer or a broadband router?
>> Information beyond that (such as OS or broadband router model number)
>> would be a bonus.
>> I looked at nmap, but based on my reading and anecdotal tests, it doesn't
>> seem to do that well on routers that are doing NAT.  I would even accept
>> address identification, too, if there was actually an updated list that
>> extended beyond the standard OUI.
>> Any suggestions would be helpful.  I've also looked at p0f and SinFP, and
>> they don't appear to be any more helpful.
>> Regards,
>> Frank
>> _______________________________________________
>> unisog mailing list
>> unisog at lists.dshield.org
>> https://lists.sans.org/mailman/listinfo/unisog

David LaPorte, CISSP, CCNP
Security Manager, Network and Server Systems
Harvard University Information Systems
Email: david_laporte at harvard.edu
  PGP: 0x4DC3E508
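The thread refers to DHCP fingerprinting without showing what it actually keys on. The example below, added here and not taken from PacketFence, dhcp_dumper or dhcp-finger, parses the option field of a raw DHCP message (RFC 2132 TLV encoding after the magic cookie) and looks up the client's option 55 parameter-request list in a small table. The fingerprint table, the sample MAC and the sample "udhcp" vendor class are constructed for illustration; they are not PacketFence's database and should not be read as real device signatures. It works on the packet bytes rather than on server logs because the parameter-request list and vendor class are only present in the DHCP message itself, which is why the tools above capture traffic.

```python
"""Minimal DHCP option-55 fingerprinter (added example, not PacketFence code)."""
import struct
from typing import Dict, Optional, Tuple

# Constructed fingerprint table: option 55 parameter request list -> label.
# These tuples are illustrative only, NOT real device signatures.
FINGERPRINTS: Dict[Tuple[int, ...], str] = {
    (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 121, 249, 252): "desktop OS (constructed)",
    (1, 3, 6, 12, 15, 28, 42): "broadband NAT router (constructed)",
    (1, 3, 6, 15, 119, 252): "handheld (constructed)",
}

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132 DHCP magic cookie at offset 236
OPTIONS_OFFSET = 240                 # fixed BOOTP header (236) + cookie (4)


def parse_dhcp_options(packet: bytes) -> Dict[int, bytes]:
    """Return {option_code: value} from a raw BOOTP/DHCP message.

    Handles pad (0) and end (255) and refuses truncated TLVs instead of
    silently reading past the buffer.
    """
    if len(packet) < OPTIONS_OFFSET or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (missing magic cookie)")
    options: Dict[int, bytes] = {}
    i = OPTIONS_OFFSET
    while i < len(packet):
        code = packet[i]
        if code == 0:            # pad option, single byte
            i += 1
            continue
        if code == 255:          # end option
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return options


def fingerprint(packet: bytes) -> dict:
    """Extract the fields a DHCP fingerprinter keys on and match option 55."""
    opts = parse_dhcp_options(packet)
    hlen = packet[2]                                  # hardware address length
    mac = packet[28:28 + hlen]                        # chaddr field
    prl = tuple(opts.get(55, b""))                    # parameter request list
    return {
        "message_type": opts.get(53, b"\x00")[0],     # 1 = DHCPDISCOVER
        "client_mac": ":".join(f"{b:02x}" for b in mac),
        "oui": mac[:3].hex(),                          # for an OUI lookup, if wanted
        "vendor_class": opts.get(60, b"").decode("ascii", "replace"),
        "parameter_request_list": prl,
        "match": FINGERPRINTS.get(prl),               # None if unknown
    }


def build_discover(mac: bytes, prl: bytes, vendor: bytes = b"") -> bytes:
    """Construct a DHCPDISCOVER (sample input for the parser; not a capture)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                 # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops
        0x3903F326, 0, 0x8000,      # xid, secs, flags (broadcast)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr/yiaddr/siaddr/giaddr
        mac, b"\0" * 64, b"\0" * 128,                 # chaddr, sname, file
    )
    opts = bytes([53, 1, 1]) + bytes([55, len(prl)]) + prl
    if vendor:
        opts += bytes([60, len(vendor)]) + vendor
    return header + MAGIC_COOKIE + opts + b"\xff"


if __name__ == "__main__":
    # Constructed sample: a router-style request list with a busybox-style vendor class.
    sample = build_discover(bytes.fromhex("001122334455"),
                            bytes([1, 3, 6, 12, 15, 28, 42]), b"udhcp 1.1.3")
    print(fingerprint(sample))
```

An unmatched parameter-request list returns `match: None`; in practice that is the common case until the table is populated, and the MAC-based signals (OUI) remain weak because, as Paul FM notes above, the address is easily changed on these devices.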
