[unisog] Identifying if node is a router or PC

David LaPorte david_laporte at harvard.edu
Mon Jul 16 16:14:40 GMT 2007


Sorry about that - I thought that name looked familiar :)

You'll need to have a presence on the network you want to fingerprint,
but you wouldn't need a SPAN due to the semi-broadcast nature of DHCP.

Dave

Frank Bulk wrote:
> David:
> 
> Yes, I'm aware of PacketFence (I sent you a weeks worth of DHCP traffic 
> some time ago to help you build out your fingerprints), but I wasn't 
> sure if it would help me.
> 
> Does the "dhcp_dumper" utility allow me to look against logs?  Is there
> a way to capture the information PF needs to fingerprint without capturing
> network traffic?
> 
> Frank
> 
> -----Original Message-----
> From: unisog-bounces at lists.dshield.org
> [mailto:unisog-bounces at lists.dshield.org] On Behalf Of David LaPorte
> Sent: Monday, July 16, 2007 10:22 AM
> To: UNIversity Security Operations Group
> Subject: Re: [unisog] Identifying if node is a router or PC
> 
> PacketFence, an open-source NAC solution I co-develop, does DHCP
> fingerprinting like you mention.  We currently have 165 device
> fingerprints that include routers, APs, game consoles, operating
> systems, etc.
> 
> PF may be a bit overkill, since the fingerprinting is just one part, but
> it ships with a "dhcp_dumper" utility that just does the fingerprinting.
> We also have a dhcp-finger utility (written in C, not perl) on the
> website that uses an XML-based configuration file.  The PF file is a bit
> more up-to-date, but only if you need recent fingerprints for PS3,
> iPhone, Wii, etc.
> 
> http://www.packetfence.org
> 
> best,
> Dave
> 
> Paul FM wrote:
>> Whatever does the identifying, would have to work by watching the packets
>> for DHCP and DNS (very closely, more than the standard DHCP logs), as most
>> of these devices will do DHCP themselves and will proxy dns (through their
>> own internal dns server) - it would have to fingerprint those packets (to try
>> and id the manufacturer).  Other than that, the MAC address is easily (and
>> likely) forged on these devices, and the nature of NAT makes it very hard to
>> fingerprint the machine by scanning (some of the ports you connect to may
>> go back to the client machine).  And of course, even a Windows XP Home
>> computer can be a NAT router (very easily).
>>
>> One possible way is to use SAMBA as your watcher.  Samba knows the NAME of
>> the connecting machine (as the client knows it) and if you can entice your
>> clients to at least try to connect to a machine running samba, you would
>> be able to watch for multiple Windows clients (names) coming through one IP
>> address (something I should work on myself - thanks for getting me to
>> think about it).
>>
>> Also web logs may be able to help a little.
>>
>> Frank Bulk wrote:
>>> Does anyone know of a program, or preferably, a Perl module, that would
>>> allow me to identify if a node is a computer or a broadband router?
>>> Information beyond that (such as OS or broadband router model number)
>>> would be a bonus.
>>>
>>> I looked at nmap, but based on my reading and anecdotal tests, it doesn't
>>> seem to do that well on routers that are doing NAT.  I would even accept
>>> MAC address identification, too, if there was actually an updated list that
>>> extended beyond the standard OUI.
>>>
>>> Any suggestions would be helpful.  I've also looked at p0f and SinFP, and
>>> they don't appear to be any more helpful.
>>>
>>> Regards,
>>>
>>> Frank
>>>
>>> _______________________________________________
>>> unisog mailing list
>>> unisog at lists.dshield.org
>>> https://lists.sans.org/mailman/listinfo/unisog
> 
> --
> David LaPorte, CISSP, CCNP
> Security Manager, Network and Server Systems
> Harvard University Information Systems
> -----------------------------------------------
> Email: david_laporte at harvard.edu
>   PGP: 0x4DC3E508
>        4A1F058DB2B32FEF10A14F6BD370A6AD4DC3E508
> 

-- 
David LaPorte, CISSP, CCNP
Security Manager, Network and Server Systems
Harvard University Information Systems
-----------------------------------------------
Email: david_laporte at harvard.edu
  PGP: 0x4DC3E508
       4A1F058DB2B32FEF10A14F6BD370A6AD4DC3E508
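As an added illustration of the DHCP fingerprinting David and Paul describe (this is example code written for this page, not code from PacketFence, dhcp_dumper, dhcp-finger, or anyone in the thread), the parser below walks the options of a client DHCP packet seen on the wire, pulls out the option 55 parameter request list, and looks the comma-separated list up in a fingerprint table. The two table entries and the sample packets are constructed placeholders; a real deployment would load a maintained fingerprint file instead. Note that, as Paul points out, a NAT router is itself the DHCP client on the campus side, so the fingerprint identifies the router rather than the machines behind it.

```python
"""Minimal DHCP option parser with an option-55 fingerprint lookup (added example)."""
import struct
from typing import Dict, List, Optional

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2132 magic cookie that follows the BOOTP header
BOOTP_HEADER_LEN = 236             # fixed-size BOOTP header before the cookie
CHADDR_OFFSET = 28                 # client hardware address field inside the header
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
CLIENT_MESSAGES = {"DISCOVER", "REQUEST", "INFORM"}   # only client messages carry option 55

# Constructed fingerprint table in the comma-separated option-55 style.
# These entries are illustrative placeholders, not PacketFence's real data.
FINGERPRINTS: Dict[str, str] = {
    "1,3,6,15,44,46,47,31,33,121,249,43": "constructed: Windows-like workstation",
    "1,3,6,12,15,28,42": "constructed: embedded broadband router",
}


def build_dhcp_client_packet(msg_type: int, mac: bytes, param_list: List[int],
                             hostname: Optional[str] = None, xid: int = 0x12345678) -> bytes:
    """Build a client DHCP packet; constructed input standing in for a sniffed frame."""
    if len(mac) != 6:
        raise ValueError("expected a 6-byte MAC address")
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0, xid, 0, 0x8000,           # BOOTREQUEST, Ethernet, hlen 6, hops, xid, secs, broadcast flag
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr, giaddr
                         mac, b"\0" * 64, b"\0" * 128)         # chaddr (null-padded to 16), sname, file
    options = bytearray([53, 1, msg_type])                     # option 53: DHCP message type
    if hostname:
        name = hostname.encode("ascii")
        options += bytes([12, len(name)]) + name               # option 12: host name
    options += bytes([55, len(param_list)]) + bytes(param_list)   # option 55: parameter request list
    options += b"\xff"                                         # option 255: end
    return header + DHCP_MAGIC + bytes(options)


def parse_dhcp_options(packet: bytes) -> Dict[int, bytes]:
    """Walk the option TLVs after the magic cookie; reject malformed or truncated input."""
    cookie_end = BOOTP_HEADER_LEN + 4
    if len(packet) < cookie_end or packet[BOOTP_HEADER_LEN:cookie_end] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet (missing magic cookie)")
    options: Dict[int, bytes] = {}
    i = cookie_end
    while i < len(packet):
        code = packet[i]
        if code == 0:                 # pad option: single byte, no length
            i += 1
            continue
        if code == 255:               # end option
            return options
        if i + 1 >= len(packet):
            raise ValueError("truncated option header at offset %d" % i)
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        options[code] = options.get(code, b"") + value   # RFC 3396: repeated options concatenate
        i += 2 + length
    raise ValueError("options not terminated with an end option")


def fingerprint_packet(packet: bytes) -> Dict[str, str]:
    """Extract MAC, hostname and the option-55 fingerprint, then look the fingerprint up."""
    options = parse_dhcp_options(packet)
    hlen = min(packet[2], 16)
    mac = packet[CHADDR_OFFSET:CHADDR_OFFSET + hlen].hex(":")
    msg_type = MSG_TYPES.get((options.get(53) or b"\0")[0], "UNKNOWN")
    fp = ",".join(str(b) for b in options.get(55, b""))
    result = {
        "msg_type": msg_type,
        "mac": mac,
        "hostname": options.get(12, b"").decode("ascii", "replace"),
        "vendor_class": options.get(60, b"").decode("ascii", "replace"),
        "fingerprint": fp,
    }
    if msg_type not in CLIENT_MESSAGES:
        result["guess"] = "n/a (server message)"
    elif not fp:
        result["guess"] = "unknown (no parameter request list)"
    else:
        result["guess"] = FINGERPRINTS.get(fp, "unknown")
    return result


if __name__ == "__main__":
    # Constructed sample: a DISCOVER from a host that asks for the workstation-style option set.
    sample = build_dhcp_client_packet(1, bytes.fromhex("001122334455"),
                                      [1, 3, 6, 15, 44, 46, 47, 31, 33, 121, 249, 43],
                                      hostname="WKSTN-01")
    for key, value in fingerprint_packet(sample).items():
        print(f"{key:12s} {value}")
```

To use this against captured traffic, feed `fingerprint_packet` the UDP payload of each packet to port 67; it rejects anything without the magic cookie or with a truncated option, so a stray non-DHCP datagram fails loudly rather than producing a bogus fingerprint. A hostname or vendor class (option 60) that disagrees with the option-55 match is worth logging, since either can be set freely by the client.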


