[unisog] Identifying if node is a router or PC
david_laporte at harvard.edu
Mon Jul 16 16:14:40 GMT 2007
Sorry about that - I thought that name looked familiar :)
You'll need to have a presence on the network you want to fingerprint,
but you wouldn't need a SPAN due to the semi-broadcast nature of DHCP.
Frank Bulk wrote:
> Yes, I'm aware of PacketFence (I sent you a weeks worth of DHCP traffic
> some time ago to help you build out your fingerprints), but I wasn't
> sure if it would help me.
> Does the "dhcp_dumper" utility allow me to look against logs? Is there
> a way to capture the information PF needs to fingerprint without capturing
> network traffic?
> -----Original Message-----
> From: unisog-bounces at lists.dshield.org
> [mailto:unisog-bounces at lists.dshield.org] On Behalf Of David LaPorte
> Sent: Monday, July 16, 2007 10:22 AM
> To: UNIversity Security Operations Group
> Subject: Re: [unisog] Identifying if node is a router or PC
> PacketFence, an open-source NAC solution I co-develop, does DHCP
> fingerprinting like you mention. We currently have 165 device
> fingerprints that include routers, APs, game consoles, operating
> systems, etc.
> PF may be a bit overkill, since the fingerprinting is just one part, but
> it ships with a "dhcp_dumper" utility that just does the fingerprinting.
> We also have a dhcp-finger utility (written in C, not perl) on the
> website that uses an XML-based configuration file. The PF file is a bit
> more up-to-date, but only if you need recent fingerprints for PS3,
> iPhone, Wii, etc.
> Paul FM wrote:
>> Whatever does the identifying, would have to work by watching the packets
>> DHCP and DNS (very closely, more than the standard DHCP logs), as most
>> these devices will do DHCP themselves and will proxy dns (through their
>> internal dns server) - it would have to fingerprint those packets (to try
>> id the manufacturer). Other than that, the MAC address is easily (and
>> ) forged on these devices, and the nature of NAT makes it very hard to
>> fingerprint the machine by scanning (some of the ports you connect to may
>> back to the client machine). And of course, even a Windows XP Home
>> can be a NAT router (very easily).
>> One possible way is to use SAMBA as your watcher. Samba knows the NAME of
>> connecting machine (as the client knows it) and if you can entice your
>> clients to at least try to connect to a machine running samba, you would
>> able to watch for multiple Windows clients (names) coming through one IP
>> address (something I should work on myself - thanks for getting me to
>> about it).
>> Also web logs may be able to help a little.
>> Frank Bulk wrote:
>>> Does anyone know of a program, or preferably, a Perl module, that would
>>> allow me to identify if a node is a computer or a broadband router?
>>> Information beyond that (such as OS or broadband router model number)
>>> be a bonus.
>>> I looked at nmap, but based on my reading and anecdotal tests, it doesn't
>>> seem to do that well on routers that are doing NAT. I would even accept
>>> address identification, too, if there was actually an updated list that
>>> extended beyond the standard OUI.
>>> Any suggestions would be helpful. I've also looked at p0f and SinFP, and
>>> they don't appear to be any more helpful.
>>> unisog mailing list
>>> unisog at lists.dshield.org
> David LaPorte, CISSP, CCNP
> Security Manager, Network and Server Systems
> Harvard University Information Systems
> Email: david_laporte at harvard.edu
> PGP: 0x4DC3E508
David LaPorte, CISSP, CCNP
Security Manager, Network and Server Systems
Harvard University Information Systems
Email: david_laporte at harvard.edu
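The DHCP fingerprinting David describes works without a SPAN because the client's broadcast DHCPDISCOVER carries a "parameter request list" (option 55) whose contents differ between OS network stacks and embedded router firmware. The following is an added example written for this archive, not code from PacketFence or its dhcp_dumper: it parses the options of a raw DHCP payload, builds the option 55 fingerprint string, and looks it up in a small table. The table entries and the packet builder are constructed for illustration; a real deployment would use a maintained fingerprint list.

```python
# Added example: DHCP option 55 fingerprint extraction (not PacketFence code).
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"   # option-field cookie that follows the BOOTP header
BOOTP_HEADER_LEN = 236

def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option_code: value_bytes} from a raw BOOTP/DHCP UDP payload."""
    cookie = payload[BOOTP_HEADER_LEN:BOOTP_HEADER_LEN + 4]
    if len(payload) < BOOTP_HEADER_LEN + 4 or cookie != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, BOOTP_HEADER_LEN + 4
    while i < len(payload):
        code = payload[i]
        if code == 0:            # pad octet, no length byte
            i += 1
            continue
        if code == 255:          # end marker
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts

def dhcp_fingerprint(payload: bytes) -> str:
    """Option 55 parameter request list rendered as 'a,b,c' (empty if absent)."""
    return ",".join(str(b) for b in parse_dhcp_options(payload).get(55, b""))

# Constructed lookup table: fingerprint string -> device label.
FINGERPRINTS = {
    "1,3,6,15,31,33,43,44,46,47,121,249,252": "Windows XP",
    "1,3,6,12,15,28,42": "Broadband router (constructed entry)",
}

def classify(payload: bytes) -> str:
    return FINGERPRINTS.get(dhcp_fingerprint(payload), "unknown")

def build_discover(mac: bytes, prl: bytes) -> bytes:
    """Constructed minimal DHCPDISCOVER (test input, not a real capture)."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x3903F326, 0,
                      0x8000, b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                      mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = b"\x35\x01\x01" + b"\x37" + bytes([len(prl)]) + prl   # msg type, option 55
    return hdr + DHCP_MAGIC + opts + b"\xff"
```

Feeding the payloads of captured DHCPDISCOVER/DHCPREQUEST packets (UDP port 67) through classify() gives a per-MAC device class that can be joined against the DHCP server's lease log.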