[unisog] Identifying if node is a router or PC

Frank Bulk frnkblk at iname.com
Mon Jul 16 16:28:40 GMT 2007


Alex:

'routeprobe' seems to be checking things from the inside out, as opposed to
the outside (me) looking in (broadband user).

Right, OUI is not good enough, though apparently there are some
organizations that have attempted to get things down to a more granular
level.

PacketFence is the closest to what I need, it appears, but I'm not sure at
this time if I can massage it in a way that works for us.

Regards,

Frank

-----Original Message-----
From: Alexander Clouter [mailto:alex-unisog at digriz.org.uk] 
Sent: Monday, July 16, 2007 11:07 AM
To: frnkblk at iname.com
Cc: UNIversity Security Operations Group
Subject: Re: [unisog] Identifying if node is a router or PC

Hi,

Frank Bulk <frnkblk at iname.com> [20070714 15:53:42 -0500]:
>
> Does anyone know of a program, or preferably, a Perl module, that would
> allow me to identify if a node is a computer or a broadband router?
> Information beyond that (such as OS or broadband router model number) would
> be a bonus.
> 
Funny you mention this, the other week I stumbled on routeprobe[1].  Have not
tried it yet but it looks like the business.

> I looked at nmap, but based on my reading an anecdotal tests, it doesn't
> seem to do that well on routers that are doing NAT.  I would even accept MAC
> address identification, too, if there was actually an updated list that
> extended beyond the standard OUI.
> 
Well all that the OUI will tell you is who owns the kit, the manufacturer is
free to use that address space however they please...unfortunately :-/

> Any suggestions would be helpful.  I've also looked at p0f and SinFP, and
> they don't appear to be any more helpful.
> 
Already suggested the DHCP part of the rogue router is a great place to start
having a nosey in.  I never thought of the 'client-hostname' field, but you
might get some vendor identifier fields and also just looking at the request
of which particular options and the order they are requested in is good
enough to identify a particular bit of equipment.

Somewhere in the archives of the unisog mailing list[2] is information on 
this all, PacketFence could have the DHCP code yanked out of it or 
dhcprint[3] could be used too.

Good hunting :)

Alex

[1] http://www.stearns.org/routeprobe/
[2] http://lists.sans.org/pipermail/unisog/2006-May/026360.html
[3] http://erwin.wpi.edu/~fs/dhcprint/

> Regards,
> 
> Frank
> 
> _______________________________________________
> unisog mailing list
> unisog at lists.dshield.org
> https://lists.sans.org/mailman/listinfo/unisog

-- 
 _____________________
< Keep on keepin' on. >
 ---------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
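The DHCP approach Alex describes above (look at which options a client requests, in what order, plus the hostname and vendor-class fields) can be turned into a small classifier. The block below is an added example, not code from either poster nor from PacketFence, dhcprint or routeprobe. It parses the RFC 2132 option area of a DHCP packet, pulls out option 12 (host name), option 60 (vendor class identifier) and option 55 (parameter request list), and matches the ordered option-55 list against a signature table. The signature lists, the `build_discover` helper and the two sample packets are constructed for the example; a real table would be built from captures of known equipment on your own network.

```python
import struct

# Constructed signature table: option 55 (parameter request list), in the exact
# order the client sent it, mapped to a label. These lists are illustrative
# placeholders, not real vendor fingerprints.
SIGNATURES = {
    (1, 3, 6, 15, 28, 51, 58, 59): "soho-router",
    (1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 43): "desktop-pc",
}

DHCP_MAGIC = b"\x63\x82\x53\x63"  # RFC 2132 magic cookie at offset 236 of the BOOTP header


def parse_dhcp_options(packet):
    """Parse the TLV option area of a BOOTP/DHCP packet into {code: raw_value}.

    Pad (0) is skipped, End (255) stops parsing, and the first occurrence of a
    repeated code wins. Truncated packets raise ValueError rather than being
    silently accepted.
    """
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet (bad length or magic cookie)")
    opts = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts.setdefault(code, value)
        i += 2 + length
    return opts


def fingerprint_fields(packet):
    """Extract the three fields the thread discusses: hostname, vendor class, option order."""
    opts = parse_dhcp_options(packet)
    return {
        "hostname": opts.get(12, b"").decode("ascii", "replace") or None,
        "vendor_class": opts.get(60, b"").decode("ascii", "replace") or None,
        # A tuple, not a set: the order of requested options is part of the signature.
        "param_request_list": tuple(opts.get(55, b"")),
    }


def classify(packet):
    """Return (label, fields); label is 'unknown' when no signature matches exactly."""
    fields = fingerprint_fields(packet)
    return SIGNATURES.get(fields["param_request_list"], "unknown"), fields


def build_discover(mac, hostname, vendor_class, param_list):
    """Build a minimal DHCPDISCOVER; constructed test input, not a captured packet."""
    # op, htype, hlen, hops, xid, secs, flags(broadcast), ciaddr, yiaddr, siaddr, giaddr
    hdr = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, 0x12345678, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    hdr += mac + b"\0" * 10        # chaddr is 16 bytes
    hdr += b"\0" * 64 + b"\0" * 128  # sname and file, unused
    opts = bytes([53, 1, 1])       # option 53: DHCPDISCOVER
    if hostname:
        opts += bytes([12, len(hostname)]) + hostname
    if vendor_class:
        opts += bytes([60, len(vendor_class)]) + vendor_class
    opts += bytes([55, len(param_list)]) + bytes(param_list)
    return hdr + DHCP_MAGIC + opts + bytes([255])


# Constructed sample packets: a router-like client with no hostname, and a PC-like one.
ROUTER_PKT = build_discover(b"\x00\x11\x22\x33\x44\x55", b"", b"example-router-fw",
                            (1, 3, 6, 15, 28, 51, 58, 59))
PC_PKT = build_discover(b"\x00\x66\x77\x88\x99\xaa", b"LAB-PC-01", b"example-pc-client",
                        (1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 43))

if __name__ == "__main__":
    for name, pkt in (("router", ROUTER_PKT), ("pc", PC_PKT)):
        label, fields = classify(pkt)
        print(name, "->", label, fields)
```

On a live network the packet bytes would come from a DHCP relay, a span port, or a dhcpd log; the classifier itself only needs the option area. Exact-match on the ordered list is deliberate: a client that requests the same options in a different order is a different DHCP client implementation and should be treated as a separate signature rather than a fuzzy match.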
