[unisog] Identifying if node is a router or PC

Frank Bulk frnkblk at iname.com
Mon Jul 16 16:33:20 GMT 2007


Yes, one other person (offline) pointed me there.  Of course, that solution
is script-based, though I could capture chunks of 5 minutes, analyze the
results, and store them in a database.

Frank 

-----Original Message-----
From: unisog-bounces at lists.dshield.org
[mailto:unisog-bounces at lists.dshield.org] On Behalf Of Michael Hornung
Sent: Monday, July 16, 2007 11:05 AM
To: UNIversity Security Operations Group
Subject: Re: [unisog] Identifying if node is a router or PC

Some people have obtained encouraging results at identifying NATs in a
network by monitoring TTLs and IPIDs.  See:

http://www.sflow.org/detectNAT/

But I'm not sure if your goal is to find all NATs, or specifically only
off-the-shelf "broadband routers".

_____________________________________________________
 Michael Hornung          Computing & Communications
 hornung at washington.edu   University of Washington

On Mon, 16 Jul 2007 at 10:53, Frank Bulk wrote:

|Paul:
|
|You read the instructions?  You're unlike most end-users. =)
|
|I have browsed through a few of those "Get Started" guides in my life
|and can't recall a reference that recommended users to perform MAC
|cloning, though it is in most users guides.
|
|Even if I enticed the user to connect to one of our web pages and I
|extracted the COMPUTERNAME, how does that tell me if they're using
|a broadband router?  Or are you saying I should do a comparison between
|what's in the DHCP leases file and the java-script applet file?
|
|Kind regards,
|
|Frank
|
|-----Original Message-----
|From: unisog-bounces at lists.dshield.org
|[mailto:unisog-bounces at lists.dshield.org] On Behalf Of Paul FM
|Sent: Monday, July 16, 2007 9:56 AM
|To: UNIversity Security Operations Group
|Subject: Re: [unisog] Identifying if node is a router or PC
|
|If they follow the instructions on their NAT Router they will likely mirror
|their real MAC address to the NAT box (and it will claim that one) - this is
|why I say the MAC addresses are likely forged.
|
|Download and read some of the installation instructions for those devices (and
|you will see what I mean).
|
|And you could entice the machines to look at a web page (maybe your own web
|page could host a java-script applet that gets the computer's COMPUTERNAME and
|HOSTNAME [in case it is linux] environment variable and sends it back so it is
|logged with the IP address it came from).
|
|
|Frank Bulk wrote:
|> Paul:
|>
|> Thanks for the suggestion.  Because I work in a service provider environment
|> (I lurk for many of the good ideas and topics this group discusses, much
|> cleaner than NANOG) the clients aren't connecting to a Samba box.
|>
|> There's no reason to believe that the endpoints are forging the MAC
|> address on their broadband router, though some may bother to do that.
|>
|> Besides MAC addresses, I'm also extracting the client-hostnames from
|> dhcpd.leases.  Here are some examples:
|>   client-hostname "WGR614";
|>   client-hostname "WGR614v2";
|>   client-hostname "WGR614v4";
|>   client-hostname "WGR614v5";
|>   client-hostname "WGR614v6";
|>   client-hostname "WGR614v7";
|>   client-hostname "WGT624";
|>   client-hostname "WGT624v3";
|>   client-hostname "WPN824";
|>   client-hostname "WPNT834";
|> This is a good method with low false positives, but if they change their
|> broadband router's host name it's an unknown.
|>
|> I know that Network Chemistry has a RogueScanner and I may need to revisit
|> that product.
|>
|> Regards,
|>
|> Frank
|>
|> -----Original Message-----
|> From: unisog-bounces at lists.dshield.org
|> [mailto:unisog-bounces at lists.dshield.org] On Behalf Of Paul FM
|> Sent: Monday, July 16, 2007 9:09 AM
|> To: UNIversity Security Operations Group
|> Subject: Re: [unisog] Identifying if node is a router or PC
|>
|> Whatever does the identifying would have to work by watching the packets for
|>   DHCP and DNS (very closely, more than the standard DHCP logs), as most of
|> these devices will do DHCP themselves and will proxy dns (through their own
|> internal dns server) - it would have to fingerprint those packets (to try and
|> id the manufacturer).  Other than that, the MAC address is easily (and likely)
|> forged on these devices, and the nature of NAT makes it very hard to
|> fingerprint the machine by scanning (some of the ports you connect to may go
|> back to the client machine).  And of course, even a Windows XP Home computer
|> can be a NAT router (very easily).
|>
|> One possible way is to use SAMBA as your watcher.  Samba knows the NAME of the
|> connecting machine (as the client knows it) and if you can entice your
|> clients to at least try to connect to a machine running samba, you would be
|> able to watch for multiple Windows clients (names) coming through one IP
|> address (something I should work on myself - thanks for getting me to think
|> about it).
|>
|> Also web logs may be able to help a little.
|>
|>
|>
|>
|> Frank Bulk wrote:
|>> Does anyone know of a program, or preferably, a Perl module, that would
|>> allow me to identify if a node is a computer or a broadband router?
|>> Information beyond that (such as OS or broadband router model number) would
|>> be a bonus.
|>>
|>> I looked at nmap, but based on my reading and anecdotal tests, it doesn't
|>> seem to do that well on routers that are doing NAT.  I would even accept MAC
|>> address identification, too, if there was actually an updated list that
|>> extended beyond the standard OUI.
|>>
|>> Any suggestions would be helpful.  I've also looked at p0f and SinFP, and
|>> they don't appear to be any more helpful.
|>>
|>> Regards,
|>>
|>> Frank
|>>
|>> _______________________________________________
|>> unisog mailing list
|>> unisog at lists.dshield.org
|>> https://lists.sans.org/mailman/listinfo/unisog
|>
|> --
|> ---------------------------------------------------------------------
|> The views and opinions expressed above are strictly
|> those of the author(s).  The content of this message has
|> not been reviewed nor approved by any entity whatsoever.
|> ---------------------------------------------------------------------
|> Paul Markfort   Info: http://www.menet.umn.edu/~paulfm
|> ---------------------------------------------------------------------
|>
|
|--
|---------------------------------------------------------------------
|The views and opinions expressed above are strictly
|those of the author(s).  The content of this message has
|not been reviewed nor approved by any entity whatsoever.
|---------------------------------------------------------------------
|Paul Markfort   Info: http://www.menet.umn.edu/~paulfm
|---------------------------------------------------------------------
|
|
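The client-hostname check Frank describes above (matching the factory model names that Netgear routers send in their DHCP requests), written out as an added example. This is not code from the thread or from any of the posters. It assumes an ISC dhcpd.leases file in its usual text format, uses only the model names quoted in the thread as its signature list, and the lease text embedded in it is constructed for the example.

```python
"""Flag likely broadband routers in an ISC dhcpd.leases file by client-hostname.

Added example for the unisog thread, not code from any of the posters. It
implements the client-hostname check Frank Bulk describes: hostnames that
match the Netgear model strings quoted in the thread (WGR614, WGT624,
WPN824, WPNT834, with an optional "vN" revision) are treated as routers
that still carry their factory name. The lease text below is constructed.
"""
import re

# Model names taken from the hostnames quoted in the thread. Extend the
# alternation with other vendors' factory hostnames as you collect them; a
# user who renames the router is invisible to this check (as the thread notes).
ROUTER_HOSTNAME_RE = re.compile(
    r"^(?P<model>WGR614|WGT624|WPN824|WPNT834)(?P<rev>v\d+)?$", re.IGNORECASE
)

# One "lease <ip> { ... }" block; dhcpd.leases has no nested braces inside it.
LEASE_RE = re.compile(
    r"lease\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*\{(?P<body>.*?)\}", re.DOTALL
)
# The three statements this check needs; every other statement is ignored.
FIELD_RE = re.compile(
    r'(?P<key>hardware ethernet|client-hostname|binding state)\s+'
    r'"?(?P<val>[^";]+)"?\s*;'
)
KEYMAP = {"hardware ethernet": "mac", "client-hostname": "hostname",
          "binding state": "state"}


def parse_leases(text):
    """Return {ip: {"mac": ..., "hostname": ..., "state": ...}} from dhcpd.leases text.

    The file is append-only: dhcpd writes a new block for every lease change
    and the last block for an address is the current one, so later blocks
    overwrite earlier values field by field (a "free" block that omits
    client-hostname therefore keeps the name the client last sent).
    """
    leases = {}
    for block in LEASE_RE.finditer(text):
        entry = leases.setdefault(block.group("ip"), {})
        for f in FIELD_RE.finditer(block.group("body")):
            entry[KEYMAP[f.group("key")]] = f.group("val").strip()
    return leases


def router_leases(leases):
    """Return (ip, mac, hostname, model) for active leases whose hostname
    looks like a factory router name, sorted by IP string."""
    hits = []
    for ip, e in sorted(leases.items()):
        if e.get("state", "active") != "active":
            continue  # expired/free lease: the address may belong to someone else now
        m = ROUTER_HOSTNAME_RE.match(e.get("hostname", ""))
        if m:
            hits.append((ip, e.get("mac", "?"), e["hostname"], m.group("model").upper()))
    return hits


# Constructed sample: two routers and one PC; the router on .13 has since expired.
SAMPLE_LEASES = """\
lease 10.0.0.11 {
  starts 1 2007/07/16 14:01:00;
  ends 1 2007/07/16 20:01:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "WGR614v6";
}
lease 10.0.0.12 {
  binding state active;
  hardware ethernet 00:11:22:33:44:66;
  client-hostname "JOHNS-PC";
}
lease 10.0.0.13 {
  binding state active;
  hardware ethernet 00:11:22:33:44:77;
  client-hostname "wpnt834";
}
lease 10.0.0.13 {
  binding state free;
  hardware ethernet 00:11:22:33:44:77;
}
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LEASES
    for ip, mac, name, model in router_leases(parse_leases(text)):
        print(f"{ip:15} {mac:17} {name:12} looks like a {model}")
```

Run it against a copy of the live leases file rather than the one dhcpd is writing; the regex tolerates the duplicated blocks dhcpd leaves behind, which is why the last block per address wins. Matching is case-insensitive because, as the sample shows, some firmware sends the model name in lower case.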



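The TTL and IP-ID approach Michael points to (the sflow.org detectNAT page), as an added example. It is not that page's code and not anything posted in the thread; it only writes out the two signals that approach relies on. It assumes per-packet (timestamp, source IP, TTL, IP-ID) records from a sniffer or flow collector; the packet records inside the block are constructed, and the stream window and minimum sample count are my own tuning values.

```python
"""Score source addresses as "probably a NAT" from TTL and IP-ID behaviour.

Added example for the unisog thread; it is not the sflow.org detectNAT code
Michael links to, only the two signals that approach relies on, written out:
hosts behind one NAT share a source address but keep their own initial TTL
(64 on Linux/BSD-style stacks, 128 on Windows, each minus the hops to the
observation point) and, on stacks with a per-host incrementing IP-ID, their
own IP-ID counter. Input is (timestamp, src_ip, ttl, ip_id) per packet from
a sniffer or sFlow collector; the packets below are constructed. WINDOW and
MIN_SAMPLES are my own tuning values, not from the thread.
"""
from collections import defaultdict

WINDOW = 256       # max forward step for an id to continue an existing counter
MIN_SAMPLES = 8    # below this many non-zero ids the IP-ID signal is not used


def count_ipid_streams(ids, window=WINDOW):
    """Greedily split an IP-ID sequence into interleaved incrementing counters.

    Each stream remembers its last id. A new id joins the stream it most
    closely follows (0 < delta <= window, mod 2^16) or starts a new stream.
    One host with an incrementing IP-ID gives one stream; several hosts behind
    a NAT give several. Stacks that randomise the id give many streams, so the
    caller should treat a large count as "unknown", not as a big NAT.
    """
    streams = []  # last id seen on each stream
    for i in ids:
        best, best_delta = None, None
        for k, last in enumerate(streams):
            delta = (i - last) % 65536
            if 0 < delta <= window and (best_delta is None or delta < best_delta):
                best, best_delta = k, delta
        if best is None:
            streams.append(i)
        else:
            streams[best] = i
    return len(streams)


def assess(packets, min_samples=MIN_SAMPLES):
    """Return {src: {"ttls": [...], "ipid_streams": n, "nat": bool}}.

    ttls: distinct TTL values seen from the address. A single stack at a fixed
    hop distance sends one value, so two values (e.g. 63 and 127) is a strong
    sign of two different OSes sharing the address. ipid_streams is 0 when
    there were too few non-zero ids to judge (some Linux kernels send id 0 on
    DF packets, so a lone Linux host can look like it has no counter at all).
    """
    by_src = defaultdict(list)
    for _t, src, ttl, ipid in sorted(packets):   # time order matters for the counters
        by_src[src].append((ttl, ipid))
    report = {}
    for src, rows in by_src.items():
        ttls = sorted({ttl for ttl, _ in rows})
        nonzero = [i for _, i in rows if i]
        streams = count_ipid_streams(nonzero) if len(nonzero) >= min_samples else 0
        # Either signal alone is a hint (a host may change route, a stack may
        # randomise ids); both pointing the same way is what you act on.
        report[src] = {"ttls": ttls, "ipid_streams": streams,
                       "nat": len(ttls) > 1 or streams > 1}
    return report


def synthetic_packets():
    """Constructed traffic: a NAT hiding a Windows and a Linux host, a lone
    Windows PC, and a lone Linux PC sending DF packets with IP-ID 0."""
    pkts, t = [], 0.0
    for n in range(12):
        # Windows box (ttl 127, ids step 3) and Linux box (ttl 63, ids step 2) interleaved
        pkts.append((t, "10.0.0.11", 127, 1000 + 3 * n))
        pkts.append((t + 0.005, "10.0.0.11", 63, 5000 + 2 * n))
        t += 0.01
    for n in range(12):
        pkts.append((t, "10.0.0.12", 127, 200 + n))   # single Windows PC, one counter
        t += 0.01
    for n in range(12):
        pkts.append((t, "10.0.0.13", 63, 0))          # single Linux PC, DF packets
        t += 0.01
    return pkts


if __name__ == "__main__":
    for src, r in assess(synthetic_packets()).items():
        print(f"{src:12} ttls={r['ttls']} ipid_streams={r['ipid_streams']} nat={r['nat']}")
```

On a real feed, run assess() over a few minutes of packets at a time, as Frank suggests, and keep the per-address verdicts in a database so that a subscriber who only occasionally has a second machine switched on is still caught. The TTL signal is the more robust of the two; treat the IP-ID count as corroboration rather than proof, since a single stack with a randomised id will inflate it.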