[unisog] Identifying if node is a router or PC
frnkblk at iname.com
Mon Jul 16 16:37:26 GMT 2007
Alas, if I was only on the LAN side of the router, but I'm not. =(
From: Dr. Neal Krawetz [mailto:hf at hackerfactor.com]
Sent: Monday, July 16, 2007 11:31 AM
To: Frank Bulk
Cc: 'UNIversity Security Operations Group'
Subject: Re: [unisog] Identifying if node is a router or PC
I've read some of the followup posts and they are really good.
However, have you tried something a little more direct?
E.g., if you are on the LAN side of the router, then you can usually
connect to it on port 80 and see the basic-auth string. Some examples:
# This is a Dlink DI-604
$ echo -e "GET / HTTP/1.0\n" | nc host1 80 | grep -e WWW-Authenticate -e Server
Server: Embedded HTTP Server 3.52
WWW-Authenticate: Basic realm="DI-604"
# This is a Linksys WRT54G
$ echo -e "GET / HTTP/1.0\n" | nc host2 80 | grep -e WWW-Authenticate -e Server
Server: Intoto Http Server v1.0
WWW-Authenticate: Basic realm="WRT54G"
Even if you don't recognize the router, you can collect the basic-auth
strings and go back and look at them later.
You are definitely right about nmap and p0f not always being accurate.
If two hosts are connected via the 4-port LAN interface on a Dlink, then
nmap -O will identify the Dlink and not the host. (Same for Linksys
and SMC Barricade.)
Neal Krawetz, Ph.D.
Hacker Factor Solutions
Author of "Introduction to Network Security" (Charles River Media, 2006)
and "Hacking Ubuntu" (Wiley, 2007)
On Sat, Jul 14, 2007 at 03:53:42PM -0500, Frank Bulk wrote:
> Does anyone know of a program, or preferably, a Perl module, that would
> allow me to identify if a node is a computer or a broadband router?
> Information beyond that (such as OS or broadband router model number)
> would be a bonus.
> I looked at nmap, but based on my reading and anecdotal tests, it doesn't
> seem to do that well on routers that are doing NAT. I would even accept
> address identification, too, if there was actually an updated list that
> extended beyond the standard OUI.
> Any suggestions would be helpful. I've also looked at p0f and SinFP, and
> they don't appear to be any more helpful.
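The approach Neal describes (grab the response headers, keep the Server and basic-auth realm strings, match the ones you recognize) as an added Python example that is not part of the original thread. The sample responses are constructed around the header lines quoted above; the status lines, `host3`, and the names `parse_banner`, `classify`, `survey` and `KNOWN_REALMS` are assumptions.

```python
import re

# Constructed responses built around the header lines quoted in the message;
# status lines and host3 (a plain web server, no auth challenge) are invented.
SAMPLES = {
    "host1": b'HTTP/1.0 401 Unauthorized\r\nServer: Embedded HTTP Server 3.52\r\n'
             b'WWW-Authenticate: Basic realm="DI-604"\r\n\r\n',
    "host2": b'HTTP/1.0 401 Unauthorized\r\nServer: Intoto Http Server v1.0\r\n'
             b'WWW-Authenticate: Basic realm="WRT54G"\r\n\r\n',
    "host3": b'HTTP/1.1 200 OK\nServer: Apache\n\n<html>realm="x"</html>',
}

# Realm -> device label; only the two identifications given in the message.
KNOWN_REALMS = {"DI-604": "Dlink DI-604", "WRT54G": "Linksys WRT54G"}

REALM_RE = re.compile(r'realm\s*=\s*(?:"([^"]*)"|([^\s,]+))', re.IGNORECASE)

def parse_banner(raw):
    """Return (server, realm) from the header block; realm may be quoted or bare."""
    head = re.split(r"\r?\n\r?\n", raw.decode("latin-1"), maxsplit=1)[0]
    server = realm = None
    for line in head.splitlines()[1:]:          # [0] is the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name, value = name.strip().lower(), value.strip()
        if name == "server" and server is None:
            server = value
        elif name == "www-authenticate" and realm is None:
            m = REALM_RE.search(value)
            if m:
                realm = m.group(1) if m.group(1) is not None else m.group(2)
    return server, realm

def classify(raw):
    """Label a response: known router, unknown realm to review, or inconclusive."""
    server, realm = parse_banner(raw)
    if realm in KNOWN_REALMS:
        return KNOWN_REALMS[realm]
    if realm is not None:
        return "unknown realm %r, keep for later review" % realm
    return "inconclusive (no basic-auth realm)"

def survey(responses):
    """Map host -> (server, realm, label) so unrecognized strings are kept."""
    return {h: parse_banner(r) + (classify(r),) for h, r in responses.items()}

if __name__ == "__main__":
    print(survey(SAMPLES))
```

The raw bytes can be the saved output of the `nc` command shown above, without the `grep`. A missing realm is treated as inconclusive, not as proof the node is a PC.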