[unisog] Identifying if node is a router or PC

Bruce Curtis bruce.curtis at ndsu.edu
Mon Jul 16 18:11:43 GMT 2007


   We run ISC DHCP server here and we have turned on the feature to have vendor class identifiers reported in the leases file.  Looks like this will give you some info in addition to the client-hostname.

   Here is the line required in the dhcpd.conf file.

#  Force vendor class identifier options to be reported in the leases file.

set vendor_class  = option vendor-class-identifier;


   And here is the line in the leases file that shows that this is a Windows XP machine.

set vendor_class = "MSFT 5.0";

   And some other devices that report:

   set vendor_class = "MSFT 98";
   set vendor_class = "XBOX 1.0";
   set vendor_class = "Xbox 360";
   set vendor_class = "Linux 2.6.18.1 i686";
   set vendor_class = "AirStation Series BUFFALO INC.";



On Jul 16, 2007, at 9:33 AM, Frank Bulk wrote:

> Paul:
>
> Thanks for the suggestion.  Because I work in a service provider
> environment (I lurk for many of the good ideas and topics this group
> discusses, much cleaner than NANOG) the clients aren't connecting to a
> Samba box.
>
> There's no reason to believe that the endpoints are forging the MAC
> address on their broadband router, though some may bother to do that.
>
> Besides MAC addresses, I'm also extracting the client-hostnames from
> dhcpd.leases.  Here are some examples:
>   client-hostname "WGR614";
>   client-hostname "WGR614v2";
>   client-hostname "WGR614v4";
>   client-hostname "WGR614v5";
>   client-hostname "WGR614v6";
>   client-hostname "WGR614v7";
>   client-hostname "WGT624";
>   client-hostname "WGT624v3";
>   client-hostname "WPN824";
>   client-hostname "WPNT834";
> This a good method with low false positives, but if they change their
> broadband router's host name it's an unknown.
>
> I know that Network Chemistry has a RogueScanner and I may need to  
> revisit
> that product.
>
> Regards,
>
> Frank
>
> -----Original Message-----
> From: unisog-bounces at lists.dshield.org
> [mailto:unisog-bounces at lists.dshield.org] On Behalf Of Paul FM
> Sent: Monday, July 16, 2007 9:09 AM
> To: UNIversity Security Operations Group
> Subject: Re: [unisog] Identifying if node is a router or PC
>
> Whatever does the identifying would have to work by watching the packets
> for DHCP and DNS (very closely, more than the standard DHCP logs), as
> most of these devices will do DHCP themselves and will proxy DNS (through
> their own internal DNS server) - it would have to fingerprint those
> packets (to try and id the manufacturer).  Other than that, the MAC
> address is easily (and likely) forged on these devices, and the nature of
> NAT makes it very hard to fingerprint the machine by scanning (some of
> the ports you connect to may go back to the client machine).  And of
> course, even a Windows XP Home computer can be a NAT router (very easily).
>
> One possible way is to use SAMBA as your watcher.  Samba knows the NAME
> of the connecting machine (as the client knows it) and if you can entice
> your clients to at least try to connect to a machine running samba, you
> would be able to watch for multiple Windows clients (names) coming
> through one IP address (something I should work on myself - thanks for
> getting me to think about it).
>
> Also web logs may be able to help a little.
>
>
>
>
> Frank Bulk wrote:
>> Does anyone know of a program, or preferably, a Perl module, that would
>> allow me to identify if a node is a computer or a broadband router?
>> Information beyond that (such as OS or broadband router model number)
>> would be a bonus.
>>
>> I looked at nmap, but based on my reading and anecdotal tests, it
>> doesn't seem to do that well on routers that are doing NAT.  I would
>> even accept MAC address identification, too, if there was actually an
>> updated list that extended beyond the standard OUI.
>>
>> Any suggestions would be helpful.  I've also looked at p0f and SinFP,
>> and they don't appear to be any more helpful.
>>
>> Regards,
>>
>> Frank
>>
>> _______________________________________________
>> unisog mailing list
>> unisog at lists.dshield.org
>> https://lists.sans.org/mailman/listinfo/unisog
>
> --
> ---------------------------------------------------------------------
> The views and opinions expressed above are strictly
> those of the author(s).  The content of this message has
> not been reviewed nor approved by any entity whatsoever.
> ---------------------------------------------------------------------
> Paul Markfort   Info: http://www.menet.umn.edu/~paulfm
> ---------------------------------------------------------------------


---
Bruce Curtis                         bruce.curtis at ndsu.edu
Certified NetAnalyst II                701-231-8527
North Dakota State University
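As an added example (not code from the thread), a small Python parser in the spirit of the Perl module Frank asked for: it pulls client-hostname and the vendor_class written by the dhcpd.conf line above out of dhcpd.leases blocks and applies the heuristics the thread mentions (MSFT and AirStation vendor classes, Netgear model names as hostnames). The leases text, IP addresses and labels are constructed for the example; a real leases file carries more fields per block.

```python
import re

# Constructed sample of dhcpd.leases blocks (made-up IPs); the
# "set vendor_class" lines need the dhcpd.conf line quoted in the post above.
SAMPLE_LEASES = """\
lease 10.20.0.11 {
  set vendor_class = "MSFT 5.0";
  client-hostname "frank-laptop";
}
lease 10.20.0.12 {
  client-hostname "WGR614v6";
}
lease 10.20.0.13 {
  set vendor_class = "AirStation Series BUFFALO INC.";
  client-hostname "renamed-by-owner";
}
"""

LEASE_RE = re.compile(r'lease\s+(\S+)\s*\{(.*?)\}', re.S)
FIELD_RES = {
    "hostname": re.compile(r'client-hostname\s+"([^"]*)";'),
    "vendor_class": re.compile(r'set vendor_class\s*=\s*"([^"]*)";'),
}
# Netgear model names that the thread saw reported as client-hostname.
NETGEAR_MODELS = re.compile(r'^(WGR614|WGT624|WPN824|WPNT834)(v\d+)?$')

def parse_leases(text):
    """Return one dict per lease block: ip, hostname, vendor_class."""
    leases = []
    for ip, body in LEASE_RE.findall(text):
        entry = {"ip": ip}
        for key, rx in FIELD_RES.items():
            m = rx.search(body)
            entry[key] = m.group(1) if m else None
        leases.append(entry)
    return leases

def classify(lease):
    """Prefer the vendor class (set by the OS) over the editable hostname."""
    vc, host = lease["vendor_class"] or "", lease["hostname"] or ""
    if vc.startswith("MSFT "):
        return "windows-pc"
    if vc.lower().startswith("xbox"):
        return "game-console"
    if "AirStation" in vc:
        return "router (Buffalo)"
    if NETGEAR_MODELS.match(host):
        return "router (Netgear)"
    return "unknown"  # renamed router, or a client that sends no vendor class
```

The third sample lease shows the point of the vendor class: the owner renamed the Buffalo router, so the hostname rule misses it but the vendor class still labels it.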
