[unisog] Identifying if node is a router or PC

Jordan Wiens numatrix at ufl.edu
Mon Jul 16 18:41:31 GMT 2007

It's not something I think you'd be interested in actually
implementing for a number of reasons (it's a nasty hack, unreliable,
and potentially illegal), but for the sake of discussion and
entertainment, I'll throw out one theoretical way you could scan from
inside to fingerprint the router.

When a MAC first shows up on the network, inject javascript into
their first plaintext HTTP session via a transparent proxy that tries
to automatically map and fingerprint any common router IPs using the
browser itself.

I know it's not practical, but it's fun to think about.  :-)

Links to code that could achieve such scanning and fingerprinting via
a hijacked browser are available in the slide notes at
http://wantingseed.com/sprout/presentations if anyone is interested in
playing with it. (The demo.zip file contains a set of pages I used to
demonstrate taking over and re-programming some linksys routers from
the outside via hijacking an internal user's browser).

Jordan Wiens, CISSP
UF Network Security Engineer

On Jul 16, 2007, at 12:37 PM, Frank Bulk wrote:

> Alas, if I was only on the LAN side of the router, but I'm not. =(
> Frank
> -----Original Message-----
> From: Dr. Neal Krawetz [mailto:hf at hackerfactor.com]
> Sent: Monday, July 16, 2007 11:31 AM
> To: Frank Bulk
> Cc: 'UNIversity Security Operations Group'
> Subject: Re: [unisog] Identifying if node is a router or PC
> Hi Frank,
> I've read some of the followup posts and they are really good.
> However, have you tried something a little more direct?
> E.g., if you are on the LAN side of the router, then you can usually
> connect to it on port 80 and see the basic-auth string.  Some examples:
> # This is a Dlink DI-604
> $ echo -e "GET / HTTP/1.0\n" | nc host1 80 | grep -e WWW-Authenticate -e "Server:"
> Server: Embedded HTTP Server 3.52
> WWW-Authenticate: Basic realm="DI-604"
> # This is a Linksys WRT54G
> $ echo -e "GET / HTTP/1.0\n" | nc host2 80 | grep -e WWW-Authenticate -e "Server:"
> Server: Intoto Http Server v1.0
> WWW-Authenticate: Basic realm="WRT54G"
> Even if you don't recognize the router, you can collect the basic-auth
> strings and go back and look at them later.
> You are definitely right about nmap and p0f not always being accurate.
> If two hosts are connected via the 4-port LAN interface on a Dlink, then
> nmap -O will identify the Dlink and not the host.  (Same for Linksys
> and SMC Barricade.)
>                                         -Neal
> --
> Neal Krawetz, Ph.D.
> Hacker Factor Solutions
> http://www.hackerfactor.com/
> Author of "Introduction to Network Security" (Charles River Media, 2006)
> and "Hacking Ubuntu" (Wiley, 2007)
> On Sat, Jul 14, 2007 at 03:53:42PM -0500, Frank Bulk wrote:
>> Does anyone know of a program, or preferably, a Perl module, that would
>> allow me to identify if a node is a computer or a broadband router?
>> Information beyond that (such as OS or broadband router model number) would
>> be a bonus.
>> I looked at nmap, but based on my reading and anecdotal tests, it doesn't
>> seem to do that well on routers that are doing NAT.  I would even accept
>> address identification, too, if there was actually an updated list that
>> extended beyond the standard OUI.
>> Any suggestions would be helpful.  I've also looked at p0f and SinFP, and
>> they don't appear to be any more helpful.
>> Regards,
>> Frank
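Neal's header check, as an added example that is not code from anyone in the thread: parse the Server and WWW-Authenticate headers out of a raw HTTP/1.0 response and map the Basic-auth realm to the router models he quotes, so the result can be used for a LAN inventory rather than read off by eye. The sample responses are constructed from the header lines in his message; the realm table and the `probe` helper are my own assumptions.

```python
import re
import socket
from dataclasses import dataclass
from typing import Optional

# Realm strings quoted in the thread; extend with realms collected on your own LAN.
KNOWN_REALMS = {"DI-604": "D-Link DI-604", "WRT54G": "Linksys WRT54G"}

@dataclass
class HttpFingerprint:
    server: Optional[str]
    realm: Optional[str]
    device: Optional[str]

    @property
    def looks_like_router(self) -> bool:
        # The thread's tell: a Basic-auth challenge whose realm names a router model.
        return self.device is not None

def parse_headers(raw: bytes) -> HttpFingerprint:
    """Extract Server and the WWW-Authenticate realm from a raw HTTP response."""
    head = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[0].decode("latin-1")
    server = realm = None
    for line in head.splitlines()[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            server = value.strip()
        elif name.strip().lower() == "www-authenticate":
            m = re.search(r'realm="([^"]*)"', value, re.IGNORECASE)
            realm = m.group(1) if m else None
    return HttpFingerprint(server, realm, KNOWN_REALMS.get(realm) if realm else None)

def probe(host: str, port: int = 80, timeout: float = 3.0) -> HttpFingerprint:
    """Send the same request Neal sends with nc to a host on your own network."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"GET / HTTP/1.0\r\n\r\n")
        buf = b""
        while b"\r\n\r\n" not in buf and len(buf) < 65536:
            data = s.recv(4096)
            if not data:
                break
            buf += data
    return parse_headers(buf)

# Constructed sample responses modelled on the header lines quoted in the thread.
SAMPLE_DLINK = (b"HTTP/1.0 401 Unauthorized\r\nServer: Embedded HTTP Server 3.52\r\n"
                b'WWW-Authenticate: Basic realm="DI-604"\r\n\r\n')
SAMPLE_LINKSYS = (b"HTTP/1.0 401 Unauthorized\r\nServer: Intoto Http Server v1.0\r\n"
                  b'WWW-Authenticate: Basic realm="WRT54G"\r\n\r\n')
SAMPLE_PC = b"HTTP/1.0 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n<html></html>"
```

Unrecognised realms come back with `device` set to None; as Neal suggests, keep those realm strings and look them up later.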
