[unisog] Identifying if node is a router or PC
numatrix at ufl.edu
Mon Jul 16 18:41:31 GMT 2007
It's not something I think you'd be interested in actually
implementing for a number of reasons (it's a nasty hack, unreliable,
and potentially illegal), but for the sake of discussion and
entertainment, I'll throw out one theoretical way you could scan from
inside to fingerprint the router.
their first plaintext HTTP session via a transparent proxy that tries
to automatically map and fingerprint any common router IPs using the
I know it's not practical, but it's fun to think about. :-)
Links to code that could achieve such scanning and fingerprinting via
a hijacked browser available in the slide notes at: http://wantingseed.com/sprout/presentations if anyone is interested in
playing with it. (The demo.zip file contains a set of pages I used to
demonstrate taking over and re-programming some linksys routers from
the outside via hijacking an internal user's browser).
Jordan Wiens, CISSP
UF Network Security Engineer
On Jul 16, 2007, at 12:37 PM, Frank Bulk wrote:
> Alas, if I was only on the LAN side of the router, but I'm not. =(
> -----Original Message-----
> From: Dr. Neal Krawetz [mailto:hf at hackerfactor.com]
> Sent: Monday, July 16, 2007 11:31 AM
> To: Frank Bulk
> Cc: 'UNIversity Security Operations Group'
> Subject: Re: [unisog] Identifying if node is a router or PC
> Hi Frank,
> I've read some of the followup posts and they are really good.
> However, have you tried something a little more direct?
> E.g., if you are on the LAN side of the router, then you can usually
> connect to it on port 80 and see the basic-auth string. Some
> # This is a Dlink DI-604
> $ echo -e "GET / HTTP/1.0\n" | nc host1 80 | grep -e WWW-Authenticate -e Server
> Server: Embedded HTTP Server 3.52
> WWW-Authenticate: Basic realm="DI-604"
> # This is a Linksys WRT54G
> $ echo -e "GET / HTTP/1.0\n" | nc host2 80 | grep -e WWW-Authenticate -e Server
> Server: Intoto Http Server v1.0
> WWW-Authenticate: Basic realm="WRT54G"
> Even if you don't recognize the router, you can collect the basic-auth
> strings and go back and look at them later.
> You are definitely right about nmap and p0f not always being accurate.
> If two hosts are connected via the 4-port LAN interface on a Dlink,
> nmap -O will identify the Dlink and not the host. (Same for Linksys
> and SMC Baracade.)
> Neal Krawetz, Ph.D.
> Hacker Factor Solutions
> Author of "Introduction to Network Security" (Charles River Media,
> and "Hacking Ubuntu" (Wiley, 2007)
> On Sat, Jul 14, 2007 at 03:53:42PM -0500, Frank Bulk wrote:
>> Does anyone know of a program, or preferably, a Perl module, that
>> allow me to identify if a node is a computer or a broadband router?
>> Information beyond that (such as OS or broadband router model number)
>> be a bonus.
>> I looked at nmap, but based on my reading and anecdotal tests, it
>> seem to do that well on routers that are doing NAT. I would even
>> address identification, too, if there was actually an updated list
>> extended beyond the standard OUI.
>> Any suggestions would be helpful. I've also looked at p0f and SinFP, and
>> they don't appear to be any more helpful.
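The basic-auth realm check quoted above, worked into a small parser as an added example (not code from anyone in the thread): it takes the raw HTTP response an embedded web server returns, extracts the Server header and the Basic realm, and looks the realm up in a device table. The sample responses and the KNOWN_REALMS table are constructed from the two banners quoted in the thread; everything else about them is assumed.

```python
import re
from typing import Dict, Optional

# Constructed sample responses, modelled on the two banners quoted in the thread
# (assumption: this is what each device answers to "GET / HTTP/1.0"; host3 is a
# plain web server added to show the no-realm case).
SAMPLE_RESPONSES = {
    "host1": (
        "HTTP/1.0 401 Unauthorized\r\n"
        "Server: Embedded HTTP Server 3.52\r\n"
        'WWW-Authenticate: Basic realm="DI-604"\r\n'
        "Content-Type: text/html\r\n\r\n<html>auth required</html>"
    ),
    "host2": (
        "HTTP/1.0 401 Unauthorized\r\n"
        "Server: Intoto Http Server v1.0\r\n"
        'WWW-Authenticate: Basic realm="WRT54G"\r\n\r\n'
    ),
    "host3": (
        "HTTP/1.1 200 OK\r\n"
        "Server: Apache/2.2.3 (CentOS)\r\n"
        "Content-Type: text/html\r\n\r\n<html>hello</html>"
    ),
}

# Hypothetical lookup table: realm strings from the thread mapped to device names.
KNOWN_REALMS = {"DI-604": "D-Link DI-604", "WRT54G": "Linksys WRT54G"}


def parse_headers(raw: str) -> Dict[str, str]:
    """Split a raw HTTP response into a lower-cased header map; the body is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # [1:] skips the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def basic_realm(headers: Dict[str, str]) -> Optional[str]:
    """Return the Basic realm from WWW-Authenticate (quoted or bare), or None."""
    m = re.match(r'Basic\s+realm="?([^"]*)"?', headers.get("www-authenticate", ""), re.I)
    return m.group(1) if m else None


def classify(raw: str) -> Dict[str, Optional[str]]:
    """Summarise one response: Server banner, realm, and the device the realm maps to."""
    headers = parse_headers(raw)
    realm = basic_realm(headers)
    return {"server": headers.get("server"), "realm": realm,
            "device": KNOWN_REALMS.get(realm) if realm else None}
```

Unknown realms still come back in the result, so they can be collected and matched to a device later, as the post suggests.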