[unisog] Identifying if node is a router or PC

Bruce Curtis bruce.curtis at ndsu.edu
Mon Jul 16 22:02:31 GMT 2007


On Jul 16, 2007, at 4:37 PM, Frank Bulk wrote:

> Forgive my ignorance, but where did you find this documented?  I googled
> around and wasn't able to find a match.


   Looks like it is in dhcp-options.5.  I think we first used it for  
some SUN workstations but have since used it for IP phones and access  
points.

http://www.daemon-systems.org/man/dhcp-options.5.html

"option vendor-class-identifier string;

     This option is used by some DHCP clients to identify the vendor type
     and possibly the configuration of a DHCP client.  The information is a
     string of bytes whose contents are specific to the vendor and are not
     specified in a standard.  To see what vendor class identifier clients
     are sending, you can write the following in your DHCP server
     configuration file:

     set vendor-string = option vendor-class-identifier;

     This will result in all entries in the DHCP server lease database file
     for clients that sent vendor-class-identifier options having a set
     statement that looks something like this:

     set vendor-string = "SUNW.Ultra-5_10";

     The vendor-class-identifier option is normally used by the DHCP server
     to determine the options that are returned in the
     vendor-encapsulated-options option.  Please see the VENDOR ENCAPSULATED
     OPTIONS section later in this manual page for further information."

>
> Is the 'set vendor_class' part important, or can it be 'set  
> i_want_stuff'?



   The line in the config means "I want stuff".

set vendor_class  = option vendor-class-identifier;

   You can also test based on the data.  You can even give IPs from  
different pools based on the vendor class info.

# Vendor specific options for Avaya

class "AvayaPhones" {
        match if option vendor-class-identifier = "ccp.avaya.com" ;
        option  time-offset 21600;
        option  time-servers 134.129.111.111;
}

# Requires an "option space Avaya;" declaration (with its option
# definitions) elsewhere in dhcpd.conf.
if option vendor-class-identifier = "ccp.avaya.com" {
                 vendor-option-space Avaya;
}


#class "SunRayWorkstations" {
#       match if option vendor-class-identifier = "SUNW.NewT.SUNW" ;
#       default-lease-time 86400;
#}
#
#if option vendor-class-identifier = "SUNW.NewT.SUNW" {
#                vendor-option-space SunRay;
#}
#


http://diet-pc.sourceforge.net/examples/isc_dhcpd_30.txt

http://osdir.com/ml/network.dhcp.isc.dhcp-server/2002-11/msg00223.html



>
> Kind regards,
>
> Frank
>
> -----Original Message-----
> From: unisog-bounces at lists.dshield.org
> [mailto:unisog-bounces at lists.dshield.org] On Behalf Of Bruce Curtis
> Sent: Monday, July 16, 2007 1:12 PM
> To: UNIversity Security Operations Group
> Subject: Re: [unisog] Identifying if node is a router or PC
>
>
>    We run ISC DHCP server here and we have turned on the feature to
> have vendor class identifiers reported in the leases file.  Looks
> like this will give you some info in addition to the client-hostname.
>
>    Here is the line required in the dhcpd.conf file.
>
> #  Force vendor class identifier options to be reported in the leases
> file.
>
> set vendor_class  = option vendor-class-identifier;
>
>
>    And here is the line in the leases file that shows that this is a
> Windows XP machine.
>
> set vendor_class = "MSFT 5.0";
>
>    And some other devices that report:
>
>    set vendor_class = "MSFT 98";
>    set vendor_class = "XBOX 1.0";
>    set vendor_class = "Xbox 360";
>    set vendor_class = "Linux 2.6.18.1 i686";
>    set vendor_class = "AirStation Series BUFFALO INC.";
>
>
>
> On Jul 16, 2007, at 9:33 AM, Frank Bulk wrote:
>
>> Paul:
>>
>> Thanks for the suggestion.  Because I work in a service provider
>> environment (I lurk for many of the good ideas and topics this group
>> discusses, much cleaner than NANOG) the clients aren't connecting to a
>> Samba box.
>>
>> There's no reason to believe that the endpoints are forging the MAC
>> address on their broadband router, though some may bother to do that.
>>
>> Besides MAC addresses, I'm also extracting the client-hostnames from
>> dhcpd.leases.  Here are some examples:
>>   client-hostname "WGR614";
>>   client-hostname "WGR614v2";
>>   client-hostname "WGR614v4";
>>   client-hostname "WGR614v5";
>>   client-hostname "WGR614v6";
>>   client-hostname "WGR614v7";
>>   client-hostname "WGT624";
>>   client-hostname "WGT624v3";
>>   client-hostname "WPN824";
>>   client-hostname "WPNT834";
>> This is a good method with low false positives, but if they change their
>> broadband router's host name it's an unknown.
>>
>> I know that Network Chemistry has a RogueScanner and I may need to
>> revisit that product.
>>
>> Regards,
>>
>> Frank
>>
>> -----Original Message-----
>> From: unisog-bounces at lists.dshield.org
>> [mailto:unisog-bounces at lists.dshield.org] On Behalf Of Paul FM
>> Sent: Monday, July 16, 2007 9:09 AM
>> To: UNIversity Security Operations Group
>> Subject: Re: [unisog] Identifying if node is a router or PC
>>
>> Whatever does the identifying would have to work by watching the packets
>> for DHCP and DNS (very closely, more than the standard DHCP logs), as most
>> of these devices will do DHCP themselves and will proxy DNS (through their
>> own internal DNS server) - it would have to fingerprint those packets (to
>> try and id the manufacturer).  Other than that, the MAC address is easily
>> (and likely) forged on these devices, and the nature of NAT makes it very
>> hard to fingerprint the machine by scanning (some of the ports you connect
>> to may go back to the client machine).  And of course, even a Windows XP
>> Home computer can be a NAT router (very easily).
>>
>> One possible way is to use SAMBA as your watcher.  Samba knows the NAME of
>> the connecting machine (as the client knows it) and if you can entice your
>> clients to at least try to connect to a machine running samba, you would be
>> able to watch for multiple Windows clients (names) coming through one IP
>> address (something I should work on myself - thanks for getting me to think
>> about it).
>>
>> Also web logs may be able to help a little.
>>
>>
>>
>>
>> Frank Bulk wrote:
>>> Does anyone know of a program, or preferably, a Perl module, that would
>>> allow me to identify if a node is a computer or a broadband router?
>>> Information beyond that (such as OS or broadband router model number)
>>> would be a bonus.
>>>
>>> I looked at nmap, but based on my reading and anecdotal tests, it doesn't
>>> seem to do that well on routers that are doing NAT.  I would even accept
>>> MAC address identification, too, if there was actually an updated list
>>> that extended beyond the standard OUI.
>>>
>>> Any suggestions would be helpful.  I've also looked at p0f and SinFP, and
>>> they don't appear to be any more helpful.
>>>
>>> Regards,
>>>
>>> Frank
>>>
>>> _______________________________________________
>>> unisog mailing list
>>> unisog at lists.dshield.org
>>> https://lists.sans.org/mailman/listinfo/unisog
>>
>> --
>> ---------------------------------------------------------------------
>> The views and opinions expressed above are strictly
>> those of the author(s).  The content of this message has
>> not been reviewed nor approved by any entity whatsoever.
>> ---------------------------------------------------------------------
>> Paul Markfort   Info: http://www.menet.umn.edu/~paulfm
>> ---------------------------------------------------------------------
>>
>
>
> ---
> Bruce Curtis                         bruce.curtis at ndsu.edu
> Certified NetAnalyst II                701-231-8527
> North Dakota State University
>


---
Bruce Curtis                         bruce.curtis at ndsu.edu
Certified NetAnalyst II                701-231-8527
North Dakota State University
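An added example, not from the thread or from ISC, that applies the technique Bruce describes: once dhcpd.conf carries `set vendor_class = option vendor-class-identifier;`, each lease block in dhcpd.leases may hold a `set vendor_class` line beside `client-hostname`, and this Python parser reads both fields and labels each address router, pc or unknown using the hostname and vendor-class strings quoted in the thread. The lease text is constructed sample data, and because dhcpd.leases is append-only the last block written for an address is the one that counts.

```python
import re

# Indicators from the thread: Netgear model hostnames, Buffalo vendor class
# strings (routers) and MSFT/Linux vendor class strings (PCs).
ROUTER_HOSTNAME_RE = re.compile(r"^(WGR614|WGT624|WPN824|WPNT834)(v\d+)?$", re.I)
ROUTER_VENDOR_RE = re.compile(r"AirStation|BUFFALO", re.I)
PC_VENDOR_RE = re.compile(r"^(MSFT \d|Linux )", re.I)
# Minimal dhcpd.leases grammar: 'lease <ip> { ... }' blocks with optional
# client-hostname and set vendor_class statements (no nested braces).
LEASE_BLOCK_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
HOSTNAME_RE = re.compile(r'client-hostname\s+"([^"]*)"\s*;')
VENDOR_RE = re.compile(r'set\s+vendor_class\s*=\s*"([^"]*)"\s*;')

def parse_leases(text):
    """Map IP -> (client-hostname, vendor_class). dhcpd.leases is append-only,
    so a later block for the same IP supersedes an earlier one."""
    leases = {}
    for ip, body in LEASE_BLOCK_RE.findall(text):
        host, vendor = HOSTNAME_RE.search(body), VENDOR_RE.search(body)
        leases[ip] = (host and host.group(1), vendor and vendor.group(1))
    return leases

def classify(hostname, vendor_class):
    """Return 'router', 'pc' or 'unknown' from the two lease fields."""
    if vendor_class and ROUTER_VENDOR_RE.search(vendor_class):
        return "router"
    if hostname and ROUTER_HOSTNAME_RE.match(hostname):
        return "router"
    if vendor_class and PC_VENDOR_RE.match(vendor_class):
        return "pc"
    return "unknown"

def classify_leases(text):
    return {ip: classify(h, v) for ip, (h, v) in parse_leases(text).items()}

# Constructed sample, not real data; the second 10.0.0.13 block is a later
# lease of that address by a different device and must override the first.
SAMPLE = """\
lease 10.0.0.12 {
  client-hostname "WGR614v7";
}
lease 10.0.0.13 {
  client-hostname "frank-laptop";
  set vendor_class = "MSFT 5.0";
}
lease 10.0.0.13 {
  client-hostname "xbox";
  set vendor_class = "Xbox 360";
}
"""
```

Run `classify_leases(open("/var/lib/dhcp/dhcpd.leases").read())` against a real file; hostnames are client-chosen, so a relabelled router falls through to unknown, as Frank notes.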


