Can signature analysis of DHCP client behaviour identify WinXP clients?

Niall O'Reilly niall.oreilly at
Fri Nov 8 12:51:13 UTC 2013

On 7 Nov 2013, at 16:08, Sten Carlsen wrote:

> Did you consider nmap?

	Thanks again for the hint.  It's useful in a different way.

	Nmap sees only systems which are active during the scan.
	DHCP fingerprinting leaves crumbs for picking up later.

	A colleague found
	which is a bit puzzling without some commentary.  Happily, I was
	able to find

	I'm now playing with this approach, using the following configuration

    class "DHCP-FP-WinXP" {
      match option dhcp-parameter-request-list;
      set dhcp-fingerprint = concat(binary-to-ascii(16, 8, ":", hardware), " ", "WinXP");
    subclass "DHCP-FP-WinXP" 01:0f:03:06:2c:2e:2f:1f:21:f9:2b;
    subclass "DHCP-FP-WinXP" 01:0f:03:06:2c:2e:2f:1f:21:f9:2b:fc;
    subclass "DHCP-FP-WinXP" 01:0f:03:06:2c:2e:2f:1f:21:f9:2b:fc:0c;
    subclass "DHCP-FP-WinXP" 0f:03:06:2c:2e:2f:1f:21:f9:2b;
    subclass "DHCP-FP-WinXP" 0f:03:06:2c:2e:2f:1f:21:f9:2b:fc;
    subclass "DHCP-FP-WinXP" 0f:03:06:2c:2e:2f:1f:21:f9:2b:fc:0c;
    subclass "DHCP-FP-WinXP" 1c:02:03:0f:06:0c:2c:2f;


More information about the dhcp-users mailing list