Can signature analysis of DHCP client behaviour identify WinXP clients?
Niall O'Reilly
niall.oreilly at ucd.ie
Fri Nov 8 12:51:13 UTC 2013
On 7 Nov 2013, at 16:08, Sten Carlsen wrote:

> Did you consider nmap?

Thanks again for the hint. It's useful in a different way.
Nmap sees only systems which are active during the scan.
DHCP fingerprinting leaves crumbs for picking up later.

A colleague found http://www.packetfence.org/dhcp_fingerprints.conf
which is a bit puzzling without some commentary. Happily, I was
able to find http://chatteronthewire.org/download/chatter-dhcp.pdf.

I'm now playing with this approach, using the following configuration
fragment.

# Classify clients by the raw bytes of DHCP option 55 (parameter request list).
class "DHCP-FP-WinXP" {
    match option dhcp-parameter-request-list;
    # Record the client's hardware type and address (hex, colon-separated) plus a label.
    set dhcp-fingerprint = concat(binary-to-ascii(16, 8, ":", hardware), " ", "WinXP");
}

# Option 55 byte strings (hex option codes, in request order) treated as WinXP signatures.
subclass "DHCP-FP-WinXP" 01:0f:03:06:2c:2e:2f:1f:21:f9:2b;
subclass "DHCP-FP-WinXP" 01:0f:03:06:2c:2e:2f:1f:21:f9:2b:fc;
subclass "DHCP-FP-WinXP" 01:0f:03:06:2c:2e:2f:1f:21:f9:2b:fc:0c;
subclass "DHCP-FP-WinXP" 0f:03:06:2c:2e:2f:1f:21:f9:2b;
subclass "DHCP-FP-WinXP" 0f:03:06:2c:2e:2f:1f:21:f9:2b:fc;
subclass "DHCP-FP-WinXP" 0f:03:06:2c:2e:2f:1f:21:f9:2b:fc:0c;
subclass "DHCP-FP-WinXP" 1c:02:03:0f:06:0c:2c:2f;

ATB
Niall
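
Added example, not part of the original message: the exact-match test that the class above performs, written in Python so it can be run over captured BOOTP/DHCP payloads offline. The function names and the sample DISCOVER packet are constructed for illustration; the option 55 values are the ones from the subclass lines.

```python
# Option 55 byte strings copied from the subclass lines in the message above.
WINXP_PRL = {bytes.fromhex(s.replace(":", "")) for s in (
    "01:0f:03:06:2c:2e:2f:1f:21:f9:2b",
    "01:0f:03:06:2c:2e:2f:1f:21:f9:2b:fc",
    "01:0f:03:06:2c:2e:2f:1f:21:f9:2b:fc:0c",
    "0f:03:06:2c:2e:2f:1f:21:f9:2b",
    "0f:03:06:2c:2e:2f:1f:21:f9:2b:fc",
    "0f:03:06:2c:2e:2f:1f:21:f9:2b:fc:0c",
    "1c:02:03:0f:06:0c:2c:2f",
)}
MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie, follows the 236-byte BOOTP header

def parse_options(payload):
    """Return {option code: data} from a BOOTP/DHCP payload (UDP body)."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP payload")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:          # end option
            break
        if code == 0:            # pad option, no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        # Repeated codes are concatenated (long-option splitting, RFC 3396).
        opts[code] = opts.get(code, b"") + payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def fingerprint(payload):
    """Return 'htype:mac WinXP' when option 55 matches byte for byte, else None."""
    if parse_options(payload).get(55) not in WINXP_PRL:
        return None
    # Like the 'hardware' data: type byte followed by hlen address bytes.
    hw = bytes([payload[1]]) + payload[28:28 + min(payload[2], 16)]
    return ":".join(format(b, "x") for b in hw) + " WinXP"

def build_discover(mac, prl):
    """Constructed sample: minimal DHCPDISCOVER payload carrying option 55."""
    hdr = bytes([1, 1, 6, 0]) + b"\0" * 24 + mac.ljust(16, b"\0") + b"\0" * 192
    return hdr + MAGIC + b"\x35\x01\x01" + bytes([55, len(prl)]) + prl + b"\xff"

if __name__ == "__main__":
    sample = build_discover(bytes.fromhex("001122aabbcc"),
                            bytes.fromhex("010f03062c2e2f1f21f92b"))
    print(fingerprint(sample))
```

The match is on the whole option value, so a request list that differs by one code or by ordering falls outside the class.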