Can signature analysis of DHCP client behaviour identify WinXP clients?
Glenn Satchell
glenn.satchell at uniq.com.au
Sat Nov 9 10:48:10 UTC 2013
Windows 7 and Windows 8 also uses the same value unfortunately. Just
confirmed from my dhcp server here at home
regards,
-glenn
On Sat, November 9, 2013 9:23 am, Åukasz Siemiradzki wrote:
> Have you considered matching by vendor class identifier? IIRC for Windows
> XP it is "MSFT 5.0".
>
> ÅS
>
> W dniu piÄ
tek, 8 listopada 2013 użytkownik Niall O'Reilly napisaÅ:
>
>>
>> On 7 Nov 2013, at 16:08, Sten Carlsen wrote:
>>
>> > Did you consider nmap?
>>
>> Thanks again for the hint. It's useful in a different way.
>>
>> Nmap sees only systems which are active during the scan.
>> DHCP fingerprinting leaves crumbs for picking up later.
>>
>> A colleague found
>> http://www.packetfence.org/dhcp_fingerprints.conf
>> which is a bit puzzling without some commentary. Happily, I was
>> able to find
>> http://chatteronthewire.org/download/chatter-dhcp.pdf
>> .
>>
>> I'm now playing with this approach, using the following
>> configuration
>> fragment.
>>
>> class "DHCP-FP-WinXP" {
>> match option dhcp-parameter-request-list;
>> set dhcp-fingerprint = concat(binary-to-ascii(16, 8, ":",
>> hardware),
>> " ", "WinXP");
>> }
>> subclass "DHCP-FP-WinXP" 01:0f:03:06:2c:2e:2f:1f:21:f9:2b;
>> subclass "DHCP-FP-WinXP" 01:0f:03:06:2c:2e:2f:1f:21:f9:2b:fc;
>> subclass "DHCP-FP-WinXP" 01:0f:03:06:2c:2e:2f:1f:21:f9:2b:fc:0c;
>> subclass "DHCP-FP-WinXP" 0f:03:06:2c:2e:2f:1f:21:f9:2b;
>> subclass "DHCP-FP-WinXP" 0f:03:06:2c:2e:2f:1f:21:f9:2b:fc;
>> subclass "DHCP-FP-WinXP" 0f:03:06:2c:2e:2f:1f:21:f9:2b:fc:0c;
>> subclass "DHCP-FP-WinXP" 1c:02:03:0f:06:0c:2c:2f;
>>
>> ATB
>> Niall
>>
>> _______________________________________________
>> dhcp-users mailing list
>> dhcp-users at lists.isc.org <javascript:;>
>> https://lists.isc.org/mailman/listinfo/dhcp-users
>>
>
>
> --
>
> "Omnes homines natura scire desiderant"
> Aristotelis
> _______________________________________________
> dhcp-users mailing list
> dhcp-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/dhcp-users
More information about the dhcp-users
mailing list