Can signature analysis of DHCP client behaviour identify WinXP clients?

Glenn Satchell glenn.satchell at uniq.com.au
Sat Nov 9 10:48:10 UTC 2013


Windows 7 and Windows 8 also uses the same value unfortunately. Just
confirmed from my dhcp server here at home

regards,
-glenn

On Sat, November 9, 2013 9:23 am, Łukasz Siemiradzki wrote:
> Have you considered matching by vendor class identifier? IIRC for Windows
> XP it is "MSFT 5.0".
>
> ŁS
>
> W dniu piÄ
tek, 8 listopada 2013 użytkownik Niall O'Reilly napisał:
>
>>
>> On 7 Nov 2013, at 16:08, Sten Carlsen wrote:
>>
>> > Did you consider nmap?
>>
>>         Thanks again for the hint.  It's useful in a different way.
>>
>>         Nmap sees only systems which are active during the scan.
>>         DHCP fingerprinting leaves crumbs for picking up later.
>>
>>         A colleague found
>> http://www.packetfence.org/dhcp_fingerprints.conf
>>         which is a bit puzzling without some commentary.  Happily, I was
>>         able to find
>> http://chatteronthewire.org/download/chatter-dhcp.pdf
>> .
>>
>>         I'm now playing with this approach, using the following
>> configuration
>>         fragment.
>>
>>     class "DHCP-FP-WinXP" {
>>       match option dhcp-parameter-request-list;
>>       set dhcp-fingerprint = concat(binary-to-ascii(16, 8, ":",
>> hardware),
>> " ", "WinXP");
>>     }
>>     subclass "DHCP-FP-WinXP" 01:0f:03:06:2c:2e:2f:1f:21:f9:2b;
>>     subclass "DHCP-FP-WinXP" 01:0f:03:06:2c:2e:2f:1f:21:f9:2b:fc;
>>     subclass "DHCP-FP-WinXP" 01:0f:03:06:2c:2e:2f:1f:21:f9:2b:fc:0c;
>>     subclass "DHCP-FP-WinXP" 0f:03:06:2c:2e:2f:1f:21:f9:2b;
>>     subclass "DHCP-FP-WinXP" 0f:03:06:2c:2e:2f:1f:21:f9:2b:fc;
>>     subclass "DHCP-FP-WinXP" 0f:03:06:2c:2e:2f:1f:21:f9:2b:fc:0c;
>>     subclass "DHCP-FP-WinXP" 1c:02:03:0f:06:0c:2c:2f;
>>
>>         ATB
>>         Niall
>>
>> _______________________________________________
>> dhcp-users mailing list
>> dhcp-users at lists.isc.org <javascript:;>
>> https://lists.isc.org/mailman/listinfo/dhcp-users
>>
>
>
> --
>
> "Omnes homines natura scire desiderant"
>                                            Aristotelis
> _______________________________________________
> dhcp-users mailing list
> dhcp-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/dhcp-users




More information about the dhcp-users mailing list