Can signature analysis of DHCP client behaviour identify WinXP clients?
Łukasz Siemiradzki
lukasz.siemiradzki at gmail.com
Sat Nov 9 11:09:32 UTC 2013
Ah sorry. I thought that the problem was to distinguish between Windows and
the rest.
In this particular case you may try:
http://lcamtuf.coredump.cx/p0f3/
ŁS
On Saturday, 9 November 2013, Glenn Satchell wrote:
> Windows 7 and Windows 8 also use the same value unfortunately. Just
> confirmed from my dhcp server here at home
>
> regards,
> -glenn
>
> On Sat, November 9, 2013 9:23 am, Łukasz Siemiradzki wrote:
> > Have you considered matching by vendor class identifier? IIRC for Windows
> > XP it is "MSFT 5.0".
> >
> > ŁS
> >
> > On Friday, 8 November 2013, Niall O'Reilly wrote:
> >
> >>
> >> On 7 Nov 2013, at 16:08, Sten Carlsen wrote:
> >>
> >> > Did you consider nmap?
> >>
> >> Thanks again for the hint. It's useful in a different way.
> >>
> >> Nmap sees only systems which are active during the scan.
> >> DHCP fingerprinting leaves crumbs for picking up later.
> >>
> >> A colleague found
> >> http://www.packetfence.org/dhcp_fingerprints.conf
> >> which is a bit puzzling without some commentary. Happily, I was
> >> able to find
> >> http://chatteronthewire.org/download/chatter-dhcp.pdf
> >> .
> >>
> >> I'm now playing with this approach, using the following
> >> configuration fragment.
> >>
> >> class "DHCP-FP-WinXP" {
> >>     match option dhcp-parameter-request-list;
> >>     set dhcp-fingerprint = concat(binary-to-ascii(16, 8, ":", hardware),
> >>                                   " ", "WinXP");
> >> }
> >> subclass "DHCP-FP-WinXP" 01:0f:03:06:2c:2e:2f:1f:21:f9:2b;
> >> subclass "DHCP-FP-WinXP" 01:0f:03:06:2c:2e:2f:1f:21:f9:2b:fc;
> >> subclass "DHCP-FP-WinXP" 01:0f:03:06:2c:2e:2f:1f:21:f9:2b:fc:0c;
> >> subclass "DHCP-FP-WinXP" 0f:03:06:2c:2e:2f:1f:21:f9:2b;
> >> subclass "DHCP-FP-WinXP" 0f:03:06:2c:2e:2f:1f:21:f9:2b:fc;
> >> subclass "DHCP-FP-WinXP" 0f:03:06:2c:2e:2f:1f:21:f9:2b:fc:0c;
> >> subclass "DHCP-FP-WinXP" 1c:02:03:0f:06:0c:2c:2f;
> >>
> >> ATB
> >> Niall
> >>
> >> _______________________________________________
> >> dhcp-users mailing list
> >> dhcp-users at lists.isc.org
> >> https://lists.isc.org/mailman/listinfo/dhcp-users
> >>
> >
> >
> > --
> >
> > "Omnes homines natura scire desiderant"
> > Aristotelis
>
>
>
--
"Omnes homines natura scire desiderant"
Aristotelis
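Added example, not part of any message in this thread: a Python sketch of the exact-match logic behind the quoted class/subclass fragment, for checking captured option 55 lists offline and for turning decimal fingerprint lists into `subclass` lines. The function names, the sample MAC address and the comma-separated decimal input form are assumptions; the fingerprint values are the ones quoted above.

```python
# Fingerprint values are the subclass data quoted in the thread (option 55, hex).
WINXP_SUBCLASSES = [
    "01:0f:03:06:2c:2e:2f:1f:21:f9:2b",
    "01:0f:03:06:2c:2e:2f:1f:21:f9:2b:fc",
    "01:0f:03:06:2c:2e:2f:1f:21:f9:2b:fc:0c",
    "0f:03:06:2c:2e:2f:1f:21:f9:2b",
    "0f:03:06:2c:2e:2f:1f:21:f9:2b:fc",
    "0f:03:06:2c:2e:2f:1f:21:f9:2b:fc:0c",
    "1c:02:03:0f:06:0c:2c:2f",
]

def hex_to_codes(fp):
    """'01:0f:03' -> (1, 15, 3): option codes in the order the client asked."""
    return tuple(int(b, 16) for b in fp.split(":"))

def codes_to_subclass(class_name, decimal_list):
    """'1,15,3' (assumed decimal list form) -> a dhcpd.conf subclass statement."""
    codes = [int(c) for c in decimal_list.split(",")]
    if any(not 0 < c < 255 for c in codes):  # 0 is pad, 255 is end
        raise ValueError("not a valid option 55 list: %r" % decimal_list)
    return 'subclass "%s" %s;' % (class_name, ":".join("%02x" % c for c in codes))

def hardware_ascii(mac, htype=1):
    """Like binary-to-ascii(16, 8, ":", hardware): type byte first, no zero padding."""
    return ":".join("%x" % b for b in [htype] + [int(x, 16) for x in mac.split(":")])

TABLE = {hex_to_codes(fp): "WinXP" for fp in WINXP_SUBCLASSES}

def fingerprint(mac, prl):
    """Return the value the fragment stores in dhcp-fingerprint, or None.

    The whole list is compared, so order and length both matter, as with
    'match option dhcp-parameter-request-list' against subclass data.
    """
    label = TABLE.get(tuple(prl))
    return None if label is None else "%s %s" % (hardware_ascii(mac), label)

if __name__ == "__main__":
    mac = "00:0c:29:ab:cd:ef"  # constructed sample address
    print(fingerprint(mac, [1, 15, 3, 6, 44, 46, 47, 31, 33, 249, 43]))
    print(fingerprint(mac, [1, 3, 6, 15]))  # constructed list, not in the table
    print(codes_to_subclass("DHCP-FP-WinXP", "1,15,3,6,44,46,47,31,33,249,43"))
```

The stored value has no zero padding in the hardware part, which matters when searching the lease database for a known MAC address later.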