Can signature analysis of DHCP client behaviour identify WinXP clients?

Łukasz Siemiradzki lukasz.siemiradzki at gmail.com
Sat Nov 9 11:09:32 UTC 2013


Ah, sorry. I thought that the problem was to distinguish between Windows and
the rest.
In this particular case you may try:
http://lcamtuf.coredump.cx/p0f3/

ŁS

On Saturday, 9 November 2013, Glenn Satchell wrote:

> Windows 7 and Windows 8 also use the same value unfortunately. Just
> confirmed from my DHCP server here at home
>
> regards,
> -glenn
>
> On Sat, November 9, 2013 9:23 am, Łukasz Siemiradzki wrote:
> > Have you considered matching by vendor class identifier? IIRC for Windows
> > XP it is "MSFT 5.0".
> >
> > ŁS
> >
> > On Friday, 8 November 2013, Niall O'Reilly wrote:
> >
> >>
> >> On 7 Nov 2013, at 16:08, Sten Carlsen wrote:
> >>
> >> > Did you consider nmap?
> >>
> >>         Thanks again for the hint.  It's useful in a different way.
> >>
> >>         Nmap sees only systems which are active during the scan.
> >>         DHCP fingerprinting leaves crumbs for picking up later.
> >>
> >>         A colleague found
> >>         http://www.packetfence.org/dhcp_fingerprints.conf
> >>         which is a bit puzzling without some commentary.  Happily, I was
> >>         able to find
> >>         http://chatteronthewire.org/download/chatter-dhcp.pdf .
> >>
> >>         I'm now playing with this approach, using the following
> >>         configuration fragment.
> >>
> >>     class "DHCP-FP-WinXP" {
> >>       match option dhcp-parameter-request-list;
> >>       set dhcp-fingerprint = concat(binary-to-ascii(16, 8, ":", hardware),
> >>                                     " ", "WinXP");
> >>     }
> >>     subclass "DHCP-FP-WinXP" 01:0f:03:06:2c:2e:2f:1f:21:f9:2b;
> >>     subclass "DHCP-FP-WinXP" 01:0f:03:06:2c:2e:2f:1f:21:f9:2b:fc;
> >>     subclass "DHCP-FP-WinXP" 01:0f:03:06:2c:2e:2f:1f:21:f9:2b:fc:0c;
> >>     subclass "DHCP-FP-WinXP" 0f:03:06:2c:2e:2f:1f:21:f9:2b;
> >>     subclass "DHCP-FP-WinXP" 0f:03:06:2c:2e:2f:1f:21:f9:2b:fc;
> >>     subclass "DHCP-FP-WinXP" 0f:03:06:2c:2e:2f:1f:21:f9:2b:fc:0c;
> >>     subclass "DHCP-FP-WinXP" 1c:02:03:0f:06:0c:2c:2f;
> >>
> >>         ATB
> >>         Niall
> >>
> >> _______________________________________________
> >> dhcp-users mailing list
> >> dhcp-users at lists.isc.org
> >> https://lists.isc.org/mailman/listinfo/dhcp-users
> >>
> >
> >
> > --
> >
> > "Omnes homines natura scire desiderant"
> >                                            Aristotelis
>


-- 

"Omnes homines natura scire desiderant"
                                           Aristotelis
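
The two signals discussed in this thread, option 60 (vendor class identifier) and option 55 (parameter request list), compared on constructed DHCP option fields. This is an added example, not code from the thread or from ISC DHCP; the function names and both sample option fields are assumptions, and the fingerprint set is copied from the subclass lines quoted above.

```python
# Added example. WINXP_PRL holds the option-55 values from the quoted subclass lines.
WINXP_PRL = {
    "01:0f:03:06:2c:2e:2f:1f:21:f9:2b",
    "01:0f:03:06:2c:2e:2f:1f:21:f9:2b:fc",
    "01:0f:03:06:2c:2e:2f:1f:21:f9:2b:fc:0c",
    "0f:03:06:2c:2e:2f:1f:21:f9:2b",
    "0f:03:06:2c:2e:2f:1f:21:f9:2b:fc",
    "0f:03:06:2c:2e:2f:1f:21:f9:2b:fc:0c",
    "1c:02:03:0f:06:0c:2c:2f",
}

def parse_options(buf: bytes) -> dict:
    """Parse a DHCP options field (the bytes after the magic cookie) into {code: data}."""
    opts, i = {}, 0
    while i < len(buf):
        code = buf[i]
        if code == 255:                      # End option
            break
        if code == 0:                        # Pad option carries no length byte
            i += 1
            continue
        if i + 1 >= len(buf) or i + 2 + buf[i + 1] > len(buf):
            raise ValueError(f"truncated option {code}")
        length = buf[i + 1]
        # RFC 3396: repeated instances of one option are concatenated
        opts[code] = opts.get(code, b"") + buf[i + 2 : i + 2 + length]
        i += 2 + length
    return opts

def classify(buf: bytes) -> dict:
    """Report vendor class (option 60), request list (option 55) and a label."""
    opts = parse_options(buf)
    prl = ":".join(f"{b:02x}" for b in opts.get(55, b""))
    vendor = opts.get(60, b"").decode("ascii", "replace")
    return {"vendor_class": vendor, "prl": prl,
            "label": "WinXP" if prl in WINXP_PRL else "unknown"}

def opt(code: int, data: bytes) -> bytes:
    """Helper for building the constructed samples below."""
    return bytes([code, len(data)]) + data

# Constructed samples: same vendor class, different parameter request lists.
XP_LIKE = opt(53, b"\x01") + opt(60, b"MSFT 5.0") + opt(55, bytes.fromhex("010f03062c2e2f1f21f92b")) + b"\xff"
OTHER = opt(53, b"\x01") + opt(60, b"MSFT 5.0") + opt(55, bytes.fromhex("010f03062c2e2f1f2179f92b")) + b"\xff"

if __name__ == "__main__":
    for name, sample in (("XP_LIKE", XP_LIKE), ("OTHER", OTHER)):
        print(name, classify(sample))
```

Both samples report the same vendor class, so only the request list separates them; a client that sends no option 55 at all comes back as "unknown".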