Can signature analysis of DHCP client behaviour identify WinXP clients?

A.L.M.Buxey at lboro.ac.uk A.L.M.Buxey at lboro.ac.uk
Mon Nov 11 14:54:13 UTC 2013


Hi,

> I'm trying to chase down the residual WinXP boxes on our campus,
> and wonder whether signature analysis of DHCP requests can help.

might work for you.... eg using the fingerprints:

subclass "VendorIdent" 1:f:3:6:2c:2e:2f:1f:21:f9:2b {
	set os-ident = "Windows/XP";
}
subclass "VendorIdent" 6:3:1:f:42:43:d:2c {
	set os-ident = "Windows/XP 2";
}
subclass "VendorIdent" 1:3:6:f:33:2c {
	set os-ident = "Windows/XP SP2 (hotfix 885270)";
}
subclass "VendorIdent" 6:3:1:f:42:43:d:2c:c {
	set os-ident = "Windows/XP pro";
}


check out http://www.fingerbank.org/ - PacketFence NAC system also
uses these. we started using these fingerprints way back when it was a Finnish
project IIRC.

http://www.helsinki.fi/atk/yhteydet/fingerprints.txt


you might also want to look at using any internet web server or proxy - if you log the
Agent then they'll also stick out quite nicely...handy if you use eg squid proxy
or have internal servers that all people generally use - eg apache powered intranet.

alan
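
The same matching done offline over captured DHCP payloads, as an added example that is not part of the original post or of ISC dhcpd. It assumes the subclass values above are DHCP option 55 (parameter request list) bytes written as colon-separated hex; the function names, the sample packet and its MAC address are constructed for illustration.

```python
import struct

# Fingerprints quoted in the post above (assumed to be option 55 contents).
XP_FINGERPRINTS = {
    "1:f:3:6:2c:2e:2f:1f:21:f9:2b": "Windows/XP",
    "6:3:1:f:42:43:d:2c": "Windows/XP 2",
    "1:3:6:f:33:2c": "Windows/XP SP2 (hotfix 885270)",
    "6:3:1:f:42:43:d:2c:c": "Windows/XP pro",
}
MAGIC_COOKIE = b"\x63\x82\x53\x63"  # follows the 236-byte BOOTP header


def parse_options(payload: bytes) -> dict:
    """Return {code: value} from a raw DHCP UDP payload (option overload not handled)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:  # End option
            break
        if code == 0:  # Pad option: one byte, no length field
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def identify(payload: bytes):
    """Return (client MAC, option 55 fingerprint, os-ident or None if unknown)."""
    opts = parse_options(payload)
    mac = ":".join(f"{b:02x}" for b in payload[28:28 + min(payload[2], 16)])
    fp = ":".join(format(b, "x") for b in opts.get(55, b""))
    return mac, fp, XP_FINGERPRINTS.get(fp)


def build_sample(prl: bytes) -> bytes:
    """Constructed DHCPDISCOVER for testing; the xid and MAC are made up."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x12345678, 0, 0,
                         b"", b"", b"", b"", bytes.fromhex("020000000001"), b"", b"")
    return header + MAGIC_COOKIE + b"\x35\x01\x01" + bytes([55, len(prl)]) + prl + b"\xff"
```

Matching is exact on the whole list, so "6:3:1:f:42:43:d:2c" and "6:3:1:f:42:43:d:2c:c" stay distinct, and a client that sends no option 55 yields an empty fingerprint and no os-ident.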


More information about the dhcp-users mailing list