Can signature analysis of DHCP client behaviour identify WinXP clients?
Łukasz Siemiradzki
lukasz.siemiradzki at gmail.com
Fri Nov 8 22:23:02 UTC 2013
Have you considered matching by vendor class identifier? IIRC for Windows
XP it is "MSFT 5.0".
ŁS
On Friday, 8 November 2013, Niall O'Reilly wrote:
>
> On 7 Nov 2013, at 16:08, Sten Carlsen wrote:
>
> > Did you consider nmap?
>
> Thanks again for the hint. It's useful in a different way.
>
> Nmap sees only systems which are active during the scan.
> DHCP fingerprinting leaves crumbs for picking up later.
>
> A colleague found
> http://www.packetfence.org/dhcp_fingerprints.conf
> which is a bit puzzling without some commentary. Happily, I was
> able to find http://chatteronthewire.org/download/chatter-dhcp.pdf
> .
>
> I'm now playing with this approach, using the following
> configuration fragment.
>
> class "DHCP-FP-WinXP" {
> match option dhcp-parameter-request-list;
> set dhcp-fingerprint = concat(binary-to-ascii(16, 8, ":", hardware),
> " ", "WinXP");
> }
> subclass "DHCP-FP-WinXP" 01:0f:03:06:2c:2e:2f:1f:21:f9:2b;
> subclass "DHCP-FP-WinXP" 01:0f:03:06:2c:2e:2f:1f:21:f9:2b:fc;
> subclass "DHCP-FP-WinXP" 01:0f:03:06:2c:2e:2f:1f:21:f9:2b:fc:0c;
> subclass "DHCP-FP-WinXP" 0f:03:06:2c:2e:2f:1f:21:f9:2b;
> subclass "DHCP-FP-WinXP" 0f:03:06:2c:2e:2f:1f:21:f9:2b:fc;
> subclass "DHCP-FP-WinXP" 0f:03:06:2c:2e:2f:1f:21:f9:2b:fc:0c;
> subclass "DHCP-FP-WinXP" 1c:02:03:0f:06:0c:2c:2f;
>
> ATB
> Niall
>
> _______________________________________________
> dhcp-users mailing list
> dhcp-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/dhcp-users
>
--
"Omnes homines natura scire desiderant"
Aristotelis
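
The two signals discussed in this thread, the vendor class identifier (option 60) and the parameter request list (option 55), can also be checked offline against captured DHCP option bytes. This is an added example, not code from either poster; the function names and the sample bytes are constructed, and the fingerprint values are the ones in the quoted subclass lines.

```python
# Added example (not from the thread). Names and sample bytes are constructed.
# Option 55 fingerprints copied from the subclass lines in the quoted config.
WINXP_PRL = {
    "01:0f:03:06:2c:2e:2f:1f:21:f9:2b",
    "01:0f:03:06:2c:2e:2f:1f:21:f9:2b:fc",
    "01:0f:03:06:2c:2e:2f:1f:21:f9:2b:fc:0c",
    "0f:03:06:2c:2e:2f:1f:21:f9:2b",
    "0f:03:06:2c:2e:2f:1f:21:f9:2b:fc",
    "0f:03:06:2c:2e:2f:1f:21:f9:2b:fc:0c",
    "1c:02:03:0f:06:0c:2c:2f",
}
VENDOR_CLASS = "MSFT 5.0"  # value suggested in the reply above


def parse_options(buf: bytes) -> dict:
    """Parse a DHCP options field (bytes after the magic cookie) into {code: value}."""
    opts, i = {}, 0
    while i < len(buf):
        code = buf[i]
        if code == 0:          # pad option: single byte, no length
            i += 1
            continue
        if code == 255:        # end option: stop parsing
            break
        if i + 1 >= len(buf):
            raise ValueError("truncated option header")
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = opts.get(code, b"") + value  # RFC 3396: join split options
        i += 2 + length
    return opts


def fingerprint(buf: bytes) -> dict:
    """Report both signals so a record can be kept for later review."""
    opts = parse_options(buf)
    prl = ":".join(f"{b:02x}" for b in opts.get(55, b""))
    vci = opts.get(60, b"").decode("ascii", "replace")
    return {"prl": prl, "vendor_class": vci,
            "prl_match": prl in WINXP_PRL, "vci_match": vci == VENDOR_CLASS}


# Constructed DHCPDISCOVER options: type (53), vendor class (60), request list (55), end.
SAMPLE = (bytes([53, 1, 1]) + bytes([60, 8]) + b"MSFT 5.0" +
          bytes([55, 11, 0x01, 0x0f, 0x03, 0x06, 0x2c, 0x2e, 0x2f, 0x1f, 0x21, 0xf9, 0x2b]) +
          bytes([255]))

if __name__ == "__main__":
    print(fingerprint(SAMPLE))
```

The two results are reported separately so that a client matching on one signal but not the other stands out in the record.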