-
I understand that you can change the MAC address. I estimate that in my environment 1 out of 5 routers installed might spoof the MAC. I'd like to expose 2 or 3 people and make examples out of them. Most of these people are not aware of the policy.
Anyways, thanks for the info on passive fingerprinting.
-
P0f is excellent. I have it running constantly outside my firewall to glean every last little bit of info about an attacker. It's really rather accurate too in the tests I have run against it. It will ID the routers even if they are MAC spoofing.
-
I really hate to bring up a thread that has been dormant for months, but has anyone else out there ever done any work on this? I am trying to identify anyone running home gateway/routers on our network and this is one of the more informative pieces of information I have come across.
I was looking into using Nmap, but it takes a serious amount of time (especially when multiplied by thousands of machines). This happens because each port is looked at during the OS fingerprinting. If it were possible to narrow it down to a few ports and only have to make the scan on those few ports, this might be a more feasible option. Let me know what you think or if you have any other suggestions. Thanks!
-
I would still recommend p0f from here placed just inside the gateway(s). Being on the inside you should get an accurate indication of the machine type of any machine that tries to reach the public network. Monitor it every day or so to see if anything comes up with anything other than a viable OS guess.
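As an added illustration of the monitoring the posts above describe (this is example code, not part of the thread or of p0f itself), the script below reads a constructed, simplified log of passive-fingerprint observations (client IP, OS guess, hop distance) and flags addresses that look like a home gateway rather than a single host: several different OS signatures behind one address, a TTL that was decremented before reaching the sensor (hop distance above 0 on a flat LAN), or no viable OS guess at all. The log format and the sample lines are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample log in a simplified p0f-like form (not real p0f output):
# <client_ip> <os guess> <hop distance>; distance 0 = directly on our segment.
SAMPLE_LOG = """\
10.0.1.20 Windows 7 0
10.0.1.20 Windows 7 0
10.0.1.31 Linux 3.x 1
10.0.1.31 Windows 10 1
10.0.1.31 iOS 1
10.0.1.44 Linux 2.6 0
10.0.1.57 ??? 0
"""


def parse_line(line):
    """Split one log line into (ip, os_guess, distance); the OS guess may contain spaces."""
    parts = line.split()
    ip, dist = parts[0], int(parts[-1])
    os_guess = " ".join(parts[1:-1])
    return ip, os_guess, dist


def find_suspected_gateways(log_text):
    """Return {ip: [reasons]} for addresses whose fingerprints suggest a NAT/router."""
    by_ip = defaultdict(lambda: {"os": set(), "dist": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, os_guess, dist = parse_line(line)
        by_ip[ip]["os"].add(os_guess)
        by_ip[ip]["dist"].add(dist)

    findings = {}
    for ip, seen in by_ip.items():
        reasons = []
        if len(seen["os"]) > 1:
            # One address presenting several OS stacks: classic sign of NAT.
            reasons.append("multiple OS signatures behind one address")
        if any(d > 0 for d in seen["dist"]):
            # A sensor inside the gateway should see local hosts at distance 0;
            # an extra hop means something routed (and decremented TTL) on the way.
            reasons.append("TTL decremented before reaching sensor")
        if "???" in seen["os"]:
            reasons.append("no viable OS guess")
        if reasons:
            findings[ip] = reasons
    return findings
```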