How to use DHCP-requests for passive OS fingerprinting
Overview
Most devices are able to use the Dynamic Host Configuration Protocol (DHCP) for IP configuration. Although there is an option that identifies the client (OPTION: 60 Vendor class identifier, e.g. "MSFT 5.0"), it is not suitable for distinguishing the operating system, because "MSFT 5.0" is used by most Windows versions. But you can use the pattern of requested options (OPTION: 55 Parameter Request List) for fingerprinting.
Enable logging of the DHCP-options relevant for fingerprinting
Add this to your dhcpd.conf:
...
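on commit {
    # Log one line per lease commit: MAC, option 55 list (hex), option 60.
    log(info,
        concat("Client ",
               # hardware starts with the hardware type byte; skip it.
               binary-to-ascii(16, 8, ":", substring(hardware, 1, 6)),
               " requests ",
               binary-to-ascii(16, 8, ":", option dhcp-parameter-request-list),
               "-",
               pick-first-value(option vendor-class-identifier, "no vendor-id"))
    );
}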
...
This will strip leading zeros in the MAC address! (a fix)
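To work with the resulting log, the following added example (not part of the original page) parses the lines written by the `on commit` block above, restores the stripped leading zeros in the MAC address, and converts the hex option 55 list into the decimal, order-preserving pattern used for matching. The function names, the syslog prefix and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the message emitted by the "on commit" log() statement; any syslog
# prefix in front of "Client" is ignored. The hex list cannot contain "-",
# so the first "-" after it separates it from the vendor class identifier,
# even when the identifier itself contains hyphens.
LINE_RE = re.compile(
    r"Client (?P<mac>[0-9a-f]{1,2}(?::[0-9a-f]{1,2}){5}) requests "
    r"(?P<prl>[0-9a-f:]*)-(?P<vendor>.*)$",
    re.IGNORECASE,
)

def parse_line(line):
    """Return (mac, fingerprint, vendor), or None if the line does not match."""
    m = LINE_RE.search(line.rstrip("\n"))
    if m is None:
        return None
    # binary-to-ascii drops the leading zero of each byte; restore it.
    mac = ":".join(b.zfill(2) for b in m["mac"].lower().split(":"))
    # Option 55 is logged as hex bytes. Convert to decimal option codes and
    # keep the order, because the order is part of the pattern.
    prl = m["prl"]
    fingerprint = ",".join(str(int(b, 16)) for b in prl.split(":")) if prl else ""
    return mac, fingerprint, m["vendor"]

def group_by_fingerprint(lines):
    """Map (fingerprint, vendor) -> sorted list of MAC addresses seen."""
    seen = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            mac, fingerprint, vendor = parsed
            seen[(fingerprint, vendor)].add(mac)
    return {key: sorted(macs) for key, macs in seen.items()}

# Constructed sample log lines (not captured from a real network).
SAMPLE_LOG = [
    "Mar  3 10:15:01 gw dhcpd: Client 0:c:29:ab:1:2 requests 1:f:3:6:2c:2e:2f:1f:21:79:f9:2b-MSFT 5.0",
    "Mar  3 10:15:09 gw dhcpd: Client 0:c:29:ab:1:3 requests 1:f:3:6:2c:2e:2f:1f:21:79:f9:2b-MSFT 5.0",
    "Mar  3 10:16:44 gw dhcpd: Client a4:5e:60:0:ff:10 requests 1:3:6:f:1a:1c:33:3a:3b:2b-android-dhcp-9",
    "Mar  3 10:17:02 gw dhcpd: DHCPACK on 192.0.2.10 to 00:0c:29:ab:01:02 via eth0",
]

if __name__ == "__main__":
    for (fingerprint, vendor), macs in group_by_fingerprint(SAMPLE_LOG).items():
        print(f"{fingerprint or '(no option 55)'} | {vendor} | {', '.join(macs)}")
```

Grouping by the pair of fingerprint and vendor class identifier gives you the raw material for your own matching table: label each group once with the operating system you know is behind one of its MAC addresses.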
Matching table DHCP2OS
Further reading and links