Wireless Access

Hi All,

Has anyone got a list of DHCP fingerprints? I've had a quick google but couldn't fine one..

I've got iOS, Android & Blackberry (as CJoseph mentioned them here) but was hoping for Windows Phone 7 too and any other mobile devices...

I don't have the devices handy to get fingerprints..

We have a table at show and we were hoping that we could demo this feature.

Thanks
James

We have not had enough time to clean this up, so I apologize in advance. It also does not have Windows Phone 7. If you want to demonstrate at least detection, remember that the controller will detect and display the OS of any device in the user table for ArubaOS 6.0 and above:

Common OS/Devices - option 55 signatures

OS Match Option (dec/hex) Match Type Fingerprint
Android 2.x 55/0x37 starts-with 37017921030
Android 2.3 55/0x37 equals 3701792103061c333a3b Samsung Galaxy S with Android 2.3
Blackberry 55/0x37 equals 370103060F unknown model of Blackberry
iPad                 55/0x37 equals 370103060F77FC
Macbook 55/0x37 equals 370103060F775FFC2C2E2F Apple Mac Book (assumed OS X)
Maemo OS 55/0x37 equals 370103060c0f111c28292a Nokia N900 running Maemo OS
Nintendo DS 55/0x37 equals 37010306
Playstation 3 55/0x37 equals 3701031c060f
Symbian OS 55/0x37 equals 370C060F01031C78 Nokia N97 / SonyEricsson
Win Mobile 6.x 55/0x37 equals 370103060f2c2e2f Seen on HTC phones with Win Mobile 6.x
Win XP 55/0x37 equals 37010f03062c2e2f1f21f92b exact match on WinXP
Win Vista 55/0x37 equals 37010f03062c2ef1f2179f92b exact match on Vista
Win 7 (korean) 55/0x37 equals 37010f03062c2ef1f2179f92b exact match on Win7 (korean edition)
Win 7 (eng) 55/0x37 equals 37010f03062c2ef1f2179f92b exact match on Win7
Win (Multiple) 55/0x37 starts-with 37010F03062C2E2F1 Generic multi-version "windows"

Common OS/Devices - option 60 signatures

OS Match Option (dec/hex) Match Type Fingerprint
Android 2.x (multiple) 60/0x3c starts-with 3c6468637063642034 partial match on “dhcpcd 4” – caution: may match some linux
BlackBerry 60/0x3c equals 3c426c61636b4265727279 match 'BlackBerry' option
Maemo OS 60/0x3c starts-with 3c756468637020302e392e39 partial match on "udhcpd 0.9.9", used in Nokia N900 Phones
Windows CE 60/0x3c equals 3c4d6963726f736f66742057696e646f777320434500 match "Microsoft Windows CE" - this may match MANY devices
Windows (Multiple) 60/0x3c equals 3c4D53465420352E30 match multiple windows versions with “MSFT 5.0”

Not so common

OS Match Option (dec/hex) Match Type Fingerprint
Cisco 1750 55/0x37 equals 3701060F2C0321962B cisco 1750 VPN
Linux generic 55/0x37 starts-with 37011C02030F0677 Debian/Linux 2.6 generic
Linux (unknown) 55/0x37 equals 37011C02030F06770C2C2F1A792A tbd
Linux Debian 2.6.35 55/0x37 equals 37011c02030f06770c2c2f1a Backtrack 4 R2 dhclient
Palm PDA 55/0x37 equals 37011C02030F060C unknown model of Palm
Samsung s8000 55/0x37 starts-with 370102030405060708090C0D0F1011171A1C2A2C3233353638
Win CE Casio Scanner 55/0x37 equals 370103060F2C2E2F unknown model of Casio scanner
Win CE Symbol Scanner 55/0x37 equals 370103060F2C2E2F4243 unknown model of Symbol scanner 

Can anyone else confirm for me that the Mac OS X Mountain Lion fingerprint has changed from what Lion was?

 

This is what I'm getting in the network log for an iMac running OS X 10.8.1:

370103060f775ffc2c2e

 

Previous versions of OS X was very similar, but with an extra "2f" on the end:

370103060f775ffc2c2e2f

 

I guess if I wanted to cover all OS X versions with a rule - I could use the "starts-with" option instead of "equals".

 

Updated:  It looks like the change was actually made with OSX 10.7.  I imaged the same Macbook and the fingerprint changed from 10.6 -> 10.7, but stays the same for 10.8.

 

Thanks.

Steve

Excellent! That's more that I could have asked for.

---

Isn't this going to be such a pain in the behind to keep up to date its nearly unusable?
I mean, how am I to know whether a new BlackBerry or iPhone and probably the real pain, Androids will have the same fingerprint?

And can a skilled hacker 'spoof' these fingerprints or is this a non-issue?

We only put out a list of a few fingerprints because someone asked. I am not sure if we plan to maintain a list, because in the DHCP fingerprinting note we wrote, there is a way to find out the DHCP fingerprint of any device. Just like any other means of security, there is always someone who is willing to compromise it, so adding a layer of security on top of whatever method you are using is always recommended.

Has anyone got a Windows Phone 7 DHCP finger print handy? I don't have a phone to find one with but it'd be ideal if we had it available to demo at a roadshow we're doing in a weeks time..

I think we only have one guy using that OS at HQ, not sure of anyone else. We can see if we can borrow if for a bit and get back to you.

Also, we're in the process of writing up an app note on this topic, should be out in a few weeks with fingerprints and a howto on grabbing your own.

-awl

Folks,

I got access to one of the few Windows Phone 7 units floating around.

Device: Windows Phone 7
Make: Samsung
Model: SGH-i917
DHCP Option: 55
Fingerprint: 370103060f2c2e2f

Hope this is helpful

-Rajiv

More information about the phone:
Name/Model: Samsung SGH-i917
Carrier: AT&T Wireless
Software: Windows Phone 7
OS version: 7.0.7004.0
Firmware revision number: 2103.10.10.1
Harware revision number: 3.1.0.7
Radio sofware version: 2103.10.10.1
Radio hardware version: 0.0.0.3
Bootloader version: 4.10.0.1
Chip SOC version: 0.36.2.0

Rajiv, Thanks!

---

Folks,

I got access to one of the few Windows Phone 7 units floating around.

Device: Windows Phone 7
Make: Samsung
Model: SGH-i917
DHCP Option: 55
Fingerprint: 370103060f2c2e2f

Hope this is helpful

-Rajiv

More information about the phone:
Name/Model: Samsung SGH-i917
Carrier: AT&T Wireless
Software: Windows Phone 7
OS version: 7.0.7004.0
Firmware revision number: 2103.10.10.1
Harware revision number: 3.1.0.7
Radio sofware version: 2103.10.10.1
Radio hardware version: 0.0.0.3
Bootloader version: 4.10.0.1
Chip SOC version: 0.36.2.0

---

Excellent! Thank you.

Just a quick note that Aruba has posted an application note on the public website for DHCP and device fingerprinting:

http://www.arubanetworks.com/pdf/technology/AOS-DHCP-FingerPrint-AppNote.pdf

and some bad news for those thinking to implement dhcp fingerprinting on a captive portal SSID:

 

BUG-ID: 51691, 56746
DHCP Fingerprinting & Captive Portal cannot be used together.

 

 And from what I was told the fix for this will only be in release 6.2.x.x which is apparantly several months out.:smileysad:

DHCP Fingerprinting is working on my test 3200 using Captive Portal, I've been testing this for a week now and it works fine. The AOS version I'm using is 6.1.3.0.

 

This looks interesting, https://github.com/inverse-inc/fingerbank/blob/master/dhcp_fingerprints.conf

 

The values are in decimal though.

 

:smileyhappy:

 

 

Hi All, if the controller (in my case a 620) is capable of matching the device type to the options, it would be a great idea to allow us to create a rule based on those device types instead of the fingerprint values?

The idea being that various types of iPhones may end up with different fingerprints but still be iPhones .. and the controller could be given an update which would then have all the new fingerprints

thanks

We do not have that today. For now, all iPhones have the same signature....

Any word on whether we are able to fine-tune DHCP fingerprinting with signatures that can tell the difference between an iPhone, iPod, and AppleTV. 

 

I wonder - why is it that the controller(s) can see the Device Type differences between AppleTV, iPhone, iPod, iPad, etc... but our DHCP fingerprints cannot?

 

Thank you --

I suppose theres an internal process that happens similar to ClearPass. Possibly by pairing MAC address ranges with DHCP Option fingerprints. I'm not sure, but that would be my guess. I would also assume that since this process is completely internal, and it seems to be similar to ClearPass - it is not something we can utilize with only controllers.

 

I'm not an Aruba expert - but thats my guess. 

As Colin mentioned, you manually set up the rules today. We're in the final stages of preparing an app note written by Rajiv from an earlier post that will walk you through some of the use cases and how to discover and configure the feature fully.

-awl