- ssl
- vpn
- vdom-link
- loopbacks
- etc.
To enable device identification, you only need to set the following on each interface on which you want to identify devices:
config sys interface
edit lan
set device-identification enable
end
And then wait for a few minutes before reviewing the output of the detected devices.
FGT100D (root) # diag user device os-summary
host operating systems discovered
OS count
unknown 8
Linux 13
NX-OS 9
Cisco Catalyst L3 S 1
Windows 88
The device-id output is simple to understand and follow, e.g.
( nexus switch learned via lldp )
type 16 'Router/NAT Device' src lldp c 1 gen 4
os 'NX-OS' version '' src lldp id 36 c 1
( a linux host learned via tcp-fingerprint )
vd root/0 00:00:ca:00:00:03 gen 13859 req 38 redir 0 last 0s wan1
ip 185.165.29.97
type 6 'Linux PC' src tcp c 0 gen 6
os 'Linux' version '3.11' src tcp id 364 c 1
( a windows product learned via IIS webservices)
type 8 'Windows PC' src http c 1 gen 14
os 'Windows' version 'NT 10.0' src http id 1850 c 1
( here's a user on mindspring using POP3 unsecured )
c0:8c:60:b0:e7:00 gen 120009 req 0 redir 0 last 0s Inside
ip 10.5.5.55
type 8 'Windows PC' src http c 1 gen 35
os 'Windows' version '7 (x64)' src http id 2168 c 1
host 'CHO-0000002' src mwbs
user 'useronpop@mindspring.com' src pop3
( unknown )
00:01:d1:2d:12:43 gen 1501701 req 3c redir 0 last 0s DMZ
ip 1.1.1.1
os unknown sig 'W mss 4;T 255;D 1;S 60;O m1440 s t n w7;' src tcp
Now that you have an understanding of what device-id does, you can grep the device list for the Windows OS strings, or for any other strings of interest, e.g.
diag user device list | grep -i "Windows"
Here are a few Windows XP hosts that were located.
And here's an XP string.
Now your security analyst and IT team members can target and eliminate the non-compliant hosts.
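As an added example (not from the post and not a Fortinet tool), here is a small Python parser for the record format shown above that goes a step further than the grep: it splits `diag user device list` output into one record per MAC and flags the hosts an analyst would follow up on (XP, unidentified OS, credentials learned from cleartext POP3). The sample output, MACs, IPs, host name and user name are constructed for the example.

```python
import re

# Constructed sample in the "diag user device list" format shown above;
# the MACs, IPs, host and user names here are made up for this example.
SAMPLE = """\
vd root/0 00:00:ca:00:00:03 gen 13859 req 38 redir 0 last 0s wan1
ip 192.0.2.10
os 'Linux' version '3.11' src tcp id 364 c 1
c0:8c:60:b0:e7:00 gen 120009 req 0 redir 0 last 0s Inside
ip 10.5.5.55
type 8 'Windows PC' src http c 1 gen 35
os 'Windows' version 'XP' src http id 2168 c 1
host 'CHO-0000002' src mwbs
user 'someone@example.com' src pop3
00:01:d1:2d:12:43 gen 1501701 req 3c redir 0 last 0s DMZ
ip 10.9.9.9
os unknown sig 'W mss 4;T 255;D 1;S 60;O m1440 s t n w7;' src tcp
"""

# A record starts on the line carrying the MAC (optionally prefixed by "vd <vdom>")
# and ending with the interface name; every other line is "<field> <value> ...".
HEADER = re.compile(r"^(?:vd \S+ )?([0-9a-f]{2}(?::[0-9a-f]{2}){5}) .* (\S+)$")
FIELD = re.compile(r"^(ip|type|os|host|user)(?: \d+)? (?:'([^']*)'|(\S+))"
                   r"(?: version '([^']*)')?(?:.*? src (\S+))?")

def parse_device_list(text):
    """Return one dict per learned MAC, keyed by the CLI field names."""
    devices = []
    for line in text.splitlines():
        if m := HEADER.match(line):
            devices.append({"mac": m[1], "intf": m[2], "os": "unknown"})
        elif devices and (m := FIELD.match(line)):
            key, quoted, bare, version, src = m.groups()
            devices[-1][key] = quoted if quoted is not None else bare
            if version: devices[-1]["version"] = version
            if src: devices[-1][key + "_src"] = src
    return devices

def find_noncompliant(devices):
    """Flag the hosts an analyst would follow up on from this output."""
    flagged = []
    for d in devices:
        reasons = []
        if d["os"] == "Windows" and d.get("version", "").startswith("XP"):
            reasons.append("end-of-life Windows XP")
        if d["os"] == "unknown":
            reasons.append("OS not identified (review the tcp sig)")
        if d.get("user_src") == "pop3":
            reasons.append("user name learned from cleartext POP3")
        if reasons:
            flagged.append((d["mac"], d.get("ip"), d["intf"], reasons))
    return flagged
```

Paste the real CLI output into `SAMPLE` (or read it from a file) and `find_noncompliant(parse_device_list(...))` returns the MAC, IP, interface and reasons for each flagged host.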
Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com