DHCP fingerprinting is a method of identifying devices on a network passively, by observing the DHCP traffic those devices already generate. In this post, I will cover how it all works.

What is DHCP and How Does It Work?

DHCP (Dynamic Host Configuration Protocol) runs over UDP, using port 67 on the server side and port 68 on the client side. When a device connects to a network, it goes through a four-step process known as DORA:

  1. Discover: Device broadcasts a DHCPDISCOVER message
  2. Offer: DHCP server responds with a DHCPOFFER containing an available IP
  3. Request: Device requests the offered IP (DHCPREQUEST)
  4. Acknowledge: Server confirms the assignment (DHCPACK)

The Art of Fingerprinting

During this DORA process, devices leave subtle clues about their identity. Think of it like a digital fingerprint - every operating system and device type has its own unique way of performing these DHCP transactions. These differences allow us to identify:

  • Operating System and version
  • Device type
  • Vendor information

Understanding DHCP Packet Structure

A DHCP packet contains several key fields:

  • op: Indicates whether it's a request or reply
  • htype: Hardware type
  • hlen: Length of hardware address
  • xid: Transaction ID for matching requests and replies
  • chaddr: Client's MAC address
  • yiaddr: Client's assigned IP address
  • siaddr: Server IP address
  • giaddr: Gateway IP address (for DHCP relays)
  • flags: Broadcast/Unicast flags
  • options: Additional parameters (crucial for fingerprinting)

Key Fingerprinting Indicators

The most valuable information for fingerprinting comes from the options field, particularly:

1. Option 55 (Parameter Request List)

  • The most crucial fingerprinting element
  • Contains a specific order and set of parameters requested by the client
  • Different operating systems request different parameters in different orders

2. Option 60 (Vendor Class Identifier)

  • Provides information about the vendor or device type
  • Helps distinguish between PCs, phones, and other devices

3. Option 61 (Client Identifier)

  • Usually contains the MAC address plus additional data
  • Helps uniquely identify clients

4. Option 12 (Hostname)

  • The client's hostname
  • Can provide direct information about the device

5. Option 81 (Client FQDN)

  • The client's Fully Qualified Domain Name
  • Offers additional context about the device's role in the network
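To make the packet layout and the indicators above concrete, the following Python is an added example for this post, not code from the original article or from any existing fingerprinting tool. It decodes the fixed BOOTP fields and the option TLVs, pulls out Options 12, 55, 60 and 61, and looks the Option 55 sequence up in a signature table. The SIGNATURES table, the VENDOR_HINTS prefixes and the DHCPDISCOVER produced by build_discover() are all constructed for illustration; they are not entries from a real fingerprint database and should not be treated as authoritative.

```python
import struct
from dataclasses import dataclass, field

# RFC 2131 layout: a 236-byte fixed header, the 4-byte magic cookie, then TLV options.
MAGIC_COOKIE = b"\x63\x82\x53\x63"
HEADER_LEN = 236
OPT_PAD, OPT_END = 0, 255
OPT_HOSTNAME, OPT_MSG_TYPE, OPT_PARAM_REQ_LIST, OPT_VENDOR_CLASS, OPT_CLIENT_ID = 12, 53, 55, 60, 61

# Constructed, illustrative signatures (hypothetical, not from a real database):
# the exact Option 55 sequence is the primary key, Option 60 a secondary hint.
SIGNATURES = {
    (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252): "Example OS A (desktop)",
    (1, 121, 3, 6, 15, 119, 252, 95, 44, 46): "Example OS B (laptop)",
    (1, 3, 6, 15, 26, 28, 51, 58, 59, 43): "Example embedded device",
}
VENDOR_HINTS = {"ExampleVendor-Phone": "Example phone"}


@dataclass
class DhcpPacket:
    op: int
    htype: int
    hlen: int
    xid: int
    flags: int
    yiaddr: str
    siaddr: str
    giaddr: str
    chaddr: str                                   # client MAC, colon-separated
    options: dict = field(default_factory=dict)   # option code -> raw value bytes


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_dhcp(payload: bytes) -> DhcpPacket:
    """Parse the UDP payload of a DHCP message; raise ValueError on malformed input."""
    if len(payload) < HEADER_LEN + 4 or payload[HEADER_LEN:HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: bad length or missing magic cookie")
    op, htype, hlen, _hops, xid, _secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    if not 1 <= hlen <= 16:
        raise ValueError(f"invalid hlen {hlen}")
    _ciaddr, yiaddr, siaddr, giaddr = (payload[i:i + 4] for i in (12, 16, 20, 24))
    chaddr = ":".join(f"{b:02x}" for b in payload[28:28 + hlen])

    # Options are TLV: code, length, value. Code 0 is a 1-byte pad, 255 ends the list.
    options, i = {}, HEADER_LEN + 4
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} declares {length} bytes, only {len(value)} present")
        options[code] = value
        i += 2 + length
    return DhcpPacket(op, htype, hlen, xid, flags, _ip(yiaddr), _ip(siaddr), _ip(giaddr), chaddr, options)


def indicators(pkt: DhcpPacket) -> dict:
    """Extract the fields the post names as the key fingerprinting indicators."""
    o = pkt.options
    return {
        "param_request_list": tuple(o.get(OPT_PARAM_REQ_LIST, b"")),   # order matters
        "vendor_class": o.get(OPT_VENDOR_CLASS, b"").decode("ascii", "replace"),
        "hostname": o.get(OPT_HOSTNAME, b"").decode("ascii", "replace"),
        "client_id": o.get(OPT_CLIENT_ID, b"").hex(),
        "chaddr": pkt.chaddr,
    }


def fingerprint(pkt: DhcpPacket) -> str:
    """Exact match on the Option 55 sequence first, then fall back to an Option 60 prefix."""
    ind = indicators(pkt)
    if ind["param_request_list"] in SIGNATURES:
        return SIGNATURES[ind["param_request_list"]]
    for prefix, label in VENDOR_HINTS.items():
        if ind["vendor_class"].startswith(prefix):
            return label
    return "unknown"


def build_discover(mac: bytes, xid: int, param_list, vendor_class: str = "", hostname: str = "") -> bytes:
    """Construct a DHCPDISCOVER payload; sample input for this example, not a real capture."""
    header = struct.pack("!BBBBIHH", 1, 1, len(mac), 0, xid, 0, 0x8000)  # op=1 (request), broadcast flag
    header += b"\x00" * 16                                               # ciaddr, yiaddr, siaddr, giaddr
    header += mac.ljust(16, b"\x00")                                     # chaddr padded to 16 bytes
    header += b"\x00" * (64 + 128)                                       # sname, file
    opts = bytes([OPT_MSG_TYPE, 1, 1])                                   # message type 1 = DHCPDISCOVER
    opts += bytes([OPT_CLIENT_ID, len(mac) + 1, 1]) + mac                # type 1 (Ethernet) + MAC
    opts += bytes([OPT_PARAM_REQ_LIST, len(param_list)]) + bytes(param_list)
    if vendor_class:
        v = vendor_class.encode(); opts += bytes([OPT_VENDOR_CLASS, len(v)]) + v
    if hostname:
        h = hostname.encode(); opts += bytes([OPT_HOSTNAME, len(h)]) + h
    return header + MAGIC_COOKIE + opts + bytes([OPT_END])


if __name__ == "__main__":
    sample = build_discover(bytes.fromhex("001122334455"), 0x3903F326,
                            (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252),
                            vendor_class="ExampleVendor 1.0", hostname="LAB-PC-01")
    pkt = parse_dhcp(sample)
    print(indicators(pkt))
    print(fingerprint(pkt))
```

In a real deployment the payload would come from a capture filter on UDP ports 67/68 and the signature table from a maintained database; the parser rejects truncated or oversized options rather than guessing, which matters when the same code path sees traffic from devices you do not control.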

Advantages and Limitations

Advantages

  • Completely passive - generates no additional network traffic
  • Difficult to evade completely, even with MAC spoofing
  • Can be automated using pattern matching databases

Limitations and Considerations

  • DHCP relays replace the original client's MAC address at the Ethernet layer, so the frame source no longer identifies the client (though the client MAC remains in the chaddr field)
  • MAC spoofing can make some aspects of fingerprinting less reliable
  • Requires maintaining an up-to-date database of DHCP patterns

Practical Applications

For people in Threat Intelligence or any Blue Team role, DHCP fingerprinting provides a reliable way to:

  • Map out device types on a network
  • Identify potentially unauthorized or suspicious devices
  • Maintain an accurate inventory of network assets

Conversely, adversaries can create scripts to passively fingerprint all devices on a network whilst generating ZERO traffic, maintaining their OPSEC.

The technique can be valuable for red team operations due to its passive and undetectable nature - you're simply listening to traffic that's already present on the network.

Conclusion

DHCP fingerprinting is a subtle yet powerful technique for device identification. Regardless of your role, DHCP fingerprinting can benefit either side of the table.