Understanding DHCP fingerprinting
How DHCP packets leak operating-system and device-type information without generating any extra traffic, why option 55 (Parameter Request List) is the strongest tell, and why the technique is useful to both red and blue teams.
DHCP fingerprinting is a method of identifying devices on a network, this is done passively by devices. In this post, I will cover how it all works.
What is DHCP and how does it work?
DHCP (Dynamic Host Configuration Protocol) uses UDP, using ports 67 (server) and 68 (client). When a device connects to a network, it goes through a four-step process known as DORA:
- Discover: Device broadcasts a DHCPDISCOVER message
- Offer: DHCP server responds with a DHCPOFFER containing an available IP
- Request: Device requests the offered IP (DHCPREQUEST)
- Acknowledge: Server confirms the assignment (DHCPACK)
The art of fingerprinting
During this DORA process, devices leave subtle clues about their identity. Think of it like a digital fingerprint, every operating system and device type has its own unique way of performing these DHCP transactions. These differences allow us to identify:
- Operating System and version
- Device type
- Vendor information
DHCP packet structure
A DHCP packet contains several key fields:
| Field | Meaning |
|---|---|
| op | Indicates whether it’s a request or reply |
| htype | Hardware type |
| hlen | Length of hardware address |
| xid | Transaction ID for matching requests and replies |
| chaddr | Client’s MAC address |
| yiaddr | Client’s assigned IP address |
| siaddr | Server IP address |
| giaddr | Gateway IP address (for DHCP relays) |
| flags | Broadcast/Unicast flags |
| options | Additional parameters (crucial for fingerprinting) |
Key fingerprinting indicators
The most valuable information for fingerprinting comes from the options field, particularly:
1. Option 55 (Parameter Request List)
- The most crucial fingerprinting element
- Contains a specific order and set of parameters requested by the client
- Different operating systems request different parameters in different orders
2. Option 60 (Vendor Class Identifier)
- Provides information about the vendor or device type
- Helps distinguish between PCs, phones, and other devices
3. Option 61 (Client Identifier)
- Usually contains the MAC address plus additional data
- Helps uniquely identify clients
4. Option 12 (Hostname)
- The client’s hostname
- Can provide direct information about the device
5. Option 81 (Client FQDN)
- The client’s Fully Qualified Domain Name
- Offers additional context about the device’s role in the network
Advantages and limitations
Advantages
- Completely passive, generates no additional network traffic
- Difficult to evade completely, even with MAC spoofing
- Can be automated using pattern matching databases
Limitations and considerations
- DHCP relays can mask the original client’s MAC address (though it remains in the
chaddrfield) - MAC spoofing can make some aspects of fingerprinting less reliable
- Requires maintaining an up-to-date database of DHCP patterns
Practical applications
For people in Threat Intelligence or any Blue Team role, DHCP fingerprinting provides a reliable way to:
- Map out device types on a network
- Identify potentially unauthorized or suspicious devices
- Maintain an accurate inventory of network assets
On the contrary, Adversaries can create scripts to passively fingerprint all devices on a network whilst generating ZERO traffic, maintaining their OPSEC.
The technique can be valuable for red team operations due to its passive and undetectable nature, you’re simply listening to traffic that’s already present on the network.
Conclusion
DHCP fingerprinting is a subtle yet powerful technique for device identification. Regardless of your role, DHCP fingerprinting can benefit either side of the table.