Nmap Development mailing list archives

RE: Probe data for windows vista and 2008


From: "Rob Nicholls" <robert () everythingeverything co uk>
Date: Tue, 4 Mar 2008 04:25:58 -0000

Hi Swapna

Once Vista SP1 has been applied, which systems will hopefully start to get
later this month, both Vista and 2008 will have exactly the same build
number (6001) and use the same kernel. In fact, once you enable Themes and
Windows Audio and a few other things, and add WMP, you can make 2008
look/run just like Vista (noticeably faster, or maybe it's just my
imagination?) with the added benefit of things like RAID5 support (although
I wasn't able to fool it into supporting Windows Media Center). It's also
weird to see 2008 RTM claiming to be SP1:
http://www.everythingeverything.co.uk/files/windows_2008_rtm.png

AFAIK there are very few differences between services on Vista and 2008,
except for certain hardcoded limitations like IIS 7 on Vista is limited in
the number of concurrent requests it can process (which IIRC is better
than/different to XP's restricted IIS behaviour, which I think is based on
the number of simultaneous connections rather than requests) - you could
perhaps send a large number of requests and try and detect timings to see if
it's being throttled, but it wouldn't be that reliable, especially if you
didn't have a direct connection to the server.

Related to IIS, the FTP server that comes with Vista and 2008 is essentially
the same FTP service from IIS 6.0, although I haven't made a note of what
version number it claims to be (assuming it doesn't default to suppressing
the default banner, which you can also set for IIS6). With the "out of band"
release of FTP 7, Microsoft now offers an FTPS solution (NB: not SFTP),
which might help detect the version of FTP server. I think FTP 7 can only be
installed on 2008, but I haven't double checked this yet (I haven't had a
chance to install it on my VM of 2008 yet), so it might be possible to use
this fact to differentiate between Vista and 2008, but you may still hit the
problem of 2008 servers still using the old default version of FTP that
comes with 2008. Once work gets less busy, I'll try and look into this in a
bit more detail.

I think SMB2 should be identical protocols between 2008 and Vista; however
there may be a slight variation in the version number, as MS07-063 upped the
version a while back from 2.001 to 2.002 because of a remote code execution
vulnerability, so it might be possible to detect pre-patched Vista machines
versus patched Vista and 2008 servers (but I'd hope that most Vista users
will have installed this patch by now). There are some more details at this
link, which I think might hint at the limited amount of SMB information
there is to go on (the last image is perhaps the most useful):
http://blogs.technet.com/swi/archive/2007/12/27/ms07-063-insecure-smbv2-signing-algorithm.aspx

As for Terminal Services, I don't remember Nmap detecting a version/protocol
number for previous versions (I'll have to fire up my VM of 2008 RTM at some
point and see if there's a noticeable difference when connecting using
mstsc.exe, it might be possible to check whether something like NLA is
enabled, but that still wouldn't distinguish between Vista or 2008 - or
2003?). Half the time the easiest thing to do is manually connect to the
server to see what you can see (a lot of older Windows servers will happily
display a background created by BGInfo, revealing useful details about the
server). With NLA enforced, unless you can provide valid credentials, you'll
be unable to get it to bring up that initial screen that will display the
precise version of the OS. So I suspect without valid credentials, you will
be completely stuck. It may be possible to gain more info if people allow
any/non-secure versions to connect, which people might do if they're slowly
migrating to Vista/2008 from XP/2003. It might be nice if it were possible
to supply credentials to Nmap and get it to determine the OS from that, but
I suspect Nmap (or more likely an NSE script) would somehow have to gain an
OCR-like capability (and native support for RDP, including NLA?) to gain any
more information.
 
It is possible that some of the NSE scripts are/will be updated to
identify precise version numbers, especially if you can provide credentials
in order to gain more meaningful output from certain services. Hopefully now
that 2008 has reached RTM, people will be able to put more effort into
updating signatures and scripts, and new ways of detecting differences will
be discovered/thought up. 

Regards,


Rob


-----Original Message-----
From: swapna prasad [mailto:swapna_prasad () hotmail com] 
Sent: 04 March 2008 03:00
To: nmap-dev () insecure org
Subject: RE: Probe data for windows vista and 2008


Thanks Rob. I use services on ports (e.g. 135, 137, 139, 445 and 3389) to
distinguish between OSes. IIS 7.0 is on both Windows Vista and 2008, so it
wouldn't be possible to distinguish one from the other; is there any other
service that would be useful in this regard?
Thanks

> From: robert () everythingeverything co uk
> To: swapna_prasad () hotmail com; nmap-dev () insecure org
> Subject: RE: Probe data for windows vista and 2008
> Date: Tue, 4 Mar 2008 02:38:52 +0000
>
> Hi Swapna,
>
> Vista and Server 2008 are operating systems (and already have fingerprints
> in the nmap-os-db file), they are not services themselves. I believe the
> nmap-service-probes file contains regular expressions that should correctly
> identify the version number of the services, such as IIS 7, that come with
> Vista and Server 2008.
>
> Regards,
>
> Rob
>
>
> -----Original Message-----
> From: swapna prasad [mailto:swapna_prasad () hotmail com]
> Sent: 04 March 2008 02:29
> To: nmap-dev () insecure org; sales () insecure com
> Subject: Probe data for windows vista and 2008
> Importance: High
>
>
> Hi,
>
> I have downloaded the latest nmap from this site and in the
> nmap_service_probe file. I don't see any probe data entries for Windows
> Vista and Windows 2008. Can you please let me know where I can get this
> information.
>
> Thanks in advance
> Swapna

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
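The thread turns on what nmap-service-probes "match" lines can and cannot tell apart. The following is an added example, not code from the thread or from Nmap: a small Python parser for match lines in that file's syntax (service, an m|regex| with optional i/s flags, then p/ v/ o/ fields with $N capture substitution), run against constructed banners. The two match lines and the banners are illustrative samples written for this example, and Python's re is only an approximation of the PCRE that Nmap uses.

```python
import re

# Constructed sample match lines in nmap-service-probes syntax (not copied
# from the real file): service, m<delim>regex<delim>flags, then p/ v/ o/ fields.
SAMPLE_MATCH_LINES = [
    r"match http m|^HTTP/1\.[01] \d+ .*\r\nServer: Microsoft-IIS/([\d.]+)\r\n|s "
    r"p/Microsoft IIS httpd/ v/$1/ o/Windows/",
    r"match ftp m|^220 Microsoft FTP Service\r\n| p/Microsoft ftpd/ o/Windows/",
]

# "match <service> m<delim><regex><delim><flags> <fields...>"
_LINE_RE = re.compile(r"^match (\S+) m(.)(.*?)\2([is]*)\s*(.*)$")
# p/product/ v/version/ o/os/ h/hostname/ fields; $N refers to a capture group
_FIELD_RE = re.compile(r"([pvoh])/([^/]*)/")


def parse_match_line(line):
    """Parse one match line into (service, compiled regex, {field: template})."""
    m = _LINE_RE.match(line)
    if not m:
        raise ValueError("not a match line: %r" % line)
    service, _delim, pattern, flags, rest = m.groups()
    re_flags = 0
    if "i" in flags:
        re_flags |= re.IGNORECASE
    if "s" in flags:  # Nmap's 's' flag: dot also matches newline
        re_flags |= re.DOTALL
    return service, re.compile(pattern, re_flags), dict(_FIELD_RE.findall(rest))


def _expand(template, hit):
    """Substitute $1, $2, ... in a field template with the capture groups."""
    return re.sub(r"\$(\d+)", lambda g: hit.group(int(g.group(1))) or "", template)


def identify(banner, lines=SAMPLE_MATCH_LINES):
    """Return the first matching line's service and expanded fields, or None."""
    for line in lines:
        service, rx, fields = parse_match_line(line)
        hit = rx.search(banner)
        if hit:
            result = {"service": service}
            result.update({k: _expand(v, hit) for k, v in fields.items()})
            return result
    return None


if __name__ == "__main__":
    # Constructed banners: IIS 7.0 reports the same version on Vista and 2008,
    # so the match fields alone cannot tell the two systems apart.
    vista = "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/7.0\r\nContent-Length: 0\r\n\r\n"
    srv2008 = "HTTP/1.1 404 Not Found\r\nServer: Microsoft-IIS/7.0\r\n\r\n"
    print(identify(vista), identify(srv2008), identify(vista) == identify(srv2008))
```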
