Nmap Development mailing list archives
RE: Probe data for windows vista and 2008
From: "Rob Nicholls" <robert () everythingeverything co uk>
Date: Tue, 4 Mar 2008 04:25:58 -0000
Hi Swapna,

Once Vista SP1 has been applied, which systems will hopefully start to get later this month, both Vista and 2008 will have exactly the same build number (6001) and use the same kernel. In fact, once you enable Themes and Windows Audio and a few other things, and add WMP, you can make 2008 look/run just like Vista (noticeably faster, or maybe it's just my imagination?) with the added benefit of things like RAID5 support (although I wasn't able to fool it into supporting Windows Media Center). It's also weird to see 2008 RTM claiming to be SP1:

http://www.everythingeverything.co.uk/files/windows_2008_rtm.png

AFAIK there are very few differences between services on Vista and 2008, except for certain hardcoded limitations: for example, IIS 7 on Vista is limited in the number of concurrent requests it can process (which IIRC is better than/different to XP's restricted IIS behaviour, which I think is based on the number of simultaneous connections rather than requests). You could perhaps send a large number of requests and try to detect from the timings whether it's being throttled, but it wouldn't be that reliable, especially if you didn't have a direct connection to the server.

Related to IIS, the FTP server that comes with Vista and 2008 is essentially the same FTP service from IIS 6.0, although I haven't made a note of what version number it claims to be (assuming it doesn't default to suppressing the default banner, which you can also set for IIS6). With the "out of band" release of FTP 7, Microsoft now offers an FTPS solution (NB: not SFTP), which might help detect the version of the FTP server. I think FTP 7 can only be installed on 2008, but I haven't double checked this yet (I haven't had a chance to install it on my VM of 2008 yet), so it might be possible to use this fact to differentiate between Vista and 2008, but you may still hit the problem of 2008 servers still using the old default version of FTP that comes with 2008.

Once work gets less busy, I'll try to look into this in a bit more detail.

I think SMB2 should be an identical protocol between 2008 and Vista; however, there may be a slight variation in the version number, as MS07-063 upped the version a while back from 2.001 to 2.002 because of a remote code execution vulnerability, so it might be possible to detect pre-patched Vista machines versus patched Vista and 2008 servers (but I'd hope that most Vista users will have installed this patch by now). There are some more details at this link, which I think might hint at the limited amount of SMB information there is to go on (the last image is perhaps the most useful):

http://blogs.technet.com/swi/archive/2007/12/27/ms07-063-insecure-smbv2-signing-algorithm.aspx

As for Terminal Services, I don't remember Nmap detecting a version/protocol number for previous versions (I'll have to fire up my VM of 2008 RTM at some point and see if there's a noticeable difference when connecting using mstsc.exe; it might be possible to check whether something like NLA is enabled, but that still wouldn't distinguish between Vista or 2008 - or 2003?). Half the time the easiest thing to do is manually connect to the server to see what you can see (a lot of older Windows servers will happily display a background created by BGInfo, revealing useful details about the server). With NLA enforced, unless you can provide valid credentials, you'll be unable to get it to bring up that initial screen that will display the precise version of the OS. So I suspect that without valid credentials you will be completely stuck. It may be possible to gain more info if people allow any/non-secure versions to connect, which people might do if they're slowly migrating to Vista/2008 from XP/2003.

It might be nice if it were possible to supply credentials to Nmap and get it to determine the OS from that, but I suspect Nmap (or more likely an NSE script) would somehow have to gain an OCR-like capability (and native support for RDP, including NLA?) to gain any more information. It is possible that some of the NSE scripts are/will be updated to identify precise version numbers, especially if you can provide credentials in order to gain more meaningful output from certain services. Hopefully now that 2008 has reached RTM, people will be able to put more effort into updating signatures and scripts, and new ways of detecting differences will be discovered/thought up.

Regards,

Rob

-----Original Message-----
From: swapna prasad [mailto:swapna_prasad () hotmail com]
Sent: 04 March 2008 03:00
To: nmap-dev () insecure org
Subject: RE: Probe data for windows vista and 2008

Thanks Rob,

I use services on ports (e.g. 135, 137, 139, 445 and 3389) to distinguish between OSes. IIS 7.0 is for both Windows Vista and 2008, so it wouldn't be possible to distinguish one from the other. Is there any other service that would be useful in this regard?

Thanks

> From: robert () everythingeverything co uk
> To: swapna_prasad () hotmail com; nmap-dev () insecure org
> Subject: RE: Probe data for windows vista and 2008
> Date: Tue, 4 Mar 2008 02:38:52 +0000
>
> Hi Swapna,
>
> Vista and Server 2008 are operating systems (and already have fingerprints
> in the nmap-os-db file); they are not services themselves. I believe the
> nmap-service-probes file contains regular expressions that should correctly
> identify the version number of the services, such as IIS 7, that come with
> Vista and Server 2008.
>
> Regards,
>
> Rob
>
> -----Original Message-----
> From: swapna prasad [mailto:swapna_prasad () hotmail com]
> Sent: 04 March 2008 02:29
> To: nmap-dev () insecure org; sales () insecure com
> Subject: Probe data for windows vista and 2008
> Importance: High
>
> Hi,
>
> I have downloaded the latest nmap from this site, and in the
> nmap_service_probe file I don't see any probe data entries for Windows
> Vista and Windows 2008. Can you please let me know where I can get this
> information.
>
> Thanks in advance
> Swapna
>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://SecLists.Org