Nmap Development mailing list archives
Re: Probe data for windows vista and 2008
From: Brandon Enright <bmenrigh () ucsd edu>
Date: Tue, 4 Mar 2008 09:43:46 +0000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 4 Mar 2008 02:59:49 +0000 or thereabouts swapna prasad <swapna_prasad () hotmail com> wrote:

> Thanks Rob, I use services on ports (e.g. 135, 137, 139, 445 and 3389) to distinguish between OS. IIS 7.0 is for both Windows Vista and 2008, so it wouldn't be possible to distinguish one from the other. Is there any other service that would be useful in this regard?

Swapna,

If you are going to try to determine the version of Windows being used by looking at port patterns and service fingerprints rather than OS detection, there are a few techniques to use. These methods are inherently less reliable and more easily spoofed but can often provide decent insight into a Windows box. Here is the info anyways:

Windows 98:
  tcp/139 open
  tcp/445 *not* open
  tcp/3389 *not* open
  TCP Sequence Prediction = 1 (Trivial Joke)

Windows ME:
  tcp/139 open
  tcp/445 *not* open
  tcp/3389 *not* open
  TCP Sequence Prediction > 1 (Worthy Challenge)

Windows XP (pre MS05-019, pre SP2):
  tcp/135 open
  tcp/139 open
  tcp/445 open
  tcp/5000 open (UPnP)
  TCP Sequence Prediction low (in the "Worthy Challenge" class)

Windows XP (post MS05-019, pre SP2):
  tcp/135 open
  tcp/139 open
  tcp/445 open
  tcp/5000 open (UPnP)
  TCP Sequence Prediction high (in the "Good Luck" class)

Windows XP (post SP2):
  tcp/135 open
  tcp/139 open
  tcp/445 open
  tcp/5000 *not* open
  tcp/2869 might be open (Microsoft HTTPAPI httpd 1.0); if it is, machine is *not* Vista
  tcp/5357 *not* open
  tcp/<1025-6000> might be open and listed as "Microsoft Windows RPC"

Windows Vista:
  tcp/135 open
  tcp/139 open
  tcp/445 open
  tcp/5000 *not* open
  tcp/2869 *not* open
  tcp/5357 might be open (Microsoft HTTPAPI httpd 2.0); if it is, machine is *not* XP
  tcp/<much greater than 6000> might be open and listed as "Microsoft Windows RPC"

Obviously you can't do the RPC check (less than or greater than 6000) without doing a full 64k scan. I'd suggest that if you can't do a full scan, you do the following:

  nmap -sV -O2 -p135,139,445,1025,1026,2869,3389,5000,5357 <host>

You should be able to run nearly all of that logic only scanning those ports. If you don't do -O2 you'll lose your 98/ME difference check. If you don't do -sV you won't be able to tell if the services that have ports open really are what they should be, which will hurt reliability, especially on the popular port 5000.

You can, of course, also check for things like IIS version (21, 25, 80).

Also, if you want to try to check for Windows 2000, the logic overlaps quite a bit with XP, but you can try this:

Windows 2000:
  tcp/135 open
  tcp/139 open
  tcp/445 open
  tcp/1025 likely to be open (RPC)
  tcp/1026 likely to be open (task server - c:\winnt\system32\Mstask.exe)
  tcp/2869 *not* open
  tcp/5000 *not* open

Hopefully this information will help you track Windows better.

Brandon

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.7 (GNU/Linux)

iD8DBQFHzRnbqaGPzAsl94IRAgswAJ9+7D2b9ckLcdLfD5LZCjj1bzqapACeM5ZT
N/Zjs/pQDwcDsJiSePgawPQ=
=AaoJ
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
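The port-pattern rules in Brandon's message are a decision procedure, so here they are written out as a small classifier for an asset-inventory script. This is an added example, not code from the original post or from the Nmap project: it parses the port table and the "TCP Sequence Prediction" line of `nmap -sV -O` normal output (the scan text below is constructed, not a real scan), then applies the 98/ME, XP, Vista and 2000 rules in the order the message gives them. Function names (`parse_scan`, `classify_windows`) and the labels it returns are assumptions; like the rules themselves, it cannot separate Vista from Server 2008, which was the original question, and it inherits the message's caveat that banners and port patterns are easy to spoof.

```python
import re

# Constructed sample of `nmap -sV -O` normal output for one host (not a real
# scan). Matches the post's "Windows XP (post SP2)" pattern: 135/139/445 open,
# 5000 closed, HTTPAPI httpd 1.0 on 2869, an RPC endpoint in 1025-6000.
SAMPLE_XP_SP2 = """\
PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds
1025/tcp open  msrpc        Microsoft Windows RPC
2869/tcp open  http         Microsoft HTTPAPI httpd 1.0
TCP Sequence Prediction: Difficulty=263 (Good luck!)
"""

# Constructed: the post's Vista pattern (HTTPAPI httpd 2.0 on 5357, RPC far above 6000).
SAMPLE_VISTA = """\
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
5357/tcp  open  http         Microsoft HTTPAPI httpd 2.0
49152/tcp open  msrpc        Microsoft Windows RPC
TCP Sequence Prediction: Difficulty=255 (Good luck!)
"""

# Constructed: the post's Windows 98 pattern (139 only, trivially predictable ISNs).
SAMPLE_WIN98 = """\
139/tcp  open  netbios-ssn
TCP Sequence Prediction: Difficulty=1 (Trivial joke)
"""

PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+\S+\s*(.*)$")
SEQ_RE = re.compile(r"^TCP Sequence Prediction: Difficulty=(\d+) \((.+)\)$")


def parse_scan(text):
    """Return ({open_tcp_port: version_banner}, seq_class) from nmap normal output."""
    ports, seq_class = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_RE.match(line)
        if m:
            ports[int(m.group(1))] = m.group(2).strip()
            continue
        m = SEQ_RE.match(line)
        if m:
            seq_class = m.group(2)          # e.g. "Good luck!", "Trivial joke"
    return ports, seq_class


def classify_windows(ports, seq_class):
    """Apply the post's port-pattern heuristics; returns a best-effort label."""
    seq = (seq_class or "").lower()
    # 135 is always the RPC endpoint mapper; the post's <6000 / >6000 test is
    # about the *dynamic* RPC endpoints, so exclude 135 from that set.
    rpc_dyn = [p for p, v in ports.items() if "Microsoft Windows RPC" in v and p != 135]

    # Win9x: NetBIOS session on 139 but neither 445 nor 3389.
    if 139 in ports and 445 not in ports and 3389 not in ports:
        return "Windows 98" if seq.startswith("trivial") else "Windows ME"

    if not all(p in ports for p in (135, 139, 445)):
        return "inconclusive (135/139/445 not all open)"

    # UPnP on 5000 means pre-SP2 XP; ISN class splits pre/post MS05-019.
    if 5000 in ports:
        patched = seq.startswith("good luck")
        return "Windows XP pre-SP2 (%s MS05-019)" % ("post" if patched else "pre")

    # HTTPAPI 1.0 on 2869 => XP SP2, not Vista; HTTPAPI 2.0 on 5357 => Vista, not XP.
    if 2869 in ports and "HTTPAPI httpd 1.0" in ports[2869]:
        return "Windows XP SP2"
    if 5357 in ports and "HTTPAPI httpd 2.0" in ports[5357]:
        return "Windows Vista"

    # Windows 2000 pattern: RPC on 1025, task scheduler on 1026, no 2869/5000.
    if 1025 in rpc_dyn and 1026 in ports and 2869 not in ports:
        return "Windows 2000 (likely; overlaps with XP)"

    # Fall back to where the dynamic RPC endpoints landed (needs a full port scan).
    if rpc_dyn and all(p > 6000 for p in rpc_dyn):
        return "Windows Vista (RPC endpoints above 6000)"
    if any(1025 <= p <= 6000 for p in rpc_dyn):
        return "Windows XP SP2 or 2000 (RPC endpoints in 1025-6000)"
    return "Windows (XP SP2 / Vista / 2000 undetermined)"


def guess_from_scan(text):
    """Convenience wrapper: nmap normal output text -> label."""
    return classify_windows(*parse_scan(text))


if __name__ == "__main__":
    for name, scan in (("xp_sp2", SAMPLE_XP_SP2), ("vista", SAMPLE_VISTA), ("win98", SAMPLE_WIN98)):
        print("%-7s -> %s" % (name, guess_from_scan(scan)))
```

Feed it the saved normal output of the `nmap -sV -O2 -p135,139,445,1025,1026,2869,3389,5000,5357 <host>` command from the message; without `-sV` the VERSION column is empty and the HTTPAPI and RPC checks silently fall through to "undetermined", and without `-O` there is no sequence-prediction line, so 98 and ME collapse into one label.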
Current thread:
- Probe data for windows vista and 2008 swapna prasad (Mar 03)
- RE: Probe data for windows vista and 2008 Rob Nicholls (Mar 03)
- RE: Probe data for windows vista and 2008 swapna prasad (Mar 03)
- RE: Probe data for windows vista and 2008 Rob Nicholls (Mar 03)
- Re: Probe data for windows vista and 2008 Brandon Enright (Mar 04)
- RE: Probe data for windows vista and 2008 swapna prasad (Mar 03)
- RE: Probe data for windows vista and 2008 Rob Nicholls (Mar 03)