Re: Identifying Windows O/S & SP

From: Jayson Anderson (sonick_at_sonick.com)
Date: 08/25/05

  • Next message: Geert VAN ACKER: "Re: Scan virtual hosts" 
    To: pen-test@securityfocus.com, L3wD <l3wd@earthlink.net>
Date: Wed, 24 Aug 2005 23:12:26 -0700

    [current]nmap -sS -sV -P0 -O -pTARGETEDGUESS(s) -v -nTARGET
    where TARGETEDGUESS = 1 educated guess per run

    Fingerprinting (service packs in particular) may or may not be evolved
    enough for your needs. TARGETEDGUESS should be chosen as carefully as
    you would if you were expecting to loudly fully negotiate a connection;
    primary criteria being that where a banner providing adequate
    enumeration information is possible/expected is best case, open port
    next best. Both one open and one closed/filtered are needed for more
    specific fingerprinting; high ports are good for a stealth(ier)
    closed-port detection.

    I'm sure there are more specialized packages out there, though it should
    be known that there is NEVER a *guarantee* the remote IDS is not going
    to take notice. Half-close provides as good a chance as any. The degree
    of noisiness most likely grows right along with specificity per
    package......

    Careful port target selection is paramount, detection should be expected
    in any case...any services providing a banner w/magic bullet
    identification in a fell swoop preferred...

    This is but one way to approach it..

    Jayson

    On Wed, 2005-08-24 at 18:52 -0400, L3wD wrote:
    > I am looking for a method of correctly identifying Windows O/S Versions and Service Packs remotely. Here are my restrictions:
    > - Performed Remotely (not in same broadcast domain)
    > - No Admin Rights on Remote Box
    > - No Username/Password on Remote Box
    > - VERY Few Packets Generated (excluding TCP 3-way handshake)
    > - Ability to **AVOID** IDS Detection
    >
    > My preferences are for something that is command line based, and can be run from a Linux platform. I'll take something GUI based or Windows based if that is all there is. Multiple tools are fine, as long as the number of packets generated are very low.
    >
    > I've taken a look at Winfingerprint 0.6.2 with only the Win32 OS Version option selected, but it generates 70+ packets which is too loud for my purposes.

  • Next message: Geert VAN ACKER: "Re: Scan virtual hosts"