Re: Remote info about computer
From: Joao Soares Veiga (msnews@rf.com.br)
Date: 01/14/03
- Next message: Joao Soares Veiga: "Re: Tracking sites visited"
- Previous message: x y: "Re: Logon Banner"
- In reply to: NusratRahman@cs.com: "Re: Remote info about computer"
- Next in thread: Lanwench [MVP - Exchange]: "Re: Remote info about computer"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Joao Soares Veiga" <msnews@rf.com.br> Date: Tue, 14 Jan 2003 11:17:49 -0800
nmap will try to guess the OS from the TCP/IP
fingerprinting, which is not 100% accurate. As an
example, here's the nmap output when scanning one Win2k
machine (I'm running nmap on the Linux server):

yk /root # nmap -O -p137-139 xray

Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Interesting ports on xray.rfcom (192.168.168.164):
(The 2 ports scanned but not shown below are in state: closed)
Port       State       Service
139/tcp    open        netbios-ssn

Remote OS guesses: Windows Me or Windows 2000 RC1 through final release, Windows Millenium Edition v4.90.3000

Nmap run completed -- 1 IP address (1 host up) scanned in 1 second

You can see that it can't decide between ME or 2k.

You could also use a sniffer (instead of a scanner) to
see the ubiquitous SMB broadcasts to find out the OS with
a less intrusive and somehow more exact method (this at
least separates win98/me from win2k/nt/xp):

yk /root # tethereal -p -i eth1 -R browser
Capturing on eth1
14.892749 192.168.168.162 -> 192.168.168.255 BROWSER Host Announcement NOVEMBER, Workstation, NT Workstation, Potential Browser
70.022622 192.168.168.166 -> 192.168.168.255 BROWSER Host Announcement PAPA, Workstation, Server, Windows for Workgroups, Windows 95 or above
...
75.117526 192.168.168.163 -> 192.168.168.255 BROWSER Local Master Announcement ZULU, Workstation, Server, Domain Controller, Domain Member Server, Print Queue Server, Xenix Server, NT Workstation, NT Server, Master Browser, Domain Master Browser
...
359.963054 192.168.168.161 -> 192.168.168.255 BROWSER Host Announcement JULIET, Workstation, Server, Windows for Workgroups, Potential Browser, Windows 95 or above

(in this example, NOVEMBER is a WinXP Pro, PAPA is a
Win98, ZULU is a Linux/Samba, and JULIET is a WinMe)
You could also sniff the http traffic and look for the
user agent identification - but that would require that
the user browses the net.
This still wouldn't give you the AV files. Now there are
two ways (at least) of checking the AV:
1. Checking for the files (either sharing the user's
disks and running a script on the server to look for them
or installing something on the user's computers to
look&report to the server, or using something like snmp -
complicated).
2. Checking for the updates (if the users are behaving,
they should update their signature files. You could make
a script to sniff the traffic on your firewall for access
to the Norton update server, and check who is and who is
not updating regularly - this is easy to implement if you
have a Unix/Linux firewall; I have no clue if it's
possible on a Win box).
(there's actually another way, which is using one of the
many Win2k vulnerabilities to hack into their HDs and
look for the AV files you want to check) :)
Joao
>-----Original Message-----
>No plan of hacking.
>I have a network of 900 PCs.
>Recently we replaced all of our PCs with Win2000 and
>Norton Antivirus.
>I want to make sure that all PCs connected to my
>network have OS=win2000 and all of them have Norton
>installed, plus the computer name to trace which PC is not
>following the standard.
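
Added example (not part of the original message): a Python sketch of the passive check described above, turning tethereal BROWSER announcement lines into a per-host OS family and listing the hosts that are not NT-family. The function names and family labels are assumptions, and treating the "Xenix Server" flag as a Unix/Samba hint is a heuristic based only on the ZULU line in the capture.

```python
import re

# Constructed sample: the announcements from the capture above, rejoined to
# one line each (the mail archive wrapped them).
SAMPLE = """\
14.892749 192.168.168.162 -> 192.168.168.255 BROWSER Host Announcement NOVEMBER, Workstation, NT Workstation, Potential Browser
70.022622 192.168.168.166 -> 192.168.168.255 BROWSER Host Announcement PAPA, Workstation, Server, Windows for Workgroups, Windows 95 or above
75.117526 192.168.168.163 -> 192.168.168.255 BROWSER Local Master Announcement ZULU, Workstation, Server, Domain Controller, Domain Member Server, Print Queue Server, Xenix Server, NT Workstation, NT Server, Master Browser, Domain Master Browser
359.963054 192.168.168.161 -> 192.168.168.255 BROWSER Host Announcement JULIET, Workstation, Server, Windows for Workgroups, Potential Browser, Windows 95 or above
"""

# time, source IP, "->", destination, protocol, announcement type, name, flags
LINE = re.compile(
    r"^\s*[\d.]+\s+(?P<ip>\d+(?:\.\d+){3})\s+->\s+\S+\s+BROWSER\s+"
    r"(?:Host|Local Master) Announcement\s+(?P<name>[^,\s]+),\s*(?P<flags>.*)$"
)

def classify(flags):
    """Map the advertised server-type flags to a coarse OS family (heuristic)."""
    if "Xenix Server" in flags:          # assumption: Unix/Samba hint, as on ZULU
        return "unix-smb"
    if flags & {"NT Workstation", "NT Server"}:
        return "nt-family"               # NT, 2000 and XP all land here
    if "Windows 95 or above" in flags:
        return "win9x-family"            # 95/98/Me
    return "unknown"

def inventory(capture):
    """Return {computer name: (ip, family)}; the latest announcement wins."""
    hosts = {}
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue                     # "..." separators, other protocols
        flags = {f.strip() for f in m.group("flags").split(",")}
        hosts[m.group("name")] = (m.group("ip"), classify(flags))
    return hosts

def nonstandard(hosts, wanted="nt-family"):
    """Names of hosts whose family differs from the site standard."""
    return sorted(n for n, (_, fam) in hosts.items() if fam != wanted)

if __name__ == "__main__":
    inv = inventory(SAMPLE)
    for name in nonstandard(inv):
        print(name, *inv[name])
```

Hosts that come back as nt-family can still be NT, 2000 or XP, so this only narrows the list of machines that need a closer check.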