Nmap Development mailing list archives

Re: Probe for Windows 2008 R2
From: Rob Nicholls <robert () robnicholls co uk>
Date: Wed, 19 Jan 2011 14:53:28 +0000

Hi,

I can see two matches in the latest nmap-os-db file that are specific to 2008 R2:

# Windows Server 2008 R2 Standard 7600
Fingerprint Microsoft Windows Server 2008 R2
Class Microsoft | Windows | 2008 | general purpose
SEQ(SP=EC-10A%GCD=1-6%ISR=104-110%TI=I%TS=7)
OPS(O1=M564NW8ST11%O2=M564NW8ST11%O3=M564NW8NNT11%O4=M564NW8ST11%O5=M564NW8ST11%O6=M564ST11)
WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)
ECN(R=Y%DF=Y%T=7B-85%TG=80%W=2000%O=M564NW8NNS%CC=N%Q=)
T1(R=Y%DF=Y%T=7B-85%TG=80%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=N)
T5(R=Y%DF=Y%T=7B-85%TG=80%W=0%S=O%A=S+%F=AR%O=%RD=0%Q=)
T6(R=N)
T7(R=N)
U1(DF=N%T=7B-85%TG=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(R=N)

# Windows Server 2008 R2 Enterprise 7600
Fingerprint Microsoft Windows Server 2008 R2
Class Microsoft | Windows | 2008 | general purpose
SEQ(SP=100-10A%GCD=1-6%ISR=106-110%TI=I%CI=I%II=I%SS=S%TS=7)
OPS(O1=M5B4NW8ST11%O2=M5B4NW8ST11%O3=M5B4NW8NNT11%O4=M5B4NW8ST11%O5=M5B4NW8ST11%O6=M5B4ST11)
WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)
ECN(R=N)
T1(R=Y%DF=Y%T=7B-85%TG=80%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=Y%DF=Y%T=7B-85%TG=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)
T3(R=Y%DF=Y%T=7B-85%TG=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)
T4(R=Y%DF=Y%T=7B-85%TG=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%T=7B-85%TG=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=7B-85%TG=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%T=7B-85%TG=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(DF=N%T=7B-85%TG=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(DFI=N%T=7B-85%TG=80%CD=Z)

But because of the strong similarities in the network stack between Vista, 2008, 2008 R2 and Windows 7, it's not typically possible for Nmap to distinguish between 2008 R2 and the other Windows variants (Windows 7 x64 and 2008 R2 share the same codebase, so have an identical network stack).

For example, a scan I've just completed of a 2008 R2 host has identified it as:

Running: Microsoft Windows 2008|7|Vista
OS details: Microsoft Windows Server 2008, Microsoft Windows 7 Professional, Microsoft Windows Vista SP0 or SP1, Server 2008 SP1, or Windows 7

The only way I could tell that this is running 2008 R2 would be to look at the services (e.g. SMB, DNS, IIS) to identify version numbers. For example, Nmap will identify a 2008 host as running Microsoft DNS 6.0.6002 and a 2008 R2 host as running Microsoft DNS 6.1.7600.

Rob

On Wed, 19 Jan 2011 18:44:37 +0530, viswanath emani wrote:
Hi,

Could you please let me know if there is a match available to identify
Windows 2008 R2.

Regards,
Viswanath.
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
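
The two nmap-os-db entries quoted in the message above can be compared attribute by attribute. The following is an added example, not part of the original post and not Nmap's own code: it parses six test lines copied from each quoted entry, lists the attributes whose match expressions differ, and decodes the hexadecimal MSS from the OPS line. The function names are assumptions made for this illustration.

```python
import re
# Six test lines copied from each of the two nmap-os-db entries quoted above.
STANDARD = """\
SEQ(SP=EC-10A%GCD=1-6%ISR=104-110%TI=I%TS=7)
OPS(O1=M564NW8ST11%O2=M564NW8ST11%O3=M564NW8NNT11%O4=M564NW8ST11%O5=M564NW8ST11%O6=M564ST11)
ECN(R=Y%DF=Y%T=7B-85%TG=80%W=2000%O=M564NW8NNS%CC=N%Q=)
T1(R=Y%DF=Y%T=7B-85%TG=80%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
IE(R=N)
"""
ENTERPRISE = """\
SEQ(SP=100-10A%GCD=1-6%ISR=106-110%TI=I%CI=I%II=I%SS=S%TS=7)
OPS(O1=M5B4NW8ST11%O2=M5B4NW8ST11%O3=M5B4NW8NNT11%O4=M5B4NW8ST11%O5=M5B4NW8ST11%O6=M5B4ST11)
ECN(R=N)
T1(R=Y%DF=Y%T=7B-85%TG=80%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=Y%DF=Y%T=7B-85%TG=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)
IE(DFI=N%T=7B-85%TG=80%CD=Z)
"""
TEST_LINE = re.compile(r"^(\w+)\((.*)\)$")

def parse_entry(text):
    """Return {test: {attribute: expression}}; non-test lines are skipped."""
    tests = {}
    for line in text.splitlines():
        m = TEST_LINE.match(line.strip())
        if m:  # comment, Fingerprint and Class lines do not match
            tests[m.group(1)] = dict(
                kv.split("=", 1) for kv in m.group(2).split("%") if "=" in kv)
    return tests

def diff_entries(a, b):
    """Return {test: attributes whose expression differs or exists on one side only}."""
    out = {}
    for test in sorted(set(a) | set(b)):
        ta, tb = a.get(test, {}), b.get(test, {})
        changed = sorted(k for k in set(ta) | set(tb) if ta.get(k) != tb.get(k))
        if changed:
            out[test] = changed
    return out

def mss(tests, option="O1"):
    """Decode the hexadecimal MSS that follows 'M' in an OPS option string."""
    return int(re.match(r"M([0-9A-F]+)", tests["OPS"][option]).group(1), 16)

if __name__ == "__main__":
    std, ent = parse_entry(STANDARD), parse_entry(ENTERPRISE)
    for test, attrs in diff_entries(std, ent).items():
        print(f"{test:4} differs in {', '.join(attrs)}")
    print("MSS:", mss(std), "vs", mss(ent))
```

Passing complete entries, including their comment, Fingerprint and Class lines, works the same way, because only lines of the form NAME(...) are parsed.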

