Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Identifying Windows O/S & SP
From: Jayson Anderson <sonick () sonick com>
Date: Wed, 24 Aug 2005 23:12:26 -0700

[current]nmap -sS -sV -P0 -O -pTARGETEDGUESS(s) -v -nTARGET
where TARGETEDGUESS = 1 educated guess per run

Fingerprinting (service packs in particular) may or may not be evolved
enough for your needs. TARGETEDGUESS should be chosen as carefully as
you would if you were expecting to loudly fully negotiate a connection;
primary criteria being that where a banner providing adequate
enumeration information is possible/expected is best case, open port
next best. Both one open and one closed/filtered are needed for more
specific fingerprinting; high ports are good for a stealth(ier)
closed-port detection.

I'm sure there are more specialized packages out there, though it should
be known that there is NEVER a *guarantee* the remote IDS is not going
to take notice. Half-close provides as good a chance as any. The degree
of noisiness most likely grows right along with specificity per

Careful port target selection is paramount, detection should be expected
in any case...any services providing a banner w/magic bullet
identification in a fell swoop preferred...

This is but one way to approach it..


On Wed, 2005-08-24 at 18:52 -0400, L3wD wrote:
    I am looking for a method of correctly identifying Windows O/S Versions and Service Packs remotely. Here are my 
- Performed Remotely (not in same broadcast domain)
- No Admin Rights on Remote Box
- No Username/Password on Remote Box
- VERY Few Packets Generated (excluding TCP 3-way handshake)
- Ability to **AVOID** IDS Detection

    My preferences are for something that is command line based, and can be run from a Linux platform. I'll take 
something GUI based or Windows based if that is all there is. Multiple tools are fine, as long as the number of 
packets generated are very low.

    I've taken a look at Winfingerprint 0.6.2 with only the Win32 OS Version option selected, but it generates 70+ 
packets which is too loud for my purposes.

Attachment: signature.asc
Description: This is a digitally signed message part

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]