
Nmap Development mailing list archives
Re: Probe for Windows 2008 R2
From: Rob Nicholls <robert () robnicholls co uk>
Date: Wed, 19 Jan 2011 14:53:28 +0000
Hi,

I can see two matches in the latest nmap-os-db file that are specific to 2008 R2:

# Windows Server 2008 R2 Standard 7600
Fingerprint Microsoft Windows Server 2008 R2
Class Microsoft | Windows | 2008 | general purpose
SEQ(SP=EC-10A%GCD=1-6%ISR=104-110%TI=I%TS=7)
OPS(O1=M564NW8ST11%O2=M564NW8ST11%O3=M564NW8NNT11%O4=M564NW8ST11%O5=M564NW8ST11%O6=M564ST11)
WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)
ECN(R=Y%DF=Y%T=7B-85%TG=80%W=2000%O=M564NW8NNS%CC=N%Q=)
T1(R=Y%DF=Y%T=7B-85%TG=80%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=N)
T5(R=Y%DF=Y%T=7B-85%TG=80%W=0%S=O%A=S+%F=AR%O=%RD=0%Q=)
T6(R=N)
T7(R=N)
U1(DF=N%T=7B-85%TG=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(R=N)

# Windows Server 2008 R2 Enterprise 7600
Fingerprint Microsoft Windows Server 2008 R2
Class Microsoft | Windows | 2008 | general purpose
SEQ(SP=100-10A%GCD=1-6%ISR=106-110%TI=I%CI=I%II=I%SS=S%TS=7)
OPS(O1=M5B4NW8ST11%O2=M5B4NW8ST11%O3=M5B4NW8NNT11%O4=M5B4NW8ST11%O5=M5B4NW8ST11%O6=M5B4ST11)
WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)
ECN(R=N)
T1(R=Y%DF=Y%T=7B-85%TG=80%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=Y%DF=Y%T=7B-85%TG=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)
T3(R=Y%DF=Y%T=7B-85%TG=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)
T4(R=Y%DF=Y%T=7B-85%TG=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%T=7B-85%TG=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=7B-85%TG=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%T=7B-85%TG=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(DF=N%T=7B-85%TG=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(DFI=N%T=7B-85%TG=80%CD=Z)

But because of the strong similarities in the network stack between Vista, 2008, 2008 R2 and Windows 7, it's not typically possible for Nmap to distinguish between 2008 R2 and the other Windows variants (Windows 7 x64 and 2008 R2 share the same codebase, so have an identical network stack):
For example, a scan I've just completed of a 2008 R2 host has identified it as:
Running: Microsoft Windows 2008|7|Vista
OS details: Microsoft Windows Server 2008, Microsoft Windows 7 Professional, Microsoft Windows Vista SP0 or SP1, Server 2008 SP1, or Windows 7
The only way I could tell that this is running 2008 R2 would be to look at the services (e.g. SMB, DNS, IIS) to identify version numbers. For example, Nmap will identify a 2008 host as running Microsoft DNS 6.0.6002 and a 2008 R2 host as running Microsoft DNS 6.1.7600.
Rob

On Wed, 19 Jan 2011 18:44:37 +0530, viswanath emani wrote:

Hi,

Could you please let me know if there is a match available to identify Windows 2008 R2.

Regards,
Viswanath.

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
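Added example, not part of the original message or of Nmap: a small Python sketch of the approach described in the reply above, using the Microsoft DNS version reported by service detection to narrow an ambiguous "Running:" result. The sample scan output is constructed, the function name `refine_os` is hypothetical, and the build-to-release table is an assumption based on public Windows build numbers (the message itself only gives 6.0.6002 and 6.1.7600).

```python
import re

# Assumption: public Windows build numbers. Only the server releases are listed
# because the Microsoft DNS Server role ships on Windows Server editions.
SERVER_BY_BUILD = {
    "6.0.6001": "Windows Server 2008 SP1",
    "6.0.6002": "Windows Server 2008 SP2",
    "6.1.7600": "Windows Server 2008 R2",
    "6.1.7601": "Windows Server 2008 R2 SP1",
}

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s+(.+)$")
DNS_VERSION = re.compile(r"Microsoft DNS (\d+\.\d+\.\d+)")
RUNNING = re.compile(r"^Running: Microsoft Windows (.+)$")

# Constructed sample in the shape of Nmap's normal output (-sV -O).
SAMPLE = """\
PORT   STATE SERVICE VERSION
53/tcp open  domain  Microsoft DNS 6.1.7600
80/tcp open  http    Microsoft IIS httpd 7.5
Running: Microsoft Windows 2008|7|Vista
"""


def refine_os(nmap_output):
    """Return the OS candidates from 'Running:' plus a guess refined by DNS version."""
    candidates, dns_version = [], None
    for line in nmap_output.splitlines():
        line = line.strip()
        running = RUNNING.match(line)
        if running:
            candidates = running.group(1).split("|")
            continue
        port = PORT_LINE.match(line)
        if port:
            version = DNS_VERSION.search(port.group(4))
            if version:
                dns_version = version.group(1)
    return {
        "os_candidates": candidates,
        "dns_version": dns_version,
        # None means the scan stays ambiguous: no DNS banner or an unknown build.
        "refined": SERVER_BY_BUILD.get(dns_version),
    }


if __name__ == "__main__":
    print(refine_os(SAMPLE))
```

The same idea applies to other version-bearing services mentioned in the reply (SMB, IIS); each would need its own pattern and table.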