EH-Net
May 18, 2013, 08:34:55 AM
376
Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Reliably determine the Operating System and Service Pack
on: January 12, 2011, 09:33:26 AM
Only as reliable as your tools. It would be great if Nmap was always 100% accurate, and it does a pretty good job, especially if you are doing service detection as well with -sV. Obviously you won't have IIS running on a BSD box.

For Windows: it's possible you could use a null session and user2sid to enumerate the SIDs and then do a compare with the entry at http://support.microsoft.com/kb/243330 of well-known SIDs to narrow down the OS list.

Supposedly, if you can get a shell you can use

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

or if you just want the OS version you can use ver.

If you have an account on the box you can detect specific patches remotely with WMIC using

wmic /node:<target> qfe list full

You may also have to specify username and password if you are using a different account:

wmic /user:<username> /password:<userpassword> /node:<target> qfe list full

That doesn't exactly answer your question, I know, since you want to know in scanning/enumeration. I'm not sure there is a 100% way to detect, but if there is I'd love to know it! Check out http://nmap.org/book/osdetect.html for more info.
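A small parser for the two command outputs the post relies on, added here as an example and not part of the original post: it pulls the OS name, version and service pack level out of the findstr-filtered systeminfo lines and turns the wmic qfe records into a hotfix list that can be checked against an assumed patch baseline. The sample outputs and KB numbers are constructed placeholders.

```python
import re

# Constructed sample of the two lines the post's findstr filter keeps from
# `systeminfo`, and of the key=value records `wmic qfe list full` prints
# (blank line between records). Placeholders, not captured from a real host;
# real wmic output is UTF-16 with CRLF line endings, so decode it first.
SYSTEMINFO_SAMPLE = """OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7601 Service Pack 1 Build 7601
"""
QFE_SAMPLE = """
Caption=http://support.microsoft.com/?kbid=0000001
HotFixID=KB0000001
InstalledOn=1/5/2011

Caption=http://support.microsoft.com/?kbid=0000002
HotFixID=KB0000002
InstalledOn=1/8/2011
"""

def parse_systeminfo(text):
    """OS name, version string and service pack level from systeminfo output."""
    info = {"os_name": "", "os_version": "", "service_pack": 0}
    for line in text.splitlines():
        m = re.match(r"^(OS Name|OS Version):\s*(.+?)\s*$", line)
        if m:
            info[m.group(1).lower().replace(" ", "_")] = m.group(2)
    sp = re.search(r"Service Pack (\d+)", info["os_version"])
    info["service_pack"] = int(sp.group(1)) if sp else 0
    return info

def parse_qfe(text):
    """One dict per installed hotfix from `wmic qfe list full` output."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:                      # a blank line closes a record
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition("=")
        current[key] = value
    if current:
        records.append(current)
    return records

def missing_hotfixes(records, required):
    """Required KB IDs (an assumed baseline) absent from the QFE records."""
    installed = {r.get("HotFixID") for r in records}
    return sorted(set(required) - installed)
```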
379
Resources / Tools / Re: Network Monitor
on: January 11, 2011, 04:11:58 PM
I would highly recommend you tell management why you think it's a bad idea via email and print out the response you get and keep it in a safe place for a rainy day. Sounds like a disaster waiting to happen, and Ziggy is right, the company could be faced with some serious legal issues but don't think for a minute that they won't throw you under the bus if it comes to that. Actually, scratch that first sentence. You should probably just find another job. I could not work in an environment that oppressive. I have to wonder if the employees are aware.
380
Resources / Tools / Re: Network Monitor
on: January 11, 2011, 02:53:30 PM
Spiceworks looks to be pretty good too.
It may have changed in the last 3 years or so, but last time I looked at Spiceworks it was doing targeted marketing based on what it saw in your environment which raised a red flag with me. I don't feel the need to share the intimate details of my internal network with a 3rd party.
385
Ethical Hacking Discussions and Related Certifications / CEH - Certified Ethical Hacker / Re: Ethical Hacking Compared to Penetration Testing?
on: January 11, 2011, 06:20:45 AM
Hey tturner,
If someone describes themselves as a hacker or says that they hack things, we would most likely ask for more info... is it hardware hacking, computer hacking, human hacking, etc.?
Most of us would agree that 'hacking' is more than just exploiting a system. Therefore, 'ethical hacking' is much more than just exploiting a system with permission.
So I think my definition would fit that thought process better than yours.
I have always defined hacking as "An interaction with something with the intent to make it do something it was not designed or intended for." Hacking is just that interaction point and any activities that support those activities. That includes recon, scanning, etc. Writing up a report that correlates technology to business risk is not typically associated with hacking and is only associated with ethical hacking because EC-Council made a cert and called it that. This is one of my pet peeves in security, not just this but all the ways in which we completely confuse security jargon because of vendors incorrectly marketing products. Take privacy and confidentiality for instance. How many security professionals really know the difference? There is one. Penetration testing is supported by ethical hacking activities but it is not the same thing.
386
Ethical Hacking Discussions and Related Certifications / Other / Re: Security Best Practices at Home
on: December 22, 2010, 03:00:49 PM
I just want to point out that cloaking your SSID may actually foster insecurity, or at the very least create privacy concerns.
What do I mean? Surely hiding the SSID is security by obscurity at the very least, which is poor security alone but good to provide an additional layer nonetheless, right?
I understand the sentiment but disagree, and here's why.
Reason 1 - Consider Karma, you know, that fun tool that answers wireless probe requests for network X and says "Oh! Oh! That's me! That's me! Here I am, connect to me!" Congrats, you've just opened yourself to an AP impersonation attack.
Reason 2 - It doesn't actually provide any real security and creates complacency due to a false sense of security. Sure, you've hidden it from random passersby and Netstumbler users, but who are the real threats? If you are cloaking your SSID you are also probably using decent encryption and changed default passwords, and maybe even robust authentication depending on your geekitude. The threats that concern me are the skilled, dedicated attackers with a malicious objective, not the guy trying to leech free wifi. That skilled attacker is not going to stumble his way through my neighborhood; he's going to use Kismet or something similar and sniff the connection strings right out of the air, and he's going to have my SSID either way.
Reason 3 - When you hard code the SSID in your config you are advertising your network SSID to anyone sniffing these connections as you walk the preferred network list probing for that hardcoded network. Ever hear of wigle.net? It's fun stuff. You can search for the GPS coordinates and mapping data for a given SSID or for networks within a certain geographical area.
For instance, I spend a lot of time in airports. Let's say I was to sniff the SSIDs of the travelling public and find, say, "John Chapman's Network". I look it up on wigle.net and find out where John lives. He's not home. Sweet! Maybe I will look him up on Facebook and find out if he has a wife and kids, or if there are details about travel plans or pictures of their big screen TV. Awesome! Let's drive to his house and rob him blind. Obviously I would never do that as I'm an ethical professional, but you get the point. What if the SSID was for "Pornhouse Internet Cafe" or "Chicken ranch"? I'm sure the mythical private investigator following me on behalf of my wife would love to report those as well!
Cloaking is bad. Friends don't let friends cloak wireless.
387
Ethical Hacking Discussions and Related Certifications / General Certification / Re: Are GIAC (SANS) certifications too easy?
on: December 22, 2010, 02:23:04 PM
To be honest, from everything I hear OSCP sets the bar really high. I have not done OSCP yet so can't speak from experience, but am very familiar with their "Try harder" mindset as I have seen it frequently on IRC and in their forums. So to expend as much effort as you did on OSCP, whether you passed or not, meant you had to do a lot of research and learning on your own. You obtain a MUCH stronger command of the material when it isn't spoonfed to you. SANS doesn't make you work hard for the knowledge, and consequently if you don't start using it as soon as you get home your retention will probably not be that great. The bonus here for SANS training is there is such a tremendous amount of information and it's explained in such a way that you really gain an understanding of the underlying technologies. I feel both formats have tremendous value, and are very complementary.
Something else you have to consider when looking at those high scores is the caliber of students attempting the certification. SANS is very expensive and few people not already working in the field can afford to attend. The same cannot be said of OSCP since the financial barrier for entry is much lower. I'm not sure if that's good or bad but it is a possible variable when calculating these statistics. (I'm not suggesting that OSCP students are less capable, but I personally feel that many may come to the program with less experience and wind up attempting something that is probably a bit more difficult. I don't mean that in a bad way.) Also by GIAC giving everyone who attempts certification 2 practice tests, that's just additional preparation. Those practice tests are VERY representative of the test.
388
Ethical Hacking Discussions and Related Certifications / Programming / Re: Assembly
on: December 22, 2010, 10:08:43 AM
While Assembly skills are highly valuable for malware analysis, don't discount the value of dynamic analysis. Good dynamic analysis requires almost no coding skills. Being able to execute a piece of malware in a sandboxed environment and using tools to analyze the behavior that is occurring on the box is extremely helpful. It won't be enough to write an AV signature, but for most folks doing this kind of work it's enough to understand how the malware was delivered, what controls it exploited and how, what actions it took once it infected the machine and the impact to the organization, how it propagates (may not be the same vector as the initial infection - also need to make sure you aren't serving up malware to another organization), how to remove it in a way that does not compromise critical operations, how to prevent it from occurring again, as well as determine any additional resources needed for the incident.
This is a huge amount of value that can be derived with very little to no code knowledge. Obviously parsing memory dumps and all kinds of other extremely technical activities can be extremely beneficial here but they aren't necessary to provide a decent analysis in many cases.
389
Resources / Career Central / High barrier for entry to career X
on: December 22, 2010, 10:07:59 AM
There seems to be a trend at EH.net where an experienced member will indicate what a world class pentester, malware analyst, etc. needs to do their job. For the newbies here, of which I sometimes qualify, it can be very easy to get discouraged at the mountain of knowledge necessary that seems insurmountable. Sure, those lists are ideal, but there are hundreds if not thousands of people working in these fields with a small subset of this entire knowledge and many of them are providing excellent value for their customers. And yes, some of them are charlatans. I was talking to an IBM ISS pentester the other day who told me many of the people on his team don't write exploits. They have people who can of course, but not everyone on the team has those skills and quite often the engagement does not allow time for it anyway. The point here is that in many cases it's a team environment. Not every person has to be able to be a ninja in every area. I think it's helpful to define a bare minimum baseline, and I have seen some posts that do that and appreciate that, but sometimes I think even that baseline gets set a little high.
The purpose of this post is not to discourage these "end game" threads or criticize those who have compiled these lists because that information is extremely valuable, but more to provide some encouragement to our less experienced folks. You have to start somewhere. Don't be scared. Take the leap!
390
Ethical Hacking Discussions and Related Certifications / General Certification / Re: Are GIAC (SANS) certifications too easy?
on: December 22, 2010, 09:28:42 AM
The GIAC exams are not that difficult, but part of it stems from the quality of the questions. Too many certification bodies think they need to be ambiguous or try to trip up the students with the wording of the question. GIAC doesn't do that. If you have a question with the output of a packet and the question asks you what the byte offset is for the beginning of the payload, it should be pretty clear what the answer is if you know the material.
Also SANS does a really fantastic job at immersing the student in the technical concepts needed to succeed at the exam. I understand that you managed to self study and succeed, but how typical is that really? Making it a closed book exam would lower success rates, but when did you have to solve a real world problem and you didn't have Google or at least man pages to help you out? Rote memorization does not prove anything at all beyond good memory; it's the concepts that are important to understand, and without that understanding the books won't help much.
The GSE does have a practical component and I don't think anyone can say that's an easy process to go through. I'd like to see GIAC adopt more practical components and more platinum level certifications. I think it would really add value. For instance, if you passed GPEN, GWAPT and GAWN, sit for a practical exam (GPWN maybe?) that requires blended attacks to succeed at a set of objectives and then write a report. Maybe include a scoping exercise in there as well. Pentesters should have to demonstrate that they can work with the target organization to define scope and help guide them when they don't know what they want (which is pretty common) by stepping back from the system level and focusing on critical or sensitive business processes and figuring out what systems support those processes directly or indirectly or factor into protection mechanisms. I don't know of any certifications out there that validate these skills. GPEN asks a few questions and covers this on day 1 of the course, but I don't know that those skills are really validated.
The problem with these certs is they test theoretical knowledge, and they test your ability to recognize when a technical answer is the right answer, but they don't test your ability to come up with a solution to a technical problem unless you have a practical exam or a paper. Anyone skilled at multiple choice exams with an understanding of the material can pass and succeed.
The Gold cert with a written paper is a great option but there's very little incentive for students to pursue that unless HR folks start asking for it. GIAC has changed recertification requirements in the last year to allow for an upgrade to Gold to allow for recertification (or take another SANS course) which is nice and provides some additional incentives. I think it was a mistake from a credibility standpoint for them to remove this as an option, but SANS/GIAC is a business, and the barrier for entry to their certifications was just too high before they removed that requirement. I don't know for certain that this was why they made the change but I suspect it was financially motivated. SANS is not cheap, but there's no questioning the quality of the training.