
Reliably determine the Operating System and Service Pack

T_Bone

Full Member

Posts: 199

Joined: Sat Feb 21, 2009 7:11 am

Post Wed Jan 12, 2011 9:50 am

Reliably determine the Operating System and Service Pack

How can you reliably determine the Operating system and Service Pack of a machine during the scanning/enumeration stage?

tturner

Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Wed Jan 12, 2011 10:33 am

Re: Reliably determine the Operating System and Service Pack

Only as reliable as your tools. It would be great if Nmap was always 100% accurate and it does a pretty good job especially if you are doing service detection as well with -sV. Obviously you won't have IIS running on a BSD box.

For Windows:

It's possible you could use a null session and user2sid to enumerate the SIDs and then do a compare with the entry at http://support.microsoft.com/kb/243330 of well-known SIDs to narrow down the OS list. Supposedly

If you can get shell you can use

  Code:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"


or if you just want the OS version you can use

  Code:
ver


If you have an account on the box you can detect specific patches remotely with WMIC using

  Code:
wmic /node:<target> qfe list full


You may also have to specify username and password if you are using a different account.


  Code:
wmic /user:<username> /password:<userpassword> /node:<target> qfe list full


That doesn't exactly answer your question I know since you want to know in scanning/enumeration. I'm not sure there is a 100% way to detect but if there is I'd love to know it!

Check out http://nmap.org/book/osdetect.html for more info
Last edited by tturner on Wed Jan 12, 2011 10:41 am, edited 1 time in total.
Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, GSSP-JAVA, OPSE, CSWAE, CSTP, VCP

WIP: Vendor WAF stuff

http://sentinel24.com/blog @tonylturner http://bsidesorlando.org

hell_razor

Jr. Member

Posts: 90

Joined: Wed Jul 14, 2010 10:44 am

Post Wed Jan 12, 2011 2:54 pm

Re: Reliably determine the Operating System and Service Pack

In a Windows environment I occasionally get better results with the smb-os-discovery script in NMAP than simply using automated OS detection.
A+, Network+, Server+, CISSP, GSEC, GCIH, GPEN, GCIA, GISP, GCFW
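Pulling together the clues the two replies above rely on, here is an added example (not code from any poster in this thread) that reads an Nmap XML report, takes the best -O match, the -sV ostype of each service and the smb-os-discovery OS string, and flags hosts where those sources name different OS families, so a "BSD box running IIS" is surfaced for manual verification instead of trusted. The sample XML is constructed in the shape of Nmap's report format, and the `<elem key="os">` field assumes an Nmap version that emits structured script output.

```python
import xml.etree.ElementTree as ET

# Constructed sample laid out like an Nmap XML report; not data from a real scan.
SAMPLE_XML = """<nmaprun>
<host><address addr="192.0.2.10" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="445"><state state="open"/>
<service name="microsoft-ds" product="Microsoft Windows XP microsoft-ds" ostype="Windows"/></port></ports>
<os><osmatch name="Microsoft Windows XP SP2 or SP3" accuracy="94"/></os>
<hostscript><script id="smb-os-discovery"><elem key="os">Windows XP</elem></script></hostscript></host>
<host><address addr="192.0.2.20" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="80"><state state="open"/>
<service name="http" product="Microsoft IIS httpd" version="6.0" ostype="Windows"/></port></ports>
<os><osmatch name="FreeBSD 8.0-RELEASE" accuracy="85"/></os></host>
</nmaprun>"""

FAMILIES = ("Windows", "Linux", "FreeBSD", "OpenBSD", "Solaris", "Mac OS X")

def family_of(text):
    """Map a free-text OS string to a coarse family so sources can be cross-checked."""
    return next((f for f in FAMILIES if f.lower() in text.lower()), "unknown")

def host_evidence(host):
    """Pull the three kinds of clue (-O, -sV ostype, smb-os-discovery) out of one <host>."""
    smb = [s for s in host.iter("script") if s.get("id") == "smb-os-discovery"]
    elem = smb[0].find("elem[@key='os']") if smb else None  # structured output; absent in old Nmap
    return {
        "addr": host.find("address").get("addr"),
        "osmatch": [(m.get("name"), int(m.get("accuracy"))) for m in host.iter("osmatch")],
        "services": sorted({s.get("ostype") for s in host.iter("service") if s.get("ostype")}),
        "smb_os": elem.text if elem is not None else None,
    }

def verdict(ev):
    """Prefer what SMB reports about itself, then the best -O match, then -sV ostype.
    Returns (guess, source, conflict); conflict=True means the sources disagree on family."""
    sources = [("smb-os-discovery", ev["smb_os"])] if ev["smb_os"] else []
    if ev["osmatch"]:
        name, acc = max(ev["osmatch"], key=lambda m: m[1])
        sources.append(("nmap -O", f"{name} ({acc}%)"))
    sources += [("nmap -sV", fam) for fam in ev["services"]]
    if not sources:
        return ("unknown", "none", False)
    conflict = len({family_of(v) for _, v in sources} - {"unknown"}) > 1
    return (sources[0][1], sources[0][0], conflict)

def assess(xml_text):
    """Return {addr: (guess, source, conflict)} for every host in the report."""
    return {ev["addr"]: verdict(ev) for ev in map(host_evidence, ET.fromstring(xml_text).iter("host"))}

if __name__ == "__main__":
    for addr, (guess, src, conflict) in assess(SAMPLE_XML).items():
        print(f"{addr}: {guess} [{src}]" + ("  <-- sources disagree, verify" if conflict else ""))
```

Run it against a real report produced with `nmap -O -sV --script smb-os-discovery -oX report.xml` by passing the file contents to `assess()`.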

tturner

Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Wed Jan 12, 2011 3:07 pm

Re: Reliably determine the Operating System and Service Pack

Thanks hell_razor. I was trying to figure out how to accomplish this via SMB null sessions other than user2sid and somehow missed the NMAP script option. I'll have to give that a try sometime.
Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, GSSP-JAVA, OPSE, CSWAE, CSTP, VCP

WIP: Vendor WAF stuff

http://sentinel24.com/blog @tonylturner http://bsidesorlando.org

T_Bone

Full Member

Posts: 199

Joined: Sat Feb 21, 2009 7:11 am

Post Sat Jan 15, 2011 11:52 am

Re: Reliably determine the Operating System and Service Pack

Thanks guys, that's certainly of some help :)

cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Sun Jan 16, 2011 8:55 pm

Re: Reliably determine the Operating System and Service Pack

If SMB is open, I've always found the SMB enumeration modules in Metasploit to be very accurate.
