Nmap Development mailing list archives
Re: Precise OS detection of Windows over port 445?
From: Richard Miles <richard.k.miles () googlemail com>
Date: Thu, 3 Jun 2010 17:57:57 +0000
With admin it's possible; the trick is to get it without an account or with a restricted user, I mean, the language of the system.

Thanks

On Thu, Jun 3, 2010 at 4:56 PM, rilian4 rilian4 <rilian4 () gmail com> wrote:
> Using Ron's ubiquitous psexec.nse script, I can get the service pack from a
> Windows box assuming I have admin credentials for the box. The following
> output uses a custom .lua, psexec.nse and psinfo.exe from sysinternals.com.
> The .lua will upload the file to the target, run it and remove it. psinfo
> can also dump all the hotfixes and give you lots of generic system
> information as well.
>
> nmap -p445 --script=smb-psexec --script-args=smbuser=adminuser,smbpass=yourpass,config=./psinfo target.ip.address
>
> Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-03 09:55 PDT
> NSE: Script Scanning completed.
> Nmap scan report for target.hostname (my.ip.address)
> Host is up (0.00033s latency).
> PORT    STATE SERVICE
> 445/tcp open  microsoft-ds
> MAC Address: 00:1C:C0:4E:3A:E7 (Intel Corporate)
>
> Host script results:
> | smb-psexec:
> |   psinfo
> |_    Service pack: 3
>
> Nmap done: 1 IP address (1 host up) scanned in 8.38 seconds
>
> Not sure if this helps but thought I'd throw it in there for you all.
>
> Aaron
>
> On Thu, Jun 3, 2010 at 7:58 AM, Ron <ron () skullsecurity net> wrote:
>> On Thu, 3 Jun 2010 08:39:35 -0600 David Fifield <david () bamsoftware com> wrote:
>>> Try adding "-O --script=smb-os-discovery" to your command line. When
>>> conditions are good, the OS detection is very accurate, but it might be
>>> overly specific. smb-os-discovery will always be correct unless the
>>> remote system is actively lying.
>>>
>>> You can also try a UDP scan to port 161 with the snmp-win32-* scripts.
>>>
>>> David Fifield
>>
>> smb-os-discovery reads the information directly from Windows, it isn't a
>> guess, so it should be 100% accurate. But, not all versions of Windows
>> will advertise details like service pack, so you might not be able to
>> narrow it down enough.
>>
>> Metasploit has some way of detecting the service pack that Nmap doesn't --
>> I've been meaning to look into that for awhile.
>>
>> --
>> Ron Bowes
>> http://www.skullsecurity.org
>> http://www.twitter.com/iagox86

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
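The custom .lua referred to in the quoted message is not shown in the thread; the following is an added example of an smb-psexec config module in that format (not Aaron's file), built to match the output above. It assumes psinfo.exe sits in the directory nmap is run from, that the module field names (upload, name, program, args, maxtime, find, noblank) are those documented for smb-psexec, and that psinfo accepts -accepteula to suppress its licence prompt.

```lua
-- Added example: an smb-psexec config that uploads Sysinternals psinfo.exe,
-- runs it on the target, and keeps only the "Service pack" line, so the
-- scan can confirm a host's patch level for inventory purposes.
-- Save as ./psinfo.lua and pass config=./psinfo in --script-args.
-- Assumptions: psinfo.exe is in the current directory; the field names below
-- are those of smb-psexec's config format; -accepteula makes the run
-- non-interactive.
modules = {}

local mod = {}
mod.upload  = true                -- copy psinfo.exe to the target before running it
mod.name    = "psinfo"            -- heading shown under smb-psexec in the report
mod.program = "psinfo.exe"        -- file to upload and execute (smb-psexec removes it afterwards)
mod.args    = "-accepteula"       -- add "-h" to also list installed hotfixes
mod.maxtime = 10                  -- seconds to wait for the program to finish
mod.find    = { "Service pack" }  -- return only output lines containing this text
mod.noblank = true                -- strip blank lines from what is returned
table.insert(modules, mod)
```

With this module the report contains only the "Service pack: N" line, as in the output quoted above; dropping mod.find returns psinfo's full output instead.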
Current thread:
- Precise OS detection of Windows over port 445? Richard Miles (Jun 03)
- Re: Precise OS detection of Windows over port 445? David Fifield (Jun 03)
- Re: Precise OS detection of Windows over port 445? Ron (Jun 03)
- Re: Precise OS detection of Windows over port 445? Richard Miles (Jun 03)
- Re: Precise OS detection of Windows over port 445? rilian4 rilian4 (Jun 03)
- Re: Precise OS detection of Windows over port 445? Richard Miles (Jun 03)
- Re: Precise OS detection of Windows over port 445? Ron (Jun 03)
- Re: Precise OS detection of Windows over port 445? David Fifield (Jun 03)