Security Basics mailing list archives

Re: Win95 detection


From: miguel.dilaj () pharma novartis com
Date: Tue, 7 Dec 2004 17:40:52 +0000

Hello Samuel,

I know the feeling. Sometimes nmap is not able to differentiate between 
Win9x/ME platforms (a while ago I read that someone, probably Fyodor, said 
that the reason is that they all have exactly the same TCP/IP stack).
From my experience with OS detection tools, I remember one named queso, 
created by the Spanish group Apostolz or something like that.
It was not very good; sometimes it gave totally wrong information, saying 
that a box was UNIX when it was Windows, but on the other hand, when it 
HIT, it was far more accurate than nmap.
That said, try to get hold of queso: use nmap first to identify the 
Win9x/ME boxes, then run queso against them. If queso says it's Novell, 
forget about that, but if it says Win95 instead of 98 or ME, it's 
probably right.
Cheers,

Miguel Dilaj (Nekromancer)
Vice-President of IT Security Research, OISSG

PS: extract from 
http://www.opal.dhs.org/docs/remote-analysis/work/os-detection.html : 
"QueSO is quite hard to find. The upstream home page does not respond and 
the project seems abandoned. Anyway it performs well and is available in 
Debian (with the release from 1998) so it is usable." Hope this info 
helps...






"Samuel Petreski" <petreski () ksu edu>
30/11/2004 21:52
Please respond to petreski

 
        To:     <security-basics () securityfocus com>
        cc:     (bcc: Miguel Dilaj/PH/Novartis)
        Subject:        Win95 detection


I have been given the task to scan for hosts that are running Windows 95 on
the network. I have tried scanning with Nmap and Nessus, however they cannot
distinguish the hosts between 95/98/ME. I was wondering if anyone has run
across a tool that is able to detect Win95 hosts on the network.

Thanks for your help.

Samuel Petreski

