Nmap Development mailing list archives

Re: How to detect all windows servers in network


From: "DePriest, Jason R." <jrdepriest () gmail com>
Date: Tue, 20 Feb 2007 10:56:00 -0600

On 2/20/07, Ankur Konwar  wrote:

My task is to detect all the Windows NT 4.0 and Windows 2000/higher servers
in my WAN. How do I use nmap to detect only these two operating system
computers? What ports differentiate Windows NT 4.0 and Windows 2000/higher?
Is there any way of differentiating similarly between Windows 2000 servers
and Windows 2003 servers?
Please help
Ankur Konwar
--

While I cannot answer your specific question, Microsoft does have some
potentially useful information on their website (I know, hard to
believe).

This lists the ports used by many of their applications which include
the NetBIOS and SMB ports used for lots of server domain traffic.
http://www.microsoft.com/technet/security/smallbusiness/topics/serversecurity/ref_net_ports_ms_prod.mspx

There are also some helpful knowledge base articles.

Windows NT, Terminal Server, and Microsoft Exchange Services Use TCP/IP Ports
http://support.microsoft.com/kb/150543

Service overview and network port requirements for the Windows Server system
http://support.microsoft.com/kb/832017

I think the biggest difference between NT 4.0 and 2000/2003 is the
addition of port 445 to the list.  But there are circumstances where
NT 4.0 could be using 445, too.

If I were you, I would start with scanning for all systems that have
ports 135/tcp and 137/tcp open and call them 'Probably Windows'.
Then find all of those systems that also have port 445/tcp and call
them 'Probably Windows 2000 or 2003' and the ones that don't have
445/tcp 'Probably Windows NT 4.0'.

Then give them the -sV -O treatment to verify.  At least you will be
narrowing down the range of IPs you hit with a full scan.

-Jason

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
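The two-stage triage Jason describes (cheap port sweep, label by the 135/137/445 pattern, then -sV -O only on the short-list) can be automated by parsing nmap's grepable output. The script below is an added example written for this archive page, not code from the thread or from the Nmap project. It assumes you ran something like `nmap -sS -p 135,137,139,445 -oG win.gnmap <range>` first; the scan output embedded in it is constructed, not a real capture. It applies the heuristic exactly as the reply states it (135/tcp and 137/tcp open as the Windows marker, 445/tcp as the 2000/2003 marker). One caveat a practitioner should keep in mind: 137 is the NetBIOS name service, which in practice answers on UDP, so the marker set is left as a parameter you can swap (for example 135/tcp plus 139/tcp, or 137/udp from a `-sU` scan) rather than hard-coded.

```python
"""Triage nmap -oG output with the 135/137/445 heuristic from the reply.

Example commands (not from the post) that produce and consume the data:
    nmap -sS -p 135,137,139,445 -oG win.gnmap 10.0.0.0/24
    python3 triage.py > probably_windows.txt
    nmap -sV -O -iL probably_windows.txt
"""
import re
from typing import Dict, List, Set, Tuple

Port = Tuple[int, str]  # (port number, protocol), e.g. (445, "tcp")

# Heuristic from the reply: both of these open -> "Probably Windows".
# Adjustable; 137 normally answers on UDP, so many people use 139/tcp here.
DEFAULT_WINDOWS_MARKERS: Set[Port] = {(135, "tcp"), (137, "tcp")}
# Open on 2000/2003 (SMB over TCP directly), normally absent on NT 4.0.
SMB_DIRECT: Port = (445, "tcp")

# Constructed sample of nmap grepable output (not a real scan).
# Host 2: full Windows 2000/2003 profile.  Host 3: NT 4.0 profile.
# Host 4: 139+445 only, e.g. a Samba box; not matched by this heuristic.
# Host 5: nothing open.
SAMPLE_GNMAP = """\
# Nmap 4.20 scan initiated as: nmap -sS -p 135,137,139,445 -oG win.gnmap 10.0.0.0/28
Host: 10.0.0.2 ()\tStatus: Up
Host: 10.0.0.2 ()\tPorts: 135/open/tcp//msrpc///, 137/open/tcp//netbios-ns///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
Host: 10.0.0.3 ()\tStatus: Up
Host: 10.0.0.3 ()\tPorts: 135/open/tcp//msrpc///, 137/open/tcp//netbios-ns///, 139/open/tcp//netbios-ssn///, 445/closed/tcp/////
Host: 10.0.0.4 ()\tStatus: Up
Host: 10.0.0.4 ()\tPorts: 135/closed/tcp/////, 137/closed/tcp/////, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 135/closed/tcp/////, 137/closed/tcp/////, 139/closed/tcp/////, 445/closed/tcp/////
# Nmap done -- 16 IP addresses (4 hosts up) scanned
"""

# Each Ports entry is port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")


def parse_gnmap(text: str) -> Dict[str, Set[Port]]:
    """Return {ip: set of OPEN (port, proto)} from grepable output."""
    hosts: Dict[str, Set[Port]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comments and blank lines
        # Fields are tab-separated "Key: value" pairs.
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]  # "10.0.0.2 (name)" -> "10.0.0.2"
        hosts.setdefault(ip, set())
        for entry in fields.get("Ports", "").split(","):
            m = PORT_RE.match(entry.strip())
            if m and m.group(2) == "open":
                hosts[ip].add((int(m.group(1)), m.group(3)))
    return hosts


def classify(open_ports: Set[Port],
             markers: Set[Port] = DEFAULT_WINDOWS_MARKERS) -> str:
    """Label one host the way the reply suggests."""
    if not markers <= open_ports:
        return "Not Windows (by this heuristic)"
    if SMB_DIRECT in open_ports:
        return "Probably Windows 2000 or 2003"
    return "Probably Windows NT 4.0"


def triage(text: str,
           markers: Set[Port] = DEFAULT_WINDOWS_MARKERS) -> Dict[str, str]:
    """Map every scanned host to its label."""
    return {ip: classify(ports, markers)
            for ip, ports in parse_gnmap(text).items()}


def shortlist(text: str,
              markers: Set[Port] = DEFAULT_WINDOWS_MARKERS) -> List[str]:
    """IPs worth the -sV -O follow-up; feed to nmap -iL."""
    return sorted(ip for ip, label in triage(text, markers).items()
                  if label.startswith("Probably Windows"))


if __name__ == "__main__":
    for ip, label in triage(SAMPLE_GNMAP).items():
        print(f"{ip:<12} {label}")
    print("\n".join(shortlist(SAMPLE_GNMAP)))
```

Redirect the final lines into a file and hand that to `nmap -sV -O -iL`; the version and OS probes are then spent only on hosts that already look like Windows, which is the point of the two-stage approach. Passing a different `markers` set (for example `{(135, "tcp"), (139, "tcp")}`) changes what counts as "Probably Windows" without touching the parser.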