[current]nmap -sS -sV -P0 -O -pTARGETEDGUESS(s) -v -nTARGET
where TARGETEDGUESS = 1 educated guess per run
Fingerprinting (service packs in particular) may or may not be evolved
enough for your needs. TARGETEDGUESS should be chosen as carefully as
you would if you were expecting to loudly fully negotiate a connection;
primary criteria being that where a banner providing adequate
enumeration information is possible/expected is best case, open port
next best. Both one open and one closed/filtered are needed for more
specific fingerprinting; high ports are good for a stealth(ier)
closed-port detection.
I'm sure there are more specialized packages out there, though it should
be known that there is NEVER a *guarantee* the remote IDS is not going
to take notice. Half-close provides as good a chance as any. The degree
of noisiness most likely grows right along with specificity per
package......
Careful port target selection is paramount, detection should be expected
in any case...any services providing a banner w/magic bullet
identification in a fell swoop preferred...
This is but one way to approach it..
Jayson
On Wed, 2005-08-24 at 18:52 -0400, L3wD wrote:
I am looking for a method of correctly identifying Windows O/S Versions
and Service Packs remotely. Here are my restrictions:
- Performed Remotely (not in same broadcast domain)
- No Admin Rights on Remote Box
- No Username/Password on Remote Box
- VERY Few Packets Generated (excluding TCP 3-way handshake)
- Ability to **AVOID** IDS Detection
My preferences are for something that is command line based, and can be
run from a Linux platform. I'll take something GUI based or Windows based if
that is all there is. Multiple tools are fine, as long as the number of
packets generated are very low.
I've taken a look at Winfingerprint 0.6.2 with only the Win32 OS Version
option selected, but it generates 70+ packets which is too loud for my
purposes.
signature.asc
Description: This is a digitally signed message part
