Ahmeket
Jun 4 2005, 12:54 PM
I was wondering if there are any ways to find out what operating system a machine runs remotely, assuming it has the needed ports open.
tibbar
Jun 4 2005, 01:56 PM
search for nmap
seppel18
Jun 4 2005, 04:17 PM
Look at the ports:
139,445,3389 Windoze
22,3306 Linux
Look at the banners:
Microsoft/IIS 5.0 = Windows
Apache/1.3.27 (Unix) (Red-Hat/Linux) mod_ssl/2.8.12 OpenSSL/0.9.6b PHP/4.1.2 = Linux
Try X-Scan 3.2, which works like nmap but runs on Windows.
deaz
Jun 4 2005, 05:16 PM
Nmap 3.81 Usage: nmap [Scan Type(s)] [Options] <host or net list>
Some Common Scan Types ('*' options require root privileges)
* -sS TCP SYN stealth port scan (default if privileged (root))
-sT TCP connect() port scan (default for unprivileged users)
* -sU UDP port scan
-sP ping scan (Find any reachable machines)
* -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only)
-sV Version scan probes open ports determining service & app names/version
-sR RPC scan (use with other scan types)
Some Common Options (none are required, most can be combined):
* -O Use TCP/IP fingerprinting to guess remote operating system
-p <range> ports to scan. Example range: 1-1024,1080,6666,31337
-F Only scans ports listed in nmap-services
-v Verbose. Its use is recommended. Use twice for greater effect.
-P0 Don't ping hosts (needed to scan www.microsoft.com and others)
* -Ddecoy_host1,decoy2[,...] Hide scan using many decoys
-6 scans via IPv6 rather than IPv4
-T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane> General timing policy
-n/-R Never do DNS resolution/Always resolve [default: sometimes resolve]
-oN/-oX/-oG <logfile> Output normal/XML/grepable scan logs to <logfile>
-iL <inputfile> Get targets from file; Use '-' for stdin
* -S <your_IP>/-e <devicename> Specify source address or network interface
--interactive Go into interactive mode (then press h for help)
--win_help Windows-specific features
Example: nmap -v -sS -O www.my.com 192.168.0.0/16 '192.88-90.*.*'
SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES
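An added example, not from the thread or from the nmap project: the usage text above lists -sV (service versions), -O (OS fingerprinting) and -oX (XML output), and the script below consumes the XML that such a scan produces. The XML is a constructed sample trimmed to the elements read here, with a documentation-range address, not a real scan result; the accuracy threshold in best_os is an assumption of this example, since nmap lists several near-tie matches when a fingerprint is ambiguous.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sS -sV -O -oX -` output, trimmed to the elements
# this parser reads. It is not the output of a real scan; the address is from
# the RFC 5737 documentation range.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -O -oX - 192.0.2.10" version="3.81">
<host><status state="up"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open"/>
  <service name="ssh" product="OpenSSH" version="3.9p1" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open"/>
  <service name="http" product="Apache httpd" version="1.3.27" extrainfo="(Unix) (Red-Hat/Linux)" method="probed" conf="10"/></port>
<port protocol="tcp" portid="3306"><state state="filtered"/>
  <service name="mysql" method="table" conf="3"/></port>
</ports>
<os>
<osmatch name="Linux 2.4.X" accuracy="92"/>
<osmatch name="Linux 2.6.X" accuracy="88"/>
</os>
</host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one record per host: address, open TCP ports, version-scan
    banners (-sV) keyed by port, and -O matches sorted by accuracy."""
    hosts = []
    for host in ET.fromstring(xml_text).findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        rec = {
            "addr": addr.get("addr") if addr is not None else None,
            "open_ports": [],
            "services": {},
            "os_matches": [],
        }
        for port in host.findall("ports/port"):
            state = port.find("state")
            # Filtered/closed ports carry no usable evidence; skip them.
            if state is None or state.get("state") != "open":
                continue
            portid = int(port.get("portid"))
            rec["open_ports"].append(portid)
            svc = port.find("service")
            if svc is not None:
                parts = [svc.get("product"), svc.get("version"), svc.get("extrainfo")]
                rec["services"][portid] = " ".join(p for p in parts if p)
        for match in host.findall("os/osmatch"):
            rec["os_matches"].append((match.get("name"), int(match.get("accuracy", "0"))))
        rec["os_matches"].sort(key=lambda m: m[1], reverse=True)
        hosts.append(rec)
    return hosts


def best_os(rec, min_accuracy=85):
    """Top -O match if it clears the threshold, else None. nmap prints several
    near-ties when the fingerprint is ambiguous, so act only on a strong match
    and fall back to the service banners in rec["services"]."""
    if rec["os_matches"] and rec["os_matches"][0][1] >= min_accuracy:
        return rec["os_matches"][0][0]
    return None


if __name__ == "__main__":
    for rec in parse_nmap_xml(SAMPLE_XML):
        print(rec["addr"], "open:", rec["open_ports"])
        for portid, banner in rec["services"].items():
            print(f"  {portid}/tcp {banner}")
        print("  OS guess:", best_os(rec) or "inconclusive")
```

Run a real scan with `nmap -sS -sV -O -oX scan.xml <target>` (root needed for -sS and -O) and feed the file to parse_nmap_xml; the filtered 3306 in the sample is deliberately dropped so that a firewalled port is not mistaken for evidence of MySQL.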
Pu$u
Jun 4 2005, 07:25 PM
QUOTE(seppel18 @ Jun 4 2005, 04:17 PM)
look at the ports
22,3306 Linux
3306 is not only for Linux. MySQL can be used on Windows, too.
Ahmeket
Jun 5 2005, 10:46 AM
What if they changed the default daemon ports on Linux? As I understand it, the reason to search for port 22 is to see if sshd is running, but that port can easily be changed.
Terminal
Jun 5 2005, 01:57 PM
Windows specific:
If 139 and 445 are open then it's Windows NT (XP/2K).
If only 139 is open and sharing is on (you can visit \\ip) then it's Win98.
If 139 is open and there is no NetBIOS sharing then it can be any of 98/2K/XP.
3389 open means Windows XP or 2000 Server, as 2K Professional does not have Terminal Services.
1025 = Windows 2K/XP
I don't know much about 2K3.
TedOb1
Jun 21 2005, 10:09 PM
Many times you can tell using the ping command.
Linux TTL = 64
Windows TTL = 128
You must subtract 1 for each hop. For me a ping to Yahoo has a time to live of 54, which says it's *nix.
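An added example, not posted by anyone in the thread, that puts the heuristics from seppel18's, Pu$u's, Ahmeket's, Terminal's and TedOb1's posts into one scorer: it reads the TTL out of ping output and maps it to an initial TTL plus hop count, applies the port and banner rules, and weights them so that the objections raised above hold (3306 is only a weak Linux hint because MySQL runs on Windows, and a missing 22 counts for nothing because sshd can be moved). The weights, the 255 initial TTL for BSD/Solaris/network gear, and the sample ping lines and banners are this example's own assumptions and constructed inputs, not measurements from the thread.

```python
import re
from collections import Counter

# Initial TTLs: the thread's Linux=64 / Windows=128, plus 255 for many BSDs,
# Solaris and network gear (an assumption of this example). An observed TTL is
# classified by the smallest initial value it does not exceed; the difference
# is the hop count.
INITIAL_TTLS = {64: "Linux/Unix", 128: "Windows", 255: "BSD/Solaris/network device"}

# Linux ping prints "ttl=54", Windows ping prints "TTL=128".
TTL_RE = re.compile(r"\bttl=(\d+)", re.IGNORECASE)

# Port -> (family, weight). Weights are assumptions, kept low where the thread
# itself objects: 3306 is MySQL, which runs on Windows too, and sshd can be
# moved off 22, so a missing 22 proves nothing and an open one is a weak hint.
PORT_HINTS = {
    139: ("Windows", 2), 445: ("Windows", 3), 3389: ("Windows", 3), 1025: ("Windows", 1),
    22: ("Linux/Unix", 1), 3306: ("Linux/Unix", 0.5),
}

# Banner patterns; the Apache rule reads the OS token inside the parentheses.
BANNER_RULES = [
    (re.compile(r"Microsoft[-/]IIS", re.IGNORECASE), "Windows", 3),
    (re.compile(r"Apache/[\d.]+ \(([^)]*)\)"), None, 2),
    (re.compile(r"OpenSSH[_/][\d.p]+", re.IGNORECASE), "Linux/Unix", 1),
]


def ttl_from_ping(output):
    """TTL from ping output text, or None if no ttl= field is present."""
    m = TTL_RE.search(output)
    return int(m.group(1)) if m else None


def ttl_guess(observed):
    """(family, hops) for an observed TTL; hops is initial minus observed."""
    for initial in sorted(INITIAL_TTLS):
        if observed <= initial:
            return INITIAL_TTLS[initial], initial - observed
    return "unknown", None


def windows_flavour(open_ports):
    """Terminal's NT-vs-98 rules applied to a set of open ports; None if no
    SMB/RDP port is open."""
    ports = set(open_ports)
    if 3389 in ports:
        return "Windows XP or 2000 Server (Terminal Services)"
    if {139, 445} <= ports:
        return "Windows NT family (2000/XP)"
    if 139 in ports:
        return "Windows 98 or NT family (139 only; check for shares)"
    return None


def classify(ping_output="", open_ports=(), banners=()):
    """Combine TTL, port and banner evidence into (family, confidence, evidence).
    Confidence is the winning family's share of the total weight, so one strong
    banner outweighs a weak port hint that points the other way."""
    score = Counter()
    evidence = []
    ttl = ttl_from_ping(ping_output) if ping_output else None
    if ttl is not None:
        family, hops = ttl_guess(ttl)
        score[family] += 2
        evidence.append(f"ttl={ttl}: {family}, about {hops} hops")
    for port in open_ports:
        if port in PORT_HINTS:
            family, weight = PORT_HINTS[port]
            score[family] += weight
            evidence.append(f"port {port}: {family} (+{weight})")
    for banner in banners:
        for pattern, family, weight in BANNER_RULES:
            m = pattern.search(banner)
            if not m:
                continue
            if family is None:  # Apache: decide from the parenthesised token
                family = "Windows" if "win" in m.group(1).lower() else "Linux/Unix"
            score[family] += weight
            evidence.append(f"banner {banner!r}: {family} (+{weight})")
            break
    if not score:
        return "unknown", 0.0, evidence
    family, top = score.most_common(1)[0]
    return family, top / sum(score.values()), evidence


if __name__ == "__main__":
    # Constructed inputs, not captured from a real host.
    print(classify(
        ping_output="64 bytes from 192.0.2.10: icmp_seq=1 ttl=54 time=12.3 ms",
        open_ports=[2222, 80],
        banners=["Apache/1.3.27 (Unix) (Red-Hat/Linux) mod_ssl/2.8.12 OpenSSL/0.9.6b"],
    ))
    # Pu$u's objection: an open 3306 next to an IIS banner is still Windows.
    print(classify(open_ports=[3306, 80], banners=["Microsoft-IIS/5.0"]))
    print(windows_flavour([139, 445, 3389]))
```

The first call reproduces TedOb1's reasoning (TTL 54 is 10 hops below 64, so *nix) with sshd on a non-default port contributing nothing, and the Apache banner agreeing; the second shows the 3306 caveat, where the IIS banner wins by a wide margin. Treat the TTL rule as a hint only: a host more than 64 hops away, or one whose administrator changed the default TTL, lands in the wrong class.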
whiskah
Jun 22 2005, 03:55 AM
xprobe
QUOTE
Xprobe2 is a remote active operating system fingerprinting tool which uses advanced techniques, some of which were first introduced with Xprobe2, such as the use of statistical analysis ('fuzzy logic') to match probe response(s) against its signature database, among others, in order to provide accurate results regarding the underlying operating system of the probed element(s).
seppel18
Jun 22 2005, 06:23 AM
Port 5000 = XP