How to detect all windows servers in network

My task is to detect all the Windows NT 4.0 and Windows 2000/higher servers in my WAN. How do I use nmap to detect only these two operating system computers? What ports differentiate Windows NT 4.0 and Windows 2000/higher? Is there any way of differentiating similarly between Windows 2000 servers and Windows 2003 servers?

Please help
Ankur Konwar
Re: How to detect all windows servers in network

On 2/20/07, Ankur Konwar wrote:
> My task is to detect all the Windows NT 4.0 and Windows 2000/higher servers in my WAN. How do I use nmap to detect only these two operating system computers? What ports differentiate Windows NT 4.0 and Windows 2000/higher? Is there any way of differentiating similarly between Windows 2000 servers and Windows 2003 servers?
> Please help
> Ankur Konwar

While I cannot answer your specific question, Microsoft does have some potentially useful information on their website (I know, hard to believe). This lists the ports used by many of their applications, which include the NetBIOS and SMB ports used for lots of server domain traffic.

http://www.microsoft.com/technet/security/smallbusiness/topics/serversecurity/ref_net_ports_ms_prod.mspx

There are also some helpful knowledge base articles.

Windows NT, Terminal Server, and Microsoft Exchange Services Use TCP/IP Ports
http://support.microsoft.com/kb/150543

Service overview and network port requirements for the Windows Server system
http://support.microsoft.com/kb/832017

I think the biggest difference between NT 4.0 and 2000/2003 is the addition of port 445 to the list. But there are circumstances where NT 4.0 could be using 445, too.

If I were you, I would start with scanning for all systems that have ports 135/tcp and 137/tcp open and call them 'Probably Windows'. Then find all of those systems that also have port 445/tcp and call them 'Probably Windows 2000 or 2003', and the ones that don't have 445/tcp 'Probably Windows NT 4.0'. Then give them the -sV -O treatment to verify. At least you will be narrowing down the range of IPs you hit with a full scan.

-Jason

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
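The port-triage recipe in Jason's reply, worked through as an added example that is not from the thread: a script that reads nmap grepable (-oG) output from a combined TCP/UDP scan and labels each host by the 135/137 rule, then splits the Windows guesses on 445/tcp. It assumes 137/udp (the NetBIOS name service port that appears in Jason's later scan output) rather than 137/tcp, and treats a UDP state of open|filtered as not open, so those hosts stay unclassified until the confirming -sV -O pass.

```python
"""Triage nmap -oG output with the 135/137 -> 445 heuristic (added example)."""
import re
from typing import Dict, Set, Tuple

# Constructed sample of grepable output from `nmap -sS -sU -oG - <range>`.
# 10.0.0.4 shows 137/udp only as open|filtered, which is not a real answer.
SAMPLE_OG = """\
# Nmap 4.20 scan initiated ... as: nmap -sS -sU -oG - 10.0.0.0/29
Host: 10.0.0.1 ()\tStatus: Up
Host: 10.0.0.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (1998)
Host: 10.0.0.2 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 137/open/udp//netbios-ns///\tIgnored State: closed (1997)
Host: 10.0.0.3 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 137/open/udp//netbios-ns///, 3389/open/tcp//ms-term-serv///\tIgnored State: closed (1995)
Host: 10.0.0.4 ()\tPorts: 445/open/tcp//microsoft-ds///, 137/open|filtered/udp//netbios-ns///\tIgnored State: filtered (1998)
# Nmap done at ... -- 4 IP addresses (4 hosts up) scanned
"""

# Each entry in the Ports: field is port/state/proto/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/([^/]+)/(tcp|udp)/")

def parse_grepable(text: str) -> Dict[str, Set[Tuple[int, str]]]:
    """Map each host IP to the set of (port, proto) pairs nmap reports as open."""
    hosts: Dict[str, Set[Tuple[int, str]]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ip = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        open_ports = hosts.setdefault(ip, set())
        for port, state, proto in PORT_RE.findall(ports_field):
            if state == "open":  # skip open|filtered: UDP silence is not a confirmation
                open_ports.add((int(port), proto))
    return hosts

def classify(open_ports: Set[Tuple[int, str]]) -> str:
    """Reply's rule: 135/tcp + 137/udp => Windows; 445/tcp then splits NT 4.0 from 2000/2003."""
    if (135, "tcp") not in open_ports or (137, "udp") not in open_ports:
        return "Not classified as Windows"
    if (445, "tcp") in open_ports:
        return "Probably Windows 2000 or 2003"
    return "Probably Windows NT 4.0"

def triage(text: str) -> Dict[str, str]:
    """Label every host that produced a Ports: line."""
    return {ip: classify(ports) for ip, ports in parse_grepable(text).items()}

def followup_targets(text: str) -> list:
    """Hosts worth the confirming `nmap -sV -O` pass: only the Windows guesses."""
    return sorted(ip for ip, label in triage(text).items() if label.startswith("Probably"))
```

Feed a real `-oG` file's contents to `triage()` in place of the constructed SAMPLE_OG; `followup_targets()` gives the shortened IP list for the second, heavier scan.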
Re: How to detect all windows servers in network

On 2/20/07, Ankur Konwar wrote:
> My task is to detect all the Windows NT 4.0 and Windows 2000/higher servers in my WAN. How do I use nmap to detect only these two operating system computers? What ports differentiate Windows NT 4.0 and Windows 2000/higher? Is there any way of differentiating similarly between Windows 2000 servers and Windows 2003 servers?
> Please help
> Ankur Konwar

Oops. I just realized you may have been looking for the distinction between a Workstation and a Server instead of Windows NT and Windows 2k/2k3.

Well... since Workstations almost always run the Server service and Servers run the Workstation service, I don't know what to tell you.

I just did a scan against a Windows 2000 Professional workstation and a Windows 2000 Server server: nmap -sS -sU -sV -O

Here are some notable comparisons.

* Both have 135/tcp, 139/tcp, 445/tcp, and 137/udp
* Both have 1434/udp with identical signatures, even though one is MSDE and the other is full-blown MSSQL.
* nmap comes to ~almost~ the same conclusion on both for the operating system

  Both -
    Device type: general purpose
    Running: Microsoft Windows NT/2K/XP
    TCP Sequence Prediction: Class=truly random
      Difficulty=9999999 (Good luck!)
    IPID Sequence Generation: Incremental
    Service Info: OS: Windows

  2000 Pro -
    OS details: Microsoft Windows XP Pro SP1/SP2 or 2000 SP4

  2000 Server -
    OS details: Microsoft Windows 2000 SP4 or XP SP1

* The Server has port 1031/tcp open and the Pro system does not.
* The Server has port 3389/tcp open and the Pro system does not. This is for remote desktop access and means that I have installed and enabled Terminal Services on this server. But not all servers will have this enabled and some workstations will have it enabled.
* The Server has port 427/udp open and the Pro system does not. This seems to be a part of IBM Director software.

So you could look for server management software like HP / Compaq Insight and IBM Director. But that assumes that every server system actually has this type of software installed. You would have to check out the sites for the individual server manufacturers and see what ports their software can use. You'd need to go back a few revisions, too, since folks might not keep it updated.

If all of the systems are in a domain and you have domain admin rights (or access to them), you could use Microsoft Sysinternals' psinfo tool and just query every system looking for those that come back as Product Type: Server.

I don't think there is a magical port combination that will yield just servers and not workstations.

-Jason
Re: How to detect all windows servers in network

I'm not sure what OS the workstation you'd run the scan on has, but if it's a nix box, grep it! That, or we use OCS Inventory (see: http://ocsinventory.sourceforge.net/), which works very well.

On 2/20/07, DePriest, Jason R. <jrdepriest@...> wrote:
> Oops. I just realized you may have been looking for the distinction between a Workstation and a Server instead of Windows NT and Windows 2k/2k3.
> [...]
> I don't think there is a magical port combination that will yield just servers and not workstations.
>
> -Jason