Results 1 to 2 of 2

Thread: Fingerprinting With BT5 & NMap

  1. #1
    Join Date
    Jan 2010

    Default Fingerprinting With BT5 & NMap

    I have been researching the use of NMap's OS fingerprinting while using BT5. And I am curious what others are using to get a better result or more finite result.

    My test setup is this:
    2 VMs - Windows 2000 SP4 and BT5
    Using Nmap version 5.59BETA1 with BT5

    nmap -sS -A -T4 <target>
    root@bt:~# nmap -sS -A -T4
    Starting Nmap 5.59BETA1 ( ) at 2011-10-17 12:55 PDT
    Nmap scan report for
    Host is up (0.00041s latency).
    Not shown: 996 closed ports
    135/tcp  open  mstask       Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
    139/tcp  open  netbios-ssn
    445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds
    1025/tcp open  msrpc        Microsoft Windows RPC
    MAC Address: 00:0C:29:AB:3F:47 (VMware)
    Device type: general purpose
    Running: Microsoft Windows 2000|XP
    OS details: Microsoft Windows 2000 SP0/SP1/SP2 or Windows XP SP0/SP1, Microsoft Windows XP SP1
    Network Distance: 1 hop
    Service Info: OS: Windows
    Host script results:
    |_nbstat: NetBIOS name: TEST-9VB1J0F9GS, NetBIOS user: ADMINISTRATOR, NetBIOS MAC: 00:0c:29:ab:3f:47 (VMware)
    |_smbv2-enabled: Server doesn't support SMBv2 protocol
    | smb-os-discovery: 
    |   OS: Windows 2000 (Windows 2000 LAN Manager)
    |_  System time: 2011-10-17 12:55:13 UTC-7
    1   0.41 ms
    OS and Service detection performed. Please report any incorrect results at .
    Nmap done: 1 IP address (1 host up) scanned in 7.87 seconds
    I tried turning on some debug with -d and -dd but does seem to reveal the proper fingerprint to determine SP4 is running

  2. #2
    Good friend of the forums scottm99's Avatar
    Join Date
    Feb 2010

    Default Re: Fingerprinting With BT5 & NMap

    I'm not sure it's possible to definitively say what service pack a windows box is running. The most accurate results I've had were using a variety of methods/scans to figure out what was running on a target box. Metasploit has some good auxiliary modules that may help, and you could use Nessus as well. Regarding nmap, try using --scanflags option for custom scans, and don't forget about the -f & -g options.
    If I could figure out how to scuba dive & hack at the same time, there would be nothing I couldn't do...

Similar Threads

  1. os x fingerprinting
    By radupopescu in forum Beginners Forum
    Replies: 2
    Last Post: 09-29-2010, 11:54 AM
  2. OS Fingerprinting not going to db_hosts
    By ceefus in forum Beginners Forum
    Replies: 2
    Last Post: 09-11-2010, 08:09 PM
  3. Fooling OS fingerprinting?
    By radix in forum OLD Pentesting
    Replies: 0
    Last Post: 01-31-2010, 08:06 PM
  4. OS Detection/Fingerprinting Tools
    By thorin in forum OLD Pentesting
    Replies: 5
    Last Post: 04-23-2009, 06:50 PM
  5. os fingerprinting
    By benzslr123 in forum OLD Newbie Area
    Replies: 7
    Last Post: 11-01-2008, 11:27 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts