The Study of Different Approaches from 4 Well-Known Vendors
You may wonder, “How does a black-box penetration test tool know about my server when it only has the server’s IP address?” The secret is that a protocol such as Server Message Block (SMB) discloses that information in its responses to special requests.
In our last blog, we talked about the essential role that SMB plays in operating system (OS) fingerprint recognition. In this blog, we review how different vendors use SMB and the pros and cons of each approach, and at the end we summarize them into a few principles to follow for accurate OS recognition.
1. Nmap
First, let’s look at Nmap’s approach. Nmap implements this function with the NSE script nmap/scripts/smb-os-discovery.nse. Its method is as follows: