How does QualysGuard detect the Operating System of the host scanned?

Document created by kb-author-1 Employee on May 19, 2010. Last modified by eschamp on Jul 25, 2010.
Version 3

Issue:

How does QualysGuard detect the Operating System of the host scanned?

Solution:

QualysGuard uses the following techniques to identify the Operating System:

- TCP fingerprint
- CIFS/NetBIOS
- Windows Registry (authenticated)
- Unix login (authenticated)
- SNMP
- Windows SRVSVC
- IKE (ISAKMP)
- CA Agent
- NTP
- WebCGI
- MSRPC

TCP fingerprinting happens early in the scanning/mapping process: QualysGuard sends specially crafted packets to the host and analyzes the replies. While this is a somewhat tricky process and not 100% accurate, it usually identifies the main operating system, and sometimes even the service pack level.

In addition, QualysGuard examines banners from the host. If the banner information matches the TCP fingerprint, it is used to refine the operating system results. If the banner contains useless or conflicting information, QualysGuard relies on the TCP fingerprint instead.
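
The reconciliation rule described above, as an added example (not QualysGuard's code and not part of the original article): a banner that agrees with the TCP fingerprint refines the result, while an uninformative or conflicting banner is recorded and ignored. The hint table, function names and sample hosts are assumptions constructed for illustration.

```python
import re

# Constructed hint table (an assumption for this example, not QualysGuard data):
# (pattern, OS family, more specific OS name or None).
BANNER_HINTS = [
    (re.compile(r"Microsoft-IIS/7\.5"), "Windows", "Windows 7 / Server 2008 R2"),
    (re.compile(r"Microsoft-IIS/"), "Windows", None),
    (re.compile(r"\(Ubuntu\)"), "Linux", "Ubuntu Linux"),
    (re.compile(r"\(Debian\)"), "Linux", "Debian Linux"),
]


def banner_hint(banner):
    """Return (family, detail) implied by a banner, or None if it names no OS."""
    for pattern, family, detail in BANNER_HINTS:
        if pattern.search(banner):
            return family, detail
    return None


def reconcile(fingerprint_family, banners):
    """Refine a TCP-fingerprint OS family with banners that agree with it.

    Banners that carry no OS information or that name a different family are
    recorded and ignored, so the fingerprint result stands.
    """
    result = {"os": fingerprint_family, "source": "tcp-fingerprint", "ignored": []}
    for banner in banners:
        hint = banner_hint(banner)
        if hint is None:
            result["ignored"].append((banner, "no OS information"))
        elif hint[0] != fingerprint_family:
            result["ignored"].append((banner, "conflicts with fingerprint"))
        elif hint[1] and result["source"] == "tcp-fingerprint":
            result["os"] = hint[1]
            result["source"] = "tcp-fingerprint+banner"
    return result


# Constructed sample hosts: (fingerprint family, banners collected from open ports).
SAMPLE_HOSTS = {
    "192.0.2.5": ("Windows", ["Microsoft-IIS/7.5"]),
    "192.0.2.6": ("Linux", ["220 FTP server ready", "Server: Apache/2.2.14 (Ubuntu)"]),
    "192.0.2.7": ("Linux", ["Microsoft-IIS/7.5"]),  # mismatch, e.g. a proxied service
}

if __name__ == "__main__":
    for host, (family, banners) in SAMPLE_HOSTS.items():
        print(host, reconcile(family, banners))
```

Keeping the ignored banners with their reason makes fingerprint/banner mismatches reviewable in the asset inventory instead of silently dropped.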

The additional tests listed above are performed at a later point during the actual scanning process but not during mapping.

Qualys Support KnowledgeBase

http://community.qualys.com/community/kb

ID: 0001.001.613.000
