How does Qualys detect the Operating System of the host scanned?
Qualys uses the following techniques to identify the Operating System:
- TCP fingerprint
- Windows Registry (authenticated)
- Unix login (authenticated)
- Windows SRVSVC
- IKE (ISAKMP)
- CA Agent
TCP fingerprinting happens early in the scanning/mapping process: Qualys sends specially crafted packets to the host and analyzes the replies. The process is somewhat tricky and not 100% accurate, but it usually identifies the main operating system, and sometimes even the service pack level.
In addition, Qualys also examines banners from the host. If the banner information matches the TCP fingerprint, it is used to refine the operating system results. If the banner contains useless or conflicting information, Qualys will rely on the TCP fingerprint instead.
The additional tests listed above are performed later, during the actual scanning process, and not during mapping.
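The banner rule described above (refine on a match, fall back to the TCP fingerprint on useless or conflicting banners) can be sketched as follows. This is an added example, not Qualys code: the hint table, the function names and the sample banners are constructed, and requiring all matching banners to agree is an assumption.

```python
import re

# Constructed hint table (an assumption, not Qualys data):
# regex over a service banner -> (OS family, more specific OS label).
BANNER_HINTS = [
    (re.compile(r"\(Ubuntu\)|Ubuntu-\d"), ("Linux", "Ubuntu Linux")),
    (re.compile(r"\(Debian\)|Debian-\d"), ("Linux", "Debian Linux")),
    (re.compile(r"Microsoft-IIS/10\.0"), ("Windows", "Windows Server 2016 or later / Windows 10 or later")),
    (re.compile(r"Microsoft-IIS/8\.5"), ("Windows", "Windows Server 2012 R2 / Windows 8.1")),
    (re.compile(r"FreeBSD"), ("FreeBSD", "FreeBSD")),
]


def banner_hint(banner):
    """Return (family, label) if the banner names an OS, else None (useless banner)."""
    for pattern, hint in BANNER_HINTS:
        if pattern.search(banner):
            return hint
    return None


def reconcile(fp_family, fp_label, banners):
    """Combine a TCP-fingerprint guess with banner hints.

    Returns (os_label, source, ignored), where ignored lists the banners that
    were useless or conflicted with the fingerprint, for analyst review.
    """
    refinements, ignored = set(), []
    for banner in banners:
        hint = banner_hint(banner)
        if hint is None:
            ignored.append((banner, "useless"))
        elif hint[0] != fp_family:
            # e.g. a reverse proxy or an edited Server header
            ignored.append((banner, "conflicting"))
        else:
            refinements.add(hint[1])
    # Assumption: refine only when all matching banners agree on one label.
    if len(refinements) == 1:
        return refinements.pop(), "tcp-fingerprint+banner", ignored
    return fp_label, "tcp-fingerprint", ignored
```

Keeping the ignored banners in the result is useful when triaging a misidentified host, since a conflicting banner often points to a proxy or load balancer in front of the asset.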
Qualys Support KnowledgeBase