How does Qualys detect the Operating System of the host scanned?

Document created by kb-author-1 Employee on May 19, 2010. Last modified by Qualys Documentation on May 8, 2019. Version 4.

Issue:

How does Qualys detect the Operating System of the host scanned?

 

 

Solution:

Qualys uses the following techniques to identify the Operating System:

 

- TCP fingerprint
- CIFS/NetBIOS
- Windows Registry (authenticated)
- Unix login (authenticated)
- SNMP
- Windows SRVSVC
- IKE (ISAKMP)
- CA Agent
- NTP
- WebCGI
- MSRPC

 

TCP fingerprinting happens early in the scanning/mapping process: Qualys sends specially crafted packets to the host and analyzes the replies. While this is a somewhat tricky process and not 100% accurate, it usually identifies the main operating system, and sometimes even the service pack level.

 

Qualys also examines banners from the host. If the banner information matches the TCP fingerprint, it is used to refine the operating system results. If the banner contains useless or conflicting information, Qualys relies on the TCP fingerprint instead.
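The banner rule described above can be sketched as follows. This is an added illustration, not Qualys code: the banner patterns, the sample banners, the `OsGuess` type, and the choice to discard all banner refinements when any banner conflicts are assumptions.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

class OsGuess(NamedTuple):
    family: str               # OS family reported for the host
    detail: Optional[str]     # finer-grained label, when one is known
    source: str               # "tcp" or "tcp+banner"
    conflicts: List[str]      # banners that disagreed with the fingerprint

# Constructed rules (assumption): banner pattern -> OS family it implies.
BANNER_RULES = [
    (re.compile(r"\((?P<detail>CentOS|Debian|Ubuntu)\)", re.I), "Linux"),
    (re.compile(r"OpenSSH_\S+\s+(?P<detail>Debian|Ubuntu)", re.I), "Linux"),
    (re.compile(r"Microsoft-(IIS|HTTPAPI)/", re.I), "Windows"),
]

def parse_banner(banner: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (family, detail) implied by a banner, or None if it names no OS."""
    for pattern, family in BANNER_RULES:
        match = pattern.search(banner)
        if match:
            return family, match.groupdict().get("detail")
    return None

def reconcile(tcp_family: str, tcp_detail: Optional[str],
              banners: List[str]) -> OsGuess:
    """Refine a TCP-fingerprint guess with banners that agree with it."""
    refined, conflicts = None, []
    for banner in banners:
        hint = parse_banner(banner)
        if hint is None:
            continue                      # useless banner: ignore it
        family, detail = hint
        if family != tcp_family:
            conflicts.append(banner)      # conflicting banner: record it
        elif detail and refined is None:
            refined = detail              # agreeing banner adds detail
    if conflicts or refined is None:
        # Fall back to the fingerprint alone, as the text describes.
        return OsGuess(tcp_family, tcp_detail, "tcp", conflicts)
    return OsGuess(tcp_family, refined, "tcp+banner", conflicts)

if __name__ == "__main__":
    # Constructed sample inputs, not real scan output.
    print(reconcile("Linux", None, ["SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7"]))
    print(reconcile("Linux", "Linux 3.x", ["Microsoft-IIS/8.5", "Apache/2.4.6 (CentOS)"]))
```

The `conflicts` list is kept in the result so that a reviewer can see which banners disagreed with the fingerprint.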

 

The additional tests listed above are performed at a later point during the actual scanning process but not during mapping.

 

 

Qualys Support KnowledgeBase

http://community.qualys.com/community/kb

 

ID: 0001.001.613.000
