Windows Operating System Detection via RDP

Tenable Network Security's research group has released a new Nessus plugin which can make use of the Remote Desktop Protocol (RDP) to accurately detect Windows Vista, 2000 Server, 2003 Server and XP Professional. The Remote Desktop Protocol is also sometimes referred to as Terminal Services. This protocol allows remote users and administrators to view the desktop of a Windows system offering this service to control the mouse, keyboard, run applications and otherwise run the system remotely.

Being able to communicate with RDP (which runs on port 3389) to determine the Windows operating system is very useful. Windows systems that are not part of a domain are often managed through RDP. If they have been hardened with a firewall to only offer the RDP service, this technique is an efficient way to identify the operating system.

As a form of detection, this type is perhaps the easiest for a human to perform, yet requires a high degree of skill and sophistication to perform this with a computer. You and I can usually simply look at a login screen and recognize the "Windows XP Pro", "Windows 2003" or other types of visual queues to identify an operating system. However, performing this type of analysis with a computer is non-trivial.

Consider the following login screen below:

You could probably tell this was some sort of Windows system before even trying to enlarge the above image.

Can you tell which version of Microsoft it is?

Can you tell which language this OS has been provisioned for?

Attempting to do this via RDP was an interesting challenge. The RDP protocol offers a variety of information including bitmaps and streams of text (which are really more bitmaps). One could imagine performing optical character recognition on the login screen bitmap logos or even creating a table of checksums for known bitmap images. Both of these techniques aren't reliable as many organizations and third part vendors (like Novell) can change the login bitmaps. Tenable was able to develop a technique to reliably fingerprint the information used to render text during the login process. This text can be used to identify and discriminate Windows XP Pro, Windows 2000, Windows 2003 and Vista operating systems.

Output from this plugin has also been integrated into the os_fingerprint.nasl script, which combines a wide variety of credentialed and non-credentialed operating system guessing techniques to accurately determine a remote operating system.

The plugin is currently available to Direct Feed and Security Center customers and works with the Nessus 3 vulnerability scanner on all available versions. Updating your plugins will automatically make this check available to your Nessus scanner.