Linux – Detect if remote host is running Windows or Samba

Tags: linux, nmap, samba, windows

From a Linux server, how can I quickly determine if a remote machine is running Windows or Samba?

I want to run commands on remote Windows machines (XP and 7) to list the installed software and versions. And I want to run these commands from a Linux server (using winexe).

To find the Windows hosts, I use this nmap command:

nmap -oG - -T4 -p T:445 192.168.1.0/24 | awk '{print $2, $3}'

However, I also get all the Samba servers and a few printers.

Is there a simple way, through additional nmap options or through a separate command, to get only the real Windows machines, and avoid sending irrelevant Windows commands to non-Windows servers and devices?

Update:

I followed pferate's suggestion and used -O. I hadn't tried it because I thought it would be slow and unreliable, but it works well in this situation. I now use this to detect real Windows machines:

nmap -oG - -T4 -p T:445 -O --max-os-tries 1 192.168.1.0/24 | grep '445/open/.* Windows' | awk '{print $2, $3}'

Best Answer

You can try using nmap's OS Detection option, -O.

nmap -O host

You can also try looking at the OS String or Server String for the host. Although it can be changed, the default Server string for Samba is Samba Server Version %v. I'm not sure what Windows' default server string is for all of the variants, but on Win7 SP1 I have Windows 7 Professional 6.1.

On my Linux Samba server the OS string is Unix and on Win7 SP1 it is Windows 7 Professional 7601 Service Pack 1.

$ smbclient -L host

Domain=[MYDOMAIN] OS=[Unix] Server=[Samba x.y.z]

        Sharename       Type      Comment
        ---------       ----      -------

Since these values can be changed, you can't trust them completely, but they can give you some initial insight.
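The banner check described in the answer can be scripted so that only hosts identifying as Windows are passed on to later commands. The following is an added example, not part of the original answer; the function names (`banner_field`, `classify_banner`, `windows_only`, `sample_banners`), the IP addresses and the sample banner lines are constructed for illustration, using the banner format shown in the `smbclient -L` output above.

```shell
#!/bin/sh
# Added example: classify hosts from the banner line printed by `smbclient -L host`.
# Banner format as shown in the answer: Domain=[...] OS=[...] Server=[...]

# Extract the bracketed value of one field ($1 = OS or Server) from a banner line ($2).
banner_field() {
    printf '%s\n' "$2" | sed -n "s/.*$1=\[\([^]]*\)\].*/\1/p"
}

# Print "samba", "windows" or "unknown" for one banner line.
classify_banner() {
    os=$(banner_field OS "$1")
    server=$(banner_field Server "$1")
    # Check Server first: a Samba Server string wins even if the OS string says Windows.
    case "$server" in
        Samba*) echo samba; return ;;
    esac
    case "$os" in
        Windows*) echo windows ;;
        Unix)     echo samba ;;
        *)        echo unknown ;;   # no banner, printer, or unrecognised string
    esac
}

# Read "host banner..." lines on stdin and print only hosts classified as Windows.
windows_only() {
    while read -r host banner; do
        [ "$(classify_banner "$banner")" = windows ] && echo "$host"
    done
    return 0
}

# Constructed sample input: one line per host, as "IP banner-line".
sample_banners() {
cat <<'EOF'
192.168.1.10 Domain=[MYDOMAIN] OS=[Windows 7 Professional 7601 Service Pack 1] Server=[Windows 7 Professional 6.1]
192.168.1.20 Domain=[MYDOMAIN] OS=[Unix] Server=[Samba x.y.z]
192.168.1.30 Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba x.y.z]
192.168.1.40 session setup failed
EOF
}

sample_banners | windows_only   # prints 192.168.1.10
```

Hosts that return no banner are reported as `unknown` and skipped, so a failed connection is never treated as a Windows machine.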