illwill

xp 2k detect

Jun 16th, 2014
;-----------------------------------------------------------------------
; xp 2k detect - single-file MASM program.
; Target:  32-bit Windows (.386, flat model, stdcall), built with the
;          MASM32 SDK (\masm32\include, \masm32\lib).
; Syntax:  MASM Intel order, op dst, src.
; Imports: user32, kernel32, shell32, wsock32 (Winsock 1.x) and the
;          masm32 library (GetCL, StdOut are used from it).
;-----------------------------------------------------------------------
.386
.model flat, stdcall
option casemap: none
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\shell32.inc
include \masm32\include\wsock32.inc
include \masm32\include\masm32.inc
includelib \masm32\lib\shell32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\wsock32.lib
includelib \masm32\lib\masm32.lib
  15.  
.data
; Console text.  13,10 / 0Dh,0Ah are CR LF; every string is NUL-terminated
; because it goes through StdOut or is a wsprintf format.
 usage   db  "                                    ",13,10,\
             "[*]------------------------------[*]",13,10,\
             "[*]       XP/2K OS Detector      [*]",13,10,\
             "[*]    by: illwill & phr0stic    [*]",13,10,\
             "[*]------------------------------[*]",13,10,13,10,0
usage2   db  "[*] Usage:   detect.exe <ip>     [*]",13,10,\
             "[*] Example: detect 192.168.0.2  [*]",13,10,0
; Three fixed request payloads, sent verbatim by .code.  What the bytes
; themselves show (the trailing "; n" comments are per-line byte counts):
;   bytes 0..3  00h,00h,00h,len  - len is the total minus 4
;                                  (85h=133, 0A4h=164, 0DAh=218);
;                                  presumably a NetBIOS session header
;   bytes 4..7  0FFh,'S','M','B'  - SMB signature
;   byte  8     72h (req1) or 73h (req2, req3)
; The per-line counts sum to 137, 168 and 222 respectively, which are
; exactly the lengths passed to send in .code - keep them in step.
;
; req1: after the header, 02h-prefixed NUL-terminated ASCII strings
; "PC NETWORK PROGRAM 1.0", "LANMAN1.0", "Windows for Workgroups 3.1a",
; "LM1.2X002", "LANMAN2.1", "NT LM 0.12" (decoded from the bytes below).
 req1    db 00h,00h,00h,85h,0FFh,53h,4Dh,42h,72h,00h,00h,00h,00h,18h,53h,0C8h,00h,00h ; 18
         db 00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,0FFh,0FEh,00h,00h,00h,00h,00h,62h ; 20
         db 00h,02h,50h,43h,20h,4Eh,45h,54h,57h,4Fh,52h,4Bh,20h,50h,52h,4Fh,47h,52h,41h,4Dh,20h ; 21
         db 31h,2Eh,30h,00h,02h,4Ch,41h,4Eh,4Dh,41h,4Eh,31h,2Eh,30h,00h,02h,57h ; 17
         db 69h,6Eh,64h,6Fh,77h,73h,20h,66h,6Fh,72h,20h,57h,6Fh,72h,6Bh,67h,72h,6Fh,75h,70h,73h,20h,33h ; 23
         db 2Eh,31h,61h,00h,02h,4Ch,4Dh,31h,2Eh,32h,58h,30h,30h,32h,00h ; 15
         db 02h,4Ch,41h,4Eh,4Dh,41h,4Eh,32h,2Eh,31h,00h,02h,4Eh,54h,20h,4Ch,4Dh,20h,30h,2Eh,31h,32h,00 ; 23


; req2: contains "NTLMSSP",0 followed by 01h,00h,00h,00h, then the
; UTF-16LE strings "Windows 2000 2195" and "Windows 2000 5.0" (letters
; interleaved with 00h).  These are what the tool *sends* about itself;
; they are not compared against anything.  Line counts: 21,17,20,18,21,
; 17,15,21,18 = 168.
 req2    db 00h,00h,00h,0A4h,0FFh,53h,4Dh,42h,73h,00h,00h,00h,00h,18h,07h,0C8h,00h,00h,00h,00h,00h
         db 00h,00h,00h,00h,00h,00h,00h,00h,00h,0FFh,0FEh,00h,00h,10h,00h,0Ch,0FFh
         db 00h,0A4h,00h,04h,11h,0Ah,00h,00h,00h,00h,00h,00h,00h,20h,00h,00h,00h,00h,00h,0D4h
         db 00h,00h,80h,69h,00h,4Eh,54h,4Ch,4Dh,53h,53h,50h,00h,01h,00h,00h,00h,97h
         db 82h,08h,0E0h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,57h
         db 00h,69h,00h,6Eh,00h,64h,00h,6Fh,00h,77h,00h,73h,00h,20h,00h,32h,00h
         db 30h,00h,30h,00h,30h,00h,20h,00h,32h,00h,31h,00h,39h,00h,35h
         db 00h,00h,00h,57h,00h,69h,00h,6Eh,00h,64h,00h,6Fh,00h,77h,00h,73h,00h,20h,00h,32h,00h
         db 30h,00h,30h,00h,30h,00h,20h,00h,35h,00h,2Eh,00h,30h,00h,00h,00h,00h,00


; req3: same shape as req2 but "NTLMSSP",0 is followed by 03h,00h,00h,00h
; (the 01h/03h look like NTLMSSP message-type fields - not verified here).
; The two lines before the UTF-16LE strings hold fixed binary fields the
; author did not document; the same two "Windows 2000 ..." strings follow.
 req3    db 00h,00h,00h,0DAh,0FFh,53h,4Dh,42h,73h,00h,00h,00h,00h,18h,07h,0C8h,00h,00h,00h,00h ; 20
         db 00h,00h,00h,00h,00h,00h,00h,00h,00h,00h,0FFh,0FEh,00h,08h,20h,00h,0Ch,0FFh ; 18
         db 00h,0DAh,00h,04h,11h,0Ah,00h,00h,00h,00h,00h,00h,00h,57h,00h,00h,00h,00h,00h,0D4h ; 20
         db 00h,00h,80h,9Fh,00h,4Eh,54h,4Ch,4Dh,53h,53h,50h,00h,03h,00h,00h,00h,01h ; 18
         db 00h,01h,00h,46h,00h,00h,00h,00h,00h,00h,00h,47h,00h,00h,00h,00h,00h,00h,00h,40h,00h ; 21
         db 00h,00h,00h,00h,00h,00h,40h,00h,00h,00h,06h,00h,06h,00h,40h,00h,00h ; 17
         db 00h,10h,00h,10h,00h,47h,00h,00h,00h,15h,8Ah,88h,0E0h,48h,00h,4Fh,00h,44h,00h ; 19
         db 00h,81h,19h,6Ah,7Ah,0F2h,0E4h,49h,1Ch,28h,0AFh,30h,25h,74h,10h,67h,53h,57h,00h ; 19
         db 69h,00h,6Eh,00h,64h,00h,6Fh,00h,77h,00h,73h,00h,20h,00h,32h,00h,30h,00h,30h ; 19
         db 00h,30h,00h,20h,00h,32h,00h,31h,00h,39h,00h,35h,00h,00h,00h,57h,00h,69h,00h ; 19
         db 6Eh,00h,64h,00h,6Fh,00h,77h,00h,73h,00h,20h,00h,32h,00h,30h,00h,30h,00h,30h ;19
         db 00h,20h,00h,35h,00h,2Eh,00h,30h,00h,00h,00h,00h,00 ; 13
; Status / result messages.  %s is always IPAddress (command-line text);
; %ld in bytesent receives the return value of the third send.
 STARTme   db "[+] Finding Host %s",0Dh,0Ah,0
 HostYay   db "[+] Connected to %s",0Dh,0Ah,0
 HostErr   db "[-] Cannot connect to %s",0Dh,0Ah,0
 LoginRcv  db "[+] %s",0Dh,0Ah,0               ; not referenced by .code
 win2k     db "[?] The box seems to be Windows 2000",0Dh,0Ah,0
 winxp     db "[?] The box seems to be Windows XP",0Dh,0Ah,0
 SendError db "[-] Socket Error When Sending Data.",0Dh,0Ah,0
 RcvError  db "[-] Socket Error When Receiving Data.",0Dh,0Ah,0
 bytesent  db "[+] Bytes Sent: %ld",0Dh,0Ah,0
  65.  
.data?
; Uninitialised storage.  Both 128-byte buffers are written without a
; length limit (GetCL into IPAddress, wsprintf into buffer) - see .code.
    IPAddress  db 128 dup(?)                  ; command-line argument 1, as text
    buffer     db 128 dup(?)                  ; wsprintf scratch for console output
    sock       dd ?                           ; handle returned by socket()
    sin        sockaddr_in <?>                ; AF_INET, port 445, inet_addr(IPAddress)
    wsadata      WSADATA <?>                  ; filled by WSAStartup, otherwise unused
    buff_sock  db 1600 dup (?)                ; receive buffer, zeroed before every recv
 hOutput         dd ?                         ; STD_OUTPUT_HANDLE
consoleInfo CONSOLE_SCREEN_BUFFER_INFO <>     ; only wAttributes is read (original colour)
  75.  
.code
;-----------------------------------------------------------------------
; Entry point.  One flat sequence, no procedures:
;   1. save the console colour and switch to bright green
;   2. take command-line argument 1 as the target address (GetCL)
;   3. open one TCP connection to <ip>:445, send the fixed req1..req3
;      from .data, read each reply into buff_sock
;   4. print "Windows 2000" if byte 68 of the third reply is '0',
;      otherwise "Windows XP"
;   5. @@err: close the socket, restore the colour, ExitProcess(0)
; Registers: EDI = original console attributes, saved on entry and
;            restored before exit; eax = most recent API return value.
; Every failure label ends in @@err; the process exit code is always 0.
;-----------------------------------------------------------------------
@@start:
    push EDI                                  ; EDI is used across the whole run
    invoke GetStdHandle, STD_OUTPUT_HANDLE
    mov hOutput, eax
    INVOKE GetConsoleScreenBufferInfo, hOutput, ADDR consoleInfo
         movzx EDI,consoleInfo.wAttributes    ; remember the colour for @@err
    invoke SetConsoleTextAttribute, hOutput, FOREGROUND_GREEN  or \
                                             FOREGROUND_INTENSITY
    ; masm32 GetCL: copy argument 1 into IPAddress.  Any return other
    ; than 1 is treated as "no usable argument" and shows the usage text.
    ; NOTE(review): GetCL is given no buffer size and IPAddress is 128
    ; bytes; an over-long argument overruns it, and the wsprintf "%s"
    ; calls below can likewise overrun the 128-byte buffer.
    invoke GetCL, 1, addr IPAddress
    cmp eax, 1
    jnz @@usage
  invoke StdOut, addr usage                   ; banner
    invoke WSAStartup, 101h, offset wsadata   ; request Winsock 1.1
    test eax, eax
    ; NOTE(review): on WSAStartup failure this jumps back to the entry
    ; label, which pushes EDI again and retries indefinitely; jumping to
    ; @@err (or printing an error) would terminate cleanly instead.
    jnz @@start
    invoke socket, AF_INET, SOCK_STREAM, 0    ; return not checked for INVALID_SOCKET
    mov sock, eax
    mov sin.sin_family, AF_INET
    invoke htons, 445                         ; TCP/445
    mov sin.sin_port, ax
    invoke inet_addr, addr IPAddress          ; dotted-quad text only; result not validated
    mov sin.sin_addr, eax
    invoke wsprintf, addr buffer, addr STARTme, addr IPAddress
    invoke StdOut, addr buffer
    invoke connect, sock, addr sin, sizeof sin
    cmp eax, SOCKET_ERROR
    jz @@connect_err
    invoke wsprintf,addr buffer,addr HostYay,addr IPAddress
    invoke StdOut, addr buffer

    ; Request/reply exchange.  The literal lengths (137, 168, 222) must
    ; equal the byte counts of the matching tables in .data.
    ; send's return value is never tested, so @@send_err is unreachable.
    ; recv: eax <= 0 (0 = peer closed, SOCKET_ERROR = -1) -> @@recv_err.
    ; buff_sock is zeroed first, so bytes beyond the reply read as 00h.
    invoke send, sock, addr req1, 137, 0
    invoke RtlZeroMemory, addr buff_sock, sizeof buff_sock
    invoke recv, sock, addr buff_sock, sizeof buff_sock, 0
    test eax, eax
    jle @@recv_err
    invoke send, sock, addr req2, 168, 0
    invoke RtlZeroMemory, addr buff_sock, sizeof buff_sock
    invoke recv, sock, addr buff_sock, sizeof buff_sock, 0
    test eax, eax
    jle @@recv_err
    invoke send, sock, addr req3, 222, 0
    invoke wsprintf, addr buffer, addr bytesent, eax   ; eax = send's return (count, or SOCKET_ERROR)
    invoke StdOut, addr buffer
    invoke RtlZeroMemory, addr buff_sock, sizeof buff_sock
    invoke recv, sock, addr buff_sock, sizeof buff_sock, 0
    test eax, eax
    jle @@recv_err
    ; Classification: a single byte at a fixed offset of the third reply
    ; ('0' of "5.0" vs '1' of "5.1", see the trailing comments).
    ; NOTE(review): the offset is never compared with the byte count in
    ; eax; a short reply (zeroed byte), or any other Windows release (the
    ; trailing notes show a different layout for Win7), is reported as XP.
    mov al, [byte ptr buff_sock+68]
    cmp al, '0'
    je @@2k
    invoke StdOut, addr winxp
    jmp @@err

@@2k:
    invoke StdOut, addr win2k
    jmp @@err

@@recv_err:
    invoke StdOut, addr RcvError
    jmp @@err

@@send_err:                                   ; no jump targets this label (see above)
    invoke StdOut, addr SendError
    jmp @@err

@@connect_err:
    invoke wsprintf,addr buffer,addr HostErr,addr IPAddress
    invoke  StdOut,addr buffer
    jmp @@err

@@usage:
    invoke StdOut, addr usage
  invoke StdOut, addr usage2
    ; Falls through to @@err: closesocket runs on the never-assigned
    ; sock value and WSACleanup runs without a matching WSAStartup.

@@err:
    invoke closesocket, sock
    invoke WSACleanup
invoke SetConsoleTextAttribute, hOutput, EDI  ; restore the saved colour
pop EDI
    invoke ExitProcess, 0
    ret                                       ; never reached; ExitProcess does not return
end @@start
  160.  
; to tell XP from Win2k: the reply carries "5.0" or "5.1", and the '1' or '0' is the byte at offset 68 (the buff_sock+68 read above)
  162. ;   u SMBs    ÿ+               ¦  ?  u     J  W i n d o w s   5 . 1   W i n d o w s   2 0 0 0   L A N   M a n a g e r
  163.  
  164. ;this is response from win2k3
  165. ;   # SMBs? [ ÿê               ¦
  166.  
  167. ;this is windows 7 ultimate the 64th digit is 7
  168. ;   ë SMBs    ÿ+               ¦  ?  ë     ^ NW i n d o w s   7   U l t i m a t e   7 6 0 0   W i n d o w s   7   U l t i m a t e   6 . 1