The Tenable research team recently published a few new plugins that contribute to how Nessus performs OS identification. When scanning devices and systems I am always amazed at how many different services will hint at, or even flat out reveal, the operating system and version.
HNAP is the Home Network Administration Protocol developed by Cisco Systems. It is designed to allow remote support personnel to manage devices on users networks using a SOAP-based protocol. An unfortunate side-effect is the information being leaked across the network that can be accessed without authentication. A new plugin was developed to collect this information and use it to determine the remote operating system:
The above identification is 100% accurate; the device is in fact a Linksys WET610n (it is actually a wireless bridge, the WAP610n is the access point but they run the same base firmware).
Apples' file sharing protocol (AFP) can be enabled on Mac OS X and other operating systems to share files similar to Microsoft's SMB service.
By sending AFP a specially formatted request it will return the operating system type and version.
The Universal Plug and Play (UPnP) protocol was created to easily allow devices on the network to discover each other and find services to share data. Devices using UPnP announce themselves on the network, and typically leak the operating system running on the device. For example, I have this device on my local network, that responds to UPnP requests with the following output:
friendlyName:Roku Streaming Player
modelDescription:Roku Streaming Player Network Media
modelName:Roku Streaming Player N1101
For network discovery UPnP can be a fantastic resource, and in this case provided us with detailed information right down to the serial number.
Enjoy the latest OS identification plugins that will assist you with knowing what is connected to your network!