3. If port 135 and port 22 are open on the same server, how does the mid server differentiate which server it is ? And, can a specific server be both Windows server and the linux server at the same time ?

Akash Kadam
Tera Contributor

‎07-12-2022 10:10 PM

If port 135 and port 22 are open on the same server, how does the mid server differentiate which server it is ? And, can a specific server be both Windows server and the linux server at the same time ?

Labels:
0 Helpfuls
  • 1,118 Views
3 REPLIES 3

Aman Kumar S
Kilo Patron

‎07-12-2022 10:51 PM

Hey,

During port scan phase, the shazam probes are sent via mid server to check which ports the devices are responding to.

Now in your scenario, lets say the device responds to both 135 and 22, it will look up "Discovery port probes" to check for the highest classification priority. Now, lets say port 135(WMI) and 22(SSH),  since WMI has higher classification priority, the device will be identified as Windows and classification probes are sent for windows devices.

Refer to below link:
Port probes

Feel free to mark correct, If I answered your query.

Will be helpful for future visitors looking for similar questions 🙂

 

Best Regards
Aman Kumar

Aman Kumar S
Kilo Patron
In response to Aman Kumar S

‎07-17-2022 09:50 AM

Hey @Akash Kadam 

Didn't hear back on this?

Is your issue resolved? If yes, feel free to mark helpful/correct, so it will be helpful for others looking for similar query.

Best Regards
Aman Kumar
0 Helpfuls

Rahul Priyadars
Tera Sage
Tera Sage

‎07-12-2022 11:33 PM

Port probes are used in Discovery by the Shazzam probe to detect protocol activity on open ports on devices it encounters.

When a port probe encounters a protocol in use, the Shazzam sensor checks the port probe record to determine which classification probe to launch. The common protocols WMI, SSH, SNMP, and HTTP in the base system have priority numbers that control the order in which they are launched.

The priority is as follows:

  • 1 - WMI
  • 2 - SSH
  • 3 - SNMP
  • 4 - HTTP

In the base system, the WMI probe is always launched first, and if it is successful on a device, no other port probes are launched for that device. If the WMI probe is not successful, then the SSH probe is launched to gather information on the device. If it is not successful, the SNMP probe is launched. This method allows Discovery to classify a device correctly if the device is running more than one protocol (for example, SSH, SNMP, and HTTP).

Regards

RP