3

We're out on a mission to find and eradicate XP boxes on our intranet.

Now we're wondering what the fastest (scan) method might be. XP boxes connected to our active directory have already been identified, but now we need to find the remaining, isolated machines.

Some articles seem to indicate that scanning for port 445 is the thing to do, some recommend 137-139 and maybe 3389.

Ralf Hildebrandt

2 Answers

2

I hope you're aware of the networks you need to scan, since you're not aware of your workstations :)

Try with:

nmap --script smb-os-discovery -p 445 networkaddress/mask

It will give you OS version for every host it finds in the scanned network. Parse the output and you'll have the info you need.

13dimitar
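
The "parse the output" step from the answer above, as an added example that is not part of the original answer: it reads nmap's normal text output for `--script smb-os-discovery -p 445`, lists hosts whose reported OS is Windows XP, and separately lists hosts that gave no SMB OS answer (for example a filtered port), since those still need checking another way. The sample output, addresses and the function name `classify` are constructed for illustration.

```python
import re

# Constructed sample of `nmap --script smb-os-discovery -p 445` normal output.
SAMPLE = """\
Nmap scan report for 10.0.0.5
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   OS CPE: cpe:/o:microsoft:windows_xp::-
|_  System time: 2014-04-08T10:00:00+02:00

Nmap scan report for files.example.test (10.0.0.9)
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|_  System time: 2014-04-08T10:00:01+02:00

Nmap scan report for 10.0.0.23
PORT    STATE    SERVICE
445/tcp filtered microsoft-ds
"""

# Header is either "for <ip>" or "for <name> (<ip>)"; capture the address.
HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?([0-9a-fA-F.:]+)\)?$")
OS_RE = re.compile(r"^\|[ _]+OS: (.+)$")      # matches "OS:", not "OS CPE:"
XP_RE = re.compile(r"Windows (XP|5\.1)\b")    # 5.1 is XP's SMB native OS string

def classify(nmap_text):
    """Return (xp_hosts, hosts_without_smb_os_answer) from nmap normal output."""
    os_by_host, current = {}, None
    for line in nmap_text.splitlines():
        line = line.strip()
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            os_by_host[current] = None        # no SMB OS answer seen yet
            continue
        m = OS_RE.match(line)
        if m and current:
            os_by_host[current] = m.group(1)
    xp = sorted(h for h, o in os_by_host.items() if o and XP_RE.search(o))
    unknown = sorted(h for h, o in os_by_host.items() if o is None)
    return xp, unknown

if __name__ == "__main__":
    print(classify(SAMPLE))
```
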
0

As noted in this article, the DHCP server is a good place to start. The logs should show what operating system is getting the IP address, so you can just do a search for Windows XP. Also, you can use a network scanner, such as nmap or Angry IP Scanner. They should have an option to display the host OS.

B00TK1D