Nmap Version Scan, determining the version and available services

Chưa phân loại
The action of collecting more information as possible about a target is usually called “footprinting” by IT specialists.While Nmap default scans ports looking for available services it is possible to force the scan to try to detect software versions running on the target increasing the footprinting accuracy.

The reasons why it is so important to detect services and software version on the target device is because some services share the same ports, therefore in order to discriminate services, detecting the software running behind the port may become critical.

Yet, the main reason most sysadmins will run a version scan is to detect security holes or vulnerabilities belonging to outdated or specific software versions.

A regular Nmap scan can reveal opened ports, by default it won’t show you services behind it, you can see a 80 port opened, yet you may need to know if Apache, Nginx or IIS is listening.

By adding version detection NSE (Nmap Scripting Engine) can also contrast the identified software with vulnerabilities databases (see “How to use Vuls”).

How Nmap services and version detection works?

In order to detect services Nmap uses the database called nmap-services including possible services per port, the list can be found at https://svn.nmap.org/nmap/nmap-services, if you have a customized port configuration you can edit the file located at /usr/share/nmap/nmap-services. To enable service detection the flag -A is used.

To detect software versions Nmap has another database called nmap-service-probes which includes probes for querying and match expressions to identify responses.

Both databases help Nmap first to detect the service behind the port such as ssh or http. Second, Nmap will try to find the software providing the service (such as OpenSSH for ssh or Nginx or Apache for http) and the specific version number.

In order to increase version detection accuracy, this specific scan integrates NSE (Nmap Scripting Engine) to launch scripts against suspected services to confirm or discard detections.

You can always regulate the intensity of a scan as will be explained below despite it will be only useful against uncommon services on targets.

Getting started with Nmap Services and Version Detection:

To install Nmap on Debian and based Linux distributions run:

# apt install nmap -y

Before starting lets run a regular Nmap scan by executing:

# nmap linuxhint.com

You can see open and filtered ports are listed, now lets run a version scan by executing:

# nmap -sV linuxhint.com

You can see in the output above this time Nmap detected OpenSSH 6.6.1p1 behind port 22, Postfix behind port 25 and Nginx behind ports 80 and 443. In some cases, Nmap cannot distinguish filtered ports, in such cases Nmap will mark them as filtered, yet if instructed it will continue probes against these ports.

It is possible to determine que grade of intensity Nmap will use to detect software versions, by default the level 7 and the possible range is from 0 to 9. This feature will only show results if uncommon services are running on the target, there will not be differences in servers with widely used services. The following example shows a version scan with minimal intensity:

#  nmap -sV –version-intensity 0 linuxhint.com

To run the most aggressive version detection scan, replace the 0 for 9:

# nmap -sV –version-intensity 9 linuxhint.com

The level 9 can be also executed as:

# nmap -sV –version-all nic.ar

For a low intensity version detection (2) you can use:

#  nmap -sV –version-light  nic.ar

You can instruct Nmap to show the whole process by adding the –version-trace option:

# nmap -sV  –version-trace

Now, let’s use the flag -A which also enables version detection, additionally to OS, traceroute and NSE:

# nmap -A

As you can see after the scan NSE post scan as launched detecting possible vulnerabilities for the exposed Bind version.

The device type and OS were successfully detected as phone and Android and a traceroute was also executed (the Android mobile is working as hotspot).

While in order to detect services NSE is integrated to allow a better accuracy, a specific OS detection scan can be launched with the -O flag as in the following example:

# nmap -O

As you see the result was pretty similar without NSE, which is by default integrated to version probes.

As you could see, with Nmap and few commands you’ll be able to learn relevant information on software running on targets, if the flag -A is enabled Nmap will test results trying to find security holes for the specified service versions.

I hope you found this tutorial on Nmap Version Scan useful, there are a lot of additional high quality content on Nmap at https://linuxhint.com/?s=nmap.

Keep following LinuxHint for more tips and updates on Linux and networking.

Sandclock IDC thành lập vào năm 2012, là công ty chuyên nghiệp tại Việt Nam trong lĩnh vực cung cấp dịch vụ Hosting, VPS, máy chủ vật lý, dịch vụ Firewall Anti DDoS, SSL… Với 10 năm xây dựng và phát triển, ứng dụng nhiều công nghệ hiện đại, Sandclock IDC đã giúp hàng ngàn khách hàng tin tưởng lựa chọn, mang lại sự ổn định tuyệt đối cho website của khách hàng để thúc đẩy việc kinh doanh đạt được hiệu quả và thành công.
Bài viết liên quan

Python Virtualenv Tutorial

The headaches of dependency management are common to developers. One errant update requires hours of research to correct. ...

Installing and Using Snort Intrusion Detection System to Protect Servers and Networks

After setting up any server among the first usual steps linked to security are the firewall, updates and upgrades, ssh...

Jinja 2 Templates

JInja2 is a widely-used and fully featured template engine for Python. Being modern it is hence also design-friendly language...
Bài Viết

Bài Viết Mới Cập Nhật

Hướng dẫn chuyển đổi windows server windows evaluation to standard và active windows server 2008 + 2012 + 2016 + 2019

How to Update Ubuntu Linux

Squid Proxy Manager cài đặt và quản lý Proxy Squid tự động trên ubuntu

Hướng dẫn cài đặt Apache CloudStack

Hướng dẫn ký file PDF bằng chữ ký số (chữ ký điện tử) và sửa lỗi mới nhất 2021 foxit reader