In the last blog post I talked about what nmap is, how the different types of host discovery and port scanning work, and how to save nmap results in different output formats. In this post I will write about how we can use nmap to perform service enumeration and how service enumeration works under the hood.
Knowing the exact version of the services running on the target hosts helps in finding exploits that apply to that particular version. For example, if you find that the SSH server is an older release, there may be public exploits for it that a penetration tester can make use of.
To find out what service a particular port of the target is running, we simply add the -sV flag:
sudo nmap -sV -p <port> 10.10.10.89
As you can see in the screenshot, nmap has successfully reported the state of the port, its service and its version. Nmap first waits for the server to send a banner and compares that banner against its signature database. If no signature matches the banner, it falls back to sending a series of protocol-specific probes, which increases detection time. We can use the following command to grab the banner separately:
sudo nmap --script=banner -p 22 10.10.10.89
Alternatively, we can use nc to grab the banner:
nc -v 10.10.10.89 22
I recommend using nc and the nmap banner script to find out additional details, as nmap's service enumeration sometimes leaves useful information out of its output. For example, some services give out other information, like the OS name, right after the three-way handshake, and nmap's version column does not always show it.
If we have to perform service enumeration on all 65535 TCP ports, we can simply use -p-, for example:
sudo nmap -sV -p- 10.10.10.56
In the screenshot above you can see that it has found two open ports and reported their states, services and versions.
Tip: If you forget to supply the -v flag to put nmap in verbose mode, you can simply press 'v' in the middle of the scan to increase the verbosity level.
Note: When doing service enumeration for all ports, nmap skips version probes for TCP ports 9100-9107. Those ports are assigned to printer services (raw printing, as used by HP JetDirect), and a printer listening there would print every probe nmap sends it on paper. If you want to include those ports too, pass the --allports option, which tells nmap to ignore the 'Exclude' directive in the 'nmap-service-probes' file. Alternatively, you can edit the 'Exclude' directive in that file yourself. You can find the file using the following command:
find / -type f -name "nmap-service-probes" 2>/dev/null
Then remove the port range from the 'Exclude' line. Keep in mind that the exclusion only affects version detection: the port scan itself still reports those ports as open, so what a smart sysadmin can hide there is the identity of the service, not the listening port. Checking them with --allports or a manual banner grab is worthwhile.
How does service enumeration work?
As always, let's run the service enumeration command with nmap and intercept the traffic using tcpdump. Start the capture first, in one terminal:
sudo tcpdump -i any host 10.10.10.56
Then, in another terminal, run the scan:
sudo nmap -p 2222 -sV -n -Pn 10.10.10.56
The first, second and third lines of the highlighted portion are the SYN, SYN/ACK and ACK of a successful three-way handshake. The fourth line, sent by the server, carries the 'P.' flags: 'P' is PSH, meaning the segment carries data that should be handed to the application right away, and '.' is tcpdump's notation for the ACK flag. The fifth line is the client's acknowledgement to the server that it received that data.
But what data does the server send? We can capture the traffic with tcpdump's -A flag to print the payload as ASCII.
In the screenshot above you can see that the server has sent data, and this data is the banner.
So nmap simply initiated a TCP connection, waited for the server to send some data (the banner in our case) and, based on the banner received, determined the version number.
We can run the same command with the --packet-trace flag to see the same exchange without tcpdump:
sudo nmap -p 2222 -sV -n -Pn --packet-trace 10.10.10.56
In the second line of the highlighted portion you can see that nmap has sent the NULL probe to the server. A NULL probe simply means that nmap connects and sends no data at all; it just waits for the server to speak first. The fourth line says that the banner matched line 3518. What that means is that once the banner is received, nmap compares it against the list of signatures in a file named "nmap-service-probes", and the line number refers to the matching 'match' line in that file. There is a way to find out which file nmap opened without knowing its name in advance, by tracing its system calls (for example with strace), but that is another topic on its own.
In this case the match was found on line 3518. Let's verify that.
Indeed, the received banner perfectly matches the regex shown.
After the NULL probe, nmap waits up to 6 seconds for data to arrive (the totalwaitms 6000 setting of that probe in nmap-service-probes). If nothing arrives or nothing matches, it sends the other probes defined in the file one after another; how many of them it tries is governed by --version-intensity (or the --version-light and --version-all shortcuts). The other fallback mechanisms nmap uses for service enumeration are left as an exercise for the reader.
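To make the matching step concrete, here is an added example (my own code, not part of the original post and not nmap's code) that does by hand what the NULL probe and the match lines do: connect, send nothing, read whatever the server volunteers for up to 6 seconds, and run the banner through match/softmatch lines written in nmap-service-probes syntax, filling in the $1/$2 capture references to build the product, version, info and CPE fields. The signature lines in SAMPLE_PROBES_FILE are a constructed, simplified excerpt written for this example, not copied from nmap's file, and all function and variable names are my own.

```python
from __future__ import annotations
import re
import socket
import time
from dataclasses import dataclass, field
from typing import Iterable

# Constructed, simplified excerpt in nmap-service-probes syntax (written for this example, not copied from nmap).
SAMPLE_PROBES_FILE = [
    "Probe TCP NULL q||",
    "totalwaitms 6000",
    r"match ssh m|^SSH-([\d.]+)-OpenSSH_([\w._-]+)[ -]{1,2}Ubuntu[ -._]+([\w.]+)\r?\n| p/OpenSSH/ v/$2 Ubuntu $3/ i/Ubuntu Linux; protocol $1/ o/Linux/ cpe:/a:openbsd:openssh:$2/ cpe:/o:linux:linux_kernel/",
    r"match ssh m|^SSH-([\d.]+)-OpenSSH_([\w._-]+)\r?\n| p/OpenSSH/ v/$2/ i/protocol $1/ cpe:/a:openbsd:openssh:$2/",
    r"match ftp m|^220 \(vsFTPd ([\d.]+)\)\r\n| p/vsftpd/ v/$1/ o/Unix/",
    r"softmatch smtp m|^220 [\w.-]+ ESMTP|",
    r"Probe TCP GetRequest q|GET / HTTP/1.0\r\n\r\n|",
    r"match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: Apache/([\d.]+)| p/Apache httpd/ v/$1/",
]

FIELD_NAMES = {"p": "product", "v": "version", "i": "info", "h": "hostname", "o": "os", "d": "devicetype"}
PROBE_RE = re.compile(r"^Probe\s+(?:TCP|UDP)\s+(\S+)\s+q")
# match|softmatch <service> m<delim>regex<delim>[is] [versioninfo]; any character may serve as delimiter
MATCH_RE = re.compile(r"^(match|softmatch)\s+(\S+)\s+m(.)(.*?)\3([is]*)(?:\s+(.*))?$")
FIELD_RE = re.compile(r"\s*(cpe:|[pvihod])(\S)(.*?)\2a?")   # p/../ v/../ i/../ h/../ o/../ d/../ cpe:/../
TEMPLATE_VAR_RE = re.compile(r"\$(\d+)")                    # $1, $2 ... refer to regex capture groups

@dataclass
class Signature:
    line_no: int
    service: str
    soft: bool            # softmatch: service identified, but nmap keeps probing for the version
    regex: re.Pattern
    fields: dict = field(default_factory=dict)   # product/version/... templates
    cpes: list = field(default_factory=list)

def parse_versioninfo(text: str) -> tuple[dict, list]:
    """Split 'p/OpenSSH/ v/$2/ cpe:/a:openbsd:openssh:$2/' into its templates."""
    fields, cpes, pos = {}, [], 0
    while m := FIELD_RE.match(text, pos):
        if m.group(1) == "cpe:":
            cpes.append(m.group(3))
        else:
            fields[FIELD_NAMES[m.group(1)]] = m.group(3)
        pos = m.end()
    return fields, cpes

def load_signatures(lines: Iterable[str], probe: str = "NULL") -> list[Signature]:
    """Collect the match lines that belong to one probe section, in file order."""
    sigs, current = [], None
    for line_no, line in enumerate(lines, start=1):
        line = line.rstrip("\r\n")
        if not line or line.startswith("#"):
            continue
        if p := PROBE_RE.match(line):
            current = p.group(1)
            continue
        if current != probe or not (m := MATCH_RE.match(line)):
            continue
        kind, service, _delim, pattern, flag_chars, rest = m.groups()
        flags = (re.IGNORECASE if "i" in flag_chars else 0) | (re.DOTALL if "s" in flag_chars else 0)
        fields, cpes = parse_versioninfo(rest or "")
        sigs.append(Signature(line_no, service, kind == "softmatch", re.compile(pattern, flags), fields, cpes))
    return sigs

def match_banner(banner: bytes, sigs: list[Signature]) -> dict | None:
    """The first signature whose regex hits wins, as in nmap, so file order matters."""
    text = banner.decode("latin-1")   # 1:1 byte-to-char, so the regexes see the raw bytes
    for sig in sigs:
        m = sig.regex.search(text)
        if not m:
            continue
        fill = lambda t: TEMPLATE_VAR_RE.sub(lambda v: m.group(int(v.group(1))) or "", t)
        result = {"service": sig.service, "soft": sig.soft, "line": sig.line_no}
        result.update({name: fill(t) for name, t in sig.fields.items()})
        result["cpe"] = [fill(c) for c in sig.cpes]
        return result
    return None

def grab_banner(host: str, port: int, wait_seconds: float = 6.0, max_bytes: int = 4096) -> bytes:
    """nmap's NULL probe by hand: connect, send nothing, and collect whatever the server
    volunteers until wait_seconds elapse (the NULL probe's totalwaitms 6000) or it closes."""
    data, deadline = b"", time.monotonic() + wait_seconds
    with socket.create_connection((host, port), timeout=wait_seconds) as s:
        while len(data) < max_bytes and deadline > time.monotonic():
            s.settimeout(max(deadline - time.monotonic(), 0.01))
            try:
                chunk = s.recv(max_bytes - len(data))
            except socket.timeout:
                chunk = b""
            if not chunk:             # timed out, or the server closed without speaking
                break
            data += chunk
    return data

if __name__ == "__main__":
    import sys                                            # usage: python3 <this file> 10.10.10.89 22
    raw = grab_banner(sys.argv[1], int(sys.argv[2]))
    print("banner:", raw)
    print(match_banner(raw, load_signatures(SAMPLE_PROBES_FILE)) or "no NULL-probe match: nmap would send the next probe")
```

Feed the loader the real file (open(path, encoding="latin-1"), with path being what the find command above prints) to test a captured banner against nmap's own signatures. Two simplifications to keep in mind: nmap only tries the match lines under the probe it actually sent (the loader's probe argument mimics that), and the $P(), $SUBST() and $I() helpers that some real versioninfo templates use are not expanded here. A softmatch hit tells you the service but not the version, which is why nmap then continues with that service's own probes instead of stopping.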