Saturday, July 14, 2012

How NMAP Service Version Detection works

What is Nmap?
Nmap (Network Mapper) is a security scanner originally written by Gordon Lyon. (wiki)

Apart from basic host discovery and port scanning, Nmap offers service version detection through the -sV option, which can be combined with any scan.
SERVICE/VERSION DETECTION on Nmap 6.01:
  -sV: Probe open ports to determine service/version info
  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)

How service/version detection in Nmap works
In short, Nmap connects to each open port, waits briefly for the service to send a banner on its own (the so-called NULL probe), and, if nothing usable arrives, sends its own probes one after another. Every response is compared against the match rules for that probe, and the first rule whose regular expression fits decides the service name and the version string that get printed. The probes and the match rules live in a file called nmap-service-probes in Nmap's data directory.

Each rule carries a regular expression that the received data has to match. Here is how an OpenSSH banner is detected:

Rule found in nmap-service-probes:
match ssh m|^SSH-([\d.]+)-OpenSSH\r?\n$| p/OpenSSH/ i/protocol $1/ d/terminal server/
ssh: the service name Nmap reports in the SERVICE column when this rule matches
m|^SSH-([\d.]+)-OpenSSH\r?\n$|: the Perl-style regular expression the received banner must match; the group ([\d.]+) captures the SSH protocol version
p/OpenSSH/ i/protocol $1/ d/terminal server/: the product, info and device-type strings Nmap prints back to us, with $1 replaced by the first captured group (product and info make up the VERSION column, while the device type is shown on the "Service Info:" line at the end of the report)
Note that this particular pattern requires the banner to end right after "OpenSSH". A banner such as SSH-2.0-OpenSSH_2.5 is matched instead by a neighbouring OpenSSH rule in the same file, which captures the suffix after the underscore in a second group and reports it with a v/$2/ version field; that is where the "2.5" in the result below comes from.
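The matching step described above, as an added Python example that is not part of the original post and not Nmap's own code: it parses match lines written in the nmap-service-probes syntax, applies each regex in order to a received banner, and builds the VERSION string from the p/, v/ and i/ fields the way Nmap prints it. The first rule is the one quoted above; the second is constructed here in the same format to show a v/$2/ field filled from a second capture group (the real file contains a similar OpenSSH rule, but this exact line is an assumption for the example). The function names and the sample banners are mine.

```python
import re

# Constructed mini-database in nmap-service-probes 'match' syntax.
# Line 1 is the rule quoted on the page; line 2 is written for this example
# (assumption: the real file has a similar OpenSSH rule, but this exact text is
# not copied from it) to show a v/ version field fed from a second capture group.
RULES_TEXT = r"""
match ssh m|^SSH-([\d.]+)-OpenSSH\r?\n$| p/OpenSSH/ i/protocol $1/ d/terminal server/
match ssh m|^SSH-([\d.]+)-OpenSSH[_-]([\w.]+)\r?\n| p/OpenSSH/ v/$2/ i/protocol $1/
"""

# A version field is a letter (p=product, v=version, i=info, h=hostname,
# o=OS, d=devicetype) followed by a delimiter, the text, and the same delimiter.
# Requiring leading whitespace keeps the 'p' inside a 'cpe:/.../' token from matching.
FIELD_RE = re.compile(r'(?:^|\s)(?P<key>[pvihod])(?P<delim>[^\w\s])(?P<text>.*?)(?P=delim)')


def parse_match_line(line):
    """Turn one 'match' line into (service, compiled regex, {field letter: template})."""
    keyword, service, rest = line.split(None, 2)
    if keyword != 'match' or not rest.startswith('m'):
        raise ValueError('not a match line: ' + line)
    delim = rest[1]
    end = rest.index(delim, 2)          # closing delimiter of the regex
    pattern = rest[2:end]
    # Optional flags right after the regex: i (case-insensitive) and s (dot matches newline)
    pos = end + 1
    flags = 0
    while pos < len(rest) and rest[pos] in 'is':
        flags |= re.IGNORECASE if rest[pos] == 'i' else re.DOTALL
        pos += 1
    fields = {m.group('key'): m.group('text') for m in FIELD_RE.finditer(rest[pos:])}
    return service, re.compile(pattern, flags), fields


def load_rules(text):
    """Parse every 'match' line of a probes-style text, keeping file order (first match wins)."""
    return [parse_match_line(l) for l in text.strip().splitlines() if l.startswith('match ')]


def expand(template, match):
    """Replace $1, $2, ... in a field template with the regex capture groups."""
    return re.sub(r'\$(\d+)', lambda m: match.group(int(m.group(1))) or '', template)


def version_column(fields, match):
    """Build the VERSION column as Nmap prints it: product, version, then (info).

    The d/ device type is not part of this column; Nmap shows it on the
    'Service Info:' line at the end of the report.
    """
    text = ' '.join(expand(fields[k], match) for k in 'pv' if k in fields)
    if 'i' in fields:
        text += ' (' + expand(fields['i'], match) + ')'
    return text


def identify(banner, rules):
    """Return (service, version string) from the first rule whose regex matches, or None."""
    for service, regex, fields in rules:
        m = regex.search(banner)
        if m:
            return service, version_column(fields, m)
    return None


RULES = load_rules(RULES_TEXT)

if __name__ == '__main__':
    # Constructed banners: the one the page sends through netcat, a bare OpenSSH
    # banner that only the first rule accepts, and one that no rule here knows.
    for banner in ('SSH-2.0-OpenSSH_2.5\r\n', 'SSH-2.0-OpenSSH\r\n', 'SSH-1.99-Cisco-1.25\r\n'):
        print(repr(banner), '->', identify(banner, RULES))
```

Running it shows why rule order matters: the bare banner is accepted only by the first rule, the netcat banner with the `_2.5` suffix falls through to the second, and an unknown banner yields no match (real Nmap would then report the port with no version and write a fingerprint for submission).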

Linux console:
Have netcat listen on an arbitrary port and hand a fake SSH banner to whoever connects (traditional netcat builds want the port after -p, i.e. nc -l -p 222):
echo -ne "SSH-2.0-OpenSSH_2.5\r\n" | nc -l 222

Have Nmap run service detection against the port you have just opened (I have chosen port 222); -PN skips host discovery, since only this one port matters:
nmap -sV -PN -p 222 127.0.0.1

RESULT:
[root@localhost user]# nmap -sV -PN -p 222 127.0.0.1
Starting Nmap 5.51 ( http://nmap.org ) at 2012-07-13 19:51 PDT
PORT    STATE SERVICE VERSION
222/tcp open  ssh     OpenSSH 2.5 (protocol 2.0)


Additional Info:
For more on regular expressions, or to test one live:
http://www.regextester.com/
http://www.regular-expressions.info/reference.html/

Nmap:
http://nmap.org/download.html