Saturday, July 14, 2012

How NMAP Service Version Detection works

What is nmapNmap (Network Mapper) is a security scanner originally written by Gordon Lyon. (wiki)

Apart from the basic host discovery and port scanning, Nmap offers service version detection by using the -sV option during scan.
  -sV: Probe open ports to determine service/version info
  --version-intensity : Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)

HOW service/version detection in nmap works ???
In short Nmap probes a port and attempts to grab any available banner, then it matches the received banner with its database of banners. The database is stored in nmap directory within a file called nmap-service-probes.

Nmap uses regular expression to match the banner found. An example of how a detection of OpenSSH service works:

rule found in nmap-service-probes
match ssh m|^SSH-([\d.]+)-OpenSSH\r?\n$| p/OpenSSH/ i/protocol $1/ d/terminal server/
Green: tells nmap what service is matched
Blue: Determine if the banner received is in the following pattern
Red: Reply from nmap to us, informing us the version found

Linux Console:
Have netcat open a random port and send out a SSH string:
echo -ne "SSH-2.0-OpenSSH_2.5\r\n" | nc -l 222

Have nmap try a service detection on the port you have just opened: (I have chosen port 222)
nmap -sV -PN -p 222

[root@localhost user]# nmap -sV -PN -p 222

[root@localhost user]# nmap -sV -PN -p 222
Starting Nmap 5.51 ( ) at 2012-07-13 19:51 PDT
222/tcp open  ssh     OpenSSH 2.5 (protocol 2.0)

Additional Info:
For more info on regular expression or just testing it live:


No comments:

Post a Comment