[Lesson 7]Network Vulnerability and Scanning: Version and OS Detection in Nmap

Koay Yong Cett
5 min readMay 22, 2020


Now that we have found the hosts and their open ports, it is time to find out which services are listening on those ports and which versions of those services are running 😄 ✌ In addition, let’s detect the operating system running on those systems.

Service and Version Detection (-sV):

Explanation based on the information given above:

  1. Suppose you ran an Nmap scan and it told you that ports 25/tcp, 80/tcp and 53/udp are open.
  2. Using its nmap-services database of about 2,200 well-known services, Nmap would report that those ports probably correspond to a mail server (SMTP), a web server (HTTP) and a name server (DNS) respectively. This lookup is usually accurate.
  3. The vast majority of daemons listening on TCP port 25 are in fact mail servers. However, you should not bet your security on this. People can and do run services on strange ports.
  4. Even if Nmap is right and the hypothetical server above is running SMTP, HTTP and DNS servers, that is not a lot of information when doing vulnerability assessments or even simple network inventories of your company or clients.
  5. What you really want to know is exactly which mail/DNS server and version is running. An accurate version number helps dramatically in determining which exploits a server is vulnerable to.
  6. Version detection helps you obtain this information about the services and versions running on the server.
  7. After TCP and/or UDP ports are discovered using one of the scan methods, version detection interrogates those ports to determine more about what is actually running.
  8. The nmap-service-probes database contains probes for querying various services and match expressions to recognize and parse the responses. Nmap tries to determine the service protocol, application name, version number, host name, device type and OS family.

Let’s see how to use service and version detection in Nmap:

Without version detection (-sV)
With version detection (-sV)

The Nmap scan command, option by option:

  • nmap, the application itself
  • -n to skip DNS resolution
  • -Pn to skip host discovery (the host is treated as up)
  • -sS, the SYN scan
  • the destination IP of the Metasploitable machine
  • --top-ports 10 to scan the ten most common ports
  • -sV to enable version detection

Results:

  • The SYN scan without version detection took less than a second, while the SYN scan with version detection took noticeably longer to complete, because Nmap has to send probes to each open port and wait for responses.
  • In the first query (without version detection), the service names are guessed by Nmap from the default service registered for each port number.
  • In the second query (with version detection), Nmap probed the ports to determine what is actually running.

❓ Why is version detection important 😲:

Now I want to show you the most important reason for using version detection in Nmap queries:

For instance, I am going to run SSH on port 443 and then scan that port with Nmap. Let’s perform the demonstration together ✌️

Before that, let’s have a look at the default port for ssh:

First, start the ssh service and display the listening process with its process id (pid) using the netstat command. We find that the default port for ssh is 22. Next, stop the service so that we can change the default port 22.

Use nano, a terminal text editor, to open the ssh configuration file and navigate to the #Port 22 line.

Delete the hash (#) so that the line becomes a valid configuration entry; the hash made it a comment line. Now change the port number to 443. Then press Ctrl+X to exit nano, Y to save the changes, and Enter to write over the existing file.

Now start the ssh service with the command shown in the figure, then confirm with netstat -tnlp that SSH is listening on port 443.

Let’s scan port 443 from the Kali Linux machine with Nmap:

Scan port 443 without version detection (-sV)

Here we can see that Nmap reports the service as HTTPS. Nmap uses its nmap-services database to report that this port probably corresponds to an HTTPS web server. However, we know that this is not true.

Scan port 443 with version detection (-sV)

With version detection enabled on the command line, the result shows that port 443 is open and the service is SSH, not HTTPS. Version detection interrogates the port to determine what is actually running: Nmap queried the port using probes from the nmap-service-probes database and matched the responses against its expressions to recognize and parse them.

Remember, if you are not 100% sure about the type of service running on a port, run version detection (-sV) 😉
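The mismatch above (port 443 guessed as https, probed as ssh) is exactly what a defender wants to catch in bulk. The script below is an added example, not code from the article: it parses Nmap XML output (-oX) and flags open ports whose probed service differs from the port-number guess, or that -sV could not verify. The XML sample and the small port table are constructed for the demo; a real run would load the XML from a scan file.

```python
import xml.etree.ElementTree as ET

# Constructed sample in Nmap's -oX format, modelled on the article's demo:
# an SSH daemon moved to 443, plus a few ordinary ports. Values are made up.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -n -Pn -sS -sV -p 22,25,80,443 10.0.0.5">
  <host>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="closed"/>
        <service name="ssh" method="table" conf="3"/></port>
      <port protocol="tcp" portid="25"><state state="open"/>
        <service name="smtp" product="Postfix smtpd" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.41" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="443"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.2p1" method="probed" conf="10"/></port>
    </ports>
  </host>
</nmaprun>"""

# Tiny stand-in for the nmap-services lookup that a scan without -sV relies on.
PORT_TABLE = {("tcp", 22): "ssh", ("tcp", 25): "smtp", ("tcp", 80): "http",
              ("tcp", 443): "https", ("udp", 53): "domain"}


def audit_services(xml_text):
    """Return (port, expected, found, note) for every open port whose probed
    service differs from the port-number guess, and for open ports that were
    only looked up in the table (method != "probed"), i.e. never verified."""
    findings = []
    for port in ET.fromstring(xml_text).iter("port"):
        if port.find("state").get("state") != "open":
            continue
        key = (port.get("protocol"), int(port.get("portid")))
        svc = port.find("service")
        expected = PORT_TABLE.get(key, "unknown")
        # Nmap omits <service> entirely when it has no idea what the port is.
        found = svc.get("name", "unknown") if svc is not None else "unknown"
        method = svc.get("method", "table") if svc is not None else "table"
        banner = " ".join(filter(None, [svc.get("product"), svc.get("version")])) if svc is not None else ""
        if method != "probed":
            findings.append((key[1], expected, found, "unverified: port-table guess only"))
        elif found != expected:
            findings.append((key[1], expected, found, banner))
    return findings


if __name__ == "__main__":
    for port, exp, got, note in audit_services(SAMPLE_XML):
        print(f"tcp/{port}: table says {exp}, probe says {got} ({note})")
```

On the constructed sample this reports only tcp/443 (table says https, probe says ssh, OpenSSH 8.2p1); closed ports and ports whose probe agrees with the table are silent.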

Thanks for reading… 😃
