Adding Service Signatures to Nmap

Recent versions of the popular port scanner Nmap can detect the type and version of services running on a network, as illustrated in Example 3-2.

Example 3-2. Example Nmap version scan

>nmap -sV 127.0.0.1  

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2003-07-05 17:12 EDT
Interesting ports on localhost (127.0.0.1):
(The 1658 ports scanned but not shown below are in state: closed)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 3.8.1p1 (protocol 2.0)

Nmap run completed -- 1 IP address (1 host up) scanned in 1.104 seconds

This scan is driven by the file nmap-service-probes. That file defines the probes to send to a service in order to elicit a response, together with a series of regular expressions against which the responses are matched to determine which service is running and, where possible, its version.

At a high level, the version-scanning methodology follows this process:

  • If the port is a TCP port, connect to it and wait for the service to speak first. This is called the NULL probe, because nothing is sent. Many services return a banner on connection. If the banner matches a signature, processing stops.

  • If no match is made, or if the protocol is UDP, the probes defined in the nmap-service-probes file are attempted, provided the protocol and port ranges listed for each probe match the target port. If a response matches a probe's signature, processing stops. If a soft match occurs (whereby the service is recognized, but not its product or version), follow-on probes will be limited to relevant ...
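As an added example (not code from the book and not Nmap's own implementation), the following Python script parses a small excerpt written in nmap-service-probes syntax and walks the methodology above against canned responses: the NULL banner first, then port-gated probes, with a soft match narrowing later match lines to the recognized service. The probe definitions, banners and HTTP response are constructed for the example; the dictionary of responses stands in for the network, and the function names (parse_probes, version_scan, demo) are the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed excerpt in nmap-service-probes syntax, written for this example
# (not copied from Nmap's real file). Backslash escapes are decoded by the parser.
SAMPLE_PROBES = r"""
Probe TCP NULL q||
rarity 1
match ssh m|^SSH-([\d.]+)-OpenSSH[_-]([\w.]+)| p/OpenSSH/ v/$2/ i/protocol $1/
softmatch ssh m|^SSH-([\d.]+)-|
match ftp m|^220 ProFTPD ([\d.]+) Server| p/ProFTPD/ v/$1/

Probe TCP GetRequest q|GET / HTTP/1.0\r\n\r\n|
rarity 1
ports 80,8080
match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: Apache/([\d.]+)|s p/Apache httpd/ v/$1/
match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: nginx/([\d.]+)|s p/nginx/ v/$1/

Probe TCP SSHVersionQuery q|SSH-2.0-Nmap-SSH2-Hostkey\r\n|
rarity 2
ports 22
match ssh m|^SSH-([\d.]+)-OpenSSH[_-]([\w.]+)| p/OpenSSH/ v/$2/ i/protocol $1/
match ssh m|^SSH-([\d.]+)-dropbear_([\w.]+)| p/Dropbear sshd/ v/$2/ i/protocol $1/
"""

@dataclass
class MatchLine:
    service: str
    regex: "re.Pattern[bytes]"
    soft: bool                      # softmatch: service known, version not
    template: Dict[str, str]        # p/ v/ i/ fields containing $N placeholders

@dataclass
class Probe:
    proto: str
    name: str
    probestring: bytes
    ports: Set[int] = field(default_factory=set)   # empty set = try on any port
    matches: List[MatchLine] = field(default_factory=list)

def _delimited(s: str) -> Tuple[str, str]:
    """Split 'q|text|rest' or 'm|regex|rest' into (text, rest); the delimiter follows q/m."""
    delim = s[1]
    end = s.index(delim, 2)
    return s[2:end], s[end + 1:]

def _parse_match(line: str) -> MatchLine:
    kind, service, rest = line.split(None, 2)
    pattern, tail = _delimited(rest)
    flag_str, _, fields = tail.partition(" ")       # optional regex flags (s, i), then templates
    flags = (re.DOTALL if "s" in flag_str else 0) | (re.IGNORECASE if "i" in flag_str else 0)
    template = dict(re.findall(r"([pvihod])/([^/]*)/", fields))
    return MatchLine(service, re.compile(pattern.encode("latin-1"), flags), kind == "softmatch", template)

def parse_probes(text: str) -> List[Probe]:
    probes: List[Probe] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Probe "):
            _, proto, name, rest = line.split(None, 3)
            body, _ = _delimited(rest)
            probes.append(Probe(proto, name, body.encode("latin-1").decode("unicode_escape").encode("latin-1")))
        elif line.startswith("ports "):       # directives attach to the most recent Probe
            for part in line[6:].split(","):
                lo, _, hi = part.partition("-")
                probes[-1].ports.update(range(int(lo), int(hi or lo) + 1))
        elif line.startswith(("match ", "softmatch ")):
            probes[-1].matches.append(_parse_match(line))
        # rarity, sslports, totalwaitms and fallback are ignored in this example
    return probes

def _fill(template: str, hit: "re.Match[bytes]") -> str:
    """Substitute $1, $2, ... in a p/ v/ i/ template with the regex capture groups."""
    return re.sub(r"\$(\d+)", lambda g: hit.group(int(g.group(1))).decode("latin-1"), template)

def version_scan(port: int, proto: str, responses: Dict[str, bytes], probes: List[Probe]) -> Dict[str, str]:
    """Walk the probes the way the version scan does. `responses` stands in for the
    network: probe name -> bytes the target answered (absent = it stayed silent). NULL is
    the banner read right after connect; it is TCP-only, so UDP starts with real probes."""
    soft_service: Optional[str] = None
    for probe in probes:
        if probe.proto != proto or (probe.ports and port not in probe.ports):
            continue                        # protocol and port-range gating from the file
        resp = responses.get(probe.name)
        if not resp:
            continue                        # silence: move on to the next probe
        for m in probe.matches:
            if soft_service and m.service != soft_service:
                continue                    # after a soft match, only that service's lines count
            hit = m.regex.search(resp)
            if not hit:
                continue
            if m.soft:
                soft_service = m.service    # service name known; keep probing for a version
                continue
            return {"service": m.service, "probe": probe.name,
                    "product": _fill(m.template.get("p", ""), hit),
                    "version": _fill(m.template.get("v", ""), hit),
                    "info": _fill(m.template.get("i", ""), hit)}
    return {"service": soft_service or "unknown", "probe": "", "product": "", "version": "", "info": ""}

PROBES = parse_probes(SAMPLE_PROBES)

def demo() -> Dict[str, Dict[str, str]]:
    # Constructed responses standing in for three targets (no real hosts involved).
    openssh = {"NULL": b"SSH-2.0-OpenSSH_3.8.1p1\r\n"}                     # banner alone suffices
    dropbear = {"NULL": b"SSH-2.0-dropbear_2022.83\r\n",                   # NULL only soft-matches ssh
                "SSHVersionQuery": b"SSH-2.0-dropbear_2022.83\r\n"}         # follow-on probe pins the version
    nginx = {"GetRequest": b"HTTP/1.1 200 OK\r\nDate: Thu, 01 Jan 2004 00:00:00 GMT\r\n"
                           b"Server: nginx/1.24.0\r\nContent-Type: text/html\r\n\r\n"}  # no banner on connect
    return {"openssh": version_scan(22, "TCP", openssh, PROBES),
            "dropbear": version_scan(22, "TCP", dropbear, PROBES),
            "nginx": version_scan(80, "TCP", nginx, PROBES)}

if __name__ == "__main__":
    for target, result in demo().items():
        print(target, result)
```

The first target reproduces the book's output: the NULL banner alone yields OpenSSH 3.8.1p1 (protocol 2.0) and no further probe is sent. The second shows the soft-match path: the NULL probe only recognizes "ssh", so the scan continues, skips GetRequest because port 22 is outside its ports line, and lets SSHVersionQuery supply the product and version. The third shows a service that stays silent until probed. Real nmap-service-probes signatures are PCRE and use additional directives (rarity, sslports, fallback) that this parser deliberately ignores.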
