Nmap - Service, Version, and OS Detection


Let's dig in deep with Service, Version, and OS Detection. When you scan a machine with Nmap, it tells you which ports are open, and it labels each open port with a service name by looking the port number up in the nmap-services database of about 2,200 well-known services. This lookup is usually accurate; the vast majority of daemons listening on TCP port 25 are, in fact, mail servers. However, you should not bet your security on it: people can and do run services on strange ports.

When doing vulnerability assessments (or even simple network inventories) of your company's or your clients' networks, you really want to know which mail and DNS servers, and which versions of them, are running. Having an accurate version number helps dramatically in determining which exploits a server is vulnerable to. Version detection gives you this information.

Alert: Run Nmap as the root user (OS detection, for example, needs raw packet privileges). If you do not have root access, put sudo before every Nmap command.

First things first: you can see Nmap's built-in help by typing nmap -h.


Version Detection (-sV)

  • Enables version detection.
  • Alternatively, you can use -A, which enables version detection among other things.
  • Additional options you can add with -sV
    • --all-ports: Do not exclude any ports from version detection.
    • --version-intensity <level>: Sets the intensity level, from 0 to 9 (7 is the default). A higher level is more likely to identify the service but slows the scan down.
    • --version-light: This is the same as --version-intensity 2. This light mode makes version scanning much faster, but it is slightly less likely to identify services.
    • --version-all: This is the same as --version-intensity 9. Ensures that every single probe is attempted against each port.
    • --version-trace: Prints out extensive debugging information. It is a subset of what you get with --packet-trace.

OS Detection (-O)

  • Uses TCP/IP stack fingerprinting: Nmap sends a series of TCP packets to the remote host and examines the responses.
  • Alternatively, you can use -A to enable OS detection along with other things.
  • Additional options you can add with -O
    • --osscan-limit: Limits OS detection to promising targets. OS detection is far more effective if at least one open and one closed TCP port is found. Set this option and Nmap will not even try OS detection against hosts that do not meet these criteria. Saves a lot of time.
    • --osscan-guess: Guess the OS more aggressively.
    • --max-os-tries <value>: When Nmap performs OS detection and fails to detect, it usually repeats the attempt. By default, Nmap tries five times if conditions are good, and twice when conditions aren't so good. Specifying a lower --max-os-tries value, such as 1, speeds Nmap up.
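As an added example (not part of the original post), here is a small Python parser for the normal output of an -sV -O scan. It pulls out each port's state, service name and version string, picks up the "OS details" line, and lists the open ports where version detection could not confirm the service, which is exactly where the nmap-services port lookup should not be trusted on its own. The report text is constructed for illustration, not captured from a real host.

```python
import re

# Constructed sample of Nmap "normal" output from an -sV -O scan; not a real host.
SAMPLE_REPORT = """\
Nmap scan report for 192.0.2.10
Host is up (0.0012s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
25/tcp   open  smtp    Postfix smtpd
8080/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
4444/tcp open  krb524?
Device type: general purpose
Running: Linux 4.X|5.X
OS details: Linux 4.15 - 5.6
Service Info: Host: mail.example; OS: Linux
"""

# One port line: "<port>/<proto>  <state>  <service>  [<version string>]".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_report(text):
    """Return (services, os_details) parsed from Nmap normal output."""
    services, os_details = [], None
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, name, version = m.groups()
            services.append({
                "port": int(port), "proto": proto, "state": state,
                # Nmap appends "?" when the name is only the nmap-services guess,
                # i.e. version detection got a response but could not match it.
                "service": name.rstrip("?"), "confirmed": not name.endswith("?"),
                "version": (version or "").strip(),
            })
        elif line.startswith("OS details:"):
            os_details = line.split(":", 1)[1].strip()
    return services, os_details


def needs_follow_up(services):
    """Open ports whose service or version -sV could not confirm: check by hand."""
    return [s["port"] for s in services
            if s["state"] == "open" and (not s["confirmed"] or not s["version"])]
```

Feed it the saved output of your own scan (nmap -sV -O -oN report.txt target) to get an inventory you can diff between runs.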
If you want to know what is going on during the scan, add the -v option, which controls verbosity. It has three levels: -v, -vv, -vvv. More v's means more verbose. If you started with one level of verbosity, you can press v in the middle of the scan to increase it.

Similarly, the -d option is for debugging. It has nine levels, written -d1 through -d9. -d9 is the highest effective level and will produce thousands of lines unless you run a very simple scan with very few ports and targets.

To know the percentage of completion, you can press any key in the middle of the scan and it will display the percentage.

We hope this helps. If you have any suggestions or doubts, add a comment and we will reply as soon as possible.
