Let's dig in deep with Service, Version, and OS Detection. Scan a machine
with Nmap and it will tell you which ports are open. To name the service behind
each port, Nmap looks the port number up in its nmap-services database of about
2,200 well-known services. This lookup is usually accurate; the vast majority
of daemons listening on TCP port 25 are, in fact, mail servers. However, you
should not bet your security on this! People can and do run services on
strange ports. When doing vulnerability assessments (or even simple network
inventories) of your company or clients, you really want to know which mail and
DNS servers, and which versions of them, are running. Having an accurate
version number helps dramatically in determining which exploits a server is
vulnerable to. Version detection helps you obtain this information.
First things first: you can print Nmap's built-in help by typing nmap -h.
Version Detection (-sV)
- Enables version detection.
- Alternatively, you can use -A, which enables version detection among other things.
- Additional options you can combine with -sV:
- --all-ports: Do not exclude any ports from version detection.
- --version-intensity <level>: sets how many probes are tried against each port. The higher the level, the more likely the service is identified, but the slower the scan. Levels range from 0 to 9, where 7 is the default.
- --version-light: This is the same as --version-intensity 2. This light mode makes version scanning much faster, but it is slightly less likely to identify services.
- --version-all: This is the same as --version-intensity 9. Ensures that every single probe is attempted against each port.
- --version-trace: Prints out extensive debugging information. It is a subset of what you get with --packet-trace.
OS Detection (-O)
- Uses TCP/IP stack fingerprinting: Nmap sends a series of TCP packets to the remote host and examines the responses.
- Alternatively, you can use -A to enable OS detection along with other things.
- Additional options you can combine with -O:
- --osscan-limit: Limits OS detection to promising targets. OS detection is far more effective if at least one open and one closed TCP port is found. Set this option and Nmap will not even try OS detection against hosts that do not meet these criteria. Saves a lot of time.
- --osscan-guess: Guess the OS more aggressively.
- --max-os-tries <value>: When Nmap performs OS detection and fails to find a match, it usually repeats the attempt. By default, Nmap tries five times if conditions are favorable, and twice when they are not. Specifying a lower --max-os-tries value such as 1 speeds Nmap up.
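As an added example (not part of the original post), the following Python script reads the XML that an nmap -sV -O -oX run produces and lists, per host, each open port's probed product and version, the OS matches ranked by accuracy, and the ports whose service name came only from the nmap-services port lookup rather than from -sV probes. The XML embedded in SAMPLE_XML is a constructed sample in Nmap's XML layout, not real scan output.

```python
# Added example (not from the original post): summarise -sV / -O results from
# Nmap's XML output (-oX). SAMPLE_XML is a constructed sample in Nmap's XML
# layout; service "method" is "table" (nmap-services lookup) or "probed" (-sV).
import xml.etree.ElementTree as ET

SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 192.0.2.10">
<host>
  <address addr="192.0.2.10" addrtype="ipv4"/>
  <ports>
    <port protocol="tcp" portid="25"><state state="open"/>
      <service name="smtp" product="Postfix smtpd" method="probed" conf="10"/></port>
    <port protocol="tcp" portid="53"><state state="open"/>
      <service name="domain" product="ISC BIND" version="9.16.1" method="probed" conf="10"/></port>
    <port protocol="tcp" portid="8443"><state state="open"/>
      <service name="https-alt" method="table" conf="3"/></port>
    <port protocol="tcp" portid="22"><state state="closed"/></port>
  </ports>
  <os><osmatch name="Linux 4.15 - 5.6" accuracy="95"/><osmatch name="Linux 5.0" accuracy="90"/></os>
</host>
</nmaprun>"""

def parse_scan(xml_text):
    """Return one dict per host: address, open services, OS guesses ranked by accuracy."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        services = []
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports carry no banner to identify
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}  # Nmap may omit <service>
            services.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "name": attrs.get("name"),
                "product": attrs.get("product"),  # None when no banner matched
                "version": attrs.get("version"),
                # True only when -sV probes confirmed the service; a bare port
                # number lookup from nmap-services is only a guess.
                "probed": attrs.get("method") == "probed",
            })
        os_guesses = sorted(((m.get("name"), int(m.get("accuracy")))
                             for m in host.iter("osmatch")), key=lambda g: -g[1])
        hosts.append({"addr": host.find("address").get("addr"),
                      "services": services, "os": os_guesses})
    return hosts

def unverified_ports(host):
    """Open ports whose service name rests only on the well-known-port table."""
    return [s["port"] for s in host["services"] if not s["probed"]]
```

Ports reported by unverified_ports are the ones to re-scan with a higher --version-intensity (or --all-ports) before trusting the service name in an inventory.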
We hope this helps. If you have any suggestions or doubts, add a comment and
we will reply as soon as possible.