Detecting what version of what service is running on a port is very crucial, because that’s the whole point of scanning, we scan the ports then we figure out the services and their version, and finally, we check if there’s any vulnerability in the service running which can be exploited.
In this blog, we’ll cover different service and OS detection techniques to make the scan more efficient.
nmap -sV nmap.scanme.org
The above result shows us the version of ssh running on port 22.
[IMPORTANT]: Sometimes Nmap fails to detect services because the service fingerprint might not be present in its database, in that case, Nmap will simply show the fingerprint and if you know what service does the fingerprint belongs to, you can submit it to Nmap.
Options with service detection:
- –allports : Don’t skip any port for version detection.
nmap -sV --allports nmap.scanme.org
- –version-intensity : We can specify the type of probes to be sent for the service detection, the higher the number of probes better will be the service detection, the range for version intensity is between 0 to 9, the default is 7.
nmap -sV --version-intensity 8 nmap.scanme.org
- –version-light : Light scan is an alias for –version-intensity 2 , it is faster but it’s slightly less likely to detect services.
nmap -sV --version-light nmap.scanme.org
- –version-all : This is scan is an alias for –version-intensity 9, every single probe is sent to every single port but it takes more time to complete.
nmap -sV --version-all nmap.scanme.org
- -O ( OS detection ) : This option allow us to perform OS detection scan.
nmap -O nmap.scanme.org
In the above result, we can see that instead of shown one OS, Nmap shows multiple OS with different percentages, this usually happens when Nmap is unable to detect the exact OS, so instead, it tries to compare the fingerprint and gives us the percentage match. OS detection scans can generate false negatives, so it’s better to run it more than once to be sure.
Options with OS detection:
- –osscan-limit : Nmap uses criteria for good OS detection that is at least one TCP port should be open and one TCP port should be closed, all the hosts which don’t match this criterion are skipped.
nmap -O --osscan-limit nmap.scanme.org
- –max-os-tries : Specify number of attempts to detect OS, by default it’s 5 .
nmap -O --max-os-tries 3 #three attempts
This is it for this blog, in next we’ll cover the powerful NSE ( Nmap Scripting Engine ).