Service Enumeration

Service Enumeration Overview

Purpose:
- Identify the application/service and its version.
- Use version info to scan for known vulnerabilities and, if possible, analyze the source code.
- Exact version numbers allow more precise exploit searches targeting the service and the underlying OS.

Service Version Detection

Initial Steps:
- Quick Port Scan:
  - Run a fast, low-traffic port scan to get an overview of open ports.
  - Advantages: Lower traffic reduces the chance of detection/blocking by security mechanisms.
- Full Port Scan:
  - After initial discovery, run a full port scan (p-) in the background to show all open ports.
Nmap Options:
- p-: Scans all ports.
- sV: Performs version detection on the identified open ports.
- v / vv: Increases verbosity (more detailed output; shows open ports as they’re detected).
- -stats-every=5s: Displays scan progress every 5 seconds.
- Additional Options:
  - Pn: Disables ICMP echo requests.
  - n: Disables DNS resolution.
  - -disable-arp-ping: Disables ARP ping.
  - -packet-trace: Logs all packets sent/received for debugging or detailed analysis.

Examples:

Basic Version Detection:
```
sudo nmap 10.129.2.28 -p- -sV
```

With Progress Updates:

sudo nmap 10.129.2.28 -p- -sV --stats-every=5s

Increased Verbosity:
```
sudo nmap 10.129.2.28 -p- -sV -v
```

Output Details:
- Shows each port’s:
  - Port number and protocol (e.g., 22/tcp)
  - State (e.g., open, filtered)
  - Service name (e.g., ssh, smtp, http)
  - Version details (e.g., OpenSSH 7.6p1 Ubuntu)
- Also includes host information (e.g., MAC Address, OS, CPE identifier).

Banner Grabbing

Process:
- Nmap largely relies on service banners for version detection.
- If a banner is unavailable, Nmap uses a signature-based matching system (which can slow down the scan).
- Limitation:
  - Automated scans might miss some details if the service does not present its banner or if the banner is modified/removed.

Detailed Example with SMTP:

Nmap Output:

Shows basic info (e.g., port 25 is running Postfix smtpd).

z3tssu@htb[/htb]$ sudo nmap 10.129.2.28 -p- -sV -Pn -n --disable-arp-ping --packet-trace

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-16 20:10 CEST
<SNIP>
NSOCK INFO [0.4200s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 18 [10.129.2.28:25] (35 bytes): 220 inlane ESMTP Postfix (Ubuntu)..
Service scan match (Probe NULL matched with NULL line 3104): 10.129.2.28:25 is smtp.  Version: |Postfix smtpd|||
NSOCK INFO [0.4200s] nsock_iod_delete(): nsock_iod_delete (IOD #1)Nmap scan report for 10.129.2.28
Host is up (0.076s latency).

PORT   STATE SERVICE VERSION
25/tcp open  smtp    Postfix smtpd
MAC Address: DE:AD:00:00:BE:EF (Intel Corporate)
Service Info: Host:  inlane

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.47 seconds

Additional Banner Info from Traffic:
- Using TCP packet tracing or manual tools (like nc), you can capture the full banner.
- Example banner from SMTP:
  220 inlane ESMTP Postfix (Ubuntu)
- Reveals more detail, such as the Linux distribution (Ubuntu) not fully shown in the Nmap output.

Manual Banner Grabbing & Packet Analysis

Using nc (Netcat):
- Command:
  nc -nv 10.129.2.28 25
- Outcome:
  - Connects to the SMTP port and retrieves the banner manually.
  - Banner Example: 220 inlane ESMTP Postfix (Ubuntu)
Using tcpdump:
- Command:
  sudo tcpdump -i eth0 host 10.10.14.2 and 10.129.2.28
- Captured Traffic:
  - Shows the TCP three-way handshake (SYN, SYN-ACK, ACK).
  - Illustrates the [PSH-ACK] packet that carries the SMTP banner.
  - Sequence of Packets:
    SYN: Client sends to server.
    SYN-ACK: Server responds.
    ACK: Client acknowledges.
    PSH-ACK: Server sends banner (data push with acknowledgment).
    ACK: Client confirms receipt of the banner.
Key Note:
- The PSH flag in the TCP header indicates that the data (banner) is being actively pushed to the client.

Summary

Service Enumeration & Version Detection are critical for:
- Identifying target service versions for vulnerability assessment.
- Allowing more targeted exploits.
Nmap is the primary tool used, with options to:
- Scan all ports.
- Detect service versions.
- Increase verbosity and monitor progress.
Banner Grabbing and Packet Tracing (using tools like nc and tcpdump) can reveal additional details not captured by Nmap’s automated output.

These notes should serve as a quick reference guide to the concepts and commands involved in service enumeration and version detection using Nmap and related tools.

PreviousSaving the Nmap Scanning Results NextNmap Scripting Engine

z3tssu@htb[/htb]$ sudo nmap 10.129.2.28 -p- -sV -Pn -n --disable-arp-ping --packet-trace Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-16 20:10 CEST <SNIP> NSOCK INFO [0.4200s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 18 [10.129.2.28:25] (35 bytes): 220 inlane ESMTP Postfix (Ubuntu).. Service scan match (Probe NULL matched with NULL line 3104): 10.129.2.28:25 is smtp. Version: |Postfix smtpd||| NSOCK INFO [0.4200s] nsock_iod_delete(): nsock_iod_delete (IOD #1)Nmap scan report for 10.129.2.28 Host is up (0.076s latency). PORT STATE SERVICE VERSION 25/tcp open smtp Postfix smtpd MAC Address: DE:AD:00:00:BE:EF (Intel Corporate) Service Info: Host: inlane Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 0.47 seconds