Service Enumeration


Service Enumeration Overview

  • Purpose:

    • Identify the application/service and its version.

    • Use version info to scan for known vulnerabilities and, if possible, analyze the source code.

    • Exact version numbers allow more precise exploit searches targeting the service and the underlying OS.


Service Version Detection

  • Initial Steps:

    • Quick Port Scan:

      • Run a fast, low-traffic port scan to get an overview of open ports.

      • Advantages: Lower traffic reduces the chance of detection/blocking by security mechanisms.

    • Full Port Scan:

    • After initial discovery, run a full port scan (-p-) in the background to show all open ports.

  • Nmap Options:

    • -p-: Scans all 65535 TCP ports.

    • -sV: Performs version detection on the identified open ports.

    • -v / -vv: Increases verbosity (more detailed output; shows open ports as they’re detected).

    • --stats-every=5s: Displays scan progress every 5 seconds.

    • Additional Options:

      • -Pn: Disables host discovery (no ICMP echo requests); all targets are treated as up.

      • -n: Disables DNS resolution.

      • --disable-arp-ping: Disables ARP ping.

      • --packet-trace: Logs all packets sent/received for debugging or detailed analysis.

  • Examples:

    • Basic Version Detection:

      sudo nmap 10.129.2.28 -p- -sV
      
    • With Progress Updates:

      sudo nmap 10.129.2.28 -p- -sV --stats-every=5s
      
    • Increased Verbosity:

      sudo nmap 10.129.2.28 -p- -sV -v
      
  • Output Details:

    • Shows each port’s:

      • Port number and protocol (e.g., 22/tcp)

      • State (e.g., open, filtered)

      • Service name (e.g., ssh, smtp, http)

      • Version details (e.g., OpenSSH 7.6p1 Ubuntu)

    • Also includes host information (e.g., MAC Address, OS, CPE identifier).


  • Process:

    • Nmap largely relies on service banners for version detection.

    • If a banner is unavailable, Nmap uses a signature-based matching system (which can slow down the scan).

    • Limitation:

      • Automated scans might miss some details if the service does not present its banner or if the banner is modified/removed.

  • Detailed Example with SMTP:

    • Nmap Output:

      • Shows basic info (e.g., port 25 is running Postfix smtpd).

    • Additional Banner Info from Traffic:

      • Using TCP packet tracing or manual tools (like nc), you can capture the full banner.

      • Example banner from SMTP:

      • Reveals more detail, such as the Linux distribution (Ubuntu) not fully shown in the Nmap output.
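
    Added example (not part of the original notes): a small Python script that parses the Nmap PORT/STATE/SERVICE/VERSION table and the SMTP 220 greeting described above, then reports which banner fields the Nmap VERSION column did not already show. The Nmap output and the banner text are constructed samples, not captured from a real host.

```python
import re

# Constructed sample of `nmap -p- -sV` normal output (not a real scan).
SAMPLE_NMAP_OUTPUT = """\
PORT   STATE    SERVICE VERSION
22/tcp open     ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
25/tcp open     smtp    Postfix smtpd
80/tcp filtered http
"""
# Constructed SMTP greeting, matching the banner quoted in the notes.
SAMPLE_SMTP_BANNER = "220 inlane ESMTP Postfix (Ubuntu)\r\n"

# One row of Nmap's PORT / STATE / SERVICE / VERSION table; VERSION is optional.
PORT_LINE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)(?:\s+(?P<version>\S.*))?$")
# SMTP greeting: "220 <host> [ESMTP] [software] [(os hint)]".
SMTP_GREETING = re.compile(r"^220[ -](?P<host>\S+)(?P<esmtp>\s+ESMTP)?(?:\s+(?P<software>.+?))?(?:\s+\((?P<os>[^)]*)\))?$")


def parse_nmap_ports(text):
    """Return one dict per port row; the header and any other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            rec = m.groupdict()          # version is None when the column is empty
            rec["port"] = int(rec["port"])
            records.append(rec)
    return records


def parse_smtp_banner(banner):
    """Split a 220 greeting into host, ESMTP flag, software and OS hint (None if not a greeting)."""
    m = SMTP_GREETING.match(banner.strip())
    if not m:
        return None
    return {"host": m["host"], "esmtp": m["esmtp"] is not None,
            "software": m["software"], "os": m["os"]}


def banner_extras(records, banner, port=25):
    """Banner fields that Nmap's SERVICE/VERSION columns for `port` did not already show."""
    rec = next((r for r in records if r["port"] == port), None)
    info = parse_smtp_banner(banner)
    if rec is None or info is None:
        return []
    known = f"{rec['service']} {rec['version'] or ''}".lower()
    return [v for v in (info["software"], info["os"]) if v and v.lower() not in known]
```

    Run against the samples, banner_extras() returns ["Ubuntu"], the distribution hint that the manual banner exposes but the Nmap line for port 25 does not; the same check can be run over your own services to see what their greetings disclose.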


Manual Banner Grabbing & Packet Analysis

  • Using nc (Netcat):

    • Command:

    • Outcome:

      • Connects to the SMTP port and retrieves the banner manually.

      • Banner Example: 220 inlane ESMTP Postfix (Ubuntu)

  • Using tcpdump:

    • Command:

    • Captured Traffic:

      • Shows the TCP three-way handshake (SYN, SYN-ACK, ACK).

      • Illustrates the [PSH-ACK] packet that carries the SMTP banner.

      • Sequence of Packets:

        1. SYN: Client sends to server.

        2. SYN-ACK: Server responds.

        3. ACK: Client acknowledges.

        4. PSH-ACK: Server sends banner (data push with acknowledgment).

        5. ACK: Client confirms receipt of the banner.

  • Key Note:

    • The PSH flag in the TCP header indicates that the data (banner) is being actively pushed to the client.


Summary

  • Service Enumeration & Version Detection are critical for:

    • Identifying target service versions for vulnerability assessment.

    • Allowing more targeted exploits.

  • Nmap is the primary tool used, with options to:

    • Scan all ports.

    • Detect service versions.

    • Increase verbosity and monitor progress.

  • Banner Grabbing and Packet Tracing (using tools like nc and tcpdump) can reveal additional details not captured by Nmap’s automated output.


These notes should serve as a quick reference guide to the concepts and commands involved in service enumeration and version detection using Nmap and related tools.