Book Image

Nmap 6: Network Exploration and Security Auditing Cookbook

Book Image

Nmap 6: Network Exploration and Security Auditing Cookbook

Overview of this book

Nmap is a well known security tool used by penetration testers and system administrators. The Nmap Scripting Engine (NSE) has added the possibility to perform additional tasks using the collected host information. Tasks like advanced fingerprinting and service discovery, information gathering, and detection of security vulnerabilities."Nmap 6: Network exploration and security auditing cookbook" will help you master Nmap and its scripting engine. You will learn how to use this tool to do a wide variety of practical tasks for pentesting and network monitoring. Finally, after harvesting the power of NSE, you will also learn how to write your own NSE scripts."Nmap 6: Network exploration and security auditing cookbook" is a book full of practical knowledge for every security consultant, administrator or enthusiast looking to master Nmap. The book overviews the most important port scanning and host discovery techniques supported by Nmap. You will learn how to detect mis-configurations in web, mail and database servers and also how to implement your own monitoring system. The book also covers tasks for reporting, scanning numerous hosts, vulnerability detection and exploitation, and its strongest aspect; information gathering.
Table of Contents (18 chapters)
Nmap 6: Network Exploration and Security Auditing Cookbook
Credits
About the Author
Acknowledgement
About the Reviewers
www.PacktPub.com
Preface
References
Index

Fingerprinting services of a remote host


Version detection is one of the most popular features of Nmap. Knowing the exact version of a service is highly valuable for penetration testers who use this service to look for security vulnerabilities, and for system administrators who wish to monitor their networks for any unauthorized changes. Fingerprinting a service may also reveal additional information about a target, such as available modules and specific protocol information.

This recipe describes how to fingerprint the services of a remote host by using Nmap.

How to do it...

Open a terminal and type the following command:

$ nmap -sV scanme.nmap.org

The result of this command is a table containing an additional column named VERSION, displaying the specific service version, if identified. Additional information will be enclosed in parenthesis. Refer to the following screenshot:

How it works...

The flag -sV enables service detection, which returns additional service and version information.

Service detection is one of the most loved features of Nmap, as it's very useful in many situations such as identifying security vulnerabilities or making sure a service is running on a given port.

This feature basically works by sending different probes from nmap-service-probes to the list of suspected open ports. The probes are selected based on how likely it is that they can be used to identify a service.

There is very detailed documentation on how the service detection mode works, and the file formats used, at http://nmap.org/book/vscan.html.

There's more...

You can set the amount of probes to use by changing the intensity level of the scan with the argument –-version-intensity [0-9], as follows:

# nmap -sV –-version-intensity 9  

Aggressive detection

Nmap has a special flag to activate aggressive detection, namely -A. Aggressive mode enables OS detection (-O), version detection (-sV), script scanning (-sC), and traceroute (--traceroute). Needless to say this mode sends a lot more probes and it is more likely to be detected, but provides a lot of valuable host information. You can see this by using one of the following commands:

# nmap -A <target>

Or

# nmap -sC -sV -O <target>

Submitting service fingerprints

Nmap's accuracy comes from a database that has been collected over the years through user submissions. It is very important that we help keep this database up-to-date. If Nmap does not identify the service correctly, please submit your new service fingerprint or correction to http://insecure.org/cgi-bin/submit.cgi?.

See also

  • The Listing open ports on a remote host recipe

  • The Finding live hosts in your network recipe

  • The Scanning using specific port ranges recipe

  • The Scanning using a specified network interface recipe

  • The Managing multiple scanning profiles with Zenmap recipe

  • The Monitoring servers remotely with Nmap and Ndiff recipe

  • The Hiding our traffic with additional random data recipe in Chapter 2, Network Exploration

  • The Scanning IPv6 addresses recipe in Chapter 2, Network Exploration

  • The Getting information from WHOIS records recipe in Chapter 3, Gathering Additional Host Information

  • The Brute forcing DNS records recipe in Chapter 3, Gathering Additional Host Information

  • The Fingerprinting the operative system of a host recipe in Chapter 3, Gathering Additional Host Information