Knowing which systems are on a network and what Operating System (OS) they run may not be enough for an Administrator. You can also scan the systems on a network and determine which Services, and which versions of those Services, are running. It is important to see what a hacker can learn about your systems.
Probes Database
NMAP has a database which is installed when you install NMAP. The database is used when performing a service probe, but it is not automatically updated.
The database is located at ‘/usr/share/nmap/nmap-service-probes’. The easiest way to manage an update is first to look at the database version number. Open the file in a text editor and the version number is usually listed on the second line. The second line of my database is ‘# $Id: nmap-service-probes 35414 2015-11-10 16:58:39Z dmiller $’. The database version for this file is 35414.
To look on the Internet for an updated version go to ‘https://svn.nmap.org/nmap/’ as shown in Figure 1.
FIGURE 1
Here you can see that the version number is 36736. This seems like quite an update compared to what is currently on my system. The database definitely needs to be updated for proper OS Detection of newer systems. Remember that even small changes in the version number can be major updates. Any change can be an important one.
It may be a good idea to keep the older database version. Since my current version is 35414 I will perform the following command in a Terminal:
sudo mv /usr/share/nmap/nmap-service-probes /usr/share/nmap/nmap-service-probes-35414
The database is ‘moved’ or ‘renamed’ to include the version number. The next step is to download the new version from the website. Perform the following commands in a Terminal from the folder ‘/usr/share/nmap/’:
cd /usr/share/nmap
sudo su
wget https://svn.nmap.org/nmap/nmap-service-probes
The new database should be downloaded and ready to go, but you should add the version number. As you saw in Figure 1 the version number is 36736. Use a text editor to open the database and add the version number on the second line. Recording the version number makes it easy to check later whether the online version has changed. Each time it changes, update the database and record the new version number so you are prepared the next time you check for updates.
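The update procedure above can be automated. The following script is an added example and is not code from the article or from the Nmap project. It reads the ‘$Id:’ header line from the local database, fetches the copy at ‘https://svn.nmap.org/nmap/nmap-service-probes’, and only replaces the local file after renaming it with its version suffix, exactly as the manual steps do. It assumes the downloaded file carries the same ‘# $Id: nmap-service-probes NNNNN …’ header shown above; if it does not, the script refuses to apply it automatically and you add the number by hand as described. The header texts used for the offline check are constructed samples.

```python
"""Check the local nmap-service-probes version and back it up before updating.

Added example (not part of the article or of Nmap). Writing to the path below
needs root, as in the article's 'sudo su' step.
"""
import re
import shutil
import sys
import urllib.request

PROBES_PATH = "/usr/share/nmap/nmap-service-probes"            # path from the article
PROBES_URL = "https://svn.nmap.org/nmap/nmap-service-probes"   # URL from the article

# Matches the Subversion keyword line shown in the article, e.g.
# "# $Id: nmap-service-probes 35414 2015-11-10 16:58:39Z dmiller $"
ID_LINE = re.compile(r"^#\s*\$Id:\s*nmap-service-probes\s+(\d+)\s", re.MULTILINE)


def probes_version(text):
    """Return the revision number from the $Id: header, or None if absent."""
    m = ID_LINE.search(text)
    return int(m.group(1)) if m else None


def backup_name(path, version):
    """Name for the retired copy, e.g. .../nmap-service-probes-35414."""
    return f"{path}-{version}"


def needs_update(local_text, remote_text):
    """True when the remote database carries a higher revision than the local one.

    A remote file without an $Id: line is treated as unknown and is not applied
    automatically; in that case add the number by hand as the article describes.
    """
    local_v = probes_version(local_text)
    remote_v = probes_version(remote_text)
    if remote_v is None:
        return False
    return local_v is None or remote_v > local_v


def update(path=PROBES_PATH, url=PROBES_URL):
    """Fetch the remote database and replace the local one only if it is newer."""
    with open(path, encoding="utf-8", errors="replace") as f:
        local_text = f.read()
    with urllib.request.urlopen(url, timeout=30) as resp:
        remote_text = resp.read().decode("utf-8", errors="replace")
    if not needs_update(local_text, remote_text):
        print(f"local revision {probes_version(local_text)} is current")
        return False
    old_v = probes_version(local_text) or "unknown"
    # Keep the old database under its version suffix, as the article does.
    shutil.move(path, backup_name(path, old_v))
    with open(path, "w", encoding="utf-8") as f:
        f.write(remote_text)
    print(f"updated {old_v} -> {probes_version(remote_text)}")
    return True


if __name__ == "__main__":
    sys.exit(0 if update() else 1)
```

Run it as root after a fresh Nmap install and again whenever you want to check for a newer database; the exit status is 0 when a newer file was installed and 1 when the local copy is already current.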
Service Probes Process
The first thing NMAP does when performing a Service Probe is to find all open Ports on the Target System. It is imperative to know which Ports are open. For instance, certain services may only use specific Ports. A Web Server will typically use Port 80, and NMAP can make use of this fact.
The SYN Scan is used to detect open Ports and you must have ROOT privileges to run a SYN Scan.
If you recall, the SYN Scan performs the following steps:
- Source System sends a SYN request to the Target but a Port number is added to the request.
- The Target System will respond with a SYN/ACK (Sync/Acknowledgement) to the Source if the specified Port is open.
- The Source System responds with a RST (Reset) to the Target to close the connection.
- The Target System can respond with a RST/ACK (Reset/Acknowledgement) to the Source System.
If the Port being scanned is closed the following will occur:
- Source System sends a SYN request to the Target and a Port number is added to the request.
- The Target responds with a RST (Reset) since the Port is closed.
If the Port being scanned is filtered by a Firewall the following will occur:
- Source System sends a SYN request to the Target and the Port number is added to the request.
- No response is received since it was Filtered by the Firewall.
Through these procedures, NMAP will determine the open Ports and know which Ports to probe. If a System has no open Ports then NMAP will not continue the Service Probe.
The Service Probe process is made up of multi-stage techniques to get a response. The Response is checked against the ‘nmap-service-probes’ list to determine a version of the Service. The response list needs to be up-to-date to get correct version numbers.
The Probe being performed is as follows:
- Source System sends an HTTP GET request to the Target on the specified Port.
- Target System will respond with HTTP Data.
- The Source system will then respond with an acknowledgement (ACK).
- The Target System sends the rest of the HTTP Data.
- The Source System will respond with an acknowledgement and finish (ACK/FIN).
- The Target System sends an acknowledgement (ACK) to close the connection.
Service Probes Database
In the database is a line which shows a test for the Service ‘vsftpd’. The line is as follows:
match ftp m|^(?:220-.*\r\n)?220 .*\r\n530 Please login with USER and PASS\.\r\n|s p/vsftpd/ v/2.0.8 or later/ cpe:/a:vsftpd:vsftpd/
This line describes the response NMAP looks for when a Port is queried. When a match is found, NMAP knows which Service and version number is most likely the one on the Target system.
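To make the probe stage and the match line format concrete, here is an added example (not code from the article or from Nmap) that parses the vsftpd ‘match’ line quoted above, compiles its regular expression, and tests it against banners. It reflects how Nmap uses the database: the bytes a service sends back are compared with each match line in order, and the ‘p/’, ‘v/’ and ‘cpe:’ fields of the first line that matches become the reported product and version, which is why a stale database yields wrong or missing versions. The two banners are constructed samples, not captures from a real host.

```python
"""Parse an nmap-service-probes 'match' line and test it against a banner.

Added example (not code from the article or from Nmap). Match line syntax:
    match <service> m<delim>regex<delim>[flags] [p/../ v/../ i/../ cpe:/../ ...]
The only flags handled here are 'i' (ignore case) and 's' (dot matches newline).
"""
import re

# The exact line from the article's copy of nmap-service-probes.
VSFTPD_LINE = (r"match ftp m|^(?:220-.*\r\n)?220 .*\r\n530 Please login with USER and PASS\.\r\n|s "
               r"p/vsftpd/ v/2.0.8 or later/ cpe:/a:vsftpd:vsftpd/")

MATCH_HEAD = re.compile(r"^(match|softmatch)\s+(\S+)\s+m(.)")
# p/ v/ i/ h/ o/ d/ fields (with escaped slashes allowed inside) or a cpe: field.
VERSION_FIELD = re.compile(r"([pvihod])/((?:[^/\\]|\\.)*)/|(cpe:/[^\s]+)")
FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL}


def parse_match_line(line):
    """Split a match line into (service, compiled regex, version-info dict)."""
    head = MATCH_HEAD.match(line)
    if not head:
        raise ValueError("not a match line: %r" % line)
    _kind, service, delim = head.groups()
    start = head.end()
    end = line.index(delim, start)   # closing delimiter (the delimiter itself never appears inside)
    pattern = line[start:end]
    rest = line[end + 1:]
    # Single-letter flags directly follow the closing delimiter, e.g. "|s" or "|si".
    flags = 0
    while rest and rest[0] in FLAGS:
        flags |= FLAGS[rest[0]]
        rest = rest[1:]
    info = {}
    for m in VERSION_FIELD.finditer(rest):
        if m.group(3):
            info.setdefault("cpe", []).append(m.group(3))
        else:
            info[m.group(1)] = m.group(2)
    return service, re.compile(pattern, flags), info


def identify(banner, match_lines):
    """Return (service, info) for the first match line whose regex matches the banner."""
    for line in match_lines:
        service, regex, info = parse_match_line(line)
        if regex.search(banner):
            return service, info
    return None


# Constructed banners: one of the form the match line expects from vsftpd, and
# one from a different FTP daemon that must not match.
VSFTPD_BANNER = "220 (vsFTPd 3.0.3)\r\n530 Please login with USER and PASS.\r\n"
OTHER_BANNER = "220 ProFTPD Server ready.\r\n530 Login incorrect.\r\n"

if __name__ == "__main__":
    for banner in (VSFTPD_BANNER, OTHER_BANNER):
        print(repr(banner[:26]), "->", identify(banner, [VSFTPD_LINE]))
```

Because the first matching line wins, the order of lines in the database matters as much as their content; when you check why a scan reported an odd version, grep the banner text from the packet capture against the database the same way this function does.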
Scan
To perform the Service Probe you need to open a Terminal and perform the following command:
sudo nmap -sV 192.168.0.63 -Pn
Here, the Target system has an IP Address of ‘192.168.0.63’ and this should be changed to the IP Address of the system you are probing.
A sample probe is shown in Figure 2.
FIGURE 2
The results show that Ports 21, 22, 111, 139, 445 and 2049 are open. NMAP found the following services on these Ports:
- 21 - vsftpd 2.0.8 or later
- 22 - OpenSSH 7.3p1 Ubuntu 1ubuntu0.1 (Ubuntu Linux; protocol 2.0)
- 111 - 2-4 (RPC #100000)
- 139 - Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
- 445 - Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
- 2049 - 2-4 (RPC #100003)
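Reading the table by eye works for one host; for a network you want the same result in a form you can compare against what each host is supposed to expose. The script below is an added example, not code from the article or from Nmap. It assumes the scan is run as ‘nmap -sV -oX - <target> -Pn’ (the ‘-oX -’ option makes Nmap write its results as XML to standard output) and parses that XML into the same port/service list shown above, then flags open ports that are not on an allowed list. The XML embedded here was constructed by hand to mirror the article's results and is not a real capture; the allowed-port baseline is hypothetical.

```python
"""Turn 'nmap -sV -oX -' output into a service inventory and flag unexpected ports.

Added example (not from the article or Nmap). Run as:
    sudo nmap -sV -oX - 192.168.0.63 -Pn | python3 this_script.py
or call parse_services() on the constructed SAMPLE_XML below.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample in Nmap's XML output format (only the elements used here),
# matching the ports and services the article reports for 192.168.0.63.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX - 192.168.0.63 -Pn">
  <host><address addr="192.168.0.63" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd" version="2.0.8 or later" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.3p1 Ubuntu 1ubuntu0.1" extrainfo="Ubuntu Linux; protocol 2.0" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="111"><state state="open"/><service name="rpcbind" version="2-4" extrainfo="RPC #100000" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn" product="Samba smbd" version="3.X - 4.X" extrainfo="workgroup: WORKGROUP" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="netbios-ssn" product="Samba smbd" version="3.X - 4.X" extrainfo="workgroup: WORKGROUP" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="2049"><state state="open"/><service name="nfs" version="2-4" extrainfo="RPC #100003" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="8080"><state state="closed"/><service name="http-proxy" method="table" conf="3"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_services(xml_text):
    """Return {addr: [(port, name, description, method), ...]} for open TCP/UDP ports."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        entries = []
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            parts = [svc.get("product"), svc.get("version")]
            desc = " ".join(p for p in parts if p) or svc.get("name", "?")
            if svc.get("extrainfo"):
                desc += " (%s)" % svc.get("extrainfo")
            # method="probed" means a match line in nmap-service-probes fired;
            # method="table" means Nmap only guessed from the port number.
            entries.append((int(port.get("portid")), svc.get("name"), desc, svc.get("method")))
        hosts[addr] = entries
    return hosts


def unexpected_ports(entries, allowed):
    """Open ports that are not in the allowed set for this host."""
    return sorted(p for p, _name, _desc, _method in entries if p not in allowed)


if __name__ == "__main__":
    xml_text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_XML
    # Hypothetical baseline: this host is only supposed to serve SSH and NFS.
    allowed = {22, 111, 2049}
    for addr, entries in parse_services(xml_text).items():
        for port, name, desc, method in entries:
            print(f"{addr} {port:>5}/tcp {name:12} {desc} [{method}]")
        print("unexpected open ports:", unexpected_ports(entries, allowed))
```

The ‘method’ column is worth keeping in any inventory you build from these scans: a version string reported with method ‘table’ is a guess from the port number, not a match from the database, and should not be trusted for patch-level decisions.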
Initially the Ports are scanned on the Target System to find the opened Ports. If you look at Figure 3 you can see that the highlighted line (2086) is the end of the Port Scan. The end of the Port Scan can be noticed since a full 6 seconds elapse after the Port Scans before the Service Probe starts. The ‘Time’ column shows a jump from 22 to 28 seconds.
FIGURE 3
Lines 2197 to 2201 show the ACK response, which is Step 3 in the Probe. The responses given to the requests are matched against the Service Probe Database. As you can see in Line 2242, there is a response from the Target System containing ‘Please login with USER and PASS’, the text noted above in the example from the Service Probe Database.
FIGURE 4
Try the Service Probe out on various systems and determine how accurate the Service Probe can be when used on your network. Make sure you update the Database before you perform the scan.