Version Detection

Using Nmap

Angela Orebaugh, Becky Pinkard, in Nmap in the Enterprise, 2008

Detecting Service and Application Versions

By default, Nmap identifies open ports on the target host and correlates those port numbers with the common services associated with those ports, as listed in the nmap-services file. But is it really a Web server running on port 80? When you are managing your network assets and performing security auditing, Nmap can go one step further and probe the open ports to try to identify the application or service actually running on each one. For asset management, you are interested in the version of services and applications, not just for inventory reasons, but also for policy compliance. You may find systems running unauthorized servers, so you will want to identify the unauthorized services and applications that are running. For security auditing, you are interested in service and application versions from a vulnerability and patch management perspective.

Nmap can perform version detection to assist in gathering more detail on the services and applications running on the identified open ports. Version detection uses a variety of probes, located in the nmap-service-probes file, to solicit responses from the services and applications. Nmap queries the target host with the probe data and analyzes the response, comparing it against known responses for a variety of services, applications, and versions. Nmap will attempt to identify the following parameters:

Service Protocol The service running on the open port, such as FTP, Hypertext Transfer Protocol (HTTP), or Simple Mail Transfer Protocol (SMTP).

Application Name The specific application for the service, such as WU-FTPD, Microsoft IIS, or Sendmail.

Version Number The version of the application.

Hostname The hostname of the target host. (This may be for an internal network and different from the DNS response).

Device Type The type of device, such as a print server, media device, router, WAP, or power device.

Operating System Family The underlying OS, such as Windows, HP-UX, Cisco IOS, or Linux. (This could be different from what the Nmap OS detection reports if the organization uses network address translation (NAT) and forwarding for the application).

Miscellaneous Details Other details such as kernel information, serial numbers, firmware versions, user names, and password data.

Port State Version detection also attempts to gain more information about UDP and TCP ports that were reported as open|filtered, to determine the correct state of the port.

Note

If Nmap was compiled with OpenSSL support, it can attempt to find listening services behind Secure Sockets Layer (SSL) encryption. By default, Nmap will look for OpenSSL libraries during install and include this capability. OpenSSL support is not available on the Windows version of Nmap.

To enable version detection with your port scan, use the -sV command-line option. For example:

# nmap -sV 192.168.2.3

Starting Nmap 4.50 ( http://insecure.org ) at 2008-01-03 21:44 EST

Interesting ports on 192.168.2.3:

Not shown: 1705 closed ports

PORT     STATE    SERVICE       VERSION
135/tcp  open     msrpc         Microsoft Windows RPC
139/tcp  open     netbios-ssn
3389/tcp open     microsoft-rdp Microsoft Terminal Service
6346/tcp filtered gnutella
6347/tcp filtered gnutella2
8081/tcp open     http          Network Associates ePolicy Orchestrator (Computername: LT-A030443 Version: 3.6.0.453)

Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 11.317 seconds

This command uses Nmap's default SYN scan for port detection, but the version detection option can be combined with any of the port detection techniques.

Nmap includes several command-line options to configure the version detection engine. The nmap-service-probes file excludes certain ports from probing (e.g., printer ports will print anything that is sent to them). To enable all ports for version detection, use the --allports command-line option. You can also control the version scanning intensity with the --version-intensity command-line option. By default, Nmap uses an intensity of 7 (out of 0–9). The intensity level controls which probes are used in version detection; the higher the intensity, the more probes are used. Probes are classified with a rarity value between 1 and 9, with 1 being very common and highly useful, and 9 being rare and less useful. Higher intensity scans take longer since they use more of the rare probes, but you are more likely to have services and versions correctly detected. If you want quick but less reliable version detection, you can also use the --version-light command-line option, which is equal to a version intensity level of 2. If you want comprehensive and reliable version detection by executing every probe, you can use the --version-all command-line option, which is equal to a version intensity level of 9. You can also get detailed information during the version detection process by using the --version-trace command-line option. You can specify a customized service probe file, instead of the default nmap-service-probes, by using the --versiondb command-line option.

Note

The -A command-line option enables version detection, OS detection, script scanning, and traceroute.

Nmap version detection also includes Remote Procedure Call (RPC)-specific probes to discover the RPC program and version. These are enabled by default when version detection discovers RPC services, but they can also be enabled separately, outside of version detection, by using the -sR command-line option. The RPC probes can gather the same type of information as executing the rpcinfo -p UNIX command, even if the target host's portmapper is behind a firewall.

Table 4.5 summarizes the service and application version detection command-line options. Version detection is a growing and evolving feature of Nmap, with numerous enterprise capabilities.

Table 4.5. Service and Application Version Detection Command-Line Options

Option                               Description
-sV                                  Enable version detection for services and applications
-sR                                  Enable RPC version detection (enabled by default with the -sV option)
--allports                           Don't exclude any ports from version detection
--version-intensity <intensity>      Set version scan intensity from 0 to 9
--version-light                      Set version intensity to level 2 for quick version scanning
--version-all                        Set version intensity to level 9 to try all probes
--version-trace                      Print debugging information during version detection
--versiondb <service probes file>    Specify a customized service probes file

Notes from the Underground…

OS and Version Detection Community Contribution

The Nmap OS and version detection probe databases grow through contributions from Nmap's users. When Nmap receives responses to probes but still can't identify the OS or application version, it displays a special fingerprint and a Uniform Resource Locator (URL) at which to submit the signature. OS detection relies on at least one open port and one closed port on the target host to print a reliable fingerprint. If you are sure what OS or application and version is running on a port, please submit this fingerprint to help grow the database of signatures. If Nmap didn't receive any responses for version detection and does not print a fingerprint, this means that there isn't a probe for this service. You can also contribute to Nmap by writing and submitting version detection probes. This takes longer than simply submitting a fingerprint, but if you have time it is a great way to support the open source community! For detailed information on service and application version detection, including usage and developing probes, check out http://insecure.org/nmap/vscan .


URL:

https://www.sciencedirect.com/science/article/pii/B9781597492416000042

Nmap Scanning in the Real World

Angela Orebaugh, Becky Pinkard, in Nmap in the Enterprise, 2008

Discovering Unauthorized Applications and Services

We have previously discussed Nmap's capability for service and version detection against open ports. What really helps to put it into perspective is discussing real-life scenarios, and that is what we'll do in this section. This feature of Nmap is commonly used to detect unauthorized or outdated applications and services. What happens when you are tasked with finding all the open file shares in the network? How about when the boss calls you and requests a count of how many FTP servers are running in your lab? What if one of your yearly goals is to make certain all SSH versions are up to spec? And finally, how about being tasked with tracking down users who are hiding internal Web sites under atypical port numbers? Here's a list of some other items you might find yourself tracking down or keeping inventory of, depending on your organization's policy:

P2P software

Chat applications

Samba servers

Remote desktop services

Unauthorized database services

Open mail service relays

Unauthorized proxy servers

Unmanaged printers

Virtual operating systems, like VMware

Unauthorized operating systems, like Mac OS X or Linux

The nice thing about using Nmap in this capacity is that the service and version detection capability is built right into the tool. Earlier in the book, we covered the –sV or version option, as well as the OS detection capability, invoked with the –O option. In more recent Nmap versions, you also have the luxury of running both simultaneously by using the –A option.

We'll run a sample scan and take advantage of the version detection capability. Looking back on our usage chapter, we can test out some of the following additional service and version detection options:

SERVICE/VERSION DETECTION:

-sV: Probe open ports to determine service/version info

--version-intensity <level>: Set from 0 (light) to 9 (try all probes)

--version-light: Limit to most likely probes (intensity 2)

--version-all: Try every single probe (intensity 9)

--version-trace: Show detailed version scan activity (for debugging)

As a test, we'll run with version-intensity 0 and then 9 to compare the results. Let's test against our trusty SUSE system:

C:\downloads>nmap -sV --version-intensity 0 10.0.0.5

Starting Nmap 4.53 ( http://insecure.org ) at 2008-02-01 23:30 Central Standard Time

Interesting ports on 10.0.0.5:

Not shown: 1709 closed ports

PORT     STATE   SERVICE       VERSION
22/tcp   open    ssh           OpenSSH 4.1 (protocol 1.99)
111/tcp  open    rpcbind       2 (rpc #100000)
139/tcp  open    netbios-ssn   Samba smbd 3.X (workgroup: LAB)
445/tcp  open    netbios-ssn   Samba smbd 3.X (workgroup: LAB)
631/tcp  open    ipp           CUPS 1.1

MAC Address: 00:0C:29:E0:54:1B (VMware)

Host script results:
|_ Discover OS Version over NetBIOS and SMB: Unix

Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 13.422 seconds

This looks great, and it is exactly the kind of information we would need to complete an inventory of TCP/IP services available on this system. We ran the command again using a version-intensity of 9 and received the same results. Let's see if we can trip up Nmap a little by starting a netcat listener on TCP port 135 on the SUSE server. This port is normally associated with the Windows MS-RPC service. On the SUSE system, we'll run this command:

vmware1:/home # nc -l -p135

To verify that the port is now open, we can also run a quick netstat on the SUSE server:

vmware1:/home # netstat -na | grep ':135'
tcp   0   0.0.0.0:135   0.0.0.0:*   LISTEN

Looks good so far. Now we'll kick off the service and version detection scan with the most intense setting, level 9, restricted to our port 135:

C:\WINDOWS\system32>nmap -sV --version-intensity 9 -p135 10.0.0.5

Starting Nmap 4.53 ( http://insecure.org ) at 2008-02-01 23:55 Central Standard Time

Interesting ports on 10.0.0.5:

PORT     STATE   SERVICE   VERSION
135/tcp  open    msrpc?

MAC Address: 00:0C:29:E9:43:0A (VMware)

Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 13.000 seconds

Looks like the trick is somewhat successful. Nmap's best guess is that the port is indeed running the MS-RPC service. However, since Nmap is unable to provide any real version information, and we see the question mark in the results, we know that this service will require more intensive and perhaps hands-on investigation. This really demonstrates the importance of remaining objective about your Nmap results. Most likely, the majority of services in your infrastructure will be easily and properly identified by Nmap's service and version detection scan; however, if an end user really wants to cover their tracks, you will have to be more vigilant in your own discovery efforts.
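The inventory tasks described in this section (finding unauthorized services, checking that SSH versions are up to spec, and treating a trailing question mark as "go and look by hand") are easy to automate once the scan output is parsed. The following Python script is an added example, not code from the book: it parses the PORT/STATE/SERVICE/VERSION table that nmap -sV prints, constructs a sample table modelled on the scans above, and audits it against a hypothetical lab policy (the allowed-service set and the OpenSSH minimum are assumptions made for the example).

```python
import re
from dataclasses import dataclass

# Constructed sample: the port table of an "nmap -sV" normal-output run, modelled on
# the scans shown above (not a real capture). Nmap appends "?" to the service name
# when it fell back to the port-number guess because no probe response matched.
SAMPLE_OUTPUT = """\
PORT     STATE    SERVICE      VERSION
22/tcp   open     ssh          OpenSSH 4.1 (protocol 1.99)
111/tcp  open     rpcbind      2 (rpc #100000)
135/tcp  open     msrpc?
139/tcp  open     netbios-ssn  Samba smbd 3.X (workgroup: LAB)
631/tcp  open     ipp          CUPS 1.1
6346/tcp filtered gnutella
"""

# Hypothetical policy for this example: services the lab inventory permits, and the
# minimum OpenSSH version the "SSH up to spec" goal requires.
ALLOWED_SERVICES = {"ssh", "ipp", "rpcbind"}
MIN_OPENSSH = (4, 3)

PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*))?$"
)


@dataclass
class Finding:
    port: int
    proto: str
    state: str
    service: str
    version: str
    uncertain: bool  # True when Nmap printed "service?"


def parse_sv_output(text):
    """Turn the PORT/STATE/SERVICE/VERSION table into Finding records."""
    findings = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue  # header, blank and summary lines
        service = m.group("service")
        findings.append(Finding(
            port=int(m.group("port")),
            proto=m.group("proto"),
            state=m.group("state"),
            service=service.rstrip("?"),
            version=(m.group("version") or "").strip(),
            uncertain=service.endswith("?"),
        ))
    return findings


def openssh_version(version):
    """Extract (major, minor) from a version column such as 'OpenSSH 4.1 (protocol 1.99)'."""
    m = re.match(r"OpenSSH\s+(\d+)\.(\d+)", version)
    return (int(m.group(1)), int(m.group(2))) if m else None


def audit(findings):
    """Return (port, reason) tuples for everything an inventory reviewer should look at."""
    issues = []
    for f in findings:
        if f.state != "open":
            continue  # filtered/closed ports carry no confirmed service
        if f.uncertain:
            # The name came from nmap-services, not from a probe match: verify by hand.
            issues.append((f.port, "unverified: '%s' is a port-number guess" % f.service))
        if f.service not in ALLOWED_SERVICES:
            issues.append((f.port, "unauthorized service '%s'" % f.service))
        v = openssh_version(f.version)
        if v is not None and v < MIN_OPENSSH:
            issues.append((f.port, "OpenSSH %d.%d below policy minimum" % v))
    return issues


if __name__ == "__main__":
    for port, reason in audit(parse_sv_output(SAMPLE_OUTPUT)):
        print("port %d: %s" % (port, reason))
```

Run against the sample, the audit flags port 22 (OpenSSH 4.1 is below the assumed minimum), port 135 twice (the name is only a guess, and msrpc is not on the allowed list) and port 139 (Samba is not on the allowed list); the filtered gnutella port is ignored because nothing was confirmed to be listening there. The same parser works on the output of nmap -oN, which writes the identical table to a file.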

Tools & Traps …

Netcat

Netcat is a fantastic tool for reading and even writing data across TCP/IP connections. It has the capability to listen on any port and even to execute a command for that port. It has long been referred to as the TCP/IP Swiss Army Knife and is considered a must-have for the security analyst. As we saw in the example in this chapter, it provides an extremely simple way of setting up a listener on any port to watch and collect traffic from any system that attempts to connect to that port. In this capacity, it provides a very simple, honeypot-like capability, in that the service is obviously not really running but from the attacker's viewpoint appears to be available. You can download the tool for UNIX systems from the original site here: http://netcat.sourceforge.net/. A Windows port was also developed and is maintained here: www.vulnwatch.org/netcat/. There is a great readme.txt on the vulnwatch site that describes several different tips and tricks for working with the tool. You can check it out here: http://www.vulnwatch.org/netcat/readment.txt.


URL:

https://www.sciencedirect.com/science/article/pii/B978159749241600008X

Introducing Network Scanning

Angela Orebaugh, Becky Pinkard, in Nmap in the Enterprise, 2008

Solutions Fast Track

What is Network Scanning?

Network scanning discovers active hosts on the network and information about those hosts, such as type of operating system, active ports, services, and applications.

Network scanning frequently uses network mapping, port scanning, service and version detection, and operating system detection.

Advanced network scanners include scanning optimization and stealthy scanning techniques.

Networking and Protocol Fundamentals

Ethernet is a shared medium that uses MAC or hardware addresses.

The OSI model has seven layers and represents a standard for network communication.

The IP protocol contains the source and destination IP addresses used for network scanning.

TCP performs a three-way handshake to make a connection between two devices.

Both TCP and UDP utilize ports to communicate.

Network Scanning Techniques

Host discovery identifies active hosts on the network.

Host discovery often uses ICMP ECHO requests to solicit a reply from a host, but non-ICMP methods may also be used.

Firewalls and border routers may block host discovery attempts.

Port scanning identifies open ports and services by attempting to solicit a reply from a specific port on a device.

Port scanning uses a variety of TCP flags or UDP parameters to solicit replies from hosts and to attempt to evade firewalls and edge routers.

Active fingerprinting sends several packets to a device with a variety of parameters in order to evaluate the replies and determine the operating system against a known list of requests and replies by OS.

Parallelism and timing parameters provide performance optimization for network scanners.

Low and slow scanning, fragmentation, and spoofing are methods used by advanced network scanners to evade detection by firewalls and intrusion detection systems.

Common Network Scanning Tools

Nmap is the most popular and widely used free network scanner.

Superscan is a popular free Windows-based network scanner.

NEWT is a popular network scanner available for free or as a commercial product.

Who Uses Network Scanning?

Network, system, and security professionals use network scanning for a variety of administrative functions such as security auditing, compliance testing, asset management, and network and system inventory.

Network scanning may be used to manage patching and upgrades, monitor system uptime, assess policy compliance, verify firewall filter functioning, and find unauthorized devices and applications.

Attackers use network scanning to identify active hosts, open ports and services on a target device. The attacker may then exploit discovered vulnerabilities.

Detecting and Protecting

Most products perform scan detection by monitoring connection attempts to a large number of hosts or ports from a single source IP over a specific period of time.

Refining thresholds for your specific infrastructure reduces false positives.

Protect your network from ping sweeps by not allowing ICMP ECHO requests to enter your network.

Products that monitor connection state will detect packets that are not part of an existing connection.

Regularly perform your own network scan attempts from outside of the network (if you have permission) to see what attackers can see.

Network Scanning and Policy

A good Appropriate Use policy will prohibit the use of network scanners by anyone not specifically designated to perform this function.

Make sure you have permission to use a network scanner on a network that is not your own.

Read the appropriate use policies of your Internet access provider before using a network scanner.


URL:

https://www.sciencedirect.com/science/article/pii/B9781597492416000017

Introducing Nmap

Angela Orebaugh, Becky Pinkard, in Nmap in the Enterprise, 2008

What is Nmap?

Nmap, or Network Mapper, is a free, open source tool that is available under the GNU General Public License as published by the Free Software Foundation.

Nmap has capabilities for network mapping, port scanning, service and version detection, and operating system detection.

Nmap can be installed on Windows, Linux, or Mac OS X.

Using Nmap in the Enterprise

Make sure you have well-documented permission from the appropriate upper management to conduct Nmap scans.

Identify change control windows for scanning of critical assets.

Post an e-mail address or telephone number at which to reach the Nmap team in case of a scanning-caused outage.

Approach reconnaissance of your networks as an attacker would. Start with a wide-reaching scan to determine available systems, and then gradually narrow down your scans to identify specific operating systems, ports or services.

Securing Nmap

Nmap requires administrative privilege in order to successfully install and run.

Employees conducting Nmap scans should be using special access accounts in order to maintain accountability and the principle of least privilege.

According to your information classification policies, it may be necessary to securely store Nmap results for critical assets.

Create a solid working relationship with your internal IT audit team to help facilitate your understanding of their audit controls.

Optimizing Nmap

Nmap has integrated timing policies that vary from T0 (very, very slow) to T5 (extremely fast).

You can tell Nmap to never perform DNS resolution of the IP addresses it is scanning by using the -n option.

Additional parameters give Nmap the ability to control parallel scanning of a certain number of IP addresses.

Advanced Nmap Scanning Techniques

Nmap comes with additional parameters that can provide scanning capabilities beyond the basic syn – syn/ack – ack connect scan.

Manipulating options like the time-to-live, packet size or fragmentation can be used to test your organization's intrusion detection or prevention teams.

Understanding how TCP and UDP respond to certain stimuli is critical to working with advanced Nmap scanning features.


URL:

https://www.sciencedirect.com/science/article/pii/B9781597492416000029

Attacking Smart Devices

Tony Flick, Justin Morehouse, in Securing the Smart Grid, 2011

Services Identification and System Identification

The objective of the Services Identification and System Identification module of the Process Security Testing section of ISECOM's OSSTMM is to identify the services that are running on the TCP and UDP ports that responded during the Port Scanning module. For example, in the Port Scanning module we learned that the TED 5000 Smart Device is running services on TCP ports 80 and 443. While these ports are most commonly associated with a Web server, the Services Identification and System Identification modules attempt to determine WHAT Web server (i.e. Apache or Internet Information Services) is running on WHAT operating system (Red Hat Linux or Microsoft Windows 2008 R2).

Nmap can be used to identify the services and the operating system of the targeted device. Several new switches were used to identify the services and operating systems. Since only TCP ports responded, assume that we used the -sS switch, not the -sU switch. The new switches used were

-sV – This switch tells Nmap to perform version detection of the services running on the open ports.

-p 21-25,80,443 – This switch tells Nmap to scan the TCP ports 21 (FTP), 22 (SSH), 23 (Telnet), 24 (any private mail system), 25 (SMTP), 80 (HTTP), and 443 (HTTPS). While only TCP ports 80 and 443 responded to our initial TCP port scan in the Port Scanning module, we asked Nmap to look at TCP ports 21 through 25 so that it could identify the closed ports. When performing identification of the operating system, Nmap looks at the responses and compares them to a database of known responses. Both open and closed responses are used, so by having Nmap evaluate the closed responses for TCP ports 21 through 25, we increased the likelihood that it will identify the target's operating system.

-O – This switch tells Nmap to attempt to identify the target's operating system based on the responses to the same scanned TCP ports.

Figure 13.7 shows the results of our Nmap version scan. As you can see, Nmap was unable to identify the services running on either TCP port 80 or TCP port 443. This is because it does not have a signature for the TED 5000's response in its database.

Figure 13.7. Screenshot of Nmap service and operating system detection results.

Also, Nmap was unable to identify the operating system running on the targeted device. While this may seem like a waste of time, it is a valuable part of enumerating your target. Plus, all is not lost, as Nessus, which will be used in the Vulnerability Research and Verification module, also attempts to identify the services running and the operating system.


URL:

https://www.sciencedirect.com/science/article/pii/B9781597495707000133

Vulnerability Assessment

Russ Rogers, in Nessus Network Auditing (Second Edition), 2008

Identifying Vulnerabilities

After every online host has been identified, each open port has been mapped to a known service, and the known services have been mapped to specific applications, the system is finally ready to begin testing for vulnerabilities. This process often starts with basic information-gathering techniques, followed by active configuration probes, and finally a set of custom attacks that can identify whether a given vulnerability exists on a given system.

The vulnerability identification process can vary from simple banner matching and version tests to complete exploitation of the tested flaw. When version detection and banner matching are used to identify a vulnerability, false positives often result, because application vendors provide updated software that still displays the banner of the vulnerable version. For this reason, version numbers are often consulted only when there is no other way to safely verify whether the vulnerability exists.

The only way to identify a large percentage of common vulnerabilities is to attempt to exploit the flaw. This often means using the vulnerability to execute a command, display a system file, or otherwise verify that the system is indeed vulnerable to an attack by a remote intruder. Many buffer overflow and input manipulation vulnerabilities can be detected by triggering just enough of the flaw to indicate that the system has not been patched, but not enough to actually take down the service. The assessment tool has to walk a fine line between reliable vulnerability identification and destructive side effects.

Vulnerability tests that use banner checks will encounter issues when the tested service has been patched, either by the vendor or system administrator, but the version number displayed to the network has been updated. This is a relatively common practice with open-source UNIX-based platforms and certain Linux distributions.


URL:

https://www.sciencedirect.com/science/article/pii/B9781597492089000010

Nmap OS Fingerprinting

Angela Orebaugh, Becky Pinkard, in Nmap in the Enterprise, 2008

H4x0rz, Tigers and Bears…Oh MY!

Most security-minded administrators keep abreast of the latest exploits being released that can affect systems in their networks. Upon hearing of a new exploit, a proactive administrator would start a scan across the network searching for versions of the potentially affected OS. Within a short period of time, a list could be generated and a targeted patching regimen could be initiated to get these machines back into a green state. Otherwise, if we do nothing, we leave ourselves open to a potentially crippling attack that could cost an organization untold amounts of money. Costs related to outages and data loss can easily be devastating to a business, not to mention to the careers of administrators asleep at the wheel.

Conversely, an attacker can use Nmap and its OS fingerprinting and version detection against you in very devastating ways. If someone is allowed to scan even the most superficial areas of your network, they can ultimately gain the highest level of access and get at your information and intellectual property. Every enterprise environment of any scale is a constant target of the general hacking and malicious traffic crossing the Internet at any given second. The bigger the enterprise and the more unique or valuable the data it houses, the more skilled the hackers it attracts. Keeping that in mind, know that even the least sophisticated hackers will use tools such as Nmap to do OS fingerprinting reconnaissance.

Data that was useful to you as a proactive admin is now a soft point for an attacker to work their way into your systems or otherwise deny them of services and impede your business flow. Aside from data regarding operating systems and exploits, an attacker could use the simple OS and version information derived from an Nmap fingerprinting run to learn the IP address of an externally facing router or wireless access point. For instance, an attacker could see a Linksys fingerprint, much like the one given as an example previously, and instantly have a foothold in attempting to gain further access to the network.


URL:

https://www.sciencedirect.com/science/article/pii/B9781597492416000066

Scanner scripting

Jason Andress, Ryan Linn, in Coding for Penetration Testers (Second Edition), 2017

Working With Service Probes in Nmap

One of the handy things we can do with Nmap is to probe for services on our target hosts. This allows us to add custom service definitions to Nmap, so we can detect running services outside the default list, specified in the nmap-services file, which is located in /usr/share/nmap on Kali. The nmap-services file is used to perform a simple match against the port number, and provides us with the name of the service that typically runs on that port. When we run a default Nmap scan like nmap 10.0.0.51 with no options, the nmap-services file is used to provide the service information, such as:

PORT       STATE   SERVICE
80/tcp     open    http
139/tcp    open    netbios-ssn
9100/tcp   open    jetdirect
9101/tcp   open    jetdirect
9102/tcp   open    jetdirect
9110/tcp   open    unknown
9220/tcp   open    unknown
9290/tcp   open    unknown

As we said, this is just a match from the nmap-services file, with no additional checks made. We can certainly edit this file to add or alter entries, but this has limited utility as the file is already fairly exhaustive.

If we want to get a better idea of what exactly the running services are, we can run Nmap with the version checking option turned on, as in nmap –sV 10.0.0.51, which should produce results along the lines of the following:

PORT       STATE   SERVICE       VERSION
80/tcp     open    http          Virata-EmWeb 6.0.1 (HP PhotoSmart/Deskjet printer http config)
139/tcp    open    netbios-ssn?
9100/tcp   open    jetdirect?
9101/tcp   open    jetdirect?
9102/tcp   open    jetdirect?
9110/tcp   open    unknown
9220/tcp   open    hp-gsg        HP Generic Scan Gateway 1.0
9290/tcp   open    hp-gsg        IEEE 1284.4 scan peripheral gateway
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port9110-TCP:V=5.51%D=4/20%Time=4DD72E40%P=x86_64-unknown-linux-gnu
SF:%r(RPCCheck,2B,"\0\0\(r\xfe\x1d\x13\0\0\0\0\0\0\0\x02\0\x01\x86\xa0\0\x
SF:01\x97\|\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0");
Service Info: Device: printer

We can see here that we got back quite a bit more detailed information on several of the ports, although not everything was successful. This information is pulled from the entries in the nmap-service-probes file, also located in /usr/share/nmap on Kali. We can add entries to this file in order to perform detailed version detection for custom services. In the output from our example, we can also see data returned on an unrecognized service, which we could use as the basis for building a new entry in the nmap-service-probes file. Let's go ahead and add a new match entry in the nmap-service-probes file for the unknown service that came back from our scan.

In this case, the device is an HP LaserJet printer. If we look at the fingerprint data, we can break it out into its components, as listed in Table 7.1.

Table 7.1. Netcat Service Fingerprint Data

Meaning            Fingerprint Component
Port               Port9110
Protocol           TCP
Nmap version       V=5.51
Date               D=4/20
Time               Time=4DD72E40
Architecture       P=x86_64-unknown-linux-gnu
Probe responses    r(RPCCheck,2B,"\0\0\(r\xfe\x1d\x13\0\0\0\0\0\0\0\x02\0\x01\x86\xa0\0\x01\x97\|\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0");

We can see from the probe response that port 9110 responded to a Remote Procedure Call (RPC) probe of some kind, so this gives us an indication of what kind of traffic may be flowing through the port. We can try to discover more specific data about this port with additional probing from Nmap, but with our example device, this will ultimately be rather fruitless. For now we will assume that this is (questionably) RPC and proceed on that basis.

If we check in nmap-services, we will find the entry for port 9110 listed as:

Unknown   9110/tcp   0.000304

This is easy enough to correct, if we like, by editing the file. In order to get things working a bit better for the actual problem, we will need to place an entry in nmap-service-probes. We can tell that the response came from the RPCCheck probe, so this is where we need to start in the file. If we search for the string RPCCheck in the file, we will find it (at present) around line 7694, which is where the probe section starts, as shown in Fig. 7.3.

Figure 7.3. RPC probe section in nmap-service-probes.

We will add a match line in this section in order to allow our service to be recognized a little better. In this example, we will take a section of the fingerprint and use it to put together the match line. The match line will simply be:

match hp-rpc m|^\0\0\(r\xfe\x1d\x13\0\0\0\0\0\0\0\x02\0\x01\x86| p/Unknown HP RPC Service/

The match statements in this file use the Perl regular expression (regex) syntax, as we discussed in Chapter 3, Introduction to Perl. Here we start the line with match, then the service name, which we have set as hp-rpc here, then the match string, then the product name, which we have chosen as Unknown HP RPC Service. That's all there is to it.

Now we can save the file and run our service scan again (nmap -sV 10.0.0.51) to see the results. This time we get back a different set of information for our port:

PORT       STATE   SERVICE       VERSION
80/tcp     open    http          Virata-EmWeb 6.0.1 (HP PhotoSmart/Deskjet printer http config)
139/tcp    open    netbios-ssn?
9100/tcp   open    jetdirect?
9101/tcp   open    jetdirect?
9102/tcp   open    jetdirect?
9110/tcp   open    hp-rpc        Unknown HP RPC Service
9220/tcp   open    hp-gsg        HP Generic Scan Gateway 1.0
9290/tcp   open    hp-gsg        IEEE 1284.4 scan peripheral gateway
MAC Address: 00:15:60:4C:D6:7A (Hewlett Packard)
Service Info: Device: printer

Depending on the service fingerprint in question and the probe being used, we may have to tinker about a bit in order to get the match line just right. We want to be specific enough that we don't accidentally include services that have a similar fingerprint, and we want to include all the proper information when we have it. There are also a number of other fields we can use on the match line, all of which are included in the Nmap documentation [1].
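The Python below is an added example written for this page; it is not code from the book or from Nmap. It does by machine what Table 7.1 and the match line do by hand: it joins the SF- continuation lines, splits out the header fields, decodes the escaped probe response back into raw bytes and checks the declared hex length, then compiles the regex from the proposed match line to confirm it fires on that response and not on a differently shaped reply. The fingerprint and match line are copied from the text; OTHER_RESPONSE, the nmap-demo style helper names, and the check that the RPC portmapper program number 100000 (0x000186A0) occurs in the reply are constructed additions, the last of which is one concrete reason to read this response as RPC. Python's re stands in for the PCRE engine Nmap uses, which is an assumption that holds for this pattern but not for every PCRE construct.

```python
import re
from datetime import datetime, timezone

# Constructed copy of the SF- fingerprint Nmap printed for port 9110 above,
# in the three wrapped lines exactly as the scan output shows them.
SAMPLE_FINGERPRINT = r"""SF-Port9110-TCP:V=5.51%D=4/20%Time=4DD72E40%P=x86_64-unknown-linux-gnu
SF:%r(RPCCheck,2B,"\0\0\(r\xfe\x1d\x13\0\0\0\0\0\0\0\x02\0\x01\x86\xa0\0\x
SF:01\x97\|\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0");"""

# The match line proposed in the text for nmap-service-probes.
SAMPLE_MATCH_LINE = (r"match hp-rpc m|^\0\0\(r\xfe\x1d\x13\0\0\0\0\0\0\0\x02\0\x01\x86|"
                     r" p/Unknown HP RPC Service/")

# Constructed reply sharing only the first four bytes, to show that the match
# line does not fire on a merely similar-looking response.
OTHER_RESPONSE = b"\x00\x00(r" + b"\x00" * 39

PROBE_RE = re.compile(
    r'%r\((?P<probe>[^,]+),(?P<hexlen>[0-9A-Fa-f]+),"(?P<data>(?:[^"\\]|\\.)*)"\)')
MATCH_LINE_RE = re.compile(
    r"^match\s+(?P<service>\S+)\s+m(?P<delim>.)"
    r"(?P<regex>(?:\\.|(?!(?P=delim)).)*)(?P=delim)(?P<flags>[is]*)(?P<rest>.*)$")


def decode_sf_data(escaped):
    """Turn the escaped response text back into raw bytes.

    Nmap writes NUL as \\0, other non-printables as \\xHH, and backslash-escapes
    its delimiters (quote, parentheses, pipe, backslash). Reading \\0 as exactly
    one NUL byte is an assumption of this decoder.
    """
    out, i = bytearray(), 0
    while i < len(escaped):
        c = escaped[i]
        if c != "\\":
            out.append(ord(c))
            i += 1
        elif escaped[i + 1] == "x":
            out.append(int(escaped[i + 2:i + 4], 16))
            i += 4
        elif escaped[i + 1] == "0":
            out.append(0)
            i += 2
        elif escaped[i + 1] in "nrt":
            out.append({"n": 10, "r": 13, "t": 9}[escaped[i + 1]])
            i += 2
        else:                      # \( \) \| \" \\ -> the literal character
            out.append(ord(escaped[i + 1]))
            i += 2
    return bytes(out)


def parse_fingerprint(text):
    """Split an SF fingerprint into the components listed in Table 7.1."""
    joined = "".join(line.strip()[3:] for line in text.splitlines()
                     if line.strip().startswith(("SF-", "SF:")))
    cut = joined.find("%r(")
    head, probes_text = (joined, "") if cut < 0 else (joined[:cut], joined[cut:])
    m = re.match(r"^Port(?P<port>\d+)-(?P<proto>TCP|UDP):(?P<fields>.*)$", head)
    if not m:
        raise ValueError("not an SF fingerprint header")
    fields = dict(f.split("=", 1) for f in m.group("fields").split("%") if "=" in f)
    probes = []
    for pm in PROBE_RE.finditer(probes_text):
        data = decode_sf_data(pm.group("data"))
        declared = int(pm.group("hexlen"), 16)        # Nmap writes the length in hex
        probes.append({"probe": pm.group("probe"), "declared_len": declared,
                       "data": data, "length_ok": len(data) == declared})
    epoch = int(fields["Time"], 16)                    # Time= is Unix seconds, in hex
    return {"port": int(m.group("port")), "proto": m.group("proto"),
            "nmap_version": fields.get("V"), "date": fields.get("D"),
            "time_epoch": epoch,
            "time_utc": datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat(),
            "platform": fields.get("P"), "probes": probes}


def contains_portmapper_prog(data):
    """True if the big-endian RPC program number 100000 (portmapper) appears in the reply."""
    return (100000).to_bytes(4, "big") in data


def parse_match_line(line):
    """Service name, compiled regex and product string from a match line."""
    m = MATCH_LINE_RE.match(line)
    if not m:
        raise ValueError("not a match line")
    flags = (re.I if "i" in m.group("flags") else 0) | (re.S if "s" in m.group("flags") else 0)
    prod = re.search(r"p/([^/]*)/", m.group("rest"))
    return {"service": m.group("service"),
            "regex": re.compile(m.group("regex").encode("latin-1"), flags),
            "product": prod.group(1) if prod else None}


def match_line_hits(match_line, response):
    """True when the match line's regex fires on the raw probe response."""
    return parse_match_line(match_line)["regex"].search(response) is not None


if __name__ == "__main__":
    fp = parse_fingerprint(SAMPLE_FINGERPRINT)
    for key in ("port", "proto", "nmap_version", "date", "time_utc", "platform"):
        print(f"{key:13} {fp[key]}")
    probe = fp["probes"][0]
    print(f"{probe['probe']}: {len(probe['data'])} bytes (declared {probe['declared_len']}),"
          f" portmapper program number present: {contains_portmapper_prog(probe['data'])}")
    print("fires on captured reply:", match_line_hits(SAMPLE_MATCH_LINE, probe["data"]))
    print("fires on look-alike reply:", match_line_hits(SAMPLE_MATCH_LINE, OTHER_RESPONSE))
```

Running a candidate match line through match_line_hits against every fingerprint you have collected, not just the one you built it from, is the quick way to find out whether it is specific enough before editing nmap-service-probes on a scanner that others rely on.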

Read full chapter: https://www.sciencedirect.com/science/article/pii/B9780128054727000073

Getting and Installing Nmap

Angela Orebaugh, Becky Pinkard, in Nmap in the Enterprise, 2008

Installing Nmap from Source

Installing Nmap from source is usually the best way to install the latest and greatest version, as binaries sometimes lag behind, being built after source is released. Installing from the source code also gives you more control over the installation. Also, binary packages don't usually include additional software such as OpenSSL, which Nmap uses for version detection. Perform the following to install Nmap from the source code (replace version with the most recent Nmap version):

1. Download the Nmap tarball in bzip or gzip compressed format from http://insecure.org/nmap/download.

2. Uncompress and extract the Nmap tarball by typing bzip2 -cd nmap-version.tar.bz2 | tar xvf - and pressing Enter (or gzip -cd nmap-version.tgz | tar xvf -).

3. Change to the Nmap directory by typing cd nmap-version and pressing Enter.

4. Run the configure script by typing ./configure and pressing Enter.

5. When the configure process is complete and the command prompt is displayed, make sure there are no errors. If everything appears trouble-free, run the make utility simply by typing make and pressing Enter.

6. If the make utility completed without errors, you must become root to install Nmap. Type su root and press Enter. Enter the password for root and press Enter. Next, install the files in their appropriate locations by typing make install and pressing Enter.

7. After the make install process completes, the command prompt will be displayed once again. To run Nmap, type nmap and press Enter. You will see the listing of usage options.

You have now completed your build of Nmap from source. The Nmap binary installs in /usr/local/bin, so if you don't have that directory in your permanent PATH, you must add it. Once everything is installed, you may also remove the *.tar.bz2 or *.tgz files.

Note

Most installations follow the configure | make | make install format. However, in some instances, there may be other steps. Once the tar file has been extracted, there is normally an INSTALL text file included in the software subdirectory. Take a look at this file by typing more INSTALL to verify the installation procedure.

Notes from the Underground…

Compression Utilities

As you are downloading software packages from the Internet, you will encounter numerous compression utilities. Many people are already familiar with the zip compression format used on both Windows and UNIX systems. In this chapter, we discuss the tar format used for archiving files. The tar format does not provide compression. Instead, it only packages files together into one single file. This single tar file will still take up the same amount of space, plus a little more, as the sum of all of the individual files. Tar files are typically compressed with other utilities such as gzip or bzip2.

Gzip is used to reduce the size of files, thus making it a great tool for compressing large packet captures. Gzip files are recognized by the .gz extension. Files can be compressed by typing the command gzip filename. Files can be uncompressed by using the commands gzip -d filename or gunzip filename.

Bzip2 is a newer file compression utility and is capable of greater compression ratios than gzip. Bzip2 files are recognized by the .bz2 extension. Files can be compressed by typing the command bzip2 filename. Files can be uncompressed by using the commands bzip2 -d filename or bunzip2 filename.

Note

Let's take a moment to define the typical options used with the tar command: -z, -x, -v, and -f.

The -z option specifies that the file must be processed through the gzip filter. You can tell if an archive was created with gzip by the .gz extension. The -z option is only available in the GNU version of tar. If you are not using the GNU version, you will have to unzip the tar file with a command such as gunzip or gzip -dc filename.tar.gz | tar xvf -.

The -x option indicates you want the contents of the archive to be extracted. By default, this action will extract the contents into the current working directory unless otherwise specified.

The -v option stands for verbose, which means that tar will display all files it processes on the screen. This is a personal preference and is not critical to the extraction operation.

The -f option specifies the file that tar will process. For example, this could be nmap-version.tar.gz. Sometimes it might be necessary to specify a full path if the file you want to work with is located in another directory.
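The following Python is an added example, not from the book, that makes the sidebar's point and step 2 of the install procedure above concrete: tar only packages files (the archive comes out slightly larger than the files it holds), gzip and bzip2 are what shrink it, and reading a .tar.gz or .tar.bz2 is a decompress-then-untar operation whether you spell it tar -xzf, tar -xjf, or gzip -dc ... | tar xvf -. The nmap-demo file tree is constructed in memory, so nothing is downloaded or written to disk; tarfile's "r:gz" and "r:bz2" modes stand in for GNU tar's -z and -j.

```python
import bz2
import gzip
import io
import tarfile


def build_sample_tree():
    """Constructed stand-in for a small source tree (not real Nmap files)."""
    return {
        "nmap-demo/README": b"Nmap demo archive\n" * 2000,
        "nmap-demo/INSTALL": b"./configure && make && make install\n" * 1500,
        "nmap-demo/nmap-services": b"http 80/tcp\nhttps 443/tcp\n" * 3000,
    }


def make_tar(files):
    """Package the files into an uncompressed tar archive held in memory.

    This is all that plain tar does: a 512-byte header per member, each
    member padded to a 512-byte boundary, and an end-of-archive marker.
    No byte of file content is made smaller.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def archive_sizes(files):
    """Sizes of the raw files, the tar, and the tar after gzip and bzip2."""
    raw = sum(len(c) for c in files.values())
    tar_bytes = make_tar(files)
    return {
        "raw": raw,
        "tar": len(tar_bytes),                      # a little larger than raw
        "tar.gz": len(gzip.compress(tar_bytes)),    # what a .tgz / .tar.gz holds
        "tar.bz2": len(bz2.compress(tar_bytes)),    # what a .tar.bz2 holds
    }


def extract_names(archive_bytes, compression):
    """List the members of a compressed tar, decompressing first.

    compression is "gz" or "bz2". tarfile's "r:gz" / "r:bz2" modes play the
    part of GNU tar's -z / -j, or of the gzip -dc ... | tar xvf - pipeline
    used with a tar that lacks those options.
    """
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:" + compression) as tar:
        return [member.name for member in tar.getmembers()]


if __name__ == "__main__":
    tree = build_sample_tree()
    for fmt, size in archive_sizes(tree).items():
        print(f"{fmt:8} {size:8} bytes")
    packed = make_tar(tree)
    print("members via gzip:", extract_names(gzip.compress(packed), "gz"))
    print("members via bzip2:", extract_names(bz2.compress(packed), "bz2"))
```

The size table printed by archive_sizes is the whole argument of the sidebar in numbers: tar adds a few kilobytes of headers and padding, and the compressor does the rest.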

Using the configure Script

During the configure script portion of the build process, you can pass options to the installer to customize the application to your specific needs. There are many options available, but here are the ones most important to Nmap.

Note

Typing ./configure --help will give you the complete listing of information on the optional parameters.

--prefix=directoryname This option determines where Nmap and its components are installed. By default, everything is installed to /usr/local and Nmap gets installed to /usr/local/bin. The man page and data files (OS fingerprint data, services definitions, etc.) are installed in sub-directories under /usr/local/man and /usr/local/share/nmap respectively. You can change the path of the separate elements by using the options --bindir, --datadir, or --mandir.

--without-zenmap This parameter prevents the Zenmap graphical frontend from being created. The Zenmap graphical frontend is discussed later in the book.

--with-openssl=directoryname Nmap uses the openssl libraries to probe SSL encrypted services. Nmap will look for these libraries on your host and include the capability if they are found. If the openssl libraries are in a non-standard location or are not in the search path, then you may want to use this option to specify where the libraries are located.

--with-libpcap=directoryname Nmap uses libpcap for capturing raw IP packets. Nmap will check your system for an existing copy of libpcap that is compatible with the version being installed. Otherwise Nmap will install a copy that is included. If you want to use your own version of libpcap that you have already installed, use this option to tell Nmap where it's installed.

--with-libpcre=directoryname LibPCRE is a Perl-compatible regular expression library that is included with Nmap, but you may want to use your own version of libpcre that you have already installed. If so, use this option to tell Nmap where it's installed.

--with-libdnet=directoryname Libdnet is a library used by Nmap for sending raw ethernet frames. An Nmap-specific version is already included in the Nmap build, but if you want to use your own version installed on your system, you will need to tell Nmap where it is located by using this option. It is recommended to use the version of libdnet that is included with Nmap because it has been customized to work properly with Nmap.

--with-localdirs This parameter forces Nmap to look in /usr/local/lib and /usr/local/include for critical library and header files. This is generally not necessary, unless libraries are stored in a non-standard location.

Read full chapter: https://www.sciencedirect.com/science/article/pii/B9781597492416000030