Fingerprinting services of a remote host
Version detection is one of the most popular features of Nmap. Knowing the exact version of a service is highly valuable for penetration testers who use this service to look for security vulnerabilities, and for system administrators who wish to monitor their networks for any unauthorized changes. Fingerprinting a service may also reveal additional information about a target, such as available modules and specific protocol information.
This recipe describes how to fingerprint the services of a remote host by using Nmap.
How to do it...
Open a terminal and type the following command:
$ nmap -sV scanme.nmap.org
The result of this command is a table containing an additional column named VERSION, displaying the specific service version, if identified. Additional information will be enclosed in parenthesis. Refer to the following screenshot:
How it works...
The flag -sV
enables service detection, which returns additional service and version information.
Service detection is one of the most loved features of Nmap, as it's very useful in many situations such as identifying security vulnerabilities or making sure a service is running on a given port.
This feature basically works by sending different probes from nmap-service-probes
to the list of suspected open ports. The probes are selected based on how likely it is that they can be used to identify a service.
There is very detailed documentation on how the service detection mode works, and the file formats used, at http://nmap.org/book/vscan.html.
There's more...
You can set the amount of probes to use by changing the intensity level of the scan with the argument –-version-intensity [0-9]
, as follows:
# nmap -sV –-version-intensity 9
Nmap has a special flag to activate aggressive detection, namely -A
. Aggressive mode enables OS detection (-O
), version detection (-sV
), script scanning (-sC
), and traceroute (--traceroute
). Needless to say this mode sends a lot more probes and it is more likely to be detected, but provides a lot of valuable host information. You can see this by using one of the following commands:
# nmap -A <target>
Or
# nmap -sC -sV -O <target>
Nmap's accuracy comes from a database that has been collected over the years through user submissions. It is very important that we help keep this database up-to-date. If Nmap does not identify the service correctly, please submit your new service fingerprint or correction to http://insecure.org/cgi-bin/submit.cgi?.
See also
- The Listing open ports on a remote host recipe
- The Finding live hosts in your network recipe
- The Scanning using specific port ranges recipe
- The Scanning using a specified network interface recipe
- The Managing multiple scanning profiles with Zenmap recipe
- The Monitoring servers remotely with Nmap and Ndiff recipe
- The Hiding our traffic with additional random data recipe in Chapter 2, Network Exploration
- The Scanning IPv6 addresses recipe in Chapter 2, Network Exploration
- The Getting information from WHOIS records recipe in Chapter 3, Gathering Additional Host Information
- The Brute forcing DNS records recipe in Chapter 3, Gathering Additional Host Information
- The Fingerprinting the operative system of a host recipe in Chapter 3, Gathering Additional Host Information