Thursday, 18 February 2016

Information gathering using nmap

SERVICE VERSION DETECTION

So far I have discussed how to figure out which services are running on a certain port. In this section, I use nmap to find the exact version of the service running on a port; this could help us look for potential exploits for that particular version of the service.
Nmap has a database named nmap-services that contains more than 2200 well-known services. Service version detection is performed by passing the -sV parameter to nmap.
Command:
nmap -sV <target IP>
[figure: sample output of nmap -sV]

OS FINGERPRINTING

Nmap has a huge OS fingerprinting database with more than 2600 OS fingerprints. It sends TCP and UDP packets to the target machine, and the response that is received is compared with the database. If the fingerprint matches, it displays the results.
Command:
nmap -O <target IP>
The sample output looks as follows:
[figure: sample output of nmap -O]
Nmap also has other options for OS guessing, such as --osscan-limit, which limits detection to a few, more promising targets and so saves a lot of time. The second is --osscan-guess, which guesses in a more aggressive manner. You can also use a single command to perform both OS and service version detection:
nmap -n -A -T5 <target IP>
The -n and -T5 parameters speed up the scan, but keep in mind that OS detection and service detection are very loud at the other end and are often easily detected by IDS and IPS.
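To show what that loudness looks like from the target's side, here is an added example (not from the original post) of a small port-scan detector run over a constructed connection log. The log format, the threshold values and the sample lines are all assumptions made for this example; a real firewall or NetFlow export would need its own parse_line().

```python
# Added example (not from the original post): a minimal port-scan detector
# showing what the "loud" -O / -sV / -A probes look like from the target's
# side. The log format below is constructed for this example:
#   "<epoch seconds> <src ip> <dst ip> <dst port> <proto>"
# Real firewall or NetFlow exports differ; adapt parse_line() to them.
from collections import defaultdict

# Constructed sample log: 10.0.0.5 touches twelve ports on one host within a
# few seconds (typical of a version/OS scan); 10.0.0.9 is a normal client that
# repeatedly talks to a single web service.
SAMPLE_LOG = """\
1455800000 10.0.0.5 192.168.15.1 22 tcp
1455800000 10.0.0.5 192.168.15.1 80 tcp
1455800001 10.0.0.5 192.168.15.1 443 tcp
1455800001 10.0.0.5 192.168.15.1 135 tcp
1455800002 10.0.0.5 192.168.15.1 139 tcp
1455800002 10.0.0.5 192.168.15.1 445 tcp
1455800003 10.0.0.5 192.168.15.1 3389 tcp
1455800003 10.0.0.5 192.168.15.1 8080 tcp
1455800004 10.0.0.5 192.168.15.1 53 udp
1455800004 10.0.0.5 192.168.15.1 161 udp
1455800005 10.0.0.5 192.168.15.1 1025 tcp
1455800005 10.0.0.5 192.168.15.1 5900 tcp
1455800000 10.0.0.9 192.168.15.1 80 tcp
1455800030 10.0.0.9 192.168.15.1 80 tcp
1455800060 10.0.0.9 192.168.15.1 80 tcp
"""


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, src, dst, port, proto = line.split()
    return int(ts), src, dst, int(port), proto


def detect_scanners(log_text, window=10, port_threshold=10):
    """Return {(src, dst): max distinct (port, proto) count} for sources that
    touched more than port_threshold distinct ports on one host within any
    window-second interval. Normal clients hit one or two ports and stay
    below the threshold."""
    events = defaultdict(list)  # (src, dst) -> [(ts, (port, proto)), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto = parse_line(line)
        events[(src, dst)].append((ts, (port, proto)))

    alerts = {}
    for key, evs in events.items():
        evs.sort()  # sliding window needs time order
        for i, (t0, _) in enumerate(evs):
            seen = set()
            for t, endpoint in evs[i:]:
                if t - t0 > window:
                    break
                seen.add(endpoint)
            if len(seen) > port_threshold:
                alerts[key] = max(alerts.get(key, 0), len(seen))
    return alerts


if __name__ == "__main__":
    for (src, dst), n in detect_scanners(SAMPLE_LOG).items():
        print(f"possible scan: {src} -> {dst}, {n} distinct ports in 10s")
```

The threshold and window are the knobs a defender tunes: a version scan against a single host with default port selection touches far more distinct ports than any legitimate client, so even this crude sliding-window count separates the two sources in the sample.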

P0F

p0f stands for passive OS fingerprinting. As the name suggests, it does not directly engage with the target while performing OS fingerprinting; it monitors traffic and tries to identify the TCP stack, and based on the TCP stack type, it figures out the type of OS.
The following paragraph from the official documentation describes the capabilities of p0f:
Common uses for p0f include reconnaissance during penetration tests; routine network monitoring; detection of unauthorized network interconnects in corporate environments; providing signals for abuse-prevention tools; and miscellaneous forensics.
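The principle behind passive fingerprinting, as an added illustration that is not p0f's own code: a sensor never sends a packet, it only reads fields of captured SYNs (TTL, window size, DF flag, option order) and matches them against a signature table. The SynObservation class, the signature values and the 3-of-4 scoring rule below are simplifications constructed for this example; real p0f signatures in its p0f.fp database are far richer.

```python
# Added example (not p0f's code): a deliberately simplified passive OS
# fingerprinter to illustrate the principle described above. The signature
# table is constructed for illustration; p0f's real signatures carry many
# more fields (MSS, window scaling, quirks) and live in its p0f.fp database.
from dataclasses import dataclass


@dataclass(frozen=True)
class SynObservation:
    """Fields a passive sensor reads from a captured TCP SYN (nothing is sent)."""
    ttl: int            # IP TTL as seen on the wire
    window: int         # TCP window size
    df: bool            # IP Don't-Fragment flag
    options: tuple      # TCP option kinds in the order they appeared


# Constructed signatures: (initial TTL, window, DF, options) -> label.
# Typical defaults used for illustration only, not authoritative values.
SIGNATURES = [
    ((64, 29200, True, ("mss", "sackOK", "ts", "nop", "wscale")),
     "Linux (illustrative)"),
    ((128, 8192, True, ("mss", "nop", "wscale", "nop", "nop", "sackOK")),
     "Windows (illustrative)"),
    ((64, 65535, True, ("mss", "nop", "wscale", "nop", "nop", "ts", "sackOK", "eol")),
     "macOS/BSD-like (illustrative)"),
]


def initial_ttl(observed_ttl):
    """Round the observed TTL up to the nearest common initial value; each
    router hop decrements it, so hops = initial - observed."""
    for candidate in (32, 64, 128, 255):
        if observed_ttl <= candidate:
            return candidate
    return 255


def fingerprint(obs):
    """Return (label, hop_count). A signature must agree on at least three
    of the four fields; otherwise the stack is reported as unknown."""
    init = initial_ttl(obs.ttl)
    hops = init - obs.ttl
    best_label, best_score = "unknown", 0
    for (sig_ttl, sig_win, sig_df, sig_opts), label in SIGNATURES:
        score = sum([sig_ttl == init,
                     sig_win == obs.window,
                     sig_df == obs.df,
                     sig_opts == obs.options])
        if score > best_score:
            best_label, best_score = label, score
    if best_score < 3:
        return "unknown", hops
    return best_label, hops


if __name__ == "__main__":
    syn = SynObservation(ttl=61, window=29200, df=True,
                         options=("mss", "sackOK", "ts", "nop", "wscale"))
    print(fingerprint(syn))
```

Because nothing is transmitted, this kind of sensor is what the quoted documentation means by routine network monitoring and detecting unauthorized interconnects: a host whose stack fingerprint does not match the device class expected on that network segment stands out without any active probing.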

OUTPUT

Nmap has various options for presenting its output in a user-friendly, readable form. It supports several output formats, which allow us to filter results such as open ports, closed ports, and hosts.
The three popular formats are discussed briefly next.
Normal Format
Greppable Format
XML Format

NORMAL FORMAT

The normal format writes nmap's results to a plain text file. Here is an example of a simple SYN scan whose results are written to a file named rafay.txt.
nmap -sS -Pn <target IP> -oN rafay.txt
[figure: sample output of the scan written to rafay.txt]

GREPABLE FORMAT

In Unix-based operating systems, we have a very useful command, grep, which can search for specific results such as ports and hosts. With the grepable format, the results are presented with one host per line.
Example:
nmap -sS 192.168.15.1 -oG rafay
[figure: grepable output written to the file rafay]
This command saves the output in the grepable format, which is one host per line.
The following command will highlight all the ports that are open, which in this case is only port 80.
[figure: the grep command and its output]

XML FORMAT

The XML format is by far the most useful output format in nmap, because the XML output it generates can be easily imported into the Dradis framework and Armitage.
Example
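As an added example (not from the original post or from the nmap project), here is a parser for both the grepable section above and the XML format, reading each into the same (host, port, protocol, state, service, version) tuples so that one "open ports only" filter serves either. The two sample outputs are constructed to mirror the field layout nmap writes with -oG and -oX; the function names, the filename rafay and the service versions shown are assumptions for this example.

```python
# Added example (not from the original post or the nmap project): parse the
# grepable (-oG) and XML (-oX) formats into one common structure, so the
# same filtering code, e.g. "only open ports", works on either. Both samples
# are constructed for this example and mirror real nmap field layout.
import xml.etree.ElementTree as ET

# Constructed -oG output. Port entries have seven slash-separated fields:
#   port/state/protocol/owner/service/rpc info/version/
SAMPLE_GNMAP = """\
# Nmap scan initiated as: nmap -sS -sV -oG rafay 192.168.15.1
Host: 192.168.15.1 ()\tStatus: Up
Host: 192.168.15.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 6.6.1p1/, 80/open/tcp//http//Apache httpd 2.4.7/, 443/closed/tcp//https///\tIgnored State: filtered (997)
# Nmap done -- 1 IP address (1 host up) scanned
"""

# Constructed -oX output for the same scan.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX rafay.xml 192.168.15.1">
<host><status state="up"/>
<address addr="192.168.15.1" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="6.6.1p1"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.7"/></port>
<port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
</ports></host></nmaprun>
"""


def parse_gnmap(text):
    """Return [(host, port, proto, state, service, version), ...] from -oG text."""
    results = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip "# Nmap ..." header/footer lines
        fields = dict(f.split(": ", 1) for f in line.split("\t"))
        host = fields["Host"].split()[0]
        if "Ports" not in fields:
            continue  # "Status: Up" lines carry no port data
        for entry in fields["Ports"].split(", "):
            port, state, proto, _owner, service, _rpc, version = entry.split("/")[:7]
            results.append((host, int(port), proto, state, service, version))
    return results


def parse_xml(text):
    """Return the same tuples from -oX text; version = product + version."""
    results = []
    for host in ET.fromstring(text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        for port in host.iter("port"):
            state = port.find("state").get("state")
            svc = port.find("service")
            service = svc.get("name", "") if svc is not None else ""
            version = ""
            if svc is not None:
                version = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
            results.append((ip, int(port.get("portid")), port.get("protocol"), state, service, version))
    return results


def open_ports(results):
    """The filter the grep example above performs by hand: open ports only."""
    return [r for r in results if r[3] == "open"]


if __name__ == "__main__":
    for host, port, proto, state, service, version in open_ports(parse_xml(SAMPLE_XML)):
        print(f"{host} {port}/{proto} {service} {version}".rstrip())
```

The XML parser is the one worth keeping: the grepable format is convenient for a quick grep but is documented by nmap as deprecated for new work, and tools such as Dradis and Armitage consume the XML, which also carries the -sV product and version strings as separate attributes instead of one free-text field.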
