Determine service version
You can use Nmap to determine the version of the software the target is running. This is particulary useful when doing vulnerability assessments, since you really want to know, for example, which mail and DNS servers and versions are running, and having an accurate version helps dramatically in determining which exploits a server is vulnerable to.
You can determine a lot of information using service scans, including:
- the service protocol (e.g. FTP, SSH, Telnet, HTTP).
- the application name (e.g. BIND, Apache httpd).
- the version number.
- hostname.
- device type (e.g. printer, router).
- the OS family (e.g. Windows, Linux).
To run a service version scan, use the -sV flags:
root@kali:~# nmap -sV 192.168.5.102 Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-03 20:07 CET Nmap scan report for 192.168.5.102 Host is up (1.0s latency). Not shown: 977 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp Microsoft ftpd 53/tcp open domain Microsoft DNS 80/tcp open http Microsoft IIS httpd 8.0 88/tcp open kerberos-sec Windows 2003 Kerberos (server time: 2016-03-03 19:09:38Z) 111/tcp open rpcbind? 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows 98 netbios-ssn 389/tcp open ldap 445/tcp open microsoft-ds (primary domain: MYDOMAIN) 464/tcp open kpasswd5? 514/tcp filtered shell 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 2049/tcp open mountd 1-3 (RPC #100005) 3260/tcp open tcpwrapped 3268/tcp open ldap 3269/tcp open tcpwrapped 49152/tcp open msrpc Microsoft Windows RPC 49153/tcp open msrpc Microsoft Windows RPC 49154/tcp open msrpc Microsoft Windows RPC 49155/tcp open msrpc Microsoft Windows RPC 49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 49158/tcp open msrpc Microsoft Windows RPC Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 186.76 seconds
Notice how we got more information about a service on the open ports, including the service version. This information is very useful if you are looking for vulnerabilities in certain versions of software.
