Determine service version

You can use Nmap to determine the version of the software the target is running. This is particulary useful when doing vulnerability assessments, since you really want to know, for example, which mail and DNS servers and versions are running, and having an accurate version helps dramatically in determining which exploits a server is vulnerable to.

You can determine a lot of information using service scans, including:

  • the service protocol (e.g. FTP, SSH, Telnet, HTTP).
  • the application name (e.g. BIND, Apache httpd).
  • the version number.
  • hostname.
  • device type (e.g. printer, router).
  • the OS family (e.g. Windows, Linux).

To run a service version scan, use the -sV flags:

 root@kali:~# nmap -sV 192.168.5.102
Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-03 20:07 CET
 Nmap scan report for 192.168.5.102
 Host is up (1.0s latency).
 Not shown: 977 closed ports
 PORT STATE SERVICE VERSION
 21/tcp open ftp Microsoft ftpd
 53/tcp open domain Microsoft DNS
 80/tcp open http Microsoft IIS httpd 8.0
 88/tcp open kerberos-sec Windows 2003 Kerberos (server time: 2016-03-03 19:09:38Z)
 111/tcp open rpcbind?
 135/tcp open msrpc Microsoft Windows RPC
 139/tcp open netbios-ssn Microsoft Windows 98 netbios-ssn
 389/tcp open ldap
 445/tcp open microsoft-ds (primary domain: MYDOMAIN)
 464/tcp open kpasswd5?
 514/tcp filtered shell
 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
 636/tcp open tcpwrapped
 2049/tcp open mountd 1-3 (RPC #100005)
 3260/tcp open tcpwrapped
 3268/tcp open ldap
 3269/tcp open tcpwrapped
 49152/tcp open msrpc Microsoft Windows RPC
 49153/tcp open msrpc Microsoft Windows RPC
 49154/tcp open msrpc Microsoft Windows RPC
 49155/tcp open msrpc Microsoft Windows RPC
 49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
 49158/tcp open msrpc Microsoft Windows RPC
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
 Nmap done: 1 IP address (1 host up) scanned in 186.76 seconds

Notice how we got more information about a service on the open ports, including the service version. This information is very useful if you are looking for vulnerabilities in certain versions of software.

 

Geek University 2021