Saturday, December 14, 2024

Nmap Version Detection Rocks

Share

Most people have heard of Nmap, the ubiquitous portscanner and more, available at http://www.insecure.org/nmap/. Recently, a new version of Nmap was released with a new and frequently requested feature – version scanning.

Nmap-3.45 and later have the ability to test out open ports and discover what version of software is running. The older versions could only tell you what port was open, and what that port is traditionally used for. While this is a good start, it is common for people to run services on non-standard ports for a variety of reasons:

Obscurity

If your computer has port 22 open, it’s probably an ssh server. However if you ran your ssh server on a port normally skipped by nmap, such as 27011, then it may be overlooked. As always, remember my mantra — Security with obscurity is good, relying on security through obscurity is bad.

Fooling firewalls

Many firewalls will restrict to which ports it will allow you to connect. For example a Squid proxy may only allow the CONNECT method to the official HTTPS port, 443. If you have a server on the Internet to which you want to SSH through that proxy, then it would deny you access to the real SSH port, port 22. If you ran an SSH server on port 443, however, it will allow you through, no questions asked.
Another example may be a dialup ISP, which doesn’t allow you to connect directly outbound to port 25, the SMTP port. If you wanted to not relay through your ISP, but connect to your company mail server directly, you may want to run your mail server on an additional port, such as port 80.

These non-standard setups are more common than you might think, but old Nmap results would only tell you that port 80 was likely HTTP, and wouldn’t let you know if something else were listening on that port. Other tools, such as Nmap+v, or amap, were typically used to enumerate what service was actually listening on that port.

The new Nmap has the ability to test out the service directly. It has an extensive service fingerprint database, and a very fast parallel scanner. It has an efficient and effective methodology, minimising the number of tests that are required to fingerprint a service. For example if it sees a SMTP-like banner, it will first try SMTP-related tests, and only continue on to HTTP tests if those first tests fail.

It even has SSL support[1] so if a test determines that the port is SSL wrapped, it will restart the tests with full blown SSL encryption. This allows it to determine a port is POP3 inside SSL, for example.

Version detection will tell you as much as it can, including

  • The protocol in use, for example HTTP
  • The software product, for example Apache
  • The version of the software, for example Apache 1.3.27
  • Any other subversion information, such as contains PHP 4.3.2

To get version detection, you need to include the -sV flag to nmap. Alternatively, if you want the whole kitchen sink of options, you can use the -A argument, which will enable OS detection and everything else you could possibly want.

One important thing to note — version detection will end up creating full blown TCP connections, three-way handshake and all. This means that you will not be operating in a stealthy mode!

Here’s a snippet of the new output:

Let’s look at that output a line at a time:

PORT STATE SERVICE VERSION
21/tcp open ftp?

Nmap was unable to determine what was running on port 21. It lists the port as ‘ftp?’ to tell you what’s traditionally on this port, but no guarantees that it’s FTP at all.

22/tcp open ssh OpenSSH 3.7.1p1 (Protocol 1.99)

Here’s an example of a successful version string. Nmap was able to determine that it’s definitively running OpenSSH version 3.7.1p1[3], and accepts both SSH protocol 1 and 2, which you can glean from the Protocol 1.99 section.

25/tcp open smtp

Port 25 is an SMTP server, as noted by the fact that the service name stmp does not have a question mark at the end. However Nmap was unable to determine exactly which SMTP server software was running, so the version field is empty.

Here we see a machine that is giving out lots of unnecessary information. Port 80 and 443 is running an HTTP server, in this case Apache 1.3.27, and tells us a lot about the modules currently in use — mod_gzip, mod_ssl PHP and it uses OpenSSL version 0.9.7a. Note that port 80 is cleartext HTTP, as noted by the service name http, while port 443 is SSL-encrypted HTTP, aka HTTPS, as noted by the service name ssl/http.

Similarly, we have both an SSLified[4] imap and pop3 server running.

8888/tcp open ssl/unknown

Lastly, we have here some port that is running an SSL server, but the service being protected is not known.[5]

1 service unrecognised despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi

This last part should be somewhat familiar to anyone who has used Nmap OS detection. Although the version scanning tests did not determine what was running on port 25 for sure, it did get enough information that you could submit back to insecure.org to let future versions recognise the service. If you know what’s running on this port[6], then you can submit this fingerprint at the URL that’s listed.

I’m very excited about the new version of Nmap. If you haven’t checked it out yet, do so, and submit back any fingerprints you can!

For more information about the internals of Nmap’s version scanning, you might want to check out Fyodor’s version scanning article at http://www.insecure.org/nmap/versionscan.html.

NOTES:

[1] I helped implement the SSL support, so you’ll excuse me if I pat myself on the back for this one. While there are many Open Source projects out there where my code appears, this is by far the most cool one.

[2] Hello, Verisign!

[3] Whoops – someone should upgrade this to 3.7.1p2, since the p1 had some bad PAM code built in that is vulnerable…

[4] You’ll note that I said they are SSL enabled, I did not call them secure. While one, the Openwall popa3d server, is a superb and secure product, UW Imapd doesn’t instill confidence in me.

[5] The service was the following, if you’re curious:

$ stunnel -d localhost:8888 -l /bin/echo -- echo Hello Fyodor

[6] In this case, it’s Postfix with a custom ESMTP banner, which I use at every occasion.

Click here to sign up for FREE B2B newsletters from Murdok!

Brian Hatch is Chief Hacker at Onsight, Inc and author of
Hacking Linux Exposed
and Building Linux VPNs.
Brian can be reached at brian@hackinglinuxexposed.com.

Table of contents

Read more

Local News