When performing vulnerability assessments on networks, you want to know which services are in use and which versions they are running. Accurate version information greatly helps in determining which attacks a server is vulnerable to. However, keep in mind that security fixes are often backported to earlier software versions, so you cannot rely solely on the version number to prove that a server is vulnerable. False negative results are less common but can occur.
Another good reason to determine service types and version numbers is that many services use the same port number, which makes guessing the service from a port table even more inaccurate. Anyone who has done a lot of scanning also knows that services often listen on unregistered ports; without version detection these remain a complete mystery. A final problem is that filtered UDP ports often look the same as open ports to a simple port scanner. But if they respond to the service-specific probes sent by Nmap's version detection, you can be sure that they are open (and you often know exactly what is running on them).
With service enumeration, it is sometimes possible to discover information about a target in addition to the type of service and version number. This can include SSH protocol numbers, Apache modules, and much more.
Two other pieces of information that version detection can determine are the operating system and the device type. Nmap uses two techniques for this. The first is application exclusivity: if the service is identified as Microsoft Exchange, we know that the operating system is Windows, since Exchange does not run on any other platform. The second is to coax portable applications into revealing platform information; many servers (especially web servers) do not require much persuasion. This type of operating system detection is meant to complement Nmap's operating system detection (-O) and may sometimes yield different results.
Steps for service identification
- Open port: Nmap initiates scanning and detects an open port while inspecting the destination machine's network ports.
- Service identification: When an open port is detected, Nmap sends a specific query that requests a response from the service on that port. This query is designed so that only that service understands it and responds to it.
- Data analysis: When a response arrives, Nmap analyzes its content and compares it to known service information in its database.
- Service identification: Based on this analysis, Nmap identifies the type of service, for example SMTP, HTTP, or DNS.
- Version identification: In addition, Nmap tries to identify the precise version of the service. This step is based on specific strings, protocol numbers, and other identifiers that appear in the response.
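The data analysis, service identification and version identification steps above can be sketched as follows. This is an added example, not Nmap's or Hakatemia's code: the rules are constructed in the style of the match lines in Nmap's nmap-service-probes database, the helper names load_rules and identify are hypothetical, and the banners are constructed sample inputs.

```python
import re

# Constructed rules written in the style of nmap-service-probes "match" lines.
# They are simplified illustrations, not entries copied from Nmap's database.
RULES = r"""
match ssh m|^SSH-([\d.]+)-OpenSSH_([\w.]+)| p/OpenSSH/ v/$2/ i/protocol $1/
match smtp m|^220 ([\w.-]+) Microsoft ESMTP MAIL Service| p/Microsoft Exchange smtpd/ h/$1/ o/Windows/
softmatch ssh m|^SSH-([\d.]+)-| i/protocol $1/
"""

LINE = re.compile(r"^(match|softmatch) (\S+) m(.)(.*?)\3([is]*)(?: (.*))?$")
FIELD = re.compile(r"([pvihod])(.)(.*?)\2")
NAMES = {"p": "product", "v": "version", "i": "info",
         "h": "hostname", "o": "ostype", "d": "devicetype"}


def load_rules(text):
    """Parse rule lines into (kind, service, compiled regex, field templates)."""
    rules = []
    for line in filter(None, map(str.strip, text.splitlines())):
        kind, service, _, pattern, opts, info = LINE.match(line).groups()
        flags = (re.I if "i" in opts else 0) | (re.S if "s" in opts else 0)
        fields = {NAMES[k]: v for k, _, v in FIELD.findall(info or "")}
        rules.append((kind, service, re.compile(pattern, flags), fields))
    return rules


def identify(response, rules):
    """Return the first hard match, else the first softmatch, else None."""
    text = response.decode("latin-1")  # keep a 1:1 byte-to-character mapping
    soft = None
    for kind, service, regex, fields in rules:
        hit = regex.search(text)
        if not hit:
            continue
        # Replace $1, $2, ... in each template with the captured groups.
        fill = lambda m: hit.group(int(m.group(1))) or ""
        result = {k: re.sub(r"\$(\d)", fill, v) for k, v in fields.items()}
        result.update(service=service, soft=(kind == "softmatch"))
        if kind == "match":
            return result
        soft = soft or result  # service known, version not yet pinned down
    return soft


if __name__ == "__main__":
    rules = load_rules(RULES)
    # Constructed banners, not captured from any real host.
    for banner in (b"SSH-2.0-OpenSSH_9.9p1\r\n", b"SSH-2.0-dropbear_2022.83\r\n"):
        print(banner, "->", identify(banner, rules))
```

A softmatch result names the service without product or version, which is why a scanner keeps probing after one; a hard match ends the search for that port.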
What service and version of this service is running on the target machine on port 22? (remember to add the full version field to the answer).

