
Nmap: Scan All the Things (Part Four: Detection, Finding All the Things!)

Updated: Jan 8



Introduction


In this final post of my Nmap series "Nmap: Scan All the Things", I am going to end the series by covering Nmap's detection methods and how to use their output. I will cover Nmap's version detection and explain what version detection is. OS detection capabilities will also be reviewed. If you're interested in cybersecurity, please regularly check back on Cyb3r-S3c and check out my YouTube channel, Cyb3r_0verWatch, for more informative content. You can watch the accompanying video here (https://youtu.be/xkNDGHDhZD4).



Version Detection


Nmap's primary function is port scanning, where it can identify open ports on a remote machine and determine the services that might be running on them using its nmap-services database of over 2,200 well-known services. However, relying solely on this information can be risky as people may run services on unconventional ports or choose ports based on firewall restrictions.

When performing vulnerability assessments or network inventories, it's crucial to identify the specific mail and DNS servers and versions being used. This information is helpful in determining which exploits a server is vulnerable to, although security fixes are often back-ported to earlier versions of software. Additionally, determining the service types and version numbers is important as multiple services can share the same port number.

Nmap's version detection feature can reveal other information about the target, including the "info" field that may contain SSH protocol numbers or Apache modules. It can also uncover configured hostnames and device types, as well as the operating system. Nmap obtains all of this data by connecting to open ports and using probes to interrogate the services for more information. By doing so, Nmap provides a detailed assessment of what is running on the target, beyond just identifying open ports.


Version Detection in a Nutshell

Nmap scans open or open|filtered TCP and/or UDP ports to identify the services running on them. It first checks if the port is excluded, and then establishes a TCP connection to the open port. If the connection is successful, Nmap listens for about five seconds for a welcome banner. If a response is received, Nmap compares it with the 3,000 NULL probe signatures in its nmap-service-probes file. If a match is found, the service is identified, and the scanning for that port stops.

For UDP ports, Nmap sequentially executes a list of probes that match the port being scanned. Responses are compared to signature regular expressions, and a match ends the processing for the remote service. If a response is received from an open|filtered UDP port, the state is changed to open. Nmap utilizes several automatic techniques to speed up scans. It uses generic probes that match many services and tries only those probes that can potentially match a softmatched service.
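To make the NULL-probe matching described above concrete, here is an added Python example (not code from this post or from Nmap itself) that reads a few constructed match lines written in nmap-service-probes syntax and runs them over constructed banners; the signatures, banners and the simplified field handling are all my own samples.

```python
import re

# Constructed signatures in nmap-service-probes "match" syntax (written for this example):
#   match <service> m<delim>regex<delim>[flags] [p/product/] [v/version/] [i/info/]
SIGNATURES = r"""
match ssh m|^SSH-([\d.]+)-OpenSSH_([\w._-]+)| p/OpenSSH/ v/$2/ i/protocol $1/
match http m|^HTTP/1\.[01] \d+ .*\r\nServer: Apache/([\w._-]+)|s p/Apache httpd/ v/$1/
match ftp m|^220 ProFTPD ([\d.]+) Server| p/ProFTPD/ v/$1/
"""

FIELD_RE = re.compile(r"\b([pvihod])/([^/]*)/")
FIELD_NAMES = {"p": "product", "v": "version", "i": "info",
               "h": "hostname", "o": "os", "d": "devicetype"}

def parse_signatures(text):
    """Turn match lines into (service, compiled regex, version-field string)."""
    sigs = []
    for line in text.splitlines():
        if not line.startswith("match "):
            continue
        _, service, rest = line.split(" ", 2)
        delim = rest[1]                      # character right after the leading 'm'
        end = rest.index(delim, 2)           # closing delimiter of the regex
        flags_str, _, fields = rest[end + 1:].partition(" ")
        flags = (re.S if "s" in flags_str else 0) | (re.I if "i" in flags_str else 0)
        sigs.append((service, re.compile(rest[2:end], flags), fields))
    return sigs

def identify(banner, sigs):
    """Return the first matching signature as a dict, or None.
    Like Nmap, matching stops at the first hit, so signature order matters."""
    for service, regex, fields in sigs:
        m = regex.search(banner)
        if not m:
            continue
        result = {"service": service}
        for key, value in FIELD_RE.findall(fields):
            # Expand $1, $2, ... with the regex capture groups
            result[FIELD_NAMES[key]] = re.sub(r"\$(\d+)",
                                              lambda g: m.group(int(g.group(1))), value)
        return result
    return None

SIGS = parse_signatures(SIGNATURES)

if __name__ == "__main__":
    # Constructed banners, as a service might send them right after connect
    print(identify("SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1\r\n", SIGS))
    print(identify("HTTP/1.1 200 OK\r\nServer: Apache/2.4.52 (Ubuntu)\r\n\r\n", SIGS))
```

A banner that matches nothing (for example an unknown SMTP greeting) returns None, which is the case where Nmap would move on to its other probes.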



Version Detection Parameters
  • Version Scan (-sV): Instructs Nmap to perform service version detection as part of its scanning process. Service version detection is the process of determining the specific version of the software running on a particular service, such as a web server or an FTP server, by analyzing its response to various probes sent by Nmap.

  • Aggressive (-A): Nmap will perform OS and version detection, script scanning, and traceroute. It is essentially a combination of several other flags that enable more comprehensive and intrusive scanning techniques. This option is very loud: it generates a lot of traffic that the target's defenders can easily notice.



OS Detection


Nmap's OS detection capabilities are extensive, with a vast database of heuristics that can identify thousands of different systems based on how they respond to a selection of TCP/IP probes. Additionally, Nmap's version detection feature includes a system that interrogates open TCP or UDP ports to determine device type and OS details. These two systems work together to provide comprehensive and accurate results.

The results of the OS and version detection are reported separately, allowing you to easily identify combinations of systems, such as a Checkpoint firewall forwarding port 80 to a Windows IIS server. With these powerful capabilities, Nmap is a valuable tool for network administrators looking to gain insight into their network infrastructure.


  • Device Type: Nmap's fingerprinting capability allows for the identification of devices based on how they respond to certain probes. Each fingerprint is assigned one or more high-level device types such as routers, printers, firewalls, or general-purpose devices. These device types are further detailed in the "Device and OS classification (Class lines)" section. In some cases, a device may fall under multiple categories, which will be separated by the pipe symbol, as shown in the example "Device Type: router|firewall".

  • Running: Provides information related to the OS classification scheme and shows the OS Family and OS generation, if available. When Nmap cannot accurately identify the OS generation, it shows multiple options separated by the pipe symbol ('|'). If Nmap finds too many OS families to print concisely, it will omit this line. When there are no perfect matches, Nmap changes the field to Running (JUST GUESSING) and adds an accuracy percentage (100% is a perfect match) in parentheses after each candidate family name. If no fingerprints are close matches, the line is omitted.

  • OS CPE: Displays a Common Platform Enumeration (CPE) representation of the operating system if it is available. The CPE is a standardized way to identify software applications and operating systems. The OS CPE begins with the prefix "cpe:/o" followed by the vendor name, product name, and version. In addition to the operating system, there may also be a CPE representation of the hardware type, which begins with the prefix "cpe:/h". This can help to identify the specific type of hardware that is running the operating system.

  • OS Details: Provides a detailed description of each fingerprint that has been matched. Unlike the Device type and Running lines, which are predefined lists that are easy for computers to parse, the OS details line contains free-form data that is useful for human readers. This information can include more precise version numbers, device models, and specific architectures associated with a particular fingerprint.

  • Uptime Guess: This is a rough estimation of how long the target system has been running, based on the TCP timestamp option algorithm used for OS detection. Nmap sends several SYN/ACK TCP packets and looks at the headers for a timestamp option. The increment rate of the timestamp option is used to determine the current values and rate of increase, and simple linear extrapolation is used to estimate the boot time. However, the accuracy of this estimate can be affected by various factors, such as operating systems that do not start the timestamp counter at zero or that eventually overflow and wrap around. Therefore, the uptime guess is labeled a "guess" and is only printed in verbose mode if it is available and seems reasonable. The line is omitted if the target does not reply or if Nmap cannot discern the timestamp increment rate.

  • Network Distance: Network distance is a measurement of the number of hops between the scanning machine and the target host. The hop count is calculated based on the number of routers that are encountered on the path between the two devices. When scanning a machine on the same network segment, the network distance is one. If the target is located on a different network, the network distance will be higher, with each additional router adding one to the hop count. It's important to note that the network distance is only computed if Nmap receives a response to the relevant probe. If no response is received, the Network Distance line is omitted from the output.

  • TCP Sequence Prediction: Describes the ISN generation algorithm used by the target; the difficulty value is a rough estimate of how hard the system makes blind IP spoofing (0 is the easiest). The parenthesized comment is based on the difficulty index and ranges from "Trivial joke" to "Easy", "Medium", "Formidable", "Worthy challenge", and finally "Good luck!". Further details about sequence tests are provided in the section called "TCP ISN greatest common divisor (GCD)".

  • IP ID Sequence Generation: Describes the algorithm used by the target host to generate the IP ID field. Nmap classifies the IP ID generation algorithm into three categories:
      ◦ "Incremental" (TI): the IP ID field is incremented by 1 for each successive packet sent by the system. This algorithm is vulnerable to idle scan attacks and can be abused for other malicious purposes.
      ◦ "Constant" (CI): the IP ID field remains constant for all packets sent by the system. This algorithm is less vulnerable to idle scan attacks but can still reveal information about the system's traffic levels.
      ◦ "Incremental with a large initial value" (II): the IP ID field starts at a large random value and increments by 1 for each successive packet sent by the system. This algorithm is more secure than the incremental algorithm but can still reveal some information about the system's traffic levels.
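As an added example (not from this post or from the Nmap project), the Python below parses a constructed OS-detection block in Nmap's normal-output format into the fields listed above and raises the two predictability findings the list describes; the sample output, its CPE strings and the finding messages are constructed for illustration.

```python
import re
# Constructed Nmap normal-output OS block (sample only, not a real scan result)
SAMPLE_OUTPUT = """\
Device type: general purpose|router
Running (JUST GUESSING): Linux 4.X|5.X (93%), MikroTik RouterOS 6.X (86%)
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/h:mikrotik:rb750
OS details: Linux 4.15 - 5.6
Uptime guess: 12.456 days (since Mon Jan  1 08:00:00 2024)
Network Distance: 3 hops
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: Incremental
"""

def parse_os_block(text):
    out = {}
    for line in text.splitlines():
        key, _, value = line.partition(": ")
        value = value.strip()
        if key == "Device type":
            out["device_types"] = value.split("|")        # several classes may apply
        elif key.startswith("Running"):
            out["guessing"] = "JUST GUESSING" in key
            out["running"] = []
            for item in value.split(", "):
                m = re.match(r"(.+?)(?: \((\d+)%\))?$", item)
                accuracy = int(m.group(2)) if m.group(2) else 100   # no % means perfect match
                out["running"].append({"family": m.group(1), "accuracy": accuracy})
        elif key == "OS CPE":
            out["cpe"] = value.split()                    # cpe:/o = OS, cpe:/h = hardware
        elif key == "OS details":
            out["os_details"] = value
        elif key == "Uptime guess":
            out["uptime_days"] = float(value.split()[0])
        elif key == "Network Distance":
            out["hops"] = int(value.split()[0])
        elif key == "TCP Sequence Prediction":
            m = re.match(r"Difficulty=(\d+) \((.+)\)", value)
            out["isn_difficulty"], out["isn_comment"] = int(m.group(1)), m.group(2)
        elif key == "IP ID Sequence Generation":
            out["ipid_class"] = value
    return out

def predictability_findings(parsed):
    # Defender-side checks derived from the two sequence lines
    findings = []
    if parsed.get("ipid_class") == "Incremental":
        findings.append("IP ID is incremental: host can serve as an idle-scan zombie")
    if parsed.get("isn_comment") in ("Trivial joke", "Easy"):
        findings.append("ISN generation is weak: blind TCP spoofing is feasible")
    return findings
```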



Conclusion

I want to thank you for watching this video on the Cyb3r_0verwatch channel. If you find this content informative and you are interested in IT, specifically cybersecurity, please like and subscribe to the Cyb3r-0verwatch channel. Nmap is a powerful and versatile network scanner that can provide a lot of useful information about network hosts and their services. However, like any tool, it is important to understand how to use it properly before diving in. In this video, I provided an overview of the various aspects of Nmap. When using Nmap, it is important to start with a basic understanding of the tool and its capabilities, and to gradually build on that knowledge. Reading the documentation and tutorials provided on Nmap.org, as well as practicing on test networks, can help you gain the knowledge and experience needed to use Nmap effectively and responsibly. Additionally, it is important to note that Nmap should only be used on networks that you have permission to scan. Unauthorized scanning of networks can be illegal and can result in serious consequences.


The information discussed in this video is gathered from my experience and research. Use the information I've provided in whatever way best assists you. If you have any questions or would like guidance, please feel free to leave a question in the comments, or send me a message via the contact form on the Cyb3r-S3c website listed in the description. See you next time; until then, keep learning. The only way to improve is to keep learning.


Signing Off,

Pragmat1c_0n3
