{"id":13007,"date":"2019-10-14T10:49:30","date_gmt":"2019-10-14T08:49:30","guid":{"rendered":"https:\/\/www.viafirma.com\/blog-xnoccio\/?p=13007"},"modified":"2025-11-10T14:07:57","modified_gmt":"2025-11-10T13:07:57","slug":"identification-services-nmap","status":"publish","type":"post","link":"https:\/\/www.viafirma.com\/en\/identification-services-nmap\/","title":{"rendered":"Ethical hacking: identification of services with nmap"},"content":{"rendered":"\r\n<p class=\"has-text-align-center\"><em> In the <a href=\"https:\/\/www.viafirma.com\/en\/identification-services-nmap\/\">previous ethical hacking post<\/a>, we briefly explained several options to obtain an enumeration of IP addresses and subdomains when performing an ethical hacking process. If you liked that &#8220;this is very safe because who will know that this subdomain exists&#8221; (although you can not believe it, it is more common than it seems), do not miss how the &#8220;who will know that I put this service on this port with such a strange number&#8221; ends badly &#8230; Let&#8217;s talk about service identification with nmap.<\/em><\/p>\r\n\r\n\r\n\r\n<p><!--more--><\/p>\r\n\r\n\r\n\r\n<p>In short, in this post we will try to see how it is possible to make an inventory of open ports on an IP or range of IPs, and even identify the technology underneath an open port, when possible.<\/p>\r\n\r\n\r\n\r\n<p>Basically this post is going to focus on the use of a fantastic and essential tool, <strong><em>nmap<\/em><\/strong>. 
Although it is a tool typically used in Linux (and of course included in the reference suite I use in these posts, Kali), you can already find <a href=\"https:\/\/nmap.org\/download\" target=\"_blank\" rel=\"noopener\">builds for other operating systems.<\/a><\/p>\r\n\r\n\r\n\r\n<p>Before getting into the nitty-gritty, we would like to warn you that <em>nmap<\/em> is a complex and complete tool, with a huge number of options, parameters, etc.; this post is not intended to be a manual for using the tool but again an introduction to it in order to understand the identification of services as a phase of ethical hacking prior to the detection of vulnerabilities. To learn more about the tool, we recommend reading its <a href=\"https:\/\/nmap.org\/book\/man.html\" target=\"_blank\" rel=\"noopener\">manual<\/a>.<\/p>\r\n\r\n\r\n\r\n<p>The<em> Open Source tool<\/em> nmap allows us to perform network and port scans, being able to scan a single destination, a range, a list of IPs&#8230; it is based on TCP, UDP, ICMP, SCTP, etc. requests and incorporates several scanning techniques.<\/p>\r\n\r\n\r\n\r\n<p>In general, we recommend refreshing some knowledge about transport protocols, for example by remembering how the establishment of a TCP connection works with negotiation in three steps: first, a SYN-type call from the client to a port, an RST response if the port is closed or SYN-ACK if it is open, and the ACK from the client to the server to complete the process. nmap will rely on these types of messages to determine whether or not a port is listening on the destination.<\/p>\r\n\r\n\r\n\r\n<p>Sometimes this cannot be used, or is detected by the remote server, and there are other alternatives for scanning.<\/p>\r\n\r\n\r\n\r\n<h2 class=\"wp-block-heading\">General syntax and first scan<\/h2>\r\n\r\n\r\n\r\n<p>General syntax:<\/p>\r\n\r\n\r\n\r\n<pre><code>\r\nnmap [Scan Type ...] 
[Options] {target specification}\r\n<\/code><\/pre>\r\n\r\n\r\n\r\n<p>Next, we proceed to perform the first scan:<\/p>\r\n\r\n\r\n\r\n<p>We execute the command:<\/p>\r\n\r\n\r\n\r\n<pre><code>\r\nnmap 45.33.49.119\r\n<\/code><\/pre>\r\n\r\n\r\n\r\n<p>We are not setting any type of scan, so it uses the default scan, TCP SYN. nmap sends a SYN and assumes the port is open if it receives a SYN-ACK. There are also no additional option parameters, and as a destination there is a single IP. This command will give us a result similar to the following:<\/p>\r\n\r\n\r\n\r\n<pre><code>\r\nStarting Nmap 7.70 ( https:\/\/nmap.org ) at 2019-10-01 18:12 CEST\r\nNmap scan report for ack.nmap.org (45.33.49.119)\r\nHost is up (0.19s latency).\r\nNot shown: 993 filtered ports\r\nPORT      STATE  SERVICE\r\n22\/tcp    open   ssh\r\n25\/tcp    open   smtp\r\n70\/tcp    closed gopher\r\n80\/tcp    open   http\r\n113\/tcp   closed ident\r\n443\/tcp   open   https\r\n31337\/tcp closed Elite\r\n\r\nNmap done: 1 IP address (1 host up) scanned in 10.86 seconds\r\n<\/code><\/pre>\r\n\r\n\r\n\r\n<p>It returns in a few seconds a <a href=\"https:\/\/www.speedguide.net\/port.php?port=31337\" target=\"_blank\" rel=\"noopener\">list of open ports on that IP<\/a>, including an SSH, an SMTP mail server, a web server, and a possible back orifice.<\/p>\r\n\r\n\r\n\r\n<p>In many cases this is simply a first point of analysis even if, for example, the software behind an FTP, SSH, etc. server is fully up-to-date and there are no known vulnerabilities. 
Already at first you could, for example, launch a brute force dictionary attack on the SSH or FTP server trying to gain access (there are a huge number of such servers with default or insecure credentials).<\/p>\r\n\r\n\r\n\r\n<p>There are automatic tools (bots) that are basically continuously scanning wide IP ranges for recognizable open ports, for example database ports (MongoDB, MySQL, PostgreSQL, etc.), and when they detect such an open port, they automatically attempt a login with default credentials. For example, in the case of typical LAMP \/ WAMP installations, a root access \/ to the mySQL port. And basically this way a huge amount of databases have been hacked without prior human intervention. This is feasible even if we have it open on another port, since it is possible to identify in many cases that what is on port 5555 &#8220;to mislead&#8221;, to say something, is a mySQL through the fingerprint of the service, as we will see later.<\/p>\r\n\r\n\r\n\r\n<p>In short, it is very dangerous to leave default credentials on web servers, routers, FTPs, SSHs, databases&#8230; because there is no need for anyone to have a bug, a bot will do it.<\/p>\r\n\r\n\r\n\r\n<figure class=\"wp-block-image aligncenter\"><img decoding=\"async\" class=\"wp-image-12590\" src=\"https:\/\/www.viafirma.com\/wp-content\/uploads\/2019\/10\/Escanear-ips-con-nmap-1024x678.jpg\" alt=\"Scan ips with nmap\" \/><\/figure>\r\n\r\n\r\n\r\n<h2 class=\"wp-block-heading\">A first parameter<\/h2>\r\n\r\n\r\n\r\n<p>If we want to have some information about how nmap has obtained this information, we can augment the traces with the -v (verbose) or -vv parameter, where we can see that nmap has been launching SYN commands and in some cases receiving RESET (port closed), in others SYN-ACK (port open) and in others no response (&#8220;filtered&#8221;), which can make us understand that a firewall is stopping our request:<\/p>\r\n\r\n\r\n\r\n<pre><code>\r\nPORT            STATE           SERVICE      
   REASON\r\n22\/tcp          open            ssh             syn-ack ttl 53\r\n25\/tcp          open            smtp            syn-ack ttl 53\r\n70\/tcp          closed          gopher          reset ttl 52\r\n80\/tcp          open            http            syn-ack ttl 53\r\n113\/tcp         closed          ident           reset ttl 52\r\n443\/tcp         open            https           syn-ack ttl 53\r\n31337\/tcp       closed          Elite           reset ttl 53\r\n<\/code><\/pre>\r\n\r\n\r\n\r\n<h2 class=\"wp-block-heading\">Increasing the range of IPs to be scanned<\/h2>\r\n\r\n\r\n\r\n<p><em>nmap<\/em> allows us to determine IP ranges to scan in several ways (it is recommended to analyze the manual or use --help for more complete information). For example:<\/p>\r\n\r\n\r\n\r\n<pre><code>\r\nnmap 192.168.10.0\/24 (full subnet)\r\nnmap 192.168.10.1-20 (20 IPs)\r\nnmap 192.168.10.*\r\nnmap 192.168.10.1 192.168.10.2 192.168.10.3\r\n<\/code><\/pre>\r\n\r\n\r\n\r\n<p>Or for example, let&#8217;s imagine that we have been accumulating IPs since our initial enumeration, and we have a file with the different IPs separated by tabs or line breaks (one IP or range per line). We can load the file with the -iL parameter (input list) and perform the scan of the entire IP inventory. It also allows us, for example, to exclude some specific IPs with <em>--exclude<\/em> or <em>--excludefile<\/em>.<\/p>\r\n\r\n\r\n\r\n<h2 class=\"wp-block-heading\">Defining the ports to be scanned<\/h2>\r\n\r\n\r\n\r\n<p>We can manually define the ports we want to scan. 
For example, if we are looking for web servers on ports 80, 443 and 8080 in a subnet we could do it with the -p parameter:<\/p>\r\n\r\n\r\n\r\n<pre><code>\r\nnmap -p 80,443,8080 192.168.10.0\/24\r\n<\/code><\/pre>\r\n\r\n\r\n\r\n<p>We can also ask nmap to scan the &#8220;N&#8221; (whole number) most common ports; for example, to scan the 25 most common ports in a range of IPs:<\/p>\r\n\r\n\r\n\r\n<pre><code>\r\nnmap --top-ports 25 192.168.10.0\/24\r\n<\/code><\/pre>\r\n\r\n\r\n\r\n<p>Receiving a response like this:<\/p>\r\n\r\n\r\n\r\n<pre><code>\r\nPORT     STATE     SERVICE\r\n21\/tcp    closed   ftp\r\n22\/tcp    open     ssh\r\n23\/tcp    closed   telnet\r\n25\/tcp    closed   smtp\r\n53\/tcp    open     domain\r\n80\/tcp    open     http\r\n110\/tcp   closed   pop3\r\n111\/tcp   open     rpcbind\r\n135\/tcp   closed   msrpc\r\n139\/tcp   open     netbios-ssn\r\n143\/tcp   closed   imap\r\n199\/tcp   closed   smux\r\n443\/tcp   closed   https\r\n445\/tcp   open     microsoft-ds\r\n587\/tcp   closed   submission\r\n993\/tcp   closed   imaps\r\n995\/tcp   closed   pop3s\r\n1025\/tcp  closed   NFS-or-IIS\r\n1720\/tcp  closed   h323q931\r\n1723\/tcp  closed   pptp\r\n3306\/tcp  closed   mysql\r\n3389\/tcp  closed   ms-wbt-server\r\n5900\/tcp  open     vnc\r\n8080\/tcp  closed   http-proxy\r\n8888\/tcp  closed   sun-answerbook\r\n<\/code><\/pre>\r\n\r\n\r\n\r\n<p>We can ask to scan all TCP, UDP and SCTP ports (slower) with the identifier <em>-p-<\/em>:<\/p>\r\n\r\n\r\n\r\n<pre><code>\r\nnmap -p- 192.168.10.0\/24\r\n<\/code><\/pre>\r\n\r\n\r\n\r\n<h2 class=\"wp-block-heading\">Identifying operating systems and services<\/h2>\r\n\r\n\r\n\r\n<p>As we can see, nmap allows us to detect ports that are listening on an IP or a range. Later we will also see how other scanning techniques can be defined. In addition, nmap allows us to try to identify which technology (product, version, etc.) 
is behind an open port, or even the operating system installed on a server, with the -O and -sV parameters. This detection is based on the &#8220;signature&#8221; (fingerprint) of the responses given by the service to certain calls.<\/p>\r\n\r\n\r\n\r\n<pre><code>\r\nnmap -O -sV 192.168.10.5\r\n<\/code><\/pre>\r\n\r\n\r\n\r\n<pre><code>\r\nPORT         STATE         SERVICE       VERSION\r\n22\/tcp       open          ssh           OpenSSH 6.7p1 Raspbian 5+deb8u3 (protocol 2.0)\r\n53\/tcp       open          domain        ISC BIND 9.9.5 (Raspbian Linux 8.0 (Jessie based))\r\n80\/tcp       open          http          Apache httpd 2.4.10 ((Raspbian))\r\n111\/tcp      open          rpcbind       2-4 (RPC #100000)\r\n139\/tcp      open          netbios-ssn   Samba smbd 3.X - 4.X (workgroup: WORKGROUP)\r\n445\/tcp      open          netbios-ssn   Samba smbd 3.X - 4.X (workgroup: WORKGROUP)\r\n4567\/tcp     open          http          Jetty 9.4.8.v20171121\r\n5900\/tcp     open          vnc           RealVNC Enterprise 5.3 or later (protocol 5.0)\r\nMAC Address: B8:27:EB:CD:FE:89 (Raspberry Pi Foundation)\r\nDevice type: general purpose\r\nRunning: Linux 3.X|4.X\r\nOS CPE: cpe:\/o:linux:linux_kernel:3 cpe:\/o:linux:linux_kernel:4\r\nOS details: Linux 3.2 - 4.9\r\nNetwork Distance: 1 hop\r\nService Info: Host: RASPBERRYPI; OS: Linux; CPE: cpe:\/o:linux:linux_kernel\r\n<\/code><\/pre>\r\n\r\n\r\n\r\n<p>In this case, not only do we know that this machine has certain ports open. It also tells us that it is a Raspberry running Raspbian (so, for example, we could do a brute force test with a &#8220;pi&#8221; user, which is the default user), and the versions of the different ports that are listening, so this information can be used to exploit vulnerabilities on unpatched versions, etc.<\/p>\r\n\r\n\r\n\r\n<h2 class=\"wp-block-heading\">Using more probing techniques<\/h2>\r\n\r\n\r\n\r\n<p>By default nmap uses SYN as a scanning technique. 
It is a fast and not very intrusive \/ detectable technique, but nmap supports a total of 12 different techniques that we can define as parameters, as we can see in the tool&#8217;s <a href=\"https:\/\/nmap.org\/book\/man.html\" target=\"_blank\" rel=\"noopener\">user manual<\/a>.<\/p>\r\n\r\n\r\n\r\n<p>For example, if we want to do a scan based on UDP calls, we can make a call of the type:<\/p>\r\n\r\n\r\n\r\n<pre><code>\r\nnmap  -sU 192.168.10.5\r\n<\/code><\/pre>\r\n\r\n\r\n\r\n<h2 class=\"wp-block-heading\">Searching for vulnerabilities with <em>nmap<\/em><\/h2>\r\n\r\n\r\n\r\n<p>Although there are more &#8220;comfortable&#8221; and specific tools to search for vulnerabilities, such as Nessus, or suites such as Metasploit that consolidate several tools, nmap also allows us to perform vulnerability analysis.<\/p>\r\n\r\n\r\n\r\n<p>To do this, it uses a series of <em>Lua<\/em> scripts that are located in a path on our machine (in the case of Kali, in <em>\/usr\/share\/nmap\/scripts\/<\/em> ) and can be invoked with <em>--script<\/em> or its equivalent -sC.<\/p>\r\n\r\n\r\n\r\n<p>Scripts can belong to one or several categories, so we can ask <em>nmap<\/em> to evaluate, for example, all the scripts of a category against a host. 
There are some particularly interesting categories such as &#8220;<em>vuln<\/em>&#8221; (scripts dedicated to detect vulnerabilities in the target), &#8220;<em>exploit<\/em>&#8221;, etc.<\/p>\r\n\r\n\r\n\r\n<p>For example, if we want to run the vulnerability category scripts against a host:<\/p>\r\n\r\n\r\n\r\n<pre><code>\r\nnmap --script vuln scanme.nmap.org\r\n<\/code><\/pre>\r\n\r\n\r\n\r\n<pre><code>\r\nPORT       STATE      SERVICE\r\n22\/tcp     open       ssh\r\n80\/tcp     open       http\r\n| http-csrf: \r\n| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=scanme.nmap.org\r\n|   Found the following possible CSRF vulnerabilities: \r\n|     \r\n|     Path: http:\/\/scanme.nmap.org:80\/\r\n|     Form id: cse-search-box-sidebar\r\n|_    Form action: https:\/\/nmap.org\/search.html\r\n|http-dombased-xss: Couldn't find any DOM based XSS.\r\n| http-enum: \r\n|   \/images\/: Potentially interesting directory w\/ listing on 'apache\/2.4.7 (ubuntu)'\r\n|  \/shared\/: Potentially interesting directory w\/ listing on 'apache\/2.4.7 (ubuntu)'\r\n| http-slowloris-check: \r\n|   VULNERABLE:\r\n|   Slowloris DOS attack\r\n|     State: LIKELY VULNERABLE\r\n|     IDs:  CVE:CVE-2007-6750\r\n|       Slowloris tries to keep many connections to the target web server open and hold them open as long as possible.  It accomplishes this by opening connections to the target web server and sending a partial request. By doing so, it starves the http server's resources causing Denial Of Service.\r\n|     Disclosure date: 2009-09-17\r\n|     References:\r\n|       https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2007-6750\r\n|_      http:\/\/ha.ckers.org\/slowloris\/\r\n|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.\r\n9929\/tcp  open  nping-echo\r\n31337\/tcp open  Elite\r\n<\/code><\/pre>\r\n\r\n\r\n\r\n<p>As we can see, the script has detected a potential vulnerability based on the Slowloris denial of service attack. 
If we analyze the scripts in the aforementioned path, we can see that there is precisely one that exploits this vulnerability, called http-slowloris. If we want more information about the script we can launch the following command:<\/p>\r\n\r\n\r\n\r\n<pre><code>nmap --script-help http-slowloris<\/code><\/pre>\r\n\r\n\r\n\r\n<p>This explains how the script works, how to launch it (it is also possible to do it with nmap itself with <em>--script<\/em> and <em>--script-args<\/em>), etc. We can also get, for example, a description of all the scripts that search for vulnerabilities:<\/p>\r\n\r\n\r\n\r\n<pre><code>nmap --script-help vuln<\/code><\/pre>\r\n\r\n\r\n\r\n<p>We can also, for example, launch all scripts of a given type. For example, if we want to scan for vulnerabilities on SMB protocol on a given host:<\/p>\r\n\r\n\r\n\r\n<pre><code>nmap --script \"smb-*\" 192.168.10.5<\/code><\/pre>\r\n\r\n\r\n\r\n<p>We can also, for example, evaluate a vulnerability over our entire network by choosing a specific script against a range. The --script parameter<\/p>\r\n\r\n\r\n\r\n<pre><code>nmap --script-help vuln<\/code><\/pre>\r\n\r\n\r\n\r\n<pre><code>nmap --script<\/code><\/pre>\r\n\r\n\r\n\r\n<p>In short, <em>nmap<\/em> even includes interesting options for assessing vulnerabilities and even launching <em>exploits<\/em>, although there are other tools commonly used for this purpose.<\/p>\r\n\r\n\r\n\r\n<figure class=\"wp-block-image aligncenter\"><img decoding=\"async\" class=\"wp-image-12595\" src=\"https:\/\/www.viafirma.com\/wp-content\/uploads\/2019\/10\/Buscando-vulnerabilidades-con-nmap-1024x683.jpg\" alt=\"Searching for vulnerabilities with nmap\" \/><\/figure>\r\n\r\n\r\n\r\n<h2 class=\"wp-block-heading\">Other interesting options<\/h2>\r\n\r\n\r\n\r\n<p>As we have said, <em>nmap<\/em> has a lot of options and it is impossible to try to cover even a small percentage of them in a post. 
In fact, there is an official <em>nmap<\/em> book of almost 500 pages&#8230; but in any case we try to comment here on some of them that seem interesting.<\/p>\r\n\r\n\r\n\r\n<ul class=\"wp-block-list\">\r\n<li>The tool allows you to generate the scan result in a processable output file, e.g. in XML format, with -oX or -oN .<\/li>\r\n\r\n\r\n\r\n<li>When scanning wide IP ranges, we can disable the DNS reverse resolution attempt with the -n parameter.<\/li>\r\n\r\n\r\n\r\n<li>During the execution of a command we can increase the level of information displayed on the console (<em>verbosity<\/em>) by pressing the &#8220;V&#8221; key.<\/li>\r\n\r\n\r\n\r\n<li>If we have a firewall that cuts us off, we can try <em>-Pn<\/em><\/li>\r\n<\/ul>\r\n\r\n\r\n\r\n<p>In short, we have tried to develop a &#8220;brief&#8221; introduction to nmap as a tool for identifying open ports and services on a host or IP range. In later posts we will see other ways to detect vulnerabilities.<\/p>\r\n","protected":false},"excerpt":{"rendered":"Let's try to see how it is possible to perform a service identification with nmap, an inventory of open ports on an IP or range of 
IPs....","protected":false},"author":1,"featured_media":34152,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"default","adv-header-id-meta":"","stick-header-meta":"default","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"set","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[152],"class_list":["post-13007","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity-en-blog-en"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.viafirma.com\/en\/wp-json\/wp\/v2\/posts\/13007","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.viafirma.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.viafirma.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.viafirma.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.viafirma.com\/en\/wp-json\/wp\/v2\/comments?post=13007"}],"version-history":[{"count":2,"href":"https:\/\/www.viafirma.com\/en\/wp-json\/wp\/v2\/posts\/13007\/revisions"}],"predecessor-version":[{"id":95396,"href":"https:\/\/www.viafirma.com\/en\/wp-json\/wp\/v2\/posts\/13007\/revisions\/95396"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.viafirma.com\/en\/wp-json\/wp\/v2\/media\/34152"}],"wp:attachment":[{"href":"https:\/\/www.viafirma.com\/en\/wp-json\/wp\/v2\/media?parent=13007"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.viafirma.com\/en\/wp-json\/wp\/v2\/categories?post=13007"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}