Service Enumeration

Introduction

  • It is essential to determine the application and its version as accurately as possible.

  • We can use this information to scan for known vulnerabilities and analyze the source code for that version if we find it.

Service Version Detection

  • It is recommended to perform a quick port scan first, which gives us a small overview of the available ports. This causes significantly less traffic, which is advantageous for us because otherwise we can be discovered and blocked by the target's security mechanisms.

  • We can work on the ports found by the quick scan first while a full port scan (-p-), which shows all open ports, runs in the background.

  • We can use the version scan to scan the specific ports for services and their versions (-sV).

  • A full port scan takes quite a long time. To view the scan status, we can press the [Space Bar] during the scan, which will cause Nmap to show us the scan status.

  • Command: sudo nmap <IP Address> -p- -sV

  • Example: sudo nmap 10.129.2.28 -p- -sV

  • Example (Updates status every 5s): sudo nmap 10.129.2.28 -p- -sV --stats-every=5s

  • Example (Updates status every 5m): sudo nmap 10.129.2.28 -p- -sV --stats-every=5m

  • Example (shows open ports as soon as they are discovered; -vv can also be used for more detail): sudo nmap 10.129.2.28 -p- -sV -v

  • Primarily, Nmap looks at the banners of the scanned ports and prints them out. If it cannot identify versions through the banners, Nmap attempts to identify them through a signature-based matching system, but this significantly increases the scan's duration.

  • One disadvantage of Nmap's presented results is that the automatic scan can miss some information, because sometimes Nmap does not know how to handle it. For example, the target may return more information than Nmap displays, simply because Nmap does not know how to interpret it.

  • If we manually connect to the server using nc, grab the banner, and intercept the network traffic using tcpdump, we can see what Nmap did not show us. Capture the traffic between our host and the target with (sudo tcpdump -i eth0 host 10.10.14.2 and 10.129.2.28), then connect to the SMTP port and read the banner with (nc -nv 10.129.2.28 25).
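The quick-scan-first workflow from the bullets above, scripted as an added example (not part of the original notes): the fast scan is saved in Nmap's grepable format, the open ports it finds get an immediate -sV pass, and the slow full-range scan runs in the background. The open_ports parser is exercised on a constructed -oG sample; the script assumes nmap is installed and usable via sudo.

```shell
#!/usr/bin/env bash
# Added example: quick scan -> targeted version scan -> full -p- scan in background.
set -u

# Constructed sample of nmap -oG output (real files use tabs between fields).
# Each entry in the Ports: field is port/state/proto/owner/service/rpc/version/.
SAMPLE_GNMAP='# Nmap 7.94 scan initiated as: nmap -F -oG - 10.129.2.28
Host: 10.129.2.28 ()  Status: Up
Host: 10.129.2.28 ()  Ports: 22/open/tcp//ssh///, 25/open/tcp//smtp///, 80/open/tcp//http///, 443/filtered/tcp//https///  Ignored State: closed (96)
# Nmap done -- 1 IP address (1 host up) scanned'

# Read -oG output on stdin; print the open port numbers as a comma list ("22,25,80").
# Filtered/closed entries are dropped so the -sV stage only probes live services.
open_ports() {
  awk -F'Ports: ' '/Ports: /{ print $2 }' \
    | tr ',' '\n' | sed 's/^[[:space:]]*//' \
    | awk -F'/' '$2 == "open" { print $1 }' \
    | sort -un | paste -s -d ',' -
}

# Run the three stages against one target, e.g.: two_stage_scan 10.129.2.28
two_stage_scan() {
  local target="$1" ports
  # Stage 1: fast scan (-F = top 100 ports), grepable output on stdout.
  ports="$(sudo nmap -F -oG - "$target" | open_ports)"
  if [ -z "$ports" ]; then
    echo "quick scan found no open ports on $target" >&2
    return 1
  fi
  # Stage 2: full port range in the background, results written to a file.
  sudo nmap "$target" -p- -oN "nmap_full_${target}.txt" >/dev/null 2>&1 &
  echo "full -p- scan running in background (pid $!), output in nmap_full_${target}.txt"
  # Stage 3: version probes only on the ports already known to be open.
  sudo nmap "$target" -p "$ports" -sV --stats-every=5s
}
```

Call two_stage_scan with the target address to run it; only open_ports is run against the embedded sample.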
