You're reading from Nmap: Network Exploration and Security Auditing Cookbook Network discovery and security scanning at your fingertips

Product type Paperback

Published in May 2017

Publisher

ISBN-13 9781786467454

Length 416 pages

Edition 2nd Edition

Languages

Lua

Tools

Nmap

Concepts

Penetration Testing

Author (1):

Paulino Calderon

View More author details

Fingerprinting OS and services running on a target host

Version detection and OS detection are two of the most popular features of Nmap. Nmap is known for having the most comprehensive OS and service fingerprint databases. Knowing the platform (OS) and the exact version of a service is highly valuable for people looking for security vulnerabilities or monitoring their networks for any unauthorized changes. Fingerprinting services may also reveal additional information about a target, such as available modules and specific protocol information.

This recipe shows how to fingerprint the operating system and running services of a remote host using Nmap.

How to do it...

To enable service detection, add the Nmap option -sV to your port scan command:

$ nmap -sV <target>

The -sV option adds a table containing an additional column named VERSION, displaying the specific service version, if identified. Additional information will be enclosed in parentheses.

$ nmap -sV scanme.nmap.org 
   Nmap scan report for scanme.nmap.org (45.33.32.156) 
   Host is up (1.4s latency). 
   Other addresses for scanme.nmap.org (not scanned):    
   2600:3c01::f03c:91ff:fe18:bb2f 
   Not shown: 994 closed ports 
   PORT      STATE    SERVICE    VERSION 
   22/tcp    open     ssh        OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.3   
   (Ubuntu Linux; protocol 2.0) 
   25/tcp    filtered smtp 
   80/tcp    open     http       Apache httpd 2.4.7 ((Ubuntu)) 
   514/tcp   filtered shell 
   9929/tcp  open     nping-echo Nping echo 
   31337/tcp open     tcpwrapped 
   Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel 

   Service detection performed. Please report any incorrect results    at https://nmap.org/submit/ . 
   Nmap done: 1 IP address (1 host up) scanned in 137.71 seconds

To enable OS detection, add the Nmap option -O to your scan command. Note that OS detection requires Nmap to be run as a privileged user:

# nmap -O <target>

The result will now include OS information at the bottom of the port list:

# nmap -O scanme.nmap.org 
   Nmap scan report for scanme.nmap.org (45.33.32.156) 
   Host is up (0.25s latency). 
   Other addresses for scanme.nmap.org (not scanned):    
   2600:3c01::f03c:91ff:fe18:bb2f 
   Not shown: 994 closed ports 
   PORT      STATE    SERVICE 
   22/tcp    open     ssh 
   25/tcp    filtered smtp 
   80/tcp    open     http 
   514/tcp   filtered shell 
   9929/tcp  open     nping-echo 
   31337/tcp open     Elite 
   Device type: WAP|general purpose|storage-misc 
   Running (JUST GUESSING): Actiontec embedded (99%), Linux          
   2.4.X|3.X (99%), Microsoft Windows 7|2012|XP (96%), BlueArc 
   embedded (91%) 
   OS CPE: cpe:/h:actiontec:mi424wr-gen3i cpe:/o:linux:linux_kernel    cpe:/o:linux:linux_kernel:2.4.37 cpe:/o:linux:linux_kernel:3.2      cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012      cpe:/o:microsoft:windows_xp::sp3 cpe:/h:bluearc:titan_2100 
   Aggressive OS guesses: Actiontec MI424WR-GEN3I WAP (99%), DD-WRT    v24-sp2 (Linux 2.4.37) (98%), Linux 3.2 (98%), Microsoft Windows    7 or Windows Server 2012 (96%), Microsoft Windows XP SP3 (96%),      BlueArc Titan 2100 NAS device (91%) 
   No exact OS matches for host (test conditions non-ideal). 
   OS detection performed. Please report any incorrect results at      https://nmap.org/submit/ . 
   Nmap done: 1 IP address (1 host up) scanned in 114.03 seconds

How it works...

The Nmap option -sV enables service detection, which returns additional service and version information. Service detection is one of the most loved features of Nmap because it's very useful in many situations, such as identifying security vulnerabilities or making sure a service is running on a given port or a patch has been applied successfully.

This feature works by sending different probes defined in the nmap-service-probes file to the list of suspected open ports. The probes are selected based on how likely they can be used to identify a service.

If you are interested in the inner workings, you can find very detailed documentation on how service detection mode works and how the file formats are used at https://nmap.org/book/vscan.html.

The -O option tells Nmap to attempt OS detection by sending several probes using the TCP, UDP, and ICMP protocols against opened and closed ports. OS detection mode is very powerful due to Nmap's user community, which obligingly contributes fingerprints that identify a wide variety of systems, including residential routers, IP webcams, operating systems, and many other hardware devices. It is important to note that OS detection requires raw packets, so Nmap need to be run with enough privileges.

The complete documentation of the tests and probes sent during OS detection can be found at https://nmap.org/book/osdetect-methods.html.

Nmap uses the Common Platform Enumeration (CPE) as the naming scheme for service and operating system detection. This convention is used in the information security industry to identify packages, platforms, and systems.

There's more...

OS and version detection scan options can be configured thoroughly and are very powerful when tuning the performance. Let's learn about some additional Nmap options related to these scan modes.

Increasing version detection intensity

You can increase or decrease the amount of probes to use during version detection by changing the intensity level of the scan with the argument --version-intensity [0-9], as follows:

# nmap -sV --version-intensity 9 <target>

This Nmap option is incredibly effective against services running on nondefault ports due to configuration changes.

Aggressive detection mode

Nmap has a special flag to activate aggressive detection, namely -A. Aggressive mode enables OS detection (-O), version detection (-sV), script scanning (-sC), and traceroute (--traceroute). This mode sends a lot more probes, and it is more likely to be detected, but provides a lot of valuable host information. You can try aggressive detection with the following command:

# nmap -A <target> 
   Nmap scan report for scanme.nmap.org (45.33.32.156) 
   Host is up (0.071s latency). 
   Other addresses for scanme.nmap.org (not scanned):     
   2600:3c01::f03c:91ff:fe18:bb2f 
   Not shown: 994 closed ports 
   PORT      STATE    SERVICE    VERSION 
   22/tcp    open     ssh        OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.3       
   (Ubuntu Linux; protocol 2.0) 
   | ssh-hostkey:  
   |   1024 ac:00:a0:1a:82:ff:cc:55:99:dc:67:2b:34:97:6b:75 (DSA) 
   |   2048 20:3d:2d:44:62:2a:b0:5a:9d:b5:b3:05:14:c2:a6:b2 (RSA) 
   |_  256 96:02:bb:5e:57:54:1c:4e:45:2f:56:4c:4a:24:b2:57 (ECDSA) 
   25/tcp    filtered smtp 
   80/tcp    open     http       Apache httpd 2.4.7 ((Ubuntu)) 
   |_http-server-header: Apache/2.4.7 (Ubuntu) 
   |_http-title: Go ahead and ScanMe! 
   514/tcp   filtered shell 
   9929/tcp  open     nping-echo Nping echo 
   31337/tcp open     tcpwrapped 
   Device type: WAP|general purpose|storage-misc 
   Running (JUST GUESSING): Actiontec embedded (98%), Linux 2.4.X|3.X    
   (98%), Microsoft Windows 7|2012|XP (96%), BlueArc embedded (91%) 
   OS CPE: cpe:/h:actiontec:mi424wr-gen3i cpe:/o:linux:linux_kernel       
   cpe:/o:linux:linux_kernel:2.4.37 cpe:/o:linux:linux_kernel:3.2    
   cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012   
   cpe:/o:microsoft:windows_xp::sp3 cpe:/h:bluearc:titan_2100 
   Aggressive OS guesses: Actiontec MI424WR-GEN3I WAP (98%), DD-WRT   
   v24-sp2 (Linux 2.4.37) (98%), Linux 3.2 (98%), Microsoft Windows 7   
   or Windows Server 2012 (96%), Microsoft Windows XP SP3 (96%),   
   BlueArc Titan 2100 NAS device (91%) 
   No exact OS matches for host (test conditions non-ideal). 
   Network Distance: 2 hops 
   Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel  
   TRACEROUTE (using port 80/tcp) 
   HOP RTT     ADDRESS 
   1   0.08 ms 192.168.254.2 
   2   0.03 ms scanme.nmap.org (45.33.32.156)  
   OS and Service detection performed. Please report any incorrect       
   results at https://nmap.org/submit/ . 
   Nmap done: 1 IP address (1 host up) scanned in 208.05 seconds

Configuring OS detection

In case OS detection fails, you can use the argument --osscan-guess to force Nmap to guess the operating system:

#nmap -O --osscan-guess <target>

To launch OS detection only when the scan conditions are ideal, use the argument --osscan-limit:

#nmap -O --osscan-limit <target>

OS detection in verbose mode

Try OS detection in verbose mode to see additional host information, such as the TCP and IP ID sequence number values:

#nmap -O -v <target>

The IP ID sequence number can be found under the label IP ID Sequence Generation. Note that incremental IP ID sequence numbers can be abused by port scanning techniques such as idle scan:

#nmap -O -v 192.168.0.1  
   Initiating Ping Scan at 11:14 
   Scanning 192.168.0.1 [4 ports] 
   Completed Ping Scan at 11:14, 0.00s elapsed (1 total hosts) 
   Initiating Parallel DNS resolution of 1 host. at 11:14 
   Completed Parallel DNS resolution of 1 host. at 11:14, 0.02s elapsed 
   Initiating SYN Stealth Scan at 11:14 
   Scanning 192.168.0.1 [1000 ports] 
   Discovered open port 80/tcp on 192.168.0.1 
   Completed SYN Stealth Scan at 11:14, 13.80s elapsed (1000 total 
   ports) 
   Initiating OS detection (try #1) against 192.168.0.1 
   Retrying OS detection (try #2) against 192.168.0.1 
   Nmap scan report for 192.168.0.1 
   Host is up (0.11s latency). 
   Not shown: 998 closed ports 
   PORT    STATE    SERVICE 
   80/tcp  open     http 
   514/tcp filtered shell 
   Device type: WAP|general purpose|storage-misc 
   Running (JUST GUESSING): Actiontec embedded (99%), Linux 2.4.X|3.X   
   (99%), Microsoft Windows 7|2012|XP (96%), BlueArc embedded (91%) 
   OS CPE: cpe:/h:actiontec:mi424wr-gen3i cpe:/o:linux:linux_kernel   
   cpe:/o:linux:linux_kernel:2.4.37 cpe:/o:linux:linux_kernel:3.2   
   cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012 
   cpe:/o:microsoft:windows_xp::sp3 cpe:/h:bluearc:titan_2100 
   Aggressive OS guesses: Actiontec MI424WR-GEN3I WAP (99%), DD-WRT      
   v24-sp2 (Linux 2.4.37) (98%), Linux 3.2 (97%), 
    Microsoft Windows 7 or Windows Server 2012 (96%), Microsoft  
    Windows XP SP3 (96%),       
   BlueArc Titan 2100 NAS device (91%) 
   No exact OS matches for host (test conditions non-ideal). 
   TCP Sequence Prediction: Difficulty=259 (Good luck!) 
   IP ID Sequence Generation: Incremental 

   Read data files from: /usr/local/bin/../share/nmap 
   OS detection performed. Please report any incorrect results at   
   https://nmap.org/submit/ . 
   Nmap done: 1 IP address (1 host up) scanned in 32.40 seconds 
              Raw packets sent: 1281 (59.676KB) | Rcvd: 1249 (50.520KB)

Submitting new OS and service fingerprints

Nmap's accuracy comes from a database that has been collected over the years through user submissions. It is very important that we help keep this database up to date. Nmap will let you know when you can contribute to the project by submitting an unidentified operating system, device, or service.

Please take the time to submit your contributions, as Nmap's detection capabilities come directly from the databases. Visit https://nmap.org/cgi-bin/submit.cgi? to submit new fingerprints or corrections.