Service fingerprinting
In this recipe, we will look at how to analyze the open port to determine what kind of service(s) are running on the open port(s). This will help us understand if the target IP is running any vulnerable software. That is why service fingerprinting is a necessary and a very important step.
Getting ready
We will use nmap to fingerprint the services of the target IP. Nmap is a multi-functional tool that performs jobs ranging from host discovery to vulnerability assessment; service fingerprinting is also a part of it.
How to do it...
The steps are as follows:
- Using nmap, run the following command in terminal to achieve the service enumeration result:
nmap -sV <IP address>The output will be as shown in the following screenshot:
- We can even enumerate the UDP services running on the target IP, by using the UDP scan switch along with the service-detection switch:
Nmap -sU -sV <IP address>The output will be as shown in the following screenshot:
- We can speed up the scan using the following command:
nmap -T4 -F -sV <IP address>Details of the switches used are provided in the How it works section. For addition details, visit https://nmap.org/book/man-port-specification.html and https://nmap.org/book/man-version-detection.html .
The output will be as shown in the following screenshot:
Here we can see that the difference between the normal scan and the timed scan is almost 60+ seconds.
How it works...
The following are a list of switches that will we have used with their explanation for better understanding:
-sV: This stands for version detection; it probes all the open ports and tries to parse the banner-grabbed information to determine the service version running.-T4: TheTstands for fine-grained timing controls, and the4stands for the level of speed in which to perform a scan. The timing ranges from 0-5: (0)paranoid, (1)sneaky, (2)polite, (3)normal, (4)aggressive, (5)insane. (0) and (1) usually help in IDS evasion, while (4) tells nmap to assume that we are on a fast and reliable network, thus speeding up the scans.-F: This is a fast mode; it scans fewer ports than the default scan.
In this recipe, we have learned how nmap fingerprints open ports to detect the running services and their corresponding versions over them. This will be used later to help us detect the operating system.
There's more...
We can even check out other tools, provided in the Kali distribution, which deal with service enumeration. A few of the tools we can check are listed under Kali Linux | Information Gathering | <services>.
There are also detailed switches available in the nmap -sV detection:
--all-ports: This tells nmap to make sure it fingerprints versions of services running on all open ports.--version-intensity: This tells nmap to scan with an intensity value ranging from 0 to 9, 9 being the most effective fingerprinting.
After the ports are enumerated, an attacker can find out if the version of software running on the ports is vulnerable to any attack vectors by way of a little Google search or scouring over websites such as exploit-db.com , securityfocus.com and so on.