Nmap: Performing a Service Scan

As discussed in my previous articles, the Nmap Security Scanner can be used to perform a port scan of remote systems.  A port scan of a system can let the Nmap user know which services are available on a system as well as if these services are accessible through a firewall.  

By default, Nmap will use commonly known port assignments to "assume" which service is running on an associated port.  For example, if Nmap detects TCP port 80 is open on a system, Nmap reports that the port is open for HTTP - traditionally used to host a website.  Of course, this does not mean necessarily that a web server is running on the system.  Perhaps the administrator wanted to be tricky and hide an active SSH service on TCP port 80 which the default scan would not detect.

To determine what service is actually running on the port, Nmap has the ability to conduct a "Service Scan" (-sV) which conducts additional tests against an open port in an effort to determine more information about the service running on a specific port.

This article discusses features that are available in Nmap 5.0 and higher.

Conducting an Nmap Service Scan

When an Nmap scan is performed with the -sV option, the following will occur by default:

-      With the Service Scan, Nmap will conduct additional tests on each open port to determine which service is truly running on the port.
-      Your system will scan the 1,000 most commonly used TCP ports on your target(s).  These ports were enumerated by Fyodor when he conducted an Nmap scan against every host on the Internet and compiled the end results.  The scan type conducted is a standard SYN scan.
-      Nmap will randomize the order in which the ports are scanned.  If you wish for the ports to be scanned in sequential order, perhaps to test your IDS/IPS capabilities, use the -r option.
-      If an IP address is specified as the scan target, Nmap will attempt to perform a reverse DNS lookup to identify the FQDN of the scanned host(s).

In the following example, Nmap is used to conduct a Service Scan of the system at  
 Nmap Service Scan (-sV)
Starting Nmap 5.00 ( http://nmap.org ) at 2009-11-19 22:40 Eastern Standard Time
                      Interesting ports on mail.company.net (
                      Not shown: 992 closed ports
                      PORT      STATE SERVICE       VERSION
                      25/tcp    open  smtp
                      80/tcp    open  http                Microsoft IIS webserver 6.0
                      135/tcp   open  msrpc            Microsoft Windows RPC
                      139/tcp   open  netbios-ssn
                      445/tcp   open  microsoft-ds   Microsoft Windows 2003 microsoft-ds
                      593/tcp   open  ncacn_http     Microsoft Windows RPC over HTTP 1.0
                      691/tcp   open  resvc             Microsoft Exchange routing server 6.5.7638.1
                      3389/tcp  open  microsoft-rdp Microsoft Terminal Service
                      Service Info: OS: Windows
                      Service detection performed. Please report any incorrect results at http://nmap.
                      org/submit/ .
                      Nmap done: 1 IP address (1 host up) scanned in 47.02 seconds

Open in new window

As you can see, the above scan discovered that eight TCP ports were running on the system - noted by the "open" state.  The remaining 992 scanned ports were reported as closed as no services were running on the system.  By default, Nmap will "guess" which services are running on each of these ports based on the common usage of each port number.  

In our example, Nmap performed a Service Scan to determine the eight services that appear to be running on the system.  For example, Nmap determined that Microsoft Terminal Services was actively available on TCP port 3389 while an Exchange version (6.5.7638.1) was noted via the Routing Service on TCP port 691.  A quick Google search indicates that the version of Exchange running on the system is 2003 SP2 with additional patches installed.  Such information could be used by a security administrator for logging in to the system or provide a malicious attacker with information about the system with various attack avenues they might explore in their efforts to compromise the machine.

REMEMBER - Each system has 65,535 TCP and 65,535 UDP ports.  The standard Nmap scan only scans the 1,000 most commonly used ports to help expedite scan times.

NOTE - If you do see a result state as "filtered", this means that access to the port by Nmap has been blocked.  Typically, this result indicates that a firewall has prevented the Nmap scan from reaching the system on the filtered ports.

For other Nmap articles:
"Nmap: Performing a Basic Scan" (https://www.experts-exchange.com/articles/Security/Misc/Nmap-Performing-a-Basic-Scan.html)
"Nmap: Host Discovery Basics" (https://www.experts-exchange.com/articles/Security/Misc/Nmap-Host-Discovery-Basics.html)

Comments (1)

As an addition to the article I highly recommend the book NMAP Network Scanning (http://www.amazon.com/Nmap-Network-Scanning-Official-Discovery/dp/0979958717).
Given it's written by the creator of NMAP, it outlines the real level of detail and strategies NMAP is capable of.

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.