<

Nmap: Performing a Service Scan

Published on
11,361 Points
5,261 Views
1 Endorsement
Last Modified:
Approved
As discussed in my previous articles, the Nmap Security Scanner can be used to perform a port scan of remote systems.  A port scan of a system can let the Nmap user know which services are available on a system as well as if these services are accessible through a firewall.  

By default, Nmap will use commonly known port assignments to "assume" which service is running on an associated port.  For example, if Nmap detects TCP port 80 is open on a system, Nmap reports that the port is open for HTTP - traditionally used to host a website.  Of course, this does not mean necessarily that a web server is running on the system.  Perhaps the administrator wanted to be tricky and hide an active SSH service on TCP port 80 which the default scan would not detect.

To determine what service is actually running on the port, Nmap has the ability to conduct a "Service Scan" (-sV) which conducts additional tests against an open port in an effort to determine more information about the service running on a specific port.

This article discusses features that are available in Nmap 5.0 and higher.

Conducting an Nmap Service Scan

When an Nmap scan is performed with the -sV option, the following will occur by default:

-      With the Service Scan, Nmap will conduct additional tests on each open port to determine which service is truly running on the port.
-      Your system will scan the 1,000 most commonly used TCP ports on your target(s).  These ports were enumerated by Fyodor when he conducted an Nmap scan against every host on the Internet and compiled the end results.  The scan type conducted is a standard SYN scan.
-      Nmap will randomize the order in which the ports are scanned.  If you wish for the ports to be scanned in sequential order, perhaps to test your IDS/IPS capabilities, use the -r option.
-      If an IP address is specified as the scan target, Nmap will attempt to perform a reverse DNS lookup to identify the FQDN of the scanned host(s).

In the following example, Nmap is used to conduct a Service Scan of the system at 192.168.2.100.  
 
 Nmap Service Scan (-sV)
Starting Nmap 5.00 ( http://nmap.org ) at 2009-11-19 22:40 Eastern Standard Time

Interesting ports on mail.company.net (192.168.2.100):
Not shown: 992 closed ports
PORT      STATE SERVICE       VERSION
25/tcp    open  smtp
80/tcp    open  http                Microsoft IIS webserver 6.0
135/tcp   open  msrpc            Microsoft Windows RPC
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds   Microsoft Windows 2003 microsoft-ds
593/tcp   open  ncacn_http     Microsoft Windows RPC over HTTP 1.0
691/tcp   open  resvc             Microsoft Exchange routing server 6.5.7638.1
3389/tcp  open  microsoft-rdp Microsoft Terminal Service

Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.
org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 47.02 seconds

Open in new window


As you can see, the above scan discovered that eight TCP ports were running on the system - noted by the "open" state.  The remaining 992 scanned ports were reported as closed as no services were running on the system.  By default, Nmap will "guess" which services are running on each of these ports based on the common usage of each port number.  

In our example, Nmap performed a Service Scan to determine the eight services that appear to be running on the system.  For example, Nmap determined that Microsoft Terminal Services was actively available on TCP port 3389 while an Exchange version (6.5.7638.1) was noted via the Routing Service on TCP port 691.  A quick Google search indicates that the version of Exchange running on the system is 2003 SP2 with additional patches installed.  Such information could be used by a security administrator for logging in to the system or provide a malicious attacker with information about the system with various attack avenues they might explore in their efforts to compromise the machine.

REMEMBER - Each system has 65,535 TCP and 65,535 UDP ports.  The standard Nmap scan only scans the 1,000 most commonly used ports to help expedite scan times.

NOTE - If you do see a result state as "filtered", this means that access to the port by Nmap has been blocked.  Typically, this result indicates that a firewall has prevented the Nmap scan from reaching the system on the filtered ports.

For other Nmap articles:
"Nmap: Performing a Basic Scan" (http://www.experts-exchange.com/articles/Security/Misc/Nmap-Performing-a-Basic-Scan.html)
"Nmap: Host Discovery Basics" (http://www.experts-exchange.com/articles/Security/Misc/Nmap-Host-Discovery-Basics.html)
1
Comment
Author:MikeHolcomb
1 Comment
 
LVL 26

Expert Comment

by:MidnightOne
As an addition to the article I highly recommend the book NMAP Network Scanning (http://www.amazon.com/Nmap-Network-Scanning-Official-Discovery/dp/0979958717).
Given it's written by the creator of NMAP, it outlines the real level of detail and strategies NMAP is capable of.
0

Featured Post

Managing Security Policy in a Changing Environment

The enterprise network environment is evolving rapidly as companies extend their physical data centers to embrace cloud computing and software-defined networking. This new reality means that the challenge of managing the security policy is much more dynamic and complex.

Join & Write a Comment

Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…

Keep in touch with Experts Exchange

Tech news and trends delivered to your inbox every month