Detect Services and Versions in Nmap


Introduction

In this lab, you will learn how to detect services and their versions using Nmap. The lab covers basic service detection on the localhost, adjusting the intensity of the scan, detecting services on specific ports, performing full detection, analyzing the output in the Xfce terminal, and saving the results to a text file. You'll execute commands like nmap -sV 127.0.0.1 and nmap -sV -oN services.txt 192.168.1.1 to gain hands-on experience with Nmap's service version detection capabilities.



Run service detection with nmap -sV 127.0.0.1

In this step, we will perform a basic service detection scan using Nmap. Service detection helps identify the applications and versions running on open ports of a target system. This information is crucial for vulnerability assessment and penetration testing.

The command nmap -sV 127.0.0.1 instructs Nmap to perform service version detection (-sV) on the localhost (127.0.0.1). The localhost is your own machine.

Let's execute the command:

  1. Open the Xfce terminal.

  2. Type the following command and press Enter:

nmap -sV 127.0.0.1

You should see output similar to the following:

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:00 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000073s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.52 ((Ubuntu))
111/tcp  open  rpcbind 2-4 (RPC #100000)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5.28 seconds

Explanation:

  • Starting Nmap...: Indicates the Nmap version being used.
  • Nmap scan report for localhost (127.0.0.1): Shows the target of the scan.
  • Host is up: Confirms that the target is reachable.
  • Not shown: 997 closed ports: Indicates that 997 ports were closed and not displayed. Nmap only shows open, filtered, or unfiltered ports by default.
  • PORT STATE SERVICE VERSION: This section displays the open ports, their state (open), the service running on the port, and the version of the service. For example, port 22 is open and running OpenSSH version 8.9p1. Port 80 is open and running Apache httpd version 2.4.52.
  • Service Info: Provides additional information about the operating system.
  • Nmap done: Indicates the scan is complete and shows the time taken.

This simple scan provides valuable information about the services running on your machine. In the following steps, we will explore more advanced options for service detection.

Adjust intensity with nmap -sV --version-intensity 7 192.168.1.1

In this step, we will learn how to adjust the intensity of Nmap's service version detection. The --version-intensity option allows you to control how aggressively Nmap probes for service information. A higher intensity level means Nmap will try more probes, potentially leading to more accurate results, but also taking more time.

The --version-intensity option takes a value from 0 to 9, where 0 is the lightest and 9 is the most aggressive. The default intensity is 7.

Important: Before proceeding, please note that scanning 192.168.1.1 might not work directly in the LabEx VM environment, as it's likely an internal network address. For demonstration purposes, we will use 127.0.0.1 (localhost) instead. In a real-world scenario, you would replace this with the actual target IP address.

Let's execute the command with intensity level 7:

  1. Open the Xfce terminal.

  2. Type the following command and press Enter:

nmap -sV --version-intensity 7 127.0.0.1

You should see output similar to the following (the exact output may vary depending on the services running on your machine):

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:05 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000073s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.52 ((Ubuntu))
111/tcp  open  rpcbind 2-4 (RPC #100000)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5.28 seconds

Now, let's try a lower intensity level, such as 2:

nmap -sV --version-intensity 2 127.0.0.1

Observe the output. You might notice that the scan completes faster, but the version information might be less detailed or accurate.

Explanation:

  • nmap -sV --version-intensity 7 127.0.0.1: Performs service version detection with intensity level 7 on localhost.
  • nmap -sV --version-intensity 2 127.0.0.1: Performs service version detection with intensity level 2 on localhost.

By adjusting the --version-intensity option, you can fine-tune the balance between scan speed and accuracy. In situations where time is critical, a lower intensity level might be preferable. For more thorough assessments, a higher intensity level is recommended.

Detect on specific ports with nmap -sV -p 80 192.168.1.1

In this step, we will focus our service detection scan on a specific port. This is useful when you already know which port you are interested in, or when you want to reduce the scan time by only targeting a specific service.

The -p option in Nmap allows you to specify the port(s) you want to scan. In this case, we will scan port 80, which is commonly used for HTTP (web) services.

Important: As in the previous step, scanning 192.168.1.1 might not work directly in the LabEx VM environment. We will use 127.0.0.1 (localhost) instead. Remember to replace this with the actual target IP address in a real-world scenario.

Let's execute the command:

  1. Open the Xfce terminal.

  2. Type the following command and press Enter:

nmap -sV -p 80 127.0.0.1

You should see output similar to the following:

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:10 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000073s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.52 ((Ubuntu))

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.28 seconds

Explanation:

  • nmap -sV -p 80 127.0.0.1: Performs service version detection (-sV) on port 80 (-p 80) of localhost (127.0.0.1).
  • The output shows that port 80 is open and running Apache httpd version 2.4.52.
  • Notice that the scan time is significantly shorter compared to the previous scans, as we are only scanning a single port.

You can also specify a range of ports using the -p option. For example, to scan ports 80, 443, and 8080, you would use the following command:

nmap -sV -p 80,443,8080 127.0.0.1

This allows you to target multiple specific ports in a single scan.

Use full detection with nmap -sV --version-all 127.0.0.1

In this step, we will utilize Nmap's --version-all option to perform the most comprehensive service version detection possible. This option instructs Nmap to try every single version detection probe against each open port. It's the most aggressive setting and can provide the most accurate results, but it also takes the longest time to complete.

Let's execute the command:

  1. Open the Xfce terminal.

  2. Type the following command and press Enter:

nmap -sV --version-all 127.0.0.1

You should see output similar to the following (the exact output may vary depending on the services running on your machine):

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:15 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000073s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.52 ((Ubuntu))
111/tcp  open  rpcbind 2-4 (RPC #100000)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.52 seconds

Explanation:

  • nmap -sV --version-all 127.0.0.1: Performs service version detection (-sV) with the --version-all option on localhost (127.0.0.1).
  • The output shows the open ports and the detected service versions.
  • Notice that the scan time is longer compared to the previous scans, as Nmap is trying every possible probe.

Important Considerations:

  • Using --version-all can significantly increase the scan time.
  • In some cases, it might not provide significantly more accurate results than the default intensity level.
  • Be mindful of the potential impact on the target system, as this aggressive scanning can generate more traffic.

This option is most useful when you need the most accurate service version information possible and are willing to accept a longer scan time.

Analyze output in Xfce terminal

In this step, we will learn how to analyze the output of Nmap scans directly in the Xfce terminal. Understanding the output is crucial for identifying potential vulnerabilities and gaining insights into the target system.

Let's assume you have already run one of the previous Nmap commands, for example:

nmap -sV 127.0.0.1

The output will be displayed directly in the terminal. Let's break down the key elements of the output:

  • Starting Nmap...: This line indicates the Nmap version and the time the scan started.
  • Nmap scan report for...: This line shows the target IP address or hostname.
  • Host is up...: This indicates whether the target host is reachable.
  • PORT STATE SERVICE VERSION: This is the main table containing the scan results.
    • PORT: The port number.
    • STATE: The state of the port (e.g., open, closed, filtered).
    • SERVICE: The detected service running on the port (e.g., http, ssh, smtp).
    • VERSION: The version of the detected service (e.g., Apache httpd 2.4.52, OpenSSH 8.9p1).
  • Service detection performed...: This line indicates that service version detection was performed.
  • Nmap done...: This line shows the scan duration and the number of hosts scanned.

Analyzing the Output:

  1. Open Ports: Identify the open ports. These are the ports that are actively listening for connections and are potential entry points for attackers.
  2. Services: Determine the services running on the open ports. Knowing the services allows you to research potential vulnerabilities associated with those services.
  3. Versions: Identify the versions of the services. Older versions of software often have known vulnerabilities that can be exploited.

Example:

If the output shows that port 22 is open and running OpenSSH 7.6p1, you can research known vulnerabilities for that specific version of OpenSSH.

Using grep to Filter Output:

You can use the grep command to filter the Nmap output and focus on specific information. For example, to find all lines containing the word "open", you can pipe the Nmap output to grep:

First, run the nmap command again:

nmap -sV 127.0.0.1

Because the previous command's output has already scrolled past in the terminal, it can no longer be piped anywhere. What the shell does keep is the command itself, in its history, so we can find it there and re-run it:

history | grep "nmap -sV 127.0.0.1" | grep -v "history" | tail -n 1 | sed 's/^ *[0-9]* *//' | bash

This pipeline finds the most recent history entry containing the nmap command (the grep -v excludes the pipeline itself, which is already in the history when it runs), strips the leading history number with sed, and passes the command to bash to execute it. The output of the nmap command is then displayed in the terminal again.

Now, let's use grep to filter the output. Since we can't directly pipe the output from the previous command, we'll need to run the nmap command again and pipe its output to grep.

nmap -sV 127.0.0.1 | grep "open"

This will display only the lines that contain the word "open", making it easier to identify the open ports.
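The following script is an added example and not part of the lab. It applies the same idea as the grep pipeline above, but matches on the STATE column with awk instead of searching for the word "open" anywhere in the line, and it also flags services that Nmap could only guess from the port number (Nmap appends "?" to the service name when no version probe matched). The scan output embedded in SAMPLE_SCAN is constructed to mirror the lab's localhost scan; the 8443/tcp line is added only to show an unfingerprinted service.

```shell
#!/bin/sh
# Added example, not the lab's own code: tabulate open ports from Nmap's
# normal (-sV) output without re-running the scan.
# SAMPLE_SCAN is a constructed sample modelled on the lab output; the
# 8443/tcp line is invented to show a service Nmap could not fingerprint.

SAMPLE_SCAN='Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:00 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000073s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.52 ((Ubuntu))
111/tcp  open  rpcbind 2-4 (RPC #100000)
8443/tcp open  https?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5.28 seconds'

# Print "port/proto service version" for every port whose STATE column is
# exactly "open". Testing field 2 instead of grepping the whole line avoids
# matching the word "open" in unrelated text, and skips the PORT header.
open_services() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
        version = ""
        for (i = 4; i <= NF; i++) version = version (i > 4 ? " " : "") $i
        printf "%s %s %s\n", $1, $3, (version == "" ? "(no version match)" : version)
    }'
}

# Number of open ports; a useful single figure to compare between scans.
count_open() {
    open_services | wc -l | tr -d ' '
}

# Services whose name ends in "?" were guessed from the port number alone,
# so their version is unknown and they deserve a manual look.
unfingerprinted() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" && $3 ~ /\?$/ { print $1 }'
}

printf '%s\n' "$SAMPLE_SCAN" | open_services
echo "open ports: $(printf '%s\n' "$SAMPLE_SCAN" | count_open)"
echo "guessed from port number only: $(printf '%s\n' "$SAMPLE_SCAN" | unfingerprinted)"
```

To use it on a real scan, replace the sample with a live pipe, for example nmap -sV 127.0.0.1 | open_services, or feed it a saved file with open_services < services.txt.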

Analyzing the output in the terminal is a fundamental skill for network administrators and security professionals. It allows you to quickly assess the security posture of a system and identify potential vulnerabilities.

Save results with nmap -sV -oN services.txt 192.168.1.1

In this step, we will learn how to save the results of an Nmap scan to a file for later analysis or reporting. Nmap provides several output formats, and we will use the "normal" output format (-oN) in this example.

  1. Open the Xfce terminal.

  2. Type the following command and press Enter:

nmap -sV -oN services.txt 192.168.1.1

This command performs a service version detection scan (-sV) on the target IP address 192.168.1.1 and saves the output in the "normal" format (-oN) to a file named services.txt in your current directory (~/project).

Explanation:

  • nmap -sV: Performs service version detection.
  • -oN services.txt: Specifies that the output should be saved in the "normal" format to a file named services.txt.
  • 192.168.1.1: The target IP address. Note: If you don't have a host at 192.168.1.1, you can use 127.0.0.1 instead.

After the scan completes, you can view the contents of the services.txt file using the cat command:

cat services.txt

This will display the Nmap scan results in the terminal.

Alternatively, you can open the services.txt file with a text editor like nano:

nano services.txt

This allows you to browse the results in a more structured way.

Understanding the Output Format:

The "normal" output format is designed to be human-readable and provides a concise summary of the scan results. It includes information about the target host, open ports, detected services, and their versions.

Other Output Formats:

Nmap supports several other output formats, including:

  • -oX: XML output format, suitable for parsing by other tools.
  • -oS: Script Kiddie output format (for fun).
  • -oG: Grepable output format, designed for easy parsing with grep and other command-line tools.

Saving scan results is essential for documenting your findings, sharing them with others, and tracking changes over time.
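As an added example that is not part of the lab, the script below shows why the grepable format (-oG) exists and how saved results support tracking changes over time: it parses the "Ports:" field of a -oG record and compares a baseline scan with a later one to list ports that have newly opened. Both scan records are constructed samples written in the -oG layout (one entry per port of the form port/state/proto/owner/service/rpcinfo/version/); they were not produced by running Nmap, and the 8080/tcp entry in the second record is invented to give the comparison something to find.

```shell
#!/bin/sh
# Added example, not the lab's own code: parse Nmap grepable (-oG) output
# and report ports open in a current scan that were not open in a baseline.
# Both files below are constructed samples in the -oG layout, not real scans.

WORK=$(mktemp -d)
BASELINE="$WORK/services-baseline.gnmap"
CURRENT="$WORK/services-current.gnmap"

# Baseline: the three listeners from the lab's localhost scan.
printf '# Nmap 7.80 scan initiated (constructed sample) as: nmap -sV -oG services-baseline.gnmap 127.0.0.1\n' > "$BASELINE"
printf 'Host: 127.0.0.1 (localhost)\tStatus: Up\n' >> "$BASELINE"
printf 'Host: 127.0.0.1 (localhost)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.52 ((Ubuntu))/, 111/open/tcp//rpcbind//2-4 (RPC #100000)/\tIgnored State: closed (997)\n' >> "$BASELINE"

# Later scan of the same host: an extra listener on 8080 (invented for the sample).
printf 'Host: 127.0.0.1 (localhost)\tStatus: Up\n' > "$CURRENT"
printf 'Host: 127.0.0.1 (localhost)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.52 ((Ubuntu))/, 111/open/tcp//rpcbind//2-4 (RPC #100000)/, 8080/open/tcp//http-proxy//Squid http proxy 4.13/\tIgnored State: closed (996)\n' >> "$CURRENT"

# Print "port/proto service version" for each open port in a -oG file on stdin.
# Fields of a Host: line are tab-separated; inside the "Ports:" field the
# entries are comma-separated and each entry's subfields are slash-separated.
grepable_ports() {
    awk -F'\t' '/^Host:/ {
        for (f = 2; f <= NF; f++) {
            if ($f !~ /^Ports: /) continue
            n = split(substr($f, 8), entry, /, /)
            for (e = 1; e <= n; e++) {
                split(entry[e], p, "/")
                if (p[2] == "open") printf "%s/%s %s %s\n", p[1], p[3], p[5], p[7]
            }
        }
    }'
}

# Ports open in the current file ($2) that were not open in the baseline ($1).
# The first awk pass records baseline ports; the second prints unseen ones.
new_open_ports() {
    base=$(mktemp); cur=$(mktemp)
    grepable_ports < "$1" > "$base"
    grepable_ports < "$2" > "$cur"
    awk 'NR == FNR { seen[$1] = 1; next } !($1 in seen)' "$base" "$cur"
    rm -f "$base" "$cur"
}

echo "Baseline open ports:"
grepable_ports < "$BASELINE"
echo "Newly open since baseline:"
new_open_ports "$BASELINE" "$CURRENT"
```

With real scans you would produce the two files with nmap -sV -oG services-baseline.gnmap 127.0.0.1 today and the same command into a second file later; the comparison then becomes a quick check for listeners that appeared without a matching change record.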

Summary

In this lab, participants learn to use Nmap for service and version detection. They start with a basic service detection scan on the localhost using the command nmap -sV 127.0.0.1. They also learn to adjust the intensity of the scan, detect services on specific ports, and perform full detection. Additionally, they analyze the output in the Xfce terminal and save the results to a text file using the -oN option.