Hacking Linux Exposed

About
Authors
Contents
Reviews
Foreword
Purchase

Articles
Books
Sourcecode
Tools
Errata

Home

 


previous article
index
next article
Nmap Version Detection Rocks
By Bri Hatch.

Summary: The newest version of Nmap can fingerprint the protocol and software versions that it discovers, giving you a more accurate picture of your network.

Most people have heard of Nmap, the ubiquitous portscanner and more, available at http://www.insecure.org/nmap/. Recently, a new version of Nmap was released with a new and frequently requested feature - version scanning.

Nmap-3.45 and later have the ability to test out open ports and discover what version of software is running. The older versions could only tell you what port was open, and what that port is traditionally used for. While this is a good start, it is common for people to run services on non-standard ports for a variety of reasons:

Obscurity
If your computer has port 22 open, it's probably an ssh server. However if you ran your ssh server on a port normally skipped by nmap, such as 27011, then it may be overlooked. As always, remember my mantra -- Security with obscurity is good, relying on security through obscurity is bad.

Fooling firewalls
Many firewalls will restrict to which ports it will allow you to connect. For example a Squid proxy may only allow the CONNECT method to the official HTTPS port, 443. If you have a server on the Internet to which you want to SSH through that proxy, then it would deny you access to the real SSH port, port 22. If you ran an SSH server on port 443, however, it will allow you through, no questions asked.

Another example may be a dialup ISP, which doesn't allow you to connect directly outbound to port 25, the SMTP port. If you wanted to not relay through your ISP, but connect to your company mail server directly, you may want to run your mail server on an additional port, such as port 80.

These non-standard setups are more common than you might think, but old Nmap results would only tell you that port 80 was likely HTTP, and wouldn't let you know if something else were listening on that port. Other tools, such as Nmap+v, or amap, were typically used to enumerate what service was actually listening on that port.

The new Nmap has the ability to test out the service directly. It has an extensive service fingerprint database, and a very fast parallel scanner. It has an efficient and effective methodology, minimising the number of tests that are required to fingerprint a service. For example if it sees a SMTP-like banner, it will first try SMTP-related tests, and only continue on to HTTP tests if those first tests fail.

It even has SSL support[1] so if a test determines that the port is SSL wrapped, it will restart the tests with full blown SSL encryption. This allows it to determine a port is POP3 inside SSL, for example.

Version detection will tell you as much as it can, including

  • The protocol in use, for example HTTP
  • The software product, for example Apache
  • The version of the software, for example Apache 1.3.27
  • Any other subversion information, such as contains PHP 4.3.2

To get version detection, you need to include the -sV flag to nmap. Alternatively, if you want the whole kitchen sink of options, you can use the -A argument, which will enable OS detection and everything else you could possibly want.

One important thing to note -- version detection will end up creating full blown TCP connections, three-way handshake and all. This means that you will not be operating in a stealthy mode!

Here's a snippet of the new output: 


  # nmap -A -p 1-65535 www.NoSuchHostExistsIPromise.com [2]
  
  Starting nmap 3.45
  Interesting ports
  PORT    STATE SERVICE  VERSION
   21/tcp  open  ftp?
   22/tcp  open  ssh      OpenSSH 3.7.1p1 (Protocol 1.99)
   25/tcp  open  smtp
   80/tcp  open  http     Apache httpd 1.3.27 ((Unix) mod_gzip/1.3.26.1a
                            FrontPage/5.0.2.2510 PHP/4.3.2
			    mod_ssl/2.8.13 OpenSSL/0.9.7a)
   443/tcp open  ssl/http Apache httpd 1.3.27 ((Unix) mod_gzip/ ...)
   993/tcp open  ssl/imap UW Imapd 2001.315
   995/tcp open  ssl/pop3 Openwall popa3d
  8888/tcp open  ssl/unknown
  1 service unrecognised despite returning data. If you know the
  service/version, please submit the following fingerprint at
  http://www.insecure.org/cgi-bin/servicefp-submit.cgi
  
  SF-Port25-TCP:V=3.40PVT17%D=9/29%Time=3F78B3E0%r(NULL,27,"220\x20host\.
  SF:example.com\x20ESMTP\x20XahriaMail\r\n")%r(Help,27,"220\x20host\.exa
  SF:mple.com\x20ESMTP\x20XahriaMail\r\n");

  Nmap run completed -- 1 IP address (1 host up) scanned in 10.339 seconds

Let's look at that output a line at a time: 


  PORT    STATE SERVICE  VERSION
  21/tcp  open  ftp?

Nmap was unable to determine what was running on port 21. It lists the port as 'ftp?' to tell you what's traditionally on this port, but no guarantees that it's FTP at all. 

  22/tcp  open  ssh      OpenSSH 3.7.1p1 (Protocol 1.99)

Here's an example of a successful version string. Nmap was able to determine that it's definitively running OpenSSH version 3.7.1p1[3], and accepts both SSH protocol 1 and 2, which you can glean from the Protocol 1.99 section. 

  25/tcp  open  smtp

Port 25 is an SMTP server, as noted by the fact that the service name stmp does not have a question mark at the end. However Nmap was unable to determine exactly which SMTP server software was running, so the version field is empty. 

  80/tcp  open  http     Apache httpd 1.3.27 ((Unix) mod_gzip/1.3.26.1a
                           PHP/4.3.2 mod_ssl/2.8.13 OpenSSL/0.9.7a)
  443/tcp open  ssl/http Apache httpd 1.3.27 ((Unix) mod_gzip/1.3.26.1a
                           PHP/4.3.2 mod_ssl/2.8.13 OpenSSL/0.9.7a)
  993/tcp open  ssl/imap UW Imapd 2001.315
  995/tcp open  ssl/pop3 Openwall popa3d

Here we see a machine that is giving out lots of unnecessary information. Port 80 and 443 is running an HTTP server, in this case Apache 1.3.27, and tells us a lot about the modules currently in use -- mod_gzip, mod_ssl PHP and it uses OpenSSL version 0.9.7a. Note that port 80 is cleartext HTTP, as noted by the service name http, while port 443 is SSL-encrypted HTTP, aka HTTPS, as noted by the service name ssl/http.

Similarly, we have both an SSLified[4] imap and pop3 server running. 

  8888/tcp open  ssl/unknown

Lastly, we have here some port that is running an SSL server, but the service being protected is not known.[5] 

  1 service unrecognised despite returning data. If you know the
  service/version, please submit the following fingerprint at
  http://www.insecure.org/cgi-bin/servicefp-submit.cgi
  
  SF-Port25-TCP:V=3.40PVT17%D=9/29%Time=3F78B3E0%r(NULL,27,"220\x20host\.
  SF:example.com\x20ESMTP\x20XahriaMail\r\n")%r(Help,27,"220\x20host\.exa
  SF:mple.com\x20ESMTP\x20XahriaMail\r\n");

This last part should be somewhat familiar to anyone who has used Nmap OS detection. Although the version scanning tests did not determine what was running on port 25 for sure, it did get enough information that you could submit back to insecure.org to let future versions recognise the service. If you know what's running on this port[6], then you can submit this fingerprint at the URL that's listed.

I'm very excited about the new version of Nmap. If you haven't checked it out yet, do so, and submit back any fingerprints you can!

For more information about the internals of Nmap's version scanning, you might want to check out Fyodor's version scanning article at http://www.insecure.org/nmap/versionscan.html.

NOTES:

[1] I helped implement the SSL support, so you'll excuse me if I pat myself on the back for this one. While there are many Open Source projects out there where my code appears, this is by far the most cool one.

[2] Hello, Verisign!

[3] Whoops - someone should upgrade this to 3.7.1p2, since the p1 had some bad PAM code built in that is vulnerable...

[4] You'll note that I said they are SSL enabled, I did not call them secure. While one, the Openwall popa3d server, is a superb and secure product, UW Imapd doesn't instill confidence in me.

[5] The service was the following, if you're curious: 

$ stunnel -d localhost:8888 -l /bin/echo -- echo Hello Fyodor

[6] In this case, it's Postfix with a custom ESMTP banner, which I use at every occasion.

Bri Hatch is Chief Hacker at Onsight, Inc and author of Hacking Linux Exposed and Building Linux VPNs. Is it too late for the Wachowski brothers to include SSLified Nmap in Matrix Revolutions? Bri can be reached at bri@hackinglinuxexposed.com.

Copyright Bri Hatch, 2003

This is the October 06, 2003 issue of the Linux Security: Tips, Tricks, and Hackery newsletter. If you wish to subscribe, visit http://lists.onsight.com/ or send email to Linux_Security-request@lists.onsight.com.