- When Nmap identifies an open port, it displays the default service commonly associated with that port (based on the list of about 2,200 services in the nmap-services file)
- What about services not on that list?
- What about services on unexpected ports? (i.e. HTTP on T:90 or sshd on T:3322)
- The --version-trace option shows probe details in real time
Nmap Version Scanning Technique
- NULL probe
  - If the port is TCP, Nmap connects to it and listens for roughly 5 seconds for an initial welcome banner
  - If data is received, it is compared against the signatures in nmap-service-probes
- Probable Port probes (share the connection from the NULL probe step)
  - Run against all UDP ports, and against TCP ports whose NULL probe failed (or only soft-matched)
  - Every probe has a list of probable port numbers
  - Probes whose list includes the port send their probe string to it
  - Responses are compared against regular expressions
- Sequential Probes
  - New connection for each probe (so one probe's response cannot corrupt the next)
  - Uses a 'rarity' metric to avoid trying probes that are extremely unlikely to match
- SSL probes
  - If the Sequential Probes determine that the target port is running SSL and OpenSSL is available, Nmap connects back over SSL and restarts the version scan inside the tunnel
- Nmap RPC Grinder
  - If a generic probe identifies an RPC-based service, the Grinder brute-forces the RPC program number/name and supported version numbers
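As an added example (not from these notes or from the Nmap project), the probe-selection and signature-matching steps above in Python, run against a constructed excerpt written in nmap-service-probes syntax; `parse_probes`, `probe_order`, `identify` and the sample signatures are assumptions for illustration only.

```python
import re
# Constructed excerpt in nmap-service-probes syntax (not the real file); only m|..| regexes and comma port lists are parsed.
PROBES_TEXT = r"""
Probe TCP NULL q||
rarity 1
match ssh m|^SSH-[\d.]+-OpenSSH_([\w.]+)| p/OpenSSH/ v/$1/
Probe TCP GetRequest q|GET / HTTP/1.0\r\n\r\n|
rarity 1
ports 80,81,8080
match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: ([^\r\n]+)| p/$1/
Probe TCP Help q|HELP\r\n|
rarity 4
ports 21,25,587
match smtp m|^214-| p/Generic SMTP/
"""

def parse_probes(text):
    """Turn Probe/rarity/ports/match lines into probe dicts (hypothetical helper)."""
    probes = []
    for line in text.splitlines():
        if line.startswith("Probe "):
            proto, name = line.split()[1:3]
            probes.append({"proto": proto, "name": name, "rarity": 1, "ports": set(), "matches": []})
        elif line.startswith("rarity "):
            probes[-1]["rarity"] = int(line.split()[1])
        elif line.startswith("ports "):
            probes[-1]["ports"] = {int(p) for p in line.split()[1].split(",")}
        elif line.startswith("match "):
            m = re.match(r"match (\S+) m\|(.*)\|\S*\s*(.*)", line)
            probes[-1]["matches"].append((m.group(1), re.compile(m.group(2).encode()), m.group(3)))
    return probes

PROBES = parse_probes(PROBES_TEXT)  # parsed once so callers can reuse the signatures

def probe_order(probes, port, proto="TCP", intensity=7):
    """NULL probe first (TCP banner grab), then probes listing the port as probable, then the rest by rarity <= intensity."""
    usable = [p for p in probes if p["proto"] == proto]
    first = [p for p in usable if proto == "TCP" and p["name"] == "NULL"]
    probable = [p for p in usable if port in p["ports"]]
    done = {p["name"] for p in first + probable}
    rest = [p for p in usable if p["name"] not in done and p["rarity"] <= intensity]
    return first + probable + sorted(rest, key=lambda p: p["rarity"])

def identify(banner, probe):
    """Run the probe's match lines over a response: (service, version info with $N filled in) or None."""
    for service, rx, info in probe["matches"]:
        m = rx.search(banner)
        if m:
            return service, re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))).decode(), info)
    return None
```

Lowering `intensity` drops the rarer Help probe for a port it does not list, which is the same trade-off the real --version-intensity option makes between coverage and scan noise.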