Service Detection using Nmap

Note: If you need a better view of the image, you can right click on the image -> Open image in a new tab.

Everything is done in a Virtual Machine

Background information:

Service detection is essentially banner grabbing. Banner grabbing is when you connect to a service such as FTP or Telnet and read the banner that tells you which version of the service is running. If the version running on the host is very old, there is a good chance it has a known vulnerability that could be used to exploit it.

Command for Nmap

```shell
nmap -sV --version-intensity <0-9> MACHINE_IP
nmap -sV --version-light MACHINE_IP   # optional shortcut, equivalent to --version-intensity 2
```

--version-intensity <intensity> (Set version scan intensity) When performing a version scan (-sV), Nmap sends a series of probes, each of which is assigned a rarity value between one and nine. The lower-numbered probes are effective against a wide variety of common services, while the higher-numbered ones are rarely useful.

The intensity level specifies which probes should be applied. The higher the number, the more likely it is the service will be correctly identified. However, high intensity scans take longer. The intensity must be between 0 and 9. The default is 7.

Reference: https://nmap.org/book/man-version-detection.html

What does service detection look like from a Wireshark perspective?

First, using Kali Linux, I will execute an Nmap scan against my vulnerable web server.

Then, I will switch to Wireshark. Let's take a look at FTP -> vsftpd 2.3.4. To make my life easier, I will use the display filter: `tcp.port == 21`

As you can see from the picture, the top portion highlighted in red is Nmap checking whether the port is open or closed. The port is open because we got the series SYN -> SYN-ACK -> ACK -> RST,ACK.
If the port were closed, the server would respond with a RST instead of a SYN,ACK.

After Nmap figured out that the port was open, it ran service detection. When service detection happens, Nmap completes a TCP three-way handshake to establish a connection with the service and grab its banner, as you can see from the purple frame.
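As an added example (not code from the original post), the Python script below takes constructed packet summaries modelled on the Wireshark `tcp.port == 21` view described above and labels each TCP stream as a port-open check, a banner grab (service detection), or a closed-port response, and pulls the product and version out of the FTP greeting. It goes slightly beyond the post by also recognising the closed-port case; the addresses, ports and frames are assumed sample data.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the Wireshark view in the post: a port-open
# check, a full handshake that reads the FTP banner, and a probe of a closed
# port. Sample data, not a real capture. Fields: frame, src, dst, flags, payload.
SAMPLE_PACKETS = [
    (1, "10.0.0.5:40110", "10.0.0.9:21", "SYN", b""),
    (2, "10.0.0.9:21", "10.0.0.5:40110", "SYN,ACK", b""),
    (3, "10.0.0.5:40110", "10.0.0.9:21", "ACK", b""),
    (4, "10.0.0.5:40110", "10.0.0.9:21", "RST,ACK", b""),
    (5, "10.0.0.5:40112", "10.0.0.9:21", "SYN", b""),
    (6, "10.0.0.9:21", "10.0.0.5:40112", "SYN,ACK", b""),
    (7, "10.0.0.5:40112", "10.0.0.9:21", "ACK", b""),
    (8, "10.0.0.9:21", "10.0.0.5:40112", "PSH,ACK", b"220 (vsFTPd 2.3.4)\r\n"),
    (9, "10.0.0.5:40112", "10.0.0.9:21", "RST,ACK", b""),
    (10, "10.0.0.5:40114", "10.0.0.9:23", "SYN", b""),
    (11, "10.0.0.9:23", "10.0.0.5:40114", "RST,ACK", b""),
]

# FTP greeting such as "220 (vsFTPd 2.3.4)": capture product name and version.
FTP_BANNER_RE = re.compile(rb"^220\s+\(?(\S+?)\s+([\d.]+)\)?")


def classify_streams(packets):
    """Group packets by the client socket that sent the SYN and label each stream."""
    streams = defaultdict(list)  # client endpoint -> [(src, flags, payload), ...]
    for _frame, src, dst, flags, payload in packets:
        if src in streams:
            streams[src].append((src, flags, payload))
        elif dst in streams:
            streams[dst].append((src, flags, payload))
        elif flags == "SYN":  # first packet of a new connection attempt
            streams[src].append((src, flags, payload))

    labels = {}
    for client, pkts in streams.items():
        flags = [f for _, f, _ in pkts]
        # Only the server side can send the greeting banner.
        banner = next((p for s, _, p in pkts if s != client and p), b"")
        if flags[:2] == ["SYN", "RST,ACK"]:
            labels[client] = ("closed-port", None)          # server refused
        elif banner:
            m = FTP_BANNER_RE.match(banner)
            version = (m.group(1).decode(), m.group(2).decode()) if m else None
            labels[client] = ("service-detection", version)  # handshake + banner read
        elif flags[:2] == ["SYN", "SYN,ACK"]:
            labels[client] = ("port-probe", None)           # open check, no data
        else:
            labels[client] = ("other", None)
    return labels
```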

That's all. Thanks for reading my post.