Skip to content

Nmap Post Port Scans

Service and Version Detection (-sV)

After discovering open ports, it's crucial to identify the services running on those ports and their versions. This information is essential for vulnerability assessment.

  • How it Works: Nmap connects to open ports and tries to elicit information about the service. It compares the responses to a database of known service banners and version strings.

  • -sV: Enables service and version detection.

  • --version-intensity <level>: Controls the level of probing. Higher levels (0-9) mean more probes and potentially more accurate results, but also take longer. --version-light is level 2, --version-all is level 9.

  • TCP 3-Way Handshake: -sV requires a full TCP 3-way handshake. Stealth SYN scans (-sS) are not possible when using -sV. Nmap needs to establish a connection to interact with the service and get version information.

  • Output: The version information is displayed in a dedicated "VERSION" column in the Nmap output. This is distinct from the "SERVICE" column, which might just guess the service based on the port number. The version is obtained through actual interaction with the service.

OS Detection (-O)

Nmap can attempt to identify the target operating system based on its network behavior.

  • How it Works: Nmap sends a series of probes to the target and analyzes the responses. It compares these responses to a database of known OS fingerprints.

  • -O: Enables OS detection.

  • Accuracy: OS detection is not always perfect. It can be fooled by firewalls, network address translation (NAT), and virtualization. Nmap needs at least one open and one closed port for reliable OS detection. Treat the results as a guess, not a certainty.

  • Output: Nmap provides information about the detected OS, including the OS name, version, and CPE (Common Platform Enumeration) identifier.

Traceroute (--traceroute)

Nmap can perform traceroute to map the path to the target.

  • How it Works: Nmap sends packets with decreasing TTL (Time To Live) values. When a packet's TTL reaches 0, the router sends an ICMP Time-to-Live Exceeded message back. This reveals the router's IP address.

  • --traceroute: Enables traceroute.

  • Nmap's Approach: Nmap's traceroute starts with a high TTL and decrements it. This is different from the traditional traceroute command, which starts with a low TTL and increments it.

  • Limitations: Some routers block ICMP Time-to-Live Exceeded messages, which can prevent traceroute from revealing the complete path.

Nmap Scripting Engine (NSE)

NSE allows you to extend Nmap's functionality using scripts written in Lua.

  • Scripts: Nmap comes with hundreds of pre-written scripts for various tasks, from service fingerprinting to vulnerability scanning.

  • Categories: Scripts are organized into categories (e.g., auth, brute, default, discovery, exploit, vuln).

  • --script=<scripts>: Runs specified scripts. You can use wildcards (e.g., --script "http*") or comma-separated lists.

  • -sC or --script=default: Runs the default scripts.

  • Security Considerations: Be careful when running scripts, especially those in the brute, exploit, and intrusive categories. Make sure you have permission to run these scripts on the target system. Scripts from untrusted sources can pose a security risk.

  • Script Descriptions: You can examine the script files (usually in /usr/share/nmap/scripts) to understand what they do.

Saving Scan Results

Nmap can save scan results in several formats.

  • -oN <filename> (Normal): Saves the output in a human-readable format, similar to what you see on the console.

  • -oG <filename> (Grepable): Saves the output in a format that's easy to parse with grep. Each line contains complete information about a host or port, making it easy to filter and search.

  • -oX <filename> (XML): Saves the output in XML format, which is suitable for automated processing and integration with other tools.

  • -oA <filename> (All): Saves the output in all three formats (normal, grepable, and XML).

  • -oS <filename> (Script Kiddie): A humorous output format, not recommended for serious use.

Combining Options

You can combine many Nmap options in a single command. For example:

sudo nmap -sS -sV -O --traceroute -sC -oA my_scan 192.168.1.10

This command performs a SYN scan, service and version detection, OS detection, traceroute, runs default scripts, and saves the results in all three formats to files named my_scan.nmap, my_scan.gnmap, and my_scan.xml.