<?xml version="1.0" encoding="UTF-8" standalone="no"?> <!DOCTYPE html><html xmlns="http://www.w3.org/1999/xhtml"><head><title>Chapter 7. Service and Application Version Detection | Nmap Network Scanning</title><link rel="stylesheet" type="text/css" href="/shared/css/db5.css?v=2"/><meta name="generator" content="DocBook XSL Stylesheets V1.79.1"/><link rel="prev" href="mayo-scan.html" title="Scanning 676,352 IP Addresses in 46 Hours"/><link rel="next" href="vscan-examples.html" title="Usage and Examples"/><link rel="canonical" href="https://nmap.org/book/vscan.html"/> <meta name="viewport" content="width=device-width,initial-scale=1"> <meta name="theme-color" content="#2A0D45"> <link rel="preload" as="image" href="/images/sitelogo.png" imagesizes="168px" imagesrcset="/images/sitelogo.png, /images/sitelogo-2x.png 2x"> <link rel="preload" as="image" href="/shared/images/nst-icons.svg"> <link rel="stylesheet" href="/shared/css/nst.css?v=2"> <script async src="/shared/js/nst.js?v=2"></script> <link rel="stylesheet" href="/shared/css/nst-foot.css?v=2" media="print" onload="this.media='all'"> <link rel="stylesheet" href="/site.css"> <!--Google Analytics Code--> <link rel="preload" href="https://www.google-analytics.com/analytics.js" as="script"> <script> (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){ (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o), m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m) })(window,document,'script','//www.google-analytics.com/analytics.js','ga'); ga('create', 'UA-11009417-1', 'auto'); ga('send', 'pageview'); </script> <!--END Google Analytics Code--> <META NAME="ROBOTS" CONTENT="NOARCHIVE"> <link rel="shortcut icon" href="/shared/images/tiny-eyeicon.png" type="image/png"> </head> <body><div id="nst-wrapper"> <div id="menu"> <div class="blur"> <header id="nst-head"> <a id="menu-open" href="#menu" aria-label="Open menu"> <img width="44" height="44" alt="" 
aria-hidden="true" src="/shared/images/nst-icons.svg#menu"> </a> <a id="menu-close" href="#" aria-label="Close menu"> <img width="44" height="44" alt="" aria-hidden="true" src="/shared/images/nst-icons.svg#close"> </a> <a id="nst-logo" href="/" aria-label="Home page"> <img alt="Home page logo" srcset="/images/sitelogo.png, /images/sitelogo-2x.png 2x" src="/images/sitelogo.png" onerror="this.onerror=null;this.srcset=this.src" height=90 width=168></a> <nav id="nst-gnav"> <a class="nlink" href="https://nmap.org/">Nmap.org</a> <a class="nlink" href="https://npcap.com/">Npcap.com</a> <a class="nlink" href="https://seclists.org/">Seclists.org</a> <a class="nlink" href="https://sectools.org">Sectools.org</a> <a class="nlink" href="https://insecure.org/">Insecure.org</a> </nav> <form class="nst-search" id="nst-head-search" action="/search/"> <input class="nst-search-q" name="q" type="search" placeholder="Site Search"> <button class="nst-search-button" title="Search"> <img style="width:100%;aspect-ratio:1/1;" alt="" aria-hidden="true" src="/shared/images/nst-icons.svg#search"> </button> </form> </header> </div> </div> <main id="nst-content"> <nav id="nst-sitenav"> <a class="nlink" href="/download.html">Download</a> <a class="nlink" href="/book/man.html">Reference Guide</a> <a class="nlink" href="/book/">Book</a> <a class="nlink" href="/docs.html">Docs</a> <a class="nlink" href="/zenmap/">Zenmap GUI</a> <a class="nlink" href="/movies/">In the Movies</a> </nav> <header><ul class="breadcrumb-nav"><li class="breadcrumb"><a href="toc.html">Nmap Network Scanning</a></li><li class="breadcrumb current">Chapter 7. 
Service and Application Version Detection</li></ul><nav class="docnav-header"><div class="dn-unit"><a class="dn-link dn-prev" href="mayo-scan.html" accesskey="p">Prev</a></div><div class="dn-unit"><a class="dn-link dn-next" href="vscan-examples.html" accesskey="n">Next</a></div></nav></header><section class="chapter" id="vscan"><div class="titlepage"><div><div><h1 class="title">Chapter 7. Service and Application Version Detection</h1></div></div></div><div class="toc"><div class="toc-title">Table of Contents</div><ul class="toc"><li><span class="sect1"><a href="vscan.html#vscan-intro">Introduction</a></span></li><li><span class="sect1"><a href="vscan-examples.html">Usage and Examples</a></span></li><li><span class="sect1"><a href="vscan-technique.html">Technique Described</a></span><ul><li><span class="sect2"><a href="vscan-technique.html#vscan-cheats-and-fallbacks">Cheats and Fallbacks</a></span></li><li><span class="sect2"><a href="vscan-technique.html#vscan-selection-and-rarity">Probe Selection and Rarity</a></span></li></ul></li><li><span class="sect1"><a href="vscan-technique-demo.html">Technique Demonstrated</a></span></li><li><span class="sect1"><a href="vscan-post-processors.html">Post-processors</a></span><ul><li><span class="sect2"><a href="vscan-post-processors.html#version-detection-nse">Nmap Scripting Engine Integration</a></span></li><li><span class="sect2"><a href="vscan-post-processors.html#version-detection-rpc">RPC Grinding</a></span></li><li><span class="sect2"><a href="vscan-post-processors.html#vscan-ssl-postprocess">SSL Post-processor Notes</a></span></li></ul></li><li><span class="sect1"><a href="vscan-fileformat.html"><code class="filename">nmap-service-probes</code> File Format</a></span><ul><li><span class="sect2"><a href="vscan-fileformat.html#vscan-db-exclude"><code class="literal">Exclude</code> Directive</a></span></li><li><span class="sect2"><a href="vscan-fileformat.html#vscan-db-probe"><code class="literal">Probe</code> 
Directive</a></span></li><li><span class="sect2"><a href="vscan-fileformat.html#vscan-db-match"><code class="literal">match</code> Directive</a></span></li><li><span class="sect2"><a href="vscan-fileformat.html#vscan-db-softmatch"><code class="literal">softmatch</code> Directive</a></span></li><li><span class="sect2"><a href="vscan-fileformat.html#vscan-db-ports"><code class="literal">ports</code> and <code class="literal">sslports</code> Directives</a></span></li><li><span class="sect2"><a href="vscan-fileformat.html#vscan-db-totalwaitms"><code class="literal">totalwaitms</code> Directive</a></span></li><li><span class="sect2"><a href="vscan-fileformat.html#vscan-db-tcpwrappedms"><code class="literal">tcpwrappedms</code> Directive</a></span></li><li><span class="sect2"><a href="vscan-fileformat.html#vscan-db-rarity"><code class="literal">rarity</code> Directive</a></span></li><li><span class="sect2"><a href="vscan-fileformat.html#vscan-db-fallback"><code class="literal">fallback</code> Directive</a></span></li><li><span class="sect2"><a href="vscan-fileformat.html#vscan-fileformat-example">Putting It All Together</a></span></li></ul></li><li><span class="sect1"><a href="vscan-community.html">Community Contributions</a></span><ul><li><span class="sect2"><a href="vscan-community.html#vscan-submit-prints">Submit Service Fingerprints</a></span></li><li><span class="sect2"><a href="vscan-community.html#vscan-submit-corrections">Submit Database Corrections</a></span></li><li><span class="sect2"><a href="vscan-community.html#vscan-submit-probe">Submit New Probes</a></span></li></ul></li><li><span class="sect1"><a href="vscan-find-service-fast.html">SOLUTION: Find All Servers Running an Insecure or Nonstandard Application Version</a></span><ul><li><span class="sect2"><a href="vscan-find-service-fast.html#vscan-find-service-problem">Problem</a></span></li><li><span class="sect2"><a 
href="vscan-find-service-fast.html#vscan-find-service-solution">Solution</a></span></li><li><span class="sect2"><a href="vscan-find-service-fast.html#vscan-find-service-discussion">Discussion</a></span></li></ul></li><li><span class="sect1"><a href="vscan-hack-it.html">SOLUTION: Hack Version Detection to Suit Custom Needs, such as Open Proxy Detection</a></span><ul><li><span class="sect2"><a href="vscan-hack-it.html#vscan-hack-it-problem">Problem</a></span></li><li><span class="sect2"><a href="vscan-hack-it.html#vscan-hack-it-solution">Solution</a></span></li><li><span class="sect2"><a href="vscan-hack-it.html#vscan-hack-it-discussion">Discussion</a></span></li></ul></li></ul></div><a id="version-detection-indexterm" class="indexterm"></a><a id="idm45751290590336" class="indexterm"></a><section class="sect1" id="vscan-intro"><div class="titlepage"><div><div><h2 class="title" style="clear: both">Introduction</h2></div></div></div><p>While Nmap does many things, its most fundamental feature is port scanning. Point Nmap at a remote machine, and it might tell you that ports <code class="literal">25/tcp</code>, <code class="literal">80/tcp</code>, and <code class="literal">53/udp</code> are open. Using its <code class="filename">nmap-services</code><a id="idm45751290584944" class="indexterm"></a> database of more than 2,200 well-known services, Nmap would report that those ports probably correspond to a mail server (SMTP), web server (HTTP), and name server (DNS) respectively. This lookup is usually accurate—the vast majority of daemons listening on TCP port 25 are, in fact, mail servers. However, you should not bet your security on this! People can and do run services on strange ports. Perhaps their main web server was already on port 80, so they picked a different port for a staging or test server. Maybe they think hiding a vulnerable service on some obscure port prevents <span class="quote">“<span class="quote">evil hackers</span>”</span> from finding it. 
Even more common lately is that people choose ports based not on the service they want to run, but on what gets through the firewall. When ISPs blocked port 80 after the major Microsoft IIS worms CodeRed and Nimda, hordes of users responded by moving their personal web servers to another port. When companies block Telnet access due to its horrific security risks, I have seen users simply run telnetd on the <span class="application">Secure Shell</span> (SSH) port instead.</p><p>Even if Nmap is right, and the hypothetical server above is running SMTP, HTTP, and DNS servers, that is not a lot of information. When doing vulnerability assessments (or even simple network inventories) of your companies or clients, you really want to know which mail and DNS servers and versions are running. Having an accurate version number helps dramatically in determining which exploits a server is vulnerable to. Do keep in mind that security fixes are often back-ported to earlier versions of software, so you cannot rely solely on the version number to prove a service is vulnerable. Enterprise Linux distributions are the usual case: the Apache httpd 2.2.3 on CentOS in <a class="xref" href="vscan.html#ex-version-detection-scan1" title="Example 7.1. Simple usage of version detection">Example 7.1</a> carries years of back-ported fixes under an unchanged upstream version string, so a hit against a vulnerability database keyed on that number is a lead to confirm, not a finding. The opposite error, a false negative, is rarer, but can happen when silly administrators spoof the version number of a vulnerable service to make it appear patched.</p><p>Another good reason for determining the service types and version numbers is that many services share the same port number. For example, port <code class="literal">258/tcp</code> is used by both the Checkpoint Firewall-1 GUI management interface and the <span class="application">yak</span> Windows chat client. This makes a guess based on the <code class="filename">nmap-services</code> table even less accurate. Anyone who has done much scanning knows that you also often find services listening on unregistered ports—these are a complete mystery without version detection. 
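</p><p>To make concrete how version detection turns an otherwise mysterious listener into a product, version and info string, here is a small probe/match engine written for this page (an added example, not Nmap's own code). It parses a few <code class="literal">match</code> lines in the real <code class="filename">nmap-service-probes</code> syntax described later in this chapter and applies them to constructed banners, including the same Postfix banner served from an unregistered port and one response that nothing in the tiny database recognizes. The match lines, the sample responses, the host name <code class="literal">web.insecure.org</code> and the <code class="literal">o/Linux/</code> field on the Apache line are all constructed for the example; Nmap's real database has thousands of signatures and additional syntax that this does not implement.</p>

```python
"""Minimal probe/match engine in the style of Nmap's nmap-service-probes.
Added illustration, not Nmap's own code.  It handles enough of the real 'match'
directive grammar (m<delim>regex<delim>[is], then p/ v/ i/ h/ o/ d/ fields and
cpe:/ names with $N back-references) to turn a raw banner from any port into the
fields Nmap prints.  Probe sequencing, softmatch, rarity, SSL, UDP and the
$P()/$SUBST() helpers of the real implementation are not implemented here."""
import re
from collections import namedtuple

# Constructed match lines in nmap-service-probes syntax.  The regexes are
# simplified stand-ins written for this example, not copied from Nmap's
# database, and the o/Linux/ field on the Apache line is an assumption.
MATCH_LINES = r"""
match ssh m|^SSH-([\d.]+)-OpenSSH[_-]([\w.]+)| p/OpenSSH/ v/$2/ i/protocol $1/ cpe:/a:openbsd:openssh:$2/a
match smtp m|^220 ([\w.-]+) ESMTP Postfix| p/Postfix smtpd/ h/$1/
match http m|^HTTP/1\.[01] \d{3} .*\r\nServer: Apache/([\d.]+) \((CentOS)\)|s p/Apache httpd/ v/$1/ i/($2)/ o/Linux/
"""

# Constructed responses, as they might be read back from open ports on one host.
SAMPLE_RESPONSES = {
    "22/tcp": b"SSH-2.0-OpenSSH_4.3\r\n",
    "25/tcp": b"220 web.insecure.org ESMTP Postfix\r\n",
    "80/tcp": (b"HTTP/1.1 200 OK\r\nDate: Thu, 01 Jan 2009 00:00:00 GMT\r\n"
               b"Server: Apache/2.2.3 (CentOS)\r\nContent-Type: text/html\r\n\r\n"),
    "8088/tcp": b"220 web.insecure.org ESMTP Postfix\r\n",  # mail on an unregistered port
    "31337/tcp": b"\x00\x01\x7fmystery\r\n",                # nothing in the database
}

MatchRule = namedtuple("MatchRule", "service regex fields cpes")


def parse_match_line(line):
    """Parse 'match <service> m<d>regex<d>[is] p/../ v/../ ... cpe:/../[a]'."""
    keyword, service, rest = line.split(None, 2)
    if keyword != "match" or rest[0] != "m":
        raise ValueError("not a match line: %r" % line)
    delim = rest[1]
    end = rest.index(delim, 2)             # the delimiter must not occur in the regex
    pattern, rest = rest[2:end], rest[end + 1:]
    flag_str = re.match(r"[is]*", rest).group(0)
    flags = (re.IGNORECASE if "i" in flag_str else 0) | (re.DOTALL if "s" in flag_str else 0)
    fields, cpes = {}, []
    # A field is a letter (or 'cpe:'), a delimiter, the value, the same delimiter,
    # and for cpe an optional trailing 'a' flag that is accepted and ignored here.
    for m in re.finditer(r"(cpe:|[pvihod])(.)(.*?)\2a?", rest[len(flag_str):]):
        key, _, value = m.groups()
        if key == "cpe:":
            cpes.append("cpe:/" + value)
        else:
            fields[key] = value
    return MatchRule(service, re.compile(pattern.encode(), flags), fields, cpes)


def expand(template, m):
    """Substitute $1..$9 with the captured groups (Nmap's helper functions omitted)."""
    return re.sub(r"\$(\d)",
                  lambda ref: (m.group(int(ref.group(1))) or b"").decode("latin-1"), template)


def identify(response, rules):
    """Return the rendered fields of the first rule whose regex matches, else None."""
    for rule in rules:
        m = rule.regex.search(response)
        if m:
            out = {k: expand(v, m) for k, v in rule.fields.items()}
            out["service"] = rule.service
            out["cpe"] = [expand(c, m) for c in rule.cpes]
            return out
    return None


def version_column(info):
    """Render the VERSION column: product, version, then the info field in parentheses."""
    text = " ".join(x for x in (info.get("p", ""), info.get("v", "")) if x)
    if info.get("i"):
        text += " (%s)" % info["i"]   # an info field of "(CentOS)" prints as "((CentOS))"
    return text


def service_info_line(results):
    """Render the 'Service Info:' line from hostname, OS and device fields across ports."""
    items = []
    for key, label in (("h", "Host"), ("o", "OS"), ("d", "Device")):
        seen = list(dict.fromkeys(r[key] for r in results if r and r.get(key)))
        if seen:
            items.append("%s: %s" % (label, ", ".join(seen)))
    return "Service Info: " + "; ".join(items) if items else ""


def scan_samples(responses=SAMPLE_RESPONSES, lines=MATCH_LINES):
    """Apply every match rule to every response; ports with no match map to None."""
    rules = [parse_match_line(l) for l in lines.strip().splitlines()]
    return {port: identify(resp, rules) for port, resp in responses.items()}


if __name__ == "__main__":
    results = scan_samples()
    for port, r in results.items():
        print("%-9s %-8s %s" % (port, r["service"] if r else "unknown", version_column(r) if r else ""))
    print(service_info_line(results.values()))
```

<p>Run stand-alone it prints a port table in the style of Example 7.1, and the rendering shows why the <code class="literal">VERSION</code> column there reads <code class="literal">Apache httpd 2.2.3 ((CentOS))</code>: the info field itself contains parentheses and is wrapped in a second pair when displayed. The mail daemon on port 8088 is identified exactly as the one on port 25, because the match runs on what the service says, not on the port number. The port with no matching rule comes back as <code class="literal">None</code>, which is the point at which real Nmap prints a service fingerprint for submission rather than guessing from the <code class="filename">nmap-services</code> table.</p><p>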
A final problem is that filtered UDP ports often look the same to a simple port scanner as open ports (see <a class="xref" href="scan-methods-udp-scan.html" title="UDP Scan (-sU)">the section called “UDP Scan (<code class="option">-sU</code>)”</a>). But if they respond to the service-specific probes sent by Nmap version detection, you know for sure that they are open (and often exactly what is running).<a id="idm45751290575856" class="indexterm"></a> </p><p>Service scans sometimes reveal information about a target beyond the service type and version number. Miscellaneous information discovered about a service is collected in the <span class="quote">“<span class="quote">info</span>”</span> field. This is displayed in the <code class="literal">VERSION</code> column inside parentheses following the product name and version number. This field can include SSH protocol numbers, Apache modules, and much more.</p><p>Some services also report their configured hostnames, which differ from machines' reverse DNS<a id="idm45751290572368" class="indexterm"></a> hostnames surprisingly often. The hostname field is reported on a <code class="literal">Service Info</code> line following the port table. It sounds like a minor information leak, but can have consequences. One year at the CanSecWest security conference, I was huddled up in my room with my laptop. Suddenly the <span class="application">tcpdump</span> window in the corner of my screen went wild and I realized my machine was under attack. I scanned back and found an unusual high port sitting open. Upon connecting, the port spewed a bunch of binary characters, but one ASCII field in the output gave a configured domain name. The domain was for a small enough security company that I knew exactly who was responsible. I had the front desk ring his hotel room, and boy was he surprised when I asked him to stop probing my box.</p><p>Two more fields that version detection can discover are operating system and device type. 
These are also reported on the <code class="literal">Service Info</code><a id="idm45751290568288" class="indexterm"></a> line. We use two techniques here. One is application exclusivity. If we identify a service as Microsoft Exchange, we know the operating system is Windows since Exchange doesn't run on anything else. The other technique is to persuade more portable applications to divulge the platform information. Many servers (especially web servers) require very little coaxing. This type of OS detection is intended to complement Nmap's OS detection system (<code class="option">-O</code>) and can sometimes report differing results. For example, consider a Microsoft Exchange server hidden behind a port-forwarding Unix firewall: <code class="option">-O</code> fingerprints whichever TCP/IP stack answers its raw packets, which on such a setup is wholly or partly the firewall, while version detection talks to the Exchange service itself and reports Windows. Both answers are correct, but about different machines.</p><p>The Nmap version scanning subsystem obtains all of this data by connecting to open ports and interrogating them for further information using probes that the specific services understand. This allows Nmap to give a detailed assessment of what is really running, rather than just what port numbers are open. <a class="xref" href="vscan.html#ex-version-detection-scan1" title="Example 7.1. Simple usage of version detection">Example 7.1</a> shows the actual output.</p><div class="example" id="ex-version-detection-scan1"><div class="example-title">Example 7.1. Simple usage of version detection</div><div class="example-contents"><a id="idm45751290562928" class="indexterm"></a><pre class="screen"># <strong class="userinput"><code>nmap -sV -T4 -F insecure.org</code></strong>
Starting Nmap ( https://nmap.org )
Nmap scan report for insecure.org (74.207.254.18)
Host is up (0.016s latency).
rDNS record for 74.207.254.18: web.insecure.org
Not shown: 95 filtered ports
PORT    STATE  SERVICE  VERSION
22/tcp  open   ssh      OpenSSH 4.3 (protocol 2.0)
25/tcp  open   smtp     Postfix smtpd
80/tcp  open   http     Apache httpd 2.2.3 ((CentOS))
113/tcp closed auth
443/tcp open   ssl/http Apache httpd 2.2.3 ((CentOS))
Service Info: Host: web.insecure.org

Nmap done: 1 IP address (1 host up) scanned in 14.82 seconds
</pre></div></div><br class="example-break"/><p>Nmap version detection offers the following advanced features (fully described later):</p><a id="idm45751290559200" class="indexterm"></a><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>High speed, parallel operation via non-blocking sockets and a probe/match definition grammar designed for efficient yet powerful implementation.</p></li><li class="listitem"><p>Determines the application name and version number where available—not just the service protocol. </p></li><li class="listitem"><p>Supports both the TCP and UDP protocols, as well as both textual ASCII and packed binary services. </p></li><li class="listitem"><p>Multi-platform support, including Linux, Windows, Mac OS X, FreeBSD/NetBSD/OpenBSD, Solaris, and all the other platforms on which Nmap is known to work.</p></li><li class="listitem"><p>If SSL is detected, Nmap connects using OpenSSL (if available) and tries to determine what service is listening behind that encryption layer. This allows it to discover services like HTTPS, POP3S, IMAPS, etc. 
as well as providing version details.</p></li><li class="listitem"><p>If a SunRPC<a id="idm45751290553936" class="indexterm"></a> service is discovered, Nmap launches its brute-force RPC grinder<a id="idm45751290552736" class="indexterm"></a> to find the program number, name, and version number.</p></li><li class="listitem"><p>IPv6 is supported, including TCP, UDP, and SSL over TCP.</p></li><li class="listitem"><p>Common Platform Enumeration (CPE)<a id="idm45751290550704" class="indexterm"></a> output for interoperation with other software (some information is only included in XML output). See <a class="xref" href="output-formats-cpe.html" title="Common Platform Enumeration (CPE)">the section called “Common Platform Enumeration (CPE)”</a> for more about CPE.</p></li><li class="listitem"><p>Community contributions: if Nmap gets data back from a service that it does not recognize, a <span class="emphasis"><em>service fingerprint</em></span><a id="idm45751290548000" class="indexterm"></a> is printed along with a submission URL.<a id="idm45751290547120" class="indexterm"></a><a id="idm45751290546416" class="indexterm"></a> This system is patterned after the extremely successful Nmap OS Detection fingerprint submission process. 
New probes and corrections can also be submitted.</p></li><li class="listitem"><p>Comprehensive database: Nmap recognizes more than one thousand service signatures, covering more than 180 unique service protocols from ACAP, AFP, and AIM to XML-RPC, Zebedee, and Zebra.</p></li></ul></div></section><a id="idm45751289980096" class="indexterm"></a></section><footer><hr/><nav class="docnav-footer"><div class="dn-unit"><a class="dn-link dn-prev" href="mayo-scan.html">Prev</a><span class="dn-title">Scanning 676,352 IP Addresses in 46 Hours</span></div><div class="dn-unit"><a class="dn-link dn-up" href="toc.html" accesskey="u">Up</a><span class="dn-title">Nmap Network Scanning</span></div><div class="dn-unit"><a class="dn-link dn-home" href="toc.html" accesskey="h">Home</a></div><div class="dn-unit"><a class="dn-link dn-next" href="vscan-examples.html">Next</a><span class="dn-title">Usage and Examples</span></div></nav></footer> </main><!-- content --> </div><!-- wrapper --> </body> </html>