Service Enumeration
Getting the service and an accurate version number is essential for us to find known exploits and source code.
It is recommended to first run a port scan and only afterwards run a service scan with version detection (-sV) against the specific ports found open. Alternatively, we can run a full TCP scan on all ports with version detection:
sudo nmap 10.129.2.28 -p- -sV -v

Here the -v option increases verbosity, so any port found open is printed to the terminal as soon as it is discovered. If the scan takes long, we can also add --stats-every=5s to get a progress update every five seconds.
Banner Grabbing
Primarily, Nmap looks at the banners of the scanned ports and prints them out. If it cannot identify versions through the banners, Nmap attempts to identify them through a signature-based matching system.
The way this works: after a successful three-way handshake, the server sends us a banner announcing the service and its version, which lets us know what we are working with. At the network level this arrives in a TCP segment with the PSH flag set in the header. Sometimes Nmap fails to process this banner. For example, if a scan run with --packet-trace shows that Nmap could not resolve the service on an SMTP port, we can grab the banner manually from port 25:
nc -nv 10.129.2.28 25
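The banner exchange described above, as an added example that is not part of the original notes: a Python script that starts a throwaway listener on the loopback interface, connects to it the way nc does, reads the greeting the server pushes right after the handshake, and parses the service and version out of it. The SMTP-style greeting is constructed for the example (modelled on a typical ESMTP 220 line, not captured from any real host), and the silent-server case models what happens when a service waits for the client to speak first, which is when a banner grab returns nothing and Nmap has to fall back to signature matching. Running it against your own mail relay's greeting is a quick way to see exactly what software and version it discloses.

```python
import re
import socket
import threading

# Constructed sample greeting, modelled on a typical ESMTP 220 line (not from a real host)
SAMPLE_BANNER = b"220 mail.example.test ESMTP Postfix (Debian/GNU)\r\n"


def serve_banner(banner):
    """Start a loopback listener that pushes `banner` right after the TCP handshake.

    Returns the bound port. `banner=None` models a service that stays silent and
    waits for the client to speak first, so nothing arrives for a banner grab.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            if banner is not None:
                conn.sendall(banner)  # this segment carries the PSH flag
            conn.recv(1)  # hold the connection until the client closes it
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def grab_banner(host, port, timeout=2.0):
    """Connect and read whatever the server volunteers before we send anything.

    Returns the decoded, stripped banner, or None if the server sends nothing
    within `timeout` seconds (the silent-service case).
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            data = s.recv(1024)
        except socket.timeout:
            return None
    if not data:
        return None
    return data.decode("ascii", errors="replace").strip()


# SMTP greeting: "<3-digit code> <hostname> [ESMTP] <software and version>"
SMTP_GREETING = re.compile(r"^(\d{3})[ -](\S+)(?:\s+ESMTP)?\s*(.*)$")


def parse_smtp_banner(banner):
    """Split an SMTP greeting into reply code, hostname and software string.

    Returns None if the line does not look like an SMTP greeting.
    """
    m = SMTP_GREETING.match(banner or "")
    if not m:
        return None
    code, hostname, software = m.groups()
    return {"code": int(code), "hostname": hostname, "software": software}


if __name__ == "__main__":
    port = serve_banner(SAMPLE_BANNER)
    banner = grab_banner("127.0.0.1", port)
    print("banner:", banner)
    print("parsed:", parse_smtp_banner(banner))

    quiet_port = serve_banner(None)
    print("silent service:", grab_banner("127.0.0.1", quiet_port, timeout=0.5))
```

The parsed "software" field is the part worth auditing on your own hosts: it is what -sV reports as the version and what an attacker would match against known issues, and most MTAs let you trim the greeting to the bare hostname.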