Welcome to Day 8! Today, we learn about Service Version Detection, which is like moving from simply finding open doors to actually identifying who lives behind them and what they're doing. This is where basic port scanning becomes intelligent reconnaissance.
By completing Day 08, you will be able to:
- Understand what service version detection is and why it's important
- Perform version detection scans using Nmap
- Interpret version detection results
- Identify security implications of service versions
- Use version information for vulnerability assessment
Service Version Detection goes beyond just finding open ports. It actually connects to services, sends probes, and analyzes responses to determine:
- What software is running (Apache, nginx, IIS, etc.)
- Which version is installed (2.4.18, 10.0, etc.)
- Additional details like operating system, configuration hints
- Service banners and identification information
Without Version Detection:
You know: "Port 80 is open - it's a web server"
But don't know: "Is it Apache 2.2.15 (vulnerable) or nginx 1.18 (secure)?"
With Version Detection:
You know: "Port 80 is open - Apache httpd 2.2.15"
And know: "This version has 3 known critical vulnerabilities"Version Detection Steps:
Step 1: Connect to the open port
Step 2: Send service-specific probes
Step 3: Analyze responses
Step 4: Match against Nmap's database
Step 5: Return identified software and version- Banner Grabbing: Reading initial service response
- Protocol Behavior: How service responds to specific requests
- Pattern Matching: Comparing responses to known signatures
- SSL/TLS Analysis: Examining certificates and encryption details
- Application Fingerprints: Unique characteristics of software
# Basic version detection
nmap -sV 192.168.1.1
# Version detection on specific ports
nmap -sV -p 80,443,22 192.168.1.1
# Version detection with timing control
nmap -sV -T4 192.168.1.1# Web server detection
nmap -sV -p 80,443,8080,8443 webserver.com
# Database server detection
nmap -sV -p 3306,5432,1433,1521 database.server
# Mail server detection
nmap -sV -p 25,110,143,465,587,993,995 mail.server$ nmap -sV 192.168.1.1
Starting Nmap 7.93 ( https://nmap.org ) at 2024-01-15 10:00 EST
Nmap scan report for router.local (192.168.1.1)
Host is up (0.005s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
80/tcp open http Apache httpd 2.4.6 ((CentOS))
443/tcp open ssl/http Apache httpd 2.4.6 ((CentOS))
3306/tcp open mysql MySQL 5.5.68
8080/tcp open http-proxy Squid http proxy 3.5.20
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.34 secondsKey Information Provided:
- Service Name: ssh, http, mysql, etc.
- Software: OpenSSH, Apache httpd, MySQL, Squid
- Version Number: 7.4, 2.4.6, 5.5.68, 3.5.20
- Additional Details: Protocol version, OS hint, extra info
- Confidence: Implied by specific version reporting
# Different intensity levels (0-9)
nmap -sV --version-intensity 0 target # Light probing
nmap -sV --version-intensity 5 target # Default
nmap -sV --version-intensity 9 target # All probes
# What intensity means:
# 0-2: Light, fast (basic banners)
# 3-5: Balanced (default)
# 6-9: Heavy, slow (comprehensive)# Light version detection (fast)
nmap -sV --version-light target
# All probes (comprehensive, slow)
nmap -sV --version-all target
# These are shortcuts for:
--version-light = --version-intensity 2
--version-all = --version-intensity 9# Force SSL detection on all ports
nmap -sV --script ssl-cert target
# Detect SSL versions and ciphers
nmap -sV --script ssl-enum-ciphers -p 443 target
# Check for SSL vulnerabilities
nmap -sV --script ssl-* target# Comprehensive web server analysis
nmap -sV -p 80,443,8080,8443 --script=http* webserver.com
# This reveals:
# - Web server software and version
# - Server headers and banners
# - SSL/TLS configuration
# - Potential vulnerabilities# Database server version detection
nmap -sV -p 3306,5432,1433,1521 --script=mysql*,postgres*,mssql* db.server
# This reveals:
# - Database type and version
# - Authentication methods
# - Configuration details
# - Known vulnerabilities# Full service inventory of a server
nmap -sV -sC -O server.example.com
# Combines:
# -sV: Version detection
# -sC: Default scripts (more info)
# -O: OS detection
# Provides complete pictureCommon Web Servers and Security Implications:
Apache httpd:
- Look for: Version < 2.4.55 (security updates)
- Issues: Directory traversal, buffer overflows
- Example: Apache httpd 2.4.6 ((CentOS))
nginx:
- Look for: Version < 1.20.1 (security updates)
- Issues: Memory corruption, DoS vulnerabilities
- Example: nginx 1.18.0
Microsoft IIS:
- Look for: Version < 10.0 (older versions)
- Issues: Remote code execution, information disclosure
- Example: Microsoft IIS httpd 10.0SSH Server Examples:
OpenSSH:
- Versions: 7.4, 8.0, 8.4, etc.
- Look for: Version < 7.7 (security issues)
- Example: OpenSSH 7.4 (protocol 2.0)
Dropbear SSH:
- Common in: Embedded devices, routers
- Example: Dropbear sshd 2018.76 (protocol 2.0)Database Examples:
MySQL:
- Versions: 5.5, 5.6, 5.7, 8.0
- Look for: Version < 5.7.37 (security updates)
- Example: MySQL 5.5.68
PostgreSQL:
- Versions: 9.6, 10, 11, 12, 13, 14
- Example: PostgreSQL DB 13.4
Microsoft SQL Server:
- Versions: 2012, 2014, 2016, 2017, 2019
- Example: Microsoft SQL Server 2019- Known Vulnerabilities: Each version has specific security issues
- End-of-Life Software: Unsupported versions get no security updates
- Default Configurations: Certain versions have known weak defaults
- Exploit Availability: Public exploits exist for specific versions
Example: Apache httpd 2.4.49
- CVE-2021-41773: Path traversal vulnerability
- CVE-2021-42013: Path traversal (fixed in 2.4.51)
- Action: Update to 2.4.51 or later
Example: OpenSSH 7.2
- Multiple vulnerabilities fixed in 7.4
- Action: Update to current version# Task: Scan your local machine for service versions
nmap -sV 127.0.0.1
# Questions:
1. What services and versions did you find?
2. Are any services running outdated versions?
3. How long did version detection take vs regular scan?# Task: Analyze a web server (use your own or localhost)
nmap -sV -p 80,443 --script=http* 127.0.0.1
# Questions:
1. What web server software and version is running?
2. What additional information did scripts reveal?
3. Are there any security headers or configurations visible?# Task: Compare different intensity levels
# Quick scan:
nmap -sV --version-light 127.0.0.1
# Comprehensive scan:
nmap -sV --version-all 127.0.0.1
# Questions:
1. Did both methods find the same versions?
2. What additional information did --version-all provide?
3. Was the time difference significant?# Task: Research found versions for vulnerabilities
# For each version found in Exercise 1:
# 1. Note the software and version
# 2. Search online: "[software] [version] vulnerabilities"
# 3. Check: https://www.cvedetails.com/
# 4. Document any critical vulnerabilities found
# Example search:
# "Apache 2.4.6 vulnerabilities"
# "OpenSSH 7.4 security issues"# Skip version detection on certain ports
nmap -sV --exclude-ports 22,23 target
# Specify custom probe payloads
nmap -sV --version-trace target # See what's happening
# Force specific service detection
nmap -sV -p 80 --version-intensity 9 target# See version detection in action
nmap -sV -d target # Debug output
# Verbose version detection
nmap -sV -v target # More details
# Maximum verbosity
nmap -sV -vv -d target # See everythingUse --version-light (intensity 2) when:
- Scanning large networks
- Initial reconnaissance
- Need for speed over completeness
Use default (intensity 5) when:
- General security assessments
- Balanced approach needed
- Most common scenarios
Use --version-all (intensity 9) when:
- Critical systems assessment
- Need maximum accuracy
- Time is not a constraint
Recommended workflow:
# Step 1: Quick scan for open ports
nmap -F target
# Step 2: Version detection on found ports
nmap -sV -p [open-ports] target
# Step 3: Deep analysis on critical services
nmap -sV --version-all -p [critical-ports] target# Solutions:
# Increase intensity
nmap -sV --version-all target
# Use specific scripts
nmap -sV --script=[service-specific] target
# Manual verification
telnet target 80
GET / HTTP/1.0
# Check banners manually# Solutions:
# Reduce intensity
nmap -sV --version-light target
# Limit ports
nmap -sV -p 80,443,22 target
# Increase timeouts
nmap -sV --max-rtt-timeout 1000ms target
# Use parallel scanning
nmap -sV --min-parallelism 10 target# Solutions:
# Check if service is actually running
# Try different probes
nmap -sV --version-all target
# Submit to Nmap for improvement
# Report at: https://nmap.org/submit/- Only scan authorized systems
- Use information for defensive purposes
- Respect privacy and data protection
- Report vulnerabilities responsibly
- Help improve security, not exploit it
As a defender, use version detection to:
- Inventory your systems: Know what software you're running
- Identify vulnerable services: Find what needs updating
- Track software changes: Monitor for unauthorized changes
- Compliance checking: Verify software meets standards
- Patch management: Prioritize updates based on risk
Tomorrow (Day 09) will cover:
- Operating System Fingerprinting
- How Nmap detects operating systems
- Understanding OS detection results
- Practical OS identification exercises
- What was the most surprising service version you discovered?
- How does knowing specific versions change your security assessment?
- What challenges did you face with version detection?
- How can you use this information to improve security?
- Check Nmap version detection documentation:
man nmap - Use
-vflag for more detailed output - Practice on your own systems first
- Join Nmap community for support
🎉 Congratulations on completing Day 08! You've now moved from simply finding services to understanding exactly what software is running. This knowledge transforms you from a basic scanner to an informed security analyst.
"Knowing a door is open is one thing; knowing who built the door, when, and with what weaknesses - that's true reconnaissance."