NMAP Finding Services with Versions

Jarret B

Well-Known Member
Staff member
May 22, 2017
Reaction score
Knowing the systems on a network and what Operating System (OS) they are running may not be enough for an Administrator to know. You can scan systems on a network and determine what Services and versions of a Service are running. It may be important to be able to see and know what a hacker can learn about your systems.

Probes Database

NMAP has a database which is installed when you install NMAP. The database is used when performing a service probe, but it is not automatically updated.

The database is located at ‘/usr/share/nmap/nmap-service-probes’. The easiest way to manage an update is first to look at the database version number. Open the file in a text editor and the version number is usually listed on the second line. The second line of my database is ‘# $Id: nmap-service-probes 35414 2015-11-10 16:58:39Z dmiller $’. The database version for this file is 35414.

To look on the Internet for an updated version go to ‘https://svn.nmap.org/nmap/’ as shown in Figure 1.

Figure 01.jpg


Here you can see that the version number is 36736. This seems like quite an update compared to what is currently on my system. The database definitely needs to be updated for proper OS Detection of newer systems. Remember that even small changes in the version number can be major updates. Any change can be an important one.

It may be a good idea to keep the older database version. Since my current version is 35414 I will perform the following command in a Terminal:

sudo mv /usr/share/nmap/nmap-service-probes /usr/share/nmap/nmap-service-probes-35414

The database is ‘moved’ or ‘renamed’ to include the version number. The next step is to download the new version from the website. Perform the following commands in a Terminal from the folder ‘usr/share/nmap/’:

cd /usr/share/nmap
sudo su

The new database should be downloaded and ready to go, but you should add the version number. As you saw in Figure 1 the version number is 36736. Use a text editor to open the database and on the second line add the version number. By adding the version number it will be easier to check later if the version number has changed. When the version number has changed you can update the database and add the version number so you are prepared when checking for updates again.

Service Probes Process

The first thing NMAP does when performing a Service Probe is to find all open Ports on the Target System. It is imperative to know what Ports are opened. For instance, certain services may only use specific Ports. A Web Server will typically use Port 80 and NMAP can exploit this fact.

The SYN Scan is used to detect open Ports and you must have ROOT privileges to run a SYN Scan.

If you recall, the SYN Scan perform the following steps:
  1. Source System sends a SYN request to the Target but a Port number is added to the request.
  2. The Target System will respond with a SYN/ ACK (Sync/Acknowledgement) to the Source if the specified Port is open.
  3. The Source System responds with a RST (Reset) to the Target to close the connection.
  4. The Target System can respond with a RST/ACK (Reset/Acknowledgement) to the Source System.
The connection was started to be established so this is considered a half-open connection. The connection state is being managed by NMAP so this is why you need Root privileges.

If the Port being scanned is closed the following will occur:
  1. Source System sends a SYN request to the Target and a Port number is added to the request.
  2. The Target responds with a RST (Reset) since the Port is closed.
If the Target System is behind a Firewall then the ICMP transmission or responses will be blocked by the Firewall and the following happens:
  1. Source System sends a SYN request to the Target and the Port number is added to the request.
  2. No response is received since it was Filtered by the Firewall.
In this case the port is listed as Filtered and the Port may or may not be open. The Firewall may be set to stop all outgoing packets on the specified Port. The Firewall may block all incoming packets to a specified Port and so the Target System does not receive the request.

Through these procedures, NMAP will determine opened Ports and know which Ports to exploit. If a System has no open Ports then NMAP will not continue the Service Probe.

The Service Probe process is made up of multi-stage techniques to get a response. The Response is checked against the ‘nmap-service-probes’ list to determine a version of the Service. The response list needs to be up-to-date to get correct version numbers.

The Probe being performed is as follows:
  1. Source System sends an HTTP GET request to the Target on the specified Port.
  2. Target System will respond with HTTP Data.
  3. The Source system will then respond with an acknowledgement (ACK).
  4. The Target System sends the rest of the HTTP Data.
  5. The Source System will respond with an acknowledgement and finish (ACK/FIN).
  6. The Target System sends an acknowledgement (ACK) to close the connection.
The responses of the Target System is captured by NMAP and used to find a match in the Service Probes Database.

Service Probes Database

In the database is a line which shows a test for the Service ‘vftpd’. The line is as follows:

match ftp m|^(?:220-.*\r\n)?220 .*\r\n530 Please login with USER and PASS\.\r\n|s p/vsftpd/ v/2.0.8 or later/ cpe:/a:vsftpd:vsftpd/

The line is what is being sought for when a Port is queried. When a match is found then NMAP knows which Service and version number is most likely the one on the Target system.


To perform the Service Probe you need to open a Terminal and perform the following command:

sudo nmap -sV -Pn

Here, the Target system has an IP Address of ‘’ and this should be changed to the IP Address of the system you are probing.

A sample probe is shown in Figure 2.

Figure 02.jpg


The results show that the Ports 21, 22, 111, 139, 445 and 2049 are opened. NMAP found the following services on these Ports:
  • 21 - vsftpd 2.0.8 or later
  • 22 - OpenSSH 7.3p1 Ubuntu 1ubuntu0.1 (Ubuntu Linux; protocol 2.0)
  • 111 - 2-4 (RPC #100000)
  • 139 - Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
  • 445 - Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
  • 2049 - 2-4 (RPC #100003)
If we were to look at a network scan from Wireshark we could see what is going on between the two systems.

Initially the Ports are scanned on the Target System to find the opened Ports. If you look at Figure 3 you can see that the highlighted line (2086) is the end of the Port Scan. The end of the Port Scan can be noticed since a full 6 seconds elapse after the Port Scans before the Service Probe starts. The ‘Time’ column shows a jump from 22 to 28 seconds.

Figure 03.jpg


Starting at line 2197 to 2201 show the response of an ACK which is Step 3 in the Probe. Responses given to the requests are matched to the Service Probe Database. As you can see in Line 2242 there is a response from the Target System which is ‘Please login with USER and PASS’ as noted above in the example from the Service Probe Database.

Figure 04.jpg


Try the Service Probe out on various systems and determine how accurate the Service Probe can be when used on your network. Make sure you update the Database before you perform the scan.