Service Identification | Banner Grabbing
In this post we are going to see that how we can identify services, so let's start and follow these steps to know about the services running on a host, or for banner grabbing.
Step 1: Manual Service Identification: Telnet
Service Identification is usually perform for the purpose of validating what we find with less intrusive techniques, such as the port scanning we have already done. For example, Nmap has already told us which ports it was able to determine were opened. We can also use Nmap to help us validate those services. But let’s take a look at how to do it manually first. This technique is typically called banner grabbing. We know that our server is running Apache. Let’s look at one way we can figure this out if we didn’t already know it. Enter the following command:
telnet skillsetlocal.com 80
Step 2: Manual Service Identification: Telnet
Now that you're running Telnet, let's grab that banner with the below command (you may have to hit enter twice):
HEAD / HTTP/1.0
We can now see what's running over port 80. If for any reason this iisn't working and you need to close Telnet, you can do so by typing "close". If Telnet is still open once this step is checked off, you may also type "close".
Step 3: Service Identification with nmap: Port 80
By now you should be relatively comfortable with basic Nmap syntax. Let's use it for service identification. Enter the following command to perform service identification on port 80 against your host machine:
nmap -sV -p80 skillsetlocal.com
As you can see, we have an open port with an instance of Apache server running and the version it is on.
Step 4: Service Identification with nmap: Port 3306
Now let's try the same for port 3306....
nmap -sV -p3306 skillsetlocal.com
We can see that this port is used for MySQL.
Pretty neat, huh? This is a great way to get the status of a port and/or the services running on it.
Step 5: Service Identification with nmap: All ports
Let's take a look at all ports this time to see what's open and running. We can do so by using the same command as before, but this time without the port number addition.
nmap -sV skillsetlocal.com
As you can see, we have a lot going on.
Step 6: Service Identification through Packet Analysis
Let's take a break from the terminal for a minute.
To better understand the process of OS fingerprinting, you should test your skills at manual passive fingerprinting. In real life, this is performed by analyzing sniffer traces. Since we've already reviewed packets in a previous lab, we'll just take a look at some information/images. Due to the fact that protocol stack implementations differ, we can notice many things just by passively examining traffic or a sniffer log. The Honeynet Project noted some areas that could be examined for signatures. Here is what they had to say on the topic:
There are four TCP areas that we will look at to determine the operating system (however there are other signatures that can be used). By analyzing these factors of a packet, you may be able to determine the remote operating system. These signatures are:
Window Size - What the operating system sets the Window Size at
DF - Does the operating system set the Don't Fragment bit
TOS - Does the operating system set the Type of Service, and if so, at what
TTL - What the operating system sets the Time To Live on the outbound packet .
Using the chart shown above, make a best guess as to what type of OS created this packet. Hint: convert hex values (such as Win:) to decimal to look up your answer. You can use any online hex converter or you can convert them by using the following command, replacing the hex number with the one you'd like to convert:
07/20-21:14:13.129662 188.8.131.52:659 -> 184.108.40.206:53 TCP TTL:45 TOS:0x0 ID:56257 *FA* Seq: 0x9DD90553 Ack: 0xE3C65D7 Win: 0x7D78
What OS created this packet?
07/24-16:57:02.530000 220.127.116.11:23 -> 18.104.22.168:2412 TCP TTL:118 TOS:0x0 ID:53311 IpLen:20 DgmLen:53 DF AP Seq: 0x695B2295 Ack: 0x15807E7A Win: 0x4268
While this is a tedious exercise, it is very valuable in teaching one to recognize certain values as it is related to certain operating systems. Now let’s look at some of Nmap’s more advanced features.
Step 7: Nmap Scripting Engine (NSE): SNMP Script
For the last few years, Nmap has included NSE. It is the next generation of automation within the Nmap tool. We spend a good bit of time with NSE in the actual Advanced Ethical Hacking class, but we want to introduce you to it here. Let’s dive right in and take a look at how powerful it can be. Enter the following command on a single line:
sudo nmap -sC -sU -p161 skillsetlocal.com --script=snmp-sysdescr --script-args snmpcommunity=secret
Pretty powerful for a port scanner right? Here’s what we just did:
sC invokes NSE so that the scripts are available (it loads default scripts).
The --script=snmp-sysdescr tells Nmap to use the SNMP system description enumeration script.
The --script-args allows us to input required arguments such as the SNMP community string we entered, which we discovered in earlier SNMP labs to be the word “secret”.
So basically, once we have the community string, we could really do all of the SNMP lab with just Nmap! Additionally, it does have to ability to crack community strings, web authentication passwords, telnet passwords, FTP passwords and many more. NSE certainly takes Nmap to a new level! Believe it or not, you can even create your own! NSE scripts are written using a language called Lua. Even the canned default scripts are pretty good.
Step 8: Nmap Scripting Engine (NSE): All Scripts
Let’s run all the scripts against our local machine this time. The output is going to be pretty significant, so let's pipe it to more:
nmap -sC skillsetlocal.com | more
If you have some extra time, go ahead and do host discovery (just like we've done in past posts) and try port scanning other hosts on the network. That sort of scan will take a considerable amount of time, but will give you a wealth of information. You can also pipe in more to be able to work through the information slowly instead of watching it whizz by.
NSE is definitely something you should spend a few weeks mastering. It can cut your recon time in half if used properly!
Also Read: Advance scanning with Nmap