🛡️ Methodology Checklist
- Version detection: `nmap -sV [TARGET]`
- Intensity control: `nmap -sV --version-intensity 9 [TARGET]`
- Service scripts: `nmap -sV -sC [TARGET]`
- Banner grab for undetected services: `nc -nv [TARGET] [PORT]`
- Record software name, version, and any extra info fields
- Cross-reference all versions with searchsploit and NVD
🎯 Operational Context
Think Dumber First:
`-sV` at the default intensity (7) identifies most services. Raise it to 9 (`--version-intensity 9`, the same as `--version-all`) only for the specific ports that came back unidentified, and scope the scan to those ports with `-p`: the intensity applies to every port in the scan, and level 9 sends every probe in `nmap-service-probes`, so it is slow. For unknown services on high ports, connect manually with `nc -nv [TARGET] [PORT]`; if nothing arrives within a few seconds, send `GET / HTTP/1.0` followed by a blank line (`\r\n\r\n`), since many services answer that with a usable banner.
When you land here: open ports have already been identified from the full-port scan. Run targeted version detection: `nmap -p [OPEN_PORTS] -sV -sC -oA [OUTPUT]` (`-oA` also writes the `.gnmap` file, which is the easiest place to pull the open-port list from). Then run service-specific NSE scripts against the identified service types.
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| `sudo nmap [TARGET_IP] -p- -sV` | Scan all ports with version detection (slow on large port ranges; prefer the two-phase strategy below) |
| `sudo nmap [TARGET_IP] -p [PORT] -sV` | Version detection on a specific port |
| `sudo nmap [TARGET_IP] -p- -sV -vv --stats-every=5s` | Version scan with live progress and verbosity |
| `nc -nv [TARGET_IP] [PORT]` | Manual banner grab; shows the raw greeting, including fields Nmap's signature match may not report |
| `sudo tcpdump -i [INTERFACE] host [TARGET_IP] and port [PORT]` | Capture the banner exchange at packet level (the host/port filter keeps the capture readable) |
🔬 Deep Dive & Workflow
Goal
Map each open port to an exact application name and version number. Precise versions are what let you map a service to specific CVEs and exploits. Record the distribution as well (e.g., Apache 2.4.29 on Ubuntu vs. CentOS): distributions backport security fixes without changing the upstream version string, so the same number can carry different patches on different platforms, and a bare version can over- or under-state exposure. Confirm against the distribution's advisories before reporting a CVE as present.
How Banner Grabbing Works
- The TCP 3-way handshake completes (SYN → SYN-ACK → ACK).
- The service sends its greeting in a segment with the PSH flag set (push: the receiving stack hands the data to the application immediately instead of buffering it).
- Nmap reads that greeting; if none arrives, it sends service-specific probes from its `nmap-service-probes` database and matches the replies against known signatures.
Manual vs Nmap
Nmap does not print the raw greeting; it reports the fields its signature match extracted, so detail that the signature does not capture is dropped. A manual `nc` connection shows the whole string, which on Debian/Ubuntu builds often includes the distribution:
220 inlane ESMTP Postfix (Ubuntu)
If you want that raw exchange from the scan itself, `--version-trace` makes Nmap print the probes it sent and the responses it received.
Packet Flow During Banner Grab
- Handshake: SYN → SYN-ACK → ACK
- Banner: target sends PSH, ACK carrying the text string (e.g., "Postfix")
- Acknowledge: attacker sends ACK
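The manual grab described above (wait for the service to speak first, otherwise send an HTTP GET, then read the whole greeting rather than only the fields a signature extracts), and the "service shows unknown" fix in the troubleshooting table, as an added example that is not part of the original page or of Nmap/netcat: a small Python grabber with a fallback probe, plus a parser that pulls product, version and distribution out of common greeting shapes. The banner strings in `SAMPLE_BANNERS` are constructed for the example, not captured traffic; the regexes cover only the SMTP, SSH, vsFTPd and HTTP `Server:` shapes shown and return an empty dict for anything else, which is the case to keep for manual review.

```python
"""Manual banner grab: wait for a greeting, fall back to an HTTP probe, then pull
product / version / distribution out of the raw text. Added example; the
banner strings below are constructed, not captured from any real host."""
import re
import socket
import sys

HTTP_PROBE = b"GET / HTTP/1.0\r\nHost: %s\r\n\r\n"


def _read_until_quiet(sock: socket.socket, first_wait: float, quiet: float = 1.0,
                      limit: int = 4096) -> bytes:
    """Read until the peer is silent for `quiet` seconds, closes, or `limit` is hit.
    The first recv waits `first_wait` seconds so slow greeters still get a chance."""
    buf = b""
    sock.settimeout(first_wait)
    try:
        while len(buf) < limit:
            chunk = sock.recv(1024)
            if not chunk:
                break
            buf += chunk
            sock.settimeout(quiet)
    except socket.timeout:
        pass
    return buf


def grab_banner(host: str, port: int, timeout: float = 5.0) -> str:
    """Equivalent of `nc -nv host port`: if the service speaks first (SMTP, SSH, FTP)
    return that greeting; otherwise send an HTTP GET and return whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        data = _read_until_quiet(sock, first_wait=timeout)
        if not data:
            sock.sendall(HTTP_PROBE % host.encode())
            data = _read_until_quiet(sock, first_wait=timeout)
    return data.decode("utf-8", errors="replace")


# Greeting / header shapes seen on common services. The parenthesised trailer
# is where Debian/Ubuntu builds usually announce the distribution.
BANNER_PATTERNS = [
    # "220 inlane ESMTP Postfix (Ubuntu)"  /  "220 mx ESMTP Exim 4.94.2"
    re.compile(r"^220 \S+ E?SMTP (?P<product>[A-Za-z-]+)"
               r"(?: (?P<version>[\d.]+\S*))?(?: \((?P<distro>[^)]+)\))?"),
    # "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5"
    re.compile(r"^SSH-\d\.\d-(?P<product>[A-Za-z]+)_(?P<version>[\d.]+\S*)"
               r"(?: (?P<distro>\S+))?"),
    # "220 (vsFTPd 3.0.3)"
    re.compile(r"^220 \((?P<product>[A-Za-z]+) (?P<version>[\d.]+\S*)\)"),
    # HTTP "Server: Apache/2.4.29 (Ubuntu)"  /  suppressed "Server: Apache"
    re.compile(r"^Server: (?P<product>[A-Za-z-]+)(?:/(?P<version>[\d.]+\S*))?"
               r"(?: \((?P<distro>[^)]+)\))?", re.M),
]


def parse_banner(text: str) -> dict:
    """Return {'product', 'version', 'distro'} (missing fields are None), or an
    empty dict when no known greeting shape matched: that is the 'unknown'
    case, and the raw text should be kept and reviewed by hand."""
    for pat in BANNER_PATTERNS:
        m = pat.search(text)
        if m:
            gd = m.groupdict()
            return {k: gd.get(k) for k in ("product", "version", "distro")}
    return {}


# Constructed sample responses (not captured traffic) covering the shapes above.
SAMPLE_BANNERS = {
    "smtp": "220 inlane ESMTP Postfix (Ubuntu)\r\n",
    "ssh": "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5\r\n",
    "ftp": "220 (vsFTPd 3.0.3)\r\n",
    "http": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.29 (Ubuntu)\r\nContent-Type: text/html\r\n\r\n",
    "http-prod": "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n",   # ServerTokens Prod
}

if __name__ == "__main__":
    if len(sys.argv) == 3:                       # live: python3 banner.py HOST PORT
        raw = grab_banner(sys.argv[1], int(sys.argv[2]))
        print(raw.rstrip())
        print(parse_banner(raw) or "no known greeting shape; review the raw text above")
    else:                                        # offline: walk the constructed samples
        for name, raw in SAMPLE_BANNERS.items():
            print(f"{name:10s} {parse_banner(raw)}")
```

Run it with a host and port to grab live, or with no arguments to see the parser on the constructed samples. The `http-prod` sample is the suppressed-version case from the troubleshooting table: the parser returns the product with `version` as `None`, which is the signal to go after headers and error pages manually rather than to record "Apache" as identified.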
Scanning Strategy (Noise Reduction)
- Quick scan on common ports first
- Full `-p-` scan in the background
- Run `-sV` only against confirmed open ports
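The two-phase strategy above (discover with `-p- --min-rate 5000`, then `-sV -sC` only on the ports that came back open; the same fix the troubleshooting table gives for slow version scans), as an added example that is not part of the original page or of Nmap: a Python wrapper that runs the sweep, reads the open ports from the `.gnmap` file that `-oA` writes, and launches the targeted scan. `SAMPLE_GNMAP` is constructed to show the greppable format; the target address and output prefix are placeholders, and the sweep needs root for a SYN scan.

```python
"""Two-phase service enumeration: full-port sweep first, then -sV -sC only on
ports confirmed open. Added example; the .gnmap text below is constructed."""
import re
import subprocess
import sys
from pathlib import Path

# Constructed greppable-output sample (nmap -oA writes <prefix>.gnmap). Only
# the "Ports:" line matters; a filtered port and the closed-port count are
# deliberately present so the parser is shown ignoring them.
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated as: nmap -p- --min-rate 5000 -oA allports 10.10.10.5\n"
    "Host: 10.10.10.5 ()\tStatus: Up\n"
    "Host: 10.10.10.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "443/filtered/tcp//https///, 8080/open/tcp//http-proxy///\t"
    "Ignored State: closed (65531)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned in 12.34 seconds\n"
)

# <port>/<state>/<proto>/...  "open|filtered" does not match "/open/" and is skipped.
PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)")


def open_ports(gnmap_text: str, proto: str = "tcp") -> list[int]:
    """Sorted, de-duplicated ports reported as open for `proto` in .gnmap output."""
    return sorted({int(p) for p, pr in PORT_RE.findall(gnmap_text) if pr == proto})


def sweep_cmd(target: str, out_prefix: str) -> list[str]:
    """Phase 1: every TCP port, no version probes, fast rate (the page's own flags)."""
    return ["nmap", "-p-", "--min-rate", "5000", "-oA", out_prefix, target]


def service_cmd(target: str, ports: list[int], out_prefix: str) -> list[str]:
    """Phase 2: version detection and default scripts, scoped to the open ports."""
    if not ports:
        raise ValueError("no open ports: nothing to version-scan")
    return ["nmap", "-p", ",".join(map(str, ports)), "-sV", "-sC", "-oA", out_prefix, target]


def two_phase(target: str, out_prefix: str) -> list[int]:
    """Run both phases and return the open-port list so the caller can chain
    service-specific NSE scripts afterwards. Run as root for a SYN sweep."""
    sweep_prefix = f"{out_prefix}_allports"
    subprocess.run(sweep_cmd(target, sweep_prefix), check=True)
    ports = open_ports(Path(f"{sweep_prefix}.gnmap").read_text())
    if ports:
        subprocess.run(service_cmd(target, ports, f"{out_prefix}_services"), check=True)
    return ports


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: two_phase.py <target> <output-prefix>")
    found = two_phase(sys.argv[1], sys.argv[2])
    print("open ports:", ",".join(map(str, found)) or "none")
```

The parser only counts `/open/` entries, so `filtered` and `open|filtered` ports never reach the `-sV` phase; if you want them probed, add them to the port list deliberately rather than widening the regex.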
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| Service shows 'unknown' despite being active | Response matches no signature in `nmap-service-probes` | Probe manually: `nc -nv [TARGET] [PORT]`; send `\r\n` or `GET / HTTP/1.0\r\n\r\n` and inspect the raw response; keep the raw bytes in your notes |
| `-sV` identifies the wrong service type | Service using protocol mimicry or wrapping | Capture the response with Wireshark or tcpdump; check the actual protocol bytes; the service may be tunneled over HTTP/S |
| Version detection takes very long on many ports | High-intensity probes running against every port | Run two phases: `nmap -p- --min-rate 5000 -oA [OUTPUT]` first, then `nmap -p [OPEN_PORTS] -sV -sC` against only the open ports |
| HTTPS service identified as HTTP | Port-name guess from `nmap-services` only (no `-sV`), or the TLS layer not probed | Run `-sV` (Nmap reports TLS-wrapped services as `ssl/http`) and add `--script ssl-cert,ssl-enum-ciphers`; confirm with `curl -k https://[TARGET]:[PORT]` or `openssl s_client -connect [TARGET]:[PORT]` |
| Version string returns partial info ('Apache httpd' without version) | Server configured to suppress the version (e.g., Apache `ServerTokens Prod`) | Run `--script http-server-header,http-headers`; check headers manually with `curl -I`; request a missing page, since default error pages can still leak the version unless `ServerSignature` is also off |
📝 Reporting Trigger
Finding Title: (Service version data enables CVE mapping — document exact version strings for every service. Services running end-of-life versions are separate High/Critical findings. Unidentified services should be investigated further and noted in methodology.)