Service and Application Version Detection Part 1 - NM

00:00

Welcome to the end map lesson on service and application version detection.

00:04

The main point of this lesson is to show you both why service and application version detection is important

00:10

and how to use and map to accomplish it.

00:13

There's really only one command line switch that provides this specific capability in and map, but understanding when and how to use it effectively is critical.

00:23

I hope this lesson puts it all into context for you.

00:27

Here are the learning objectives for this lesson.

00:29

First, we'll talk about what service in application version detection is.

00:33

Second will discuss why it is both relevant and important.

00:37

Third, we'll talk about when and how to use it, including the most important command line options You need to know.

00:43

Then I'll provide a couple other command line options that are available,

00:47

and we'll finish up this lesson with a lab on service and application version detection. Let's get started.

00:54

So what is service in application version detection in and map?

00:58

Ultimately, the goal of this phase in an unmapped scan, is to determine what service is and applications air running on target hosts,

01:04

additionally, and Map will attempt to determine the version of those service's and applications. It does this by analyzing responses from port scans. Been taking it a step further by interrogating those ports to determine the service or application running on those ports.

01:21

This is similar to but far more sophisticated and accurate than typical banner grabbing techniques.

01:26

The way in map does. This is by comparing responses to port scans to its built in and map service probes database. It essentially queries its database in order to match expressions from responses

01:38

and map. Tries to determine service protocol, application name, version number, host, name, device type and the O s family.

01:46

More advanced operating system Discovery will be performed in the next phase of scanning and discussed in the next lesson.

01:53

Sometimes network admin, DS and or software companies will run APS, and service is on non standard boards, and map can uncover this. In many cases,

02:01

the map also makes use of N. I s Tease common platform in new Marais, Shin or CPD database in order to report in a standardized way a common representation of service and applications and their versions.

02:15

The n i s t defined C P. E. S as

02:19

a structured naming scheme for information technology systems, software and packages. It goes on to say that the CP includes a formal name format, a method for checking names against the system and a description for binding text and tests to a name.

02:36

If you want to read more about their common platform enumeration system, please take a look at the reference on the bullet point of this slide.

02:43

Or if you want to read about the details of any maps, service an application version detection navigate to the earl at the bottom of the slide.

02:52

The next question you may be interested in answering is why is this relevant and important? Well for network administrators and maps, service and application version detection is a quick and easy way to take an inventory of service. Is an application versions running on hosts? This can help with licensing compliance and vulnerability analysis

03:12

for penetration testers.

03:14

Versions of service is, and applications can lead to a successful exploitation, including a breach or denial of service attack if that's allowed in their statement of work and or contract.

03:24

Additionally, performing this type of scan can help in the improvement of in map

03:30

well running these types of scans and end map, We sometimes may get responses from a service that is not match successfully. In those cases, a special fingerprint and u. R L is provided for us to submit details if we're certain about what is running on that port,

03:45

the graphic on this slide isn't intended to be your guide for a successful ethical hacker penetration test. I simply wanted to give you a visual ization of the normal progression of in mount scanning based on what we've gone through so far.

03:58

The main point is that normally you want to perform service an application version detection after identifying interesting targets and scanning their boards.

04:06

Once you found open or open filtered ports through TCP and UDP scans,

04:12

you can use version detection to figure out

04:15

what is running on those ports.

04:16

For those of you familiar with the concept of better grabbing this feature of and map extends your capabilities.

04:24

The basic command for running version detection against the target is unmapped space, Dash s Capital V and then the target.

04:32

Though the scan is effective at gathering service and application versions, it's pretty slow and somewhat noisy,

04:38

like we've covered a lot throughout this course. This basic syntax will run an enemy up since can against 1000 ports and try to determine service in application details based on what is found to be open.

04:50

But because it is only performing a sin scan, it is only probing TCP ports and not UDP.

04:58

And because there are a lot of critical absent service is that use UDP? You had missed that information with the basic Dash s Capital V scan.

05:06

So a better command structure would take into account all the other stuff we've covered so far and would follow the following general structure

05:15

Uh, n map space scan technique

05:17

space, the ports space s capital V

05:23

space, the target. An example would be and map space.

05:28

Dash s Capital s space Dash s Capitol, You

05:32

space dash P Space Capital T colon 21 comma, 25 comma 80 comma 33 89 comma capital. You

05:43

colon 53 comma 88 comma 1 23 space

05:48

Dash s Capital V. And then the target.

05:51

This example would tighten up the scan considerably, which makes it less detectable and also much faster.

05:59

As you can see, we're doing a TCBY scan using TCP ports 2125 80 and 33 89 along with the UDP scan of Ports 88 1 23

06:12

Then we're feeding that into the version detection engine with a Dash S Capital V command line switch followed by the target.

06:18

We'll go through these and other examples in the lab.

06:24

Here are some other command line options that are available to you Inversion detection

06:29

dash, dash version, dash intensity, space level

06:32

lower levels are effective against many common service's, and higher levels are useful against less. Common service is the trade off is one of noisy nous in time. The higher the intensity, the noise er noisier and longer the scan will take.

06:46

The default is seven, which is an excellent balance. For the most part, you'll probably not have to alter version intensity too much.

06:54

Dash dash version. Dash light enables light mode. This is shorthand for dash dash version. Dash intensity space, too,

07:02

which is fast and may produce the results you're looking for.

07:06

Dash Dash version does all will try every single probe and a shorthand for dash dash version, dash intensity, space nine

07:15

dash dash version, dust trace will trace version scan activity. It tells unmapped to display extensive debugging information while it's doing its version detection. Scanning

07:29

now on to the lab

07:30

in this lab will run through the steps mentioned in an earlier slide.

07:33

First, we'll do a host Discovery scan.

07:35

Then we'll do a port scan. And finally, we'll do some simple and more targeted service and application version detection scans. Let's do it.

07:45

Welcome to the end Map service. An application version detection lab

07:48

in this lab will run through. A couple of scans were performed in the past. I'm just doing that to demonstrate the normal flow of scans that you might perform on a network.

07:57

I'll try to run through these fairly quickly, since you've seen some of them already and will cut the video where the scans take a while.

08:03

But I'll point out the amount of time certain scans take so that you can see why targeted scans are much better than simple scans.

08:13

All right, so first we're gonna start with Pink Sweep, which is a type of host. Discovery scan will do it in Mt. Dash s n

08:28

as you see him in the past, the skin goes really fast. That's why I like it. And it's scanning an entire sub net.

08:33

All right, so what I'm interested in and we've targeted this machine in the past

08:39

and that iss this del

08:41

server, that is, at 1921681.10.

08:46

So I'll clear the screen.

08:50

And the first thing I want to do now is do a fast TCP and UDP port scan of that server so we'll do it and map Dash s Capital s for the TCP SYN scan

09:03

Dash s Capitol. You for the UDP scan dash capital F to make it a fast scan which scans only 100 of the most common ports.

09:20

Okay, there you have the results.

09:24

And the only reason it really took that long was mostly because I added the dash s Capitol you for the UDP scan. But as I mentioned in the lesson, you DP ports are really important to scan for

09:35

when do inversion detection?

09:39

So

09:41

there we have all the ports. Okay, so we're gonna refer back to this in a minute,

09:45

so I'm not gonna clear the screen,

09:48

but what I want to do first

09:50

and that is the main command for the service and application version detection, that is, and map Dash s capital V of that server.

10:03

I am gonna groups.

10:07

I got the wrong I p address.

10:13

I'm gonna cut the video on this one because it takes a really long time. And it's important to mention

10:20

there's issues with just doing a simple version detection like this. The problem is that it doesn't scan you DP ports.

10:28

Instead, it scans of 1000 TCP ports.

10:31

So it is slow and it doesn't really catch everything.

10:45

Okay, so there you have your results. You can see it took 143.8 seconds.

10:50

Um,

10:52

it's there's some service fingerprints that we can submit to the end map website.

11:00

The main thing I want to show you here is

11:05

a version detection scan adds this column called version,

11:09

and underneath it is What in map has determined is the version of the service is running on these various open ports.

11:18

So that's really, really cool information.

11:22

Um,

11:24

and the other thing I want to point out is, if you notice on the Port column, you can see that every one of these is TCP

11:31

And so even though this is great information, it's gonna miss UDP port. So doing just a regular dash s Capital V,

11:39

um, is gonna miss some critical information about service is that you're gonna be interested in.

11:45

So we'll refer back to

11:48

this last scan that we did up here, which was a fast TCP and UDP scan. And you can see these three you dp ports along with all of these TCP ports. And I've made note of, um and

12:01

I'm going to do a scan that includes both TCP and you critical TCP and UDP ports,