How to perform a script and version scan
While performing penetration tests, reconnaissance is essential for informing the next steps of testing. Even though a basic Nmap scan reports the open ports and the service usually associated with each port, you will need to know the exact name and version of the service that is actually running to prepare further exploits or to gain further knowledge of the system.
The nmap-service-probes database contains the packets Nmap sends to probe specific services and the patterns it uses to analyze the responses received from them. From a match, Nmap reports the service protocol, the application name, the version number, the hostname, the device type, and the OS family. It also sometimes determines whether the service is open to connections or whether any default logins are available for the service. The following options control version detection:
- -sV (version detection): This flag enables version detection on the targeted host. The options below can be used in conjunction with it to adjust its behaviour.
- --allports: By default Nmap excludes a few ports from version detection because the service behind them acts on anything it receives (printer ports being the classic case). This option removes that exclusion and probes every open port.
- --version-intensity <intensity>: This sets how many probes are tried when determining the version. The value ranges from 0 to 9, the default being 7. The higher the value, the more probes are sent and the better the chance that the reported service version is accurate.
- --version-light: This uses a lighter set of probes (equivalent to intensity 2) to reduce the scan time.
- --version-all: This sets the probe intensity to 9, which makes the scan slower but gives the results the best chance of being accurate.
- --version-trace: This prints detailed debugging information about the version scan as it runs.
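How the probes database and the intensity options interact is easier to see in code. The following is an added example, not code from the Nmap project: a toy Python re-implementation of nmap-service-probes matching over a constructed three-probe excerpt (the regexes, rarities, and target replies are made up for illustration), showing which probes get sent at the --version-light, default, and --version-all intensities.

```python
import re
# Constructed excerpt in nmap-service-probes syntax (not copied from the real file).
PROBES_DB = r"""
Probe TCP NULL q||
rarity 1
match ssh m|^SSH-([\d.]+)-OpenSSH_([\w._-]+)| p/OpenSSH/ v/$2/ i/protocol $1/ o/Linux/
Probe TCP GetRequest q|GET / HTTP/1.0\r\n\r\n|
rarity 1
match http m|^HTTP/1\.[01] \d\d\d.*\r\nServer: nginx/([\d.]+)| p/nginx/ v/$1/
Probe TCP GenericLines q|\r\n\r\n|
rarity 8
match smtp m|^220 ([\w.-]+) ESMTP Postfix| p/Postfix smtpd/ h/$1/
"""
FIELDS = {"p": "product", "v": "version", "i": "info", "h": "hostname", "o": "os", "d": "devicetype"}

def parse_probes(text):
    """Parse Probe / rarity / match lines into a list of probe dicts."""
    probes, cur = [], None
    for line in text.splitlines():
        if line.startswith("Probe "):
            _, proto, name, _ = line.split(" ", 3)
            cur = {"proto": proto, "name": name, "rarity": 1, "matches": []}
            probes.append(cur)
        elif line.startswith("rarity "):
            cur["rarity"] = int(line.split()[1])
        elif line.startswith("match "):
            _, service, rest = line.split(" ", 2)
            end = rest.index(rest[1], 2)   # m|regex| may use any delimiter character
            info = dict(re.findall(r"([pvihod])/([^/]*)/", rest[end + 1:]))
            cur["matches"].append((service, re.compile(rest[2:end]), info))
    return probes

def identify(responses, intensity=7):
    """Simulated version detection: a probe is only 'sent' when rarity <= intensity.
    `responses` maps probe name -> the (constructed) reply the target would give."""
    for probe in parse_probes(PROBES_DB):
        if probe["rarity"] > intensity or probe["name"] not in responses:
            continue
        for service, rx, info in probe["matches"]:
            m = rx.search(responses[probe["name"]])
            if m:   # expand $1, $2 ... from the regex groups into the version fields
                expand = lambda s: re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), s)
                return {"service": service, "probe": probe["name"],
                        **{FIELDS[k]: expand(v) for k, v in info.items()}}
    return None

if __name__ == "__main__":
    smtp = {"GenericLines": "220 mail.example.test ESMTP Postfix\r\n"}
    print(identify({"NULL": "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n"}, 2))  # --version-light
    print(identify(smtp, 7))  # default intensity never sends the rarity-8 probe: None
    print(identify(smtp, 9))  # --version-all reaches it: Postfix smtpd on mail.example.test
```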