Customizing Version Detection with Probes in Nmap

Introduction

Nmap (Network Mapper) is one of the most powerful tools for network scanning, reconnaissance, and security auditing. Among its many features, Nmap’s version detection capabilities allow security professionals to identify running services and their versions on a given target. By default, Nmap uses a comprehensive set of predefined probes to detect services. However, in certain cases, the default probes may not be sufficient, requiring customization for more accurate detection.

This article explores how to customize version detection in Nmap using probes, providing insights into how they work, how to modify them, and best practices for achieving accurate results.

Understanding Nmap’s Version Detection

Nmap’s version detection works by sending various probes to open ports and analyzing the responses to determine the software and version running on the target. The -sV option enables version scanning, and Nmap compares the responses against a vast database of known signatures stored in the nmap-service-probes file.

How Nmap’s Version Detection Works

1. Initial Service Fingerprinting: Nmap first performs a basic scan to detect open ports.
2. Sending Probes: It sends specific probes tailored for known services, such as HTTP, FTP, or SSH.
3. Analyzing Responses: The tool compares responses to a database of known service signatures.
4. Matching and Reporting: If a match is found, it reports the service name and version; otherwise, it may provide a generic identification or list it as unknown.

While the default version detection is robust, certain scenarios require customization to improve accuracy or detect obscure or new services.

Customizing Version Detection with Probes

Understanding the nmap-service-probes File

Nmap stores its service detection rules in the nmap-service-probes file, usually found in /usr/share/nmap/ (Linux) or C:\Program Files (x86)\Nmap\ (Windows). This file contains predefined probes and their expected responses.

Key components of nmap-service-probes:

• Probe Lines: Define the type of probe and data sent (e.g., Probe TCP GET / for HTTP services).
• Match Lines: Define patterns in responses to identify services (e.g., match http m|HTTP/1\..*Apache| p/Apache httpd/).
• Softmatch Lines: Provide partial matches when exact identification isn’t possible.
• Ports Lines: Specify which ports the probe should target.

Adding a Custom Probe

To create a custom probe, follow these steps:

1. Locate the nmap-service-probes file:

   sudo nano /usr/share/nmap/nmap-service-probes
   

2. Define a New Probe:
   Add a new probe definition at the end of the file. Example:

   Probe TCP MyCustomProbe q|
   CUSTOM_COMMAND_HERE
   |
   

   • TCP indicates the protocol (can be UDP, SSL, etc.).
   • MyCustomProbe is the name of the probe.
   • q|...| defines the query sent to the service.

3. Create a Match Rule:

   match myservice m|CUSTOM_RESPONSE_PATTERN| p/My Custom Service/ v/1.0/
   

   • match myservice specifies the service name.
   • m|...| defines the expected response pattern.
   • p/.../ provides the service name.
   • v/.../ specifies the version number.

4. Save and Exit the File.

5. Test the Custom Probe:
   Run an Nmap scan with version detection enabled:

   sudo nmap -sV --version-trace -p <port> <target>
   

   • The --version-trace option provides detailed debugging output.

Advanced Techniques

Using Softmatches

Softmatches provide partial matches when a full signature isn’t available. This helps categorize unknown services while still providing useful information.

Example:

softmatch myservice m|CUSTOM_PARTIAL_RESPONSE_PATTERN|

Customizing Ports for Probes

To restrict probes to specific ports, use the Ports directive:

Probe TCP MyCustomProbe q|CUSTOM_COMMAND_HERE|
Ports 8080,8443

This ensures that the probe is sent only to ports 8080 and 8443.

Ignoring False Positives

If a service incorrectly matches a probe, you can add an exclude directive:

exclude "Some incorrect service pattern"

This prevents mismatched results from appearing.

Practical Use Cases

Detecting Custom Web Applications

If you’re scanning a network with custom web applications running on non-standard ports, modifying probes can help identify them accurately. Example:

Probe TCP WebAppProbe q|GET /custom_endpoint HTTP/1.1\r\nHost: example.com\r\n\r\n|
match webapp m|Custom WebApp v(\d+\.\d+)| p/Custom Web Application/ v/$1/

Identifying Proprietary Services

Organizations running proprietary software can create unique probes for internal network monitoring, ensuring accurate identification of their own services.

Best Practices for Custom Version Detection

• Backup Before Modifying: Always create a backup of nmap-service-probes before making changes.
• Use --version-trace for Debugging: This helps diagnose issues with custom probes.
• Keep Patterns Precise: Avoid overly broad patterns to prevent false positives.
• Regularly Update Probes: As services evolve, periodically update custom probes to maintain accuracy.
• Test on a Controlled Environment: Before using custom probes in a production environment, test them in a controlled setup.

Conclusion

Customizing Nmap’s version detection with probes enhances its ability to identify obscure, proprietary, or non-standard services. By modifying the nmap-service-probes file, users can tailor scans for improved accuracy, enabling better security auditing and network reconnaissance.

Whether you need to detect an internal application, improve the accuracy of service identification, or create a unique fingerprint for a proprietary service, custom probes offer a flexible and powerful solution. By following best practices and testing rigorously, you can fine-tune Nmap to meet your specific version detection needs.