CAVEAT: This post is a few years old, its been sitting in my draft folder since 2021.
Introduction
In this post, I'm going to describe a tool that I created which can be used to analyse and react to TCP data sent by NMAP scan probes. The analysis of NMAP scan probes can be used to answer questions like "What does an NMAP scan look like on the TCP stack?" or "How can I identify NMAP scans on my network?". Also let me add that this is not "new" research, analysing NMAP and its probes has been done many times before. I'm a fan of reinventing the wheel for my own amusement which generally helps me understand things better and of course, it's been a while since I've seen any new NMAP deep-dives. Enjoy :)
The analysis of the NMAP probes can be used as a detection canary that can be used by blue-teamers to identify if an actor is running NMAP scans on their network infrastructure. Additionally, the analysis of NMAP probes can be used by red-teamers to understand how their tools behave and "look on the wire".
Okay that was a lot for an introduction so let's break the tool down and see what it does.
TCP Socket Handling
First and foremost, this tool is essentially a multi-threaded TCP socket server. This functionality is used by the tool so that NMAP scans can be directed at the tool and the operator of the tool can observe the behaviour of the TCP socket connections made by NMAP. NMAP makes use of threads so by making the tool able to handle multiple connections concurrently. This is super useful because you can process all the connection probes made by NMAP. Let's go ahead and run the tool and scan it with some NMAP defaults.
NOTE: I am running all of this in Docker and the tool is configured via Environmental variables.
In one Docker container, build and run the tool to listen on port 80 and set TERM=nmap. "TERM" is the search term(string) we tell the tool to look for in the TCP data received:
root@78b5ecfeb870:/work# export PORT=80
root@78b5ecfeb870:/work# export TERM=nmap
root@78b5ecfeb870:/work# go build -o garbanzo && ./garbanzo
2020/06/10 12:02:40 $GARBANZO_WEB must be set
2020/06/10 12:02:40 $GARBANZO_HOST must be set
2020/06/10 12:02:40 [+] Initialised Listener on Port: 80
And in another Docker container, we launch an NMAP scan against the server container which has the IP address 172.17.0.2. We are using the "-sT" flag because we are in a non-privileged container and do not have the required Linux Capabilities to create raw sockets [1].
root@f5f84eb31bc0:# nmap -sT 172.17.0.2
Starting Nmap 7.70 ( https://nmap.org ) at 2020-02-02 UTC
Nmap scan report for 172.17.0.2
Host is up (0.00014s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
80/tcp open http
and after the scan is done, we can see that NMAP detected port 80 to be open, which is correct.
Our server output will look like this:
root@78b5ecfeb870:/work# export PORT=80
root@78b5ecfeb870:/work# export TERM=nmap
root@78b5ecfeb870:/work# go build -o garbanzo && ./garbanzo
2020/01/01 12:12:12 $GARBANZO_WEB must be set
2020/01/01 12:12:12 $GARBANZO_HOST must be set
2020/01/01 12:12:12 [+] Initialised Listener on Port: 80
2020/01/01 12:12:12 [+] [d5eff754572a65e648960245a43eba98beb0ce714c4d7dd95d7278a7063acbfb] Port:80 Connection:1 from:172.17.0.3:49106
2020/01/01 12:12:12 [ERROR] [d5eff754572a65e648960245a43eba98beb0ce714c4d7dd95d7278a7063acbfb] read tcp4 172.17.0.2:80->172.17.0.3:49106: read: connection reset by peer
The output above from the tool indicates that a single TCP connections was made to port 80 and error occurred when the server attempted to read data from the stream. The error is expected because NMAP by default will reset the connect if it can make a connection. This is all the info NMAP needs to determine if a port is open, if it can successfully open a connection, then it must be open. In the output above, there is a SHA256 hash "d5eff754572a65e648960245a43eba98beb0ce714c4d7dd95d7278a7063acbfb" which is a unique identifier for the connection. This is useful for when there are multiple connections. The tool uses this hash with all activities associated to a connection. We'll see more of this in the section.
NMAP Service and Version Detection
Let's now use the "-sV" flag with our NMAP command as we want NMAP to try and extract "metadata" or the service and version of the open ports. This is useful from an attackers perspective because we want to gather as much information as possible on our target. We can try this by running the following command from our NMAP container:
root@f5f84eb31bc0:/go# nmap -sT -sV 172.17.0.2 -p 80
Starting Nmap 7.70 ( https://nmap.org ) at 2020-02-02 UTC
Nmap scan report for 172.17.0.2
Host is up (0.00014s latency).
And below is the corresponding output generated by the tool:
[+] Initialised Listener on Port: 80
[+] [2b24f34f93697ce707cd9d61323b70a2b54457c3dd330f7d5e5d7bd4ebbb8f66] Port:80 Connection:1 from:172.17.0.3:51198
[ERROR] [2b24f34f93697ce707cd9d61323b70a2b54457c3dd330f7d5e5d7bd4ebbb8f66] read tcp4 172.17.0.2:80->172.17.0.3:51198: read: connection reset by peer
[+] [8297b9be5c9314c96c57af36e56dd5b14cf32884a16227906199ca8ddf8ee431] Port:80 Connection:2 from:172.17.0.3:51200
[+] [02210c50dac4565cb66cb1623623b9e4efe9d5638e666160e25769458679ee6d] Port:80 Connection:3 from:172.17.0.3:51202
[+] [14746282e65da35beba19df6fa78bde2419b8a16e072a1a95ad8bc807f5f9716] Port:80 Connection:4 from:172.17.0.3:51204
[+] [74264732650f84c3084ed23f15be3aa6290e3faf1289ce276bd20b0c3a168cf5] Port:80 Connection:5 from:172.17.0.3:51206
[+] [2cb82e31bbb4b06ad2c3ccb234e07a8aec8c5c75e046af3096740260842e4bac] Port:80 Connection:6 from:172.17.0.3:51208
[+] [51be251174fd9ee7424ba7a27bf512c2f2097f285dd46ca212240ae4209587d9] Port:80 Connection:7 from:172.17.0.3:51210
[+] [9e5be1a5dce881f7ba3ef51d5a66b2f17f2fb7014b0324d14ff8e273248a044c] Port:80 Connection:8 from:172.17.0.3:51212
[+] [31f2d6fb2c6b769be4948a987deb4a62d2f67392c86d6faa7d1e4bd02c174254] Port:80 Connection:9 from:172.17.0.3:51214
[+] [6dd8b57b9bd35fea1490b872c6c729d9bc882e3af29f1b24993749921eb5e0fd] Port:80 Connection:10 from:172.17.0.3:51216
[+] [d1fc77dbec734b6958203c3102bf98c2562539e9825216e200b3bdce0211e3f2] Port:80 Connection:11 from:172.17.0.3:51218
[+] [635da8a96fe12207e71977854eb49e95fa315a3ec712da9e79bda4aa03338273] Port:80 Connection:12 from:172.17.0.3:51220
[+] [ed6270327f3ef77886ea3e4cb6c07866d0750154f38ad1f21f2ffce7ddef70b7] Port:80 Connection:13 from:172.17.0.3:51222
[+] [4099a9996900ca19503a60b0434ce295ebb7400ad7f84002f16be2a47dacbb68] Port:80 Connection:14 from:172.17.0.3:51224
[+] [1dab93852e0749e263bb9c5deca00fed53fe8a5001b719d116016ed7d1d43e81] Port:80 Connection:15 from:172.17.0.3:51226
[+] [f2354e58c621369521f4de50a0b7d430b3bc79f395ea237ac5ca2f979e638353] Port:80 Connection:16 from:172.17.0.3:51228
[+] [f442e24b6110226e818d96c399b8cb56c8936381df4126ba80101f4c8ac6a1cd] Port:80 Connection:17 from:172.17.0.3:51230
[+] [0bd2ae1db2c1c1544af266eeba31f7ed6ee24ad7582f24a6c9a50735dd9747e2] Port:80 Connection:18 from:172.17.0.3:51232
[+] [628883d43eec1ce919a06b7dc39ed8962918f14342d2f389fda82e3bac6e1888] Port:80 Connection:19 from:172.17.0.3:51234
[+] [18d9fb07f6254ff16a27159a0c8f4d6d4d729de94a0f1361a10347c6265729fd] Port:80 Connection:20 from:172.17.0.3:51236
[+] [5f5660a93b7802af41fc135f0bb1e4cd4cec0f19d9875ba194aeb3518423ff9c] Port:80 Connection:21 from:172.17.0.3:51238
[+] [0f2d4808a0826f65efcb2491efe957835a5b18853dae03cc5e8d1957919b6cf8] Port:80 Connection:22 from:172.17.0.3:51240
[+] [39c77dc5d34efd2871b8315a5e0778e31ff4a124a4bcd91345047ce666375f43] Port:80 Connection:23 from:172.17.0.3:51242
[+] [b041e718af47ea6c851c9a5cbaf50290a47099c327b3ffcbfaedffc970ff73d5] Port:80 Connection:24 from:172.17.0.3:51244
[+] [346cbcbc95c1ae7f2fc82acb85d6e8a51ab44a7c894929843d8740ba6feebc2a] Port:80 Connection:25 from:172.17.0.3:51246
[+] [6128ee2cbdb3618ed21e147e8874fc7a534e0f1da4c8286de7d0012646cadebb] Port:80 Connection:26 from:172.17.0.3:51248
[+] [098a8bee69382aabb4acd7130e7c66791666e5fa189902ef17f1cd44cf223b1b] Port:80 Connection:27 from:172.17.0.3:51250
[+] [eeb53a2542d3ea71f725353cf8b1d064ab11e8667eb29e023124b6103aa097ae] Port:80 Connection:28 from:172.17.0.3:51252
[+] [875091a5aabf395a62db73a49c0f844d6f4cde28cdc0bf27b0346f6de4be299b] Port:80 Connection:29 from:172.17.0.3:51254
[+] [effa187e4a8757b2356bc23fdac4c28b2fc9b3dd6983538d3b9c3fd7c30bb764] Port:80 Connection:30 from:172.17.0.3:51256
[+] [0600560cc19cdf6185663d128ebaee3550cdf4a17ceb5a89c68500d9593a6d46] Port:80 Connection:31 from:172.17.0.3:51258
[+] [2e3fe6ada0d67914119272dcf6f9b7367b841b2773c8999a341b09120cd6cfd9] Port:80 Connection:32 from:172.17.0.3:51260
[+] [8a7ced242e7d833644403eec43543f0b2250af048b594e1dd96c12ac148b4f1d] Port:80 Connection:33 from:172.17.0.3:51262
[+] [8a7ced242e7d833644403eec43543f0b2250af048b594e1dd96c12ac148b4f1d] nmap Probe:1 from connection: 33 :[GET /nmaplowercheck1591880218 HTTP/1.1
][474554202f6e6d61706c6f776572636865636b3135393138383032313820485454502f312e310d0a]
[+] [d30f053fbd9b19ddf4ceb2fc4a43f900584ad7f58130ebb7c16f634701ab00ef] Port:80 Connection:34 from:172.17.0.3:51264
[+] [b4ac67dec3cc4c117e69057b5edc7e71350c0d2ccba6c8369159a589ccaf1285] Port:80 Connection:35 from:172.17.0.3:51266
[+] [b4ac67dec3cc4c117e69057b5edc7e71350c0d2ccba6c8369159a589ccaf1285] nmap Probe:2 from connection: 35 :[GET /nmaplowercheck1591880218 HTTP/1.1
][474554202f6e6d61706c6f776572636865636b3135393138383032313820485454502f312e310d0a]
[+] [5db9eee927b2f08180debcbc69e626fd31cbbd2b78d038fc9077e47c5eeb556e] Port:80 Connection:36 from:172.17.0.3:51268
[+] [cf407790610951aa8966c88322aa0a3e7d46f4ace9cc89e8427acdf5bfbcdf0d] Port:80 Connection:37 from:172.17.0.3:784
Woah okay that's a lot of output, lets break it down and see what it says. Firstly, we can see that NMAP made a total of 37 connections to the tool
...Port:80 Connection:37...
. We can also see that the tool identified probes that contained our search "term" which we set to "nmap". Remember, this term basically tells the tool to search for that character sequence (case insensitive btw) in any data sent from the client (NMAP). Here's the first probe that the tool detected:
...
[+] [8a7ced242e7d833644403eec43543f0b2250af048b594e1dd96c12ac148b4f1d] Port:80 Connection:33 from:172.17.0.3:51262
[+] [8a7ced242e7d833644403eec43543f0b2250af048b594e1dd96c12ac148b4f1d] nmap Probe:1 from connection: 33 :[GET /nmaplowercheck1591880218 HTTP/1.1][474554202f6e6d61706c6f776572636865636b3135393138383032313820485454502f312e310d0a]
[+] [d30f053fbd9b19ddf4ceb2fc4a43f900584ad7f58130ebb7c16f634701ab00ef] Port:80 Connection:34 from:172.17.0.3:51264
...
From the output above, we can see that it was connection 33 that sent the request that contained an HTTP request that contained the term "nmap". Okay that's interesting, we now know that behaves differently with the -sV flag in terms of the amount of TCP connections made and the data sent from NMAP. We can also see that NMAP continues the behaviour of "connecting" and "resetting" the connection first to determine if the port is opened, this can be seen with the following output specifically:
[+] Initialised Listener on Port: 80
[+] [2b24f34f93697ce707cd9d61323b70a2b54457c3dd330f7d5e5d7bd4ebbb8f66] Port:80 Connection:1 from:172.17.0.3:51198
[ERROR] [2b24f34f93697ce707cd9d61323b70a2b54457c3dd330f7d5e5d7bd4ebbb8f66] read tcp4 172.17.0.2:80->172.17.0.3:51198: read: connection reset by peer
[+] [8297b9be5c9314c96c57af36e56dd5b14cf32884a16227906199ca8ddf8ee431] Port:80 Connection:2 from:172.17.0.3:51200
Below is the NMAP out from the scan we just analysed:
nmap -sT -sV 172.17.0.2 -p 80
Starting Nmap 7.70 ( https://nmap.org ) at 2020 UTC
Nmap scan report for 172.17.0.2
Host is up (0.000099s latency).
PORT STATE SERVICE VERSION
80/tcp open http?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port80-TCP:V=7.70%I=7%D=6/11%Time=5EE229CA%P=x86_64-pc-linux-gnu%r(GetR
SF:equest,1F,"{\xe2\xc9NKo3\x07\xc7Bs\xa3\tI\x07\x90Y\x8d\)\x94h\x7f\xaaD\
SF:xbc\xcd\x11\xb2\x85\xd0\xff")%r(HTTPOptions,85,"\(\x1f\xce\xbe\xfa\xf5\
SF:xa4\xfa!y\x1e\xd4;2\^\xd9;Y\x99\xa6\x1eAO\"\x10&W\xf1VUj\xd3{8\xe2h`\x9
SF:9\0s\x01s5oC_\x1fu\xcd\xb9\xc4\*wS&'\x9d\xe3A<\xf5\xba\xa9\xe4\x9fQ\xdb
SF:\xf7\(P\x95\xc8NL\xdf@9\xc0\x04g\x1a\xad\xbd\xefh=\x89\x18'v\xfc\xa0t\x
SF:02\xce\xb1\xf8\x1d\x18\xcb\x98I\x85\xe0O\xa4B\xa7\|\x11\xad\xec\xc9\xf1
SF:\x93\xceu\x80\x8c\x17p\xed\xfelf\xb0\x1f\x8bM\xf4\x8fw\xff")%r(RTSPRequ
SF:est,26,"\xdc\xa5\x8ar\xe7\x97\)\x9f\xcc\x07\xe2h\xc6hG0\x12\xcc\xaa\xb6
SF:\x9dj\x008\xa7\x8d\xfd\t\xcf\xe9U\xc3\x9e`\x96l\x93\xff")%r(FourOhFourR
SF:equest,15F,"\x80V\xf84\x99V1g\xd3,\xcf\x12\x01\xdd\xe2\x12\x86\x17\rL\x
SF:af\x02\xa3\xe10\xfes\xcd7K\xd1\xb6\xb2\xe8\x92\x9a\xcc\|CHB\x99\xac\xb6
SF:Y%_\x0e\x18\xc7\xf1\x8b\x91\x0bz\xaf\xbb\^\xb5\x99\xec\x03\x8e\xd7\xedy
SF:Z\x89\xf2t\xc5ab\x0b\xbb\x05\xfa\x0b>\xfeY\x9c\x10Cg\xca\x12\xde\xa1\x8
SF:4X\x0f\"B}\)\?\+\"%\x9b\xdb\|\xd2gzp\x1c\\\xfe\x13\xddQ\+5\xf4\x7fR\xd2
SF:6Q\x7f!5\xb5\x07\xe3\xad\xb9\x81y\xd2\xcc\[\xc6Lu\xfd\xc7o\xacO\xe2L\xb
SF:a\x08M\xf8m\x89x\x99\xcd&\xe3\xdf\xe3\xedW_\xe5\xc7\xfa'rT\xb1QXr\xb8R\
SF:xc1\xeb\x99\xd4\xc8\xd31\x83\?\x13\xd8\x92\x81\x7fBz\x1f\x92\xd6\x15\x1
SF:2I\xa8\xb9\x9e\xebR\xc8\xb5\xb3\xa1\x9b\xf1\xad\x1a\xa6\x1fb\0\xb3a8R\x
SF:ab\t\xa4\xbc\xa7C5\xac\0\x8d\x8b\xd8\xc0\xb5\xbdG\xeb\xe8BgG\\\x05/\x0b
SF:j\xb5\x99E\x81\n\]\xc5\xf80\xa0\]\x9e\xfc\xf6\x066&\x08\xad\xa0d\x10\x8
SF:3\xa6\xc0\(=,oO\xbf\x20\xac/4\xf52\xa2\)\xcbT\xa8\xc8\xe8\xd0\xe5\xaf\x
SF:90\xa1j\x84\xe3\xb3\xbf\xa1\x19\t\xb3P\xa7\^\x90\xdfz\$c\xd1\",\xe0\xf7
SF:\xbe\x99\xf6\x18\xba\xa7\xc7\x87\xdd\xf4\xcdw\xcc\xc7R\x8a\xb9\xb4\*\r\
SF:xbe:\xc2o;1\x0f8\x94E\rmY\ts\xc7\xad\x9e\xff")%r(GenericLines,20,"5\xd7
SF:\x9c>\xf9\nep\*\xd3\x1c\xf5\x8f\xb3\xa6\xeb\xa1\xaa\xef\xd5\xa14I\x9f\x
SF:d3\x8am>B\xe9\x84\xff")%r(Help,171,"\[2\xf3MhR&\xfe&%<\^\x11\xa5vJ#\x8d
SF:&\xb0\xbbV\x85\xbc\xdfW\xbbu\x130\x16\x92\xb5\xa99\xe0\x03\x85\xdbs\"\x
SF:dd\xca\x0c\x10\xd3\xe0\x8e\xe4\x971\xf1\x90\xb6\xaeH\xcb\xf0\xd237\+\x1
SF:2\xde~\xca&\xa93\t\x9b\xb2\xa9\]wH\x9c\x07:\x99\x88oW\xbe\xa6\xb9P\x92O
SF:`\x93-\xfc\x14\x19\x02\x18x\xd9I\x1d\xfb\xbbp\xd5d\x0e4\xc86\xab\xd1\x0
SF:e\x8b&\xd1\xfa\xbaX\xc1\x91\x20\xcb\x0f8\xc4Q\x89\xf2!\xe8V\|wj\xeb\xc3
SF:zk#`\x01A{\?\xd7\x89\x15\x07\x8d\xb2o\xeb\(\x13G\xb7#\x95\x15~\xa9\x9d\
SF:x8d\xcf\]\xbc\xbbg\x1c\xeeC\xc1\x11Y\x01\xef\xc9\xb7\xa0>:`\xd9\0\x85\x
SF:c5Zv\xc8Qa`\xc7\x93\x0f\xd7\x0b\\\xe7\x14rD\x87\x92{~\xbc\xfd\xa5\x06Z\
SF:xe1\xc4wi\xf7\xe3:\x9ep\xb8\xea\x05>\xc6p\[\x7f,\xa1\x8e\xd1\xed\xf5\xa
SF:6x\xa80\xa6\x058U\xc8\x8f\xbd{\xc3\x9dk\x04\xc61\xdb>r\\\x80\xe8K\xa6l\
SF:x9a}\xd2F\x1a\xde\xfaZ\xaa\x91\|\x1b\x1b\x8d!\xfe\x125\0\]\xb2\xde\x88G
SF:\xd1\xe9\x0f\xbf\"\xc1\"a\x02\xeb\xd4V\(L:\xe8\x87\xcb\x9f\xbf\xfb\xfc\
SF:xc6c\xe4Nz\x0eb\x94\xd5\x8b\x12\x9d\x10\xf9\x94k9@y\x82\x8a\x02\xbe\x03
SF:\xf5hs@q\xd9n\xf8\xb3\xb0\x15~\xb3\xb7\x0b\xa5\xdfGU@\xdeJ\x80\x94p\xe2
SF:\x08\xd7\xe6!\xf8\xcd\xdf\xc0s\xe4\xff");
MAC Address: 02:42:AC:11:00:02 (Unknown)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 87.86 seconds
The above output shows us that NMAP was able to detect that port 80 was indeed open but could not verify the service and version, which makes sense and we'll dig into why a bit later in this post.
NMAP Service and Version Detection and Scan Intensity
NMAP has useful functionality to adjust how "intensely" it scans the target according to its documentation[2]. If we look at the flag "--version-intensity" which we haven't used directly yet, we can see in the docs[2] that the flag "-sV" sets "--version-intensity" to 7 by default. Lets now go ahead and change ""--version-intensity" and observe how NMAP behaves:
First setup our tool
root@78b5ecfeb870:/work# export PORT=80
root@78b5ecfeb870:/work# export TERM=nmap
root@78b5ecfeb870:/work# go build -o garbanzo && ./garbanzo
2020/06/10 12:02:40 $GARBANZO_WEB must be set
2020/06/10 12:02:40 $GARBANZO_HOST must be set
2020/06/10 12:02:40 [+] Initialised Listener on Port: 80
Execute NMAP:
root@f5f84eb31bc0:/go# nmap -sT -sV 172.17.0.2 -p 80 --version-intensity 1
Below we get the following tool output from the NMAP command above:
[+] [e76bfa77f3047f2162bf0ca697d24cd38be99ecf96960ca5f324c33801babcd3] Port:80 Connection:1 from:172.17.0.3:51270
[ERROR] [e76bfa77f3047f2162bf0ca697d24cd38be99ecf96960ca5f324c33801babcd3] read tcp4 172.17.0.2:80->172.17.0.3:51270: read: connection reset by peer
[+] [ca32700fb09ad58490ab340fd19d5bfd17a77f5a4b39357341e93ec0ee868721] Port:80 Connection:2 from:172.17.0.3:51272
[+] [6b991cc7ea35a78d63af16555c5b404b78a74c62eede3acaed6f5cda6a650e66] Port:80 Connection:3 from:172.17.0.3:51274
[+] [343b98c09fefc41ecb2e0eb48c918ed8f5b1d0af02dc05b781abb5a4d57e7e7a] Port:80 Connection:4 from:172.17.0.3:51276
[+] [61c11e4bfa44083c4ac764fbbe1546e4a70d38434b4d39fd287cbc26bd1631dd] Port:80 Connection:5 from:172.17.0.3:51278
[+] [0958fca1885269f9797a039aedcbccc67d5153f71f5396ffee23dc707d714a8c] Port:80 Connection:6 from:172.17.0.3:51280
[+] [322a686505032b68a7903a68b98ec502f87710d7ed60cd71bc5d6708fe214af0] Port:80 Connection:7 from:172.17.0.3:51282
[+] [610f9f80d0b616267fb567fbe5b437653fd3d3ac3d524ca92baac642d599e102] Port:80 Connection:8 from:172.17.0.3:51284
[+] [12f40d18ad44fee3eef5371c571883efcac00b7576dcee35ebb8fd12af37571f] Port:80 Connection:9 from:172.17.0.3:51286
The above output from the tool shows us that NMAP continues the behaviour of checking if port 80 is open by connecting and resetting. We can also see that 9 connections were made but no "nmap" terms were identified. If we run the NMAP command several times with "--version-intensity" set to "1", we will see the above pattern repeated, first a connection and reset which is then followed by 8 probes.
Below is the associate NMAP output:
root@f5f84eb31bc0:/go# nmap -sT -sV 172.17.0.2 -p 80 --version-intensity 1
Starting Nmap 7.70 ( https://nmap.org ) at 2020-002-02 UTC
Nmap scan report for 172.17.0.2
Host is up (0.000083s latency).
PORT STATE SERVICE VERSION
80/tcp open http?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port80-TCP:V=7.70%I=1%D=6/11%Time=5EE23E9F%P=x86_64-pc-linux-gnu%r(GetR
SF:equest,270,"\xb5rHF\xbc\xe9\xde\xf9\xbc\xf6\x15Y\x8e\xb9\x1f\x9a\0\xe64
SF:xrB\xb4\x9a\xcd#S:W\x01\|K\x8e\x1ft\x95\x90\n\xaf\xaf\x004k\xf9\xc1\x99
SF:\xf7\x88s\xef\x8e\x13\x03\xf1Gp-\x99\xe4\xd6\xf2e\x94\xb2Z\r\x94C\x07EY
SF:\?>\\8D\xear\xa0y\xae\xf3\x86\xda\xab<\xe2\xc6C\xa9\xf1IMw\x0b-\xb6\xce
SF:\x0b\x9b\xe6\x15S\xdd\xe2\$\.\x9e\xe4\x8f\x965\xf1\x11\xee`\xe2\x04\x95
SF:\x1b\xc0\xe5-\xceM\xe9\x97\xbcd\xea\xc2\xed\n\x03\tU\x97\x01\xbe\xaf\x0
SF:2\xce-SH\xfaZ\xdeV\xc7#\xd9W\xf0X~1-Es\xb4\xf6\xe2\xcf\x07\xa5\*m\xe5i\
SF:^\x88\x03d\xf7\xe1\x05\x12\x90\rN\x84\x17\xed\]\x1a\xf0n\xbc\xeb\xe9\xd
SF:bTp\xe5#K\xd8\|\x8c\xd2\x18}\xe9\xda\xbczz\x07\x9b\x81\xa1\xbb\x9c\xe1\
SF:x19x\x0f\x9a8\x94\x012\xf0\x9bm\xe3\x97\xf3\xe0\r\xabbK\xa6\x82\x13\x7f
SF:\xbc\xdc\x19\x1f\x93\x20\x0e\xb0\xc8\x85\xbfK\xb1\xf1\xdb\x18G\n\xf5\x1
SF:d-\xb7\xca\x9c\xbb,\x0b\x8c\xb6\xf7\x125\x17\x81A\"\xb9j\n\xbb8\xb6Y\x9
SF:e\x98\xce\x1f\x1c\xda\x91\xe4\xfcb\x88\x94\xb2\xdd\x20\x1e1\x95\xdcH\x1
SF:5\*\x9c\x9b\xac\x19\xb9A\x8at@j%\)\xe0\.p\x1bI\x1bi\xbdu\x0c\xed5\x10\x
SF:d7\npfJ\xbe\x8c\xf1\.\xd6l\x13\xd1p\x01\xb6<z\xc7\xe5\xaa\xf6=0\x8f\xc1
SF:\xc8\"\x90\xbf\xe9\xc7\x99\x8d\xeaz\xe8\x17\)\xdb{\x84\xe0C\xe34\)\xcc\
SF:x20U\x0c\xd2Cj\xf9\xfec}\xa0\xc5\x03C@\x9aG5\xf8\xee\x9c\t\xfc\xb4\x7f\
SF:x10\xb4\xb8\xee\xca-\xa0\xbc\[\xc7\xf7\xbf\xad\x89\xd7\x93\xb0\xd8\xc3\
SF:?\xb4:\xf7},\xd6\x11\x12\xc1\x8f\(tHH{@\xcb\xfa0_\xf3\xe0\x95S\xcct\xbd
SF:\^\t\xd3T\xa9t\xcd\xb2\.\x15\x96\x12\xfaFe\xac\xcb\x14\x9e\xcaO\xb2W\xe
SF:f\xf3\xd4O\)\xe2\xe7\xd6\xbbx\xa1\xc2\x087#\xb5\xb2;\x0f\xcdL\xe3`\xf4x
SF:H!\xb7\xd0M\xad\xd2\x1c\r\xf2\xb9\xc9h;ge\x0f\ny\xbe\xf7\x13X,X\xdf\xf9
SF:x\x10\x15\[\x93D\xe3\x86\xf4Z\x8d7EiZt\x91\x16\xa9K\x1e!\xab\x8d\xb9\x0
SF:1\x95\x81\xde\rU\xd0!\x93B\xb1;\x8f\x19G\xeb\x9eDY\x03\x81\xd0\xc0W\xda
SF:H\xd9\xdb0\x9f\xa3\xfd\xfdS\xbap\x88\xe2\xed\xaa\x20\xecZ\xb3\xfc\xbd\x
SF:d6\xf6\n\x86OyQ\x1a\xe6\x8b\x02\x9c\xd5\xbf\xc6\xbaCU\x0f\^\x1c\xe2\xfd
SF:\x8b\xa9\x86\x07\xba\xe9\xff")%r(HTTPOptions,150,"\$\x08\x0e\x80\xa4\xf
SF:1\xbeS\x85\^~\x7f\x0f:\x8d\x1f\[\xc2\xdd9\xe5\x97\xc6<\0\x89\xb4-\xda\x
SF:a9\xdeI\\\x8f>\xee\|\xab\xf9\xe7\xe7\xf2\xc6\xeb\x97\xbb\xb8\x99\x8f,\)
SF:\xa4K\xdc\xa3k\xb0\x20`\[\x19\xef\xbf\xb3#\xbc\xf0\x06\x05\x20\xc6\xadK
SF:\x88\xeb\x0c\xf8\xdd\xab\xadM\x99\xb4\xd7d\xe0\xde\xaa\x02\x17\xb1h\(~\
SF:xe8\xf7\xd7\?\x13b\xdb\xb9\x17\xa5\]\r\xa70\xb5\x12\xe6\rpI2\x01\xa1sk\
SF:xf1\xf5=\x99\x06\x8e,\+\xa1\x8e\"/f\xaf\xd6\xb5\x06\xef\xf6\x204e\xb4\x
SF:c5\x83\xc3\xec\t\x9a\x8c\x87\x92U\^\x1eO\xdb\[I\x8d@\xb3\xc8p\xdb\xae\x
SF:94\x98\xae\x06\xb5M\x8ey0\x80\xf5\xe0\xde>\xd4<6\x08Q\x12t\x9a\xa2\xe4W
SF:p\xb2\x19%\xea\xa2\xf0N:7\x83\x117\xa6\x11\xd2w=\xfbA\xef\x1d\xa6\xe7t5
SF:byL\\\xd6Y5%\xc4\xee\xdc\xa2\xb3X\x17\xa3\xe9\xc6:=l\x91\x98\xcb\x9e\xb
SF:4\xed\x9b\xa5\xe8\xa4\xe0\x0b\xdb\xdeV\xa0\x8d\xfb\xf9\)\xbd\xac{\xd2\+
SF:\xb1\x075s\xdc_\x0e\xc5\xe3ZJ\xc1Z\xc7\xe8\xa2>}\xbe\"\xac\xab\x04\xcc\
SF:xac\xab\x92F\x99w\xfb\xc7t\xcc\xedHp\xee\xa3\x9a-\xa7\xd4\x1c\xba\x87d\
SF:xb9\x83R\xbb\x04\x84m{CS\x8b\xa0\"w\xb7\xd3\+g\x18\x20\x93x\x93\xeaOs\x
SF:ff");
MAC Address: 02:42:AC:11:00:02 (Unknown)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.83 seconds
From the output above, we can see that NMAP was able to determine that port 80 was open but could not verify the service and version.
If we take a look at what we have determined at this point, we now know that the -sV defaults will send probes that contain the string "nmap" and "--version-intensity" set to 1 will result in no probes containing the string "nmap". So this leads to a natural question, at which intensity level does the string "nmap" get sent with the NMAP probes? Well easy-peasy-lemon-squeezy, lets use our tool to help us. Lets setup our server again with:
root@78b5ecfeb870:/work# export PORT=80
root@78b5ecfeb870:/work# export TERM=nmap
root@78b5ecfeb870:/work# go build -o garbanzo && ./garbanzo
2020/06/10 12:02:40 $GARBANZO_WEB must be set
2020/06/10 12:02:40 $GARBANZO_HOST must be set
2020/06/10 12:02:40 [+] Initialised Listener on Port: 80
and run NMAP with "--version-intensity" set to 2.
root@f5f84eb31bc0:/go# nmap -sT -sV 172.17.0.2 -p 80 --version-intensity 2
which results in the following tool output:
[+] Initialised Listener on Port: 80
[+] [cb2cfd7735d96677652e77940170a0a4c695b4145fa93f7c885628df551671d7] Port:80 Connection:1 from:172.17.0.3:51288
[ERROR] [cb2cfd7735d96677652e77940170a0a4c695b4145fa93f7c885628df551671d7] read tcp4 172.17.0.2:80->172.17.0.3:51288: read: connection reset by peer
[+] [50982846ac83afffab217e22573baae530ad966028d29b4c0f1d77c71c8dce16] Port:80 Connection:2 from:172.17.0.3:51290
[+] [6d95e9d08c551bda3d97565334aa089396600c62b9b4fae5847156ef596a6d5e] Port:80 Connection:3 from:172.17.0.3:51292
[+] [71fbba3e7c6949cfed8bb15ab2708a34cc20cbe5d4d5c60ca6d139ef0a3e3a4b] Port:80 Connection:4 from:172.17.0.3:51294
[+] [c774af05a3d1e12d779d86d8a23eb6daac54a3ebed1d4af18d68378ad47bc6af] Port:80 Connection:5 from:172.17.0.3:51296
[+] [dcd29b657bd7399ada9d76144cef8fc56615d356dcee1e448ea9dd675c8d5af3] Port:80 Connection:6 from:172.17.0.3:51298
[+] [be510f1d5fdb54ee007f0bf7613e9df76a8d9e17cb106a999f6c78c5865e7967] Port:80 Connection:7 from:172.17.0.3:51300
[+] [9ffc5a4a8c704547d2f7d9d995d8c55d4ad807d01124642fff9500bb7615c091] Port:80 Connection:8 from:172.17.0.3:51302
[+] [460ec7db181855235ef0f78e2f99f0779af42fcf083ccd42e23e05dd6b2d8d2a] Port:80 Connection:9 from:172.17.0.3:51304
Okay so intensity level 2 has no "nmap" term in the probes. If we repeat this process(left to the reader to do) and increase the intensity +1, we'll determine that level 7 is the level where NMAP sends the term "nmap" in its probes. Another interesting observation is that the number of connections made by NMAP also increases with the intensity level. For example, the follow NMAP command:
bash nmap -sT -sV 172.17.0.2 -p 80 --version-intensity 6
results in 24 connections made by NMAP. I'll leave it to you, the reader to verify this statement :)
References
1.https://nmap.org/book/scan-methods-connect-scan.html
2.https://nmap.org/book/man-version-detection.html
Top comments (0)