Version Detection & Fingerprinting

Identifying software versions and system characteristics for vulnerability assessment

Service Version Detection

Banner Grabbing Techniques

Netcat Banner Grabbing

# Netcat banner grabbing (-n disables DNS lookup, so use it only with IP addresses; for a hostname drop -n)
nc -v target.com 21    # FTP
nc -v target.com 22    # SSH
nc -v target.com 23    # Telnet
nc -v target.com 25    # SMTP
nc -v target.com 80    # HTTP
nc -v target.com 110   # POP3

Telnet Banner Grabbing

# Telnet banner grabbing
telnet target.com 21
telnet target.com 80

HTTP Headers

# HTTP headers
curl -I http://target.com
wget --server-response --spider http://target.com

SSL/TLS Certificate Info

# SSL/TLS certificate info (-servername sends SNI; </dev/null closes stdin so the session does not hang)
openssl s_client -connect target.com:443 -servername target.com </dev/null
# Extract only the subject, issuer and validity period of the presented certificate
openssl s_client -connect target.com:443 -servername target.com </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -dates

Nmap Version Detection

# Service version detection
nmap -sV target.com
# Aggressive version detection
nmap -sV --version-intensity 9 target.com
# Version detection with scripts
nmap -sV -sC target.com
# OS detection
nmap -O target.com
# Combined aggressive scan
nmap -A target.com

Operating System Fingerprinting

Active OS Detection

# Nmap OS detection
nmap -O target.com
# p0f passive OS fingerprinting
p0f -i eth0
# Xprobe2 OS fingerprinting
xprobe2 target.com

Passive OS Detection Indicators

TTL Values
Initial TTL of replies differs by OS; the observed value has been decremented once per hop, so round it up to the nearest of these:
  • Windows: 128
  • Linux: 64
  • Cisco: 255
  • OpenBSD: 255
TCP Window Sizes
Default window size advertised by the TCP stack:
  • Windows: 65535, 8192
  • Linux: 5840
  • FreeBSD: 65535
ICMP Responses
Different OSes handle ICMP differently
TCP Options
OS-specific TCP option implementations
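As an added example (not from the original page), the TTL and window-size tables above applied in code: an observed TTL is rounded up to the nearest initial value to recover the OS family and hop count, and the window size is used to confirm or contradict that guess. The confidence labels and the 30-hop sanity limit are assumptions made for this example.

```python
from typing import NamedTuple, Optional

# Initial TTL -> OS families that use it (values from the tables above)
INITIAL_TTL = {64: {"Linux"}, 128: {"Windows"}, 255: {"Cisco", "OpenBSD"}}
# Default TCP window size -> OS families (values from the tables above)
WINDOW_SIZE = {5840: {"Linux"}, 8192: {"Windows"}, 65535: {"Windows", "FreeBSD"}}

class Guess(NamedTuple):
    os_family: str
    confidence: str          # High / Medium / Low (assumed labels)
    initial_ttl: Optional[int]
    hops: Optional[int]

def initial_ttl_for(observed_ttl: int):
    """Round an observed TTL up to the nearest common initial TTL; return (initial, hops)."""
    for start in sorted(INITIAL_TTL):
        if observed_ttl <= start:
            return start, start - observed_ttl
    return None, None

def guess_os(observed_ttl: int, window: Optional[int] = None) -> Guess:
    start, hops = initial_ttl_for(observed_ttl)
    if start is None or hops > 30:
        # Unusual initial TTL or an implausibly long path: do not guess
        return Guess("Unknown", "Low", start, hops)
    ttl_candidates = INITIAL_TTL[start]
    if window is None or window not in WINDOW_SIZE:
        # TTL alone: 255 is shared by two families, so report all candidates
        return Guess("/".join(sorted(ttl_candidates)), "Low", start, hops)
    agreed = ttl_candidates & WINDOW_SIZE[window]
    if agreed:
        return Guess(next(iter(agreed)), "High", start, hops)
    # TTL and window size disagree: report both and flag for manual verification
    fam = "/".join(sorted(ttl_candidates)) + " (window suggests " + "/".join(sorted(WINDOW_SIZE[window])) + ")"
    return Guess(fam, "Low", start, hops)

if __name__ == "__main__":
    # Constructed observations, e.g. TTL and window from p0f or a packet capture
    for ttl, win in [(54, 5840), (118, 65535), (250, None), (64, 65535)]:
        print(ttl, win, guess_os(ttl, win))
```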

Application Version Detection

Web Application Fingerprinting

# Technology detection
whatweb target.com
wappalyzer target.com   # Browser extension

CMS Detection

# WordPress
wpscan --url http://target.com --enumerate vp
# Drupal
droopescan scan drupal -u http://target.com
# Joomla
joomscan -u http://target.com

Server Fingerprinting

# Server fingerprinting
httprint -h target.com -s signatures.txt

Database Version Detection

MySQL Version

# MySQL version
mysql -h target.com -u root -p -e "SELECT VERSION()"

MSSQL Version

# MSSQL version
sqlcmd -S target.com -U sa -P password -Q "SELECT @@VERSION"

PostgreSQL Version

# PostgreSQL version
psql -h target.com -U postgres -c "SELECT version()"

Oracle Version

# Oracle version
sqlplus username/password@target.com
SQL> SELECT banner FROM v$version;

Advanced Fingerprinting Techniques

HTTP Response Analysis

# Detailed HTTP response analysis
curl -v -A "Mozilla/5.0" http://target.com
curl -X OPTIONS http://target.com -v
curl -X TRACE http://target.com -v

SSL/TLS Fingerprinting

# SSL/TLS analysis
sslscan target.com
testssl.sh target.com
nmap --script ssl-enum-ciphers target.com -p 443

SMTP Fingerprinting

# SMTP fingerprinting
telnet target.com 25
# then type in the session:
EHLO test.com
HELP

SSH Fingerprinting

# SSH version and algorithms (-v prints the remote version string during the handshake)
ssh -v -o PreferredAuthentications=none target.com
nmap --script ssh2-enum-algos target.com -p 22

Framework and Technology Detection

Web Framework Detection

Django
Python web framework detection
Laravel
PHP framework identification
React/Angular
JavaScript framework detection
Spring Boot
Java framework fingerprinting
# Framework detection techniques
curl -s http://target.com | grep -i -E "(django|laravel|spring|react|angular|vue)"
curl -s http://target.com/robots.txt
curl -s http://target.com/.well-known/security.txt

Content Management System Detection

# Generic CMS detection
cmseek -u http://target.com
whatcms target.com
# WordPress specific
curl -s http://target.com/wp-admin/
curl -s http://target.com/readme.html
# Drupal specific
curl -s http://target.com/CHANGELOG.txt
curl -s http://target.com/misc/drupal.js
# Joomla specific
curl -s http://target.com/administrator/
curl -s http://target.com/language/en-GB/en-GB.xml

Vulnerability Assessment Based on Versions

Once you identify service versions, search for known vulnerabilities:

Exploit Database Search

# Search for exploits
searchsploit apache 2.4.29
searchsploit openssh 7.4

CVE Database Search

# CVE database search
cve-search apache 2.4.29

Metasploit Module Search

# Metasploit module search
msfconsole
msf > search apache 2.4.29

Online Vulnerability Databases

  • National Vulnerability Database (NVD): comprehensive vulnerability database
  • Exploit Database (queried above with searchsploit): exploit database and archive
  • MITRE CVE: Common Vulnerabilities and Exposures

Service-Specific Version Detection

Apache HTTP Server

# Apache version detection
curl -I http://target.com
nmap --script http-server-header target.com -p 80
nikto -h target.com | grep "Server:"

Nginx Version Detection

# Nginx version detection
curl -I http://target.com | grep -i server
curl -v http://target.com/nginx_status

IIS Version Detection

# IIS version detection
curl -I http://target.com | grep -i server
nmap --script http-iis-webdav-vuln target.com

FTP Server Detection

# FTP server version
ftp target.com
nc target.com 21
nmap --script ftp-anon,ftp-banner target.com -p 21

SSH Server Detection

# SSH server version
ssh target.com
nc target.com 22
nmap --script ssh-hostkey,ssh2-enum-algos target.com -p 22

Automated Version Detection

Nessus Professional

Nessus Features:
  • Comprehensive version detection
  • Vulnerability correlation
  • Compliance checking
  • Detailed reporting

OpenVAS/GVM

# OpenVAS scanning
gvm-cli --xml "Version Detection"

Custom Version Detection Scripts

#!/bin/bash
# Version detection automation script
TARGET="$1"
if [ -z "$TARGET" ]; then
    echo "Usage: $0 <target>" >&2
    exit 1
fi

# Grab the first line a service sends; the timeout stops a silent port from hanging the script
grab_banner() {
    timeout 5 nc "$TARGET" "$1" 2>/dev/null </dev/null | head -1
}

echo "=== VERSION DETECTION REPORT ==="
echo "Target: $TARGET"
echo "Date: $(date)"
echo ""
echo "=== HTTP Server ==="
curl -sI "http://$TARGET" 2>/dev/null | grep -i '^server:'
echo "=== SSH Server ==="
grab_banner 22
echo "=== FTP Server ==="
grab_banner 21
echo "=== SMTP Server ==="
grab_banner 25
echo "=== Operating System ==="
nmap -O "$TARGET" 2>/dev/null | grep "OS details"   # nmap -O needs root privileges

Version Enumeration Best Practices

Stealth Considerations

Minimize Detection:
  • Use passive techniques when possible
  • Randomize request timing
  • Use different user agents
  • Avoid aggressive scanning
  • Monitor for defensive responses

Accuracy and Validation

Ensure Accurate Results:
  • Cross-verify with multiple tools
  • Check for version obfuscation
  • Look for custom banners or headers
  • Test different connection methods
  • Document confidence levels

False Positive Management

# Verify version information
# Test multiple endpoints
curl -I http://target.com/admin/
curl -I http://target.com/api/
curl -I http://target.com/test/
# Compare banner information
nc target.com 21 | tee ftp_banner.txt
nmap -sV target.com -p 21 | tee nmap_ftp.txt
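An added example, not part of the original page, that serves both the Service-Specific Version Detection banners above and the cross-verification advice under Accuracy and Validation: it parses the raw banners those commands return into product/version pairs, marks banners whose version has been stripped, and rates a result High only when two independent observations agree. The regexes and confidence labels are assumptions for this example and cover only the products named in them.

```python
import re
from typing import NamedTuple, Optional

class Version(NamedTuple):
    service: str
    product: Optional[str]
    version: Optional[str]
    confidence: str       # High / Medium / Low (assumed labels)
    note: str

# Patterns written for this example against common banner shapes (not exhaustive)
PATTERNS = [
    ("ssh",  re.compile(r"^SSH-\d\.\d-(?P<product>[A-Za-z]+)[_/-]?(?P<version>[\d][\w.]*)?")),
    ("http", re.compile(r"^Server:\s*(?P<product>[A-Za-z][\w-]*)(?:/(?P<version>[\d][\w.]*))?", re.I)),
    ("ftp",  re.compile(r"^220[ -].*?(?P<product>vsFTPd|ProFTPD|Pure-FTPd|FileZilla)\s*(?P<version>[\d][\w.]*)?", re.I)),
    ("smtp", re.compile(r"^220[ -]\S+\s+ESMTP\s+(?P<product>Postfix|Exim|Sendmail)?\s*(?P<version>[\d][\w.]*)?", re.I)),
]

def parse_banner(line: str) -> Version:
    line = line.strip()
    for service, pat in PATTERNS:
        m = pat.match(line)
        if not m:
            continue
        product, version = m.group("product"), m.group("version")
        if version is None:
            # Product named but version stripped: typical of banner obfuscation settings
            return Version(service, product, None, "Low", "version hidden in banner")
        return Version(service, product, version, "Medium", "single banner; verify with a second source")
    return Version("unknown", None, None, "Low", "unrecognised or custom banner")

def cross_verify(first: Version, second: Version) -> Version:
    """Raise confidence only when two independent observations agree."""
    if first.service != second.service:
        return first._replace(confidence="Low", note="observations are for different services")
    if first.product == second.product and first.version == second.version and first.version:
        return first._replace(confidence="High", note="two sources agree")
    return first._replace(confidence="Low", note=f"mismatch: {first.product} {first.version} vs {second.product} {second.version}")

if __name__ == "__main__":
    # Constructed sample banners of the kind returned by nc and curl -I
    print(parse_banner("SSH-2.0-OpenSSH_7.4"))
    print(parse_banner("Server: Apache"))
    print(cross_verify(parse_banner("220 (vsFTPd 3.0.3)"), parse_banner("220 (vsFTPd 3.0.3)")))
```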

Version-Based Attack Planning

Vulnerability Correlation Matrix

Critical Vulnerabilities
RCE, Authentication bypass, Privilege escalation
High Risk
SQL injection, XSS, Directory traversal
Medium Risk
Information disclosure, DoS vulnerabilities
Low Risk
Configuration issues, deprecated features

Exploit Prioritization

Prioritize exploits based on:
  • CVSS Score: Common Vulnerability Scoring System rating
  • Exploit Availability: Public exploits vs. proof-of-concept
  • Attack Complexity: Simple vs. complex exploitation
  • Access Required: Remote vs. local access needed
  • Impact Level: System compromise vs. information disclosure

Reporting Version Information

Documentation Template

# Version Detection Report Template
=================================
Target: target.com
Date: $(date)

OPERATING SYSTEM:
- OS: Linux/Windows/Unknown
- Version: Specific version if detected
- Confidence: High/Medium/Low

WEB SERVICES:
- Server: Apache/Nginx/IIS
- Version: X.X.X
- Modules: Detected modules/plugins

DATABASE SERVICES:
- Type: MySQL/MSSQL/PostgreSQL
- Version: X.X.X
- Access: Public/Restricted

APPLICATIONS:
- CMS: WordPress/Drupal/Joomla
- Version: X.X.X
- Plugins: Enumerated plugins

VULNERABILITIES:
- CVE-XXXX-XXXX: Description
- Severity: Critical/High/Medium/Low
- Exploit Available: Yes/No

Risk Assessment Integration

Version-Based Risk Factors:
  • End-of-life software without security updates
  • Known vulnerabilities with public exploits
  • Default configurations and credentials
  • Unpatched systems with missing security updates
  • Development or beta versions in production
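An added example (not from the original page) that applies the Exploit Prioritization criteria and the Version-Based Risk Factors above as one ranking, so that a remotely exploitable issue on end-of-life software with a public exploit outranks a higher-CVSS finding that needs local access. The weights are assumed for illustration and the CVE ids are placeholders.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    cve: str                    # placeholder ids below, not real CVE numbers
    cvss: float                 # CVSS base score
    public_exploit: bool        # working public exploit vs. proof-of-concept only
    complexity: str             # "low" or "high" attack complexity
    access: str                 # "remote" or "local"
    impact: str                 # "compromise" or "disclosure"
    end_of_life: bool = False   # vendor no longer ships security updates
    default_creds: bool = False # default configuration or credentials in use

def priority_score(f: Finding) -> float:
    """Weighted sum over the page's criteria; weights are assumed, tune to your risk appetite."""
    score = f.cvss                                   # 0-10 base rating
    score += 2.0 if f.public_exploit else 0.5        # exploit availability
    score += 1.0 if f.complexity == "low" else 0.0   # attack complexity
    score += 1.5 if f.access == "remote" else 0.0    # access required
    score += 1.5 if f.impact == "compromise" else 0.5  # impact level
    score += 1.0 if f.end_of_life else 0.0           # no patch will ever come: mitigate instead
    score += 1.0 if f.default_creds else 0.0         # default configuration / credentials
    return round(score, 2)

def prioritize(findings):
    """Highest priority first; ties broken by CVSS, then by id for a stable order."""
    return sorted(findings, key=lambda f: (-priority_score(f), -f.cvss, f.cve))

if __name__ == "__main__":
    # Constructed findings with placeholder ids, as in the report template above
    sample = [
        Finding("CVE-XXXX-0001", 9.8, False, "high", "local", "compromise"),
        Finding("CVE-XXXX-0002", 7.5, True, "low", "remote", "compromise", end_of_life=True),
        Finding("CVE-XXXX-0003", 5.3, False, "low", "remote", "disclosure"),
    ]
    for f in prioritize(sample):
        print(f"{f.cve:16} {priority_score(f):5.2f}")
```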