Well Known Port List: nmap-services
The nmap-services file is a registry of port
names to their corresponding number and protocol. Most lines have a
comment as well. Nmap ignores the comments, but users sometimes grep
for them in the file when Nmap reports an open service of a type
that the user does not recognize. Example 14.1, “Excerpt from
nmap-services” shows a typical excerpt from the file.
Example 14.1. Excerpt from nmap-services
qotd 17/tcp # Quote of the Day
qotd 17/udp # Quote of the Day
msp 18/tcp # Message Send Protocol
msp 18/udp # Message Send Protocol
chargen 19/tcp # ttytst source Character Generator
chargen 19/udp # ttytst source Character Generator
ftp-data 20/tcp # File Transfer [Default Data]
ftp-data 20/udp # File Transfer [Default Data]
ftp 21/tcp # File Transfer [Control]
ftp 21/udp # File Transfer [Control]
ssh 22/tcp # Secure Shell Login
ssh 22/udp # Secure Shell Login
telnet 23/tcp #
telnet 23/udp #
priv-mail 24/tcp # any private mail system
priv-mail 24/udp # any private mail system
smtp 25/tcp # Simple Mail Transfer
smtp 25/udp # Simple Mail Transfer
This file was originally based off the IANA assigned ports list
at http://www.iana.org/assignments/port-numbers,
though many other ports have been added over the years. The IANA does
not track trojans, worms and the like, yet discovering them is
important for many Nmap users.
This excerpt shows that UDP ports are often registered for
TCP-only services such as SSH and FTP. This was
inherited from the IANA, who tend to always register services for
both protocols. Because Nmap scans ports listed in nmap-services
by default, this aspect slows Nmap down by bloating the port list
size. The nmap-services list will be cleaned up eventually
to remove these redundant entries.
The grammar of this file is pretty simple. There are two
whitespace-separated columns. The first is
the service name or abbreviation, as seen in the SERVICE
column of Nmap output. The second column
gives the port number and protocol, separated by a slash. That syntax
is seen in the PORT column of Nmap output. Nmap disregards anything
beyond the second column, but most lines continue with whitespace and
then a pound (‘#’) character, followed by a comment. Lines may be
blank or contain just a pound character followed by comments.
Astute readers notice the similarity in structure between
nmap-services and /etc/services (usually found at
c:\winnt\system\drivers\etc\services on Windows).
This is no coincidence. The format was kept to allow systems
administrators to copy in any custom entries from their own
/etc/services, or even to substitute their own
version of that file entirely. The /etc/services
format allows a third column providing alias names for a service.
Nmap allows (but ignores) these in nmap-services.
Administrators sometimes change this file to reflect custom services
running on their network. For example, an online services company I
once consulted for had dozens of different custom daemons running on
high-numbered ports. Adding these port numbers to nmap-services
ensures that they are scanned by default. If -p1-65535
is used to scan all ports,
the open ports will show up anyway. Adding them to the file is still
helpful because Nmap will then print the proper names rather than
unknown. Services specific to a single
organization should generally stay in their own
nmap-services, but other port registrations can
benefit everyone. If you find that the default port for a major worm,
trojan, file sharing application, or other service is missing from the
latest nmap-services, please send it to me
(<fyodor@insecure.org>) for inclusion in the next release. This helps
all users while preventing you from having to maintain and update your
own custom version of nmap-services.
Similarly, a certain registered port may be frequently wrong for
a certain organization. nmap-services can only
handle one service name per port number and protocol combination, yet
sometimes several different types of applications end up using the
same default port number. In that case, I try to choose the most
popular one for nmap-services. Organizations
which commonly use another service on such a port number may change
the file accordingly.
Another common customization is to strip nmap-services
down to only the most common,
essential services for an organization. Then the Nmap -F
option will scan only those ports and be much
faster than with the original file. The file should normally be
placed in a custom location accessible with the --datadir
option rather than where Nmap will use it
by default. The section called “Using Customized Data Files”
provides advice for customizing these files, including ways to prevent
Nmap upgrades from wiping out your modified versions.
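
The grammar and the customizations described above, as an added example (not part of the original page and not Nmap's own code): Python that parses the two-column format, overlays site entries copied from an /etc/services-style file, and reports which registered names they replace. The service names acme-billing and acme-relay, port 40001, and all function names are assumptions made for illustration; rejecting malformed lines is this example's choice.

```python
# Added example: parse and merge files in the nmap-services grammar described above.
def parse_services(text):
    """Map (port, proto) -> (name, comment); columns past the second are ignored."""
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        body, _, comment = raw.partition("#")   # comment starts at the first pound sign
        fields = body.split()
        if not fields:
            continue                            # blank or comment-only line
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: missing port/protocol column")
        port, sep, proto = fields[1].partition("/")
        if not sep or not port.isdigit() or int(port) > 65535 or not proto:
            raise ValueError(f"line {lineno}: bad port/protocol {fields[1]!r}")
        table[(int(port), proto.lower())] = (fields[0], comment.strip())  # one name per slot
    return table

def merge(base, custom):
    """Overlay custom on base; also list (port, proto, old, new) for renamed slots."""
    merged, renamed = dict(base), []
    for key, (name, comment) in custom.items():
        if key in base and base[key][0] != name:
            renamed.append((key[0], key[1], base[key][0], name))
        merged[key] = (name, comment)
    return merged, sorted(renamed)

def render(table):
    """Emit entries sorted by port then protocol, in the same grammar."""
    return "".join(f"{name} {port}/{proto} # {comment}".rstrip() + "\n"
                   for (port, proto), (name, comment) in sorted(table.items()))

# Constructed sample input: lines from Example 14.1 plus hypothetical site entries.
BASE = """\
ssh 22/tcp # Secure Shell Login
ssh 22/udp # Secure Shell Login
telnet 23/tcp #
priv-mail 24/tcp # any private mail system
"""
CUSTOM = """\
# site-specific services (constructed)
acme-billing 40001/tcp billingd # hypothetical in-house daemon
acme-relay 24/tcp # hypothetical service reusing a registered port
"""

if __name__ == "__main__":
    merged, renamed = merge(parse_services(BASE), parse_services(CUSTOM))
    print(render(merged), end="")
    print("renamed:", renamed)
```

Reviewing the renamed list before writing the merged file into a --datadir location shows which registered names a site entry is about to override.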