Well Known Port List: nmap-services

The nmap-services file is a registry of port names to their corresponding number and protocol. Most lines have a comment as well. Nmap ignores the comments, but users sometimes grep for them in the file when Nmap reports an open service of a type that the user does not recognize. Example 14.1, “Excerpt from nmap-services” shows a typical excerpt from the file.

Example 14.1. Excerpt from nmap-services

qotd              17/tcp     # Quote of the Day
qotd              17/udp     # Quote of the Day
msp               18/tcp     # Message Send Protocol
msp               18/udp     # Message Send Protocol
chargen           19/tcp     # ttytst source Character Generator
chargen           19/udp     # ttytst source Character Generator
ftp-data          20/tcp     # File Transfer [Default Data]
ftp-data          20/udp     # File Transfer [Default Data]
ftp               21/tcp     # File Transfer [Control]
ftp               21/udp     # File Transfer [Control]
ssh               22/tcp     # Secure Shell Login
ssh               22/udp     # Secure Shell Login
telnet            23/tcp     #
telnet            23/udp     #
priv-mail         24/tcp     # any private mail system
priv-mail         24/udp     # any private mail system
smtp              25/tcp     # Simple Mail Transfer
smtp              25/udp     # Simple Mail Transfer

This file was originally based off the IANA assigned ports list at http://www.iana.org/assignments/port-numbers, though many other ports have been added over the years. The IANA does not track trojans, worms and the like, yet discovering them is important for many Nmap users.

This excerpt shows that UDP ports are often registered for TCP-only services such as SSH and FTP. This was inherited from the IANA, who tend to always register services for both protocols. Because Nmap scans ports listed in nmap-services by default, this aspect slows Nmap down by bloating the port list size. The nmap-services list will be cleaned up eventually to remove these redundant entries.

The grammar of this file is pretty simple. There are two whitespace-separated columns. The first is the service name or abbreviation, as seen in the SERVICE column of Nmap output. The second column gives the port number and protocol, separated by a slash. That syntax is seen in the PORT column of Nmap output. Nmap disregards anything beyond the second column, but most lines continue with whitespace and then a pound (‘#’) character, followed by a comment. Lines may be blank or contain just a pound character followed by comments.

Astute readers notice the similarity in structure between nmap-services and /etc/services (usually found at c:\winnt\system\drivers\etc\services on Windows). This is no coincidence. The format was kept to allow systems administrators to copy in any custom entries from their own /etc/services, or even to substitute their own version of that file entirely. The /etc/services format allows a third column providing alias names for a service. Nmap allows (but ignores) these in nmap-services.

Administrators sometimes change this file to reflect custom services running on their network. For example, an online services company I once consulted for had dozens of different custom daemons running on high-numbered ports. Adding these port numbers to nmap-services ensures that they are scanned by default. If -p1-65535 is used to scan all ports, the open ports will show up anyway. Adding them to the file is still helpful because Nmap will then print the proper names rather than unknown. Services specific to a single organization should generally stay in their own nmap-services, but other port registrations can benefit everyone. If you find that the default port for a major worm, trojan, file sharing application, or other service is missing from the latest nmap-services, please send it to me (<fyodor@insecure.org>) for inclusion in the next release. This helps all users while preventing you from having to maintain and update your own custom version of nmap-services.

Similarly, a certain registered port may be frequently wrong for a certain organization. nmap-services can only handle one service name per port number and protocol combination, yet sometimes several different types of applications end up using the same default port number. In that case, I try to choose the most popular one for nmap-services. Organizations which commonly use another service on such a port number may change the file accordingly.

Another common customization is to strip nmap-services down to only the most common, essential services for an organization. Then the Nmap -F option will scan only those ports and be much faster than with the original file. The file should normally be placed in a custom location accessible with the --datadir option rather than where Nmap will use it by default. The section called “Using Customized Data Files” provides advice for customizing these files, including ways to prevent Nmap upgrades from wiping out your modified versions.
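The grammar and the customizations described above can be checked before a modified file is handed to Nmap. The following is an added example, not code from Nmap or from the original page: it parses the two-column format, overlays an organization's custom entries, and reports which stock names were replaced. The function names, the acme-* service names and the restriction to tcp and udp are assumptions made for the illustration.

```python
import re

# Constructed sample inputs (not from any real network or the shipped file).
STOCK = """\
# constructed excerpt in the format of Example 14.1
ssh               22/tcp     # Secure Shell Login
telnet            23/tcp     #
smtp              25/tcp  mail   # alias column: allowed but ignored

this line is malformed
"""
CUSTOM = """\
acme-queue        40001/tcp  # hypothetical in-house daemon
acme-mail         25/tcp     # hypothetical service replacing smtp locally
"""

# Assumption: only the two protocols shown in the excerpt are accepted.
ENTRY = re.compile(r"^(\S+)\s+(\d+)/(tcp|udp)(?:\s|$)", re.IGNORECASE)

def parse_services(text):
    """Return ({(port, proto): name}, [(lineno, rejected line)]).
    In this sketch a later duplicate of a port/protocol pair overwrites."""
    table, rejected = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop the comment
        if not line:                          # blank or comment-only
            continue
        m = ENTRY.match(line)
        if not m or int(m.group(2)) > 65535:
            rejected.append((lineno, raw))
            continue
        table[(int(m.group(2)), m.group(3).lower())] = m.group(1)
    return table, rejected

def merge(stock, custom):
    """Overlay custom entries on stock ones; report names that were replaced."""
    merged, replaced = dict(stock), []
    for key, name in custom.items():
        if merged.get(key, name) != name:
            replaced.append((key, merged[key], name))
        merged[key] = name
    return merged, replaced

def render(table):
    """Serialize back to the two-column form, sorted by port and protocol."""
    return "".join(f"{name:<17} {port}/{proto}\n"
                   for (port, proto), name in sorted(table.items()))

if __name__ == "__main__":
    print(render(merge(parse_services(STOCK)[0], parse_services(CUSTOM)[0])[0]), end="")
```

Saving the rendered text as nmap-services in a separate directory and passing that directory with --datadir keeps the stock file untouched.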

