Hello, I'm Didier Stevens. In this video, I'm going to show you Nmap service detection, and if you have unknown services, how you can interpret the fingerprint that you get, and eventually use that fingerprint to create your own detection by updating the Nmap service probe file.

So here we are going to scan a malicious Cobalt Strike server with Nmap. I'm not going to do any host discovery or name lookup here. I'm just going to scan port 12890 on the malicious Cobalt Strike server. And here we see that port 12890 is open, but that it is unknown: we don't know what service is behind this. We can use service detection to try to determine what is behind that port, so option -sV for service detection. This is going to take some time, and I'm going to fast-forward here in the video.

Okay, so again here the service is still unknown, so the service detection functionality was not able to determine which service is listening here. And then we get this fingerprint, SF, service fingerprint. Now I'm going to show you how you can analyze this and interpret the data. Let me copy this, and I'm going to copy this over into my editor. Now this here, "SF:" (service fingerprint, colon) together with the newline here: that is actually the character, well, a set of characters that is used to do line wrapping. And I'm just going to remove this. So I'm going to do a search and replace for this and replace it with nothing, like this. Okay, and then I have a single line here. The colon is the start of the entry for the fingerprint. So here you can see the port, the port that it was, TCP. The percent here, that's a separator. So I'm going to replace the percent with a newline so that we have the different entries on different lines, like this. And then you have different information, like here the version of Nmap. And here you have the different requests that were sent to the port together with the reply. So the first line here is a GET request that was sent.
The reply from the service on the port was 6D hexadecimal bytes long, and here you have a representation of that reply. It's truncated. Well, not actually in this case, because 6D is long enough, but in most cases it is truncated. And so you have here one for the OPTIONS request. And we are going to take a closer look here at this one, the 404 request. The 404 request is a request that is sent by Nmap to trigger a 404 reply from an HTTP server, and that's what we get here. You can see in the reply HTTP/1.1 404 Not Found, carriage return, newline. But what's special here is that after the Not Found, so after the status, you have a space character and then a carriage return, newline. And Fox-IT published an article at the beginning of the year to tell us that the presence of a space character after the HTTP status message and before the carriage return, newline is an indication of NanoHTTPD, an open source HTTP server written in Java, and that is used by the Cobalt Strike pentesting framework. So this is a strong indication that we are dealing with a Cobalt Strike server here. And I'm going to use this to add a detection for that.

So what I'm going to do is copy this, and I'm going to add this to the Nmap service probes file, like this. So I can do a grep for 404 in the file /usr/local/share/nmap/nmap-service-probes. And here you can see the TCP probe FourOhFourRequest, the query to be done, and here you can see the GET statement. And the GET statement searches for a file that will not be found on servers: /nice ports,/Trinity.txt.bak. So I'm going to copy this file before I modify it. I'm going to make a backup of that file; this way I can keep the original file while modifying a copy of it. Okay, I'm going to search for "Probe TCP Four", like this. Okay. So here you have the probe definition, some other parameters like the rarity, the ports and sslports where to look on. And then after that, you have different match lines. These will try to match the reply for this request.
And if there is a match, then a service is identified. So I'm going to add my own match for that special reply with an extraneous space character, and I'm going to add this at the end of the matches for the 404 request. Okay, so that's here. So a match for the NanoHTTPD server. And I'm going to give the regular expression for the match: m, pipe character, start of the regular expression, and then here I paste the data that I got from the fingerprint, and I close off with the pipe character. So which product is this? This is the NanoHTTPD server. And I can also provide some extra information with i/: so this is a potential Cobalt Strike server with a version lower than 3.13, because this extraneous space character was fixed with the release of version 3.13, and that is why Fox-IT published that article. So that is my update of the service probe file with my own definition based on the fingerprint. You will see that the fingerprint is already escaped for regular expressions. The dot in a regular expression will match any character, but here we actually want to match a dot, so you see that it already says backslash dot to escape the special character dot. So let me save this. And now I can perform my scan again. This too will take some time, but it will be shorter because there will be a hit for one of the requests, namely the 404 request. Okay. And as you can see, this time we have no fingerprint, and we have no unknown service: it was identified as the nanohttpd service, and the version NanoHTTPD, and then the information that this might be a Cobalt Strike server prior to version 3.13. So that is how you can analyze fingerprints. And if you have a bit of knowledge about the server you are scanning, you can use that to roll your own fingerprints.

Now, as a bonus here, I'm going to show you an extra method to identify that this is indeed a Cobalt Strike server. So Cobalt Strike servers by default have their management service listening on port 50050.
So let's see if this port is open, 50050, on that server. And indeed that port is also open, unknown service. So this is indeed the next indication that we are dealing with a Cobalt Strike server. And port 50050 uses TLS. So I'm going to run the script to retrieve the SSL certificate, because that's also a good indication. Okay. Now we get no SSL certificate, and that is because Nmap was not able to determine that the service listening is actually an SSL service. So we have to do service detection together with the script to actually get the script to run properly and retrieve the certificate with the information that we want to see. So I'm going to do service detection, which also will take some time. Okay. And here you can see in the subject and issuer data that we are indeed dealing with a Cobalt Strike server. It's in the certificate. And then if you look at the timestamps, "not valid before" will tell you when this actual server was installed.
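The fingerprint analysis and match-line construction walked through in the video, as an added worked example that is not part of the video and not Nmap's own code. It works on a constructed fingerprint (not captured from a real host: port 12890 is taken from the video, the 0x48-byte replies and the Nmap version string are assumed sample values) and implements in Python the steps done by hand above: strip the "SF:" line wrapping, split the %-separated fields, decode Nmap's escaping back to the bytes the service sent, check the HTTP status line for the trailing space that Fox-IT attributed to NanoHTTPD, and emit a match line for nmap-service-probes. The function and variable names are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample of an Nmap -sV service fingerprint (not captured from a
# real host), in the wrapped "SF:"-prefixed form Nmap prints for unknown services.
SAMPLE_FINGERPRINT = r"""
SF-Port12890-TCP:V=7.70%I=7%D=9/15%Time=5D7E1234%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,48,"HTTP/1\.1\x20404\x20Not\x20Found\x20\r\nContent-Type:\x20tex
SF:t/plain\r\nContent-Length:\x200\r\n\r\n")%r(FourOhFourRequest,48,"HTTP/1\.
SF:1\x20404\x20Not\x20Found\x20\r\nContent-Type:\x20text/plain\r\nContent-Len
SF:gth:\x200\r\n\r\n");
"""

FIELD_RE = re.compile(r"(\w+)=([^%]*)")                       # V=7.70, P=..., ...
PROBE_RE = re.compile(r'r\((\w+),([0-9A-Fa-f]+),"((?:[^"\\]|\\.)*)"\)')  # r(Name,LEN,"...")
ESCAPE_RE = re.compile(r"\\(x[0-9A-Fa-f]{2}|.)", re.DOTALL)
CONTROL_ESCAPES = {"r": b"\r", "n": b"\n", "t": b"\t", "0": b"\x00"}
# Status line whose reason phrase is followed by a space before CRLF: the
# NanoHTTPD quirk Fox-IT described for Cobalt Strike team servers before 3.13.
TRAILING_SPACE_STATUS_RE = re.compile(rb"^HTTP/1\.[01] \d{3} [^\r\n]*? \r\n")


@dataclass
class ProbeResponse:
    probe: str          # Nmap probe name, e.g. FourOhFourRequest
    declared_len: int   # reply length Nmap reports (hex in the fingerprint)
    raw: str            # reply as Nmap printed it: regex-escaped, \xHH for bytes
    data: bytes         # decoded reply bytes (may be shorter: Nmap truncates)

    @property
    def truncated(self):
        return len(self.data) < self.declared_len


def unwrap_fingerprint(text):
    """Join the wrapped fingerprint lines: drop the "SF:" continuation prefixes."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    return lines[0] + "".join(ln[3:] for ln in lines[1:] if ln.startswith("SF:"))


def decode_nmap_escapes(escaped):
    r"""\xHH is a byte, \r \n \t \0 are controls, any other backslashed
    character (\. \" \\ ...) is a regex-escaped literal."""
    out, pos = bytearray(), 0
    for m in ESCAPE_RE.finditer(escaped):
        out += escaped[pos:m.start()].encode("latin-1")
        esc = m.group(1)
        if len(esc) == 3 and esc[0] == "x":
            out.append(int(esc[1:], 16))
        else:
            out += CONTROL_ESCAPES.get(esc, esc.encode("latin-1"))
        pos = m.end()
    out += escaped[pos:].encode("latin-1")
    return bytes(out)


def parse_fingerprint(text):
    """Return (port, proto, scalar fields, probe responses) of an SF fingerprint."""
    header, _, body = unwrap_fingerprint(text).partition(":")
    m = re.fullmatch(r"SF-Port(\d+)-(TCP|UDP)", header)
    if not m:
        raise ValueError(f"not a service fingerprint header: {header!r}")
    fields, probes, pos = {}, [], 0
    body = body.rstrip(";")
    while pos < len(body):
        if body[pos] == "%":                 # field separator
            pos += 1
        elif pm := PROBE_RE.match(body, pos):
            name, length, raw = pm.groups()
            probes.append(ProbeResponse(name, int(length, 16), raw, decode_nmap_escapes(raw)))
            pos = pm.end()
        elif fm := FIELD_RE.match(body, pos):
            fields[fm.group(1)] = fm.group(2)
            pos = fm.end()
        else:
            raise ValueError(f"unparseable fingerprint data at offset {pos}")
    return int(m.group(1)), m.group(2), fields, probes


def has_trailing_space_status(data):
    """True when the status line ends 'reason SP CRLF' (NanoHTTPD behaviour)."""
    return TRAILING_SPACE_STATUS_RE.match(data) is not None


def make_match_line(resp, service="nanohttpd", product="NanoHTTPD", info=""):
    """Build an nmap-service-probes match line from the already-escaped reply.
    Only the status line (through its first CRLF) is kept and anchored, so
    volatile headers such as Date: do not defeat the match."""
    status, crlf, _ = resp.raw.partition(r"\r\n")
    line = f"match {service} m|^{status}{crlf}| p/{product}/"
    return line + (f" i/{info}/" if info else "")


def analyze(text):
    """Names of the probes whose reply shows the trailing-space status line."""
    return [p.probe for p in parse_fingerprint(text)[3] if has_trailing_space_status(p.data)]


if __name__ == "__main__":
    port, proto, fields, probes = parse_fingerprint(SAMPLE_FINGERPRINT)
    print(f"port {port}/{proto}, Nmap {fields.get('V')}")
    for p in probes:
        flag = "trailing-space status line" if has_trailing_space_status(p.data) else "-"
        print(f"{p.probe:20} {p.declared_len:4d} bytes{' (truncated)' if p.truncated else ''}  {flag}")
    four = next(p for p in probes if p.probe == "FourOhFourRequest")
    print(make_match_line(four, info="potential Cobalt Strike server prior to 3.13"))
```

The generated match line goes under the `Probe TCP FourOhFourRequest` section of nmap-service-probes, after its existing match lines, as in the video. Two details worth keeping in mind when you roll your own fingerprints: the hex length in each `r(...)` entry is the size of the reply Nmap saw, so comparing it with the decoded bytes tells you whether the printed data was truncated, and matching only the anchored status line rather than the whole pasted reply keeps the detection from breaking on headers that change per response.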