I use port scanning across my internal workstations to identify unknown services or machines that match a specific profile, such as those that run IIS. You’ll find the scanner output cryptic at times. A recently deployed application might use a port that you haven’t seen before. However, you can likely find references on the Internet that list which application or service corresponds to that particular port. The basic sample that Figure A shows indicates one way to correlate Nmap output to a specific service. First, the output shows a scan of a server named Sunriver running a new installation of XP, with Nmap configured for a TCP SYN scan.
In this output, you might not recognize TCP port 5000 or the name fics. Nmap uses the nmap-services file to match port numbers to names. For some ports, the file includes a short description of the port. In this case, fics is an acronym that stands for "Free Internet Chess Server," as Figure B shows.
Because I hadn’t seen a chess server on any previous Win2K Professional installs and was fairly certain that Microsoft wasn’t including a chess server in its default build of XP, I looked further. I entered TCP port 5000 well known ports in an Internet search engine and found a security page that described this port as one that a French Trojan horse program (i.e., Socket de Troie) uses.
Still unsatisfied, I then searched the Usenet for TCP port 5000 service and discovered that XP and Windows Me use the port 5000 service for Universal Plug and Play (UPnP) features. A linked Microsoft technical support article associated these UPnP features with the Simple Service Discovery Protocol (SSDP) Service. On this server, I stopped the SSDP Service, then rescanned to confirm that the port was now closed, as Figure C shows.
I also updated the nmap-services file so that future scans would reflect this service. Specifically, I associated TCP port 5000 with the Microsoft SSDP Service by adding the line
ssdp-msft 5000/tcp # Microsoft SSDP Discovery Service
in the nnmap-services file. The change took place immediately, and other machines with TCP port 5000 open now reflect the updated name.