Version Scanning DB: nmap-service-probes

This file contains the probes that the Nmap service/version detection system (-sV or -A options) uses during port interrogation to determine what program is listening on a port. Example 14.2 offers a typical excerpt.

Example 14.2. Excerpt from nmap-service-probes
##############################NEXT PROBE##############################
# DNS Server status request: http://www.rfc-editor.org/rfc/rfc1035.txt
Probe UDP DNSStatusRequest q|\0\0\x10\0\0\0\0\0\0\0\0\0|
ports 53,135
match domain m|^\0\0\x90\x04\0\0\0\0\0\0\0\0|
# This one below came from 2 tested Windows XP boxes
match msrpc m|^\x04\x06\0\0\x10\0\0\0\0\0\0\0|
[...]
##############################NEXT PROBE##############################
Probe UDP Help q|help\r\n\r\n|
ports 7,13,37
match chargen m|@ABCDEFGHIJKLMNOPQRSTUVWXYZ|
match echo m|^help\r\n\r\n$|
match time m|^[\xc0-\xc5]...$|

The grammar of this file is fully described in Chapter 7, Service and Application Version Detection. While nmap-service-probes is more complex than nmap-services, the benefits of improving it can also be greater. Nmap can be taught to actually recognize a company's custom services, rather than simply guess based on nmap-services port registration.
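To check how a Probe payload and its match lines behave before adding them to the file, the following added example (not part of the original text or of Nmap itself) parses the Probe, ports and match lines of Example 14.2 and applies them to response bytes. The function names are hypothetical, and Python's re module stands in for the PCRE engine Nmap uses, which is sufficient for these patterns; version-info fields after the pattern are ignored.

```python
import re

# Lines from Example 14.2 above, embedded so the block runs offline.
EXCERPT = r"""
Probe UDP DNSStatusRequest q|\0\0\x10\0\0\0\0\0\0\0\0\0|
ports 53,135
match domain m|^\0\0\x90\x04\0\0\0\0\0\0\0\0|
match msrpc m|^\x04\x06\0\0\x10\0\0\0\0\0\0\0|
Probe UDP Help q|help\r\n\r\n|
ports 7,13,37
match chargen m|@ABCDEFGHIJKLMNOPQRSTUVWXYZ|
match echo m|^help\r\n\r\n$|
match time m|^[\xc0-\xc5]...$|
"""
ESCAPES = {"0": 0, "a": 7, "b": 8, "f": 12, "n": 10, "r": 13, "t": 9, "v": 11, "\\": 92}

def decode_probe_string(body):
    """Convert the text inside q|...| into the bytes sent on the wire."""
    def repl(m):
        esc = m.group(1)
        return chr(int(esc[1:], 16)) if esc[0] == "x" else chr(ESCAPES[esc])
    return re.sub(r"\\(x[0-9A-Fa-f]{2}|.)", repl, body).encode("latin-1")

def parse_probes(text):
    """Parse Probe, ports and match lines into a list of probe dicts."""
    probes = []
    for line in map(str.strip, text.splitlines()):
        word, _, rest = line.partition(" ")
        if word == "Probe":
            proto, name, pstr = rest.split(" ", 2)
            body = pstr[2:pstr.rindex(pstr[1])]   # pstr[1] is the delimiter
            probes.append({"proto": proto, "name": name, "ports": set(),
                           "payload": decode_probe_string(body), "matches": []})
        elif word == "ports":
            for part in rest.split(","):          # single ports or lo-hi ranges
                lo, _, hi = part.partition("-")
                probes[-1]["ports"].update(range(int(lo), int(hi or lo) + 1))
        elif word == "match":
            service, pat = rest.split(" ", 1)
            end = pat.index(pat[1], 2)            # closing delimiter of m|...|
            opts = pat[end + 1:].split(" ")[0]    # optional i and s flags
            flags = (re.I if "i" in opts else 0) | (re.S if "s" in opts else 0)
            regex = re.compile(pat[2:end].encode("latin-1"), flags)
            probes[-1]["matches"].append((service, regex))
    return probes

def identify(probe, response):
    """Return the service of the first match line that hits, else None."""
    for service, regex in probe["matches"]:
        if regex.search(response):
            return service
    return None
```

Running a draft match line for a custom service through identify() with a captured response shows whether an earlier, broader pattern under the same Probe would claim the response first.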

The probes in this file are also used in UDP port scanning as protocol-specific payloads sent with some UDP probes. UDP scanning is difficult because most services don't send a reply to an empty probe, making it impossible to distinguish open and filtered ports. The probes here are designed to be safe to send and to elicit a positive response.

Additionally, some administrators have been using version detection for tasks well beyond its original intended purpose. A short probe can cause Nmap to print the title of web pages, recognize worm-infected machines, locate open proxies, and more. A practical example of this is provided in the section called “SOLUTION: Hack Version Detection to Suit Custom Needs, such as Open Proxy Detection”.