Recently I have been writing a port scanner, and I need to verify whether some standard services are running on remote hosts as expected. The verification method is quite simple (though it took me a long time to work out): `connect()` to the port, send a short query, then analyze the message that comes back. A remote host only returns a message when the port being scanned is open; otherwise the port is tagged as unable to be connected.
- HTTP: Send the string `"GET / HTTP\r\n\r\n"` to port `80` of an IP address. The remote host will send back a message like

  ```
  HTTP/1.0 400 Bad Request
  Content-Type: text/html; charset=UTF-8
  Content-Length: 1419
  Date: Tue, 02 Dec 2014 05:56:25 GMT
  Server: GFE/2.0
  ..
  ```

  Parsing the first line, we obtain that the HTTP version running on that machine is `1.0`.
- SSH: Send an empty string to port `22` of a specific IP address (`129.79.247.86` in my case, which is a server at my school), and we get `SSH-2.0-OpenSSH_5.3`. The SSH service version is `5.3`.

- SMTP: Port `24`, `25`, or `587` is open only on a mail server's IP address. So I tested my code on `113.108.16.44` (`smtp.qq.com`) and `202.108.6.242` (`smtp.sina.com.cn`). After sending an empty string to those hosts, I received `220 smtp.qq.com Esmtp QQ Mail Server` and `220 smtp545-123.sinamail.sina.com.cn ESMTP` respectively. The SMTP versions are `Esmtp QQ Mail Server` and `ESMTP`.

- POP: I checked port `110` on the IP addresses `163.177.65.209` (`pop.qq.com`) and `123.125.50.29` (`pop3.163.idns.yeah.net`). Similarly, an empty string was sent and I received

  ```
  +OK QQMail POP3 Server v1.0 Service Ready(QQMail v2.0)
  ```

  and

  ```
  +OK Welcome to coremail Mail Pop3 Server (163coms[8db726ec93e9d4e3e9a2fd3d31b05251s])
  ```

  Both are long statements, so I just put "POP3" in my result when there is a response.
- WHOIS: It is not easy to find an IP address with port `43` open. Finally, I found one here, which is `199.7.54.74` (`whois.crsnic.net`). This time the string `"\r\n"` should be sent, and the following content will be shown on screen.

  ```
  Whois Server Version 2.0

  Domain names in the .com and .net domains can now be registered
  with many different competing registrars. Go to http://www.internic.net
  for detailed information.

  <WHOIS help>

  Select a sub-topic for help; '?' (with no RETURN) for a list of options;
  RETURN key to return to WHOIS.
  ...
  ```

  A lot of stuff, but we notice that the service version is `2.0` in the first line.
- IMAP: As before, I sent an empty string to `163.177.65.209` (`imap.qq.com`) and got

  ```
  * OK [CAPABILITY IMAP4 IMAP4rev1 IDLE XAPPLEPUSHSERVICE ID UIDPLUS AUTH=LOGIN NAMESPACE] QQMail IMAP4Server ready
  ```

  So I put "IMAP" in my result if there is a response.
This is the basic idea for verifying the services on remote hosts. If the port we want to check is open, it will respond with something once we send it an appropriate query, and the service information is then exposed by the port itself. When the port is closed or filtered, it won't respond to any request message. In that case the service should be reported as unknown instead of a hardcoded result.