Welcome to the fifth episode of our comprehensive Nmap course! In this module, we'll focus on service and version detection - the critical skill that transforms basic port scanning into actionable security intelligence. You'll learn how to identify exactly what services are running on open ports and determine their specific versions.
Knowing a port is open isn't enough—you need to know what's running on it. In network security, identifying exactly what service and version is running on an open port is like checking the ID of everyone entering your building.
This information is vital for security assessments, vulnerability management, and network documentation.
By the end of this module, you'll be able to accurately fingerprint services across your network—even those running on non-standard ports or attempting to hide their identity.
Service Enumeration Fundamentals
What is Service Enumeration?
Service enumeration is the process of identifying and gathering information about services running on a network. While port scanning tells us which ports are open, service enumeration tells us what's actually running on those ports.
This distinction is crucial because:
Port numbers are merely conventions, not guarantees
Services can run on non-standard ports
Malicious services might masquerade as legitimate ones
The same port might host different services on different systems
Effective service enumeration provides the foundation for vulnerability assessment, penetration testing, and network security management.
The Importance of Version Detection
Version detection is critical because vulnerabilities are version-specific. Knowing that a web server is running Apache isn't enough—you need to know if it's Apache 2.4.49 with a critical path traversal vulnerability or a patched version.
Version information enables:
Precise vulnerability mapping: Match services to known vulnerabilities
Accurate security assessments: Evaluate risk based on actual versions
Effective patch management: Identify systems needing updates
Compliance verification: Ensure systems meet security requirements
Unauthorized service detection: Identify rogue or unexpected services
For attackers, version information reveals potential exploit paths. For defenders, it highlights security gaps that need to be addressed. This is why version detection is a cornerstone of both offensive and defensive security operations.
How Nmap Identifies Services
Nmap's service detection is sophisticated and multi-layered:
The Service Detection Process
Port Scanning: First, Nmap identifies open ports
Initial Probes: Nmap sends general probes to elicit responses
Response Analysis: Responses are compared against signature database
Follow-up Probes: Based on initial responses, more specific probes are sent
Banner Grabbing: Nmap captures and analyzes service banners
Protocol Behavior Testing: Nmap tests how services respond to protocol-specific requests
Confidence Scoring: Each match is assigned a confidence level
This process is governed by the nmap-service-probes database, which contains thousands of fingerprints for different services and versions.
Service Probe Database
The nmap-service-probes file contains patterns that match service responses:
# Example from nmap-service-probes
Probe TCP GetRequest q|GET / HTTP/1.0
|
rarity 1
ports 80,81,631,1080,3128,8000,8080,8081
sslports 443,8443
Each probe specifies:
The protocol (TCP/UDP)
The probe name
The actual data sent
Rarity (how common the service is)
Ports where this service is typically found
Nmap uses these probes strategically, starting with the most common ones and proceeding to rarer probes only when necessary.
Basic Version Detection
Let's start with basic version detection commands:
Standard Version Scan
nmap -sV 192.168.1.1
This enables version detection with default settings. The -sV option tells Nmap to attempt to determine the service version on all open ports.
Show Example Output
Starting Nmap 7.94 ( https://nmap.org ) at 2025-04-14 18:00 EDT
Nmap scan report for 192.168.1.1
Host is up (0.0023s latency).
Not shown: 995 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
53/tcp open domain ISC BIND 9.16.1 (Ubuntu Linux)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
443/tcp open ssl/http nginx 1.18.0 (Ubuntu)
8443/tcp open ssl/http Apache Tomcat 9.0.60
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.52 seconds
Notice how Nmap identifies not just the service type, but specific versions and even distribution information. This level of detail is crucial for security assessment.
Version Scan with Specific Ports
nmap -sV -p 22,80,443 192.168.1.1
This focuses version detection on specific ports, which is useful when you're only interested in certain services or want to speed up the scan.
Show Example Output
Starting Nmap 7.94 ( https://nmap.org ) at 2025-04-14 18:05 EDT
Nmap scan report for 192.168.1.1
Host is up (0.0023s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
443/tcp open ssl/http nginx 1.18.0 (Ubuntu)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3.21 seconds
Combining Version Detection with Other Scan Types
Version detection can be combined with different scan types:
# SYN scan with version detection
sudo nmap -sS -sV 192.168.1.1
# UDP scan with version detection
sudo nmap -sU -sV -p 53,123,161 192.168.1.1
# Comprehensive scan with version detection
sudo nmap -sS -sU -sV -p T:1-1000,U:53,123,161 192.168.1.1
Controlling Version Detection Intensity
Nmap offers different intensity levels for version detection, balancing thoroughness with speed and intrusiveness:
Light Version Detection
nmap -sV --version-intensity 0 192.168.1.1
This uses minimal probes, focusing on speed and stealth. Useful for:
Quick initial assessments
Scanning sensitive systems
Situations where minimal network traffic is desired
Regular monitoring where full details aren't always needed
Standard Version Detection
nmap -sV 192.168.1.1
This uses default intensity (7), balancing thoroughness and efficiency. Suitable for:
Routine security assessments
General network documentation
Most security testing scenarios
Aggressive Version Detection
nmap -sV --version-intensity 9 192.168.1.1
This uses all available probes for maximum accuracy. Appropriate for:
Critical security assessments
Penetration testing
Detailed network documentation
Investigating suspicious services
Version All
nmap -sV --version-all 192.168.1.1
This tries every single probe regardless of port state. Thorough but potentially disruptive. Used for:
Comprehensive security audits
Forensic investigations
Research purposes
Comparison of Intensity Levels
Intensity
Speed
Accuracy
Intrusiveness
Use Case
0 (Light)
Fast
Basic
Low
Quick scans, sensitive systems
1-3
Faster
Limited
Lower
Regular monitoring
4-6
Moderate
Good
Moderate
General assessments
7 (Default)
Slower
Very Good
Moderate
Security assessments
8-9
Slow
Excellent
Higher
Critical security testing
--version-all
Very Slow
Maximum
Highest
Comprehensive audits
Examining Version Detection in Action
Let's look at how version detection works in practice by examining the packets and responses:
Tracing Version Detection
To see the exact probes Nmap sends during version detection, use the --version-trace option:
nmap -sV --version-trace 192.168.1.1 -p 80
Show Example Output
Starting Nmap 7.94 ( https://nmap.org ) at 2025-04-14 18:15 EDT
Service scan sending probe GetRequest to 192.168.1.1:80
Service scan sending probe HTTPOptions to 192.168.1.1:80
Service scan sending probe RTSPRequest to 192.168.1.1:80
Service scan sending probe Help to 192.168.1.1:80
Service scan sending probe SSLSessionReq to 192.168.1.1:80
Service scan match (GetRequest): 192.168.1.1:80 is http. Version: Apache httpd 2.4.41
Nmap scan report for 192.168.1.1
Host is up (0.0023s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.41
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.82 seconds
This output shows:
Nmap sends a series of probes (GetRequest, HTTPOptions, etc.)
The GetRequest probe successfully identifies the service
Nmap stops sending probes once it has a high-confidence match
Packet Analysis
Let's examine the actual packets with --packet-trace:
sudo nmap -sV -p 80 --packet-trace 192.168.1.1
Show Example Output
SENT (0.0429s) TCP 10.10.14.2:63090 > 192.168.1.1:80 S ttl=56 id=57322 iplen=44 seq=1699105818 win=1024 <mss 1460>
RCVD (0.0573s) TCP 192.168.1.1:80 > 10.10.14.2:63090 SA ttl=64 id=0 iplen=44 seq=3349149304 win=64240 <mss 1460>
Service scan sending probe GetRequest to 192.168.1.1:80
SENT (0.0574s) TCP 10.10.14.2:63090 > 192.168.1.1:80 A ttl=56 id=57323 iplen=40 seq=1699105819 win=1024
SENT (0.0574s) TCP 10.10.14.2:63090 > 192.168.1.1:80 PA ttl=56 id=57324 iplen=56 seq=1699105819:1699105835 win=1024
RCVD (0.0718s) TCP 192.168.1.1:80 > 10.10.14.2:63090 A ttl=64 id=1 iplen=40 seq=3349149305 win=64240
RCVD (0.0719s) TCP 192.168.1.1:80 > 10.10.14.2:63090 PA ttl=64 id=2 iplen=479 seq=3349149305:3349149744 win=64240
Service scan match (GetRequest): 192.168.1.1:80 is http. Version: Apache httpd 2.4.41
This detailed trace shows:
The initial TCP handshake
Nmap sending the GetRequest probe
The server's response
Nmap matching the response to Apache httpd 2.4.41
Detecting Services on Non-Standard Ports
Services don't always run on their standard ports. Let's explore how Nmap handles this challenge:
Scanning All Ports with Version Detection
nmap -sV -p- 192.168.1.1
This scans all 65,535 ports and attempts version detection on any that are open. It's thorough but time-consuming.
Targeted Non-Standard Port Scanning
nmap -sV -p 8080,8443,10000 192.168.1.1
This checks specific non-standard ports that commonly host web services or admin interfaces.
Example: Web Server on Non-Standard Port
PORT STATE SERVICE VERSION 8080/tcp open http Apache httpd 2.4.41
Nmap correctly identifies the HTTP service despite it running on port 8080 instead of the standard port 80.
Example: SSH on Non-Standard Port
PORT STATE SERVICE VERSION 2222/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5
Nmap correctly identifies SSH running on port 2222 instead of the standard port 22.
Advanced Service Enumeration Techniques
Banner Grabbing
Banner grabbing is a technique to extract information from service banners. Nmap does this automatically during version detection, but you can also do it manually:
# For HTTP
nc -v 192.168.1.1 80
GET / HTTP/1.0
# For SMTP
nc -v 192.168.1.1 25
# For FTP
nc -v 192.168.1.1 21
# For SSH
nc -v 192.168.1.1 22
The "Server" header reveals the web server version.
Service Fingerprinting with NSE Scripts
Nmap Scripting Engine (NSE) provides additional service fingerprinting capabilities:
# Basic service information
nmap --script=banner 192.168.1.1
# HTTP server information
nmap --script=http-server-header 192.168.1.1
# SSL/TLS certificate information
nmap --script=ssl-cert 192.168.1.1
# SSH server information
nmap --script=ssh2-enum-algos 192.168.1.1
These scripts extract more detailed information than standard version detection.
Comprehensive Service Enumeration
For a complete service assessment, combine version detection with relevant NSE scripts:
nmap -sV --script=banner,version 192.168.1.1
This provides both version detection and additional service information.
Service-Specific Enumeration Techniques
Different services require different enumeration approaches. Let's explore techniques for common services:
Web Server Enumeration
# Basic web server information
nmap -sV -p 80,443,8080,8443 --script=http-server-header 192.168.1.1
# Detect web applications
nmap -p 80,443 --script=http-enum 192.168.1.1
# Check for common vulnerabilities
nmap -p 80,443 --script=http-vuln* 192.168.1.1
Show Example Output
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-enum:
| /admin/: Admin login page
| /wp-login.php: WordPress login page
|_ /phpmyadmin/: phpMyAdmin
PORT STATE SERVICE VERSION
25/tcp open smtp Postfix smtpd
|_smtp-commands: inlane.philocyber.com, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8
PORT STATE SERVICE VERSION
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds
| smb-os-discovery:
| OS: Windows 10 Pro 21H2 (Windows 10 Pro 6.3)
| OS CPE: cpe:/o:microsoft:windows_10::-
| Computer name: WORKSTATION01
| NetBIOS computer name: WORKSTATION01�
| Domain name: example.local
| Forest name: example.local
| FQDN: WORKSTATION01.example.local
|_ System time: 2025-04-14T14:25:00-04:00
Dealing with Challenging Services
Some services are designed to be difficult to fingerprint or may behave in ways that confuse standard detection methods.
Dealing with Filtered Ports
When ports are filtered by firewalls, version detection may fail:
# Skip host discovery and use increased timeouts
nmap -Pn -sV --max-retries 2 --min-rate 100 192.168.1.1
# Use TCP connect scan instead of SYN scan
nmap -sT -sV 192.168.1.1
Handling Unusual or Custom Services
For unusual or custom services:
# Use aggressive version detection
nmap -sV --version-intensity 9 --version-all 192.168.1.1
# Try all NSE version scripts
nmap -sV --script=version 192.168.1.1
Perform basic version detection on your target network:
# Scan your default gateway (replace with actual IP)
nmap -sV 192.168.1.1
# Scan a web server (replace with actual domain/IP)
nmap -sV -p 80,443 philocyber.com
Create a table with:
IP address/hostname
Open ports
Service name
Version information
Additional details (OS, product, etc.)
Exercise 2: Comparing Intensity Levels
Compare different version detection intensity levels:
# Light detection (replace with actual IP)
time nmap -sV --version-intensity 0 192.168.1.1 -oN light_scan.txt
# Standard detection
time nmap -sV 192.168.1.1 -oN standard_scan.txt
# Aggressive detection
time nmap -sV --version-intensity 9 192.168.1.1 -oN aggressive_scan.txt
Compare the results:
How much time did each scan take?
What additional information did higher intensity scans provide?
Were there any services that were only correctly identified at higher intensities?
Exercise 3: Non-Standard Port Detection
Test Nmap's ability to identify services on non-standard ports:
Configure a service to run on a non-standard port (e.g., SSH on port 2222).
Scan with version detection:
nmap -sV -p 2222 192.168.1.1
Try to confuse Nmap by running a different service than expected on a standard port:
# Run a web server on port 22 (example, requires setup)
# Then scan it
nmap -sV -p 22 192.168.1.1
Document how accurately Nmap identifies these services.
Exercise 4: Comprehensive Service Inventory
Create a comprehensive service inventory of your network:
# Scan all hosts with version detection (replace network range)
nmap -sV 192.168.1.0/24 -oX network_services.xml
# Convert to HTML report (requires xsltproc)
xsltproc network_services.xml -o network_services.html
Analyze the results:
What are the most common services on your network?
Are there any unexpected or potentially vulnerable service versions?
