Nmap Service Detection

Learn how to identify services running on open ports using Nmap's version detection capabilities

Service detection is one of Nmap's most powerful features, allowing you to identify the specific applications and their versions running on open ports. This information is crucial for security assessments, as it helps identify potentially vulnerable services.

Basic Service Detection

Standard Version Detection

nmap -sV 192.168.1.1

Performs service detection on all open ports found during the scan.

Combined with SYN Scan

nmap -sS -sV 192.168.1.1

Performs a SYN scan followed by version detection on open ports.

With OS Detection

nmap -sV -O 192.168.1.1

Combines service and operating system detection.

How Service Detection Works

The Detection Process

Nmap's service detection follows a systematic approach:

  1. Port Scanning: First, Nmap identifies open ports using techniques like SYN, Connect, or UDP scanning

  2. Probe Selection: For each open port, Nmap selects appropriate probes based on the port number and previous responses

  3. Probe Sending: Nmap sends these probes to the target service and analyzes the responses

  4. Pattern Matching: Responses are compared against Nmap's database of service signatures

  5. Result Classification: Based on the match quality, Nmap assigns confidence levels to its findings

The entire process is guided by the nmap-service-probes file, which contains patterns for identifying thousands of services.
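To make steps 4 and 5 concrete, here is an added Python example (not Nmap's own code) that parses a short excerpt written in the nmap-service-probes syntax and runs some constructed responses through it. The excerpt, the parse_probes and identify helpers, and the sample banners are all assumptions built for this illustration; the real database also carries directives such as ports, rarity (the value that --version-intensity is compared against) and fallback, which this toy parser ignores.

```python
import re

# Constructed excerpt written in the nmap-service-probes syntax. It is shaped
# like the real database but is not copied from it; the real file also carries
# directives (ports, rarity, fallback, totalwaitms, cpe:/.../) that this toy
# parser ignores.
PROBES_DB = r"""
Probe TCP NULL q||
match ssh m|^SSH-([\d.]+)-OpenSSH[_-]([\w.]+)| p/OpenSSH/ v/$2/ i/protocol $1/
match ftp m|^220 \(vsFTPd ([\d.]+)\)| p/vsftpd/ v/$1/
softmatch ssh m|^SSH-[\d.]+-|
Probe TCP GetRequest q|GET / HTTP/1.0\r\n\r\n|
match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: Apache/([\d.]+)| p/Apache httpd/ v/$1/
softmatch http m|^HTTP/1\.[01] \d\d\d |
"""

# match <service> m<delim>regex<delim>[flags] <versioninfo fields>
MATCH_RE = re.compile(r'^(match|softmatch)\s+(\S+)\s+m(\S)(.*?)\3([si]*)\s*(.*)$')
# versioninfo fields: p/product/ v/version/ i/info/ h/hostname/ o/os/ d/devicetype/
FIELD_RE = re.compile(r'([pvihod])(\S)(.*?)\2')


def parse_probes(text):
    """Group each match/softmatch line under the Probe line that precedes it."""
    probes, current = {}, None
    for line in text.splitlines():
        if line.startswith('Probe '):
            current = line.split()[2]          # "Probe TCP NULL q||" -> "NULL"
            probes[current] = []
        elif line.startswith(('match ', 'softmatch ')):
            m = MATCH_RE.match(line)
            if m is None or current is None:
                raise ValueError(f'malformed match line: {line!r}')
            kind, service, _, pattern, opts, rest = m.groups()
            flags = (re.I if 'i' in opts else 0) | (re.S if 's' in opts else 0)
            fields = {k: v for k, _, v in FIELD_RE.findall(rest)}
            probes[current].append((kind, service, re.compile(pattern.encode(), flags), fields))
    return probes


def identify(probes, probe_name, response):
    """Steps 4 and 5: compare the response elicited by probe_name against that
    probe's signatures in file order. A 'match' line fills in product/version
    from its $n template; a 'softmatch' only names the service (real Nmap then
    keeps probing, restricted to that service); no hit at all is 'unknown'."""
    soft = None
    for kind, service, regex, fields in probes.get(probe_name, []):
        m = regex.search(response)
        if m is None:
            continue
        if kind == 'softmatch':
            soft = soft or service
            continue

        def expand(template):      # replace $1, $2 ... with the captured groups
            return re.sub(r'\$(\d)',
                          lambda g: m.group(int(g.group(1))).decode(errors='replace'),
                          template)
        return {'service': service, 'product': expand(fields.get('p', '')),
                'version': expand(fields.get('v', '')), 'info': expand(fields.get('i', '')),
                'confidence': 'match'}
    if soft:
        return {'service': soft, 'product': '', 'version': '', 'info': '', 'confidence': 'softmatch'}
    return {'service': 'unknown', 'product': '', 'version': '', 'info': '', 'confidence': 'none'}


# Constructed responses of the kind a target sends back to these probes.
SAMPLES = [
    ('NULL', b'SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3\r\n'),
    ('NULL', b'SSH-2.0-dropbear_2019.78\r\n'),
    ('GetRequest', b'HTTP/1.1 200 OK\r\nServer: Apache/2.4.29 (Ubuntu)\r\nContent-Length: 0\r\n\r\n'),
    ('GetRequest', b'\x15\x03\x01\x00\x02\x02\n'),   # TLS alert: plain HTTP probe hit an HTTPS port
]

if __name__ == '__main__':
    db = parse_probes(PROBES_DB)
    for probe, data in SAMPLES:
        print(probe, identify(db, probe, data))
```

Running it classifies each sample: the OpenSSH banner is a full match with product, version and protocol filled in from the template, the dropbear banner only soft-matches to ssh with no version, and the TLS alert matches nothing, which is the situation in which a real scan leaves the port with only the table name and no version.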

Version Intensity Levels

The --version-intensity option controls how aggressive Nmap is when performing service detection:

  • Level 0: Only uses the most basic probes, typically just TCP/IP handshakes
  • Level 1-2: Uses a small number of common probes
  • Level 3-4: Uses a moderate number of probes
  • Level 5: Default level, balances accuracy and speed
  • Level 6-8: Uses more probes, including some that might be intrusive
  • Level 9: Uses all available probes, maximum accuracy but slowest

Higher intensity levels increase accuracy but also:

  • Take longer to complete
  • Generate more network traffic
  • May trigger intrusion detection systems
  • Could potentially disrupt unstable services

Confidence Levels

Nmap assigns confidence levels to its service detection results:

  • Service name: how sure Nmap is of the service type (e.g., HTTP, SSH)
  • Version number: how sure Nmap is of the specific application version

In the output, you might see:

80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))

Or with less certainty:

80/tcp open  http?

The question mark indicates lower confidence in the service identification.

Advanced Service Detection Techniques

Customizing Service Detection

# Limit the number of probes sent to each port
nmap -sV --version-limit 2 192.168.1.1

# Scan all ports for services
nmap -sV -p- 192.168.1.1

# Aggressive detection with all scripts
nmap -sV -A 192.168.1.1

Service Detection Output

# Save detailed service information to XML
nmap -sV -oX services.xml 192.168.1.1

# Grep-friendly output format
nmap -sV -oG services.txt 192.168.1.1

Combining with Other Techniques

# Comprehensive scan with service and OS detection
nmap -sS -sV -O -T4 192.168.1.1

# Service detection with specific NSE scripts
nmap -sV --script=banner,version 192.168.1.1

Interpreting Service Detection Results

Service detection results typically include:

  1. Port number and protocol: e.g., 80/tcp
  2. Port state: Usually open, closed, or filtered
  3. Service name: e.g., http, ssh, ftp
  4. Application name: e.g., Apache httpd, OpenSSH, vsftpd
  5. Version number: e.g., 2.4.29, 7.6p1
  6. Additional details: Platform information, configurations, etc.

Example output:

PORT     STATE SERVICE       VERSION
22/tcp   open  ssh           OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http          Apache httpd 2.4.29 ((Ubuntu))
443/tcp  open  ssl/http      Apache httpd 2.4.29 ((Ubuntu))
3306/tcp open  mysql         MySQL 5.7.33-0ubuntu0.18.04.1

Best Practices for Service Detection

  1. Start with lower intensity: Begin with default settings and increase intensity only if needed
  2. Target specific ports: When possible, specify ports of interest to reduce scan time
  3. Consider the environment: Use lower intensity in sensitive environments
  4. Combine with scripts: Use NSE scripts to gather additional service information
  5. Save results: Always save scan results for later analysis and comparison
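As an added example that is not part of this page or of Nmap itself, the Python below reads the kind of XML that nmap -sV -oX writes, pulls out the fields listed under Interpreting Service Detection Results, flags names that came only from the port-number table rather than a matched probe, and diffs two saved scans as the last best practice suggests. Both XML documents are constructed to mirror the example output above and are assumptions, as are the function names; the element and attribute names (port, state, service, product, version, extrainfo, tunnel, method, conf) are the ones Nmap's XML output uses.

```python
import xml.etree.ElementTree as ET

# Constructed nmap -oX output modelled on the example table above; it is not a
# real capture. method="probed"/conf="10" means a signature matched, while
# method="table"/conf="3" means the name is only a port-number lookup.
SCAN_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX services.xml 192.168.1.1">
<host><address addr="192.168.1.1" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.6p1 Ubuntu 4ubuntu0.3" extrainfo="Ubuntu Linux; protocol 2.0" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.29" extrainfo="(Ubuntu)" method="probed" conf="10"/></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="http" product="Apache httpd" version="2.4.29" extrainfo="(Ubuntu)" tunnel="ssl" method="probed" conf="10"/></port>
<port protocol="tcp" portid="3306"><state state="open"/><service name="mysql" product="MySQL" version="5.7.33-0ubuntu0.18.04.1" method="probed" conf="10"/></port>
<port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy" method="table" conf="3"/></port>
</ports></host></nmaprun>"""

# A second constructed scan of the same host taken later: SSH was upgraded and
# 8080 no longer answers.
LATER_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX services2.xml 192.168.1.1">
<host><address addr="192.168.1.1" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.2p1" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.4.29" extrainfo="(Ubuntu)" method="probed" conf="10"/></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="http" product="Apache httpd" version="2.4.29" extrainfo="(Ubuntu)" tunnel="ssl" method="probed" conf="10"/></port>
<port protocol="tcp" portid="3306"><state state="open"/><service name="mysql" product="MySQL" version="5.7.33-0ubuntu0.18.04.1" method="probed" conf="10"/></port>
<port protocol="tcp" portid="8080"><state state="closed"/></port>
</ports></host></nmaprun>"""


def parse_services(xml_text):
    """One dict per open port: host, port/proto, service name (prefixed with the
    tunnel, e.g. ssl/http), product, version, extra info, and whether the name
    was confirmed by a probe match rather than looked up from the port table."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.iter('host'):
        addr = host.find('address').get('addr')
        for port in host.iter('port'):
            if port.find('state').get('state') != 'open':
                continue
            svc = port.find('service')
            attrs = svc.attrib if svc is not None else {}
            name = attrs.get('name', 'unknown')
            if attrs.get('tunnel'):
                name = f"{attrs['tunnel']}/{name}"
            results.append({
                'host': addr,
                'port': f"{port.get('portid')}/{port.get('protocol')}",
                'service': name,
                'product': attrs.get('product', ''),
                'version': attrs.get('version', ''),
                'extrainfo': attrs.get('extrainfo', ''),
                'confirmed': attrs.get('method') == 'probed' and int(attrs.get('conf', '0')) >= 10,
            })
    return results


def unverified(results):
    """Open ports whose service name is only a port-number table guess."""
    return [r for r in results if not r['confirmed']]


def diff_scans(old, new):
    """Compare two parsed scans: ('new'|'closed'|'changed', port, before, after)."""
    key = lambda r: (r['host'], r['port'])
    a = {key(r): r for r in old}
    b = {key(r): r for r in new}
    label = lambda r: f"{r['product']} {r['version']}".strip()
    changes = []
    for k in sorted(set(a) | set(b), key=lambda k: (k[0], int(k[1].split('/')[0]))):
        if k not in a:
            changes.append(('new', k[1], '', label(b[k])))
        elif k not in b:
            changes.append(('closed', k[1], label(a[k]), ''))
        elif label(a[k]) != label(b[k]):
            changes.append(('changed', k[1], label(a[k]), label(b[k])))
    return changes


if __name__ == '__main__':
    first = parse_services(SCAN_XML)
    for r in first:
        print(f"{r['port']:<9} {r['service']:<10} {r['product']} {r['version']} {r['extrainfo']}".rstrip())
    print('unverified:', [r['port'] for r in unverified(first)])
    print('changes:', diff_scans(first, parse_services(LATER_XML)))
```

The unverified list is the one to re-scan with a higher intensity or targeted NSE scripts, since a table-only name says nothing about what actually answers on the port; the diff is the payoff of saving every scan, as it turns a second run into a short list of new, closed and changed services instead of a full table to eyeball.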

Practical Examples

Basic Web Server Scan

nmap -sV -p 80,443,8080,8443 192.168.1.0/24

Detailed Web Server Analysis

nmap -sV --script=http-enum,http-headers,http-title -p 80,443 192.168.1.1

Web Server Version with Banner Grabbing

nmap -sV --script=banner -p 80,443 192.168.1.1

Next Steps

Now that you understand how to perform service detection with Nmap, you can explore: