Service version detection is one of the most powerful features of Nmap, allowing you to identify the versions of services running on open ports. By knowing the version of the service, you can assess vulnerabilities, outdated software, or misconfigurations that could pose a security risk. When a service is running on a port (like HTTP on port 80, FTP on port 21, or SSH on port 22), Nmap can send specific probes to determine the exact version of the service. This is especially helpful for penetration testing, as certain versions of software may have known vulnerabilities that can be exploited.
To perform service version detection with Nmap, use the -sV option. Here's the syntax: nmap -sV [target]
Example: Scan a single host for open ports and service versions: nmap -sV 192.168.1.5
This will show the services running on the target system and the versions of those services.
Try scanning scanme.nmap.org. This site has given permission to scan itself so you can test your prowess. Take care not to scan it too much, though, as it is a public server.
$ nmap -sV scanme.nmap.org
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-15 16:21 IST
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.27s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 993 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
1434/tcp filtered ms-sql-m
9929/tcp open nping-echo Nping echo
31337/tcp open tcpwrapped
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.28 seconds
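In this example, Nmap found several services on the target host and detected versions for the ones that answered its probes: SSH (OpenSSH 6.6.1p1) on port 22, HTTP (Apache httpd 2.4.7) on port 80, and Nping echo on port 9929. Ports 139, 445, and 1434 (ms-sql-m) are reported as filtered, so no version could be determined for them. Port 31337 is open but shown as tcpwrapped, which means the TCP handshake completed but the remote host closed the connection without sending any data, so there is no version string for it either.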
You can limit the service version detection to specific ports if you know the target’s service configuration. Use the -p option to specify which ports to scan for version detection.
Example: Scan only HTTP (port 80) and MySQL (port 3306) on a target: nmap -sV -p 80,3306 192.168.1.5
This will check the version of the HTTP and MySQL services on the specified ports.