Nmap from Scratch | Part-5 | Service and OS detection

Detecting what version of what service is running on a port is very crucial, because that’s the whole point of scanning, we scan the ports then we figure out the services and their version, and finally, we check if there’s any vulnerability in the service running which can be exploited.

In this blog, we’ll cover different service and OS detection techniques to make the scan more efficient.

Service Detection


nmap -sV nmap.scanme.org


The above result shows us the version of ssh running on port 22.

[IMPORTANT]: Sometimes Nmap fails to detect services because the service fingerprint might not be present in its database, in that case, Nmap will simply show the fingerprint and if you know what service does the fingerprint belongs to, you can submit it to Nmap.

Options with service detection:

  • –allports : Don’t skip any port for version detection.


nmap -sV --allports nmap.scanme.org
  • –version-intensity : We can specify the type of probes to be sent for the service detection, the higher the number of probes better will be the service detection, the range for version intensity is between 0 to 9, the default is 7.


nmap -sV --version-intensity 8 nmap.scanme.org
  • –version-light : Light scan is an alias for –version-intensity 2 , it is faster but it’s slightly less likely to detect services.


nmap -sV --version-light nmap.scanme.org
  • –version-all : This is scan is an alias for –version-intensity 9, every single probe is sent to every single port but it takes more time to complete.


nmap -sV --version-all nmap.scanme.org

OS Detection

  • -O ( OS detection ) : This option allow us to perform OS detection scan.


nmap -O nmap.scanme.org


In the above result, we can see that instead of shown one OS, Nmap shows multiple OS with different percentages, this usually happens when Nmap is unable to detect the exact OS, so instead, it tries to compare the fingerprint and gives us the percentage match. OS detection scans can generate false negatives, so it’s better to run it more than once to be sure.

Options with OS detection:

  • –osscan-limit : Nmap uses criteria for good OS detection that is at least one TCP port should be open and one TCP port should be closed, all the hosts which don’t match this criterion are skipped.


nmap -O --osscan-limit nmap.scanme.org
  • –max-os-tries : Specify number of attempts to detect OS, by default it’s 5 .


nmap -O --max-os-tries 3                             #three attempts

This is it for this blog, in next we’ll cover the powerful NSE ( Nmap Scripting Engine ).




Infosec Enthusiast | Student

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

What you need to know about Multi-factor authentication

{UPDATE} JustClub Hack Free Resources Generator

{UPDATE} لعبة تعلم الحروف Hack Free Resources Generator

Bienvenue / Welcome Qwant

Logo de Qwant à coté du logo de Samsung Internet — friends!

$PLUT Farming Pool will Go Live on WeStarter on August 26th

Just a week ago, Rematic Tokens LLC revealed that it fell for a sophisticated scam during its…

Use WiFi Router as an Access Point

{UPDATE} Milioná? 2019 Hack Free Resources Generator

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


Infosec Enthusiast | Student

More from Medium

Understanding Memories (Binex-1)

What is Stack-based Buffer Overflow? How does it work?

The Dirty Pipe Vulnerability On Linux

Linux Dirty Pipe Vulnerability CVE-2022–0847

Exploiting Windows 2008 Server by Eternal Blue Vulnerability to perform Data breach attack using…