Nmap from Scratch | Part-5 | Service and OS detection

Detecting which service, and which version of it, is running on a port is crucial, because that is the whole point of scanning: we scan the ports, figure out the services and their versions, and finally check whether the running service has any vulnerability that can be exploited.

In this blog, we’ll cover different service and OS detection techniques to make the scan more efficient.

Service Detection


nmap -sV scanme.nmap.org


The above result shows us the version of ssh running on port 22.

[IMPORTANT]: Sometimes Nmap fails to detect a service because the service fingerprint is not present in its database. In that case, Nmap simply shows the fingerprint, and if you know which service the fingerprint belongs to, you can submit it to Nmap.

Options with service detection:

  • --allports : Don’t skip any port for version detection.

nmap -sV --allports scanme.nmap.org

  • --version-intensity : Sets which probes are sent for service detection. The more probes that are sent, the better the service detection. The range for version intensity is 0 to 9, and the default is 7.

nmap -sV --version-intensity 8 scanme.nmap.org

  • --version-light : An alias for --version-intensity 2. It is faster, but slightly less likely to detect services.

nmap -sV --version-light scanme.nmap.org

  • --version-all : An alias for --version-intensity 9. Every single probe is sent to every single port, but the scan takes more time to complete.

nmap -sV --version-all scanme.nmap.org

OS Detection

  • -O ( OS detection ) : This option allows us to perform an OS detection scan.


nmap -O scanme.nmap.org


In the above result, we can see that instead of showing one OS, Nmap shows multiple OSes with different percentages. This usually happens when Nmap is unable to detect the exact OS, so instead it compares the fingerprint against its database and gives us the percentage match. OS detection scans can generate false negatives, so it’s better to run them more than once to be sure.

Options with OS detection:

  • --osscan-limit : Nmap’s criterion for good OS detection is that at least one TCP port should be open and one TCP port should be closed. With this option, all hosts that don’t match this criterion are skipped.

nmap -O --osscan-limit scanme.nmap.org

  • --max-os-tries : Specifies the number of attempts to detect the OS. By default it’s 5.

nmap -O --max-os-tries 3 scanme.nmap.org             # three attempts
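
Added example (not part of the original post): when a -sV -O scan is saved with -oX, the XML records whether each service name came from a version probe (method="probed") or only from the port-number table (method="table"), and each OS guess carries the accuracy percentage discussed above. The sample XML is constructed and the function name summarize is hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of `nmap -sV -O -oX` output (not a real scan).
SAMPLE_XML = """<nmaprun><host>
  <address addr="192.0.2.10" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="22"><state state="open"/>
    <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/></port>
   <port protocol="tcp" portid="8443"><state state="open"/>
    <service name="https-alt" method="table" conf="3"/></port>
   <port protocol="tcp" portid="25"><state state="closed"/>
    <service name="smtp" method="table" conf="3"/></port>
  </ports>
  <os><osmatch name="Linux 5.0 - 5.4" accuracy="95"/>
      <osmatch name="Linux 4.15 - 5.8" accuracy="93"/></os>
</host></nmaprun>"""


def summarize(xml_text):
    """Return open services and OS guesses for each host in Nmap XML output."""
    report = []
    for host in ET.fromstring(xml_text).iter("host"):
        services = []
        for port in host.iter("port"):
            state, svc = port.find("state"), port.find("service")
            if state is None or state.get("state") != "open" or svc is None:
                continue
            services.append({
                "port": f'{port.get("portid")}/{port.get("protocol")}',
                "name": svc.get("name"),
                "version": " ".join(filter(None, (svc.get("product"), svc.get("version")))),
                # method="table" means the name was looked up from the port
                # number only; no version probe identified the service.
                "confirmed": svc.get("method") == "probed",
            })
        # Highest accuracy first; anything below 100 is a percentage guess.
        guesses = sorted(((int(m.get("accuracy")), m.get("name"))
                          for m in host.iter("osmatch")), reverse=True)
        report.append({
            "address": host.find("address").get("addr"),
            "services": services,
            "os_guesses": guesses,
            "os_exact": bool(guesses) and guesses[0][0] == 100,
        })
    return report


if __name__ == "__main__":
    print(summarize(SAMPLE_XML))
```

Services with "confirmed" set to False are the ones worth rescanning at a higher --version-intensity before recording them in an asset inventory.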

That’s it for this blog. In the next one, we’ll cover the powerful NSE ( Nmap Scripting Engine ).




Infosec Enthusiast | Student
