# Service Version and Script Scan

So far, we’ve looked at how to find open ports and scan them, but knowing a port is open isn’t enough. To really understand a system, you need to know **what service is running on that port**, and even better — **what version** of that service is there. That’s where **version detection** comes in.

## Detecting Service Versions with `-sV`

The `-sV` flag in Nmap tells it to go a step further after finding open ports. Instead of just saying “Port 80 is open,” it tries to figure out exactly what’s running there — like **Apache 2.4.54**, **nginx 1.18.0**, or maybe something custom.

<pre class="language-bash"><code class="lang-bash"><strong>❯ nmap -p 80 -sV 10.10.20.208 -Pn -T4 
</strong>Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-24 13:05 +0545
Nmap scan report for 10.10.20.208
Host is up (0.24s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 10.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.16 seconds
</code></pre>

{% hint style="success" %}
We can also pass multiple ports, e.g. `-p 80,22`, and Nmap will run service version detection against each of them.
{% endhint %}

### How does it find the version information?

The answer is **banner grabbing**: Nmap connects to each open port, reads whatever the service announces about itself, sends protocol-specific probes where the service stays silent, and matches the responses against its signature database.

For example, if it connects to port 22, it might send a basic SSH handshake to see how the server replies. Based on the banner or behavior, it can often figure out:

* The software (like OpenSSH),
* The version number (like 8.4),
* Sometimes even the OS (like “Ubuntu Linux”).

{% hint style="danger" %}
Note that our target is a Windows host and does not have an SSH service open on port 22.
{% endhint %}
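To make the banner-grabbing idea concrete, here is an added example (not code from the original page or from Nmap) that reads a service banner and matches it against a small constructed signature table, in the spirit of Nmap's `nmap-service-probes` database. The `grab_banner` helper and the sample banners are assumptions; the samples are constructed to mirror the SSH and HTTP services seen in this page's scans.

```python
import re
import socket
from typing import Optional

# Constructed signature table: a tiny stand-in for Nmap's nmap-service-probes
# database. Each entry maps a regex over the raw banner to a service name.
SIGNATURES = [
    # SSH identification string (RFC 4253): SSH-<proto>-<software>[ comments]
    ("ssh", re.compile(
        r"^SSH-(?P<proto>[\d.]+)-(?P<product>[A-Za-z]+)_(?P<version>\S+)"
        r"(?: (?P<info>[^\r\n]*))?")),
    # HTTP: the Server response header, e.g. "Server: Apache/2.4.7 (Ubuntu)"
    ("http", re.compile(
        r"^Server: (?P<product>[^/\r\n]+)/(?P<version>\S+)"
        r"(?: \((?P<info>[^)\r\n]*)\))?", re.M)),
]


def identify(banner: str) -> Optional[dict]:
    """Match a banner against SIGNATURES and return the fields a -sV scan
    reports (service, product, version, extra info), or None if no match."""
    for service, pattern in SIGNATURES:
        m = pattern.search(banner)
        if m:
            fields = {"service": service}
            fields.update({k: v for k, v in m.groupdict().items() if v})
            return fields
    return None


def grab_banner(host: str, port: int, timeout: float = 5.0) -> str:
    """Hypothetical helper: connect and wait for a self-announcing banner
    (SSH, FTP, SMTP). If the service stays silent, as HTTP does, send a
    minimal HEAD request so the Server header can be read."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        try:
            data = sock.recv(1024)          # NULL probe: just listen first
        except socket.timeout:
            data = b""
        if not data:                        # silent service: send an HTTP probe
            sock.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            data = sock.recv(4096)
    return data.decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Constructed banners mirroring the services seen in the scans on this page.
    for sample in ("SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.13\r\n",
                   "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/10.0\r\n\r\n",
                   "220 FileZilla Server\r\n"):
        print(identify(sample))
```

A banner that matches no signature (the FileZilla greeting above) comes back as `None`, which is the situation in which Nmap falls back to more probes or reports an unknown service fingerprint.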

### Another Example

<pre class="language-bash"><code class="lang-bash"><strong>❯ nmap -sV -p 21,22,80,443 scanme.nmap.org -T4
</strong>Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-24 13:08 +0545
Nmap scan report for scanme.nmap.org (45.33.32.156)
Host is up (0.33s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f

PORT    STATE  SERVICE VERSION
21/tcp  closed ftp
22/tcp  open   ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
80/tcp  open   http    Apache httpd 2.4.7 ((Ubuntu))
443/tcp closed https
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.64 seconds
</code></pre>

Here is an overview of the scan. As the output shows, port 21 (FTP) and port 443 (HTTPS) are closed. Since we also used the `-sV` option, the scan identified the service versions running on the open ports. Specifically:

* **22/tcp** open — **SSH**: OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
* **80/tcp** open — **HTTP**: Apache httpd 2.4.7 ((Ubuntu))

This is really useful when you’re looking for **vulnerable services**, outdated versions, or just trying to understand what a system is doing.

## The Nmap Scripting Engine (NSE) — `-sC` and `--script`

Nmap doesn’t stop at port scanning. It has a powerful scripting engine built in that can do **deep analysis**, **vulnerability checks**, **brute force**, and more.

To keep things simple, there are two main ways to use Nmap scripts:

### **Default Scripts (`-sC`)**

This runs the **`default` script category** (`-sC` is shorthand for `--script=default`), a curated set of fast, generally reliable scripts that are useful for most scans. Think of it like a basic health check — against each service it finds, it runs checks such as:

* Anonymous login and system type on FTP
* Page title and allowed methods on HTTP
* Certificate details and clock skew on TLS-wrapped ports
* Host and domain names from RDP/NTLM

<pre class="language-bash"><code class="lang-bash"><strong>❯ nmap -sC 10.10.20.208 -Pn -T4 
</strong>Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-24 13:11 +0545
Nmap scan report for 10.10.20.208
Host is up (0.19s latency).
Not shown: 995 filtered tcp ports (no-response)
PORT     STATE SERVICE
21/tcp   open  ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst: 
|_  SYST: UNIX emulated by FileZilla
53/tcp   open  domain
80/tcp   open  http
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: IIS Windows Server
135/tcp  open  msrpc
3389/tcp open  ms-wbt-server
| rdp-ntlm-info: 
|   Target_Name: WIN-SCAN
|   NetBIOS_Domain_Name: WIN-SCAN
|   NetBIOS_Computer_Name: WIN-SCAN
|   DNS_Domain_Name: win-scan
|   DNS_Computer_Name: win-scan
|   Product_Version: 10.0.17763
|_  System_Time: 2025-04-24T07:26:55+00:00
|_ssl-date: 2025-04-24T07:26:54+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=win-scan
| Not valid before: 2025-04-23T06:30:02
|_Not valid after:  2025-10-23T06:30:02

Nmap done: 1 IP address (1 host up) scanned in 47.97 seconds
</code></pre>

{% hint style="success" %}
We can also combine it with `-sV`, written as `-sVC` (equivalent to `-sV -sC`).
{% endhint %}

As you can see in the output above, the default script scan performed common checks that we would otherwise have to do manually for specific ports—such as checking for anonymous FTP login. In this case, we didn’t need to manually connect to the FTP service to verify anonymous access; the scan detected it automatically. This saves time, especially if we can identify such details during the scanning phase. The same applies to other protocols as well.

### **Custom Script Selection (`--script`)**

You can use the `--script` flag to run **specific scripts** or even **entire categories** like `vuln`, `auth`, `brute`, `smb`, etc.

Let’s say we’re interested in FTP (File Transfer Protocol) on a target. We can find related scripts like this:

<pre class="language-bash"><code class="lang-bash"><strong>❯ ls /usr/share/nmap/scripts/ | grep ftp
</strong>ftp-anon.nse
ftp-bounce.nse
ftp-brute.nse
ftp-libopie.nse
ftp-proftpd-backdoor.nse
ftp-syst.nse
ftp-vsftpd-backdoor.nse
ftp-vuln-cve2010-4221.nse
tftp-enum.nse
tftp-version.nse
</code></pre>

{% hint style="info" %}
Nmap automatically used `ftp-anon.nse` and `ftp-syst.nse` when we used the flag `-sC`.
{% endhint %}

Anyway, let's try running `ftp-anon` with the `--script` flag:

<pre class="language-bash"><code class="lang-bash"><strong>❯ nmap 10.10.20.208 -Pn -T4 --script=ftp-anon -p 21 
</strong>Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-24 13:22 +0545
Nmap scan report for 10.10.20.208
Host is up (0.31s latency).

PORT   STATE SERVICE
21/tcp open  ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT

Nmap done: 1 IP address (1 host up) scanned in 31.73 seconds
</code></pre>

You can also specify multiple scripts, separated by commas:

<pre class="language-bash"><code class="lang-bash"><strong>❯ nmap 10.10.20.208 -Pn -T4 --script=ftp-anon,ftp-syst -p 21
</strong>Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-24 13:23 +0545
Nmap scan report for 10.10.20.208
Host is up (0.19s latency).

PORT   STATE SERVICE
21/tcp open  ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst: 
|_  SYST: UNIX emulated by FileZilla

Nmap done: 1 IP address (1 host up) scanned in 31.23 seconds
</code></pre>

We can also use **script categories**, like this:

<pre class="language-bash"><code class="lang-bash"><strong>❯ nmap 10.10.20.208 -Pn -T4 --script=vuln -p 21             
</strong>Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-24 13:24 +0545
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 10.10.20.208
Host is up (0.25s latency).

PORT   STATE SERVICE
21/tcp open  ftp

Nmap done: 1 IP address (1 host up) scanned in 55.96 seconds
</code></pre>

This will run all scripts in the `vuln` category and look for known vulnerabilities — it’s a fast way to check for weaknesses. In the output above, only the prescan script `broadcast-avahi-dos` reported anything; no `vuln` script printed a result for port 21, so nothing in that category matched the FTP service.

## Aggressive Scan (`-A`)

Nmap has a special option called **Aggressive Scan**, enabled using the `-A` flag. This is like telling Nmap,

> “Give me everything you can find — and fast!”

It combines several powerful features into one scan:

* **OS Detection**
* **Version Detection** (`-sV`)
* **Default Scripts** (`-sC`)
* **Traceroute**

That’s a lot of information from just one flag.

<pre class="language-bash"><code class="lang-bash"><strong>❯ nmap 10.10.20.208 -A -Pn -T4                
</strong>Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-24 13:26 +0545
Nmap scan report for 10.10.20.208
Host is up (0.22s latency).
Not shown: 995 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           FileZilla ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst: 
|_  SYST: UNIX emulated by FileZilla
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: IIS Windows Server
135/tcp  open  msrpc         Microsoft Windows RPC
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=win-scan
| Not valid before: 2025-04-23T06:30:02
|_Not valid after:  2025-10-23T06:30:02
| rdp-ntlm-info: 
|   Target_Name: WIN-SCAN
|   NetBIOS_Domain_Name: WIN-SCAN
|   NetBIOS_Computer_Name: WIN-SCAN
|   DNS_Domain_Name: win-scan
|   DNS_Computer_Name: win-scan
|   Product_Version: 10.0.17763
|_  System_Time: 2025-04-24T07:42:07+00:00
|_ssl-date: 2025-04-24T07:42:38+00:00; -1s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -1s, deviation: 0s, median: -1s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.37 seconds
</code></pre>

It’s an **all-in-one recon scan**.

