Service Enumeration is the process of identifying and gathering detailed information about the services running on open ports. This is essential for understanding what software is running on a target system, what versions are installed, and any potential vulnerabilities associated with those services.
Nmap provides several options to perform service enumeration and version detection. This helps determine specific details like the software name, version, and any potential misconfigurations that could pose a security risk.
-sV (Service Version Detection)
The -sV option enables Nmap to detect service versions by probing open ports with specific service probes. It attempts to determine the exact version of the services running on those ports.
nmap -sV 192.168.1.10
--version-all (Full Version Detection)
The --version-all option is more aggressive and instructs Nmap to attempt every probe it can to detect the version of the services running. This increases the scan time but provides more detailed version information.
nmap -sV --version-all 192.168.1.10
--version-intensity (Adjust Version Detection Intensity)
The --version-intensity option allows you to control the intensity of the version detection. It can range from 0 (lowest) to 9 (highest). Higher intensity levels increase the number of probes sent, which may yield more detailed results but take longer.
nmap -sV --version-intensity 5 192.168.1.10
-sC (Default Scripts for Service Detection)
The -sC option runs the default Nmap scripts, which include service enumeration and version detection scripts. It’s a quick way to identify running services and their versions with common Nmap scripts.
nmap -sC 192.168.1.10
Example of Full Service Enumeration Scan
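This command performs a full service enumeration with aggressive version detection and default scripts. Without a port option, Nmap scans only its default set of the 1,000 most common TCP ports; add -p- to cover all ports: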
nmap -sV -sC --version-intensity 9 192.168.1.10
Key points
- -sV: Service version detection
- -sC: Default script scanning
- --version-intensity 9: Highest level of version detection probes
- Comprehensive scan for services and versions
Service Enumeration Output Example
Here’s an example of the output when running nmap -sV:
Nmap scan report for 192.168.1.10
Host is up (0.00023s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29
443/tcp open https OpenSSL 1.0.2g
8080/tcp open http Apache Tomcat/Coyote JSP engine 9.0.14
Nmap done: 1 IP address (1 host up) scanned in 1.34 seconds
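Version output like this is most useful when it is compared against what the host is supposed to expose. The following is an added example, not part of the original page: it parses the port table from the sample report above and diffs it against a baseline. The baseline values and the function names are constructed assumptions for illustration.

```python
import re
from collections import namedtuple

Service = namedtuple("Service", "port proto state name version")

# One row of the PORT/STATE/SERVICE/VERSION table in Nmap's normal output.
PORT_ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

# The sample `nmap -sV` report shown on this page.
SAMPLE_REPORT = """\
Nmap scan report for 192.168.1.10
Host is up (0.00023s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29
443/tcp open https OpenSSL 1.0.2g
8080/tcp open http Apache Tomcat/Coyote JSP engine 9.0.14
Nmap done: 1 IP address (1 host up) scanned in 1.34 seconds
"""

# Constructed baseline (assumption): what the asset inventory says should be exposed.
BASELINE = {
    (22, "tcp"): "OpenSSH 7.6p1",
    (80, "tcp"): "Apache httpd 2.4.29",
    (443, "tcp"): "OpenSSL 1.0.2k",
}

def parse_services(report):
    """Return a Service tuple for every port row in the report."""
    rows = (PORT_ROW.match(line.strip()) for line in report.splitlines())
    return [Service(int(m[1]), m[2], m[3], m[4], m[5].strip()) for m in rows if m]

def diff_against_baseline(services, baseline):
    """Flag open services that are unexpected, changed, or missing."""
    findings, seen = [], set()
    for s in services:
        if s.state != "open":
            continue  # closed/filtered ports are not exposed services
        key = (s.port, s.proto)
        seen.add(key)
        if key not in baseline:
            findings.append(("unexpected", key, s.version))
        elif baseline[key] != s.version:
            findings.append(("changed", key, s.version))
    findings += [("missing", k, baseline[k]) for k in sorted(set(baseline) - seen)]
    return findings

if __name__ == "__main__":
    for kind, (port, proto), version in diff_against_baseline(parse_services(SAMPLE_REPORT), BASELINE):
        print(f"{kind:<10} {port}/{proto:<4} {version}")
```

For recurring scans, Nmap's XML output (-oX) is a more stable format to parse than the human-readable report.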
Service Enumeration Options Summary
Option | What It Does | Use Case |
---|---|---|
-sV | Detects services and their versions | General-purpose service enumeration |
--version-all | Performs aggressive version detection | When maximum version detail is needed |
--version-intensity | Adjusts intensity of version detection probes | To fine-tune the speed vs. detail of scans |
-sC | Runs default service detection scripts | Quick service and version detection |
-p | Limits scan to specified ports | When focusing on specific ports |
--script | Runs custom NSE scripts for service enumeration | For deep or specific service queries |