Determine the exact application name and version number.
This allows us to find specific exploits (CVEs) for that exact version, rather than guessing.
Running a full version scan on all ports immediately can be slow.
Strategy: Quick scan first → Targeted version scan on open ports.
Press [Space Bar] during the scan to check status.
```
sudo nmap 10.129.2.28 -p- -sV

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 19:44 CEST
[Space Bar]
Stats: 0:00:03 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 3.64% done; ETC: 19:45 (0:00:53 remaining)
```

Useful for long scans to get periodic updates without manual interaction.
```
sudo nmap 10.129.2.28 -p- -sV --stats-every=5s

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 19:46 CEST
Stats: 0:00:05 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 13.91% done; ETC: 19:49 (0:00:31 remaining)
Stats: 0:00:10 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 39.57% done; ETC: 19:48 (0:00:15 remaining)
```

Shows open ports as they are found, rather than waiting for the scan to finish.
```
sudo nmap 10.129.2.28 -p- -sV -v

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-15 20:03 CEST
NSE: Loaded 45 scripts for scanning.
Initiating ARP Ping Scan at 20:03
Scanning 10.129.2.28 [1 port]
Completed ARP Ping Scan at 20:03, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:03
Completed Parallel DNS resolution of 1 host. at 20:03, 0.02s elapsed
Initiating SYN Stealth Scan at 20:03
Scanning 10.129.2.28 [65535 ports]
Discovered open port 995/tcp on 10.129.2.28
Discovered open port 80/tcp on 10.129.2.28
Discovered open port 993/tcp on 10.129.2.28
Discovered open port 143/tcp on 10.129.2.28
Discovered open port 25/tcp on 10.129.2.28
Discovered open port 110/tcp on 10.129.2.28
Discovered open port 22/tcp on 10.129.2.28
```

Banner grabbing is a reconnaissance technique used to gather information about network services running on target systems. When you connect to a service (like SSH, HTTP, SMTP, etc.), it often sends an identification banner containing:
The command you see:

```
sudo nmap 10.129.2.28 -p- -sV

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3
25/tcp open  smtp    Postfix smtpd
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
```

This tells us:
Nmap sometimes truncates or doesn't show all banner information. In your example:

What Nmap showed:

```
25/tcp open  smtp    Postfix smtpd
```

What the actual banner contains:

```
220 inlane ESMTP Postfix (Ubuntu)
```

The banner contains extra detail ("Ubuntu") that Nmap's concise output omitted.
To reveal what the actual banner contains, you can grab it manually with Netcat or capture it on the wire with tcpdump.

Using nc allows us to see the raw banner, revealing the OS is Ubuntu.

```
nc -nv 10.129.2.28 25

Connection to 10.129.2.28 port 25 [tcp/*] succeeded!
220 inlane ESMTP Postfix (Ubuntu)
```

After the 3-way handshake, the server sends the banner in a packet flagged with PSH (Push). This flag tells the client to process the data immediately.
```
sudo tcpdump -i eth0 host 10.10.14.2 and 10.129.2.28

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
```

Lines 1-3 are the handshake. Line 4 (Flags [P.]) is the banner.

```
18:28:07.128564 IP 10.10.14.2.59618 > 10.129.2.28.smtp: Flags [S], seq 1798872233, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 331260178 ecr 0,sackOK,eol], length 0
18:28:07.255151 IP 10.129.2.28.smtp > 10.10.14.2.59618: Flags [S.], seq 1130574379, ack 1798872234, win 65160, options [mss 1460,sackOK,TS val 1800383922 ecr 331260178,nop,wscale 7], length 0
18:28:07.255281 IP 10.10.14.2.59618 > 10.129.2.28.smtp: Flags [.], ack 1, win 2058, options [nop,nop,TS val 331260304 ecr 1800383922], length 0
18:28:07.319306 IP 10.129.2.28.smtp > 10.10.14.2.59618: Flags [P.], seq 1:36, ack 1, win 510, options [nop,nop,TS val 1800383985 ecr 331260304], length 35: SMTP: 220 inlane ESMTP Postfix (Ubuntu)
18:28:07.319426 IP 10.10.14.2.59618 > 10.129.2.28.smtp: Flags [.], ack 36, win 2058, options [nop,nop,TS val 331260368 ecr 1800383985], length 0
```

| Flag | Function | Description |
|---|---|---|
| -sV | Version Detection | Interacts with ports to determine service versions. |
| -p- | All Ports | Scans ports 1–65535 (default is top 1000). |
| -v | Verbose | Increases output detail (shows open ports immediately). |
| --stats-every=Xs | Status | Prints scan progress every X seconds. |
| nc -nv <IP> <Port> | Netcat | Manually connects to a port to grab the raw banner. |
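As an added example (not part of the original notes), here is a small Python version of the `nc -nv` banner grab above, plus a parser for the SMTP 220 greeting and a check for details the raw banner carries that nmap's VERSION column left out. The sample banner and the `SAMPLE_NMAP_VERSION` string are constructed to mirror the Postfix example on this page; `grab_banner` is the only part that touches the network.

```python
import re
import socket
from typing import Dict, List, Optional

# Constructed sample values mirroring the page's SMTP example (not live data).
SAMPLE_BANNER = "220 inlane ESMTP Postfix (Ubuntu)\r\n"
SAMPLE_NMAP_VERSION = "Postfix smtpd"
TOKEN = re.compile(r"[A-Za-z0-9._-]+")


def grab_banner(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect and let the server speak first, as `nc -nv` does: SMTP, SSH,
    POP3 and IMAP all send a greeting unprompted. Returns the raw text."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            while True:
                data = s.recv(1024)
                if not data:
                    break
                chunks.append(data)
                if b"\n" in data:  # greeting lines end with CRLF
                    break
        except socket.timeout:
            pass  # server stayed silent; return whatever we have
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_smtp_greeting(banner: str) -> Optional[Dict[str, object]]:
    """Parse a '220 <host> ESMTP <software> (<hint>)' greeting; None otherwise."""
    first = banner.strip().splitlines()[0] if banner.strip() else ""
    m = re.match(r"^220[ -](\S+)\s*(?:ESMTP|SMTP)?\s*(.*)$", first)
    if not m:
        return None
    rest = m.group(2)
    return {
        "hostname": m.group(1),
        "software": re.sub(r"\s*\([^)]*\)", "", rest).strip(),
        "hints": re.findall(r"\(([^)]*)\)", rest),  # e.g. ['Ubuntu']
    }


def details_missing_from_nmap(banner: str, nmap_version: str) -> List[str]:
    """Tokens in the raw banner that nmap's VERSION column did not report."""
    reported = {t.lower() for t in TOKEN.findall(nmap_version)}
    noise = {"220", "esmtp", "smtp"}
    return [t for t in TOKEN.findall(banner)
            if t.lower() not in reported and t.lower() not in noise]
```

Running the comparison on the page's banner yields the hostname and the "Ubuntu" hint, which is exactly what the concise nmap line dropped; a mail server configured with a minimal greeting (`220 mx.example.test ESMTP`) parses with empty software and hints.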