After discovering open ports with Nmap, the next critical step is service fingerprinting: determining which software, version, and configuration is running on each open port. Knowing that port 80 is open is useful; knowing it is running Apache httpd 2.4.49 is actionable. This intelligence directly feeds vulnerability assessment and exploitation planning.
Nmap's service version detection (-sV) sends a series of probes to each open port and matches the responses against the nmap-service-probes database, which holds thousands of match signatures covering more than 650 protocols. It starts with a NULL probe that simply connects and listens for a banner, then works through protocol-specific probes such as an HTTP GET request until a signature matches. This is one of the most valuable features in a penetration tester's toolkit.
The version scan in this lab reports vsftpd 2.3.4 (which ships with a famous backdoor, CVE-2011-2523), Apache httpd 2.4.49 (path traversal, CVE-2021-41773) and MySQL 5.7.38. Each version string is a vulnerability lookup waiting to happen. Keep in mind that a banner is only a claim: administrators can change or strip it, and distributions backport fixes without changing the version number, so treat version-based findings as leads to confirm rather than proof.
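To see how the -sV matching loop actually works, here is an added Python model of it; this is not Nmap's own code. Nmap's real engine reads Probe and match lines from the nmap-service-probes file, and the PROBES table below hand-writes three probes in that spirit. The constructed_host function stands in for the network with made-up banners: the vsftpd, OpenSSH, Apache and MySQL strings and the junk service on port 9999 are constructed test data, and the regexes and probe port lists are simplified assumptions for this example.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Match:
    service: str
    pattern: re.Pattern          # applied to the raw bytes that came back
    product: str                 # templates; $1, $2 ... are filled from regex groups
    version: str


@dataclass(frozen=True)
class Probe:
    name: str
    payload: bytes               # b"" is the NULL probe: connect and just listen
    ports: Optional[frozenset]   # None = try on any port
    matches: tuple


# Hand-written stand-ins for nmap-service-probes entries (assumed, simplified).
PROBES = (
    Probe("NULL", b"", None, (
        Match("ftp",   re.compile(rb"^220 \(vsFTPd ([\d.]+)\)"),    "vsftpd",  "$1"),
        Match("ssh",   re.compile(rb"^SSH-2\.0-OpenSSH_([\w.]+)"),   "OpenSSH", "$1"),
        # MySQL greeting: 3-byte length, 1-byte seq, protocol 0x0a, NUL-terminated version
        Match("mysql", re.compile(rb"^.{4}\x0a([\d.]+)\x00", re.S),  "MySQL",   "$1"),
    )),
    Probe("GetRequest", b"GET / HTTP/1.0\r\n\r\n", frozenset({80, 443, 8080, 8443}), (
        Match("http", re.compile(rb"^HTTP/1\.[01] \d{3} .*?\r\nServer: Apache/([\d.]+)", re.S),
              "Apache httpd", "$1"),
    )),
)


def _expand(template: str, hit: re.Match) -> str:
    """Substitute $1, $2 ... in a product/version template with regex groups."""
    return re.sub(r"\$(\d+)", lambda g: hit.group(int(g.group(1))).decode(), template)


def fingerprint(port: int, send: Callable[[bytes], bytes]) -> dict:
    """Emulate -sV on one open port: send each applicable probe in order and
    stop at the first match line that fits the response."""
    for probe in PROBES:
        if probe.ports is not None and port not in probe.ports:
            continue
        response = send(probe.payload)
        if not response:             # silent on this probe; try the next one
            continue
        for m in probe.matches:
            hit = m.pattern.search(response)
            if hit:
                return {"port": port, "service": m.service,
                        "product": _expand(m.product, hit),
                        "version": _expand(m.version, hit), "probe": probe.name}
    # Nothing matched: real Nmap prints the raw fingerprint for submission here.
    return {"port": port, "service": "unknown", "product": None, "version": None, "probe": None}


def constructed_host(port: int) -> Callable[[bytes], bytes]:
    """Fake network: returns a send() function for one port of a made-up target."""
    banners = {
        21: b"220 (vsFTPd 2.3.4)\r\n",
        22: b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n",
        3306: b"\x4a\x00\x00\x00\x0a5.7.38\x00\x0b\x00\x00\x00" + b"\x00" * 8,
        9999: b"\x01\x02custom-agent-ready\r\n",   # matches no signature
    }

    def send(payload: bytes) -> bytes:
        if port == 80:               # HTTP says nothing until it gets a request
            if payload.startswith(b"GET"):
                return (b"HTTP/1.1 200 OK\r\nDate: Mon, 04 Oct 2021 12:00:00 GMT\r\n"
                        b"Server: Apache/2.4.49 (Unix)\r\n\r\n<html>Vulnarex</html>")
            return b""
        return banners.get(port, b"")
    return send


if __name__ == "__main__":
    for p in (21, 22, 80, 3306, 9999):
        print(fingerprint(p, constructed_host(p)))
```

Two things the model shows that terminal output hides: the web server says nothing to the NULL probe and is only identified once the GET probe is sent, and the service on port 9999 matches no signature at all, which is the case where real Nmap prints a raw fingerprint and asks you to submit it, and where you fall back to manual banner grabbing with a protocol-specific client.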
Nmap can also identify the target's operating system (-O) by analysing subtle differences in TCP/IP stack behaviour: initial TTL values, TCP window sizes, IP ID sequence generation, TCP option ordering and responses to unusual flag combinations. Different operating systems implement these details slightly differently, and the combination forms a fingerprint that Nmap compares against its nmap-os-db database.
Nmap has identified the target as running a Linux 5.4 to 5.15 kernel. That does not shrink the attack surface, but it does narrow the search: we can now focus on Linux-specific exploits and misconfigurations and drop Windows-only candidates. Check the reported accuracy percentage, though; a low-confidence match is a hint, not a fact.
💡 OS detection works best when Nmap finds at least one open and one closed TCP port on the target; without both it still prints a guess but warns that the results may be unreliable. If a firewall filters every port, Nmap cannot gather enough data for an accurate fingerprint. -O also needs raw-packet privileges, so run it as root (or with sudo).
The -A flag enables OS detection (-O), version detection (-sV), default script scanning (-sC) and traceroute (--traceroute) all at once. It is the most comprehensive single-flag scan, but it is also the noisiest: it sends far more packets than a plain port scan, and the default scripts make application-layer requests that show up in server logs.
The aggressive scan revealed additional details: anonymous FTP login is enabled (a serious misconfiguration), the SSH host keys are listed (useful for spotting cloned hosts or keys reused across the estate), the web page title is 'Vulnarex Corp - Home', and the HTTP Server header confirms the Apache version. Each of these details is a potential finding.
⚠️ Anonymous FTP login allows anyone to connect without credentials. If sensitive files are stored in the FTP directory, this is a critical finding, and it is worse still if the anonymous user can write, because an attacker can then stage files on the server. Always check anonymous FTP access during your assessment, and record what the anonymous user can read and write.
The Nmap Scripting Engine (NSE) is one of Nmap's most powerful features. NSE scripts are written in Lua and can perform vulnerability detection, brute-force attacks and advanced fingerprinting. Scripts are selected with --script and are organised into categories; a script can belong to several categories at once, and --script-help <name> shows a script's categories and arguments.
| Category | Description | Example Scripts |
|---|---|---|
| default | Run by -sC (and -A); chosen for being fast, safe and broadly useful | http-title, ssh-hostkey, ssl-cert |
| safe | Not designed to crash services, hog bandwidth or exploit anything; still visible to a defender | banner, dns-nsid, http-methods |
| vuln | Check for specific known vulnerabilities and report their state | smb-vuln-ms17-010, http-shellshock |
| exploit | Attempt to exploit discovered vulnerabilities; intrusive, run only with explicit authorisation | http-shellshock, ftp-vsftpd-backdoor |
| auth | Check for authentication weaknesses such as anonymous or default access | ftp-anon, smb-enum-users |
| brute | Perform brute-force password attacks; noisy and may lock accounts out | ssh-brute, mysql-brute |
The default scripts revealed that the HTTP server allows the TRACE method (the basis of cross-site tracing, XST; modern browsers refuse to issue TRACE from script, so on its own this is usually a low-severity hardening item) and, via mysql-info, extracted MySQL handshake details including the protocol version, server version and the authentication salt. The -sC flag is equivalent to --script=default.
The vuln script category reported the Apache 2.4.49 server as vulnerable to CVE-2021-41773 (path traversal, escalating to remote code execution where mod_cgi is enabled). The SMB service, on the other hand, was reported as not vulnerable to MS17-010 (EternalBlue). Bear in mind that some vuln scripts decide purely on the version string, so confirm a reported vulnerability with a controlled request before it goes into the report. This is exactly the kind of actionable intelligence that drives the next phase of a penetration test.
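Reading scan output off the terminal does not scale past a handful of hosts, and every detail in this lab (the service versions, the OS match, the anonymous FTP login, the TRACE method and the vuln results) is also written to Nmap's XML report when you add -oX. The following Python, added here as an example rather than taken from Nmap or the lab, parses such a report and turns it into a list of findings. SAMPLE_XML is a constructed report shaped like the one this lab's scan would produce; the address 10.10.10.5, the script ids, the script text and the key names inside the vuln tables are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample, shaped like `nmap -A --script vuln -oX` output for the lab
# target. The address, NSE script ids and script text are assumptions for this
# example, not the output of a real scan.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -A --script vuln -oX scan.xml 10.10.10.5">
<host><status state="up" reason="syn-ack"/>
<address addr="10.10.10.5" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/>
<service name="ftp" product="vsftpd" version="2.3.4" method="probed" conf="10"/>
<script id="ftp-anon" output="Anonymous FTP login allowed (FTP code 230)"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="Apache httpd" version="2.4.49" method="probed" conf="10"/>
<script id="http-methods" output="Supported Methods: GET HEAD POST OPTIONS TRACE&#xa;Potentially risky methods: TRACE">
<table key="Supported Methods"><elem>GET</elem><elem>HEAD</elem><elem>POST</elem><elem>OPTIONS</elem><elem>TRACE</elem></table>
<table key="Potentially risky methods"><elem>TRACE</elem></table></script>
<script id="http-vuln-cve2021-41773" output="VULNERABLE">
<table key="CVE-2021-41773"><elem key="title">Apache HTTP Server 2.4.49 path traversal</elem>
<elem key="state">VULNERABLE</elem></table></script></port>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
<service name="microsoft-ds" method="table" conf="3"/>
<script id="smb-vuln-ms17-010" output="NOT VULNERABLE">
<table key="MS17-010"><elem key="state">NOT VULNERABLE</elem></table></script></port>
<port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/>
<service name="mysql" product="MySQL" version="5.7.38" method="probed" conf="10"/></port>
</ports>
<os><portused state="open" proto="tcp" portid="21"/><portused state="closed" proto="tcp" portid="1"/>
<osmatch name="Linux 5.4 - 5.15" accuracy="95"><osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="5.X" accuracy="95"/></osmatch></os>
</host></nmaprun>"""


def parse_report(xml_text: str) -> list:
    """Return one dict per host: address, open services (with NSE results) and OS matches."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        services = []
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue                      # closed/filtered ports carry no service data
            svc = port.find("service")
            services.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
                # method="table" means Nmap only guessed from the port number, not a probe
                "probed": svc is not None and svc.get("method") == "probed",
                "scripts": {s.get("id"): s for s in port.findall("script")},
            })
        os_matches = [(m.get("name"), int(m.get("accuracy"))) for m in host.iter("osmatch")]
        hosts.append({"addr": addr_el.get("addr") if addr_el is not None else None,
                      "services": services, "os": os_matches})
    return hosts


def vuln_states(script_el) -> dict:
    """Vulnerability id -> state for scripts built on Nmap's vulns library
    (each vulnerability is a <table> carrying an <elem key="state">)."""
    states = {}
    for table in script_el.findall("table"):
        state = table.find("elem[@key='state']")
        if state is not None:
            states[table.get("key")] = state.text
    return states


def findings(hosts: list) -> list:
    """Flatten the report into (address, port, finding) triples worth reviewing."""
    out = []
    for h in hosts:
        for s in h["services"]:
            sc = s["scripts"]
            if s["product"]:
                out.append((h["addr"], s["port"], f"version: {s['product']} {s['version']}"))
            if "ftp-anon" in sc and "allowed" in (sc["ftp-anon"].get("output") or ""):
                out.append((h["addr"], s["port"], "anonymous FTP login allowed"))
            if "http-methods" in sc:
                risky = sc["http-methods"].find("table[@key='Potentially risky methods']")
                for m in (risky.findall("elem") if risky is not None else []):
                    out.append((h["addr"], s["port"], f"risky HTTP method: {m.text}"))
            for el in sc.values():
                for vid, state in vuln_states(el).items():
                    # Only VULNERABLE / LIKELY VULNERABLE become findings; a version-based
                    # "LIKELY" still needs manual confirmation before it goes in a report.
                    if state.startswith("VULNERABLE") or state == "LIKELY VULNERABLE":
                        out.append((h["addr"], s["port"], f"{vid}: {state}"))
    return out


if __name__ == "__main__":
    for addr, port, text in findings(parse_report(SAMPLE_XML)):
        print(f"{addr}:{port}  {text}")
```

Two details worth keeping from this: the probed flag separates services Nmap actually fingerprinted from those it only guessed from the port number (method="table", as for port 445 here), and NOT VULNERABLE entries only appear in the XML when the scan was run with --script-args vulns.showall, so the absence of a vulnerability line is not by itself evidence that a host is patched.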