Basic Version Detection (`-sV`) with Nmap

Learn how to use Nmap’s version detection feature to identify the versions of services running on open ports.

Introduction to Nmap and Version Detection

Nmap (Network Mapper) is one of the most powerful and widely used open-source network scanning tools. It helps security professionals, system administrators, and penetration testers identify active hosts, services, and vulnerabilities within a network. One of Nmap’s core features is version detection, which allows users to determine the specific versions of services running on open ports. This feature is enabled using the -sV flag.

In this article, we will explore the basics of version detection with Nmap, how it works, when to use it, and some advanced usage techniques to refine your scans.

Understanding the -sV Flag in Nmap

The -sV option in Nmap is used to determine the version and detailed information about services running on open ports. It sends specially crafted probes to each detected service and analyzes the responses to infer version details. This is useful for identifying outdated services, vulnerabilities, and security risks.

Why Use Version Detection?

  1. Security Audits – Identifying outdated software versions helps in assessing vulnerabilities and patching them.
  2. Network Inventory – Helps system administrators document all running services and their versions.
  3. Penetration Testing – Enables security professionals to identify potential attack vectors based on version-specific exploits.
  4. Troubleshooting – Helps in diagnosing network issues by confirming that the expected services and versions are running.

Running a Basic Version Detection Scan

To perform basic version detection, use the following command:

nmap -sV <target>

For example, scanning a host at 192.168.1.10:

nmap -sV 192.168.1.10

Example Output

Starting Nmap 7.94 ( https://nmap.org ) at 2025-03-27 12:00 UTC
Nmap scan report for 192.168.1.10
Host is up (0.003s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 8.4 (protocol 2.0)
80/tcp   open  http        Apache httpd 2.4.41 ((Ubuntu))
443/tcp  open  ssl/https   OpenSSL 1.1.1
3306/tcp open  mysql       MySQL 5.7.33

Service detection performed. Nmap done: 1 IP address (1 host up) scanned in 6.92 seconds.

In this output, Nmap successfully identified the versions of several services running on the target system, such as OpenSSH, Apache, and MySQL.
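As an added example (not part of the original article), the following Python sketch parses the port table shown above into records and compares each detected version against a minimum-version baseline, which is the audit and inventory use described earlier. The BASELINE values and all function names are assumptions made for illustration.

```python
import re

# Port table copied from the example output above.
SCAN_OUTPUT = """\
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 8.4 (protocol 2.0)
80/tcp   open  http        Apache httpd 2.4.41 ((Ubuntu))
443/tcp  open  ssl/https   OpenSSL 1.1.1
3306/tcp open  mysql       MySQL 5.7.33
"""

# Hypothetical minimum versions from a local patch policy (constructed values).
BASELINE = {"OpenSSH": "9.0", "Apache httpd": "2.4.41", "MySQL": "8.0.0"}

ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)[ \t]*(.*)$")
VER = re.compile(r"^(.*?)\s*\b(\d+(?:\.\d+)+)")

def as_tuple(version):
    """Turn '2.4.41' into (2, 4, 41) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))

def parse_services(text):
    """Yield one record per port-table row; product/version may be None."""
    for line in text.splitlines():
        row = ROW.match(line)
        if not row:
            continue  # header, banner and summary lines
        port, proto, state, service, info = row.groups()
        hit = VER.match(info)
        product, version = hit.groups() if hit else (info or None, None)
        yield {"port": int(port), "proto": proto, "state": state,
               "service": service, "product": product, "version": version}

def audit(text, baseline=BASELINE):
    """Label each open service as 'ok', 'outdated' or 'unlisted'."""
    report = {}
    for svc in parse_services(text):
        if svc["state"] != "open":
            continue
        minimum = baseline.get(svc["product"])
        if minimum is None or svc["version"] is None:
            status = "unlisted"  # no policy entry, or no version was detected
        elif as_tuple(svc["version"]) < as_tuple(minimum):
            status = "outdated"
        else:
            status = "ok"
        report[svc["port"]] = (svc["product"], svc["version"], status)
    return report
```

For automated processing, Nmap's XML output (-oX) is more stable to parse than the human-readable table.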

Improving Version Detection Accuracy

Nmap’s version detection operates in different intensities, allowing users to balance scan speed with accuracy. The intensity level can be adjusted using --version-intensity.

Adjusting Version Detection Intensity

The --version-intensity flag controls how aggressively Nmap probes services to determine their version. The range is from 0 (light scan) to 9 (intense scan).

  • Low intensity (--version-intensity 2) – Faster but less accurate.
  • Default (--version-intensity 7) – Balanced approach.
  • High intensity (--version-intensity 9) – More probes, higher accuracy, but slower.

Example:

nmap -sV --version-intensity 9 192.168.1.10

This command performs a deeper scan, increasing the chances of getting precise version details.

Using --version-all for Comprehensive Scans

The --version-all option forces Nmap to run all available probes for maximum accuracy, at the cost of longer scan times.

nmap -sV --version-all 192.168.1.10

This is useful when accuracy is more important than speed, such as in security audits.

Limiting Version Detection to Specific Ports

If you only want to detect versions for specific ports, you can combine -p with -sV. For example, to check version details for SSH (port 22) and MySQL (port 3306):

nmap -sV -p 22,3306 192.168.1.10

This reduces scan time while still providing relevant information.

Combining -sV with Other Nmap Options

Using -A for Comprehensive Scanning

The -A option enables aggressive scan features: OS detection, version detection, script scanning, and traceroute.

nmap -A 192.168.1.10

This is useful for getting an in-depth view of a target system’s services and vulnerabilities.

Running -sV with --script for Security Checks

Nmap includes NSE (Nmap Scripting Engine) scripts that work alongside -sV to check for vulnerabilities.

For example, checking for known vulnerabilities in detected services:

nmap -sV --script=vuln 192.168.1.10

This scans the target and runs the scripts in the vuln category, which check the detected services for known vulnerabilities.

Understanding Nmap’s Version Detection Database

Nmap maintains an extensive service/version database located at:

/usr/share/nmap/nmap-service-probes

This database contains signatures for thousands of services, helping Nmap accurately identify versions. Updating Nmap frequently ensures access to the latest detection signatures.
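As an added example (not Nmap's own code), this Python sketch shows how entries in that file drive both probe selection under --version-intensity and the version string derived from a response. The database lines and responses are constructed for illustration, and load, selected and identify are hypothetical helper names.

```python
import re

# Constructed entries written in the nmap-service-probes syntax (not copied from
# the real file); every rule here uses "|" as the regex delimiter.
PROBES_DB = r"""
Probe TCP NULL q||
match ssh m|^SSH-([\d.]+)-OpenSSH[_-]([\w.]+)| p/OpenSSH/ v/$2/ i/protocol $1/
Probe TCP GetRequest q|GET / HTTP/1.0\r\n\r\n|
rarity 1
ports 80,8080
match http m|^HTTP/1\.[01] \d+ .*\r\nServer: Apache/([\d.]+)|s p/Apache httpd/ v/$1/
Probe TCP ExampleRare q|\x01\x02|
rarity 8
ports 9999
"""

def load(db=PROBES_DB):
    """Parse Probe blocks into dicts holding rarity, ports and match rules."""
    probes = []
    for line in db.strip().splitlines():
        word, _, rest = line.partition(" ")
        if word == "Probe":
            name = rest.split(" ", 2)[1]
            probes.append({"name": name, "rarity": None, "ports": set(), "matches": []})
        elif word == "rarity":
            probes[-1]["rarity"] = int(rest)
        elif word == "ports":
            probes[-1]["ports"] = {int(p) for p in rest.split(",")}
        elif word == "match":
            service, pattern, flags, info = re.match(
                r"(\S+) m\|(.*?)\|([is]*) (.*)", rest).groups()
            opts = (re.S if "s" in flags else 0) | (re.I if "i" in flags else 0)
            probes[-1]["matches"].append((service, re.compile(pattern, opts), info))
    return probes

def selected(probes, port, intensity):
    """Probes tried: NULL always, port-registered ones, others if rarity <= intensity."""
    return [p["name"] for p in probes
            if p["name"] == "NULL" or port in p["ports"] or p["rarity"] <= intensity]

def identify(probes, probe_name, response):
    """Apply one probe's match rules; return (service, fields) or None."""
    rules = next(p["matches"] for p in probes if p["name"] == probe_name)
    for service, regex, info in rules:
        hit = regex.search(response)
        if hit:
            fill = lambda m: hit.group(int(m.group(1)))  # substitute $1, $2, ...
            return service, {k: re.sub(r"\$(\d)", fill, v)
                             for k, v in re.findall(r"([pvi])/([^/]*)/", info)}
    return None
```

The p, v and i fields correspond to the product, version and extra-info parts of the VERSION column, so a constructed banner of SSH-2.0-OpenSSH_8.4 yields the same "OpenSSH 8.4 (protocol 2.0)" shape seen in the example output.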

Handling Firewall and Intrusion Detection Evasion

Some firewalls and IDS/IPS systems block version detection probes. Techniques to bypass these restrictions include:

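  • Using Decoys:

    nmap -sV -D RND:10 192.168.1.10

    This generates decoy traffic to avoid detection. Decoys apply only to the raw-packet port-scanning phase; the version probes themselves are sent over ordinary connections from the scanner's real address.

  • Scanning with Fragmented Packets:

    nmap -sV -f 192.168.1.10

    This fragments packets to evade deep packet inspection. Fragmentation likewise affects only the raw-packet port scan, because version detection relies on the scanning host's own TCP stack.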

Conclusion

Nmap’s version detection (-sV) is an essential feature for network reconnaissance, security assessments, and troubleshooting. By fine-tuning intensity levels, combining options like -A and --script, and understanding its output, users can maximize the accuracy and effectiveness of their scans.

For more in-depth analysis, users can explore additional Nmap scripts or combine version detection with OS fingerprinting and vulnerability scanning.

  • Experiment with different --version-intensity levels.
  • Use -sV in combination with NSE scripts for vulnerability detection.
  • Regularly update Nmap to maintain an up-to-date service/version database.

By mastering -sV, security professionals and system administrators can gain deeper insights into their network’s security posture and mitigate risks effectively.