Service Enumeration With Nmap
Quick Scan Strategy
Start with a fast port scan to reduce noise and avoid early detection by security tools. A full scan (-p-) can run in the background.
🔧 Basic Version Detection
sudo nmap <target> -p- -sV
| Option | Description |
|---|---|
| `<target>` (e.g. 10.129.2.28) | Target IP |
| `-p-` | Scan all 65,535 ports |
| `-sV` | Detect service versions |
Press Space during the scan to view the progress.
Customize Scan Status Updates
sudo nmap <target> -p- -sV --stats-every=5s
| Option | Description |
|---|---|
| `--stats-every=5s` | Display scan progress every 5 seconds |
Increase Scan Verbosity
sudo nmap <target> -p- -sV -v
| Option | Description |
|---|---|
| `-v` | Show ports and findings as they appear |
Banner Grabbing
Nmap gathers version information from service banners or, when a banner is not enough, by matching probe responses against its signature database, which can be slower but is more accurate.
Deep Scan with Packet Trace
sudo nmap <target> -p- -sV -Pn -n --disable-arp-ping --packet-trace
| Option | Description |
|---|---|
| `-Pn` | Skip host discovery (assume the host is up) |
| `-n` | Disable DNS resolution |
| `--disable-arp-ping` | Skip ARP pings |
| `--packet-trace` | Show all packets sent and received |
Manual Banner Grabbing
1. Start tcpdump
sudo tcpdump -i tun0 host <local> and <target>
In the command above, replace `<local>` with the IP address of your own machine (for example, your Kali machine) and `<target>` with the target's address, so tcpdump captures only the traffic between the two.
2. Connect to SMTP via netcat
nc -nv <target> 25
TCP Handshake Breakdown
| Step | Description |
|---|---|
| [SYN] | Client initiates connection |
| [SYN-ACK] | Server acknowledges and responds |
| [ACK] | Client confirms connection |
| [PSH-ACK] | Server sends banner with data (e.g. Postfix on Ubuntu) |
| [ACK] | Client acknowledges data |
The PSH flag signals that the server is pushing data (i.e., the banner) immediately after the handshake, before the client has sent anything.
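To show what the netcat step and the PSH-ACK banner above actually yield, here is an added Python example (not part of the original page) that runs a constructed local listener sending a Postfix-style 220 greeting, reads the banner exactly as `nc -nv <target> 25` would, and parses out the hostname, software and OS hint the greeting leaks; the greeting text, host names and the loopback port are assumptions.

```python
import re
import socket
import threading

# Constructed sample greeting, in the style of the "Postfix on Ubuntu" banner mentioned above.
SAMPLE_BANNER = b"220 mail.example.test ESMTP Postfix (Ubuntu)\r\n"


def fake_smtp_server() -> int:
    """Start a loopback listener that, like a real MTA, pushes its greeting right after the handshake."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # ephemeral port on loopback only
    srv.listen(1)               # connections queue here until accept() runs in the thread
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.sendall(SAMPLE_BANNER)  # this is the [PSH-ACK] segment from the handshake table
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def grab_banner(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect and read whatever the server volunteers before we send a byte (what nc -nv shows)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            data = s.recv(1024)
        except socket.timeout:
            return ""  # silent service: nothing to grab, so -sV has to probe instead
    return data.decode("utf-8", errors="replace").strip()


def parse_smtp_banner(banner: str) -> dict:
    """Extract the fields an SMTP 220 greeting leaks: hostname, software, optional OS/distro hint."""
    m = re.match(r"220[ -](?P<host>\S+)\s+E?SMTP\s+(?P<software>\S+)(?:\s+\((?P<hint>[^)]*)\))?", banner)
    if not m:
        return {"code": banner[:3], "raw": banner}  # unrecognised greeting: keep it raw for manual review
    return {"code": "220", "host": m.group("host"), "software": m.group("software"), "hint": m.group("hint")}


if __name__ == "__main__":
    port = fake_smtp_server()
    banner = grab_banner("127.0.0.1", port)
    print(banner)
    print(parse_smtp_banner(banner))
```

The `hint` field is exactly the kind of detail (distribution name, version string) a defender can suppress by setting a minimal `smtpd_banner`, which is why version detection then has to fall back to slower probe matching.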