Articles

Nmap Banner Grabbing: Extract Service Versions (2026)

April 18, 2026 3 min read

Nmap’s banner grabbing for service version detection is less about what it finds and more about how it finds it, often revealing the wrong thing.

Let’s watch Nmap do its thing. Imagine a web server running on 192.168.1.100 on port 80.

nmap -sV -p 80 192.168.1.100

You’ll see output like this:

Starting Nmap 7.92 ( https://nmap.org ) at 2023-10-27 10:30 PDT
Nmap scan report for 192.168.1.100
Host is up (0.0010s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.15 seconds

The magic happens with the -sV flag. Nmap doesn’t just see that port 80 is open; it actively probes it to figure out what service is running and which version. It does this by sending a series of probes to the open port. These probes are crafted based on common service protocols (HTTP, FTP, SSH, etc.). When the service responds, Nmap analyzes the response data – the "banner" – to identify the service and version.

Here’s the mental model:

  1. Port Scan: First, Nmap performs a standard port scan (e.g., SYN scan with -sS if run as root) to identify open ports.
  2. Probe Selection: For each open port, Nmap consults its nmap-service-probes file. This file contains a database of probes and patterns for hundreds of services. It tries to match the open port to a known service based on the port number itself (e.g., port 80 is usually HTTP).
  3. Probe Execution: Nmap sends specific, often application-level, probes to the open port. For HTTP, it might send a basic GET / HTTP/1.0\r\n\r\n. For SSH, it might send specific bytes that trigger the SSH handshake.
  4. Response Analysis: Nmap captures the response from the service. It then applies regular expressions and other pattern-matching logic from the nmap-service-probes file to the captured data. This data is the "banner."
  5. Version Guessing: Based on the successful match, Nmap reports the service name and version. If no specific match is found, it might make an educated guess or report "unknown."

The problem Nmap solves is the ambiguity of open ports. A port being open doesn’t tell you what is listening. Is it a web server, a proxy, a specific application? -sV adds a layer of intelligence by trying to identify the application and its version, which is crucial for vulnerability assessment.

The most surprising thing is how often Nmap doesn’t get the exact version, but rather a common, generic version string. This happens because many services, especially older or custom ones, don’t send specific version information in their banners. They might send a generic "Apache" or "nginx" without the precise patch level. Nmap’s probe-response matching is sophisticated, but it relies on the service actually sending discernible information. It’s also common for firewalls or proxy servers to intercept and modify banners, presenting their own identity instead of the backend service.

When Nmap can’t reliably determine the version from the banner, it might resort to other techniques like sending different protocol-specific requests or even attempting to trigger error messages that contain version information. The nmap-service-probes file is a living document, constantly updated by the Nmap community, which is why running an up-to-date Nmap version is important.

The next frontier after getting service versions is understanding the implications of those versions, particularly their known vulnerabilities.

Want structured learning?

Take the full Nmap course →