
Gathering version info

When Nmap runs a port scan, it retrieves the port state (open/closed/filtered) and then reports the default service for that port, that is, the service conventionally assigned to that port number. Because any service can be run on any port, that may not be adequate information. If our attack requires a particular service on a particular port, the default information may not be enough. We need to know what service is actually running on that port, not the default service. For instance, knowing that port 80 is open and running HTTP is good to know, but if our attack is specific to Apache, and the target has Microsoft's IIS running on that port, it won't work. We often need to know the actual service on the port.

Nmap has a feature that interrogates the service running on each port scanned. It can be used with the -sV switch. Type nmap -sV 192.168.10.70:

Note that, in the output we received, the server is running an older version of IIS on port 80. That makes a tempting target!
