Nmap Service And OS Detection



Warnings to take into consideration:
→ Scanning a network without the owner's permission can land you in jail.
→ Aggressive scanning can cause the target system to crash.

This article is for Educational Purpose Only.

Let's start this tutorial.

Operating System (OS) Detection:
The -O parameter is used to enable the operating system detection feature.
Usage: nmap -O [Target]
Example: nmap -O

In the above example we can see that Nmap (in most cases) is able to identify the
Operating System of the target.

The Operating System is determined by analyzing the responses from the target.

The -A option can also be used for OS detection.

OS detection is more effective when the target has at least one open and one closed port.
When you have multiple targets, use the --osscan-limit option with -O so that Nmap will not perform an OS scan on hosts that do not meet this criterion. This will definitely save you time.

Suppose we want to view additional information about what Nmap discovers about the target:
we can use the -O option with verbose mode (-v).

Guessing Operating System:
The --osscan-guess option can be used when Nmap is unable to identify the OS accurately.
Usage: nmap -O --osscan-guess [Target]
Example: nmap -O --osscan-guess testphp.vulnweb.com

We can see that Nmap gives possible matches for the target's operating system. We also see
the percentage beside each Operating System name, indicating the confidence.

Service Version Detection:
We can detect the version of the services that are running on the target.
Usage: nmap -sV [Target]
Example: nmap -sV testphp.vulnweb.com

The result shows Port, State, Service and Version.
With the -sV option, Nmap tries to identify the vendor and software version for any open ports.

Suppose we want to see the services for specific ports only. Then we can use a command like this:
nmap -sV -p 21,22,80,443 testphp.vulnweb.com
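
Added example (not part of the original article): for a scan of hosts you administer, saved with Nmap's -oX XML output option, this Python code extracts the OS guesses with their confidence percentage and the version column for open ports. The sample XML is constructed, and parse_scan and min_accuracy are hypothetical names.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the XML written by `nmap -O -sV -oX <file>` (trimmed).
SAMPLE_XML = """<nmaprun scanner="nmap">
 <host>
  <address addr="192.0.2.10" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="22"><state state="open"/>
    <service name="ssh" product="OpenSSH" version="7.4"/></port>
   <port protocol="tcp" portid="80"><state state="open"/>
    <service name="http"/></port>
   <port protocol="tcp" portid="443"><state state="closed"/>
    <service name="https"/></port>
  </ports>
  <os>
   <osmatch name="Linux 2.6.32" accuracy="91"/>
   <osmatch name="Linux 3.10 - 4.11" accuracy="96"/>
   <osmatch name="Linux 4.4" accuracy="85"/>
  </os>
 </host>
</nmaprun>"""

def parse_scan(xml_text, min_accuracy=90):
    """Per host: address, OS guesses at or above min_accuracy, open services."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        # Each OS guess carries a confidence percentage; keep confident ones, best first.
        guesses = [(m.get("name"), int(m.get("accuracy"))) for m in host.iter("osmatch")]
        guesses = sorted((g for g in guesses if g[1] >= min_accuracy),
                         key=lambda g: g[1], reverse=True)
        services = []
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # only open ports are reported here
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            # product/version are missing when the service was not fingerprinted
            version = " ".join(filter(None, (attrs.get("product"), attrs.get("version"))))
            services.append((f'{port.get("portid")}/{port.get("protocol")}',
                             attrs.get("name", "unknown"), version or "not identified"))
        hosts.append({"address": host.find("address").get("addr"),
                      "os_guesses": guesses, "services": services})
    return hosts

if __name__ == "__main__":
    for h in parse_scan(SAMPLE_XML):
        print(h["address"], h["os_guesses"])
        for port, name, version in h["services"]:
            print(f"  {port:<8} {name:<8} {version}")
```

Service banners in scan results come from the scanned host, so when the XML may come from an untrusted source, parse it with a hardened parser such as defusedxml.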

Troubleshooting Version Scan:
The --version-trace option is used to display verbose version scan activity.
Usage: nmap -sV --version-trace [Target]
Example: nmap -sV --version-trace testphp.vulnweb.com

This option is very useful for seeing additional information about the target.


  • All the options/parameters used in Nmap are case sensitive (e.g. -A, -O, -sV).
  • Multiple parameters/options can be combined to get the desired results.

I am sure there are many more handy Nmap examples. If you want to add to this list feel free to drop it into a comment.