ELI5: How does Nmap figure out what ports are open, what services/versions are running, and even what operating system is used?
Comments
It just checks all ports to see what ports are opened.
To detect what kind of services run on these ports it will use a big database of common known services and compare the output of these ports while doing generic requests (so something like a generic TLS handshake)
In the easiest way you just try to talk with a certain port at the target PC. If you get a connection, then you know the port is open.
It is more complicated if the port is blocked by a firewall or similar; then you can try to deduce from the response (or non-response) whether there is a firewall present.
The operating system detection is similar. Windows and Linux have slight differences in how they react to incoming packets and how the packets they send look. By analysing the relevant information you can deduce what system the target is running.
Data packets also contain a number that counts up. From this number you can also derive how long the target computer has already been running (the uptime).
Sends packet to port.
If response, it’s open.
Checks response packet for known things that return specific packets (ftp, email, web, etc)
A lot of times those returns include OS type.
Bonus: It also knows if there’s a firewall if the firewall drops the packet over a forced RST packet.
Actual ELI5 answer:
The same way a 5 year old figures out boundaries. Just start trying things and see what works and what doesn’t work.
Talk back to your mom and get a timeout, that port is blocked. Use the potty and get a reward, that port is open.
As far as the operating system, it’s a guess based on various things. Some operating systems are more likely to have certain ports open, and other operating systems are likely to not have those open, for example.
knock, knock, who’s there?
NMAP basically connects to all ports in a loop (or in parallel). It first sends a “SYN” (synchronise) packet to the server with the current port number set as the destination port in the packet header.
If the port is open, the server will respond with a SYN-ACK (synchronize-acknowledge) packet.
If the port is closed, the server will respond with a SYN-RST (synchronize-reset) packet.
As for specific services/versions, this can often be done with a simple “banner grab”. Typically (for more traditional/older services like SMTP/POP3/FTP etc at least) a specific server process will (after the connection has been established) respond with a string of ASCII text that provides the software name / version and sometimes other details.
For example:
“220 mail.example.com ESMTP Sendmail 8.15.2/8.15.2; Mon, 7 Jul 2025 22:45:46 +0000”
Which tells nmap that the server is running the “Sendmail” SMTP server software with version 8.15.2 on whichever port it tried to connect to (probably 25 or 587 in the case of SMTP).
There may be other ways of fingerprinting, like specific byte sequences that differ between versions, or responses to specific commands.
Often nmap will try to guess the type of service based on the port number, this guess is often wrong however.
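The two steps the comment above describes, the SYN-response state rules and the banner grab with a port-number fallback, as an added Python example (not nmap's own code). The banner patterns, the port-guess table and the sample host replies are constructed for illustration; nmap's real nmap-service-probes database is far larger and matches raw bytes, not only greeting strings.

```python
import re
from typing import Optional

# Port-state rules of a SYN scan, as the comment above describes them:
# SYN-ACK means open, RST means closed, silence means a firewall dropped it.
def classify_syn_response(flags: Optional[str]) -> str:
    if flags is None:
        return "filtered"
    if "SYN" in flags and "ACK" in flags:
        return "open"
    if "RST" in flags:
        return "closed"
    return "unknown"

# Constructed banner patterns (hypothetical; nmap's nmap-service-probes file is
# far larger and also matches raw bytes, not just greeting strings).
BANNER_PATTERNS = [
    ("smtp", re.compile(r"^220 \S+ ESMTP (Sendmail) ([\d.]+)")),
    ("ssh", re.compile(r"^SSH-2\.0-(OpenSSH)_([\w.]+)")),
    ("ftp", re.compile(r"^220 \((vsFTPd) ([\d.]+)\)")),
]

# Port-number fallback, used only when no banner matched (a guess, not a fact).
PORT_GUESS = {21: "ftp", 22: "ssh", 25: "smtp", 80: "http", 587: "smtp"}

def identify_service(port: int, banner: Optional[str]) -> dict:
    """Banner grab first; fall back to the port-number guess with low confidence."""
    if banner:
        for service, pattern in BANNER_PATTERNS:
            m = pattern.match(banner)
            if m:
                return {"service": service, "product": m.group(1),
                        "version": m.group(2), "confidence": "banner"}
    return {"service": PORT_GUESS.get(port, "unknown"), "product": None,
            "version": None, "confidence": "port-guess"}

# Constructed scan replies: port -> (TCP flags seen in reply, banner read after connect).
SAMPLE_HOST = {
    22: ("SYN,ACK", "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13"),
    25: ("SYN,ACK", "220 mail.example.com ESMTP Sendmail 8.15.2/8.15.2; Mon, 7 Jul 2025 22:45:46 +0000"),
    80: ("SYN,ACK", ""),          # open, but HTTP sends no greeting on its own
    443: ("RST", None),           # closed: the host answered with a reset
    3389: (None, None),           # no reply at all: a firewall dropped the SYN
}

def scan(host: dict) -> dict:
    """Apply both steps to every probed port: state first, service only if open."""
    report = {}
    for port, (flags, banner) in host.items():
        state = classify_syn_response(flags)
        entry = {"state": state}
        if state == "open":
            entry.update(identify_service(port, banner))
        report[port] = entry
    return report
```

Port 80 shows why the fallback is marked as a guess: the port is open, but without a greeting the only evidence is the port number.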
There are only 65000 possible ports, the program simply checks all of them by sending a message to each. If it gets a reply then that port is open, and usually that reply contains some info about what kind of service is running on that port.