Before studying this material, it is recommended to read the previous article.
In this article we will look at what to do after we have found open ports on a host.
First, for every open port we find, we need to identify which service is listening on it and which version of that service is running.
Before reaching for nmap, you can try banner grabbing: many services (SSH, FTP, SMTP and others) announce themselves as soon as a client connects, so simply connecting to the port, for example with netcat, is often enough to get the banner:
As you can see, the banner tells us which service is listening and which version it runs. Keep in mind that a banner is just whatever the service chooses to send: administrators can change or remove it, so treat it as a hint rather than proof. nmap does much the same thing, but it also sends protocol-specific probes and matches the responses against its signature database, which works even for services that do not speak first.
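The banner-grabbing step above, as an added example that is not code from the original article. It shows the two cases a practitioner meets: a service that speaks first (SSH) and one that waits for the client (HTTP), and it parses the SSH identification string into the fields that version detection and vulnerability lookups key on. The targets are constructed local servers with placeholder banners so the script runs offline; in practice point grab_banner() at the real host and port.

```python
"""Added example (not code from the original article): a minimal banner grabber.

Connects to host:port and returns what the service volunteers. SSH, FTP, SMTP
and POP3 speak first, so their banner arrives unprompted; HTTP waits for the
client, so for it we send a HEAD request and read the Server header instead.
The targets below are constructed local servers so the script runs offline;
in practice point grab_banner() at the real host and port.
"""
import re
import socket
import threading

# SSH identification string, RFC 4253 section 4.2:
#   SSH-protoversion-softwareversion SP comments CR LF
SSH_BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)


def grab_banner(host, port, timeout=3.0, http_probe=False):
    """Return the service's first line, or the HTTP Server header when
    http_probe is set; '' if the service says nothing before the timeout."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if http_probe:
            s.sendall(b"HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
        chunks = []
        try:
            while True:
                data = s.recv(4096)
                if not data:          # server closed the connection
                    break
                chunks.append(data)
                if not http_probe and b"\n" in data:
                    break             # one line is all a banner is
        except socket.timeout:
            pass                      # silent service (e.g. a TLS port)
    text = b"".join(chunks).decode("latin-1", errors="replace")
    if http_probe:
        for line in text.split("\r\n"):
            if line.lower().startswith("server:"):
                return line.split(":", 1)[1].strip()
        return ""
    return text.split("\n", 1)[0].rstrip("\r")


def parse_ssh_banner(banner):
    """Split an SSH banner into proto / software / comments, or None if it is
    not SSH. The software field is what -sV turns into product and version and
    what later vulnerability lookups key on; remember an admin can edit it."""
    m = SSH_BANNER_RE.match(banner)
    if not m:
        return None
    return {k: (v or "") for k, v in m.groupdict().items()}


def _constructed_server(reply, read_request_first):
    """Stand-in target for offline use: serves one connection with a canned
    reply (the banners used below are constructed, not captured from a host)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        if read_request_first:        # HTTP: wait for the client's request
            conn.recv(4096)
        conn.sendall(reply)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def demo():
    """Grab an SSH banner and an HTTP Server header from constructed servers."""
    ssh_port = _constructed_server(
        b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6\r\n", False)
    http_port = _constructed_server(
        b"HTTP/1.0 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n"
        b"Content-Length: 0\r\n\r\n", True)
    ssh = grab_banner("127.0.0.1", ssh_port)
    http = grab_banner("127.0.0.1", http_port, http_probe=True)
    return ssh, parse_ssh_banner(ssh), http


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The recv loop stops at the first newline for services that speak first, but reads to end-of-stream for the HTTP case because the interesting header is not on the first line; the timeout is what saves you on ports where nothing is ever sent (TLS, many binary protocols), which is exactly where nmap's probe database earns its keep.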
nmap does this with the -sV flag (service and version detection):
Once we know the services and their versions, we can use NSE scripts (the Nmap Scripting Engine) to gather more information about them, enumerate them further, and check for known vulnerabilities.
The -sC flag runs the default script set (it is equivalent to --script=default); its output for ports 22 and 80 is shown at the end of this article:
Keep in mind that many of the findings will be false positives: most vuln scripts match on a version string or a generic heuristic (the http-csrf and http-slowloris-check results at the end of this article are of that kind) and report LIKELY VULNERABLE rather than a confirmed issue, so every finding must be verified by hand before you rely on it. Also remember that script scans are slow and noisy: they send many more requests than a port scan, spider the web application, and are easy to spot in an IDS or in the target's logs.
To choose which scripts run, use the --script flag with a comma-separated list of script names or categories. For example, --script vuln runs every script in the vuln category (the output is shown at the end of this article):
A complete list of scripts and what they do can be found in the NSEDoc reference at https://nmap.org/nsedoc/, or locally with nmap --script-help vuln (replace vuln with any script name or category).
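The -sV, -sC and --script steps above produce text that is easy to read but awkward to filter once you have more than a couple of hosts. As an added example that is not code from the original article, the script below parses nmap's XML output (written with -oX) and pulls out, per open port, the -sV product/version and CPEs plus every NSE script result, then triages vuln-category results by their State line so that LIKELY VULNERABLE findings are separated from confirmed ones. SAMPLE_XML is constructed for this example; the host 192.0.2.10 and the products and versions in it are placeholders, not results from the article's scan.

```python
"""Added example (not code from the original article): read nmap's XML output
(-oX) instead of scraping its text, so -sV versions, CPEs and NSE script
results can be filtered and triaged programmatically.

SAMPLE_XML is constructed for this example. The host 192.0.2.10 and the
products/versions in it are placeholders, not results from the article's scan.
"""
import sys
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sV --script default,vuln -oX - 192.0.2.10" version="7.95" xmloutputversion="1.05">
<host><status state="up" reason="echo-reply"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="63"/>
<service name="ssh" product="OpenSSH" version="8.9p1 Ubuntu 3ubuntu0.6" extrainfo="Ubuntu Linux; protocol 2.0" method="probed" conf="10"><cpe>cpe:/a:openbsd:openssh:8.9p1</cpe></service>
</port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="63"/>
<service name="http" product="Apache httpd" version="2.4.41" extrainfo="(Ubuntu)" method="probed" conf="10"><cpe>cpe:/a:apache:http_server:2.4.41</cpe></service>
<script id="http-title" output="Security Dashboard"/>
<script id="http-csrf" output="&#xa;Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.0.2.10&#xa;  Found the following possible CSRF vulnerabilities: &#xa;    Path: http://192.0.2.10:80/&#xa;    Form id: &#xa;    Form action: #"/>
<script id="http-slowloris-check" output="&#xa;  VULNERABLE:&#xa;  Slowloris DOS attack&#xa;    State: LIKELY VULNERABLE&#xa;    IDs:  CVE:CVE-2007-6750&#xa;    Disclosure date: 2009-09-17"/>
</port>
<port protocol="tcp" portid="443"><state state="closed" reason="reset" reason_ttl="63"/><service name="https" method="table" conf="3"/></port>
</ports>
</host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per open port: service, -sV product/version, CPEs and
    the raw output of every NSE script that ran against that port."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports carry no service detail
            svc = port.find("service")
            results.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                # -sV fills product/version/extrainfo (method="probed");
                # without it only 'name' is present, guessed from the port
                # number table (method="table", conf="3").
                "service": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
                "cpe": [c.text for c in svc.findall("cpe")] if svc is not None else [],
                "scripts": {s.get("id"): s.get("output", "")
                            for s in port.findall("script")},
            })
    return results


def vuln_findings(results):
    """Pull the 'State:' verdict out of every script result.

    NSE vuln scripts report VULNERABLE, LIKELY VULNERABLE or NOT VULNERABLE.
    Only VULNERABLE was actually confirmed by a check; LIKELY means the script
    matched a version or a generic heuristic and you must verify by hand.
    Scripts such as http-csrf never emit a State line, so their output still
    has to be read; this function only surfaces the ones that do.
    """
    findings = []
    for r in results:
        for sid, out in r["scripts"].items():
            for line in out.splitlines():
                line = line.strip()
                if line.startswith("State:"):
                    state = line.split(":", 1)[1].strip()
                    if state != "NOT VULNERABLE":
                        findings.append((r["host"], r["port"], sid, state))
    return findings


if __name__ == "__main__":
    # Usage: nmap -sV --script default,vuln -oX scan.xml TARGET
    #        python3 this_script.py scan.xml   (falls back to SAMPLE_XML)
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    results = parse_nmap_xml(xml_text)
    for r in results:
        print(f"{r['host']}:{r['port']}/{r['proto']} {r['service']} "
              f"{r['product']} {r['version']} {r['cpe']}")
    for host, port, sid, state in vuln_findings(results):
        print(f"  [{state}] {sid} on {host}:{port}")
```

Generate the input with -oX (or -oA to keep the normal text alongside it); the XML keeps the product, version and CPE as separate attributes, which is what you want when feeding versions into a CVE lookup, and the State field gives you a cheap first cut between "go verify this" and "nmap already confirmed it".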
We can also use online services such as Shodan and Censys for passive information gathering: they continuously scan the Internet themselves, so we can look up a host's open ports, the services behind them and the vulnerabilities associated with those versions without sending a single packet to the target. The downside is that the results are not live; they show the most recent scan each service has on record, which may be days or weeks old.
Example search in Shodan:
Example search in Censys:
Thanks for reading!
This page is not completely finished yet, and will be updated.
╰─ nmap -p 22,80 -sC 10.129.30.147
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-02 20:31 EST
Nmap scan report for 10.129.30.147
Host is up (0.13s latency).

PORT   STATE SERVICE
22/tcp open  ssh
| ssh-hostkey:
|   3072 fa:80:a9:b2:ca:3b:88:69:a4:28:9e:39:0d:27:d5:75 (RSA)
|   256 96:d8:f8:e3:e8:f7:71:36:c5:49:d5:9d:b6:a4:c9:0c (ECDSA)
|_  256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519)
80/tcp open  http
|_http-title: Security Dashboard

Nmap done: 1 IP address (1 host up) scanned in 27.96 seconds
╰─ nmap -p 22,80 --script vuln 10.129.30.147
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-02 20:35 EST
Stats: 0:01:31 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
Nmap scan report for 10.129.30.147
Host is up (0.12s latency).

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.129.30.147
|   Found the following possible CSRF vulnerabilities:
|
|     Path: http://10.129.30.147:80/
|     Form id:
|     Form action: #
|
|     Path: http://10.129.30.147:80/ip
|     Form id:
|     Form action: #
|
|     Path: http://10.129.30.147:80/data/1
|     Form id:
|     Form action: #
|
|     Path: http://10.129.30.147:80/netstat
|     Form id:
|_    Form action: #
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.

Nmap done: 1 IP address (1 host up) scanned in 1581.90 seconds