Knowing that a given port is open is valuable information, but even more valuable is knowing what exact application is running on that port. The -sV option instructs Nmap to test for application type and version for all ports found to be open. The following example shows Nmap fingerprinting the open ports on my OS X host:
bryan@firemaw:~$ sudo nmap -n -sV 10.150.9.46
Interesting ports on 10.150.9.46:
(The 1667 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE VERSION
21/tcp open ftp tnftpd 20040810
22/tcp open ssh OpenSSH 3.8.1p1 (protocol 1.99)
80/tcp open http Apache httpd 1.3.33 ((Darwin) PHP/4.4.1)
427/tcp closed svrloc
443/tcp closed https
3689/tcp open rendezvous Apple iTunes 6.0.4 (on Mac OS X)
8080/tcp open http-proxy?
From the output, you can see that Nmap was able to identify the application version for all but one port (8080). Nmap relies on a user-submitted database of application fingerprints in order to identify applications. In this case, the server running on port 8080 (CherryPy) was obscure enough that a fingerprint wasn't available. When Nmap is unable to identify a port, it provides data to be submitted to the insecure.org web site so future versions will be able to identify the application out of the box.
By default, Nmap skips certain ports and less likely payloads when performing fingerprinting. To force it to use all payloads on all ports, use the --allports and --version-all options.