Host vulnerability scans involve running tests against an operating system, including its default services. Often the focus is a single host. Hosts not only run common network services; they often also run specialized applications that use non-standard or dynamically assigned ports. Compromised hosts might also have malware backdoors listening on unusual ports. The challenge is to map each discovered port to the process that is actually listening on it. You cannot assume that a well-known port is being used by the service normally associated with it: a scanner sees only the network side of the socket, so a port number (or even a banner) is evidence, not proof, of which program answered.
Here are some examples of using Nmap for host vulnerability scanning. The -Pn option skips host discovery and treats the target as up, which matters when the host drops ICMP; vuln, exploit and dos are NSE script categories, and the last two are intrusive.
nmap -Pn --script vuln <target> (Run the vuln category of NSE scripts to check for common vulnerabilities.)
nmap -Pn --script exploit <target> (Scan for vulnerabilities and attempt to automatically exploit them. Only use this against systems you are authorized to attack.)
nmap --script dos -Pn <target> (Test to see if a host is vulnerable to DoS attacks. These scripts can actually crash the service or host, so do not run them against production systems without an agreed maintenance window.)
nmap -sV -vv <target> (Scan and interrogate open ports for service version information. Produce very verbose output. Version detection sends probes and matches responses, so it can identify a service running on an unexpected port, but it cannot tell you which local process owns the socket.)
A good vulnerability scanner should be able to identify common services running on a host. If you are scanning for defensive purposes and cannot identify the underlying process, you can run the netstat command on the host itself, which lists each listening socket together with the PID and program name that owns it. Both forms below need elevated privileges (root or an administrator prompt) to show the owning process for sockets belonging to other users.
Linux: netstat -natp (-n numeric addresses, -a all sockets, -t TCP only, -p show PID/program name). On modern distributions that no longer ship netstat, ss -tlnp from iproute2 gives the same information for listening TCP sockets.
Windows: netstat -nabo (-n numeric addresses, -a all connections and listening ports, -b the executable that created each socket, -o the owning PID).
