To better understand how nmap does service detection, I implemented a tool in Python that tries to do (more or less) the same. nmap detects what service is listening on a port, by sending it probes (particular byte sequences) and matching it with expected replies. These probes and replies can be found in file nmap-service-probes.
It allows me to experiment with service detection.
By default onion-connect-service-detection.py connects to service ports over the Tor network.
Here is an example where I use the tool to detect services on the 10 most popular ports (top:10) of example.com. With a time-out of 5 seconds.
onion-connect-service-detection_V0_0_1.zip (https)
MD5: 8C6D94E1CEE4747E18807CB95FCB1EE9
SHA256: ADC8D937522F55CC47C91E5DC01B2B7D22372E5726542DAF84134279643F8297
Article Link: New Tool: onion-connect-service-detection.py | Didier Stevens