13. Nmap Banner Grabbing

Banner grabbing is a technique for gathering information about the services running on a system's open ports. The banner a service returns often includes the software name, version, and other metadata, which can help in identifying potential vulnerabilities.

In Nmap, the banner NSE script is used to perform banner grabbing on open ports.


Syntax

nmap -p <port(s)> --script banner <target>
  • -p <port(s)>: Specifies the ports to scan.
  • --script banner: Executes the banner NSE script to retrieve service banners.
  • <target>: The target IP address or hostname.

Examples

1. Banner Grabbing on Specific Ports

nmap -p 22,80 --script banner 192.168.1.1

Explanation:

  • -p 22,80: Scans ports 22 (SSH) and 80 (HTTP).
  • --script banner: Retrieves service banners for the specified ports.
  • 192.168.1.1: Target IP address.

Output (Example):

PORT   STATE SERVICE
22/tcp open  ssh
| banner: SSH-2.0-OpenSSH_8.4p1 Debian-5
80/tcp open  http
| banner: Apache/2.4.41 (Ubuntu)
|_Server: Apache/2.4.41 (Ubuntu)

Interpretation:

  • Port 22 is running OpenSSH version 8.4p1.
  • Port 80 is hosting an HTTP service using Apache version 2.4.41.

2. Banner Grabbing on Multiple Common Ports

nmap -F --script banner 192.168.1.1

Explanation:

  • -F: Performs a fast scan, which checks a predefined list of 100 common ports instead of all 65,535 ports.
  • --script banner: Retrieves banners for any open services on these ports.
  • 192.168.1.1: Target IP address.

Output (Example):

PORT     STATE SERVICE
21/tcp   open  ftp
| banner: 220 (vsFTPd 3.0.3)
22/tcp   open  ssh
| banner: SSH-2.0-OpenSSH_8.4p1 Debian-5
80/tcp   open  http
| banner: Apache/2.4.41 (Ubuntu)
443/tcp  open  https
| banner: nginx/1.18.0 (Ubuntu)

Interpretation:

  • Port 21 is running vsFTPd version 3.0.3.
  • Port 22 is running OpenSSH version 8.4p1.
  • Port 80 is running Apache 2.4.41.
  • Port 443 is running nginx version 1.18.0.

Key Points

  • Purpose: Banner grabbing helps identify the software and versions running on a target, which is useful for security assessments.
  • Advantages:
    • Quickly identify services and their versions.
    • Provides data to match against vulnerability databases.
  • Limitations: Some services may hide or obfuscate their banners to prevent identification.
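
The interpretation step from the two examples above, automated as an added example (not part of the original page or of Nmap): it parses scan output in the format shown into per-port product and version records, and leaves ports with a missing or unrecognised banner unidentified, which is the limitation noted in Key Points. The function names, the three banner patterns, the `|_` prefix on the last banner and the 8080 line are assumptions made for illustration.

```python
import re

# Sample input: the example output from this page, with the last banner written in
# nmap's "|_" final-line form and one constructed port (8080) that has no banner.
SAMPLE = """\
PORT     STATE SERVICE
21/tcp   open  ftp
| banner: 220 (vsFTPd 3.0.3)
22/tcp   open  ssh
| banner: SSH-2.0-OpenSSH_8.4p1 Debian-5
80/tcp   open  http
| banner: Apache/2.4.41 (Ubuntu)
443/tcp  open  https
|_banner: nginx/1.18.0 (Ubuntu)
8080/tcp open  http-proxy
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
BANNER_LINE = re.compile(r"^\|[_ ]\s*banner:\s*(.*)$")
# Product/version shapes seen in the banners above; anything else stays raw.
PATTERNS = [
    re.compile(r"^SSH-[\d.]+-(?P<product>[A-Za-z]+)_(?P<version>\S+)"),
    re.compile(r"^\d{3}[ -]\(?(?P<product>[A-Za-z]+) (?P<version>\d[\w.]*)\)?"),
    re.compile(r"^(?P<product>[A-Za-z][\w-]*)/(?P<version>\d[\w.]*)"),
]

def identify(banner):
    """Return (product, version), or (None, None) if the banner is unrecognised."""
    for pat in PATTERNS:
        m = pat.match(banner)
        if m:
            return m.group("product"), m.group("version")
    return None, None

def parse_scan(text):
    """Turn nmap output containing banner script results into one record per port."""
    records = []
    for line in text.splitlines():
        port = PORT_LINE.match(line)
        banner = BANNER_LINE.match(line)
        if port:
            records.append({"port": int(port.group(1)), "state": port.group(3),
                            "service": port.group(4), "banner": None,
                            "product": None, "version": None})
        elif banner and records:
            rec = records[-1]  # script output belongs to the port line above it
            rec["banner"] = banner.group(1).strip()
            rec["product"], rec["version"] = identify(rec["banner"])
    return records
```

Calling `parse_scan(SAMPLE)` yields five records; the records with a product and version can be compared against a software inventory or vulnerability feed, and the ones left unidentified need a different identification method.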

Use Cases

  • Vulnerability Assessment: Identify outdated or vulnerable services.
  • Reconnaissance: Gather intelligence about a target during penetration testing.
  • Network Troubleshooting: Validate service configurations.