Banner Grabs with netcat and nmap

2011/12/22

Both netcat and trusty nmap can be used to quickly grab a service banner. Here are a few tips.



The netcat command is simply:

$ nc [target] [port]

Add -v for verbose output; it confirms the connection succeeded even when the service sends nothing on its own.

Examples:

$ nc -v scottlinux.com 22
Connection to scottlinux.com 22 port [tcp/ssh] succeeded!
SSH-2.0-OpenSSH_5.3p1

$ nc -v scottlinux.com 80
Connection to scottlinux.com 80 port [tcp/http] succeeded!
HEAD / HTTP/1.1
[enter, enter]

HTTP/1.1 400 Bad Request
Date: Thu, 22 Dec 2011 16:17:19 GMT
Server: Apache
Strict-Transport-Security: max-age=43200; includeSubDomains
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1

Unlike SSH and SMTP, HTTP says nothing until you speak first, so you type the request yourself. The 400 is expected: HTTP/1.1 requires a Host header and the request above doesn't send one. The Server header comes back anyway, which is all a banner grab needs; type Host: scottlinux.com on the line after the HEAD if you want a normal response. Port 443 won't work this way with plain nc, since the banner is behind TLS; use openssl s_client -connect scottlinux.com:443 and type the same request.

$ nc -v scottlinux.com 25
Connection to scottlinux.com 25 port [tcp/smtp] succeeded!
220 *************************

The row of asterisks is not a broken mail server: a Cisco PIX/ASA in front of the host is inspecting SMTP and masking the real 220 greeting. That is itself useful information, and nmap's version detection calls it out by name below.

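The three nc sessions above, scripted. This is an added example, not code from the original post: a small Python banner grabber that sends the right probe per protocol (nothing for SSH and SMTP, a HEAD with a Host header for HTTP, the same over TLS for 443), reads until the server goes quiet, and pulls out the Server header. The start_fake_service helper is a constructed local stand-in for a real service so the script runs offline; the hostnames in the comments are placeholders.

```python
"""Banner grabbing with plain sockets: what the nc sessions do, scripted."""
import socket
import ssl
import threading


def http_probe(host: str) -> bytes:
    """A HEAD request that an HTTP/1.1 server will actually answer.

    HTTP/1.1 requires Host; without it Apache returns 400 (as seen with nc).
    Connection: close makes the server hang up so the read loop ends cleanly.
    """
    return (f"HEAD / HTTP/1.1\r\nHost: {host}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")


def grab_banner(host: str, port: int, probe: bytes = b"", use_tls: bool = False,
                timeout: float = 3.0, max_bytes: int = 4096) -> str:
    """Connect, optionally send a probe, and return whatever the service says.

    Services that speak first (SSH, SMTP, FTP) need probe=b"". Reading stops
    when the peer closes, when max_bytes is reached, or after `timeout`
    seconds of silence, so a server waiting for *our* hello does not hang us.
    """
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        if use_tls:
            ctx = ssl.create_default_context()
            ctx.check_hostname = False        # we want the banner, not trust
            ctx.verify_mode = ssl.CERT_NONE
            sock = ctx.wrap_socket(sock, server_hostname=host)
        if probe:
            sock.sendall(probe)
        chunks, total = [], 0
        while total < max_bytes:
            try:
                data = sock.recv(1024)
            except socket.timeout:
                break                          # peer is waiting on us; done
            if not data:
                break                          # peer closed
            chunks.append(data)
            total += len(data)
        return b"".join(chunks).decode("utf-8", errors="replace")
    finally:
        sock.close()


def server_header(banner: str):
    """Return the value of the Server: header in an HTTP response, else None."""
    for line in banner.splitlines():
        if line.lower().startswith("server:"):
            return line.split(":", 1)[1].strip()
    return None


def start_fake_service(response: bytes, wait_for_request: bool = False) -> int:
    """Constructed test double: a one-shot local TCP listener that plays a
    service. If wait_for_request is set it behaves like HTTP (reads the
    client's request before answering); otherwise it speaks first like SSH.
    Returns the port it is listening on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            if wait_for_request:
                conn.settimeout(3)
                try:
                    conn.recv(4096)
                except socket.timeout:
                    pass
            conn.sendall(response)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Offline demo against the constructed fake; swap in a real host/port
    # (e.g. "example.com", 22 / 80 / 443) to grab live banners.
    ssh_port = start_fake_service(b"SSH-2.0-OpenSSH_5.3p1\r\n")
    print("ssh :", grab_banner("127.0.0.1", ssh_port).strip())
    web_port = start_fake_service(
        b"HTTP/1.1 200 OK\r\nServer: Apache\r\nConnection: close\r\n\r\n",
        wait_for_request=True)
    web = grab_banner("127.0.0.1", web_port, probe=http_probe("127.0.0.1"))
    print("http:", web.splitlines()[0], "| Server =", server_header(web))
```

For a real target, grab_banner("host", 443, probe=http_probe("host"), use_tls=True) does the TLS-wrapped HEAD that plain nc cannot. A masked SMTP greeting like the one above comes back as the string of asterisks, which server_header correctly reports as having no Server header.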

And of course nmap can be used for banner grabbing as well!

The nmap option for this is -sV, which runs version detection against every port the scan finds open. By default that means the 1,000 most common ports; add -p- to cover all 65,535. Root is not required for -sV itself: with sudo nmap discovers ports with a SYN scan, without it a full connect scan, and the version probes are the same either way.

$ sudo nmap -sV [target]

$ nmap -sV scottlinux.com

Starting Nmap 5.51 ( http://nmap.org ) at 2011-12-22 11:37 EST
Nmap scan report for scottlinux.com (173.230.156.66)
Host is up (0.083s latency).
rDNS record for 173.230.156.66: li166-66.members.linode.com
Not shown: 996 filtered ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 5.3p1 (protocol 2.0)
25/tcp  open  smtp     Cisco PIX sanitized smtpd
80/tcp  open  http     Apache httpd
443/tcp open  ssl/http Apache httpd
Service Info: Device: firewall

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.86 seconds

Sweet!