Banner Grabbing with Nmap: Reloaded


by Paul Asadoorian
Back when I worked for a university I need to write a fast banner grabber. This had to grab banners either on a specific port, or a set of ports and run against two class B networks. Speed was key, the faster the better as my incident response process relied on saving time. Why? I was trying to look for one of two things:
* Compromised hosts listening on a particular port using a backdoor or FTP server that had a known banner
* Vulnerable software that had a specific banner which was being used by attackers to compromise systems
bootoutput.jpgI wrote a quick banner grabber in C because Nmap was not quite right (at the time). Nmap was awesome at finding ports, and awesome at sending a bunch of packets at a port to determine the version and type of service running. With two class B networks, I didn’t have time to wait for Nmap to send a whole bunch of packets to each port. I want to complete the handshake, send one packet with a “nr”, and grab what comes back. Turns out, Nmap Scripting Engine solved my problem! Now with a little bit of Lua-Foo I can do what I want with Nmap, and take advantage of all of its powerful features (such as host discovery). I took my banner grabbing problem and just a few lines of code later, I had ported this functionality to Nmap:

description="connects to each open port and send CRLF to grab banner"
author = "Paul Asadoorian ([email protected])"
license = "Same as Nmap--See"
categories = {"discovery"}

require "comm" require "shortport"
portrule = function(host, port) return (port.number and port.protocol == "tcp") end
action = function(host, port) local try = nmap.new_try()
return try(, port, "rn", {lines=100, proto=port.protocol, timeout=500}))

The output looks as follows:

# Nmap 4.76 scan initiated Wed Oct  8 23:15:50 2008 as: nmap -sV -oA bannertest%T%D -T4 -sS --script=bannergrab.nse -p1-65535
Interesting ports on
Not shown: 65531 closed ports
23/tcp   open  telnet     HP JetDirect printer telnetd
|  Banner: xFFxFCx01
|  Please type [Return] two times, to initialize telnet configuration
|  For HELP type "?"
|_ >
515/tcp  open  printer?
9099/tcp open  unknown?
9100/tcp open  jetdirect?
MAC Address: 00:60:B0:BD:68:B0 (Hewlett-packard CO.)
Service Info: Device: printer

Service detection performed. Please report any incorrect results at . # Nmap done at Wed Oct 8 23:27:14 2008 -- 1 IP address (1 host up) scanned in 684.29 seconds

I ran both my script and -sV so you can see an example of the difference.
– Paul Asadoorian, Security Weekly Enterprises
[Editor’s note: Awesome work Paul! A great compliment to the official release of Fyodor’s Nmap book. Hail the power of NSE!]

Larry Pesce

Larry’s core specialties include hardware and wireless hacking, architectural review, and traditional pentesting. He also regularly gives talks at DEF CON, ShmooCon, DerbyCon, and various BSides. Larry holds the GAWN, GCISP, GCIH, GCFA, and ITIL certifications, and has been a certified instructor with SANS for 5 years, where he trains the industry in advanced wireless and Industrial Control Systems (ICS) hacking. Larry’s independent research for the show has led to interviews with the New York Times with MythBusters’ Adam Savage, hacking internet-connected marital aids on stage at DEFCON, and having his RFID implant cloned on stage at Shmoocon. Larry is also a Principal Instructor and Course Author for the SANS Institute for SEC617: Wireless Penetration Testing and Ethical Hacking and SEC556: IoT Penetration Testing. When not hard at work, Larry enjoys long walks on the beach weighed down by his ham radio, (DE KB1TNF), and thinking of ways to survive the impending zombie apocalypse.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.