Sponsored By:


www.tenablesecurity.com


http://twitter.com/pauldotcom


http://www.facebook.com/group.php?gid=6678027341


www.youtube.com/pauldotcom




Banner Grabbing with Nmap: Reloaded

By
Larry Pesce
on December 16, 2008 4:31 PM |

by Paul Asadoorian

Back when I worked for a university I need to write a fast banner grabber. This had to grab banners either on a specific port, or a set of ports and run against two class B networks. Speed was key, the faster the better as my incident response process relied on saving time. Why? I was trying to look for one of two things:

* Compromised hosts listening on a particular port using a backdoor or FTP server that had a known banner

* Vulnerable software that had a specific banner which was being used by attackers to compromise systems

bootoutput.jpgI wrote a quick banner grabber in C because Nmap was not quite right (at the time). Nmap was awesome at finding ports, and awesome at sending a bunch of packets at a port to determine the version and type of service running. With two class B networks, I didn't have time to wait for Nmap to send a whole bunch of packets to each port. I want to complete the handshake, send one packet with a "\n\r", and grab what comes back. Turns out, Nmap Scripting Engine solved my problem! Now with a little bit of Lua-Foo I can do what I want with Nmap, and take advantage of all of its powerful features (such as host discovery). I took my banner grabbing problem and just a few lines of code later, I had ported this functionality to Nmap:




id="Banner"

description="connects to each open port and send CRLF to grab banner"

author = "Paul Asadoorian (paul@pauldotcom.com)"

license = "Same as Nmap--See http://nmap.org/book/man-legal.html"

categories = {"discovery"}


require "comm"

require "shortport"


portrule = function(host, port)

  return (port.number and port.protocol == "tcp")

end


action = function(host, port)

	local try = nmap.new_try()


return  try(comm.exchange(host, port, "\r\n", {lines=100, proto=port.protocol, timeout=500}))


end

The output looks as follows:




# Nmap 4.76 scan initiated Wed Oct  8 23:15:50 2008 as: nmap -sV -oA bannertest%T%D -T4 -sS --script=bannergrab.nse -p1-65535 192.168.1.230 

Interesting ports on 192.168.1.230:

Not shown: 65531 closed ports

PORT     STATE SERVICE    VERSION

23/tcp   open  telnet     HP JetDirect printer telnetd

|  Banner: \xFF\xFC\x01

|  Please type [Return] two times, to initialize telnet configuration

|  For HELP type "?"

|_ > 

515/tcp  open  printer?

9099/tcp open  unknown?

9100/tcp open  jetdirect?

MAC Address: 00:60:B0:BD:68:B0 (Hewlett-packard CO.)

Service Info: Device: printer


Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .

# Nmap done at Wed Oct  8 23:27:14 2008 -- 1 IP address (1 host up) scanned in 684.29 seconds


I ran both my script and -sV so you can see an example of the difference.

- Paul Asadoorian, PaulDotCom Enterprises

[Editor's note: Awesome work Paul! A great compliment to the official release of Fyodor's Nmap book. Hail the power of NSE!]

Categories: