Detect Service Banners in Nmap


Introduction

In this lab, you will learn how to detect service banners using Nmap. The main goal is to gather information about network services running on a target machine, such as service names, versions, and operating systems. You'll run the banner script on a target IP, scan specific ports, add verbosity to the scan, save the results, and review and compare banners in the Xfce terminal.

You'll start by using the nmap --script banner command to scan all default ports on a target. Then, you'll scan specific ports, increase verbosity for more detailed output, save the results to a file, and finally analyze the banners to understand the services running on the target.



In this step, we will use Nmap's banner grabbing script to identify the services running on a target machine. Banner grabbing is a technique used to gather information about a network service by examining the banner it transmits when a connection is established. This banner often contains details such as the service name, version, and operating system.

First, let's understand the command we'll be using:

nmap --script banner 192.168.1.1

  • nmap: This is the command-line network scanner.
  • --script banner: This option tells Nmap to use the banner script, which is designed to grab banners from open ports.
  • 192.168.1.1: This is the target IP address. You'll need to replace this with the actual IP address of a machine on your network that you have permission to scan. For this lab environment, we will use 127.0.0.1 (localhost) as the target. This ensures you are scanning your own machine and avoids any potential ethical or legal issues.

Now, let's execute the command. Open your Xfce terminal and type the following:

nmap --script banner 127.0.0.1

This command will scan all the default ports on 127.0.0.1 and attempt to grab banners from any open services.

You might see output similar to this (the exact output will depend on the services running on your machine):

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:00 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000072s latency).
Other addresses for localhost (alias(es)): localhost

PORT   STATE SERVICE
22/tcp open  ssh
| banner: SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5
|_

Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds

In this example, Nmap found an SSH service running on port 22. The banner reveals that it's OpenSSH version 8.2p1 running on Ubuntu.

If you don't have any services running on your machine, you might not see any banner information. Don't worry, the command is still working. In later steps, we will configure services to ensure we have banners to capture.
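As an added illustration (not part of the lab and not Nmap's own code), the following Python script does what the banner script does: it opens a TCP connection and records whatever the service sends within a timeout. It also shows the main limitation of passive banner grabbing: a service that speaks first (an SSH daemon) yields a banner, while a request-driven service (an HTTP server) stays silent until the client sends something. The throw-away local services, their ports and the banner strings are constructed for the demo, and the probe parameter is this example's own, not an Nmap option.

```python
# Added illustration (not part of the lab): a minimal banner grabber that does
# what Nmap's banner script does, plus two throw-away local services to run it
# against. All hosts, ports and banner strings here are constructed.
import socket
import threading


def grab_banner(host, port, timeout=2.0, probe=None):
    """Connect to host:port and return what the service sends first.

    Like Nmap's banner script, this only records data the service volunteers
    once the TCP connection is open. Request-driven protocols (HTTP among them)
    stay silent until the client speaks, so a `probe` (a parameter of this
    example, not an Nmap option) can be sent before listening. Returns "" if
    nothing arrives before the timeout.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe is not None:
            s.sendall(probe)
        try:
            data = s.recv(1024)
        except socket.timeout:
            return ""
    return data.decode("ascii", errors="replace").strip()


def _fake_service(banner, waits_for_request=False):
    """Start a one-shot local TCP service for the demo and return its port.

    With waits_for_request=False it speaks first (like an SSH daemon); with
    True it sends `banner` only after the client has sent something (like an
    HTTP server answering a request).
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # port 0: let the kernel pick a free port
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            if waits_for_request and not conn.recv(1024):
                return  # client gave up without sending anything
            conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    """Grab from both kinds of service; returns a dict of results."""
    ssh_port = _fake_service(b"SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5\r\n")
    silent_port = _fake_service(b"HTTP/1.0 200 OK\r\n", waits_for_request=True)
    http_port = _fake_service(
        b"HTTP/1.0 200 OK\r\nServer: SimpleHTTP/0.6 Python/3.10\r\n\r\n",
        waits_for_request=True)
    return {
        # speaks first: a passive grab (what --script banner does) sees it
        "ssh_passive": grab_banner("127.0.0.1", ssh_port),
        # waits for a request: a passive grab times out and sees nothing
        "http_passive": grab_banner("127.0.0.1", silent_port, timeout=0.5),
        # same kind of service, but a request is sent before listening
        "http_probed": grab_banner("127.0.0.1", http_port,
                                   probe=b"HEAD / HTTP/1.0\r\n\r\n"),
    }


if __name__ == "__main__":
    for name, banner in demo().items():
        print(f"{name}: {banner!r}")
```

The difference between the "http_passive" and "http_probed" results is why Nmap pairs the banner script with its version detection probes (-sV) for protocols where the client has to speak first.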

In the previous step, we scanned all default ports using the banner script. Now, we'll focus on scanning specific ports. This is useful when you know which services you're interested in, or when you want to reduce the scan time.

The command we'll be using is:

nmap --script banner -p 22,80 127.0.0.1

Let's break down the command:

  • nmap: The network scanner.
  • --script banner: Specifies the banner grabbing script.
  • -p 22,80: This option tells Nmap to only scan ports 22 and 80. Port 22 is commonly used for SSH (Secure Shell), and port 80 is commonly used for HTTP (web server).
  • 127.0.0.1: The target IP address (localhost).

Before running the command, let's make sure we have services running on these ports. The LabEx VM should have SSH running on port 22 by default. We'll run a simple web server on port 80 using Python's built-in http.server module.

Open your Xfce terminal and run the following commands to make sure Python 3 is installed (the http.server module is part of Python's standard library, so there is no pip package to install):

sudo apt update
sudo apt install -y python3

Now, start the HTTP server on port 80. Navigate to your ~/project directory first. Port 80 is a privileged port, so the server must be started with sudo:

cd ~/project
sudo python3 -m http.server 80

Keep this terminal window open and running the HTTP server. Open a new Xfce terminal window to continue with the Nmap scan.

Now, in the new terminal window, execute the Nmap command:

nmap --script banner -p 22,80 127.0.0.1

You should see output similar to this:

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:05 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000072s latency).
Other addresses for localhost (alias(es)): localhost

PORT   STATE SERVICE
22/tcp open  ssh
| banner: SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5
|_
80/tcp open  http
| banner: Server: SimpleHTTP/3.10 Python/3.10
|_

Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds

This output shows that Nmap scanned ports 22 and 80, grabbed the banners, and displayed the service information. You can see the SSH banner and the SimpleHTTP server banner.

Remember to stop the Python HTTP server after you are done with this step by pressing Ctrl+C in the terminal where it is running.

In this step, we will add verbosity to our Nmap scan. Verbosity provides more detailed information about the scan process, which can be helpful for troubleshooting or understanding what Nmap is doing behind the scenes.

The command we'll be using is:

nmap -v --script banner 127.0.0.1

Let's break down the command:

  • nmap: The network scanner.
  • -v: This option increases the verbosity level. You can use -vv for even more verbosity.
  • --script banner: Specifies the banner grabbing script.
  • 127.0.0.1: The target IP address (localhost).

Before running the command, make sure the Python HTTP server from the previous step is still running. If not, start it again in a separate terminal window (port 80 is privileged, so it needs sudo):

cd ~/project
sudo python3 -m http.server 80

Now, in a new terminal window, execute the Nmap command with verbosity:

nmap -v --script banner 127.0.0.1

You should see output similar to this (the exact output will depend on the services running on your machine):

Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:10 UTC
Initiating Ping Scan at 10:10
Scanning localhost (127.0.0.1) [2 ports]
Completed Ping Scan at 10:10, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:10
Completed Parallel DNS resolution of 1 host. at 10:10, 0.00s elapsed
Initiating Connect Scan at 10:10
Scanning localhost (127.0.0.1) [1000 ports]
Discovered open port 22/tcp on 127.0.0.1
Discovered open port 80/tcp on 127.0.0.1
Completed Connect Scan at 10:10, 0.00s elapsed (1000 total ports)
Initiating Service scan at 10:10
Scanning 2 services on localhost (127.0.0.1)
Completed Service scan at 10:10, 0.01s elapsed (2 services total)
Initiating NSE script scan at 10:10
Scanning localhost (127.0.0.1)
Completed NSE script scan at 10:10, 0.09s elapsed
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000072s latency).
Other addresses for localhost (alias(es)): localhost

PORT   STATE SERVICE
22/tcp open  ssh
| banner: SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5
|_
80/tcp open  http
| banner: Server: SimpleHTTP/3.10 Python/3.10
|_

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds

Notice the additional information provided by the -v option. You can see the different stages of the scan, such as the Ping Scan, DNS resolution, and Connect Scan. This can be very useful for understanding how Nmap works and for diagnosing any issues.

Remember to stop the Python HTTP server after you are done with this step by pressing Ctrl+C in the terminal where it is running.

In this step, we will save the results of our Nmap scan to a file. This is useful for later analysis or for reporting purposes.

The command we'll be using is:

nmap --script banner -oN banners.txt 127.0.0.1

Let's break down the command:

  • nmap: The network scanner.
  • --script banner: Specifies the banner grabbing script.
  • -oN banners.txt: This option tells Nmap to save the results in "normal" format to a file named banners.txt. Other output formats are available (e.g., -oG for Grepable output, -oX for XML output), but -oN is a human-readable format.
  • 127.0.0.1: The target IP address (localhost).

Before running the command, make sure the Python HTTP server from the previous step is still running. If not, start it again in a separate terminal window (port 80 is privileged, so it needs sudo):

cd ~/project
sudo python3 -m http.server 80

Now, in a new terminal window, execute the Nmap command to save the results to a file:

nmap --script banner -oN banners.txt 127.0.0.1

You won't see the scan results printed to the terminal this time. Instead, Nmap will save the output to the banners.txt file in your current directory (~/project).

To verify that the file was created and contains the scan results, you can use the cat command:

cat banners.txt

You should see output similar to this in the terminal:

## Nmap 7.80 scan initiated Fri Oct 27 10:15:00 2023
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000072s latency).
Other addresses for localhost (alias(es)): localhost

PORT   STATE SERVICE
22/tcp open  ssh
| banner: SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5
|_
80/tcp open  http
| banner: Server: SimpleHTTP/3.10 Python/3.10
|_

## Nmap done at Fri Oct 27 10:15:00 2023 -- 1 IP address (1 host up) scanned in 0.10 seconds

This confirms that the scan results were saved to the banners.txt file.

Remember to stop the Python HTTP server after you are done with this step by pressing Ctrl+C in the terminal where it is running.

In this step, we will review the banner details that we saved in the banners.txt file in the previous step. We'll use the Xfce terminal to view the contents of the file and understand the information it contains.

First, ensure you have the banners.txt file in your ~/project directory. If you haven't completed the previous step, please do so before proceeding.

To view the contents of the banners.txt file, open a terminal window and use the cat command:

cat banners.txt

The output will display the contents of the file, which should look similar to this:

## Nmap 7.80 scan initiated Fri Oct 27 10:20:00 2023
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000072s latency).
Other addresses for localhost (alias(es)): localhost

PORT   STATE SERVICE
22/tcp open  ssh
| banner: SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5
|_
80/tcp open  http
| banner: Server: SimpleHTTP/3.10 Python/3.10
|_

## Nmap done at Fri Oct 27 10:20:00 2023 -- 1 IP address (1 host up) scanned in 0.10 seconds

Let's analyze the output:

  • Nmap scan report for localhost (127.0.0.1): This indicates that the scan was performed on the localhost (127.0.0.1).
  • Host is up: This confirms that the target host is reachable.
  • PORT STATE SERVICE: This section provides information about the open ports on the target host.
  • 22/tcp open ssh: This indicates that port 22 is open and running the SSH service.
  • | banner: SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5: This is the banner information for the SSH service. It reveals the SSH version and the operating system.
  • 80/tcp open http: This indicates that port 80 is open and running the HTTP service.
  • | banner: Server: SimpleHTTP/3.10 Python/3.10: This is the banner information for the HTTP service. It reveals the server software and version.

By reviewing the banner details, you can gain valuable information about the services running on the target host. This information can be used for vulnerability analysis or for identifying potential security risks.

Remember to stop the Python HTTP server after you are done with this step by pressing Ctrl+C in the terminal where it is running.

Compare banners across ports in Xfce terminal

In this step, we will compare the banner information obtained from different ports. This can help us identify the services running on those ports and understand their versions. We'll use the Xfce terminal and the grep command to extract and compare the banner information from the banners.txt file.

First, ensure you have the banners.txt file in your ~/project directory, which contains the Nmap scan results from the previous steps.

To extract the banner information for port 22 (SSH), use the following command. The -A2 option makes grep print the two lines after each match, which is where Nmap places the script output:

grep -A2 "22/tcp" banners.txt

This will output the port 22 line together with the two lines that follow it, which contain the banner:

22/tcp open  ssh
| banner: SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5
|_

Similarly, to extract the banner information for port 80 (HTTP), use the following command:

grep -A2 "80/tcp" banners.txt

This will output the port 80 line together with the two lines that follow it, which contain the banner:

80/tcp open  http
| banner: Server: SimpleHTTP/3.10 Python/3.10
|_

Now, let's compare the banner information. We can see that:

  • Port 22 is running SSH, and the banner reveals that it's OpenSSH version 8.2p1 on Ubuntu.
  • Port 80 is running HTTP, and the banner reveals that it's a SimpleHTTP server implemented in Python 3.10.

By comparing the banner information, we can quickly identify the services running on these ports and their versions. This information is valuable for security assessments and vulnerability analysis. For example, knowing the specific version of SSH or HTTP server allows us to check for known vulnerabilities associated with those versions.

In this simple example, we only compared two ports. However, you can extend this technique to compare banners across many different ports and hosts to gain a comprehensive understanding of the network services running in your environment.
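The review in the previous step and the comparison in this one can be automated once the -oN file is parsed. As an added example (not part of the lab and not Nmap's own tooling), the Python script below parses normal-format output into per-port records, pulls product/version pairs out of each banner, and diffs two scans so that a version change or a new listener shows up between scheduled scans. SAMPLE_BANNERS_TXT is a constructed copy of the banners.txt shown in this lab, and SAMPLE_LATER is a constructed follow-up scan; the regular expressions cover the banner forms seen on this page and may need extending for other services.

```python
# Added illustration (not part of the lab): parse Nmap normal (-oN) output into
# per-port records, extract product/version pairs from banners, and diff two
# scans. Both sample texts below are constructed for the demo.
import re

SAMPLE_BANNERS_TXT = """\
## Nmap 7.80 scan initiated Fri Oct 27 10:20:00 2023
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000072s latency).

PORT   STATE SERVICE
22/tcp open  ssh
| banner: SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5
|_
80/tcp open  http
| banner: Server: SimpleHTTP/3.10 Python/3.10
|_

## Nmap done at Fri Oct 27 10:20:00 2023 -- 1 IP address (1 host up) scanned in 0.10 seconds
"""

# Constructed "later" scan: SSH was upgraded and the web server is gone.
SAMPLE_LATER = """\
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000072s latency).

PORT   STATE SERVICE
22/tcp open  ssh
| banner: SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13
|_
"""

HOST_RE = re.compile(r"^Nmap scan report for (.+)$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
# product/version tokens in the forms seen above: OpenSSH_8.2p1, Python/3.10
VERSION_RE = re.compile(r"\b([A-Za-z]+)[_/](\d+(?:\.\d+)*[A-Za-z0-9]*)")


def parse_normal_output(text):
    """Return {host: [record, ...]}; each record holds port, proto, state,
    service and a dict of NSE script outputs keyed by script name."""
    hosts, records, current, script = {}, None, None, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            records = hosts.setdefault(m.group(1), [])
            current = None
            continue
        m = PORT_RE.match(line)
        if m and records is not None:
            current = {"port": int(m.group(1)), "proto": m.group(2),
                       "state": m.group(3), "service": m.group(4), "scripts": {}}
            records.append(current)
            script = None
            continue
        if current is not None and line.startswith("|"):
            # "| name: text" opens a script block, "|_" prefixes its last line,
            # any other "|" line continues the current block
            last = line.startswith("|_")
            body = line[2 if last else 1:].strip()
            if script is None:
                if not body:
                    continue
                name, _, rest = body.partition(":")
                script = name.strip()
                current["scripts"][script] = rest.strip()
            elif body:
                current["scripts"][script] += "\n" + body
            if last:
                script = None
    return hosts


def banner_table(hosts):
    """Flatten to (host, port, service, banner) rows for side-by-side review."""
    return [(host, f"{r['port']}/{r['proto']}", r["service"],
             r["scripts"].get("banner", ""))
            for host, recs in hosts.items() for r in recs]


def extract_versions(banner):
    """Pull (product, version) pairs such as ('OpenSSH', '8.2p1') out of a banner."""
    return VERSION_RE.findall(banner)


def diff_banners(baseline_text, current_text):
    """Compare two -oN files. Returns {(host, port): (old_banner, new_banner)}
    for ports whose banner changed, appeared (old None) or vanished (new None),
    so a scheduled rescan can flag unexpected version changes or listeners."""
    old = {(h, p): b for h, p, _, b in banner_table(parse_normal_output(baseline_text))}
    new = {(h, p): b for h, p, _, b in banner_table(parse_normal_output(current_text))}
    return {key: (old.get(key), new.get(key))
            for key in sorted(old.keys() | new.keys())
            if old.get(key) != new.get(key)}


if __name__ == "__main__":
    for host, port, service, banner in banner_table(parse_normal_output(SAMPLE_BANNERS_TXT)):
        print(host, port, service, extract_versions(banner))
    for (host, port), (before, after) in diff_banners(SAMPLE_BANNERS_TXT, SAMPLE_LATER).items():
        print(f"{host} {port}: {before!r} -> {after!r}")
```

To use it on real files, read banners.txt from disk and pass its contents in place of the constructed samples; the parser keys records by the host line, so output from a multi-host scan is handled without change.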

Remember to stop the Python HTTP server after you are done with this step by pressing Ctrl+C in the terminal where it is running.

Summary

In this lab, participants learn to use Nmap to detect service banners. They start by running the banner script with nmap --script banner on a target IP, using 127.0.0.1 to avoid ethical and legal issues. They also learn to scan specific ports, add verbosity to the scan, and save the results to a file. Finally, they review and compare banner details in the Xfce terminal.