Nmap Development mailing list archives

Re: [NSE] Simple Banner Grabbing, Banner Grabber and Grabber of Banners - banner.nse


From: Kris Katterjohn <katterjohn () gmail com>
Date: Sat, 01 Nov 2008 22:37:24 -0500


On 11/01/2008 09:08 AM, jah wrote:
> On 01/11/2008 05:04, Kris Katterjohn wrote:
>> On 10/31/2008 11:41 PM, jah wrote:
>>> Hi folks,
>>> I was looking at Nmap's TODO list and saw mention of a banner grabbing
>>> script, so for some light relief I tidied up a script I had for just
>>> such a purpose.
>>
>> I guess my idea wasn't so bad after all[1] :)
>
> Hi Kris,
>
> Certainly not a bad idea.  Even with --version-intensity 0 it's not
> possible to do pure banner grabbing without sending any probes, and so
> using a script such as this is a good way to get maximum information
> without going as far as version scanning.  And it's often helpful to
> know when a service blurts something out, without having to trawl
> through a --version-trace (which can be large with many targets or high
> intensity).

I ran your updated script against a quick 4096 random hosts and it works just
like expected:

21/tcp   open     ftp          syn-ack
|_ Banner: 220 Microsoft FTP Service\x0D\x0A
22/tcp   open     ssh          syn-ack
|_ Banner: SSH-1.5-Cisco-1.25\x0A
23/tcp   open     telnet       syn-ack
|_ Banner: \xFF\xFD\x18\xFF\xFD \xFF\xFD#\xFF\xFD'
80/tcp   open     http         syn-ack
|_ Banner: HTTP/1.0 403 Forbidden\x0D\x0AContent-Type: text/html\x0D\x0...
143/tcp  open     imap         syn-ack
|_ Banner: * OK [CAPABILITY IMAP4REV1 LITERAL+ SASL-IR LOGIN-REFERRALS ...
3306/tcp open     mysql        syn-ack
|_ Banner: c\x00\x00\x00\xFFj\x04Host '[addr removed]...

This conglomerate list is certainly nicer looking than what my original script
would have produced since you format the data well.

I do have to say that your debug message reads funny though:

SCRIPT ENGINE DEBUG: Banner No Banner from [ip] on 80 tcp: TIMEOUT


So just for the record I'm for the inclusion of this script.  Nice job.

> The odd thing is that I did a search of nmap-dev after I saw banner
> grabbing mentioned in the TODO list to make sure the script wasn't
> already floating around.  I saw a thread from 2006 where it was
> suggested to use Amap and some stuff from 2002 which I didn't even look
> at.  Where was your cleverly titled post [1] in these results?  I guess
> my search term should have been "banner grabber" rather than "banner
> grabbing"...
>
> I really like how I'll always be able to find this thread now ;)
>
> Cheers for the input,
>
> jah

Thanks,
Kris Katterjohn


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
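For readers who want to see, in NSE terms, the kind of thing the thread is talking about, the following is an added example written for this page; it is not jah's banner.nse, not Kris's original script, and not any script shipped with Nmap. It connects to every open TCP port, deliberately sends nothing, and reports whatever the service volunteers, escaping non-printable bytes as \xHH in the style of the output quoted above. It assumes the current NSE API (require-style module loading, stdnse.debug1, stdnse.get_script_args), which post-dates this 2008 thread; the script-arg names banner-example.timeout and banner-example.maxlen are made up for the example.

```lua
-- banner-example.nse: passive banner grab (added example, not Nmap's banner.nse)
local nmap = require "nmap"
local stdnse = require "stdnse"
local string = require "string"

description = [[
Connects to each open TCP port, sends nothing, and reports whatever greeting
the service volunteers before it has seen any input. Non-printable bytes are
shown as \xHH so that telnet negotiation, CRLF and binary framing stay visible.
]]

---
-- @args banner-example.timeout  Milliseconds to wait for the greeting (default 5000).
-- @args banner-example.maxlen   Bytes of escaped banner to keep (default 80).
--
-- @output
-- 21/tcp open  ftp
-- |_banner-example: 220 Example FTP Service\x0D\x0A

author = "added example for this page"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}

-- Run against every open TCP port, whether or not Nmap has named the service.
portrule = function(host, port)
  return port.protocol == "tcp" and port.state == "open"
end

-- Render every byte outside printable ASCII (0x20..0x7E) as \xHH.
local function escape(data)
  return (string.gsub(data, "[^ -~]", function(c)
    return string.format("\\x%02X", string.byte(c))
  end))
end

action = function(host, port)
  -- Script-arg names are assumptions made for this example.
  local arg_timeout = stdnse.get_script_args("banner-example.timeout")
  local arg_maxlen  = stdnse.get_script_args("banner-example.maxlen")
  local timeout = (arg_timeout and tonumber(arg_timeout)) or 5000
  local maxlen  = (arg_maxlen and tonumber(arg_maxlen)) or 80

  local sock = nmap.new_socket()
  sock:set_timeout(timeout)

  local status, err = sock:connect(host, port)
  if not status then
    stdnse.debug1("connect to %s:%d/%s failed: %s",
      host.ip, port.number, port.protocol, err)
    return nil
  end

  -- Send nothing: the point is to see what the service says unprompted.
  -- One receive() returns the first chunk the server sends, or
  -- (false, "TIMEOUT") if it waits for the client to speak first.
  local data
  status, data = sock:receive()
  sock:close()

  if not status then
    stdnse.debug1("no banner from %s:%d/%s: %s",
      host.ip, port.number, port.protocol, data)
    return nil
  end

  local out = escape(data)
  if #out > maxlen then
    out = string.sub(out, 1, maxlen) .. "..."
  end
  return out
end
```

Run it by path, e.g. `nmap -p 21,22,23,80,143,3306 --script ./banner-example.nse target`, or copy it into Nmap's scripts directory and run `nmap --script-updatedb` first. Because it sends no bytes, it reports nothing for services that wait for the client to speak first (most HTTP servers, for instance); that is exactly the gap the probes of version detection fill, and why a grab like this complements `-sV` rather than replacing it.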

