One of the easiest things you can do to enumerate information is to perform banner grabbing. This involves attempting to open a session with a service and getting the service to identify itself. You can use telnet, Nmap, Netcat, and other tools to grab banners from services such as FTP, SSH, HTTP, SMTP, POP3, IMAP4, DNS, Telnet, Microsoft-DS, Microsoft netbios-ssn, and more. Acquiring these banners can help you focus your attacks on specific services.

Below are some example commands you can use to banner grab. After issuing the command, the service will either respond with information about itself, or wait for more input from you. Depending on the tool and the protocol, you will need to send input that the service knows how to respond to. You may also need to break out of the connection. You can sometimes do this by pressing Ctrl+C or Enter a few times. With Nmap, you don't need to break out of the session. Just wait a few seconds for the scan to complete. Nmap also has a script for banner grabbing.

Here are some examples of banner grabbing:

telnet <target IP> <port number> After making the connection, press Ctrl+] to break, then enter quit.

nc -vv <target IP> <port number>

Here is an example of using an HTTP GET request to elicit the web server type and version in Linux:

echo -en "GET / HTTP/1.0\n\n\n"|nc 80|grep Server

Banner grabbing with netcat

nmap -sV <target IP> -p <port number>

This NSE script attempts to grab banners from every service it can discover on a host:

nmap -sV --script=banner <target>

Nmap NSE banner script example

Note: When 301's occur, you'll want to watch for error handling so that the browser header can be updated.