Banner Grabbing with NetCat and Nmap Exercise

This exercise complements material in the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide.

This lab shows you two methods of grabbing a banner from a system.

Requirements: This exercise assumes you’re running a Windows system and know how to access the command line.

Download a copy of NetCat.

Note. If you have access to a Linux Kali system, you can skip these steps. NetCat is available from the terminal within Kali.

1. Use your favorite search engine and enter the following search term

download NetCat for Windows

2. Click on one of the locations where it’s available and download the zip file.

3. Locate the zip file and extract the contents into a folder.

4. For easy access, rename the folder to netcat.

5. Copy the folder to a location where you can easily access it. I copied it to the SecurityLabs folder on my system.

Use NetCat to Grab a Banner

1. Open a command prompt.

2. Change the current directory to the location of of the netcat files. For example, on my system I would enter the following command.

cd \securitylabs\netcat

You can use the same command if you placed the netcat folder into the securitylabs folder. Modify the command as needed if you placed the folder somewhere else.

3. Enter the following command to identify the IP address for the site:



Pinging [] with 32 bytes of data:
Reply from bytes=32 time=53ms TTL=55
Reply from bytes=32 time=48ms TTL=55
Reply from bytes=32 time=56ms TTL=55
Reply from bytes=32 time=50ms TTL=55

Ping statistics for
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 48ms, Maximum = 56ms, Average = 51ms

Notice that the first line in the response shows that the IP address is

Pinging [] with 32 bytes of data:

4. Type in the following command to grab the banner from the server.

Note: Do NOT perform this command against any other site without obtaining express written permission first. Your actions can be interpreted as malicious and in some cases even illegal.

As a learning exercise, you are authorized to perform the command against However, this authorization does NOT extend to the use of any other vulnerability scans or penetration testing tests.

echo “”  | nc -vv -n -w1 80

  • echo “” sends a blank command to the server.
  • | is the pipe symbol indicating the echo command will send the blank command after the connection is established.
  • nc is the netcat command.
  • -vv is the verbose command on Windows versions of netcat. Linux versions use -v.
  • -n indicates don’t attempt to resolve the name from the IP address.
  • w1 says to wait no more than one second for a reply.
  • is the IP address of the server.
  • 80 is the port for HTTP.

You’ll see a reply similar to this:

(UNKNOWN) [] 80 (?) open
HTTP/1.1 400 Bad Request
Date: Thu, 25 May 2017 13:54:44 GMT
Server: Apache/2.4.18 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 
Accept-Ranges: bytes
Connection: close
Content-Type: text/html

<!DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0 Transitional//EN” “”>
<title>400 Bad Request</title>
<meta http-equiv=”Content-Type” content=”text/html; charset=utf-8″ />
<style type=”text/css”>
body {
font-family: Verdana, Arial, Helvetica, sans-serif;
font-size: 12px;
scrollbar-base-color: #005B70;
scrollbar-arrow-color: #F3960B;
scrollbar-DarkShadow-Color: #000000;
color: #FFFFFF;
a { color:#021f25; text-decoration:none}
h1 {
font-size: 18px;
color: #FB9802;
padding-bottom: 10px;
background-image: url(sys_cpanel/images/bottombody.jpg);
background-repeat: repeat-x;
padding:5px 0 10px 15px;
#body-content p {
padding-left: 25px;
padding-right: 25px;
line-height: 18px;
padding-top: 5px;
padding-bottom: 5px;
h2 {
font-size: 14px;
font-weight: bold;
color: #FF9900;
padding-left: 15px;
<div id=”body-content”>
<!– start content–>

instead of REQUEST_URI, we could show absolute URL via:
but what if its https:// or other protocol?

SERVER_PORT_SECURE doesn’t seem to be used
SERVER_PORT logic would break if they use alternate ports

<h1>400 Bad Request</h1>
<p>Your browser sent a request that this server could not understand:</p>
(none) (port 80)
Please forward this error screen to’s
<a href=” message [400] 400 Bad Request for (none) port 80 on Thursday 09:54:44 EDT”>
<hr />

<!– end content –>
sent 6, rcvd 2207: NOTSOCK


HTTP/1.1 400 Bad Request indicates the server doesn’t understand the echo “” command. Still it returns a lot of information on the server. This includes:

  • (UNKNOWN) [] 80 (?) open: This indicates port 80 is open.
  • Apache/2.4.18 (Unix): This is an Apache web server version 2.4.18 running on a Unix-based system.
  • OpenSSL/1.0.0-fips – This is an open source implementation of SSL and TLS protocols using Federal Information Processing Standard (fips)
  • mod_bwlimited/1.4 – this identifies a CPanel modules used for monitoring bandwidth.

The server is assuming this request came from a web browser and the remaining data is HTML code that would display a web page (if it was returned to a web browser instead of a command line window).

Nmap and Banner Grabbing

You can also use nmap for banner grabbing by using these steps:

1. Install nmap using the Download and Install Nmap lab in the Chapter 8 labs.

2. Open a command prompt with administrative privileges.

3. Identify the IP address of a system in your network. Your router is typically using the IP address of or

4. Verify that a system is using the IP address with the ping command.



One of these will give you an answer so use it in the next step.

3. Enter the following command:

nmap -sV –script=banner

It may take as long as two or three minutes to get a response, but as long as you have installed nmap properly and launched the command prompt with administrative privileges, you will get a response.

You’ll notice that nmap is providing a lot more information than the netcat banner grab did. This is because it is also showing you all the open ports.

Starting Nmap 7.50 ( ) at 2018-06-04 09:11 Eastern Daylight Time
Nmap scan report for
Host is up (0.0083s latency).
Not shown: 993 closed ports
21/tcp filtered ftp
53/tcp open domain dnsmasq 2.39
80/tcp open http uhttpd 1.0.0 (Netgear Orbi WAP http config)
443/tcp open ssl/https?
631/tcp open ipp?
5555/tcp open freeciv?
| fingerprint-strings:
| FourOhFourRequest, GetRequest:
| HTTP/1.1 404 Not found
| Connection: close
| Content-type: text/html
| <HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL was not found on this server.</BODY></HTML>
| GenericLines, SIPOptions:
| HTTP/1.1 400 Bad Request
| Connection: close
| Content-type: text/html
| <HTML><HEAD><TITLE>400 Bad Request</TITLE></HEAD><BODY><H1>Bad Request</H1>The requested was bad on this server.</BODY></HTML>
| HTTPOptions, RTSPRequest:
| HTTP/1.1 501 Not Implemented
| Connection: close
| Content-type: text/html
|_ <HTML><HEAD><TITLE>501 Not Implemented</TITLE></HEAD><BODY><H1>Not Implemented</H1>The HTTP Method is not implemented by this server.</BODY></HTML>
20005/tcp open btx?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at :
MAC Address: 9C:3D:CF:E5:66:28 (Netgear)
Service Info: Device: WAP; CPE: cpe:/h:netgear:orbi

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 137.18 seconds

Back to SY0-501 Security+ labs.