Banner grabbing

Banner grabbing is the method used to identify what version of software is running on a target port. Knowing the versions makes it possible to identify whether any existing vulnerabilities or common misconfigurations apply.

When conducting a standard port scan, nmap will identify which ports are open and assume that each is running the standard service for that port. For example, if nmap identifies TCP ports 23 and 80 as open, it will assume that Telnet and HTTP are running. While these assumptions are usually correct, it is possible to run services on different ports. By conducting a banner grabbing attack, it is possible to confirm what services are running and gather potentially helpful information.

The syntax to trigger a Version Scan that will conduct banner grabbing is:

nmap -sV <IP address>

This scan will identify open TCP/UDP ports through standard methods and will then attempt to identify the service on each one, requesting anything from the service name to the OS family.

Banner grabbing on non-standard ports can be helpful when it comes to understanding what service an unknown port is providing.
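To make the difference between a port-based assumption and a banner-based identification concrete, the following added example (not part of the original course material) compares what the port number suggests with what the banner says. The signature list, port table and sample banners are simplified and constructed for illustration; they are not nmap's own probe database.

```python
import re

# Service a plain port scan would assume from the port number alone.
PORT_ASSUMPTION = {21: "ftp", 22: "ssh", 23: "telnet", 80: "http"}

# Simplified banner signatures (assumption: a tiny stand-in for a real probe database).
SIGNATURES = [
    ("ssh", re.compile(r"^SSH-[\d.]+-(?P<product>[A-Za-z]+)[_-](?P<version>[\w.]+)")),
    ("http", re.compile(r"^Server:\s*(?P<product>[\w-]+)/(?P<version>[\w.]+)", re.M | re.I)),
    ("ftp", re.compile(r"^220[ -].*?(?P<product>vsFTPd|ProFTPD)\s+(?P<version>[\w.]+)", re.I)),
]

def identify(banner):
    """Return (service, product, version) parsed from banner text, or None."""
    for service, pattern in SIGNATURES:
        match = pattern.search(banner)
        if match:
            return service, match.group("product"), match.group("version")
    return None

def audit(observations):
    """Compare the port-based assumption with the banner for each (port, banner) pair."""
    results = []
    for port, banner in observations:
        assumed = PORT_ASSUMPTION.get(port)
        found = identify(banner)
        if found is None:
            status = "unrecognized"   # banner gives no usable identification
        elif assumed is None:
            status = "identified"     # non-standard port, service learned from banner
        elif found[0] == assumed:
            status = "confirmed"      # assumption was right, version now known
        else:
            status = "mismatch"       # a different service is listening on this port
        results.append({"port": port, "assumed": assumed, "found": found, "status": status})
    return results

# Constructed sample banners, as they might be read from hosts in your own inventory.
SAMPLE = [
    (22, "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6\r\n"),
    (23, "SSH-2.0-OpenSSH_7.4\r\n"),
    (8080, "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\n\r\n"),
    (80, "220 (vsFTPd 3.0.3)\r\n"),
    (23, "login: "),
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row["port"], row["assumed"], row["found"], row["status"])
```

Rows marked "mismatch" or "identified" are the ones where a port-only scan would have reported the wrong service or none at all.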