Nginx. Some organizations even create honeypot servers to lure
threat actors (or penetration testers). Honeypots make use of
deception technologies to masquerade as vulnerable servers, but their
real purpose is to detect and analyze attacker activity. More often
than not, however, banners transmit default settings that system
administrators haven’t bothered to change.
Performing Active Banner Grabbing with Netcat
To demonstrate what active banner grabbing looks like, we’ll use
the following Netcat command to connect to port 21 (FTP) running
on the IP address 172.16.10.11 (p-ftp-01):
$ nc 172.16.10.11 -v 21
172.16.10.11: inverse host lookup failed: Unknown host
(UNKNOWN) [172.16.10.11] 21 (ftp) open
220 (vsFTPd 3.0.5)
As you can see, 172.16.10.11 is running the FTP server vsFTPd
version 3.0.5. This information may change if the vsFTPd version
gets upgraded or downgraded, or if the system administrator decides
to disable banner advertisement completely in the FTP server’s
configuration.
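The greeting above discloses both the product and its exact version. The following bash script is an added example, not a listing from the book: it rates FTP greetings you have already captured from your own hosts by how much they disclose. The function names, the short product list, and the sample lines (other than the vsFTPd banner shown above) are assumptions made for this example.

```bash
#!/bin/bash
# Added example: rate captured FTP greetings by how much they disclose.
# Function names, product list and sample data are assumptions for this example.

CR=$'\r'
RE_GREETING='^220[ -]'    # FTP "service ready" reply code
RE_VERSION='([A-Za-z][A-Za-z_-]*)[ /]v?([0-9]+(\.[0-9]+)+)'    # name + dotted version
RE_PRODUCT='(vsFTPd|ProFTPD|Pure-FTPd|FileZilla)'    # small illustrative list

# Print version:<name>:<ver>, product:<name>, generic, or invalid.
classify_banner() {
  local banner="${1%"${CR}"}"    # FTP lines end in CRLF; drop the CR
  if [[ ! "${banner}" =~ ${RE_GREETING} ]]; then
    echo "invalid"
  elif [[ "${banner:4}" =~ ${RE_VERSION} ]]; then
    echo "version:${BASH_REMATCH[1]}:${BASH_REMATCH[2]}"
  elif [[ "${banner:4}" =~ ${RE_PRODUCT} ]]; then
    echo "product:${BASH_REMATCH[1]}"
  else
    echo "generic"
  fi
}

# Read "<ip> <banner>" lines on stdin and print one finding per host.
audit_banners() {
  local ip banner
  while read -r ip banner; do
    [[ -z "${ip}" ]] && continue
    echo "${ip} $(classify_banner "${banner}")"
  done
}

# Constructed sample input; only the first banner appears in the text above.
sample_banners() {
  printf '%s\r\n' \
    '172.16.10.11 220 (vsFTPd 3.0.5)' \
    '172.16.10.12 220 ProFTPD Server ready.' \
    '172.16.10.13 220 Welcome to the FTP service.'
}

sample_banners | audit_banners
```

On vsFTPd, the ftpd_banner option in vsftpd.conf replaces the default greeting, which moves a host from the version category to generic.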
Netcat is a good example of a tool that doesn’t natively support
probing multiple IP addresses. So, knowing a bit of bash scripting
can really help us out. Listing 4-14 will use Netcat to grab banners
on port 21 from multiple hosts saved in a file.
#!/bin/bash
FILE="${1}"
PORT="${2}"

# (1) Require exactly two arguments.
if [[ "$#" -ne 2 ]]; then
  echo "Usage: ${0} <file> <port>"
  exit 1
fi

# (2) The hosts file must exist.
if [[ ! -f "${FILE}" ]]; then
  echo "File: ${FILE} was not found."
  exit 1
fi

# (3) The port must be numeric.
if [[ ! "${PORT}" =~ ^[0-9]+$ ]]; then
  echo "${PORT} must be a number."
  exit 1
fi

# (4) Read the hosts file line by line.
while read -r ip; do
Black Hat Bash (Early Access) © 2023 by Dolev Farhi and Nick Aleks