output to the result variable. We use grep and awk to parse the
result of curl and extract the Server header.
You can download the script at https://github.com/dolevf/Black-Hat-Bash/blob/master/ch04/curl_banner_grab.sh. Run it, and when
prompted, provide the IP address 172.16.10.10 (p-web-01) and port
8081:
$ ./curl_banner_grab
Type a target IP address: 172.16.10.10
Type a target port (default: 80): 8081
Attempting to grab the Server header of 172.16.10.10...
Server header for 172.16.10.10 on port 8081 is: Werkzeug/2.2.3 Python/3.11.1
As you can see, the script returned the correct information from
the target IP address and port. If we didn’t specify a port in the
terminal, it would have defaulted to port 80. Note that we could have
used Netcat to send HTTP HEAD requests, too, but it’s useful to
know more than one method to achieve a given task.
Using Nmap Scripts
Nmap is more than just a port scanner; we can transform it into a
full-fledged vulnerability assessment tool. The Nmap Scripting
Engine (NSE) allows penetration testers to write scripts in the Lua
language to extend Nmap’s capabilities. Nmap comes pre-installed
with some Lua scripts, as you can see here:
$ ls -l /usr/share/nmap/scripts
-rw-r--r-- 1 root root 3901 Oct 6 10:43 acarsd-info.nse
-rw-r--r-- 1 root root 8749 Oct 6 10:43 address-info.nse
-rw-r--r-- 1 root root 3345 Oct 6 10:43 afp-brute.nse
-rw-r--r-- 1 root root 6463 Oct 6 10:43 afp-ls.nse
--snip--
The banner.nse script in the /usr/share/nmap/scripts folder
allows you to grab the banners from many hosts simultaneously. The
following bash command performs a banner grab and service
discovery (-sV) using this script:
$ nmap -sV --script=banner.nse -iL 172-16-10-hosts.txt
Nmap scan report for 172.16.10.12
--snip--
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.54 ((Debian))
Black Hat Bash (Early Access) © 2023 by Dolev Farhi and Nick Aleks