
|_http-server-header: Apache/2.4.54 (Debian)

--snip--

When the banner-grabbing script finds a banner, the output line containing that banner will begin with a special character sequence (|_). We can filter for this sequence to extract banner information, like so:

$ nmap -sV --script=banner.nse -iL 172-16-10-hosts.txt | grep "|_banner\||http-server-header"

You may have noticed that, in the case of 172.16.10.10 (p-web-01) port 8081, Nmap responded with the following:

PORT STATE SERVICE VERSION
8081/tcp open blackice-icecap?
| fingerprint-strings:
--snip--

The trailing question mark in the blackice-icecap? value indicates that Nmap was unable to discover the identity of the service definitively. But if you look closely at the fingerprint-strings dump, you'll see some HTTP-related information that reveals the same response headers we found when banner grabbing manually using cURL. Specifically, note the Werkzeug web server banner. With a bit of Googling, you'll find that this server runs on Flask, a Python-based web framework.

Detecting Operating Systems

Nmap can also guess the target server's running operating system by using a technique called TCP/IP fingerprinting, which is part of its operating system detection scan. This technique identifies the implementation of the operating system's TCP/IP stack by crafting packets in various ways and analyzing the returned responses. Each operating system, such as Linux, Windows, and macOS, implements the TCP/IP stack slightly differently, and Nmap analyzes these subtle differences to identify the running system. In some cases, Nmap may also be able to identify the running kernel version.

To run an operating system detection scan, use the -O flag in Nmap. Note that this scan requires sudo privileges:

$ sudo nmap -O -iL 172-16-10-hosts.txt
--snip--
21/tcp open ftp
80/tcp open http
MAC Address: 02:42:AC:10:0A:0B (Unknown)
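The grep filter above, the blackice-icecap? fingerprint-strings dump, and the -O output all come from the same kind of Nmap normal output, so one script can post-process all three. The following is an added example, not the book's own code or one of its scripts: it attributes each |_banner and |_http-server-header line to its host and port, lists services Nmap marked uncertain with a trailing ?, pulls the Server: header out of a fingerprint-strings dump, and reads the "OS details:" line that an -O scan prints per host. The scan text embedded in the script is constructed for illustration (the hostname p-ftp-01, the address 172.16.10.11 and every version string are made up), the function names are assumptions, and in practice you would pipe in a file saved with nmap -oN.

```shell
#!/usr/bin/env bash
# Added example, not from the book: post-process saved Nmap normal output
# (nmap ... -oN scan.txt) with awk instead of reading it by eye.

# Constructed sample shaped like the chapter's -sV and -O output.
# p-ftp-01, 172.16.10.11 and all version strings are made up.
SAMPLE_SCAN='Nmap scan report for p-web-01 (172.16.10.10)
PORT     STATE SERVICE          VERSION
80/tcp   open  http             Apache httpd 2.4.54
|_http-server-header: Apache/2.4.54 (Debian)
8081/tcp open  blackice-icecap?
| fingerprint-strings:
|   GetRequest:
|     HTTP/1.1 200 OK
|     Server: Werkzeug/2.2.2 Python/3.11.2
|_    Content-Type: text/html; charset=utf-8
MAC Address: 02:42:AC:10:0A:0B (Unknown)
OS details: Linux 5.0 - 5.4
Nmap scan report for p-ftp-01 (172.16.10.11)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
|_banner: 220 (vsFTPd 3.0.3)
OS details: Linux 4.15 - 5.6'

# Shared awk rule: remember the host announced by the most recent
# "Nmap scan report for" line (the IP is the last field, in parentheses).
HOST_TRACK='/^Nmap scan report for / { host = $NF; gsub(/[()]/, "", host); next }'

# "host port banner" for every |_banner / |_http-server-header line,
# i.e. the lines the grep filter in the chapter selects.
extract_banners() {
    awk "$HOST_TRACK"'
        /^[0-9]+\/(tcp|udp) / { port = $1; next }
        /^[|]_(banner|http-server-header): / {
            sub(/^[|]_[a-z-]+: /, "")
            print host, port, $0
        }'
}

# "host port service" for services Nmap could not identify definitively
# (service name ends in ?, like blackice-icecap? on port 8081).
list_unidentified() {
    awk "$HOST_TRACK"'
        /^[0-9]+\/(tcp|udp) / && $3 ~ /[?]$/ { print host, $1, $3 }'
}

# The Server: header buried inside a fingerprint-strings dump, which is
# where the Werkzeug banner appears when the service itself is unknown.
extract_fingerprint_servers() {
    awk "$HOST_TRACK"'
        /^[0-9]+\/(tcp|udp) / { port = $1; next }
        /^[|][ _]+Server: /   { sub(/^[|][ _]+Server: /, ""); print host, port, $0 }'
}

# "host guess" from the "OS details:" line an -O scan prints per host.
extract_os() {
    awk "$HOST_TRACK"'
        /^OS details: / { sub(/^OS details: /, ""); print host, $0 }'
}

# Wrappers that run each extractor over the constructed sample; with a
# real scan you would use: extract_banners < scan.txt
demo_banners()      { printf '%s\n' "$SAMPLE_SCAN" | extract_banners; }
demo_unidentified() { printf '%s\n' "$SAMPLE_SCAN" | list_unidentified; }
demo_fingerprint()  { printf '%s\n' "$SAMPLE_SCAN" | extract_fingerprint_servers; }
demo_os()           { printf '%s\n' "$SAMPLE_SCAN" | extract_os; }

echo "== banners ==";             demo_banners
echo "== unidentified ==";        demo_unidentified
echo "== fingerprint servers =="; demo_fingerprint
echo "== os guesses ==";          demo_os
```

Each extractor prints one line per finding with the host first, so the output sorts and diffs cleanly between scans, which is what you want when tracking which banners or OS guesses changed on a network over time.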

Black Hat Bash (Early Access) © 2023 by Dolev Farhi and Nick Aleks