SecurityTrails Blog · LAST UPDATED ON Oct 14 2021 · by Esteban Borges

Banner Grabbing: Top Tools and Techniques Explained

Reading time: 9 minutes

We shared a few details about banner grabbing in our previous article about cybersecurity fingerprinting. Today, we'll dig a little bit deeper, to define what it is, explore its different types, and examine some real-world examples showing how you can grab banners from different services on the Internet with both command-line tools and web-based interfaces.

Banner grabbing made easy Boost your software discovery with SecurityTrails SQL
HTTP banner grabbing capabilities

What is banner grabbing?

Whenever performing the intel-reconnaissance process during penetration testing or security auditing, we need to pay attention to the current web-server's exposed information.

That's where banner grabbing comes in. Banner grabbing is the act of getting software banner information (name and version), whether it's done manually, or by using any OSINT tools that can do it for you automatically.

FTP servers, web servers, SSH servers and other system daemons often expose critical information about not only the software name, but also about the exact versions and operating systems they're running—the 'banner' data in question..

Running a banner grabbing attack against any protocol can reveal insecure and vulnerable applications which could lead to service exploitation and compromise, in the case of matching a critical CVE.

How can you proceed with a banner grabbing attack? Just choose the service you want to target, launch the request, inspect the response you get, and that's it.

While it isn't exactly rocket science, there is much to consider. Due to the vast amount of services, protocols and types of banners we can get, we need to examine the many different techniques and tools which can, in the end, help us throughout the OSINT discovery process.

Banner grabbing techniques

Let's explore the different types of banner grabbing techniques.

Active banner grabbing

This is the most popular type of banner grabbing, basically the act of sending packets to the remote host and waiting for their response to analyze the data.

Active banner grabbing techniques involve opening a TCP (or similar) connection between an origin host and a remote host. It can be considered active, as your connection will be logged in the remote system. This is the most risky approach to banner grabbing as it's often detected by some IDS.

Passive banner grabbing

On the other hand, passive banner grabbing enables you to get the same information while avoiding a high level of exposure from the origin connection. Different intermediate software and platforms can be used as a gateway to avoid a direct connection and still allow you to obtain the data you need.

Using 3rd party networks tools or services such as search engines, Shodan, or sniffing the traffic to capture and analyze packets, can help you determine software versions.

Top 7 tools to perform banner grabbing

Now let's take a look at the best tools available for performing a banner grabbing attack, including both command-line-based tools and web-based interfaces.


Telnet is one of the most classic cross-platform clients available, one that allows you to interact with remote services for banner grabbing.

With telnet, you can query any service simply by typing:

telnet IP PORT

Note that IP is the IP address, and PORT is the port where the remote service is running. If you haven't done it yet, you may want to use a port scanner first, to determine the open ports on the remote server.

Quick example:

[[email protected] ~]# telnet 22
Connected to
Escape character is '^]'.
Connection closed by foreign host.
[[email protected] ~]#

This will open a connection to IP address and get a response from the remote server. In this case, we targeted the 22 OpenSSH Server port, and the result was the exact version that is running on that server right now:


Interesting! That's what we've been looking for.


Wget is another great tool that can lead us to the remote banner of any remote or local server. For this, we'll use the following syntax:

wget -q -S

The -q will suppress the normal output, and the -S parameter will print the headers sent by the HTTP server, which also works for FTP servers.

The result:

[[email protected] ~]# wget -q -S
HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Mon, 11 Nov 2019 13:29:13 GMT
Content-Type: text/html
Content-Length: 5683
Last-Modified: Thu, 04 Oct 2018 17:44:09 GMT
Connection: keep-alive
ETag: "5bb65169-1633"
Accept-Ranges: bytes
[[email protected] ~]#

In this case, we were able to get the full banner of the remote HTTP server, detecting that it's running Nginx, and its exact version, 1.16.1.


cURL offers the same features to fetch remote banner information from HTTP servers. Here you can use the following syntax:

curl -s -I | grep -e "Server: "

The -s is used to avoid showing the progress or error messages, in short, it mutes the output; the -I parameter will show the header of all the requested pages, and finally we grep out the output to fetch the software information.

Expected output:

[[email protected] ~]# curl -s -I | grep -e "Server: "
Server: nginx/1.16.1
[[email protected] ~]#


Nmap is another great alternative, and here we will show you how to perform classic Nmap banner grab techniques. First, we will try some built-in features by using the following syntax:

nmap -sV --version-intensity 5 -p 80

The -sV option lets us fetch the software versions, and by adding --version-intensity 5, we can get the maximum number of possible details about the remote running software.

Expected output:

[[email protected] ~]# nmap -sV --version-intensity 5 -p 80
Starting Nmap 7.70 ( ) at 2019-11-11 11:06 -03
Nmap scan report for (
Host is up (0.20s latency).
rDNS record for
80/tcp open http-proxy Apache Traffic Server 7.1.6
Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 7.53 seconds

By using the powerful NSE we can also try other scripts that will help us fetch remote banners easily. One good example is shown below:

nmap -sV --script=banner IP

You can launch this against IPs or hosts, as you prefer.

Expected output:

[[email protected] ~]# nmap -sV --script=banner
Starting Nmap 7.70 ( ) at 2019-11-11 11:14 -03
Nmap scan report for
Host is up (0.000040s latency).
Not shown: 998 closed ports
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
|_banner: SSH-2.0-OpenSSH_8.0
80/tcp open http nginx 1.16.1
|_http-server-header: nginx/1.16.1
Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 23.05 seconds
[[email protected] ~]#

As you can see by using these Nmap banner grabbing, we were able to detect both SSH and HTTP servers running on the host, along with the exact software version for each.


Netcat is one of the oldest and most popular network utilities for Unix and Linux. For banner grabbing purposes, we'll use the following command:

nc -v IP PORT

This is the output example targeting a remote FTP server:

[[email protected] ~]# nc -v 21
Ncat: Version 7.70 ( )
Ncat: Connected to
220 (vsFTPd 3.0.3)
[[email protected] ~]#

In this case, we were able to grab the FTP banner -vsFTPD- and the exact software version -3.0.3-.


DMitry isn't a classic command for Unix and Linux systems, but an infosec-based utility known primarily by security researchers. It can help you get all the information possible from a remote host, including DNS enumeration, subdomain mapping, open ports and much more.

In this case, we'll use dmitry -p for port scanning, along with the -b flag to let it perform banner discovery. See the following syntax:

dmitry -bp

The result should be something like this:

Dmitry banner grabbing attack example

As you can see, DMitry was able to find the open ports, along with software names and versions, letting us know the operating system the server is running. While this test was against, it works the same way for any remote host.


Attack Surface Intelligence, our latest pilot product, is one of the best tools available for reducing your attack surface area. Ideal for security leaders and IT managers, this web-based utility will help you discover unseen areas of your online assets.

One aspect we've put a lot of work into is the port scanning and software discovery module, which allows you to easily detect open ports and exact software versions, along with OS information and platform, take a look at the following screenshot:

Attack Surface Intelligence software discovery feature

While some ports won't show any information because they've tweaked the headers and default banner variables, when we do find one, it will be displayed by default, as in the previous Ubuntu screenshot, featuring OpenSSH 7.2p2.

In this other case, we've discovered the exact Apache version, along with the exposed OpenSSL (1.1.1b) and PHP version (7.2.17):

Attack Surface Intelligence tool, showing Open Port, OS and Software Version

A real bonus is that ASI also allows you to fetch the data in raw JSON format, as shown below:

  "data": {
    "state": {
      "state": "open"
  "service": {
    "product": "Apache httpd",
    "version": "2.4.39",
    "method": "probe_matching",
    "cpe": [
    "extrainfo": "(Unix) OpenSSL/1.1.1b PHP/7.2.17",
    "name": "http"

SecurityTrails SQL

SecurityTrails SQL is our own SQL-like query language used by security teams. It allows you to take your reconnaissance, intelligence gathering and app automation to the next level. It’s mainly integrated in two ways: as a SecurityTrails API™ endpoint, or in the SQL Explorer interface from SurfaceBrowser™.

It helps security teams, SOC managers, and researchers during infrastructure mapping, by detecting exposed applications, finding vulnerable services and OS’s, and by offering SSL data extraction.


Zgrab is another great tool for banner grabbing. Specifically, it can be defined as a stateful application-layer scanner. It’s written in Go language, and supports a diverse range of protocols, including:

  • FTP
  • IMAP
  • POP3
  • SMTP
  • SSH
  • Modbus
  • Siemens S7
  • Telnet

This tool can be used for banner grabbing as part of any intelligence collection task performed against local and remote systems. Zgrab is often used for vulnerability scanning and assessment, penetration testing, and security research.


Banner grabbing is one of the most common techniques used in the reconnaissance process, during the initial phases of any penetration testing or real attack scenario.

If you're new to the penetration testing world, you'll find these tools and techniques make for a great start in your red team tasks, and from a blue team point of view, these are valuable tricks to identify exposed critical data about software running on your server. You'll be well-equipped to prevent cybersecurity incidents in the end.

Do you want to prevent cybersecurity issues within your online infrastructure? Or boost your red team intel-gathering tasks? Check out our latest pilot product: Attack Surface Intelligence - ASI, our enterprise-grade OSINT tool that will allow you to detect open ports and outdated software in an instant!

Esteban Borges Blog Author

Esteban is a seasoned cybersecurity specialist, and marketing manager with nearly 20 years of experience. Since joining SecurityTrails in 2017 he’s been our go-to for technical server security and source intelligence info.

Subscribe to the SecurityTrails newsletter
Sign up for our newsletter today!

Get the best cybersec research, news, tools,
and interviews with industry leaders