
I am preparing for a security exam and a question I failed in a practice has the following:

A command line tool that can be used for banner grabbing is called:
A) tcpdump
B) netcat
C) nmap
D) Wireshark

I chose nmap, but the correct solution is apparently netcat. I am aware that netcat is used for banner grabbing, but so is nmap: https://www.hackingarticles.in/multiple-ways-to-banner-grabbing/

What did I miss? Is the question incorrect?

  • I would say all but Wireshark, and then only because Wireshark is more a graphical environment than a command line tool. Wireshark and tcpdump can be used for passive banner grabbing, the other two are active. Questions like this often test more whether you have read the chapter than what is actually possible. – Ljm Dullaart Nov 13 '20 at 09:31
  • That's dumb af tho, because there are multiple books and ways to study for this stupid exam. They have no way to know how I found out that info. Just put only one option down that is correct. I agree Wireshark is wrong because it's not a command line but have def used both nmap and netcat for this before. – Nimrod Sadeh Nov 13 '20 at 16:04
  • The test question's "correct" answer is silly, as nmap is the tool you would use to identify a service in reality. But if you were on some stripped down machine with only netcat, you could use netcat if you wanted to revert back to 1990s tactics. Just know, as it applies to real life activities, you gave the correct answer. – john doe Nov 13 '20 at 21:16

1 Answer

tcpdump & wireshark

You can quickly rule out tcpdump and wireshark since both are used for packet captures. While banners could be grabbed by obtaining full packet captures, an encrypted stream circumvents it. Having access to the private key could decrypt the encrypted stream, but that is not feasible for this question. It's overthinking and unlikely.

That leaves nmap and netcat.

nmap

Perhaps, for this material, nmap was placed in the network port scanner category. It's good you recognize there's much more functionality, for I too see it as the "practical" answer.

netcat / nc

netcat is best known for establishing network connections, which allows file transfers, sending custom requests to services (e.g. SMTP, HTTP, etc.), and tunneling, just to name a few. So with nc handling the lower OSI layers of the connection, the user can manipulate the upper layers as needed. With banners being at the Application layer, nc can be used, which is likely why it's the desired answer.

Alternative

Another way to look at it is to consider pivoting. Of all the listed utilities, tcpdump and netcat are natively available on Linux/Unix systems. This makes netcat the answer.

Context Matters

As mentioned in the comments, tests often look to evaluate your knowledge of the material. So it's best to approach questions using that lens.

phbits
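The answer's point about nc "handling the lower OSI layers" while the banner lives at the Application layer is easiest to see in code. The following is an added example, not part of the answer above or of netcat/nmap: it does by hand what `nc host port` does (open a TCP connection, optionally send a probe, read whatever the service says first), and pairs it with a throwaway listener on 127.0.0.1 so it runs offline. The banners are constructed samples, not captures from any real host; the protocol hints and the version-token regex are my own assumptions, written from the hardening side (what does my own service disclose?).

```python
"""Added example: a minimal active banner grabber plus a local throwaway
server. Mirrors what `nc host port` does interactively; nothing here is
netcat's or nmap's own code."""
import re
import socket
import threading

# Constructed sample banners (assumed, not captured from any real host).
SAMPLE_SMTP_BANNER = b"220 mail.example.test ESMTP Postfix (Debian/GNU)\r\n"
SAMPLE_HTTP_REPLY = (b"HTTP/1.0 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n"
                     b"Content-Length: 0\r\n\r\n")


def serve_banner(payload, wait_for_request=False):
    """Start a throwaway TCP listener on 127.0.0.1 that answers every client
    with `payload`. With wait_for_request=True it behaves like HTTP: it says
    nothing until the client sends something. Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:             # listener closed: stop the thread
                return
            with conn:
                try:
                    if wait_for_request:
                        conn.recv(1024)  # HTTP-style: wait for the probe
                    conn.sendall(payload)
                except OSError:
                    pass                # client went away; nothing to do

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port


def grab_banner(host, port, probe=b"", timeout=2.0, max_bytes=1024):
    """Connect, optionally send `probe`, and read what the service says first.
    Equivalent to `nc host port`, or to piping a request into nc for services
    such as HTTP that only answer after a request."""
    chunks, total = [], 0
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        try:
            while total < max_bytes:
                data = s.recv(max_bytes - total)
                if not data:            # peer closed: banner is complete
                    break
                chunks.append(data)
                total += len(data)
        except socket.timeout:          # silent service, or it needs a probe
            pass
    return b"".join(chunks).decode("utf-8", errors="replace").strip()


def classify_banner(banner):
    """Map the first bytes of a banner to a protocol (assumed fingerprints)."""
    if re.match(r"^220[ -]", banner):   # SMTP and FTP both greet with 220
        upper = banner.upper()
        if "SMTP" in upper:
            return "smtp"
        if "FTP" in upper:
            return "ftp"
        return "smtp-or-ftp"
    if re.match(r"^SSH-\d", banner):
        return "ssh"
    if re.match(r"^\* OK", banner):
        return "imap"
    if re.match(r"^\+OK", banner):
        return "pop3"
    if re.match(r"^HTTP/\d", banner):
        return "http"
    return "unknown"


def version_tokens(banner):
    """Product/version strings the banner discloses (e.g. 'Apache/2.4.41');
    the protocol version 'HTTP/1.0' is excluded. This is what a hardening
    review tries to minimise."""
    return re.findall(r"(?!HTTP/)\b[A-Za-z][\w.-]*/\d+(?:\.\d+)+", banner)


if __name__ == "__main__":
    srv, port = serve_banner(SAMPLE_SMTP_BANNER)
    smtp = grab_banner("127.0.0.1", port)           # server speaks first
    print(classify_banner(smtp), repr(smtp), version_tokens(smtp))
    srv.close()

    srv, port = serve_banner(SAMPLE_HTTP_REPLY, wait_for_request=True)
    http = grab_banner("127.0.0.1", port, probe=b"HEAD / HTTP/1.0\r\n\r\n")
    print(classify_banner(http), repr(http), version_tokens(http))
    srv.close()
```

The two runs show the distinction the answer relies on: SMTP (like SSH and FTP) announces itself as soon as the TCP connection is up, so plain `nc host 25` is enough; HTTP says nothing until it receives a request, so the probe has to be supplied, which is exactly what nmap's service detection automates for you.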