Whenever it comes to penetration testing, the first thing that comes to mind is reconnaissance. Banner grabbing is used in the initial phase of reconnaissance to get an idea of the target system or application.
Banner grabbing is a fundamental enumeration technique used in reconnaissance to gather information about the target application running on a network. The term “Banner grabbing” comprises two terms – banner and grabbing.
A banner is the information a service presents when a client connects to it, typically naming the software, its version and sometimes the operating system of the host listening on that port. Banner grabbing, hence, refers to collecting that banner data from the services running on a host.
What is the banner grabbing technique?
Banner grabbing is the act of collecting software banner details from a target service port. Once the banner is in hand, the attacker can look up known weaknesses in that exact software, since details such as the version, the underlying operating system and the nature of the service are laid out in the open.
In short, banner grabbing sets the base for the later stages of a penetration test or red teaming exercise. Banners can easily give away information about the system, but beware: banners can also be set to mislead the visitor. For instance, a server may actually be running Microsoft IIS while its banner reads ‘Apache’; the banner alone does not prove an Apache web server is in use. Banner grabbing is therefore not a 100% accurate way to verify the software in use, but a technique that supports the initial information analysis and attack planning phase.
Banner grabbing is not an attack per se but a technique used to collect information for analysis to determine the services in use.
Is banner grabbing active or passive?
Banner grabbing is performed in two ways, active and passive. Active banner grabbing means actually connecting to the service (a TCP connection, or a probe datagram for UDP services) and capturing the response from the target system. Passive banner grabbing relies on information that has already been gathered elsewhere: logs, previously collected responses, or a database or online resource where the data is readily available.
Types Of Banner Grabbing Techniques
The two basic types of banner grabbing techniques are explained further:
Active Banner Grabbing
One of the most common and popular types of banner grabbing is active banner grabbing. This technique is widely used in security work to obtain application or software banner information.
In active banner grabbing, the attacker sends crafted packets to the remote host and then waits for the response. ‘Crafted’ here means the packet follows the protocol or format the target service understands, for example an HTTP request to a web server, so that the service answers. Once a response is received, the attacker analyses it and extracts the required information, such as the software versions of the running services and the operating system of the target web server or host.
This technique requires a Transmission Control Protocol (TCP) connection to be established between the attacker’s host and the remote host, and that connection can be logged on the remote host. Insecure and vulnerable applications often give away information about obsolete or easy to exploit software, leading the way for threat actors.
An example of this technique is enumerating Windows hosts over SMB to identify exploitation opportunities. For instance, finding hosts whose SMB service is still vulnerable to EternalBlue (MS17-010) helps the attacker analyse the target and move to the further stages of the cyber kill chain.
Some Intrusion Detection Systems (IDS) can easily detect active banner grabbing. The technique is risky for the attacker because every connection can be logged on the remote host.
Passive Banner Grabbing
The other type of banner grabbing is passive banner grabbing. It is termed passive because, unlike the active method, it does not need any direct connection between the attacker’s host and the remote host.
Passive banner grabbing relies on search engines, banner data that has already been collected, and service detection results published by Internet-wide scanning services such as Shodan or GreyNoise.
Because no packet from the attacker reaches the target, this technique avoids the exposure that a direct connection brings, making it far less likely to be noticed than active banner grabbing.
Intermediate systems do the connecting instead: a third-party service such as Shodan has already connected to the remote host and recorded its banners, and the attacker only queries that data.
The trade-off is freshness. Since the data comes from a third party’s scans rather than from the target itself, it may be stale; the service may have been patched or reconfigured since the last scan, so passive findings should be confirmed with an active probe before being relied on.
Common ports to perform Banner Grabbing attack
The first and foremost condition for grabbing a banner is an open port with a listening service; without a service answering, there is no banner to collect, no operating system information to infer and no service version to record.
Attackers and security professionals alike perform banner grabbing to learn what services are running on a remote or local server. Some of the common service ports used for banner grabbing are:
Web servers running Hyper Text Transfer Protocol (HTTP) – Port 80, or HTTPS on port 443
Email servers using Simple Mail Transfer Protocol (SMTP) – Port 25, along with the submission ports 587 and 465
FTP servers using File Transfer Protocol (FTP) – Port 21
SSH servers running Secure Shell (SSH) – Port 22
Windows servers running SMB and the NetBIOS session service – Port 445 and Port 139
Similarly, various other services use different ports that can be connected for banner grabbing exercises.
What are the commands for banner grabbing?
Telnet is an unencrypted remote-terminal protocol that has largely been replaced by SSH for administration. Because a Telnet client simply opens a raw TCP connection and relays whatever it receives, it can still be pointed at services such as FTP servers, HTTP servers or other remote services to read their banners.
Banner grabbing SSH service
We can grab the banner of an SSH server (the same approach works for HTTP, SMTP or FTP servers) on a remote host with this simple command. An SSH server speaks first: as soon as the TCP connection is up it sends its identification string, which starts with SSH-2.0- followed by the software name and version (RFC 4253), so nothing needs to be typed:
[amit@whisper ~]$ nc -v 10.0.0.5 22
Ncat: Version 7.80 (https://nmap.org/ncat)
Ncat: Connected to 10.0.0.5:22.
Similarly, Telnet can be used for banner grabbing because a Telnet client is available on practically every operating system and can connect to any TCP port.
Banner grabbing HTTP servers
Here we connect to port 80 (an HTTP server) on a remote system using netcat. Unlike SSH, an HTTP server stays silent until the client sends a request, so after connecting type a request such as HEAD / HTTP/1.0 followed by an empty line to receive the response headers. Even a malformed or empty request draws a 400 Bad Request whose Server header still reveals the software in use, as in the output below:
[amit@whisper ~]$ ncat -v 10.0.0.2 80
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Connected to 10.0.0.2:80.
HTTP/1.1 400 Bad Request
Date: Wed, 02 Feb 2022 11:20:57 GMT
Server: Apache/2.4.y (Ubuntu)
Common Banner Grabbing Tools
We have already seen the ports commonly used for banner grabbing in the previous section. This section sheds light on some of the most common and popular banner grabbing tools that attackers and security professionals use.
Banner grabbing is usually one function of a larger toolset that also discovers network hosts, collects banners, analyses the collected information and performs fingerprinting.
An individual can also script a simple banner grabber for their own use. If you are intrigued by cyber security or trying to improve your scripting skills, this is one of the best small projects to start with.
Nmap (Network Mapper) scans a host for open ports and, with version detection enabled (-sV), sends protocol-specific probes to each open port to identify the software and its version; -O adds operating system detection, and the banner NSE script (--script banner) prints the raw banner each service returned. We can check the SSH service on port 22 with this simple command line:-
nmap -sV -p22 192.168.0.1
Banner Grabbing With Netcat
Netcat, also known as nc, is one of the oldest command-line networking tools and remains one of the most popular network utilities on Unix/Linux. For banner grabbing, we can use this command line:-
nc -v IP Port
What are the differences between ncat, nc and netcat?
nc is the traditional command name, and several implementations answer to it: the original netcat, GNU netcat and the OpenBSD rewrite shipped by many Linux distributions. ncat is the Nmap project’s reimplementation, which adds features such as TLS connections (--ssl) and connection brokering; on some systems nc is simply a link to ncat, which is why the nc command above reported ‘Ncat: Version 7.80’. socat is a similar but more general relay tool also used by Unix/Linux users.
netcat is useful to almost any IT team, including developers, administrators and security teams. Beyond banner grabbing, it is used for quick port checks, moving files between hosts, capturing data sent to a listener, and launching bind or reverse shells.
Wget is a download tool that also serves as an active banner grabber for HTTP servers: it connects to the remote host and can print the headers the server returns. For banner grabbing, we can use this command line:-
wget -q -S --spider http://IP
Here -q suppresses wget’s normal progress output, -S (--server-response) prints the headers sent by the HTTP server (including its Server header) on stderr, and --spider checks the URL without downloading the page.
cURL (client URL) is similar to wget and is used to transfer data to and from servers over many protocols. It can retrieve the banner data of an HTTP server with this syntax:-
curl -s -I IP
Here -s (silent) hides the progress meter and error messages, and -I sends a HEAD request so only the response headers, including the Server header, are returned. Swap -s for -v to also see the request and, on an HTTPS port, the TLS handshake details.
Wappalyzer is a browser extension (available for both Firefox and Google Chrome) that performs passive banner grabbing of web applications: it inspects the response headers, cookies and page content of the sites you visit and reports the technologies in use, such as the web server, frameworks and content management systems, with versions where they are exposed.
Banner Grabbing Using Python
You can also write your own banner-grabbing scripts; PowerShell, Python, VB, C/C++ and Java implementations are all common. The essential steps are the same in any language: open a TCP connection with a timeout, send a protocol-appropriate probe if the service does not speak first, read what comes back, and parse out the software and version fields.
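The following is an added Python example, not code from the original article, of a small active banner grabber. It shows the two cases a grabber has to handle: services that speak first (SSH, FTP, SMTP), where connecting is enough, and HTTP, where the client must send a request before anything comes back; it then parses the SSH identification string and the HTTP Server header. To run offline it starts two throwaway listeners on 127.0.0.1 that return constructed banners; the OpenSSH and Apache versions in them, and the Host: target placeholder in the probe, are made up.

```python
"""Active banner grabber in Python (added example, not from the original article).

Two probe styles are covered:
  * services that speak first (SSH, FTP, SMTP): connect and just read;
  * HTTP, which stays silent until asked: send a HEAD request, then read.

The two throwaway listeners on 127.0.0.1 and their banners are constructed
for this example so it runs offline; the hosts and versions are made up.
"""
import socket
import threading

TIMEOUT = 3.0
# Probe for HTTP servers. "Host: target" is a placeholder (assumption).
HTTP_PROBE = b"HEAD / HTTP/1.0\r\nHost: target\r\n\r\n"


def grab_banner(host, port, probe=None, timeout=TIMEOUT, max_bytes=1024):
    """Connect to host:port, send `probe` if given, and return what the service
    sends back (leniently decoded). Stops on EOF, max_bytes, or timeout."""
    chunks, received = [], 0
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if probe:
            sock.sendall(probe)
        try:
            while received < max_bytes:
                data = sock.recv(max_bytes - received)
                if not data:          # peer closed the connection
                    break
                chunks.append(data)
                received += len(data)
        except socket.timeout:
            pass                      # nothing (more) within the timeout
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_ssh_banner(banner):
    """Split an RFC 4253 identification string
    'SSH-<proto>-<software> [comments]' into its fields; None if not SSH."""
    first = banner.splitlines()[0] if banner else ""
    if not first.startswith("SSH-"):
        return None
    ident, _, comments = first.partition(" ")
    fields = ident.split("-", 2)          # ['SSH', '2.0', 'OpenSSH_8.9p1']
    if len(fields) < 3:
        return None
    return {"protocol": fields[1], "software": fields[2], "comments": comments}


def http_server_header(response):
    """Return the Server header of a raw HTTP response, or None."""
    head = response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


# --- constructed fake services, so the example runs offline -----------------
FAKE_SSH_BANNER = b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6\r\n"
FAKE_HTTP_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                      b"Server: Apache/2.4.52 (Ubuntu)\r\n"
                      b"Content-Length: 0\r\n\r\n")


def serve_once(payload, wait_for_request=False):
    """Listen on a free loopback port, serve `payload` to one client, return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def handle():
        conn, _ = srv.accept()
        with conn:
            if wait_for_request:      # behave like HTTP: answer only after a request
                conn.settimeout(TIMEOUT)
                conn.recv(1024)
            conn.sendall(payload)
        srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return port


def demo():
    """Grab both fake banners; returns (parsed SSH dict, HTTP Server header)."""
    ssh = parse_ssh_banner(grab_banner("127.0.0.1", serve_once(FAKE_SSH_BANNER)))
    http_port = serve_once(FAKE_HTTP_RESPONSE, wait_for_request=True)
    http = http_server_header(grab_banner("127.0.0.1", http_port, probe=HTTP_PROBE))
    return ssh, http


if __name__ == "__main__":
    ssh_info, http_server = demo()
    print("SSH :", ssh_info)      # {'protocol': '2.0', 'software': 'OpenSSH_8.9p1', ...}
    print("HTTP:", http_server)   # Apache/2.4.52 (Ubuntu)
```

Against a real target, replace the loopback port with the host and port you are probing and drop the fake listeners; the timeout matters, because a service that never speaks (or a firewall that silently drops the probe) would otherwise hang the script. Each connection is, of course, visible in the target’s logs, exactly the active-grabbing trade-off described above.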
Other tools include Deepmagic Information Gathering Tool (Dmitry), available here:
How to prevent banner grabbing?
Although banner grabbing is not itself an attack, the banners you expose say something about how well your infrastructure is maintained. Remember, as mentioned above, banners can be altered to give a false impression, but attackers and security professionals have plenty of other ways to confirm what is really running, such as probing protocol behaviour and fingerprinting responses (Nmap’s -sV does exactly this), so hiding a banner is obfuscation rather than protection.
Preventing banner grabbing is rarely high on a security team’s agenda, but it is part of the hardening baseline for Internet-facing services. Here are some of the common ways to limit banner grabbing and enumeration attempts:
Override the default banner. Most server software lets administrators trim or replace it: for example Apache’s ServerTokens Prod and ServerSignature Off reduce the Server header to ‘Apache’, and nginx’s server_tokens off removes the version. Some protocols require an identification string, however; OpenSSH always announces its version, and the sshd Banner option only controls the pre-login text, so a custom banner cannot hide everything.
Keep all servers and systems patched. Outdated software is the low-hanging fruit attackers look for first, and a banner that advertises an old version makes it easy to find.
Close or shut down unused or unnecessary services and ports.
Only allow necessary services to run on network hosts, keeping the attack surface small.
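To check whether a server still advertises versions before and after its banner is trimmed, here is an added Python example (not code from the original article) that parses a raw HTTP response and flags the headers an attacker would harvest by banner grabbing. The two responses it audits are constructed samples, and the header list and severity scale are this example’s own choices, not a standard.

```python
"""Audit HTTP response headers for software/version disclosure (added example,
not from the original article). It reports the headers an attacker would
harvest by banner grabbing, so a server can be checked before and after the
banner is trimmed. The two sample responses are constructed for this example.
"""
import re

# Headers that routinely name the product behind a site: "server" is the
# banner itself, the others are added by frameworks and application servers.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version",
                      "x-aspnetmvc-version", "x-generator")
VERSION_RE = re.compile(r"\d+\.\d+")          # 2.4.52, 8.1, 10.0 ...
PRODUCT_VERSION_RE = re.compile(r"\S+/\S+")   # Apache/2, PHP/8.1.2 ...


def parse_headers(raw_response):
    """Return (status_line, {header-name-lowercased: value}) from a raw response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def audit_headers(raw_response):
    """Return findings as (header, value, severity) tuples, most severe first.

    high   exact version present (maps straight to a CVE lookup)
    medium product/version token without a full version, e.g. Apache/2
    low    product named but no version, e.g. x-powered-by: Express
    A bare 'Server: Apache' or 'Server: nginx' is the trimmed state and is not
    reported: it is as far as Apache's ServerTokens Prod / ServerSignature Off
    and nginx's server_tokens off go without third-party modules."""
    _, headers = parse_headers(raw_response)
    findings = []
    for name in DISCLOSING_HEADERS:
        value = headers.get(name)
        if value is None:
            continue
        if VERSION_RE.search(value):
            findings.append((name, value, "high"))
        elif PRODUCT_VERSION_RE.search(value):
            findings.append((name, value, "medium"))
        elif name != "server":
            findings.append((name, value, "low"))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f[2]])


# --- constructed samples: the same server before and after trimming ---------
LEAKY = ("HTTP/1.1 200 OK\r\n"
         "Server: Apache/2.4.52 (Ubuntu)\r\n"
         "X-Powered-By: PHP/8.1.2\r\n"
         "Content-Type: text/html\r\n\r\n"
         "<html></html>")
TRIMMED = ("HTTP/1.1 200 OK\r\n"
           "Server: Apache\r\n"
           "Content-Type: text/html\r\n\r\n"
           "<html></html>")

if __name__ == "__main__":
    for label, resp in (("before", LEAKY), ("after", TRIMMED)):
        print(label, audit_headers(resp) or "no version disclosure")
```

Paste in the raw response captured with curl -s -I or the netcat session shown earlier. Note that the trimmed response still names the product; with stock Apache or nginx that is the floor, and as the text above says, an attacker can fingerprint the software by its behaviour anyway, so the real fix for an old version is patching it, not hiding it.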
Taking these steps makes it harder for attackers, and for the security professionals testing on your behalf, to gain information about your systems and servers, and it reflects well on how your infrastructure is maintained.
Engage your organisation in continuous security validation based on your asset architecture and security roadmap. Periodic penetration testing and vulnerability assessments help you stay on top of your attack surface.
If you need professional help or counsel to secure your organisation’s system, we are happy to help. Head to our site to learn more.
Shahrukh is a passionate cyber security analyst and researcher who loves to write technical blogs on different cyber security topics. He holds a Master’s degree in Information Security and an OSCP, and has a strong technical skillset in offensive security.