What is banner grabbing?
Hackers and security personnel use banner grabbing to obtain information about computer systems and the services running on their open ports. A banner is text displayed by a host server that contains information such as the software type and version. Welcome screens that reveal software versions and other information about network hosts give cybercriminals an advantage.
Banner grabbing is the act of obtaining software banner information such as version and name. Banner grabbing can be done manually by hackers or automatically with an OSINT tool. In both defensive and offensive penetration testing environments, grabbing a banner is an essential phase.
- Banner grabbing is used by intruders to locate network hosts running applications with known exploits.
- Banner grabbing can be performed with tools such as Telnet, Netcat, or Nmap.
- Security analysts and hackers can use passive or active banner grabbing to their advantage.
- To prevent banner grabbing, restrict access to your network services and shut down unused or unneeded services running on hosts.
Why Use Banner Grabbing?
FTP servers and web servers, as well as SSH servers and other system daemons, can expose sensitive information about operating systems, software versions, and names. Hackers can use a banner-grabbing attack to expose vulnerable and insecure applications that could be exploited or compromised.
You can gather many types of information using banner grabbing techniques, including protocols and services. Many tools and tactics can be used to facilitate the discovery process. Banner grabbing allows an attacker to find network hosts and the services running on their open ports, along with the versions of those services. It also allows them to identify operating systems. Hackers and pen-testers can quickly identify known exploitable vulnerabilities simply by identifying the version and application type.
Banner grabbing can be illustrated by the enumeration of a Microsoft Windows 7 host that is exploitable by EternalBlue (CVE-2017-0143). An attacker can grab a banner that indicates whether an SMB service is vulnerable or not. If the SMB service is running, the attacker can exploit the Microsoft server with the EternalBlue attack.
Service Ports Used During Banner Grabbing
These are some of the most popular service ports for banners:
- Port 80 runs the HyperText Transfer Protocol (HTTP) service.
- Port 21 runs the File Transfer Protocol (FTP) service.
- Port 25 runs the Simple Mail Transfer Protocol (SMTP) service.
Useful Tools and Techniques for Banner Grabbing
Hackers can use different tools for banner grabbing. These tools are used to establish a connection with a target web server and then send HTTP requests. The attacker receives a response that contains information about the service on the host.
These are some examples of banner-grabbing tools:
- Telnet: This classic cross-platform client allows hackers to interact with remote services to grab banners. To find relevant information, attackers and pen-testers can telnet to hosts using the default Telnet port (TCP port 23). Telnet connections can also be made to other service ports, such as HTTP, SMTP, and POP3. Many operating systems allow users to set up Telnet sessions, which allows them to do banner grabbing.
- WhatWeb: This tool recognizes websites and allows hackers and security experts to grab the banner of web applications by disclosing information about the server such as IP address, version, and webpage title.
- cURL: This tool includes the ability to retrieve banner details from HTTP servers.
- Wget: This banner-grabbing tool allows users to retrieve banners from local or remote servers. Wget uses a simple script that suppresses the expected output and prints the headers sent to it by the HTTP server.
- Netcat: A popular Unix/Linux network utility.
- Dmitry: The Deepmagic Information Gathering Tool can gather as much information about a host as possible. Dmitry lets attackers gather data on remote hosts, including DNS enumeration and subdomain mapping.
- Nmap: This simple banner grabber connects to an open TCP port and prints the details sent by the listening service within a matter of seconds.
There are also different banner-grabbing techniques that hackers can use to get access to sensitive information.
- Active banner grabbing: with this technique, attackers send packets and then analyze the response data. This attack involves opening a TCP connection or another type of connection between an origin host and a remote host. Active banner grabbing can be easily detected by intrusion detection systems (IDS).
- Passive banner grabbing: this technique allows security analysts and hackers to obtain the same information without exposing the origin connection. In passive banner grabbing, attackers use intermediate software and platforms to intercept a target’s connection. This technique makes use of third-party network tools, such as Shodan or search engines. It can also involve sniffing traffic to capture and analyze packets to determine the software and versions on the target.
Preventing Banner Grabbing
These tips can help you avoid banner grabbing:
- Restrict access to your network services.
- Shut down any unneeded or unused services on network hosts.
- To hide version information, you can modify the default banner behavior of your server. Administrators can modify the default banners and configure the operating system or application of the network host to disable them. They can also remove any information that could be used by attackers.
- To protect your applications from known server exploits, keep your server and system up-to-date.
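An added example (not from the original article or from any tool it names): a small Python audit that takes banners captured from your own services and reports which ones still disclose product versions or operating-system hints, the details the tips above say to remove. The sample banners, function names and protocol labels are constructed for illustration.

```python
import re

# Product token followed by a dotted version: "Apache/2.4.41", "OpenSSH_8.2p1", "vsFTPd 3.0.3".
VERSION_RE = re.compile(r"([A-Za-z][\w.+-]*?)[/_ ]v?(\d+(?:\.\d+)+[\w.-]*)")
# Operating-system hints that servers commonly append to their banners.
OS_RE = re.compile(r"\b(Ubuntu|Debian|CentOS|Red Hat|Windows|Win32|Win64|FreeBSD)\b", re.I)

# Constructed sample captures (not taken from any real host).
SAMPLES = {
    "web-default": ("http", "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\nX-Powered-By: PHP/7.4.3\r\n\r\n"),
    "web-hardened": ("http", "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n"),
    "ssh": ("ssh", "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5\r\n"),
    "ftp-default": ("ftp", "220 (vsFTPd 3.0.3)\r\n"),
    "ftp-hardened": ("ftp", "220 FTP server ready\r\n"),
    "smtp": ("smtp", "220 mail.example.test ESMTP Postfix (Ubuntu)\r\n"),
}


def extract_banner(protocol, raw):
    """Return the part of a captured greeting or response that identifies the software."""
    lines = raw.replace("\r\n", "\n").split("\n")
    if protocol == "http":
        # Only the Server and X-Powered-By response headers carry the banner.
        picked = [line.split(":", 1)[1].strip() for line in lines
                  if line.lower().startswith(("server:", "x-powered-by:"))]
        return "; ".join(picked)
    if protocol == "ssh":
        # Identification string: SSH-protoversion-softwareversion [comments]
        for line in lines:
            if line.startswith("SSH-"):
                return line.split("-", 2)[2] if line.count("-") >= 2 else ""
        return ""
    # FTP and SMTP greet with a "220" reply; multi-line replies use "220-".
    return " ".join(line[4:] for line in lines if line.startswith(("220 ", "220-")))


def audit(protocol, raw):
    """Report what a banner discloses: product/version pairs and OS hints."""
    banner = extract_banner(protocol, raw)
    versions = [(m.group(1), m.group(2)) for m in VERSION_RE.finditer(banner)]
    os_hints = sorted({m.group(1) for m in OS_RE.finditer(banner)})
    return {"banner": banner, "versions": versions, "os": os_hints,
            "leaks": bool(versions or os_hints)}


def leaking_services(samples=SAMPLES):
    """Names of the captured services whose banners still disclose something."""
    return sorted(name for name, (proto, raw) in samples.items() if audit(proto, raw)["leaks"])
```

The SMTP sample shows why checking for version numbers alone is not enough: its banner carries no version but still names the operating system.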