What is Banner Grabbing?
Banner grabbing is a technique used by hackers and security teams to gain information about a computer system on a network and services running on its open ports. A banner is a text displayed by a host server containing details like software type and version running in a system or server. The welcome screens divulge software version numbers and other system information on network hosts, giving cybercriminals a leg up on attacking the network.
Banner grabbing involves getting software banner information, such as name and version. Hackers can perform banner grabbing manually or automatically using an OSINT tool. Grabbing a banner is one of the essential phases in both offensive and defensive penetration testing environments.
- Intruders use banner grabbing to find network hosts that are running applications and OS with known exploits
- Tools like Nmap, Netcat, and Telnet perform banner grabbing
- Hackers and security analysts can perform active or passive banner grabbing techniques
- Restrict access to services on your network and shutdown unused or unnecessary services running on hosts to prevent banner grabbing
Why Use Banner Grabbing?
Popular services like FTP servers, web servers, SSH servers, and other system daemons expose confidential information about software names, versions, and operating systems. As a result, hackers can run a banner grabbing attack against different protocols to discover insecure and vulnerable applications for compromise and exploitation.
There are many services, protocols, and banner types of information you can collect using a banner grabbing technique. You can develop various tactics and tools for the discovery process. Overall, banner grabbing allows an attacker to discover network hosts and running services with their versions on open ports, as well as operating systems. With the application type and version, a hacker or pen-tester can quickly look for known and exploitable vulnerabilities in that version.
An example of banner grabbing is the enumeration of a Microsoft Windows 7 host exploitable by Eternal Blue (CVE-107-0143). The attacker can grab a service banner that displays whether the SMB service with a vulnerable version is running over it or not. If running, then the hacker can easily exploit the Microsoft server directly with the Eternal Blue attack.
Service Ports used During Banner Grabbing
Popular service ports used for banner include:
- Port 80 running HyperText Transfer Protocol (HTTP) service
- Port 21 running File Transfer Protocol (FTP) service
- Port 25 running the Simple Mail Transfer Protocol (SMTP) service
Banner Grabbing Tools and Techniques
Hackers use different tools to perform banner grabbing. They leverage these tools to establish a connection to a target web server then send HTTP requests. In the process, the attacker gets a response containing information about the service running on the host.
Examples of banner grabbing tools include:
- Telnet: this classic cross-platform client allows hackers and pen-testers to interact with remote services for banner grabbing. Pen-testers and attackers can telnet to hosts on the default telnet port (TCP port 23) to discover relevant information. Attacks can telnet other commonly used ports like SMTP, HTTP, and POP3. Most operating systems can establish Telnet sessions, allowing users to perform banner grabbing
- Whatweb: the tool recognizes websites, helping hackers and security analysts to grab the web-applications banner by disclosing the server information such as the IP address, version, webpage title, and running operating system
- cURL: the tool has a command that includes the functionality for retrieving banner details form HTTP servers
- Wget: the banner grabbing tool can lead users to remote or local servers’ banner. Wget uses a simple script to suppress the expected output and print the headers sent by the HTTP server
- Netcat: the tool is one of the oldest and popular network utilities for Unix and Linux.
- DMitry: The Deepmagic Information Gathering Tool can gather as much host information as possible. DMitry allows attackers to get all the data from a remote host, including DNS enumeration, subdomain mapping, open ports, and much more.
- Nmap: this simple banner grabber connects to an open TCP port and prints out details sent by the listening service within a few seconds
At the same time, there are different banner grabbing techniques that hackers and security teams can use.
- Active Banner Grabbing: in this technique, attackers send packets to a remote host and analyze the response data. The attack involves opening a TCP or similar connection between an origin and a remote host. Intrusion detection systems (IDS) can easily detect active banner grabbing
- Passive Banner Grabbing: the technique allows hackers and security analysts to get the same information while avoiding exposure from the origin connection. In passive banner grabbing, attackers deploy intermediate software and platforms as a gateway to prevent a direct connection while collecting data from the target. This technique uses third-party network tools and services such as search engines, Shodan, or sniffing the traffic to capture and analyze packets to determine software and versions running on the host
Preventing Banner Grabbing
You can follow these tips to prevent banner grabbing:
- Restrict access to services on the network
- Shut down unused or unnecessary services running on network hosts
- You can override your server’s default banner behavior to hide version information. System administrators can customize default banners, configure the network host’s application or operating system to disable the banners, or remove information from the banners that could give an attacker a leg up.
- Keep your server and systems up to date to secure your applications against known server exploits