What is Banner Grabbing?- Hackers and security teams employ banner grabbing to obtain information about a computer system on a network and the services running on its open ports. A banner is a piece of text shown by a host server that contains information such as the kind and version of software running on a system or server. The welcome displays reveal software version numbers and other system information about network hosts, giving attackers an advantage in network attacks.
Getting software banner information, such as the name and version, is known as banner grabbing. Banner grabbing can be done manually or automatically with the help of an OSINT tool. In both offensive and defensive penetration testing settings, grabbing a banner is an important step.
Important Points to Remember
- Intruders utilise banner grabbing to locate network hosts running known exploited apps and operating systems.
- Banner snatching is done via tools like Nmap, Netcat, and Telnet.
- Active and passive banner capturing techniques can be used by hackers and security experts.
- To avoid banner snatching, restrict access to services on your network and shut down any unwanted or superfluous services operating on hosts.
Why Use Banner Grabbing?
FTP servers, web servers, SSH servers, and other system daemons all reveal sensitive information regarding software names, versions, and operating systems. As a result, hackers can use a banner grabbing attack against several protocols to find unsecure and susceptible programmes that can be exploited.
Using a banner grabbing technique, you can collect a variety of services, protocols, and banner types of information. For the discovery process, you can design a variety of methods and tools. Overall, banner grabbing allows an attacker to discover network hosts, running services, and operating systems, as well as their versions on exposed ports. A hacker or pen-tester can easily seek for known and exploitable vulnerabilities in that version using the programme type and version.
Enumeration of a Microsoft Windows 7 host exploitable by Eternal Blue is an example of banner grabbing (CVE-107-0143). The attacker can take a service banner that shows whether or not a vulnerable version of the SMB service is running over it. If the Eternal Blue attack is active, the hacker can easily exploit the Microsoft server directly.
Service Ports used During Banner Grabbing
The following are some of the most commonly used service ports for banner:
- The HyperText Transfer Protocol (HTTP) service is running on port 80.
- File Transfer Protocol (FTP) service is operating on port 21.
- The Simple Mail Transfer Protocol (SMTP) service is running on port 25.
- Tools & Techniques for Grabbing Banners
Hackers employ a variety of techniques to capture banners. They use these tools to connect to a target web server and then send HTTP requests to it. The attacker receives a response providing information about the service operating on the host as a result of this operation.
The following are some examples of banner grabber software:
- Telnet is a classic cross-platform client that allows hackers and pen-testers to communicate with remote services in order to capture banners. Pen-testers and attackers can uncover useful information by telneting to hosts on the default telnet port (TCP port 23). Other regularly used ports, such as SMTP, HTTP, and POP3, can be telneted by attackers. Telnet sessions can be established on most operating systems, allowing users to grab banners.
- Whatweb: the tool recognises websites, assisting hackers and security analysts in grabbing the web-apps banner by revealing server information such as the IP address, version, webpage title, and OS system in use.
- cURL: the tool offers a command that allows you to retrieve banner information from HTTP servers.
- Wget is a banner grabbing programme that may take users to the banners of remote or local servers. Wget employs a simple script to hide anticipated output and print the HTTP server’s headers.
- Netcat is one of the most well-known and widely used network utilities for Unix and Linux.
- DMitry: The Deepmagic Information Gathering Tool is capable of collecting as much host data as possible. DMitry gives attackers access to any data on a remote site, including DNS enumeration, subdomain mapping, open ports, and more.
- Nmap: a basic banner grabber that connects to an open TCP port and writes out information received by the listening service in a matter of seconds.
At the same time, hackers and security teams might deploy a variety of banner snatching strategies.
- Active Banner Grabbing: Attackers use Active Banner Grabbing to send packets to a remote host and evaluate the response data. The attack entails establishing a TCP or equivalent connection between a remote host and an origin. Active banner snatching can be easily detected by intrusion detection systems (IDS).
- Passive Banner Grabbing: this technique allows hackers and security researchers to obtain the same data without exposing themselves to the origin connection. In passive banner grabbing, attackers use intermediary applications and platforms as a gateway to avoid establishing a direct connection with the target while collecting data. This method captures and analyses packets using third-party network tools and services such as search engines, Shodan, or sniffing the traffic to detect the software and versions operating on the host.
Preventing Banner Grabbing
To avoid banner grabbing, follow these guidelines:
- Access to network services should be restricted.
- Shut down any network hosts that are running unneeded or superfluous services.
- To hide version information, you can change your server’s default banner behaviour. System administrators can change the default banners, disable the banners in the network host’s application or operating system, or remove information from the banners that might give an attacker an advantage.
- To protect your applications from known server attacks, keep your server and systems up to date.