Banner Grabbing

What is banner grabbing?

• Tactic that basically involves sending unsolicited requests to an open port to see what default message (banner) is returned

• Depending on the version of the application is running on the port the returned banner can show potential vulnerabilities

• A common method of performing banner grabbing is to use Telnet

• netcat

  • A command-line networking utility that reads and writes data across network connections using TCP/IP.

  • Also a tunneling protocol, scanner and advanced hacking tool

  Copy

  nc <IPaddress or FQDN> <port number>

What are the different categories of banner grabbing?

• Active banner -

  • sending specially crafted packets to remote systems and comparing responses to determine the OS

  • Responses are compared with a database to determine the OS

  • Responses from different OSes are different because of different TCP/IP stack implementations

• Passive banner -

  • reading error messages provides information such as type of servers, OS, and SSL tool used by the target

  • sniffing network traffic

  • looking at page extensions to determine the application's version

Banner grabbing countermeasures

• Disable or Change banner

  • display false banners to mislead attackers

  • turn off unnecessary services on the network host

  • Use ServerMask tools to disable or change banner information

  • Apache 2.x with mod_headers module - use httpd.conf directive to change banner information

  • Alternatively change the ServerSignature line to ServerSignature Off in httpd.conf

• Hide File extensions from Web Pages

  • File extensions reveal information about the underlying technology

  • Change application mappings

  • Apache users should use mod_negotiation directives

  • IIS users use tools such as PageXchanger to manage file extensions