Banner Grabbing

What is banner grabbing?

  • A tactic that involves sending unsolicited requests to an open port to see what default message (banner) is returned

  • Depending on the version of the application running on the port, the returned banner can reveal potential vulnerabilities

  • A common method of performing banner grabbing is to use Telnet

  • netcat

    • A command-line networking utility that reads and writes data across network connections using TCP/IP.

    • Can also be used for tunneling, as a port scanner, and as an advanced hacking tool

    nc <IPaddress or FQDN> <port number>

What are the different categories of banner grabbing?

  • Active banner grabbing

    • Sending specially crafted packets to remote systems and comparing responses to determine the OS

    • Responses are compared with a database to determine the OS

    • Responses from different OSes are different because of different TCP/IP stack implementations

  • Passive banner grabbing

    • Reading error messages, which provide information such as the type of server, OS, and SSL tool used by the target

    • Sniffing network traffic

    • Looking at page extensions to determine the application's version

  • Disable or Change banner

    • Display false banners to mislead attackers

    • Turn off unnecessary services on the network host

    • Use ServerMask tools to disable or change banner information

    • Apache 2.x with mod_headers module - use httpd.conf directive to change banner information

    • Alternatively change the ServerSignature line to ServerSignature Off in httpd.conf

  • Hide File extensions from Web Pages

    • File extensions reveal information about the underlying technology

    • Change application mappings

    • Apache users should use mod_negotiation directives

    • IIS users use tools such as PageXchanger to manage file extensions
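
To check whether the banner countermeasures above have taken effect on your own services, the following added example (not part of the original notes) scans saved service responses for product/version strings. The function names, the regex heuristic and the sample responses are constructed for illustration; the heuristic only flags dotted versions such as 2.4.41.

```python
import re

# Heuristic: a product name followed by "/", "_" or a space and a dotted version,
# e.g. "Apache/2.4.41", "OpenSSH_8.2p1", "ProFTPD 1.3.5e".
PRODUCT_VERSION = re.compile(r"([A-Za-z][A-Za-z+-]*)[/_ ]v?(\d+(?:\.\d+)+[\w.-]*)")
# HTTP response headers that commonly carry a software banner.
BANNER_HEADERS = ("server", "x-powered-by")

def banner_fields(response):
    """Return the parts of a service response that act as its banner."""
    lines = response.splitlines()
    if not lines:
        return []
    if lines[0].startswith("HTTP/"):
        fields = []
        for line in lines[1:]:
            if not line:
                break  # blank line ends the headers; the body is not a banner
            name, _, value = line.partition(":")
            if name.strip().lower() in BANNER_HEADERS:
                fields.append(value.strip())
        return fields
    return [lines[0]]  # SSH, FTP, SMTP: the greeting line is the banner

def disclosed_versions(response):
    """List the (product, version) pairs a response reveals."""
    found = []
    for field in banner_fields(response):
        found.extend(PRODUCT_VERSION.findall(field))
    return found

# Constructed sample responses (not captured from any real host).
SAMPLES = {
    "http-default": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n"
                    "X-Powered-By: PHP/7.4.3\r\n\r\n<p>Server: x/9.9</p>",
    "http-hardened": "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n",
    "ssh": "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5\r\n",
    "ftp": "220 ProFTPD 1.3.5e Server (Debian)\r\n",
}

def audit(samples):
    """Map each sample name to the versions its banner discloses."""
    return {name: disclosed_versions(resp) for name, resp in samples.items()}

if __name__ == "__main__":
    for name, hits in audit(SAMPLES).items():
        print(name, "->", hits or "no version disclosed")
```

An empty result for a service means its banner no longer names a dotted version; it does not mean the service is unidentifiable by other fingerprinting methods.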
