Banner grabbing
- Banner information = name + version
- 📝 Used to gain banner information about
- a computer (e.g. OS information)
- the services running on its open ports (e.g. nginx server)
- Allows attackers to exploit known vulnerabilities and form an attack plan.
- Can be prevented by disabling banners and by hiding web page extensions.
Passive banner grabbing
- Uses sniffing to determine the operating system.
- E.g. analyzing error messages, sniffing the traffic on the network, and examining page extensions.
Active banner grabbing
- Sending a packet to the OS and then analyzing the responses.
- E.g. each OS have different TCP/IP stack implementations.
- Values of TTL (time to live) and TCP window size in the IP header of the first packet are different in each OS.
- HTTP (80), FTP (21), SMTP (25) are common ports.
- Tools include
telnet
,nmap
,zgrap
andnetcat
.
Banner grabbing tools
nmap -O
for OS automatic fingerprinting, see also-O
: OS fingerprinting | Scanning tools
Netcat
- Networking utility for reading from and writing to network connections using TCP or UDP
- 🤗 Also known as TCP/IP swiss army knife
- FTP
nc 178.128.203.1 21
: Checks FTP port 21- 💡 You can use
nmap 178.128.203.1
to find out open ports.
- 💡 You can use
- Usual for FTP servers to return something like
Welcome to XXX FTP Server
- gives you insights about the owner and that it's a FTP server
- HTTP
- E.g.
nc 178.128.203.1 80
- Type e.g.
GET /index.html HTTP 1.0
orHEAD / HTTP/1.1
- Press
[ENTER]
- And also usually useful headers such as
Server: Apache/2.4.6 (CentOS)
- E.g.
- CryptCat is the encrypted version of netcat
Telnet
- Application protocol for bidirectional interactive text-oriented communication using a virtual terminal connection
- Historically used to access to a command-line interface on a remote host but now replaced with SSH as it's unsecure.
- Built into many operative systems as default
- Runs on port 23 so
telnet <target>
sends TCP to targets port 23.- You can send to different ports using
telnet
- You can send to different ports using
- If port is open a banner response received looking like:
Server: Microsoft-IIS/5.0 Date: Fri, 14 Aug 2009 1:14:42 GMT Content-Length:340 Content-Type: text/html