The information obtained via banner grabbing can include details such as the type and version of operating system, as well as specific service and application names and versions. While banner grabbing can be used for legitimate purposes such as network inventory or verification, it is also a preliminary step for attackers to identify potential vulnerabilities in network services that can be exploited.
Protecting against malicious banner grabbing often involves configuring services to limit the information disclosed in banner messages, keeping software up to date to mitigate known vulnerabilities, and deploying intrusion detection and prevention systems to monitor and block suspicious network traffic.
What does banner grabbing look like?
Here is an example of banner grabbing for a HTTP service using the curl command.
curl --head -k http://notarealwebsite-justatest.com
Example HTTP response showing the “Server” banner, which would constitute as banner grabbing
HTTP/1.1 200 OK Date: Fri, 24 Nov 2023 16:13:32 GMT Server: Apache/2.2.3 (Red Hat) < --- This is the banner Accept-Ranges: bytes Cache-Control: max-age=7200 Expires: Fri, 24 Nov 2023 18:13:32 GMT Content-Type: text/html; charset=UTF-8
What about a different service? Like SSH?
nmap -sV -p 22 redacted
Example showing the SSH banner, which also constitutes as an example of banner grabbing.
PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
- Information Gathering: A method used to collect detailed information on systems and services.
- Passive or Active Technique: Can be conducted through direct connection attempts or passive monitoring of network traffic.
- Use in Reconnaissance: Often used by attackers as part of the reconnaissance phase of a cyber attack.
- Security Hardening: Systems can often be hardened by minimizing the amount of useful information displayed in banners.
- Real-World Example: Network administrators using tools like Nmap or Telnet to document the server software and versions running on their network for compliance purposes.
- Hypothetical Scenario: An attacker employs banner grabbing to determine the version of a web server software that a company is using (as we have shown above), subsequently identifying a known exploitable vulnerability based on that version information.
- Reconnaissance: In the context of cybersecurity, this refers to the preparatory phase where attackers gather information about their target before launching an attack, which may involve banner grabbing.
- Port Scanning: The act of systematically scanning a computer’s ports to identify active ports and their associated services, often preceding banner grabbing.
- Vulnerability Scanning: A security technique used to identify security weaknesses in a computer system, which can use information obtained from banner grabbing.
Learn better by watching a video? Here is a YouTube video from Hackersploit explaining the concept of banner grabbing using NMAP.