Banner grabbing is a technique used to gain information about a computer system on a network and the services running on its open ports. An attacker can use banner grabbing to find network hosts that are running versions of applications and operating systems with known exploits. Some examples of service ports used for banner grabbing are those used by Hypertext Transfer Protocol (port 80), File Transfer Protocol (port 21), and Simple Mail Transfer Protocol (port 25).
Banners can be read with client software such as netcat or telnet by connecting from the command prompt to the target system's IP address. Other tools for banner grabbing include Nmap and SuperScan. For example, to grab a banner, we can establish a connection to a target web server using netcat, then send an HTTP request. The response will typically contain information about the service running on the host.
First we need to connect to the target host. For this we use nc (netcat for short):
nc <host_name_or_address> <port_number>
where host_name_or_address is the IP address or name of the host machine (the target machine) and port_number is the port on which the service is running. There are various methods to grab the banner of the target service.
Banner grabbing using netcat:
HTTP Web Server banner grabbing
First we connect to the web server on port 80, then send the HEAD / HTTP/1.0 request:
$ nc google.com 80
HEAD / HTTP/1.0
HTTP/1.0 200 OK
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Date: Thu, 16 Sep 2021 06:14:11 GMT
Server: gws
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Expires: Thu, 16 Sep 2021 06:14:11 GMT
Cache-Control: private
Set-Cookie: 1P_JAR=2021-09-16-06; expires=Sat, 16-Oct-2021 06:14:11 GMT; path=/; domain=.google.com; Secure
Set-Cookie: NID=223=cSQbDsEeDG8dE88WRAWDGSJ14L25k9Dd9XsypTqrmHo8Mcnws4qYicmxVONjdTGYpkdK9nAt5FrXE_tWTqafvYB33BaxkLL3vE7gCXRaN3ttSrVESamkJi9iMXM1Nff0NY26DKrwgLJezYEZph0dDo1JoTVW3JCRAzO2TUNixHM; expires=Fri, 18-Mar-2022 06:14:11 GMT; path=/; domain=.google.com; HttpOnly
Connection: close
We can also send a Connection: close header to end the HTTP connection. The HEAD / HTTP/1.0 request can also be piped to nc:
$ printf "HEAD / HTTP/1.0\n\n" | nc google.com 80
HTTP/1.0 200 OK
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Date: Thu, 16 Sep 2021 06:16:26 GMT
Server: gws
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Expires: Thu, 16 Sep 2021 06:16:26 GMT
Cache-Control: private
Set-Cookie: 1P_JAR=2021-09-16-06; expires=Sat, 16-Oct-2021 06:16:26 GMT; path=/; domain=.google.com; Secure
Set-Cookie: NID=223=Kz6BdWoDvhHoGnkdsVff1MJQe2pdwoHTkRr3U_-ks7hM4E-80vXPfYc3rq5j6F5MxZVOPS5SUdBBKXewlmTaDuK35QNSAggLAW7aQdmFyNV4gBKlKKFZ4_dU5XS_8dVKcbGpN3Poe2mB6m55Vo8waKj___p1UbMaRGC_D550EVc; expires=Fri, 18-Mar-2022 06:16:26 GMT; path=/; domain=.google.com; HttpOnly
Similarly with FTP Server
$ nc -v 18.104.22.168 21
Connection to 22.214.171.124 21 port [tcp/ftp] succeeded!
220 Microsoft FTP Service
^C
With SSH Server
$ nc -v 192.168.1.6 22
Connection to 192.168.1.6 22 port [tcp/ssh] succeeded!
SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.3
^C
Banner grabbing with nmap:
For HTTP Service
nmap --script=banner 192.168.0.120 -p80
where --script=banner selects the banner NSE script and the -p flag specifies the service port, which in this case is port 80 for the HTTP service. The output will be:
$ nmap --script=banner 192.168.0.120 -p80
Starting Nmap 7.60SVN ( https://nmap.org ) at 2018-02-20 10:07 EST
Nmap scan report for 192.168.0.120
Host is up (0.00055s latency).
PORT   STATE SERVICE
80/tcp open  http
Nmap done: 1 IP address (1 host up) scanned in 10.40 seconds
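No banner line appears for port 80 because an HTTP server sends nothing until it receives a request, and the banner script only connects and listens. Let's see another example by scanning the SSH port (22), where the server announces itself as soon as the connection opens: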
$ nmap --script=banner 192.168.0.120 -p22
Starting Nmap 7.60SVN ( https://nmap.org ) at 2018-02-20 10:07 EST
Nmap scan report for 192.168.0.120
Host is up (0.00056s latency).
PORT   STATE SERVICE
22/tcp open  ssh
|_banner: SSH-2.0-OpenSSH_6.7p1 Raspbian-5+deb8u3
Nmap done: 1 IP address (1 host up) scanned in 0.53 seconds
Banner grabbing can provide useful information about the target system. Although the information is sometimes not entirely accurate, it is a very useful technique for gathering information about your target.
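The banners shown above can be checked the way a defender would when auditing what their own services disclose. The following is an added example, not part of the original article: it parses SSH, HTTP and 220-style greetings and reports whether a version string is exposed. The names grab_banner, parse_banner, discloses_version and SAMPLES are made up for this illustration, the last sample banner is constructed, and the version match on 220 greetings is a heuristic.

```python
import re
import socket
HTTP_HEAD = b"HEAD / HTTP/1.0\r\n\r\n"  # probe for services that wait for a request

def grab_banner(host, port, probe=None, timeout=5.0):
    """Connect to a host you administer, optionally send a probe, return the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        try:
            return s.recv(4096).decode("latin-1")
        except socket.timeout:
            return ""  # nothing sent unprompted, e.g. HTTP without a request

def parse_banner(raw):
    """Return (service, product, version); version is None if not disclosed."""
    lines = raw.splitlines()
    first = lines[0] if lines else ""
    m = re.match(r"SSH-[\d.]+-(\S+)", first)  # SSH identification string
    if m:
        product, _, version = m.group(1).partition("_")
        return ("ssh", product, version or None)
    if first.startswith("HTTP/"):
        for line in lines[1:]:
            if not line:
                break  # end of headers
            name, _, value = line.partition(":")
            if name.strip().lower() == "server":
                product, _, version = value.strip().partition("/")
                return ("http", product, version.split()[0] if version else None)
        return ("http", None, None)
    m = re.match(r"220[ -](.*)", first)  # FTP and SMTP both greet with code 220
    if m:
        v = re.search(r"\d+(?:\.\d+)+\S*", m.group(1))  # heuristic version match
        return ("ftp/smtp", m.group(1).strip(), v.group(0) if v else None)
    return ("unknown", first or None, None)

def discloses_version(raw):
    return parse_banner(raw)[2] is not None

SAMPLES = [  # first three: banners from this page (HTTP abridged); last: constructed
    "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.3\r\n",
    "220 Microsoft FTP Service\r\n",
    "HTTP/1.0 200 OK\r\nContent-Type: text/html\r\nServer: gws\r\n\r\n",
    "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n\r\n",
]

if __name__ == "__main__":
    print([(parse_banner(r), discloses_version(r)) for r in SAMPLES])
```

For a live check, grab_banner(host, 22) reads what SSH or FTP sends on connect, while grab_banner(host, 80, HTTP_HEAD) supplies the request an HTTP server waits for.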