What is Banner Grabbing : Guide for Beginners

Banner grabbing is a technique used to gain information about a computer system on a network and the services running on its open ports. An attacker can use banner grabbing to find network hosts that are running versions of applications and operating systems with known exploits. Some examples of service ports used for banner grabbing are those used by Hypertext Transfer Protocol (port 80), File Transfer Protocol (port 21), and Simple Mail Transfer Protocol (port 25).

Banners can be read with client-side software such as netcat or telnet, run from the command prompt against the target system's IP address. Other tools for banner grabbing include Nmap, SuperScan, etc. For example, to grab a banner we can establish a connection to a target web server using netcat and then send an HTTP request. The response will typically contain information about the service running on the host.

First we need to connect to the target host. For this we use netcat, or nc for short:

nc <host_name_or_address> <port_number>

where host_name_or_address is the IP address or hostname of the target machine and port_number is the port on which the service is running. There are various methods to grab the banner of the target service.

Banner Grabbing using netcat :

HTTP Web Server banner grabbing

First we connect to the web server on port 80, then type the HEAD / HTTP/1.0 request followed by an empty line:

$ nc google.com 80

HEAD / HTTP/1.0

HTTP/1.0 200 OK
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Date: Thu, 16 Sep 2021 06:14:11 GMT
Server: gws
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Expires: Thu, 16 Sep 2021 06:14:11 GMT
Cache-Control: private
Set-Cookie: 1P_JAR=2021-09-16-06; expires=Sat, 16-Oct-2021 06:14:11 GMT; path=/; domain=.google.com; Secure
Set-Cookie: NID=223=cSQbDsEeDG8dE88WRAWDGSJ14L25k9Dd9XsypTqrmHo8Mcnws4qYicmxVONjdTGYpkdK9nAt5FrXE_tWTqafvYB33BaxkLL3vE7gCXRaN3ttSrVESamkJi9iMXM1Nff0NY26DKrwgLJezYEZph0dDo1JoTVW3JCRAzO2TUNixHM; expires=Fri, 18-Mar-2022 06:14:11 GMT; path=/; domain=.google.com; HttpOnly

Connection: close

We can also send the Connection: close header to have the server close the HTTP connection. We can also pipe the HEAD / HTTP/1.0 request into nc:

$ printf "HEAD / HTTP/1.0\n\n" | nc google.com 80

HTTP/1.0 200 OK
Content-Type: text/html; charset=ISO-8859-1
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Date: Thu, 16 Sep 2021 06:16:26 GMT
Server: gws
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Expires: Thu, 16 Sep 2021 06:16:26 GMT
Cache-Control: private
Set-Cookie: 1P_JAR=2021-09-16-06; expires=Sat, 16-Oct-2021 06:16:26 GMT; path=/; domain=.google.com; Secure
Set-Cookie: NID=223=Kz6BdWoDvhHoGnkdsVff1MJQe2pdwoHTkRr3U_-ks7hM4E-80vXPfYc3rq5j6F5MxZVOPS5SUdBBKXewlmTaDuK35QNSAggLAW7aQdmFyNV4gBKlKKFZ4_dU5XS_8dVKcbGpN3Poe2mB6m55Vo8waKj___p1UbMaRGC_D550EVc; expires=Fri, 18-Mar-2022 06:16:26 GMT; path=/; domain=.google.com; HttpOnly

Similarly, with an FTP server:

$ nc -v 195.144.107.198 21
Connection to 195.144.107.198 21 port [tcp/ftp] succeeded!
220 Microsoft FTP Service
^C

With an SSH server:

$ nc -v 192.168.1.6 22
Connection to 192.168.1.6 22 port [tcp/ssh] succeeded!
SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.3
^C
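
The three netcat sessions above all do the same thing by hand: open a TCP connection, optionally send a probe, and read whatever the service says about itself. The following script is an added example (not part of the original post) that automates that procedure with Python's standard library only: grab_banner() does the network part, parse_banner() pulls the identification string out of the reply for each protocol, and discloses_version() is the check a defender wants when auditing their own hosts, since a banner that advertises "OpenSSH_8.2p1" is exactly what an attacker matches against known CVEs. The sample replies are constructed from the captures shown above, so the parsing runs offline.

```python
import re
import socket

# Probe to send after connecting, keyed by port. FTP and SSH speak first, so they get none.
PROBES = {80: b"HEAD / HTTP/1.0\r\n\r\n"}

def grab_banner(host, port, timeout=5.0):
    """Connect to host:port, send the port's probe (if any) and return the raw reply as text."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        if port in PROBES:
            sock.sendall(PROBES[port])
        chunks = []
        try:
            while True:
                data = sock.recv(4096)
                if not data:  # peer closed the socket (an HTTP/1.0 server does so after its reply)
                    break
                chunks.append(data)
        except socket.timeout:
            pass  # FTP and SSH keep the socket open after the greeting; the timeout ends the read
    return b"".join(chunks).decode("utf-8", errors="replace")

def parse_banner(port, raw):
    """Extract the service's self-identification from a raw reply, by the protocol on that port."""
    first = raw.splitlines()[0].strip() if raw.strip() else ""
    if port == 80:  # HTTP: the Server header, if the server sends one at all
        m = re.search(r"^Server:\s*(.+?)\s*$", raw, re.MULTILINE | re.IGNORECASE)
        return m.group(1) if m else None
    if port == 21:  # FTP: the text of the 220 greeting
        return first[4:].strip() if first.startswith("220") else None
    if port == 22:  # SSH: the identification string "SSH-<proto>-<software> [comment]"
        return first if first.startswith("SSH-") else None
    return first or None

def discloses_version(banner):
    """Defender check: does the banner leak a dotted software version that maps to known CVEs?"""
    if not banner:
        return False
    body = re.sub(r"^SSH-\d\.\d-", "", banner)  # the SSH protocol version is mandatory, not a leak
    return re.search(r"\d+\.\d+", body) is not None

# Constructed replies copied from the netcat captures shown earlier in this post (not live traffic).
SAMPLE_REPLIES = {
    80: "HTTP/1.0 200 OK\r\nContent-Type: text/html; charset=ISO-8859-1\r\nServer: gws\r\n\r\n",
    21: "220 Microsoft FTP Service\r\n",
    22: "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.3\r\n",
}
```

To audit a host you administer, feed grab_banner(host, port) into parse_banner() and discloses_version() for each open port; on the sample replies only the SSH banner discloses a software version.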

Banner grabbing with Nmap :

For the HTTP service:

nmap --script=banner 192.168.0.120 -p80

where --script=banner selects the banner NSE script and the -p flag specifies the service port, in this case port 80 for HTTP. The output will be:

$ nmap --script=banner 192.168.0.120 -p80

Starting Nmap 7.60SVN ( https://nmap.org ) at 2018-02-20 10:07 EST
Nmap scan report for 192.168.0.120
Host is up (0.00055s latency).

PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 10.40 seconds

Let's see another example by scanning the SSH port (22):

$ nmap --script=banner 192.168.0.120 -p22

Starting Nmap 7.60SVN ( https://nmap.org ) at 2018-02-20 10:07 EST
Nmap scan report for 192.168.0.120
Host is up (0.00056s latency).

PORT   STATE SERVICE
22/tcp open  ssh
|_banner: SSH-2.0-OpenSSH_6.7p1 Raspbian-5+deb8u3

Nmap done: 1 IP address (1 host up) scanned in 0.53 seconds

Conclusion :

Banner grabbing can provide useful information about the target system. Although it is sometimes not totally accurate, it is a very useful technique for gathering information about your target.
