What is Banner Grabbing?
A Banner is like a text message received from the host. It contains information about the services running on the host along with information about the ports.
As per Wikipedia, Banner Grabbing is a technique used to glean information about a computer system on a network and the services running on its open ports. This technique is generally used by the System administrators to scan the network to check what all services are running etc.
As we have already explored how to scan for the open ports in a system (last 2 tutorials) it is now time to have a close look on what services are running on those ports. Some of the well known ports are:
- 20/21: FTP
- 22: SSH(Secure Shell)
- 23: Telnet
- 25: SMTP
- 80: HTTP
- 156: SQL Server
- 443: HTTPS
Do you know, if unnecessary ports of a system are open, it reflects a system vulnerability which can be compromised by any hacker. But for that, just knowing about the available ports and services running is not enough. You must know about the specifics of the service running like version of the server that the host is running, version of MySQL etc.
How Banner Grabbing works?
Let's say you want to communicate to a person who speaks English. So in order to have a fluent conversation you will have to speak in english or the other person should speak the language you speak. But, since you are the one who wants to initiate the conversation, so you must know english.
Speaking of which, you are the client and in order to communicate with the server you must speak it's language rather than plane simple english. In our daily life of browsing internet, our web browser does this work for us. We simply query in our language and our browser translates this query in a form understandable to the server. This is technically known as HTTP Request and Response.
So to perform Banner Grabbing, we will have talk with the server in the form it understands. Therefore, below we have written a program using socket to initiate the communication with the server.
Banner Grabbing using Socket programming
sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM) #TCP
t_host = str(raw_input("Enter the host name: "))
t_port = int(raw_input("Enter Port: "))
sock.send('GET HTTP/1.1 \r\n')
ret = sock.recv(1024)
print '[+]' + str(ret)
Note: There are many open source tools available which do same work more efficiently. But thats not the point of this tutorial series. Such tools are like black box i.e. you give an input and expect an output. The internal mechanism is not known to you. The point of this series is to make you aware of all the stuff that is generally behind the scene.
After you will enter a host name(www.example.com) and port as
80. You will receive a reply from the server which will have the version of server running along with a lot more informations like this:
HTTP/1.1 200 OK
Date: Sat, 1 May 2010 21:10:40 EST
Server: Apache/2.0.46 (Unix) (Red Hat/Linux)
Last-Modified: Wed, 16 Mar 2010 11:20:14 PST
Now as the version of server is known you can go online and find if the server version is vulnerable to attack or not.
Banner Grabbing using Nmap
We have already learnt how to use Nmap for port scanning, here is a simple command which can be used for Banner Grabbing using Nmap.
The command below will scan all the open ports on the host.
nmap -sV –script=banner 127.0.0.1
In the above command, replace 127.0.0.1 with the IP address of the host you want to scan.
In case you want to grab banner(information) related to a particular port only, then run the following command:
nmap -Pn -p 80 -sV –script=banner 127.0.0.1
As we know, that http service runs on the port
80, hence the above command will grab information related to the http service and version.