Banner Grabbing: Top Tools and Techniques Explained
Reading time: 9 minutesWe shared a few details about banner grabbing in our previous article about cybersecurity fingerprinting. Today, we'll dig a little bit deeper, to define what it is, explore its different types, and examine some real-world examples showing how you can grab banners from different services on the Internet with both command-line tools and web-based interfaces.
What is banner grabbing?
Whenever performing the intel-reconnaissance process during penetration testing or security auditing, we need to pay attention to the current web-server's exposed information.
That's where banner grabbing comes in. Banner grabbing is the act of getting software banner information (name and version), whether it's done manually, or by using any OSINT tools that can do it for you automatically.
FTP servers, web servers, SSH servers and other system daemons often expose critical information about not only the software name, but also about the exact versions and operating systems they're running—the 'banner' data in question..
Running a banner grabbing attack against any protocol can reveal insecure and vulnerable applications which could lead to service exploitation and compromise, in the case of matching a critical CVE.
How can you proceed with a banner grabbing attack? Just choose the service you want to target, launch the request, inspect the response you get, and that's it.
While it isn't exactly rocket science, there is much to consider. Due to the vast amount of services, protocols and types of banners we can get, we need to examine the many different techniques and tools which can, in the end, help us throughout the OSINT discovery process.
Banner grabbing techniques
Let's explore the different types of banner grabbing techniques.
Active banner grabbing
This is the most popular type of banner grabbing, basically the act of sending packets to the remote host and waiting for their response to analyze the data.
Active banner grabbing techniques involve opening a TCP (or similar) connection between an origin host and a remote host. It can be considered active, as your connection will be logged in the remote system. This is the most risky approach to banner grabbing as it's often detected by some IDS.
Passive banner grabbing
On the other hand, passive banner grabbing enables you to get the same information while avoiding a high level of exposure from the origin connection. Different intermediate software and platforms can be used as a gateway to avoid a direct connection and still allow you to obtain the data you need.
Using 3rd party networks tools or services such as search engines, Shodan, or sniffing the traffic to capture and analyze packets, can help you determine software versions.
Top 7 tools to perform banner grabbing
Now let's take a look at the best tools available for performing a banner grabbing attack, including both command-line-based tools and web-based interfaces.
Telnet
Telnet is one of the most classic cross-platform clients available, one that allows you to interact with remote services for banner grabbing.
With telnet, you can query any service simply by typing:
telnet IP PORT
Note that IP is the IP address, and PORT is the port where the remote service is running. If you haven't done it yet, you may want to use a port scanner first, to determine the open ports on the remote server.
Quick example:
[[email protected] ~]# telnet 192.168.0.15 22
Trying 192.168.0.15...
Connected to 192.168.0.15.
Escape character is '^]'.
SSH-2.0-OpenSSH_8.0
Connection closed by foreign host.
[[email protected] ~]#
This will open a connection to 192.168.0.15 IP address and get a response from the remote server. In this case, we targeted the 22 OpenSSH Server port, and the result was the exact version that is running on that server right now:
SSH-2.0-OpenSSH_8.0
Interesting! That's what we've been looking for.
Wget
Wget is another great tool that can lead us to the remote banner of any remote or local server. For this, we'll use the following syntax:
wget 192.168.0.15 -q -S
The -q will suppress the normal output, and the -S parameter will print the headers sent by the HTTP server, which also works for FTP servers.
The result:
[[email protected] ~]# wget 192.168.0.15 -q -S
HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Mon, 11 Nov 2019 13:29:13 GMT
Content-Type: text/html
Content-Length: 5683
Last-Modified: Thu, 04 Oct 2018 17:44:09 GMT
Connection: keep-alive
ETag: "5bb65169-1633"
Accept-Ranges: bytes
[[email protected] ~]#
In this case, we were able to get the full banner of the remote HTTP server, detecting that it's running Nginx, and its exact version, 1.16.1.
cURL
cURL offers the same features to fetch remote banner information from HTTP servers. Here you can use the following syntax:
curl -s -I 192.168.0.15 | grep -e "Server: "
The -s is used to avoid showing the progress or error messages, in short, it mutes the output; the -I parameter will show the header of all the requested pages, and finally we grep out the output to fetch the software information.
Expected output:
[[email protected] ~]# curl -s -I 192.168.0.15 | grep -e "Server: "
Server: nginx/1.16.1
[[email protected] ~]#
Nmap
Nmap is another great alternative, and here we will show you how to perform classic Nmap banner grab techniques. First, we will try some built-in features by using the following syntax:
nmap -sV --version-intensity 5 godaddy.com -p 80
The -sV option lets us fetch the software versions, and by adding --version-intensity 5, we can get the maximum number of possible details about the remote running software.
Expected output:
[[email protected] ~]# nmap -sV --version-intensity 5 godaddy.com -p 80
Starting Nmap 7.70 ( https://nmap.org ) at 2019-11-11 11:06 -03
Nmap scan report for godaddy.com (208.109.192.70)
Host is up (0.20s latency).
rDNS record for 208.109.192.70: ip-208-109-192-70.ip.secureserver.net
PORT STATE SERVICE VERSION
80/tcp open http-proxy Apache Traffic Server 7.1.6
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.53 seconds
By using the powerful NSE we can also try other scripts that will help us fetch remote banners easily. One good example is shown below:
nmap -sV --script=banner IP
You can launch this against IPs or hosts, as you prefer.
Expected output:
[[email protected] ~]# nmap -sV --script=banner 192.168.0.15
Starting Nmap 7.70 ( https://nmap.org ) at 2019-11-11 11:14 -03
Nmap scan report for 192.168.0.15
Host is up (0.000040s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
|_banner: SSH-2.0-OpenSSH_8.0
80/tcp open http nginx 1.16.1
|_http-server-header: nginx/1.16.1
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.05 seconds
[[email protected] ~]#
As you can see by using these Nmap banner grabbing, we were able to detect both SSH and HTTP servers running on the host, along with the exact software version for each.
Nc
Netcat is one of the oldest and most popular network utilities for Unix and Linux. For banner grabbing purposes, we'll use the following command:
nc -v IP PORT
This is the output example targeting a remote FTP server:
[[email protected] ~]# nc -v 192.168.0.15 21
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.0.15:21.
220 (vsFTPd 3.0.3)
^C
[[email protected] ~]#
In this case, we were able to grab the FTP banner -vsFTPD- and the exact software version -3.0.3-.
DMitry
DMitry isn't a classic command for Unix and Linux systems, but an infosec-based utility known primarily by security researchers. It can help you get all the information possible from a remote host, including DNS enumeration, subdomain mapping, open ports and much more.
In this case, we'll use dmitry -p for port scanning, along with the -b flag to let it perform banner discovery. See the following syntax:
dmitry -bp 127.0.0.1
The result should be something like this:
As you can see, DMitry was able to find the open ports, along with software names and versions, letting us know the operating system the server is running. While this test was against 127.0.0.1, it works the same way for any remote host.
ASI
Attack Surface Intelligence, our latest pilot product, is one of the best tools available for reducing your attack surface area. Ideal for security leaders and IT managers, this web-based utility will help you discover unseen areas of your online assets.
One aspect we've put a lot of work into is the port scanning and software discovery module, which allows you to easily detect open ports and exact software versions, along with OS information and platform, take a look at the following screenshot:
While some ports won't show any information because they've tweaked the headers and default banner variables, when we do find one, it will be displayed by default, as in the previous Ubuntu screenshot, featuring OpenSSH 7.2p2.
In this other case, we've discovered the exact Apache version, along with the exposed OpenSSL (1.1.1b) and PHP version (7.2.17):
A real bonus is that ASI also allows you to fetch the data in raw JSON format, as shown below:
{
"data": {
"state": {
"state": "open"
},
"service": {
"product": "Apache httpd",
"version": "2.4.39",
"method": "probe_matching",
"cpe": [
"cpe:/a:apache:http_server:2.4.39"
],
"extrainfo": "(Unix) OpenSSL/1.1.1b PHP/7.2.17",
"name": "http"
}
}
SecurityTrails SQL
SecurityTrails SQL is our own SQL-like query language used by security teams. It allows you to take your reconnaissance, intelligence gathering and app automation to the next level. It’s mainly integrated in two ways: as a SecurityTrails API™ endpoint, or in the SQL Explorer interface from SurfaceBrowser™.
It helps security teams, SOC managers, and researchers during infrastructure mapping, by detecting exposed applications, finding vulnerable services and OS’s, and by offering SSL data extraction.
Zgrab
Zgrab is another great tool for banner grabbing. Specifically, it can be defined as a stateful application-layer scanner. It’s written in Go language, and supports a diverse range of protocols, including:
- HTTP- HTTPS
- FTP
- IMAP
- POP3
- SMTP
- SSH
- BACNET
- Modbus
- Siemens S7
- Telnet
This tool can be used for banner grabbing as part of any intelligence collection task performed against local and remote systems. Zgrab is often used for vulnerability scanning and assessment, penetration testing, and security research.
Summary
Banner grabbing is one of the most common techniques used in the reconnaissance process, during the initial phases of any penetration testing or real attack scenario.
If you're new to the penetration testing world, you'll find these tools and techniques make for a great start in your red team tasks, and from a blue team point of view, these are valuable tricks to identify exposed critical data about software running on your server. You'll be well-equipped to prevent cybersecurity incidents in the end.
Do you want to prevent cybersecurity issues within your online infrastructure? Or boost your red team intel-gathering tasks? Check out our latest pilot product: Attack Surface Intelligence - ASI, our enterprise-grade OSINT tool that will allow you to detect open ports and outdated software in an instant!
