Banner grabbing

included in category Learning

19 Jun 2023 03 Nov 2024 558 words 3 minutes

Contents

Banner grabbing can be used to gain information about a system, this is easy to do in Nmap. But how does this work?

Introduction

I used Nmaps banner grabbing for a while, but I got curious… How does this actually work?

Banner grabbing is a technique that reveals information about a contained within the ‘banner’ of a target system, which typically includes the system’s name and version. This can be helpful in security assesments, providing useful information (name and version).

Telnet example

DuxSec@hi$ telnet scanme.nmap.org 22 Trying 45.33.32.156... Connected to scanme.nmap.org. Escape character is '^]'. SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.13

The banner here is OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)

Nmap example

The same information is gathered via Nmap by providing the -sV command (Attempts to determine the version of the service running on port).

DuxSec@hi$ nmap -sV -p 22 scanme.nmap.org -v PORT STATE SERVICE REASON VERSION 22/tcp open ssh syn-ack ttl 128 OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)

The banner here is (same as Telnet) OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)

To understand the banner grabbing better, I will write my own banner grabbing script using Python3. This script will not focus on performance with multithreading etc, since it is about understanding the underlaying concepts.

import socket

def grab_banner(ip, port):
    try:
        s = socket.socket()
        s.settimeout(5) # to avoid blocks (so it doesn't hang)
        s.connect((ip, port))
        s.send(b'GET HTTP/1.1 \r\n\r\n')
        respone = s.recv(1024).decode() # recieve response and decode the bytes to utf-8
        print(f'Banner for ip {ip}:{port} -  {respone}')
        s.close() # close the socket connection
    except socket.error as e:
        print(f'Error for {ip}:{port} -  {e} ')

for port in range (1, 1043): # well known ports - could also be all ports
    grab_banner('scanme.nmap.org', port)

Running the script

The script runs exactly how I expected, since it shows the same SSH banner as before on port 22.

DuxSec@hi$ python3 banner_grabber.py Error for scanme.nmap.org:1 - [Errno 61] Connection refused Error for scanme.nmap.org:2 - [Errno 61] Connection refused Error for scanme.nmap.org:3 - [Errno 61] Connection refused Error for scanme.nmap.org:4 - [Errno 61] Connection refused Error for scanme.nmap.org:5 - [Errno 61] Connection refused Error for scanme.nmap.org:6 - [Errno 61] Connection refused Error for scanme.nmap.org:7 - [Errno 61] Connection refused Error for scanme.nmap.org:8 - [Errno 61] Connection refused Error for scanme.nmap.org:9 - [Errno 61] Connection refused Error for scanme.nmap.org:10 - [Errno 61] Connection refused Error for scanme.nmap.org:11 - [Errno 61] Connection refused Error for scanme.nmap.org:12 - [Errno 61] Connection refused Error for scanme.nmap.org:13 - [Errno 61] Connection refused Error for scanme.nmap.org:14 - [Errno 61] Connection refused Error for scanme.nmap.org:15 - [Errno 61] Connection refused Error for scanme.nmap.org:16 - [Errno 61] Connection refused Error for scanme.nmap.org:17 - [Errno 61] Connection refused Error for scanme.nmap.org:18 - [Errno 61] Connection refused Error for scanme.nmap.org:19 - [Errno 61] Connection refused Error for scanme.nmap.org:20 - [Errno 61] Connection refused Error for scanme.nmap.org:21 - [Errno 61] Connection refused Banner for ip scanme.nmap.org:22 - SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.13 Error for scanme.nmap.org:23 - [Errno 61] Connection refused Error for scanme.nmap.org:24 - [Errno 61] Connection refused Error for scanme.nmap.org:25 - timed out Error for scanme.nmap.org:26 - [Errno 61] Connection refused Error for scanme.nmap.org:27 - [Errno 61] Connection refused Error for scanme.nmap.org:28 - [Errno 61] Connection refused

Conclusion

Banner grabbing is an important tool to gain information about a service running on a port. This can help in finding vulnerabilties.