Banner grabbing can be used to gain information about a system, and Nmap makes it easy to do. But how does it actually work?
Introduction
I used Nmap's banner grabbing for a while, but I got curious: how does this actually work?
What is banner grabbing
Banner grabbing is a technique that reads the 'banner' a network service on the target system sends to a client, which typically includes the service's name and version. This is helpful in security assessments, since a known name and version can be checked against outdated software and published vulnerabilities.
Telnet example
DuxSec@hi$ telnet scanme.nmap.org 22
Trying 45.33.32.156...
Connected to scanme.nmap.org.
Escape character is '^]'.
SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.13
The raw banner is the identification string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.13: SSH protocol version 2.0, OpenSSH 6.6.1p1 from the Ubuntu package 2ubuntu2.13. Nmap reports this same line as OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0). Note that the SSH server sends this line as soon as the TCP connection is up, before the client has typed anything.
Nmap example
The same information is gathered via Nmap by providing the -sV option (attempts to determine the version of the service running on the port). Nmap does more than read the first line: it also sends protocol-specific probes and matches the replies against its service signature database to turn the raw banner into a product, version and OS hint.
DuxSec@hi$ nmap -sV -p 22 scanme.nmap.org -v
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 128 OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
The banner here is the same as with telnet, but Nmap has parsed the raw line SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.13 into product, version and OS hints: OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
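To see how a raw banner becomes the VERSION column above, here is a small signature matcher in the spirit of Nmap's nmap-service-probes "match" lines. This is an added example written for this post, not Nmap's code or database: the regular expressions, the OS_FAMILY table and the helper names fingerprint() and describe() are mine, and every sample banner except the scanme SSH line is constructed.

```python
import re

# Signature table in the spirit of the "match" lines in nmap-service-probes.
# Each entry: (service name, fixed product name or None, pattern with named groups).
# Written for this example; not copied from Nmap's database.
SIGNATURES = [
    ("ssh", "OpenSSH",
     re.compile(r"^SSH-(?P<protocol>[\d.]+)-OpenSSH_(?P<version>[\w.]+)"
                r"(?: (?P<os>Ubuntu|Debian|FreeBSD)-?(?P<build>\S*))?")),
    ("ssh", None,  # any other SSH implementation, e.g. dropbear_2019.78
     re.compile(r"^SSH-(?P<protocol>[\d.]+)-(?P<product>[A-Za-z][A-Za-z0-9]*)"
                r"(?:[_-](?P<version>[\w.]+))?")),
    ("ftp", "vsftpd",
     re.compile(r"^220[ -].*?vsFTPd (?P<version>[\d.]+)")),
    ("smtp", None,
     re.compile(r"^220[ -]\S+ ESMTP (?P<product>Postfix|Exim)(?: (?P<version>[\d.]+))?")),
    ("http", None,  # HTTP only answers after a request; the "banner" is the Server header
     re.compile(r"^HTTP/1\.[01] \d{3}[^\r\n]*\r\n(?:[^\r\n]*\r\n)*?"
                r"Server: (?P<product>[^/\r\n]+)/(?P<version>[^\s\r\n]+)")),
]

# How an Nmap-style VERSION column names the OS family hinted at by a distro tag
OS_FAMILY = {"Ubuntu": "Ubuntu Linux", "Debian": "Debian Linux", "FreeBSD": "FreeBSD"}

FIELDS = ("product", "version", "os", "build", "protocol")


def fingerprint(banner):
    """Match a raw banner against SIGNATURES; return the service and the captured fields."""
    for service, fixed_product, pattern in SIGNATURES:
        m = pattern.match(banner)
        if m:
            groups = m.groupdict()
            fp = {field: groups.get(field) or None for field in FIELDS}  # "" becomes None
            fp["service"] = service
            fp["product"] = fixed_product or fp["product"]
            return fp
    return {"service": "unknown", **{field: None for field in FIELDS}}


def describe(fp):
    """Render the parsed fields the way the Nmap VERSION column shows them."""
    if fp["service"] == "unknown":
        return "unknown"
    parts = [fp["product"]]
    if fp["version"]:
        parts.append(fp["version"])
    if fp["os"] and fp["build"]:
        parts += [fp["os"], fp["build"]]
    notes = []
    if fp["os"]:
        notes.append(OS_FAMILY[fp["os"]])
    if fp["protocol"]:
        notes.append(f"protocol {fp['protocol']}")
    return " ".join(parts) + (f" ({'; '.join(notes)})" if notes else "")


# Sample banners: the first is the scanme line from the telnet session, the rest are constructed.
SAMPLE_BANNERS = {
    "22/tcp":   "SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.13\r\n",
    "2222/tcp": "SSH-2.0-dropbear_2019.78\r\n",
    "21/tcp":   "220 (vsFTPd 3.0.3)\r\n",
    "25/tcp":   "220 mail.example.invalid ESMTP Postfix (Ubuntu)\r\n",
    "80/tcp":   "HTTP/1.1 200 OK\r\nDate: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
                "Server: Apache/2.4.7 (Ubuntu)\r\n\r\n",
    "8080/tcp": "\x00\x01garbage",  # nothing matches: reported as unknown
}

if __name__ == "__main__":
    for port, banner in SAMPLE_BANNERS.items():
        print(f"{port:<9} {describe(fingerprint(banner))}")
```

Running it prints "OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)" for the scanme banner, the same string Nmap shows. The parenthesised "(Ubuntu Linux; protocol 2.0)" is not in the banner itself; it is derived from the Ubuntu package tag and the SSH protocol version, which is exactly the kind of interpretation -sV layers on top of the raw text. Keep in mind that the banner is just text the service chooses to send, so an administrator (or a honeypot) can change it.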
Making my own banner grabbing script
To understand banner grabbing better, I will write my own banner grabbing script in Python 3. This script will not focus on performance with multithreading etc., since it is about understanding the underlying concepts.

import socket

def grab_banner(ip, port):
    try:
        with socket.socket() as s:  # the socket is closed when the block ends, even on error
            s.settimeout(5)  # to avoid blocks (so it doesn't hang on a port that never answers)
            s.connect((ip, port))
            # a well-formed request for client-first protocols like HTTP; banner-first
            # services such as SSH, FTP and SMTP send their banner before reading it anyway
            s.send(b'GET / HTTP/1.1\r\nHost: ' + ip.encode() + b'\r\n\r\n')
            # receive the response and decode the bytes as UTF-8 without crashing on invalid bytes
            response = s.recv(1024).decode(errors='replace').strip()
            print(f'Banner for ip {ip}:{port} - {response}')
    except socket.error as e:
        print(f'Error for {ip}:{port} - {e}')

for port in range(1, 1024):  # well known ports (1-1023) - could also be all ports
    grab_banner('scanme.nmap.org', port)
Running the script
The script runs exactly as I expected: it shows the same SSH banner as before on port 22.
DuxSec@hi$ python3 banner_grabber.py
Error for scanme.nmap.org:1 - [Errno 61] Connection refused
Error for scanme.nmap.org:2 - [Errno 61] Connection refused
Error for scanme.nmap.org:3 - [Errno 61] Connection refused
Error for scanme.nmap.org:4 - [Errno 61] Connection refused
Error for scanme.nmap.org:5 - [Errno 61] Connection refused
Error for scanme.nmap.org:6 - [Errno 61] Connection refused
Error for scanme.nmap.org:7 - [Errno 61] Connection refused
Error for scanme.nmap.org:8 - [Errno 61] Connection refused
Error for scanme.nmap.org:9 - [Errno 61] Connection refused
Error for scanme.nmap.org:10 - [Errno 61] Connection refused
Error for scanme.nmap.org:11 - [Errno 61] Connection refused
Error for scanme.nmap.org:12 - [Errno 61] Connection refused
Error for scanme.nmap.org:13 - [Errno 61] Connection refused
Error for scanme.nmap.org:14 - [Errno 61] Connection refused
Error for scanme.nmap.org:15 - [Errno 61] Connection refused
Error for scanme.nmap.org:16 - [Errno 61] Connection refused
Error for scanme.nmap.org:17 - [Errno 61] Connection refused
Error for scanme.nmap.org:18 - [Errno 61] Connection refused
Error for scanme.nmap.org:19 - [Errno 61] Connection refused
Error for scanme.nmap.org:20 - [Errno 61] Connection refused
Error for scanme.nmap.org:21 - [Errno 61] Connection refused
Banner for ip scanme.nmap.org:22 - SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.13
Error for scanme.nmap.org:23 - [Errno 61] Connection refused
Error for scanme.nmap.org:24 - [Errno 61] Connection refused
Error for scanme.nmap.org:25 - timed out
Error for scanme.nmap.org:26 - [Errno 61] Connection refused
Error for scanme.nmap.org:27 - [Errno 61] Connection refused
Error for scanme.nmap.org:28 - [Errno 61] Connection refused
Two different failure modes show up in this output. "Connection refused" means the host answered the connection attempt with a TCP RST, so the port is closed. The "timed out" on port 25 means nothing came back within the 5-second timeout, which usually means a firewall is silently dropping the packets (Nmap would report that port as filtered).
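The script above prints whatever it gets and lumps every problem into one error line. The following is an added example, not the script from this post, that returns a status instead: banner, silent (open but nothing arrived), closed (RST) or filtered (no answer). To make it run offline it starts three small fake services on 127.0.0.1 that are constructed for this example: one that speaks first like SSH, one that only answers after a request like HTTP, and one that accepts the connection and stays quiet. The helper names grab_banner(), start_fake_service() and demo(), the HTTP reply and the probe are this example's own.

```python
import socket
import socketserver
import threading
import time


def grab_banner(host, port, probe=None, timeout=2.0):
    """Connect to host:port and report what the service says first.

    Returns (status, text) where status is one of:
      'banner'   - the service sent data (text holds it, decoded)
      'silent'   - the connection opened but nothing arrived before the timeout,
                   or the peer closed without saying anything
      'closed'   - the host refused the connection (RST) or another socket error occurred
      'filtered' - no SYN-ACK within the timeout, typically a firewall dropping packets
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "filtered", ""
    except OSError as e:
        return "closed", str(e)
    with sock:
        sock.settimeout(timeout)
        try:
            if probe is not None:
                sock.sendall(probe)  # client-first protocols (HTTP) only answer after a request
            data = sock.recv(1024)
        except socket.timeout:
            return "silent", ""
        except OSError as e:
            return "closed", str(e)
    if not data:
        return "silent", ""
    # latin-1 maps every byte to a character, so a non-UTF-8 banner cannot crash the grabber
    return "banner", data.decode("latin-1").strip()


def start_fake_service(banner=b"", reply=b"", hold=0.0):
    """Start a local TCP service on a free port (a constructed test fixture, not a real daemon).

    banner: sent as soon as the client connects (banner-first protocols: SSH, FTP, SMTP)
    reply:  sent only after the client sends something (client-first protocols: HTTP)
    hold:   with neither, keep the connection open this many seconds without sending anything
    """
    class Handler(socketserver.BaseRequestHandler):
        def handle(self):
            if banner:
                self.request.sendall(banner)
            elif reply:
                self.request.settimeout(2.0)
                try:
                    if self.request.recv(1024):  # wait for the client's request first
                        self.request.sendall(reply)
                except OSError:
                    pass
            else:
                time.sleep(hold)

    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), Handler)
    server.daemon_threads = True  # do not block shutdown on handlers that are still sleeping
    server.block_on_close = False
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


SSH_BANNER = b"SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.13\r\n"  # the banner seen on scanme above
HTTP_REPLY = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.7 (Ubuntu)\r\n"
              b"Content-Length: 0\r\n\r\n")                       # constructed reply
HTTP_PROBE = b"GET / HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n"         # a well-formed HTTP request


def demo():
    """Run the grabber against three local fake services and one closed port."""
    ssh = start_fake_service(banner=SSH_BANNER)
    http = start_fake_service(reply=HTTP_REPLY)
    quiet = start_fake_service(hold=3.0)
    # pick a port nobody listens on: bind, read the number, release it again
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    free_port = tmp.getsockname()[1]
    tmp.close()
    try:
        return {
            "ssh_no_probe":    grab_banner("127.0.0.1", ssh.server_address[1]),
            "http_no_probe":   grab_banner("127.0.0.1", http.server_address[1], timeout=1.0),
            "http_with_probe": grab_banner("127.0.0.1", http.server_address[1], probe=HTTP_PROBE),
            "silent_port":     grab_banner("127.0.0.1", quiet.server_address[1], timeout=1.0),
            "closed_port":     grab_banner("127.0.0.1", free_port),
        }
    finally:
        for srv in (ssh, http, quiet):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    for name, (status, text) in demo().items():
        first_line = text.splitlines()[0] if text else ""
        print(f"{name:<16} {status:<9} {first_line}")
```

The http_no_probe case is the one to notice: an HTTP server is open but says nothing until it receives a request, so a grabber that only listens reports it as silent and misses the Server header entirely. That is why the script in this post sends a request, and why Nmap's -sV follows up with protocol-specific probes rather than relying on the first bytes alone.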
Conclusion
Banner grabbing is a simple but useful technique for learning which service, and which version of it, is listening on a port. That version can then be checked against known vulnerabilities. Keep in mind that a banner is only text the service chooses to send, so it can be changed or hidden by the administrator; treat it as a strong hint, not proof.