What Is A Banner?
When we connect to a port (i.e. the service running on that port), the service responds to our request, and the header of the packet it sends in response contains some information about the service. This information is called a banner.
Banner Grabbing process
Banner Grabbing: The process of fetching the banner of a service is called banner grabbing.
The most common services that we are likely to grab banners for are Hyper Text Transfer Protocol (HTTP), which runs on port 80, Simple Mail Transfer Protocol (SMTP), which runs on port 25, and File Transfer Protocol (FTP), which runs on port 21.
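As an added example (not code from the original article), the Python sketch below shows how the banner arrives for the three services named above and how to check whether it discloses a software version, which is what an administrator auditing their own hosts wants to know. The function names, the version regex and the sample banners are assumptions constructed for illustration.

```python
import re
import socket

# SMTP and FTP greet as soon as you connect; HTTP answers only after a request.
PROBES = {"http": b"HEAD / HTTP/1.0\r\n\r\n", "smtp": b"", "ftp": b""}

# "product/1.2.3" or "product 1.2.3": a name followed by a dotted version number.
VERSION_RE = re.compile(r"([A-Za-z][\w\-]*)[/ ]v?(\d+(?:\.\d+)+[\w\-]*)")


def read_banner(host, port, service, timeout=3.0):
    """Connect to a host you administer and return its first response as text."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if PROBES[service]:
            sock.sendall(PROBES[service])
        data = sock.recv(1024)
    return data.decode("latin-1", errors="replace")


def disclosed_software(banner, service):
    """Return (product, version) if the banner reveals a version, else None."""
    if service == "http":
        # Only the Server header counts; the status line "HTTP/1.1" is not a product.
        lines = [l for l in banner.splitlines() if l.lower().startswith("server:")]
        text = lines[0].split(":", 1)[1] if lines else ""
    else:
        # SMTP/FTP greeting: first line, minus the 220 reply code.
        text = banner.splitlines()[0][3:] if banner.startswith("220") else ""
    match = VERSION_RE.search(text)
    return (match.group(1), match.group(2)) if match else None


# Constructed sample banners (not captured from any real host).
SAMPLES = [
    ("http", "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n\r\n"),
    ("http", "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"),
    ("smtp", "220 mail.example.test ESMTP Postfix 3.4.13\r\n"),
    ("ftp", "220 (vsFTPd 3.0.3)\r\n"),
]


def audit(samples):
    return [(svc, disclosed_software(banner, svc)) for svc, banner in samples]


if __name__ == "__main__":
    for service, finding in audit(SAMPLES):
        print(service, "discloses" if finding else "hides version", finding or "")
```

A `None` result, as for the second HTTP sample, means the service has been configured to suppress its version string, which is the outcome a hardening review looks for.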
There are two types of banner grabbing
Specially crafted packets are sent to the remote OS and the response is noted.
The responses are then compared with a database to determine the OS.
Responses from different OSes vary due to differences in TCP/IP stack implementation.
Banner Grabbing from Error Messages: Error messages provide information such as the type of server, type of OS, and SSL tool used by the target remote system
Sniffing the Network Traffic: Capturing and analyzing packets from the target enables an attacker to determine the OS used by the remote system
Banner Grabbing from the Page Extension: Looking for an extension in the URL may assist in determining the application version
Example: aspx => IIS server and Windows platform
Tools for banner grabbing
- ID Serve
ID Serve can always identify the model and version of any website’s server software
This simple utility reads and writes data across TCP or UDP network connections
It is designed to be a reliable back-end tool to use directly or easily drive by other programs and scripts
It is also a network debugging and exploration tool, since it can create almost any kind of connection you would need, including port binding to accept incoming connections.
SHODAN combines an HTTP port scanner with a search engine index of the HTTP responses, making it trivial to find specific web servers. Shodan collects data mostly on web servers at the moment (HTTP port 80).
It is a protocol to access remote machines over the internet
It is also known as remote access protocol
It is a protocol for creating a connection with a remote machine over a TCP/IP network.
Nmap (Network Mapper) is a security scanner, originally written by Gordon Lyon (also known by his pseudonym Fyodor Vaskovich), used to discover hosts and services on a computer network, thus building a “map” of the network.
Superscan is a free Windows-only closed-source TCP/UDP port scanner by Foundstone (now part of McAfee).
It includes a variety of additional networking tools such as ping, traceroute, HTTP HEAD, and whois.
Some functionality has been crippled by restrictions imposed by Microsoft in Windows XP SP2 and newer releases.