Banner grabbing is a technique used by hackers to gather information about computers and services operating on a network that is running open ports. Software banners include information such as application names, software versions, and operating system details. Through banner grabbing, an attacker collects this information.
After grabbing banner data, hackers can use the collected information to prepare for attacks. For example, they can identify a vulnerable program and take advantage of known exploits or viable attack vectors to gain entry into a network. Penetration testers and other cybersecurity professionals also use banner grabbing, so as to identify vulnerabilities in a network.
How Banner Grabbing Works
Banner grabbing is pretty straightforward in practice. Attackers identify a company and service they’d like to target. Then they launch a request to gather the banner information. Finally, they review the returned data to select an attack vector by identifying potentially exploitable vulnerabilities.
Banner grabbing usually occurs one of two ways. First, there’s active banner grabbing, which requires direct involvement from a hacker throughout. The attacker sends a packet to a remote host, functionally requesting the desired data. Then, they wait for a response and, if one occurs, review what’s received.
Active banner grabbing entails opening a specific direct connection, such as a transmission control protocol (TCP) connection. This approach is usually detectable by intrusion detection systems (IDSs), which can spot the connection once it has been made.
Passive banner grabbing collects the same information, but doesn’t require as much direct involvement. Instead, the hacker relies on malware or similar software to serve as a gateway, eliminating the need for a direct connection when gathering the desired data. Generally, it involves third-party network tools and services to analyze packets and determine the applications and software versions in use on a server.
Why Use Banner Grabbing?
Banner grabbing is functionally a technique to identify server, system, and service vulnerabilities that are potentially exploitable. Why banner grabbing is used varies depending on whether the involved accessor is a hacker or a security professional, as their goals differ. Here’s a look at why hackers and cybersecurity professionals use banner grabbing.
Why Hackers Use Banner Grabbing
As mentioned above, banner grabbing returns a significant amount of information on the targeted system or service. Often, attackers aim to use the data to identify system vulnerabilities, allowing them to select attack vectors that take advantage of exploits.
Essentially, hackers take the banner information to plan malicious attacks, often with the goal of accessing sensitive information. Once entry is gained, the attacker can use the access to steal data or compromise systems by destroying data, deploying malware, and more.
Why Cybersecurity Professionals Use Banner Grabbing
Security professionals use banner grabbing as a means of identifying vulnerabilities. Once found, IT teams can take steps to mitigate any associated risks, limiting the odds that attackers can locate exploitable vulnerabilities that result in unauthorized access to systems or services.
Generally, banner grabbing is part of penetration testing. It’s also useful for security audits, as it allows professionals to determine whether risks that weren’t previously known as present.
Common Tools Used for Banner Grabbing
Multiple tools are commonly used for banner grabbing, by hackers and penetration testers alike. Here is an overview of some of the most widely used banner-grabbing tools.
Telnet
Telnet is a straightforward option for banner grabbing, relying on a simple query to gather the information. Generally, finding a port where the remote service is running must be handled first, so using a port scanner to identify open ports is typically essential. Additionally, an internet protocol (IP) address is needed for the query.
Wget
Wget is another simple tool for banner grabbing, and it’s primarily used on remote servers, as well as local file transfer protocol (FTP) and hypertext transfer protocol (HTTP) servers. Generally, an IP address is required, but little else is needed to make the request.
Nmap
Nmap is a leading tool with an active community that strives to keep it updated and properly maintained, and there are versions for most common operating system environments. Some of the request parameters that attackers or cybersecurity professionals can use are slightly more complex in composition, but using Nmap in that manner can also return higher degrees of detail than some alternatives. However, there are also simpler scripts that require little more than an IP address.
cURL
cURL is specific to HTTP servers, so it’s a bit more limited than some alternative tools. However, it also requires little more than an IP address to initiate the request.
Netcat
Netcat is focused on Linux and Unix systems. Like Telnet, the commands require both an IP address and a port number, so using a port scanner first is typically necessary.
Dmitry
Dmitry is a command-line utility that’s part of Kali Linux, and it’s primarily used by security professionals and researchers. It can provide a high degree of detail from remote hosts, including open ports, subdomain mapping, and more. As a result, available commands can perform port scans and return banner information simultaneously.
Banner Grabbing vs Fingerprinting
Both banner grabbing and fingerprinting are strategies for gathering information about a particular system. Overall, fingerprinting is a more complex technique that can potentially reveal more comprehensive configuration information about the targeted system. For example, it can provide software, network architecture and topology, database version, and operating system platform details.
Banner grabbing doesn’t return the same level of detail. Instead, it focuses on banners that network hosts display, primarily for the purpose of learning about potential application, server, or service vulnerabilities instead of in-depth details about configurations.
Legality of Banner Grabbing
Banner grabbing in and of itself isn’t illegal, regardless of who deploys the available techniques. While hackers may use banner grabbing to identify vulnerabilities, it’s also used by white hat hackers to alert organizations of vulnerabilities they may otherwise overlook. None of those actions are explicitly against the law.
However, if the gathered information is used to initiate an attack, the hack itself often veers quickly into illegal territory. Generally, the Computer Fraud and Abuse Act (CFAA) prohibits the unauthorized access into systems and servers owned by another party. Banner grabbing isn’t considered a form of unauthorized access, while any resulting attacks commonly do qualify.
How to Prevent Banner Grabbing
There are several techniques that can help prevent banner grabbing, limiting hackers’ access to potentially sensitive or exploitable information. Here are some steps organizations can take to protect themselves from banner attacks.
Disable Unused Services
Shutting down unused services running on network hosts that could be sources of banner information limits the avenues in which attackers can gather information. In turn, it’s harder for them to find a potential vulnerability they can exploit to gain entry.
Disable Banners
In some cases, it’s possible to fully disable banners on servers. When that option is available, turning banners off ensures that no information is provided if it’s requested, limiting attackers to data they could potentially use to plan an attack.
Remove Information from Banners
In many cases, it’s possible to override the default banner process to hide potentially sensitive information, such as software versions. Most default banners are customizable, so it’s possible to limit what’s displayed to reduce risk.
Perform System and Software Updates
While system and software updates don’t eliminate any information that’s potentially gatherable through banner grabbing, they can reduce security risks. In many cases, updates are issued to correct known vulnerabilities. By not keeping systems and software current, hackers that learn the targeted service is out-of-date can take advantage of the exploits present in the older version. With updating, the known vulnerabilities associated with older versions are often addressed, making it harder for hackers to gain unauthorized entry.
Add a Custom Message
With customizable banner options, it’s often possible to display a custom message to those who banner grab. Within the message, it’s possible to issue a warning to those who gather the information. Essentially, that warning shows attackers that the system is monitored and that the target is meticulous about cybersecurity.
Technically, the custom message won’t automatically prevent all hacks after banner grabbing occurs. However, it can function as a deterrent by making moving forward with an attack seem riskier. As a result, it’s a step worth considering, as it could lead some would-be attackers to reconsider.