Banner Grabbing 117
Banner Grabbing
The first method of identifying a network we’ll explore is through a process known as
banner grabbing. Banner grabbing is designed to determine information about the services
running on a system and is extremely useful to ethical hackers during their assessment
process. Typically the technique is undertaken using Telnet to retrieve banner information
about the target that reveals the nature of the service.
A banner is what a service returns to the requesting program to give information about
the service itself. Information that the banner reveals can be varied, but in the case of
HTTP it can include the type of server software, version number, when it was modified
last, and similar information.
In many cases Telnet is the weapon of choice in retrieving this information. Although
there are other tools (a few of which we’ll discuss in a moment), we’ll focus mainly on
Telnet because it is the most common and the simplest. Most operating systems come
with the ability to establish Telnet sessions, so that is one of the primary ways that banner
grabbing is performed. Whether Telnet or another program is used, banners are grabbed
by connecting to a host and then sending a request to a port that is associated with a
particular service, such as port 80 for HTTP.
Telnet used to be included by default with all versions of Microsoft
Windows; however, as of Windows Vista and later, the Telnet client is not
included but is available as a free download. The client was pulled from
Windows—for reasons presumably known to Microsoft—but it hasn’t been
made completely unavailable.
So how do you use Telnet to grab a banner from a system? Use the following command
to open a Telnet connection to a remote host and pull the service's banner:
telnet <hostname> <port>
Here's an example. The first line opens the connection to port 80; once it is open, the
second line is typed into the session as an HTTP HEAD request and is followed by a blank
line (press Enter twice), which makes the web server send back its response headers:
telnet www.someexamplesite.com 80
HEAD / HTTP/1.0
Figure 5.6 shows the results of a banner grab.
FIGURE 5.6 Results of a banner grab
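The exchange described above, carried out programmatically, as an added example that is not part of the original text: it sends the same HEAD / HTTP/1.0 request the Telnet session types, applies a timeout so a silent port does not hang, and parses the status line plus the Server, X-Powered-By and Last-Modified headers. The host name, the sample response and the helper names are constructed for illustration; an administrator can point it at their own servers to see exactly what the banner discloses.

```python
import socket

# Constructed sample response so the parser can be exercised offline.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    b"Server: Apache/2.4.57 (Unix)\r\n"
    b"Last-Modified: Sun, 31 Dec 2023 12:00:00 GMT\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)

def build_head_request(host: str) -> bytes:
    """Same request the Telnet session types, ended by the blank line that
    tells the server the headers are complete; Host is added so name-based
    virtual hosts answer for the right site."""
    return f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")

def parse_http_banner(raw: bytes) -> dict:
    """Extract the status line and the headers a banner typically reveals."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1", errors="replace").split("\r\n")
    info = {"status": lines[0] if lines else ""}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    for key in ("server", "x-powered-by", "last-modified"):
        info[key] = headers.get(key)   # None when the server withholds it
    return info

def grab_banner(host: str, port: int = 80, timeout: float = 5.0) -> dict:
    """Connect, send the HEAD request and parse whatever comes back.
    The timeout bounds both connect and recv so an unresponsive service
    returns an empty banner instead of blocking forever."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_head_request(host))
        while b"\r\n\r\n" not in b"".join(chunks):
            try:
                chunk = sock.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            chunks.append(chunk)
    return parse_http_banner(b"".join(chunks))

if __name__ == "__main__":
    print(parse_http_banner(SAMPLE_RESPONSE))
```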