Banner Grabbing

Posted by in Security+ | 3 comments

If you’re preparing for the Security+ exam, you might be interested in knowing about Banner GrabbingFingerprinting

Banner Grabbing is a technique used to gain information about a remote server and is often used as part of a fingerprinting attack. Additionally, penetration testers sometimes use this as a technique to get information about remote servers. Both testers and attackers often use Telnet because it’s relatively simple to use. The command looks like this:

telnet somehost 80

For example, the following command attempts to connect to the gcgapremium.com server using the HTTP protocol on port 80:

telnet getcertifiedgetahead.com 80

Get Certified Get Ahead

If successful, the server returns a Hypertext Markup Language (HTML) banner providing information on the server. The banner might look something like the following:

<!DOCTYPE HTML PUBLIC “-//IETF//DTD HTML 2.0//EN”>

<html><head><title>501 Method Not Implemented</title>

</head><body>

<h1>Method Not Implemented</h1>

<p>GET to /index.html not supported.<br /></p>

<p>Additionally, a 404 Not Found error was encountered.</p><hr>

<address>Apache/2.2.25 (Unix) mod_ssl/2.2.25 OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at 72.52.230.233 Port 80</address>

</body></html>

The HTML code is returning several errors which can be ignored. The real information is at the end in the <address> section. You can see the following information:

  • Apache/2.2.25 (Unix) – This is an Apache web server version 2.25 running on a Unix system.
  • mod_ssl/2.2.25 – This is an Apache module that provides SSL and TLS support.
  • OpenSSL/1.0.0-fips – This is an open source implementation of SSL and TLS protocols using Federal Information Processing Standard (fips)
  • mod_auth_passthrough/2.1 – An Apache module that supports other programs to use their own authentication methods.
  • mod_bwlimited/1.4 – this identifies a CPanel modules used for monitoring bandwidth.
  • FrontPage/5.0.2.2635 – It has a FrontPage extension enabled.
  • Server at 72.52.230.233 Port 80 – This shows the IP and port number.

Security+ Study Packages

Sample Security+ Banner Grabbing Question

1. A penetration tester is tasked with gaining information on one of your internal servers and he enters the following command: telnet server1 80. What is the purpose of this command?

A. Identify if server1 is running a service using port 80 and is reachable

B. Launch an attack on server1 sending 80 separate packets in a short period of time

C. Using telnet to remotely administer server1

D. Using telnet to start an RDP session

1. A. This command will send a query to server over port 80 and if the server is running a service on port 80, it will connect. This is a common beginning command for a banner grabbing attempt. It does not send 80 separate packets. If 80 was omitted, telnet would attempt to connect using its default port of 23 and attempt to create telnet session. Remote Desktop Protocol (RDP) uses port 3389 and is not relevant in this scenario.

3 Comments

  1. Noticed this page only has the question at the bottom!

  2. Would this question most likely appear on the SYO-301 exam or on the new 401?

    • Both. However, it is only in the objectives for the 401 exam so if you see it in the 301 exam, it is likely a beta question.

Leave a Comment

CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide

Subscribe To Our Newsletter

Join our mailing list and get a free excerpt of the CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide.  This excerpt includes the introduction and Chapter 1. 

You have Successfully Subscribed!

Get Certified Get Ahead is a participant in the Amazon Services LLC Associates Program,
an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to amazon.com.

Copyright © 2015 Get Certified Get Ahead. All Rights Reserved.