If you’re preparing for the Security+ exam, you might be interested in knowing about Banner Grabbing.
Banner Grabbing is a technique used to gain information about a remote server and is often used as part of a fingerprinting attack. Additionally, penetration testers sometimes use this as a technique to get information about remote servers. Both testers and attackers often use Telnet because it’s relatively simple to use. The command looks like this:
telnet somehost 80
For example, the following command attempts to connect to the gcgapremium.com server using the HTTP protocol on port 80:
telnet getcertifiedgetahead.com 80
If successful, the server returns a Hypertext Markup Language (HTML) banner providing information on the server. The banner might look something like the following:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head><title>501 Method Not Implemented</title>
<h1>Method Not Implemented</h1>
<p>GET to /index.html not supported.<br /></p>
<p>Additionally, a 404 Not Found error was encountered.</p><hr>
<address>Apache/2.2.25 (Unix) mod_ssl/2.2.25 OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/126.96.36.19935 Server at 188.8.131.52 Port 80</address>
The HTML code is returning several errors which can be ignored. The real information is at the end in the <address> section. You can see the following information:
- Apache/2.2.25 (Unix) – This is an Apache web server version 2.2.25 running on a Unix system.
- mod_ssl/2.2.25 – This is an Apache module that provides SSL and TLS support.
- OpenSSL/1.0.0-fips – This is an open source implementation of the SSL and TLS protocols using the Federal Information Processing Standard (FIPS).
- mod_auth_passthrough/2.1 – An Apache module that allows other programs to use their own authentication methods.
- mod_bwlimited/1.4 – This identifies a cPanel module used for monitoring bandwidth.
- FrontPage/184.108.40.20635 – It has a FrontPage extension enabled.
- Server at 220.127.116.11 Port 80 – This shows the IP and port number.
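When auditing a server you run, splitting the signature into its parts shows exactly what a banner like this gives away. The following is an added example, not code from the original article; the function names are hypothetical, and the sample page is constructed, with a placeholder FrontPage version and a documentation IP address.

```python
import re
from html import unescape

# Constructed sample modelled on the error page above; the FrontPage version
# and the IP address (a documentation address) are placeholders.
SAMPLE_PAGE = """<html><head><title>501 Method Not Implemented</title>
<h1>Method Not Implemented</h1><hr>
<address>Apache/2.2.25 (Unix) mod_ssl/2.2.25 OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/0.0.0.0 Server at 192.0.2.10 Port 80</address>
</html>"""

ADDRESS_RE = re.compile(r"<address>(.*?)</address>", re.IGNORECASE | re.DOTALL)
TRAILER_RE = re.compile(r"\s*Server at (\S+) Port (\d+)\s*$")
TOKEN_RE = re.compile(r"([^\s/()]+)(?:/(\S+))?|\(([^)]*)\)")


def parse_banner(page):
    """Return what an Apache-style <address> signature discloses, or None."""
    match = ADDRESS_RE.search(page)
    if match is None:
        return None  # no signature in the page: nothing disclosed this way
    text = unescape(match.group(1)).strip()
    result = {"products": [], "platform": None, "host": None, "port": None}
    trailer = TRAILER_RE.search(text)
    if trailer:
        result["host"], result["port"] = trailer.group(1), int(trailer.group(2))
        text = text[:trailer.start()]
    for name, version, comment in TOKEN_RE.findall(text):
        if comment:
            result["platform"] = comment  # parenthesised token, e.g. "Unix"
        elif name:
            result["products"].append((name, version or None))
    return result


def versioned_products(parsed):
    """Names of products whose exact version is visible to any client."""
    return [name for name, version in parsed["products"] if version]


if __name__ == "__main__":
    info = parse_banner(SAMPLE_PAGE)
    for name, version in info["products"]:
        print(f"{name:22} {version or '(version hidden)'}")
    print("platform:", info["platform"], "| host:", info["host"], "| port:", info["port"])
```

Every entry returned by versioned_products() is a component whose exact release can be read by anyone who connects, so the list doubles as an inventory of what to keep patched.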
Sample Security+ Banner Grabbing Question
1. A penetration tester is tasked with gaining information on one of your internal servers and he enters the following command: telnet server1 80. What is the purpose of this command?
A. Identify if server1 is running a service using port 80 and is reachable
B. Launch an attack on server1 sending 80 separate packets in a short period of time
C. Using telnet to remotely administer server1
D. Using telnet to start an RDP session
1. A. This command will send a query to the server over port 80, and if the server is running a service on port 80, it will connect. This is a common beginning command for a banner grabbing attempt. It does not send 80 separate packets. If 80 was omitted, telnet would attempt to connect using its default port of 23 and attempt to create a telnet session. Remote Desktop Protocol (RDP) uses port 3389 and is not relevant in this scenario.