What is Banner Grabbing?
Banner grabbing is a technique used by attackers and security teams to obtain information about networked computer systems and the services running on their open ports. A banner is the text a host or service sends when a client connects, and it often contains details such as the type and version of the software running on the system or server. Because this welcome message discloses software version numbers and other system information about network hosts, it gives cyberattackers an advantage when planning an attack. Banner grabbing is the act of collecting that banner information, such as the software name and version. Attackers can perform banner grabbing manually or automatically using an Open Source Intelligence (OSINT) tool.[1]
In a banner grabbing attack, cyberattackers identify a company and service they would like to target, and then they launch a request to gather the banner information. After that, they review the returned data to select an attack vector by identifying potentially exploitable vulnerabilities. The two types of banner grabbing attacks are:
Active banner grabbing. Cyberattackers send packets to a remote server and analyze the response data. The attack involves opening a TCP or similar connection between the origin and the remote server. An Intrusion Detection System (IDS) can easily detect an active banner grab.
Passive banner grabbing. Cyberattackers use intermediary software or malware as a gateway so that they never connect directly to the selected target while collecting data from it. This technique uses third-party network tools and services to capture and analyze packets in order to identify the software and version in use on a server.
Common tools for banner grabbing include[2]:
- Telnet. Telnet relies on a simple query to gather information. Generally, cyberattackers first use a port scanner to identify open ports in order to find a port where the remote service is running. An internet protocol (IP) address is needed for the query.
- Wget. Wget is primarily used on remote servers, as well as local file transfer protocol (FTP) and hypertext transfer protocol (HTTP) servers. Generally, an IP address is required.
- Nmap. Nmap is a leading tool with an active community keeping it updated and maintained, and there are versions for most common operating system environments. Some of the request parameters are slightly more complex, but using Nmap can also return higher degrees of detail than some alternatives.
- cURL. cURL is specific to HTTP servers; it also requires little more than an IP address to initiate the request.
- Netcat. Netcat is focused on Linux and Unix systems, and its commands require both an IP address and a port number, so running a port scanner first is typically necessary.
- Dmitry. Dmitry is a command-line utility that’s part of Kali Linux, and it’s primarily used by security professionals and researchers. It can provide a high degree of detail from remote hosts.
Prevent banner grabbing by:
- Restricting access to services on the network
- Shutting down unused or unnecessary services running on network hosts
- Overriding your server’s default banner behavior to hide version information
- Keeping your server and systems updated
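A defender can verify the "override the default banner" step by checking what the tools above would actually see. The following is an added example, not code from the original article: it takes the raw greeting or response text a banner grab returns and reports which product/version strings it discloses, so a host with an empty result has been hardened. The hostnames and banners are constructed sample data.

```python
import re
from typing import Dict, List

# Constructed sample banners, as returned by a telnet/netcat/cURL-style probe.
# web-1 and bastion still leak versions; web-2 and mail have been hardened.
SAMPLE_BANNERS = {
    "web-1:80": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n"
                "X-Powered-By: PHP/7.4.3\r\nContent-Type: text/html\r\n\r\n",
    "web-2:80": "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n",
    "bastion:22": "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5\r\n",
    "mail:25": "220 mail.example.test ESMTP ready\r\n",
}

# A product token followed by a dotted version number, e.g. "Apache/2.4.41",
# "OpenSSH_8.2p1", "Exim 4.94.2". Protocol versions are filtered out by the caller.
VERSION_RE = re.compile(r"\b[A-Za-z][\w.-]*[/_ ]v?\d+(?:\.\d+)+[\w.-]*")


def disclosed_versions(banner: str) -> List[str]:
    """Return the product/version strings a banner reveals, ignoring protocol tokens."""
    if banner.startswith("HTTP/"):
        # Only Server and X-Powered-By name software; the status line's
        # "HTTP/1.1" is the protocol version, not a product version.
        head = banner.split("\r\n\r\n", 1)[0]
        fields = [line.split(":", 1)[1].strip()
                  for line in head.split("\r\n")[1:]
                  if line.lower().startswith(("server:", "x-powered-by:"))]
    elif banner.startswith("SSH-"):
        # "SSH-2.0-" is the protocol version; the software string follows it.
        fields = [banner.split("-", 2)[2].strip()]
    else:
        fields = [banner.strip()]
    return [m.group(0) for field in fields for m in VERSION_RE.finditer(field)]


def audit(banners: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each host:port to the versions its banner discloses; [] means hardened."""
    return {target: disclosed_versions(text) for target, text in banners.items()}


if __name__ == "__main__":
    # Web hosts flagged here are fixed with "ServerTokens Prod" plus
    # "ServerSignature Off" (Apache) or "server_tokens off;" (nginx).
    for target, leaks in audit(SAMPLE_BANNERS).items():
        print(f"{target}: {'LEAKS ' + ', '.join(leaks) if leaks else 'ok'}")
```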
[1] CyberExperts, 2023, “What is Banner Grabbing?”
[2] Reed, 2023, “Banner Grabbing: What It Is & How It Works”