How To: Use Banner Grabbing to Aid in Reconnaissance & See What Services Are Running on the System

As we've seen with other tools and utilities, administrators typically use certain things to do their job more efficiently, and those things are often abused by attackers for exploitation. After all, hacking is just the process of getting a computer to do things in unexpected ways. Today, we will be covering various methods to perform banner grabbing to learn more about the target system.

Banner grabbing is a technique used to gather information about running services on a computer system. Banners refer to the messages on the host that usually provide a greeting or version information. An attacker can use banner data to their advantage by obtaining specific version numbers of services to aid in reconnaissance and exploitation.

• Don't Miss: Conduct Recon on a Web Target with Python Tools

To learn about banner grabbing, we will be using Metasploitable 2 as the target and Kali Linux as our local machine. In a terminal window, let's do a quick Nmap scan on the target to see what's running:

~# nmap 10.10.0.50

Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-08 09:00 CDT
Nmap scan report for 10.10.0.50
Host is up (0.0024s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown
MAC Address: 00:1D:09:55:B1:3B (Dell)

Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds

Method 1: Telnet

The first tool we'll use to do some banner grabbing is telnet. This unassuming little utility might not seem very useful when it comes to penetration testing, but its value lies in the fact that it's present on virtually any system.

The syntax is telnet, followed by the IP address of the machine you wish to connect to, followed by the port number. We can use telnet to get version information for FTP, which runs on port 21:

~# telnet 10.10.0.50 21

Trying 10.10.0.50...
Connected to 10.10.0.50.
Escape character is '^]'.
220 (vsFTPd 2.3.4)

We can do the same for SSH, running on port 22:

~# telnet 10.10.0.50 22

Trying 10.10.0.50...
Connected to 10.10.0.50.
Escape character is '^]'.
SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1

We can even use it to grab the banner of a web server, which usually runs on port 80. Once connected, type something, and it will display some information for us. For instance. I typed "help" once connected:

~# telnet 10.10.0.50 80

Trying 10.10.0.50...
Connected to 10.10.0.50.
Escape character is '^]'.

help

<html><head><title>Metasploitable2 - Linux</title></head><body>
<pre>

                _                  _       _ _        _     _      ____
 _ __ ___   ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \
| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __/ _` | '_ \| |/ _ \ __) |
| | | | | |  __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | |  __// __/
|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|
                            |_|

Warning: Never expose this VM to an untrusted network!

Contact: msfdev[at]metasploit.com

Login with msfadmin/msfadmin to get started

</pre>
<ul>
<li><a href="/twiki/">TWiki</a></li>
<li><a href="/phpMyAdmin/">phpMyAdmin</a></li>
<li><a href="/mutillidae/">Mutillidae</a></li>
<li><a href="/dvwa/">DVWA</a></li>
<li><a href="/dav/">WebDAV</a></li>
</ul>
</body>
</html>

Connection closed by foreign host.

We can see it returns a tiny bit of HTML, including what appear to be directories, plus a welcome banner on the system. We also get lucky with this one since it contains both an email and login credentials.

Method 2: Netcat

Now, we will perform banner grabbing with Netcat, a utility that is very common on Linux systems and can be abused in all sorts of ways. We can use it to connect to certain ports and gather information.

First, let's connect to the FTP service on port 21, just like we did with telnet:

~# nc 10.10.0.50 21

220 (vsFTPd 2.3.4)

We can do the same with SSH on port 22:

~# nc 10.10.0.50 22

SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1

And again on port 80:

~# nc 10.10.0.50 80

hi
<html><head><title>Metasploitable2 - Linux</title></head><body>
<pre>

                _                  _       _ _        _     _      ____
 _ __ ___   ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \
| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __/ _` | '_ \| |/ _ \ __) |
| | | | | |  __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | |  __// __/
|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|
                            |_|

Warning: Never expose this VM to an untrusted network!

Contact: msfdev[at]metasploit.com

Login with msfadmin/msfadmin to get started

</pre>
<ul>
<li><a href="/twiki/">TWiki</a></li>
<li><a href="/phpMyAdmin/">phpMyAdmin</a></li>
<li><a href="/mutillidae/">Mutillidae</a></li>
<li><a href="/dvwa/">DVWA</a></li>
<li><a href="/dav/">WebDAV</a></li>
</ul>
</body>
</html>

We can also utilize Netcat to communicate with the web server. For example, we can use the HEAD method to get the header information about the server:

~# nc 10.10.0.50 80

HEAD / HTTP/1.1

HTTP/1.1 400 Bad Request
Date: Wed, 19 Jun 2019 18:28:12 GMT
Server: Apache/2.2.8 (Ubuntu) DAV/2
Connection: close
Content-Type: text/html; charset=iso-8859-1

Even though it was a bad request, we still got the exact version number of Apache.

We can send a GET request as well, which will return the contents of the webpage:

~# nc 10.10.0.50 80

GET / HTTP/1.1

HTTP/1.1 400 Bad Request
Date: Wed, 19 Jun 2019 18:29:19 GMT
Server: Apache/2.2.8 (Ubuntu) DAV/2
Content-Length: 323
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<hr>
<address>Apache/2.2.8 (Ubuntu) DAV/2 Server at metasploitable.localdomain Port 80</address>
</body></html>

In this case, we still get a bad request, but this method can return HTML and other useful information.

Method 3: Curl

Curl, often stylized as cURL (Client URL), is a command-line tool used for transferring data. It is most commonly used for HTTP, but it supports a wide variety of other protocols.

We can also use curl to grab the banner of the web server. However, we don't need to specify the port number this time as we did with the previous tools:

~# curl 10.10.0.50

<html><head><title>Metasploitable2 - Linux</title></head><body>
<pre>

                _                  _       _ _        _     _      ____
 _ __ ___   ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \
| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __/ _` | '_ \| |/ _ \ __) |
| | | | | |  __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | |  __// __/
|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|
                            |_|

Warning: Never expose this VM to an untrusted network!

Contact: msfdev[at]metasploit.com

Login with msfadmin/msfadmin to get started

</pre>
<ul>
<li><a href="/twiki/">TWiki</a></li>
<li><a href="/phpMyAdmin/">phpMyAdmin</a></li>
<li><a href="/mutillidae/">Mutillidae</a></li>
<li><a href="/dvwa/">DVWA</a></li>
<li><a href="/dav/">WebDAV</a></li>
</ul>
</body>
</html>

We can also use the -I flag to fetch the HTTP header:

~# curl -I 10.10.0.50

HTTP/1.1 200 OK
Date: Wed, 19 Jun 2019 18:32:06 GMT
Server: Apache/2.2.8 (Ubuntu) DAV/2
X-Powered-By: PHP/5.2.4-2ubuntu5.24
Content-Type: text/html

This time we get a 200 OK, plus some information pertaining to the PHP version.

Method 4: Nmap

The next tool we can use to grab banners is Nmap. When using service detection, Nmap will return information about the running service, such as a version number, but Nmap also has an NSE script that can perform banner grabbing for us.

Use the --script option followed by the name of the script, in this case, banner:

~# nmap --script banner 10.10.0.50

Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-08 09:15 CDT
Nmap scan report for 10.10.0.50
Host is up (0.0026s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
|_banner: 220 (vsFTPd 2.3.4)
22/tcp   open  ssh
|_banner: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
23/tcp   open  telnet
|_banner: \xFF\xFD\x18\xFF\xFD \xFF\xFD#\xFF\xFD'
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
|_banner: root@metasploitable:/#
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
|_banner: 220 ProFTPD 1.3.1 Server (Debian) [::ffff:10.10.0.50]
3306/tcp open  mysql
| banner: >\x00\x00\x00\x0A5.0.51a-3ubuntu5\x00-\x00\x00\x00$&0_n-0L\x00,
|_\xAA\x08\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00...
5432/tcp open  postgresql
5900/tcp open  vnc
|_banner: RFB 003.003
6000/tcp open  X11
6667/tcp open  irc
| banner: :irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostna
|_me...
8009/tcp open  ajp13
8180/tcp open  unknown
MAC Address: 00:1D:09:55:B1:3B (Dell)

Nmap done: 1 IP address (1 host up) scanned in 15.90 seconds

That gave us banners for several services, some easier to read than others.

We can also narrow our focus to a specific port using the -p flag:

~# nmap -sV --script banner 10.10.0.50 -p 80

Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-08 09:25 CDT
Nmap scan report for 10.10.0.50
Host is up (0.00065s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) DAV/2)
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
MAC Address: 00:1D:09:55:B1:3B (Dell)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.76 seconds

For example, running this against port 80 gives us some information about the Apache web server.

Method 5: Metasploit

The final banner-grabbing method we will explore is Metasploit. Metasploit has modules that will gather information about telnet, web servers, SMTP, and more.

First, launch Metasploit by typing msfconsole in the terminal. Then, we can use the search command on the msf5 prompt to find any modules relating to banner grabbing:

msf5 > search banner

Matching Modules
================

   #  Name                                                      Disclosure Date  Rank       Check  Description
   -  ----                                                      ---------------  ----       -----  -----------
   0  auxiliary/scanner/http/f5_bigip_virtual_server                             normal     Yes    F5 BigIP HTTP Virtual Server Scanner
   1  auxiliary/scanner/imap/imap_version                                        normal     Yes    IMAP4 Banner Grabber
   2  auxiliary/scanner/pop3/pop3_version                                        normal     Yes    POP3 Banner Grabber
   3  auxiliary/scanner/smtp/smtp_version                                        normal     Yes    SMTP Banner Grabber
   4  auxiliary/scanner/telnet/lantronix_telnet_version                          normal     Yes    Lantronix Telnet Service Banner Detection
   5  auxiliary/scanner/telnet/telnet_version                                    normal     Yes    Telnet Service Banner Detection
   6  exploit/multi/http/auxilium_upload_exec                   2012-09-14       excellent  Yes    Auxilium RateMyPet Arbitrary File Upload Vulnerability
   7  exploit/unix/webapp/openx_banner_edit                     2009-11-24       excellent  Yes    OpenX banner-edit.php File Upload PHP Code Execution
   8  exploit/unix/webapp/wp_easycart_unrestricted_file_upload  2015-01-08       excellent  No     WordPress WP EasyCart Unrestricted File Upload
   9  exploit/windows/ftp/proftp_banner                         2009-08-25       normal     No     ProFTP 2.9 Banner Remote Buffer Overflow

The first module we'll use will give us some information about telnet — load it with the use command:

msf5 > use auxiliary/scanner/telnet/telnet_version

And we can take a look at the options:

msf5 auxiliary(scanner/telnet/telnet_version) > options

Module options (auxiliary/scanner/telnet/telnet_version):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        The password for the specified username
   RHOSTS                     yes       The target address range or CIDR identifier
   RPORT     23               yes       The target port (TCP)
   THREADS   1                yes       The number of concurrent threads
   TIMEOUT   30               yes       Timeout for the Telnet probe
   USERNAME                   no        The username to authenticate as

The only thing we need to set for now is the rhosts option. Set it to the IP address of our target, and since this will remain the same for the next few modules, we can use the setg command to set it globally:

msf5 auxiliary(scanner/telnet/telnet_version) > setg rhosts 10.10.0.50

rhosts => 10.10.0.50

Now, all we have to do is run it:

msf5 auxiliary(scanner/telnet/telnet_version) > run

[+] 10.10.0.50:23         - 10.10.0.50:23 TELNET _                  _       _ _        _     _      ____  \x0a _ __ ___   ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \ \x0a| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __/ _` | '_ \| |/ _ \ __) |\x0a| | | | | |  __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | |  __// __/ \x0a|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|\x0a                            |_|                                          \x0a\x0a\x0aWarning: Never expose this VM to an untrusted network!\x0a\x0aContact: msfdev[at]metasploit.com\x0a\x0aLogin with msfadmin/msfadmin to get started\x0a\x0a\x0ametasploitable login:
[*] 10.10.0.50:23         - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

We can see it gave us a sort of jumbled banner, but again, we did get some credentials from it.

Next, we can use the http_version module to get some information about the web server. Load it up:

msf5 auxiliary(scanner/telnet/telnet_version) > use auxiliary/scanner/http/http_version

And take a look at the options:

msf5 auxiliary(scanner/http/http_version) > options

Module options (auxiliary/scanner/http/http_version):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS   10.10.0.50       yes       The target address range or CIDR identifier
   RPORT    80               yes       The target port (TCP)
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   THREADS  1                yes       The number of concurrent threads
   VHOST                     no        HTTP server virtual host

Everything seems good, so let's kick it off:

msf5 auxiliary(scanner/http/http_version) > run

[+] 10.10.0.50:80 Apache/2.2.8 (Ubuntu) DAV/2 ( Powered by PHP/5.2.4-2ubuntu5.24 )
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

That gave us the Apache version number as well as the PHP version information from it.

We can also scan for the SMTP version that's running. SMTP (Simple Mail Transfer Protocol) is a protocol used for email communication. Load the module with:

msf5 auxiliary(scanner/http/http_version) > use auxiliary/scanner/smtp/smtp_version

And check out the options:

msf5 auxiliary(scanner/smtp/smtp_version) > options

Module options (auxiliary/scanner/smtp/smtp_version):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS   10.10.0.50       yes       The target address range or CIDR identifier
   RPORT    25               yes       The target port (TCP)
   THREADS  1                yes       The number of concurrent threads

Again, it seems good to go, so we can run the module:

msf5 auxiliary(scanner/smtp/smtp_version) > run

[+] 10.10.0.50:25         - 10.10.0.50:25 SMTP 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)\x0d\x0a
[*] 10.10.0.50:25         - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

That returns some information on the SMTP service on the system.

Metasploit also has a couple of other useful scanners for the IMAP and POP3 protocols. These aren't set up on our target, but they work very similarly to the other modules we covered.

How to Prevent Banner Grabbing

Because of the nature of how these services work, banner grabbing is difficult, but not impossible, to prevent. The obvious way to stop this type of attack is to limit the information the service broadcasts, but for a lot of services, it breaks their functionality. Simply disabling banners may provide the best defense against attackers searching for low-hanging fruit.

Another method, which can be utilized for web servers, is to put a proxy in between the server and the internet, which will strip certain information or reformat headers to make detection more difficult. There are also programs available to hide this information from attackers, such as ServerMask and IIS Lockdown.

Wrapping Up

Today, we learned about banner grabbing and how it can be used by an attacker to gather information about the services running on a system. We explored a number of banner-grabbing methods, including using telnet, Netcat, curl, Nmap, and Metasploit. All of this information can be used for reconnaissance, and ultimately, better exploitation.