Banner Grabbing

Banner Grabbing is process in which an attacker tries to find out application version installed in victims PC. In this following tutorial I ‘ll try to elaborate in short how we can grab banners. Note that errors are best friends as well as worst enemies of programmers as well as hackers since they reveal enough information that can be used against victim for exploitation. After we cover banner grabbing we will have our look on how we can prevent from banner being grabbed.

Banner Grabbing Using Telnet:
Telnet(previously known as Telephone Port) is one of the robust inbuilt tool that every OS has can be used to grab banner. In fact banner is grabbed using this technique is successful just because when we send wrong information to wrong port the victim returns with error message which also has banner information. Type the following in command prompt but before that be sure that telnet port number 23 is open by scanning via nmap.
C:/>telnet victim’s_IP 80
HEAD/HTTP/1.1  (now press enter twice)
HTTP/1.1 200 OK
Date: Mon, 11 May 2010 22:10:40 EST
Server: Apache/2.6.01 (Unix) (Red Hat/Linux)
Last-Modified: Thu, 16 Apr 2009 11:20:14 PST
ETag: “1986-69b-123a4bc6”
Accept-Ranges: bytes
Content-Length: 1110
Connection: close
Content-Type: text/html
As you can see if the victim has not configured his/her system properly, we can get information like this which reveals our victim is using Apache server along with its version. Same  also applies to any other server.
Banner Grabbing From Error Pages:
Every server is configured to return some specific type of error message for known types of problems this can be used to grab exact type of server the victim is running. Please have a look on following error page,
Now lets see what information it reveals,
Server: Apache 2.0.63
OS: Red Hat Enterprise Linux 5
SSL Tool: OpenSSL 0.9.8
Above page is displayed by Apache when you type URL that does not exist on victim’s server.
If you find any button with input, leave input blank and press button it’ll reveal you programming language used for web development. Following error page is got when I pressed submit button leaving input fields blank.
The above error page shows victim is using external web mail program “Squirrel Mail v1.4.6-1” and also used PHP as development language now as per our knowledge is concerned Squirrel Mail needs PHP v5 as a intelligent guess “Squirrel Mail + PHP v5” we can conclude the victim must be running MySQL as its database server. But its just a guess but while port scanning you have found 3036 port open that means we can be 100% sure yes its MySQL server.
In All:
Development Tools: HTML + PHP v5 + MySQL
Mail Agent: Squirrel Mail v1.4.6-1
Grabbing Banner From Page Extensions:
This only means just have a look on URL to find out what application our victim might be using. Here you might need some good knowledge of programming to identify application version. To gain application version you have to save page on your hard disk and view page source then use your experience in programming to deduce version of application, once application is known. I am really sorry this type of version detection is not possible to be taught, it needs programming experience so for this kinda detection you need to be good in web development.
.asp/.aspx: This sure-shot means victim is running Microsoft Active Server Pages technology.
.jsp:                 Java Based web technology. Most of the time database used is MySQL with JSP, this can be used as guess
.PHP:              PHP + HTML
.cfm:                Macromedia Cold Fusion
.asmx              .Net/J2EE
.jws                  Java web services
.wsdl                Web Service Definition Language (WSDL)
Note that extension may appear anywhere in URL so you must have keen look on it, next when extension doesn’t seem familiar, Google with extension and you will surely get what kinda web development tools the victim has used.
Banner Grabbing Using Net Craft:
Net Craft is anti-phishing toolbar which also allows OS detection and banner grabbing. Browse to www.netcraft.com and type name of website you want information after “What’s that site running”.

In next section we will discuss some more methods of grabbing banners and prevention against them. Please don’t just read, try whatever you learned from this post. Don’t forget to tell how was the post and is there anything you need more explanation

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s