Best Ways To Banner Grabbing In Penetration Testing

In penetration testing, the first step is reconnaissance, and banner grabbing is a technique that retrieves information about the services running on a host. A banner includes details such as the name and version of the service. Services such as FTP and SSH often expose vital information that penetration testers can use to exploit them.

Once this information is gathered, it can be used to find vulnerabilities: a CVE search on the identified service or software version can give the pentester the information they need to compromise the service.

Tools Used for Banner Grabbing

  • Netcat
  • Nmap
  • Telnet
  • Dmitry
  • CURL
  • Metasploit

Netcat

Let’s do banner grabbing using Netcat, a very common tool that comes pre-installed on most Linux distributions.

nc -v 10.10.132.81 22


Result: “SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.7”

Nmap

Let’s do a quick banner grabbing using Nmap.

nmap -sV --script=banner 10.10.132.81


Let’s do it for a specific port.

nmap -p 3333 -sV --script=banner 10.10.132.81


Result: “Apache httpd 2.4.18 ((Ubuntu))”

Telnet

telnet 10.10.132.81 22


Dmitry

Dmitry is a Linux command-line tool written in C. It gathers as much information as it can about a host and its services: subdomains, uptime, open ports, email addresses, whois records and more.

dmitry -b 10.10.132.81


CURL

Curl is a command-line tool for transferring data. We can use it to grab the banner of web services.

curl -s -I 10.10.132.81:3333


The -I option sends a HEAD request, so curl returns only the HTTP response headers, including the Server header that carries the banner.
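The Netcat and curl sections above do the same two things by hand: open a TCP connection and read what the service says, or send an HTTP HEAD request and read the Server header. The following Python script is an added example (not from the original post) that automates both and parses the banner into service name and version. To stay offline it starts throwaway listeners on localhost that reply with constructed banners modelled on the results shown above; point grab_banner at a real host and port you are authorised to test to use it for reconnaissance.

```python
import re
import socket
import threading

# Constructed sample banners for the offline demo (not captured from any real host).
SSH_BANNER = "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.7\r\n"
HTTP_REPLY = "HTTP/1.1 200 OK\r\nServer: Apache/2.4.18 (Ubuntu)\r\nContent-Length: 0\r\n\r\n"

def grab_banner(host, port, probe=b"", timeout=3.0):
    """Connect like `nc host port`, optionally send a probe (e.g. an HTTP HEAD
    request like `curl -I`), and return the first chunk of the reply as text."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        data = s.recv(1024)
    return data.decode("utf-8", errors="replace")

def parse_banner(banner):
    """Extract service name and version from an SSH greeting or an HTTP Server header."""
    m = re.match(r"SSH-(?P<proto>[\d.]+)-(?P<sw>\S+?)_(?P<ver>[\w.]+)", banner)
    if m:
        return {"service": m["sw"], "version": m["ver"], "protocol": "ssh-" + m["proto"]}
    m = re.search(r"^Server:\s*(?P<sw>[^/\r\n]+)/?(?P<ver>[\w.]*)", banner, re.M)
    if m:
        return {"service": m["sw"].strip(), "version": m["ver"] or None, "protocol": "http"}
    return {"service": None, "version": None, "protocol": None}

def serve_banner(reply, wait_for_request=False):
    """Start a one-shot local listener that answers a single connection with
    `reply` (hypothetical test server for the demo); returns the chosen port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    def handler():
        conn, _ = srv.accept()
        with conn:
            if wait_for_request:        # an HTTP server only speaks after a request
                conn.recv(1024)
            conn.sendall(reply.encode())
        srv.close()
    threading.Thread(target=handler, daemon=True).start()
    return port

def demo():
    """Grab and parse an SSH-style banner and an HTTP Server header from the local listeners."""
    ssh_port = serve_banner(SSH_BANNER)
    http_port = serve_banner(HTTP_REPLY, wait_for_request=True)
    ssh = parse_banner(grab_banner("127.0.0.1", ssh_port))
    http = parse_banner(grab_banner("127.0.0.1", http_port, b"HEAD / HTTP/1.0\r\n\r\n"))
    return ssh, http

if __name__ == "__main__":
    print(demo())
```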

Metasploit

The last banner grabbing method is Metasploit, which has several auxiliary modules for information gathering. Searching for “banner” lists the version and banner grabber modules alongside exploit modules that merely have the word in their name:

msf5 > search banner

Matching Modules
================

   #  Name                                                      Disclosure Date  Rank       Check  Description
   -  ----                                                      ---------------  ----       -----  -----------
   0  auxiliary/scanner/http/f5_bigip_virtual_server                             normal     No     F5 BigIP HTTP Virtual Server Scanner
   1  auxiliary/scanner/imap/imap_version                                        normal     No     IMAP4 Banner Grabber
   2  auxiliary/scanner/pop3/pop3_version                                        normal     No     POP3 Banner Grabber
   3  auxiliary/scanner/smtp/smtp_version                                        normal     No     SMTP Banner Grabber
   4  auxiliary/scanner/telnet/lantronix_telnet_version                          normal     No     Lantronix Telnet Service Banner Detection
   5  auxiliary/scanner/telnet/telnet_version                                    normal     No     Telnet Service Banner Detection
   6  exploit/multi/http/auxilium_upload_exec                   2012-09-14       excellent  Yes    Auxilium RateMyPet Arbitrary File Upload Vulnerability
   7  exploit/unix/webapp/openx_banner_edit                     2009-11-24       excellent  Yes    OpenX banner-edit.php File Upload PHP Code Execution
   8  exploit/unix/webapp/wp_easycart_unrestricted_file_upload  2015-01-08       excellent  No     WordPress WP EasyCart Unrestricted File Upload
   9  exploit/windows/ftp/proftp_banner                         2009-08-25       normal     No     ProFTP 2.9 Banner Remote Buffer Overflow
