BANNER GRABBING

PRESENTED BY:LAETY M.

WHAT IS A BANNER?

A banner is simply the text that is embedded with a message that is received from a host.

Usually this text includes signatures of applications that issue the message. So, they reveal themselves to us.

Banner Grabbing is a technique usedby hackers to extract informationabout a host. If successful, it canidentify the operating system, webserver and other applications runningon the target host.

What is a Banner Grabbing?

Banner grabbing and operating system identification—which can also be defined as fingerprinting the TCP/IPstack—is the fourth step in the CEH scanningmethodology.

The process of fingerprinting allows the hacker to identifyparticularly vulnerable or high-value targets on thenetwork. Hackers are looking for the easiest way to gainaccess to a system or network.

Banner grabbing is the process of opening a connectionand reading the banner or response sent by theapplication.

Many email, FTP, and web serverswill respond to a telnet connectionwith the name and version of thesoftware.

This aids a hacker in fingerprintingthe OS and application software.For example, a Microsoft Exchangeemail server would only beinstalled on a Windows OS.

There are two types of OSfingerprinting:1. Active2. Passive

1. ACTIVE STACK FINGERPRINTING

Is the mostcommon formoffingerprinting.

It involvessending data to asystem to seehow the systemresponds.

It’s based on the fact that variousoperating system vendors implementthe TCP stack differently, and responseswill differ based on the operatingsystem. The responses are thencompared to a database to determinethe operating system.

Active stack fingerprinting is detectable because itrepeatedly attempts to connect with the same targetsystem.

Is stealthier and involves examining network todetermine the operating system.

2.PASSIVE STACK FINGERPRINTING

Passive stack fingerprinting usually goes undetected byan IDS or other security system but is less accuratethan active fingerprinting.

It uses sniffing techniques instead of scanningtechniques.

It can be done using tools like:

Telnet NmapID ServeGet RequestsNetCraft…and many more tools can be used to pull this off.For OS and Web server detection, we can grab a banner of http.

HOW IT'S DONE?

Hackers grab banners all thetime. Although IPs can belogged, hackers usually hidetheir real IP before grabbing.

If they are successful ingrabbing a few banners theycan then use this informationto find applications that areweak or have a security flaw.

IMPACT

Attackers then focus onexploits that are targeted tothe services that you arerunning.There are hundreds ofservices that can be queriedfor banners and more thanoften, a few have flaws orare simply old versions.

IMPACT (cnt..)

REMEDY

This techniquereveals criticalinformation thatcan be devastating.To get rid of this,first you need tothoroughly analyzewhat information isleaked.

• Set up your services properly.Default settings are alwaysinsecure.•Read the documentation and turnoff all the features that areunnecessary

•Turn off services that you don'tneed such as telnet.•Hiding File Extensions fromWebPages•Disabling or changing thebanner1

REMEDY (cnt..)