What is Banner Grabbing : Banner Grabbing for Beginners

Banner grabbing is a technique used to gain information about a computer system on a network and the services running on its open ports. An attacker can use banner grabbing to find network hosts that are running versions of applications and operating systems with known exploits. Some examples of service ports used for banner grabbing are those used by Hyper Text Transfer Protocol (port 80), File Transfer Protocol (port 21), and Simple Mail Transfer Protocol (port 25). Banners can be read with client software such as netcat or telnet from the command prompt, by connecting to the target system's IP address. Other tools for banner grabbing include Nmap, SuperScan and others. For example, to grab a banner we can establish a connection to a target web server using Netcat and then send an HTTP request. The response will typically contain information about the service running on the host.
First we need to connect to the target host. For this we use nc (netcat for short).
 nc <host_name_or_address> <port_number>
Here host_name_or_address is the IP address or host name of the target machine and port_number is the port on which the service is running. There are various methods to grab the banner of the target service.

Method 1:

This is a very simple method to grab a banner: first we connect to the target machine on the service port. Here we connect to gnu.org on port 80, which is the HTTP service.
 nc gnu.org 80
and press Enter. After that, press Enter two more times.
 ajay@Test:~$ nc gnu.org 80

 HTTP/1.1 400 Bad Request
 Date: Tue, 20 Feb 2018 14:46:04 GMT
 Server: Apache/2.4.7
 Content-Length: 296
 Connection: close
 Content-Type: text/html; charset=iso-8859-1

 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
 <html><head>
 <title>400 Bad Request</title>
 </head><body>
 <h1>Bad Request</h1>
 <p>Your browser sent a request that this server could not understand.<br />
 </p>
 <hr>
 <address>Apache/2.4.7 Server at www.nongnu.org Port 80</address>
 </body></html>
We can also do this without pressing Enter twice, using the command below:
 printf '\n\n' | nc gnu.org 80
Now let's try this with the SSH service:
 ajay@Test:~$ printf '\n\n' | nc 192.168.0.120 22
 SSH-2.0-OpenSSH_6.7p1 Raspbian-5+deb8u3

Method 2 :

We can also grab a banner by sending an HTTP request to the target host. We can do this with:
 printf "GET / HTTP/1.1\r\nHost: youtube.com\r\n\r\n" | nc youtube.com 80
In the above example we are sending a GET request. The output will be:
 ajay@Test:~$ printf "GET / HTTP/1.1\r\nHost: youtube.com\r\n\r\n" | nc youtube.com 80
 HTTP/1.1 301 Moved Permanently
 Content-Length: 0
 Location: https://youtube.com/
 Date: Tue, 20 Feb 2018 15:02:50 GMT
 Content-Type: text/html
 Server: YouTube Frontend Proxy
 X-XSS-Protection: 1; mode=block
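The two methods above end with raw text that still has to be read by hand. The following Python script, added here as an example and not part of the original post, parses banners of the kinds shown above (an HTTP response and an SSH identification string) and flags which ones disclose a product version, which is what a defender would want when auditing their own hosts. The sample banners are constructed, modelled on the responses shown in this post.

```python
import re

# Constructed sample banners, modelled on the responses shown in the post.
SAMPLE_HTTP = (
    "HTTP/1.1 400 Bad Request\r\n"
    "Date: Tue, 20 Feb 2018 14:46:04 GMT\r\n"
    "Server: Apache/2.4.7\r\n"
    "Content-Length: 296\r\n"
    "Connection: close\r\n"
    "\r\n"
    "<html>...</html>"
)
SAMPLE_HTTP_NOVERSION = "HTTP/1.1 301 Moved Permanently\r\nServer: YouTube Frontend Proxy\r\n\r\n"
SAMPLE_SSH = "SSH-2.0-OpenSSH_6.7p1 Raspbian-5+deb8u3\r\n"
SAMPLE_OTHER = "220 mail.example.invalid ESMTP ready\r\n"   # constructed SMTP greeting

def parse_http_banner(raw):
    """Split an HTTP response into its status line and a dict of headers (names lowercased)."""
    head = raw.split("\r\n\r\n", 1)[0]          # everything before the blank line
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def parse_ssh_banner(raw):
    """Parse the RFC 4253 identification string: SSH-protoversion-softwareversion [SP comments]."""
    m = re.match(r"SSH-(\d+\.\d+)-(\S+)(?: (.*))?", raw.strip())
    if not m:
        return None
    proto, software, comments = m.groups()
    return {"proto": proto, "software": software, "comments": comments or ""}

def identify(raw):
    """Classify a raw banner and return (service, product string it discloses)."""
    if raw.startswith("SSH-"):
        info = parse_ssh_banner(raw)
        return ("ssh", info["software"]) if info else ("ssh", "unparsed")
    if raw.startswith("HTTP/"):
        _, headers = parse_http_banner(raw)
        return ("http", headers.get("server", "not disclosed"))
    return ("unknown", raw.strip())

def audit(banners):
    """For each banner return (service, product, True if a version number is exposed)."""
    findings = []
    for raw in banners:
        service, product = identify(raw)
        # A product name followed by '/' or '_' and a digit is a version disclosure (Apache/2.4.7, OpenSSH_6.7p1)
        findings.append((service, product, bool(re.search(r"[A-Za-z]+[/_]\d", product))))
    return findings
```

Run `audit([SAMPLE_HTTP, SAMPLE_HTTP_NOVERSION, SAMPLE_SSH, SAMPLE_OTHER])` to see which of the sample services would hand a version string to anyone who connects.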

Method 3:

Banner grabbing with nmap:
For the HTTP service
 nmap --script=banner 192.168.0.120 -p80
where --script=banner selects the banner NSE script and the -p flag specifies the service port, in this case port 80 for the HTTP service. The output will be
 ajay@Test:~$ nmap --script=banner 192.168.0.120 -p80

 Starting Nmap 7.60SVN ( https://nmap.org ) at 2018-02-20 10:07 EST
 Nmap scan report for 192.168.0.120
 Host is up (0.00055s latency).

 PORT   STATE SERVICE
 80/tcp open  http

 Nmap done: 1 IP address (1 host up) scanned in 10.40 seconds
Note that no banner line appears for port 80: the banner script only records what the service sends on its own after the connection is opened, and an HTTP server waits for a request before it answers. Let's see another example by scanning the SSH port (22), which does announce itself:
 ajay@Test:~$ nmap --script=banner 192.168.0.120 -p22

 Starting Nmap 7.60SVN ( https://nmap.org ) at 2018-02-20 10:07 EST
 Nmap scan report for 192.168.0.120
 Host is up (0.00056s latency).

 PORT   STATE SERVICE
 22/tcp open  ssh
 |_banner: SSH-2.0-OpenSSH_6.7p1 Raspbian-5+deb8u3

 Nmap done: 1 IP address (1 host up) scanned in 0.53 seconds


Conclusion : 

Banner grabbing can provide useful information about the target system, although the information is not always 100 percent accurate. It is nevertheless a very useful technique for gathering information about a target.