Banner Grabbing is a reconnaissance technique to discover network services by simply querying the service port. Many services will respond with a simple text
message (known as a service banner) indicating the technology in use. This banner search is a passive information gathering tool, no testing is performed against the IP address directly. The results are drawn from cached Internet Scan data.
Valid Input: IPv4 example.com 8.8.8.8 1.1.1.1/24
Use Cases
Access to this data set of service banners provides a security analyst with an overview of the services running within an Internet facing network block. While banner grabbing is possible using port scanners and other tools, high level reconnaissance of a network has a number of immediate benefits.
- Identify Services Listening on Your Network (Blue Team)
- With a typical response time of 0.9 seconds our banner search is literally the fastest way to identify services on your network. Whether you are looking for banners across a Class C (/24) or even larger Class B (/16) networks. Get results fast. There is zero impact as the results are from cached Internet scan data.
- Incident Response & Threat Hunting
- Know the networks of the adversary. Using the cached data identify services running on adversary systems, C2 servers, compromised systems and other infrastructure without sending packets to the target networks.
- Security Researchers
- Identify types of listening services and devices across a wide range of IP address space. A security researcher can use this tool to identify insecure routers, IOT and other devices within an Internet Provider a region or even a country.
- Bug Bounty Researchers
- Quickly identify services in an organisation's IP address space. Find those unsecured services before your competition do. There are no bounties for second place.
- Penetration Testers (and Red Teams)
- Perform high level fly overs of large amounts of network space. Use the results to focus port scanning and other testing towards areas that appear to be weak. Network intelligence to speed up recon and information gathering.
- General Research
- Identify technology trends across different networks, organisations and countries. Perform technology research against competitors. Identify technologies and high level security practices during due diligence processes.
About the Banner Search
When performing any type of reconnaissance, it is essential to understand your impact and whether the target could be aware of the attention.
In an incident response scenario, care must be taken. Sending packets to the target may alert the adversary they have been discovered. Throwing packets from the company net block is never a good idea!
The initial banner search is entirely passive. No packets are sent to the target network.
On the web results page, there are several quick access tools. Note that these are active tools, meaning they send packets to the live system. Such as the HTTP Headers query. The packets are sent from our servers, so the attribution for an incident responder is minimised.
Data is collected through our Internet scanning research initiative. The frequency of the collection is typically once a month, however, we are working towards a weekly update.
The level of detail in the results is minimised, with banners truncated at 50 characters. Other search engines (such as Shodan) are available that include more detail on the services. The purpose of this search tool is to get a quick overview of a network. App data is gathered from the HTML page displayed on the IP address of the web server (this does not include web applications running on virtual hosts on the server).
Using the API to access the Banner Search
An easy to use simple API for quick access to our backend database. Use curl
, python
or even a browser against the API endpoint below to receive the results in json
format.
https://api.hackertarget.com/bannerlookup/?q=2.2.2.2/24
The API is simple and designed to be used for quick recon tasks; like all our IP Tools there is a limit of 50 queries per day or you can increase the daily quota with a Membership.
Banner Grabbing Tools
Banner grabbing can be performed with simple tools such as ncat
, netcat
or even telnet
. It simply means connecting to a service port and collecting or viewing the response. Usually, with no interaction, some services such as HTTP require a probe to be sent (GET / HTTP/1.1
followed by enter
twice).
In the example, using netcat
against HTTP, the HTTP banner has been minimised in the web server configuration. No version or other information is revealed.
:~$ nc hackertarget.com 80
GET / HTTP/1.1 <- sending probe, followed by enter twice
HTTP/1.1 400 Bad Request
Server: nginx
Date: Tue, 29 Oct 2019 20:56:03 GMT
Content-Type: text/html
Content-Length: 166
Connection: close
In the following SSH Example it is clear that SSH
is enabled. Additional information is also revealed such as the operating system (Ubuntu), furthermore the Ubuntu release version can be determined through the versions in the banner.
:~$ nc testserver.com 22 SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8
Technically this banner grabbing would be classed as active enumeration as you are sending packets to the target network. The target can see (if they are looking) the connection in network or service logs.