• Subscribe to the low volume list for updates.

Banner Grabbing (Search)

Banner Grabbing is a reconnaissance technique to discover network services by simply querying the service port. Many services will respond with a simple text message (known as a service banner) indicating the technology in use.

This banner search is a passive information gathering tool, no testing is performed against the IP address directly. The results are drawn from cached Internet Scan data.


Use Cases

Access to this data set of service banners provides a security analyst with an overview of the services running within an Internet facing network block. While banner grabbing is possible using port scanners and other tools, high level reconnaissance of a network has a number of immediate benefits.

Identify Services Listening on Your Network (Blue Team)
With a typical response time of 0.9 seconds our banner search is literally the fastest way to identify services on your network. Whether you are looking for banners across a Class C (/24) or even larger Class B (/16) networks. Get results fast. There is zero impact as the results are from cached Internet scan data.
Incident Response & Threat Hunting
Know the networks of the adversary. Using the cached data identify services running on adversary systems, C2 servers, compromised systems and other infrastructure without sending packets to the target networks.
Security Researchers
Identify types of listening services and devices across a wide range of IP address space. A security researcher can use this tool to identify insecure routers, IOT and other devices within an Internet Provider a region or even a country.
Bug Bounty Researchers
Quickly identify services in an organisation's IP address space. Find those unsecured services before your competition do. There are no bounties for second place.
Penetration Testers (and Red Teams)
Perform high level fly overs of large amounts of network space. Use the results to focus port scanning and other testing towards areas that appear to be weak. Network intelligence to speed up recon and information gathering.
General Research
Identify technology trends across different networks, organisations and countries. Perform technology research against competitors. Identify technologies and high level security practices during due diligence processes.

About the Banner Search

When performing any type of reconnaissance it is essential to understand your impact and whether the target could be aware of the attention.

In an incident response scenario care must be taken; sending packets to the target may alert the adversary to the fact that they have been discovered. Throwing packets from the company net block is never a good idea!

The initial banner search is entirely passive, no packets are sent to the target network.

On the web results page there are a number of quick access tools. Note that these are active tools, meaning they send packets to the live system. Such as the HTTP Headers query. The packets are sent from our servers, so the attribution for an incident responder is minimised.

Data is collected through our Internet scanning research initiative. The frequency of the collection is typically once a month, however we are working towards a weekly update.

The level of detail in the results is minimised, with banners truncated at 50 characters. Other search engines (such as Shodan) are available that include more detail on the services. The purpose of this search tool is to get a quick overview of a network. App data is gathered from the HTML page displayed on the IP address of the web server (this does not include web applications running on virtual hosts on the server).

Accuracy Note
No guarantee is made to the accuracy of this data. As the data is collected periodically, the results may not match the state of the live system or network. Always confirm the results when using third party searches for security related data, this is especially important if you are to be conducting additional testing or including the results in a report.

Using the API to access the Banner Search

An easy to use simple API for quick access to our backend database. Use curl, python or even a browser against the API endpoint below to receive the results in json format.

https://api.hackertarget.com/bannerlookup/?q=2.2.2.2/24

The API is simple and designed to be used for quick recon tasks; like all our IP Tools there is a limit of 50 queries per day or you can increase the daily quota with a Membership.

Banner Grab Search Limits

Queries / day Max # of Results
FREE USER 50 32
Membership # based on Plan 65'535

With a membership get up to 65'535 results from a single query. Allows analysis of banners from Class B networks.

Banner Grabbing Tools

Banner grabbing can be performed with simple tools such as ncat, netcat or even telnet. It simple means connecting to a service port and collecting or viewing the response. Usually with no interaction, though some services such as HTTP require a probe to be sent (GET / HTTP/1.1 followed by enter twice).

In the example using netcat against HTTP, the HTTP banner has been minimised in the web server configuration. No version or other information is revealed.

:~$ nc hackertarget.com 80
GET / HTTP/1.1      <- sending probe, followed by enter twice

HTTP/1.1 400 Bad Request
Server: nginx
Date: Tue, 29 Oct 2019 20:56:03 GMT
Content-Type: text/html
Content-Length: 166
Connection: close

In the following SSH Example it is clear that SSH is enabled. Additional information is also revealed such as the operating system (Ubuntu), furthermore the Ubuntu release version can be determined through the versions in the banner.

:~$ nc testserver.com 22
SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8

Technically this banner grabbing would be classed as active enumeration as you are sending packets to the target network. The target can see (if they are looking) the connection in network or service logs.

Have you seen our other Free IP and Network Testing tools.
Discover. Explore. Learn.

Next level testing with advanced Security Vulnerability Scanners.
Trusted tools. Hosted for easy access.