Banner grabbing is the process of obtaining a target company’s application names and versions, regardless of manner—manually or automatically by using an open-source tool—in preparation for an attack.
All connected systems and devices often expose confidential information that includes software names and operating systems (OSs), along with their versions, collectively known as “banner data.” Knowing these data points allows threat actors to find exploitable vulnerabilities in target networks.
Think of banner grabbing as sending a spy to work for a competitor so he or she can report the company’s weaknesses to his or her real employer.
Read More about “Banner Grabbing”
Banner grabbing is not always bad. Penetration testers also perform the act when an organization hires them to determine all its weak spots. The process is also useful for IT teams performing security audits to know which systems and applications require stronger cyberdefense.
Watch this video of how the good guys do banner grabbing:
How Does Banner Grabbing Work?
A banner grabbing attack has three necessary steps. First, the attacker chooses the service he or she wants to target. He or she then launches a request to the target application or system. When the software or device responds, he or she inspects the response to determine what exploit to use for the attack.
Two Types of Banner Grabbing Attacks
There are two kinds of banner grabbing—active and passive—described in more detail below.
What Is Active Banner Grabbing?
In this type of banner grabbing, a user sends a packet to a remote host and waits for a response. He or she then analyzes the data.
The process involves opening a Transmission Control Protocol (TCP) or a similar connection between one computer to a remote system. It is active because the link gets logged into the remote computer. As such, an active banner grabbing attack often gets detected by advanced intrusion detection systems (IDSs) or solutions that specifically watch for unauthorized connections.
What Is Passive Banner Grabbing?
Passive banner grabbing allows users to get the same information while avoiding exposure. In attacks that use the technique, different intermediate software and platforms can serve as gateways to avoid connecting directly to the target computer. That way, the connection remains hidden while an attacker gets the data he or she needs.
Third-party networks, tools, or services like search engines or traffic sniffers often figure in passive banner grabbing attacks.
Commonly Used Banner Grabbing Tools
Both good and bad guys use these tools for banner grabbing:
Telnet is a classic cross-platform client that lets users interact with remote services for banner grabbing. Telnet users typically use port scanners first to identify open ports on the target organization’s remote server.
Wget also lets users get banner information from any remote or local HyperText Transfer Protocol (HTTP) or File Transfer Protocol (FTP) server. An HTTP server, also known as a “web server,” answers HTTP requests, as when you type a website link on your browser to open the page you are looking for. An FTP server, meanwhile, facilitates file transfers done over the Internet. Companies typically use FTP servers to upload and download large files that users cannot send via email.
There are lots more, of course, but threat actors and security analysts alike most commonly use these two.
So, when asked “What is banner grabbing?” You can say that it is a common technique used in surveillance. Both good and bad guys use it during the initial phases of any penetration tests or real attacks.