Banner grabbing is an activity that is used to determine information about services that are being run on a remote computer. This technique can be useful to administrators in cataloging their systems, and ethical hackers can also use it during penetration tests. Malicious hackers also use banner grabbing, since the technique can reveal compromising information about the services that are running on a system. The technique works by using Telnet, or a proprietary program, to establish a connection with a remote machine, after which a bad request is sent. That will cause a vulnerable host to respond with a banner message, which may contain information that a hacker could use to further compromise a system.
In a computer networking context, the term banner typically refers to a message that a service transmits when another program connects to it. Default banners often consist of information about a service, such as the version number. The banner for a hypertext transfer protocol (HTTP) service will typically show the type of server software, version number, when it was modified last, and other similar information. When a program such as Telnet is used to intentionally gather this information, it is usually referred to as banner grabbing.
A few different types of software, including Telnet and various proprietary programs, can be used to perform banner grabbing. Telnet is a type of network protocol that is used to establish a virtual terminal connection with a remote host. Most operating systems (OSes) come with the ability to establish Telnet sessions, so that is one of the primary ways that banner grabbing is performed. Whether Telnet or another program is used, banners are grabbed by connecting to a host, and then sending a request to a port that is associated with a particular service, such as port 80 for HTTP.
One of the purposes of banner grabbing is system administration, in which case it can be useful for HTTP fingerprinting and other activities. An administrator can also use the technique to perform an inventory on all of the different services and systems operating on the host for which he is responsible. He will typically establish a Telnet connection with the host, and then query each port and catalog the results. White hat hackers can also use the technique during the planning phase of a penetration test.
Malicious hackers often use banner grabbing as well when looking for vulnerable hosts. They typically establish a connection with a host, and then query ports looking for vulnerable services. Since the default banners often include the type of server software and version, it is possible to identify services with known exploits. The hacker can then use those exploits to carry out additional attacks.
