
How to Use Banner Grabbing to Aid in Reconnaissance « Null Byte :: WonderHowTo



As we have seen with other tools and utilities, things that administrators use to do their work more efficiently are often turned around and misused by attackers. After all, hacking is just the process of making a computer do things in unexpected ways. Today we will look at different methods of grabbing banners to find out more about a target system.

Banner grabbing is a technique used to collect information about the services running on a computer system. Banners are the messages a host sends on connection, which usually contain a greeting or version information. An attacker can use banner data to their advantage by obtaining the specific version numbers of services, which aids reconnaissance and, later, exploitation.

To explore banner grabbing, we use Metasploitable 2 as the target and Kali Linux as our local machine. In a terminal window, let's run a quick Nmap scan against the target to see what is running:

    ~# nmap 10.10.0.50

    Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-08 09:00 CDT
    Nmap scan report for 10.10.0.50
    Host is up (0.0024s latency).
    Not shown: 977 closed ports
    PORT     STATE SERVICE
    21/tcp   open  ftp
    22/tcp   open  ssh
    23/tcp   open  telnet
    25/tcp   open  smtp
    53/tcp   open  domain
    80/tcp   open  http
    111/tcp  open  rpcbind
    139/tcp  open  netbios-ssn
    445/tcp  open  microsoft-ds
    512/tcp  open  exec
    513/tcp  open  login
    514/tcp  open  shell
    1099/tcp open  rmiregistry
    1524/tcp open  ingreslock
    2049/tcp open  nfs
    2121/tcp open  ccproxy-ftp
    3306/tcp open  mysql
    5432/tcp open  postgresql
    5900/tcp open  vnc
    6000/tcp open  X11
    6667/tcp open  irc
    8009/tcp open  ajp13
    8180/tcp open  unknown
    MAC Address: 00:1D:09:55:B1:3B (Dell)

    Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds

Method 1: Telnet

The first tool we will use to grab banners is telnet. This modest little utility may not seem very useful when it comes to penetration testing, but its value lies in the fact that it is present on almost every system.

The syntax is telnet followed by the IP address of the machine you want to connect to, followed by the port number. We can use telnet to get version information for FTP, which runs on port 21:

    ~# telnet 10.10.0.50 21

    Trying 10.10.0.50...
    Connected to 10.10.0.50.
    Escape character is '^]'.
    220 (vsFTPd 2.3.4)

We can do the same for SSH, running on port 22:

    ~# telnet 10.10.0.50 22

    Trying 10.10.0.50...
    Connected to 10.10.0.50.
    Escape character is '^]'.
    SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1

We can even use it to retrieve the banner from a web server, which usually runs on port 80. Once connected, type anything and the server will return some information. For example, I typed 'help' after connecting:

    ~# telnet 10.10.0.50 80

    Trying 10.10.0.50...
    Connected to 10.10.0.50.
    Escape character is '^]'.
    help

    Metasploitable2 - Linux

    [ASCII-art "metasploitable2" logo]

    Warning: Never expose this VM to an untrusted network!

    Contact: msfdev[at]metasploit.com

    Login with msfadmin/msfadmin to get started

    Connection closed by foreign host.

We can see that it returns a little bit of HTML, including what look like directory names, plus the system's welcome banner. We also get lucky here, because the banner contains both an e-mail address and login details.

Method 2: Netcat

Next we will perform banner grabbing with Netcat, a utility that is common on Linux systems and can be used in a variety of ways. Here we use it to connect to specific ports and collect information.

Let's first connect to the FTP service on port 21, just like with Telnet:

    ~# nc 10.10.0.50 21

    220 (vsFTPd 2.3.4)

We can do the same with SSH on port 22:

    ~# nc 10.10.0.50 22

    SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1

And again on port 80:

    ~# nc 10.10.0.50 80

    hi

    Metasploitable2 - Linux

    [ASCII-art "metasploitable2" logo]

    Warning: Never expose this VM to an untrusted network!

    Contact: msfdev[at]metasploit.com

    Login with msfadmin/msfadmin to get started


We can also use Netcat to talk HTTP to the web server. For example, we can send a HEAD request to get the header information about the server:

    ~# nc 10.10.0.50 80

    HEAD / HTTP/1.1

    HTTP/1.1 400 Bad Request
    Date: Wed, 19 Jun 2019 18:28:12 GMT
    Server: Apache/2.2.8 (Ubuntu) DAV/2
    Connection: close
    Content-Type: text/html; charset=iso-8859-1

Although the server answered with a bad request, we still get the exact version number of Apache.

We can also send a GET request, which returns the content of the web page:

    ~# nc 10.10.0.50 80

    GET / HTTP/1.1

    HTTP/1.1 400 Bad Request
    Date: Wed, 19 Jun 2019 18:29:19 GMT
    Server: Apache/2.2.8 (Ubuntu) DAV/2
    Content-Length: 323
    Connection: close
    Content-Type: text/html; charset=iso-8859-1

    400 Bad Request

    Bad Request

    Your browser sent a request that this server could not understand.

    Apache/2.2.8 (Ubuntu) DAV/2 Server at metasploitable.localdomain Port 80

In this case we still get a bad request, but this method can return HTML and other useful information.

Method 3: Curl

Curl, often styled cURL (client URL), is a command-line tool for transferring data. It is mostly used for HTTP, but it supports a wide range of other protocols.

We can also use curl to grab the banner from the web server. This time we do not have to provide the port number, as we did with the previous tools:

    ~# curl 10.10.0.50

    Metasploitable2 - Linux

    [ASCII-art "metasploitable2" logo]

    Warning: Never expose this VM to an untrusted network!

    Contact: msfdev[at]metasploit.com

    Login with msfadmin/msfadmin to get started


We can also use the -I flag to retrieve only the HTTP headers:

    ~# curl -I 10.10.0.50

    HTTP/1.1 200 OK
    Date: Wed, 19 Jun 2019 18:32:06 GMT
    Server: Apache/2.2.8 (Ubuntu) DAV/2
    X-Powered-By: PHP/5.2.4-2ubuntu5.24
    Content-Type: text/html

This time we get a 200 OK, plus some information about the PHP version.

Method 4: Nmap

The next tool we can use to grab banners is Nmap. When service detection is enabled, Nmap returns information about the running service such as a version number, but Nmap also ships an NSE script that performs banner grabbing for us.

Use the --script option followed by the name of the script, in this case banner:

    ~# nmap --script banner 10.10.0.50

    Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-08 09:15 CDT
    Nmap scan report for 10.10.0.50
    Host is up (0.0026s latency).
    Not shown: 977 closed ports
    PORT     STATE SERVICE
    21/tcp   open  ftp
    |_banner: 220 (vsFTPd 2.3.4)
    22/tcp   open  ssh
    |_banner: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
    23/tcp   open  telnet
    |_banner: \xFF\xFD\x18\xFF\xFD \xFF\xFD#\xFF\xFD'
    25/tcp   open  smtp
    53/tcp   open  domain
    80/tcp   open  http
    111/tcp  open  rpcbind
    139/tcp  open  netbios-ssn
    445/tcp  open  microsoft-ds
    512/tcp  open  exec
    513/tcp  open  login
    514/tcp  open  shell
    1099/tcp open  rmiregistry
    1524/tcp open  ingreslock
    |_banner: root@metasploitable:/#
    2049/tcp open  nfs
    2121/tcp open  ccproxy-ftp
    |_banner: 220 ProFTPD 1.3.1 Server (Debian) [::ffff:10.10.0.50]
    3306/tcp open  mysql
    | banner: >\x00\x00\x00\x0A5.0.51a-3ubuntu5\x00-\x00\x00\x00$&0_n-0L\x00,
    |_\xAA\x08\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00...
    5432/tcp open  postgresql
    5900/tcp open  vnc
    |_banner: RFB 003.003
    6000/tcp open  X11
    6667/tcp open  irc
    | banner: :irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostna
    |_me...
    8009/tcp open  ajp13
    8180/tcp open  unknown
    MAC Address: 00:1D:09:55:B1:3B (Dell)

    Nmap done: 1 IP address (1 host up) scanned in 15.90 seconds

That gave us banners for a number of services, some easier to read than others.
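The raw --script banner output above is easier to act on once it is turned into a table. The following Python is an added example (not code from the article or from the Nmap project) that parses Nmap's normal output into a port-to-banner map, joins wrapped "| banner:" / "|_" continuation lines, decodes the \xNN escapes Nmap prints for non-printable bytes, and lists the listeners whose banner discloses a version number; the sample input is constructed from the scan shown above.

```python
import re

# Constructed sample of `nmap --script banner` normal output (abridged from the scan above).
SAMPLE_NMAP = """\
PORT     STATE SERVICE
21/tcp   open  ftp
|_banner: 220 (vsFTPd 2.3.4)
22/tcp   open  ssh
|_banner: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
23/tcp   open  telnet
|_banner: \\xFF\\xFD\\x18\\xFF\\xFD \\xFF\\xFD#\\xFF\\xFD'
25/tcp   open  smtp
6667/tcp open  irc
| banner: :irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostna
|_me...
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")  # "21/tcp   open  ftp"
BANNER_RE = re.compile(r"^\|[ _]banner: ?(.*)$")           # "|_banner: ..." or "| banner: ..."
CONT_RE = re.compile(r"^\|_?(.*)$")                        # wrapped tail, e.g. "|_me..."
VERSION_RE = re.compile(r"\d+\.\d+")                       # crude "contains a version" test

def unescape(text):
    """Decode the \\xNN escapes Nmap prints for non-printable banner bytes."""
    return re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), text)

def parse_banners(output):
    """Map (port, proto) -> {"state", "service", "banner"}; banner is None if none was printed."""
    ports, current = {}, None
    for line in output.splitlines():
        if m := PORT_RE.match(line):
            current = (int(m.group(1)), m.group(2))
            ports[current] = {"state": m.group(3), "service": m.group(4), "banner": None}
        elif current is None:
            continue                      # header lines before the first port entry
        elif m := BANNER_RE.match(line):
            ports[current]["banner"] = unescape(m.group(1))
        elif (m := CONT_RE.match(line)) and ports[current]["banner"] is not None:
            ports[current]["banner"] += unescape(m.group(1))   # glue the wrapped remainder
    return ports

def disclosed_versions(ports):
    """(port, service, banner) for readable banners that contain a version number."""
    hits = []
    for (port, _proto), info in sorted(ports.items()):
        banner = info["banner"]
        if banner and all(32 <= ord(c) < 127 for c in banner) and VERSION_RE.search(banner):
            hits.append((port, info["service"], banner))
    return hits
```

Feed it the saved output of a scan of your own hosts and the result is a list of services whose banners should be reviewed for unnecessary version disclosure.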

We can also narrow the scan to a specific port with the -p flag:

    ~# nmap -sV --script banner 10.10.0.50 -p 80

    Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-08 09:25 CDT
    Nmap scan report for 10.10.0.50
    Host is up (0.00065s latency).

    PORT   STATE SERVICE VERSION
    80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) DAV/2)
    |_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
    MAC Address: 00:1D:09:55:B1:3B (Dell)

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 21.76 seconds

Running this against port 80 gives us some information about the Apache web server.

Method 5: Metasploit

The last banner grabbing method we will look at is Metasploit. Metasploit has modules that collect information from telnet, web servers, SMTP and more.

First start Metasploit by typing msfconsole in the terminal. Next, we can use the search command at the msf5 prompt to find banner-related modules:

    msf5 > search banner

    Matching Modules
    ================

       #  Name                                                        Disclosure Date  Rank       Check  Description
       -  ----                                                        ---------------  ----       -----  -----------
       0  auxiliary/scanner/http/f5_bigip_virtual_server                               normal     Yes    F5 BigIP HTTP Virtual Server Scanner
       1  auxiliary/scanner/imap/imap_version                                          normal     Yes    IMAP4 Banner Grabber
       2  auxiliary/scanner/pop3/pop3_version                                          normal     Yes    POP3 Banner Grabber
       3  auxiliary/scanner/smtp/smtp_version                                          normal     Yes    SMTP Banner Grabber
       4  auxiliary/scanner/telnet/lantronix_telnet_version                            normal     Yes    Lantronix Telnet Service Banner Detection
       5  auxiliary/scanner/telnet/telnet_version                                      normal     Yes    Telnet Service Banner Detection
       6  exploit/multi/http/auxilium_upload_exec                     2012-09-14       excellent  Yes    Auxilium RateMyPet Arbitrary File Upload Vulnerability
       7  exploit/unix/webapp/openx_banner_edit                       2009-11-24       excellent  Yes    OpenX banner-edit.php File Upload PHP Code Execution
       8  exploit/unix/webapp/wp_easycart_unrestricted_file_upload    2015-01-08       excellent  No     WordPress WP EasyCart Unrestricted File Upload
       9  exploit/windows/ftp/proftp_banner                           2009-08-25       normal     No     ProFTP 2.9 Banner Remote Buffer Overflow

The first module we will use gives us some information about telnet. Load it with the use command:

    msf5 > use auxiliary/scanner/telnet/telnet_version

And we can view the options:

    msf5 auxiliary(scanner/telnet/telnet_version) > options

    Module options (auxiliary/scanner/telnet/telnet_version):

       Name      Current Setting  Required  Description
       ----      ---------------  --------  -----------
       PASSWORD                   no        The password for the specified username
       RHOSTS                     yes       The target address range or CIDR identifier
       RPORT     23               yes       The target port (TCP)
       THREADS   1                yes       The number of concurrent threads
       TIMEOUT   30               yes       Timeout for the Telnet probe
       USERNAME                   no        The username to authenticate as

The only thing we need to set now is the rhosts option. Set it to the IP address of our target; since it stays the same for the following modules, we can use the setg command to set it globally:

    msf5 auxiliary(scanner/telnet/telnet_version) > setg rhosts 10.10.0.50

    rhosts => 10.10.0.50

Now all we have to do is run it:

    msf5 auxiliary(scanner/telnet/telnet_version) > run

    [+] 10.10.0.50:23 - 10.10.0.50:23 TELNET [ASCII-art "metasploitable2" logo]\x0a\x0a\x0aWarning: Never expose this VM to an untrusted network!\x0a\x0aContact: msfdev[at]metasploit.com\x0a\x0aLogin with msfadmin/msfadmin to get started\x0a\x0a\x0ametasploitable login:
    [*] 10.10.0.50:23 - Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed

We can see that it gave us a somewhat jumbled banner, but again, we got some data from it.

Next we can use the http_version module to get some information about the web server. Load it:

    msf5 auxiliary(scanner/telnet/telnet_version) > use auxiliary/scanner/http/http_version

And view the options:

    msf5 auxiliary(scanner/http/http_version) > options

    Module options (auxiliary/scanner/http/http_version):

       Name     Current Setting  Required  Description
       ----     ---------------  --------  -----------
       Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
       RHOSTS   10.10.0.50       yes       The target address range or CIDR identifier
       RPORT    80               yes       The target port (TCP)
       SSL      false            no        Negotiate SSL/TLS for outgoing connections
       THREADS  1                yes       The number of concurrent threads
       VHOST                     no        HTTP server virtual host

Everything looks good, so let's run it:

    msf5 auxiliary(scanner/http/http_version) > run

    [+] 10.10.0.50:80 Apache/2.2.8 (Ubuntu) DAV/2 ( Powered by PHP/5.2.4-2ubuntu5.24 )
    [*] Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed

That gave us the Apache version number as well as the PHP version.

We can also scan for the running SMTP version. SMTP (Simple Mail Transfer Protocol) is the protocol used for e-mail delivery. Load the module with:

    msf5 auxiliary(scanner/http/http_version) > use auxiliary/scanner/smtp/smtp_version

And view the options:

    msf5 auxiliary(scanner/smtp/smtp_version) > options

    Module options (auxiliary/scanner/smtp/smtp_version):

       Name     Current Setting  Required  Description
       ----     ---------------  --------  -----------
       RHOSTS   10.10.0.50       yes       The target address range or CIDR identifier
       RPORT    25               yes       The target port (TCP)
       THREADS  1                yes       The number of concurrent threads

Again, everything looks good, so we can run the module:

    msf5 auxiliary(scanner/smtp/smtp_version) > run

    [+] 10.10.0.50:25 - 10.10.0.50:25 SMTP 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)\x0d\x0a
    [*] 10.10.0.50:25 - Scanned 1 of 1 hosts (100% complete)
    [*] Auxiliary module execution completed

That returns some information about the SMTP service on the system.

Metasploit also has a few other handy scanners for the IMAP and POP3 protocols. Those services are not set up on our target, but the modules work in much the same way as the ones we have discussed.

How to Prevent Banner Grabbing

Because of how these services work, banner grabbing is difficult, though not impossible, to prevent. The obvious way to stop this kind of reconnaissance is to limit the information the service gives out, but for many services that breaks their functionality. Simply disabling or trimming banners where the service allows it provides a solid defense against attackers looking for low-hanging fruit.

Another option for web servers is to place a proxy between the server and the internet that strips some information or rewrites headers, making fingerprinting more difficult. There are also programs available to hide this information from attackers, such as ServerMask and IIS Lockdown.
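One way to check whether such hardening actually took effect, as an added example rather than code from the article: the Python below parses a raw HTTP response like the ones returned by the nc HEAD request and curl -I earlier, and reports the fingerprint headers (Server, X-Powered-By and similar) that still carry a version number. Both sample responses are constructed: the first reproduces the Metasploitable headers shown above, the second assumes the same host after setting Apache's ServerTokens Prod and ServerSignature Off and PHP's expose_php = Off.

```python
import re

# Constructed samples: the `curl -I` response from the article, and the same host as it
# would answer after Apache "ServerTokens Prod" / "ServerSignature Off" and PHP
# "expose_php = Off" (assumed hardened configuration, not taken from the article).
LEAKY = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 19 Jun 2019 18:32:06 GMT\r\n"
    "Server: Apache/2.2.8 (Ubuntu) DAV/2\r\n"
    "X-Powered-By: PHP/5.2.4-2ubuntu5.24\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 19 Jun 2019 18:32:06 GMT\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# Response headers that commonly name the software stack behind a site.
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
VERSION_RE = re.compile(r"\d+\.\d+")   # matches "2.2.8", "5.2.4-2ubuntu5.24", ...

def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_line, {lower-cased name: value}).
    Duplicate headers are joined with ', '; any body after the blank line is ignored."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    lines = head.splitlines()
    status, headers = lines[0].strip(), {}
    for line in lines[1:]:
        if ":" not in line:
            continue                       # not a "Name: value" line
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return status, headers

def disclosures(raw):
    """Fingerprint headers present in the response whose value includes a version number."""
    _, headers = parse_response(raw)
    return [(name, headers[name]) for name in FINGERPRINT_HEADERS
            if name in headers and VERSION_RE.search(headers[name])]
```

A product name alone (Server: Apache) passes the check, which matches the advice above: limit the detail, not necessarily the whole header.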

Wrapping Up

Today we learned what banners are and how an attacker can use them to gather information about the services running on a system. We looked at a number of methods for grabbing banners, including telnet, Netcat, curl, Nmap and Metasploit. All of this information feeds reconnaissance and, ultimately, more effective exploitation.

Cover image by Ildefonso Polo/Unsplash; screenshots by drd_/Null Byte
