Wednesday, March 9, 2016

Banner Grabbing Using Telnet Command

Hello Guys,
           Here I am again with a new article. Today I will introduce you to the banner grabbing techniques attackers use to gather information about target web servers.

There is a tried-and-true manual technique available for enumerating banners and application information.

Banner grabbing is a technique used to glean information about a computer system on a network and the services running on its open ports.

e.g.


[root@prober] nc www.targethost.com 80
HEAD / HTTP/1.1

HTTP/1.1 200 OK
Date: Mon, 11 May 2009 22:10:40 EST
Server: Apache/2.0.46 (Unix)  (Red Hat/Linux)
Last-Modified: Thu, 16 Apr 2009 11:20:14 PST
ETag: "1986-69b-123a4bc6"
Accept-Ranges: bytes
Content-Length: 1110
Connection: close
Content-Type: text/html

In this exercise we will use a "Telnet" connection to various TCP ports on the target system and record the banner information that is presented.

Demo 1: Banner Grabbing Using Telnet.

1. From your Kali Linux, open a shell and type the following command:

root@kali:~ telnet Target_IP 80 (hit enter a few times)

2. Note which web server application is running on the target.
3. Repeat step 1 for other well-known port numbers to check the services running.
4. Record your results.

HTTP Commands for banner grabbing

1. Connect using telnet and type: HEAD / HTTP/1.0

telnet www.test.com 80

Trying 100.100.100.100...
Connected to www.test.com.
Escape character is '^]'.
HEAD / HTTP/1.1

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 1768
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDACBATBQQ=MJOLBPPDBKPCDFREKDMLCEOHF; path=/
X-Powered-By: ASP.NET
Date: Tue, 06 Aug 2015 03:42:18 GMT
Connection: close
Connection closed by foreign host.


2. Let's try the OPTIONS command, which I like: OPTIONS / HTTP/1.0


Trying 100.100.100.100...
Connected to www.test.com.
Escape character is '^]'.
OPTIONS / HTTP/1.1

HTTP/1.1 200 OK
Allow: OPTIONS, TRACE, GET, HEAD, POST
Server: Microsoft-IIS/7.5
Public: OPTIONS, TRACE, GET, HEAD, POST
X-Powered-By: ASP.NET
Date: Tue, 26 Aug 2015 05:47:39 GMT
Connection: close
Content-Length: 0
Connection closed by foreign host.


The error returned if I type the command wrongly (lower-case letters; HTTP method names are case-sensitive):

Trying 100.100.100.100...
Connected to www.test.com.
Escape character is '^]'.

options / http/1.1      ---- I typed lower case

HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Tue, 26 Aug 2015 05:50:08 GMT
Connection: close
Content-Length: 311
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Bad Request</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Bad Request</h2>
<hr><p>HTTP Error 400. The request is badly formed.</p>
</BODY></HTML>
Connection closed by foreign host.


This is basic banner grabbing without using third-party tools like netcat, nikto, ssh, etc.
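As an added example (not part of the original post): a small Python script that does what the telnet sessions above do by hand, sends a HEAD or OPTIONS request over a plain TCP socket, and keeps only the headers that disclose platform details, so you can audit your own hosts for banner leakage. It always sends HTTP/1.0 with an upper-cased method (the lower-case request above got a 400); the embedded sample reply is the OPTIONS response from the IIS 7.5 session above, and the function names and hosts are my own assumptions.

```python
import socket
import sys

# Headers that leak platform details to anyone who connects (see the transcripts above).
DISCLOSING_HEADERS = ("server", "x-powered-by", "allow", "public")

# Constructed sample: the OPTIONS reply from the IIS 7.5 session above, used for offline runs.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nAllow: OPTIONS, TRACE, GET, HEAD, POST\r\n"
    b"Server: Microsoft-IIS/7.5\r\nPublic: OPTIONS, TRACE, GET, HEAD, POST\r\n"
    b"X-Powered-By: ASP.NET\r\nDate: Tue, 26 Aug 2015 05:47:39 GMT\r\n"
    b"Connection: close\r\nContent-Length: 0\r\n\r\n"
)


def build_request(method: str, host: str, path: str = "/") -> bytes:
    # HTTP methods are case-sensitive: "options" earned a 400 above, so upper-case it.
    # HTTP/1.0 plus Connection: close makes the server hang up after one reply.
    return (f"{method.upper()} {path} HTTP/1.0\r\nHost: {host}\r\n"
            f"Connection: close\r\n\r\n").encode()


def parse_banner(raw: bytes) -> dict:
    """Return the status line and the disclosing headers from a raw HTTP response."""
    head = raw.replace(b"\r\n", b"\n").partition(b"\n\n")[0]   # tolerate bare-LF servers
    lines = head.decode("latin-1").split("\n")
    banner = {"status": lines[0].strip()}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in DISCLOSING_HEADERS:
            banner[name.strip().lower()] = value.strip()
    return banner


def grab_banner(host: str, port: int = 80, method: str = "HEAD", timeout: float = 5.0) -> dict:
    """Send one request over a plain TCP socket, exactly as typed into telnet, and parse the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(method, host))
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return parse_banner(b"".join(chunks))


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # usage: python grab.py <host> [port]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
        for m in ("HEAD", "OPTIONS"):
            print(m, grab_banner(sys.argv[1], port, m))
    else:
        print("offline sample:", parse_banner(SAMPLE_RESPONSE))
```

Run against your own web tier: a populated "server" or "x-powered-by" key is a disclosure to remove, and "TRACE" in "allow" is a method to disable.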

More to refer:

Banner Grabbing using Netcat
Active Stack Fingerprinting Using Nmap
Passive Stack Fingerprinting Using Ettercap
FTP Enumeration 
SSH Enumeration
SMTP Enumeration Using Telnet
HTTP Enumeration Using Nikto