Banner grabbing for beginners

Hello, aspiring ethical hackers. In this blogpost, you will learn about banner grabbing. Banner grabbing plays a very important role in ethical hacking, for penetration testers and hackers alike. To understand what banner grabbing is, you first need to understand what a banner is.

What is a Banner?

A banner is the information displayed by the software or service running on a specific port. It typically includes the type of software running, its version, and so on. Most software displays this information by default, often for marketing reasons.

What is Banner grabbing?

Banner grabbing, as its name implies, is grabbing this banner. A banner displayed to an ordinary user provides that user with information; in the same way, by grabbing the banner, hackers and penetration testers learn which software is running on the port and which version of it. This lets them search or research for any vulnerabilities in that software.

Types of Banner grabbing

Banner grabbing can be performed in two ways: Active & passive.

  1. Active banner grabbing: In active banner grabbing, a hacker or penetration tester interacts with the software & target services to grab the banner.
  2. Passive banner grabbing: In passive banner grabbing, a hacker or penetration tester doesn’t interact with the target service while grabbing the banner. This is done by sniffing packets from the network traffic instead.

Although banner grabbing can be performed on almost any service on any port, the services most commonly used for banner grabbing are:

FTP-Port 21
SSH-Port 23
SMTP-Port 22
HTTP-Port 80
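Here is an added example (my own code, not part of the original post) that pulls the software name out of the first bytes each of these four services sends, as either a passive sniffer or an active client would see them. The payloads are constructed samples rather than real captures, the port-to-parser table and the version heuristic are my own, and the port numbers used are the IANA well-known ports for these services:

```python
"""Added example, not code from the original post: extract the software name from
the first server-to-client bytes of FTP, SSH, SMTP and HTTP. CAPTURED_BANNERS is
constructed sample data, PORT_PARSERS and the version heuristic are my own, and
the ports are the IANA well-known ports for these services."""
import re

# constructed first server-to-client bytes for one fictional host, keyed by (ip, port)
CAPTURED_BANNERS = {
    ("192.0.2.10", 21): b"220 (vsFTPd 3.0.3)\r\n",
    ("192.0.2.10", 22): b"SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5\r\n",
    ("192.0.2.10", 25): b"220 mail.example.test ESMTP Postfix (Ubuntu)\r\n",
    ("192.0.2.10", 80): b"HTTP/1.1 404 Not Found\r\nServer: Apache/2.4.41 (Ubuntu)\r\nContent-Length: 0\r\n\r\n",
}


def parse_ftp(payload):
    """FTP greets with '220 <text>'; many daemons put their name and version in the text."""
    m = re.match(rb"220[ -](.+?)\r?\n", payload)
    return m.group(1).decode(errors="replace").strip("()") if m else None


def parse_ssh(payload):
    """SSH sends 'SSH-<proto>-<software> [comment]' (RFC 4253 identification string)."""
    m = re.match(rb"SSH-\d\.\d+-(\S+)", payload)
    return m.group(1).decode(errors="replace") if m else None


def parse_smtp(payload):
    """SMTP greets with '220 <hostname> [ESMTP] <software>'."""
    m = re.match(rb"220[ -]\S+\s+(?:ESMTP\s+)?(.*?)\r?\n", payload)
    return m.group(1).decode(errors="replace").strip() if m else None


def parse_http(payload):
    """HTTP only talks after a request; the Server response header carries the banner."""
    m = re.search(rb"\r\nServer:[ \t]*(.*?)\r\n", payload, re.IGNORECASE)
    return m.group(1).decode(errors="replace").strip() if m else None


PORT_PARSERS = {21: parse_ftp, 22: parse_ssh, 25: parse_smtp, 80: parse_http}   # IANA well-known ports
VERSION = re.compile(r"\d+\.\d+")                                               # crude "has a version" check


def extract_banner(port, payload):
    """Return the software string for a known port, or None for ports/payloads we cannot parse."""
    parser = PORT_PARSERS.get(port)
    return parser(payload) if parser else None


def inventory(captures):
    """Build {port: (software, version_disclosed)} so a defender can see what each service leaks."""
    report = {}
    for (_, port), payload in captures.items():
        banner = extract_banner(port, payload)
        if banner:
            report[port] = (banner, bool(VERSION.search(banner)))
    return report


if __name__ == "__main__":
    for port, (software, leaks_version) in sorted(inventory(CAPTURED_BANNERS).items()):
        print(f"port {port:<3} {software:<28} version disclosed: {leaks_version}")
```

Run it as a script to print the per-port inventory; the same `inventory()` call works on payloads pulled from a packet capture, which is the passive variant described above.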

Tools used for Banner grabbing:

  1. Telnet, wget, curl, etc.

Apache:

Imagine I have set up a website named www.shunya.com on an Apache server. A hacker can easily find information about the web server in different ways. For example, a hacker can visit the website and try to open a web page that does not exist on my server, as in the example below.


In the example, the hacker tried to open a page named “admin.php” which was not available on my server, and in turn the server responded with the type of web server, the target OS and the scripting language. This is giving out too much information.

The traditional and popular way of fingerprinting is through telnet. A hacker opens a command line or terminal and types the command “telnet www.shunya.com 80”. When the screen goes black, type “HEAD / HTTP/1.0” and this will give the server information.


There are also many fingerprinting tools available. I am going to show you only one, ID Serve. Let’s see how to banner grab using ID Serve.


Now, what preventive measures can we take on the Apache server to disable fingerprinting, or at least limit it to some extent? The Apache web server has a configuration file called “httpd.conf” where we can make changes to fight fingerprinting. Go to httpd.conf and change the value of the “ServerSignature” directive to “Off”. This stops the server from displaying any information about itself when a nonexistent page is accessed.


In the httpd.conf file, changing the value of “ServerTokens” from “Full” to “Prod” makes the server show only the minimum server information.


This still discloses that our web server is Apache, but it doesn’t show the version. In Kautilya’s words, this is delaying the march of the enemy. The options we set are “ServerSignature Off” and “ServerTokens Prod”.


IIS 8:

Now imagine we moved our www.shunya.com website from the Apache server to the latest version of Microsoft’s web server, IIS 8. To prevent error pages from revealing any information on an IIS server, we can set custom error pages. Now let’s use the ID Serve tool to fingerprint the IIS 8 server.


It shows the server version. Now, how can we prevent this? Microsoft provides a tool named UrlScan, freely available for download, which can be used to process HTTP requests. Download this tool and install it (see how to configure UrlScan for IIS 7.5 and IIS 8). Then go to the configuration file of UrlScan, “UrlScan.ini”, located at “C:\Windows\System32\inetsrv\UrlScan” by default, and change the value of “RemoveServerHeader” from “0” to “1”.


With this setting, the server version information is no longer revealed.


We can further mislead the attacker by setting our server name to a value different from the real one. This is done by setting the value of “RemoveServerHeader” back to “0” and changing the value of “AlternateServerName” to the value we want to present (in our example, Nginx).


So when the attacker tries to fingerprint our website, he will be misled.

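To tie the telnet HEAD request, the Apache ServerTokens settings and the UrlScan header options together, here is an added example (my own code, not from the original post, Apache or UrlScan). It sends the same “HEAD / HTTP/1.0” request over a raw socket, reads the Server header and rates how much it discloses. The throwaway local HTTP server and its constructed header values only imitate the visible effect of each setting, and the rules in classify_disclosure() are my own assumption:

```python
"""Added example, not code from the original post: grab an HTTP banner with the
same "HEAD / HTTP/1.0" request as the telnet walkthrough, then rate how much the
Server header discloses. The local test server, its constructed Server header
values and the classify_disclosure() rules are my own assumptions; the Apache
and UrlScan settings named in comments are the ones the post discusses, but this
server only imitates their visible effect."""
import re
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class BannerHandler(BaseHTTPRequestHandler):
    """Tiny HTTP server whose only job is to answer HEAD with a configurable Server header."""
    server_header = "Apache/2.4.41 (Ubuntu) PHP/7.4.3"   # constructed, ServerTokens Full style

    def do_HEAD(self):
        self.send_response_only(404)                     # like requesting a page that does not exist
        if self.server_header is not None:               # None imitates UrlScan RemoveServerHeader=1
            self.send_header("Server", self.server_header)
        self.end_headers()

    def log_message(self, *args):                        # keep the example quiet
        pass


def start_test_server(header_value):
    """Run a server on 127.0.0.1 with the given Server header; returns (port, server)."""
    handler = type("ConfiguredHandler", (BannerHandler,), {"server_header": header_value})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1], srv


def grab_http_banner(host, port, timeout=3.0):
    """Send HEAD / HTTP/1.0 (headers end with an empty line) and return the raw response text."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        chunks = []
        while True:
            chunk = s.recv(4096)                           # HTTP/1.0: the server closes when done
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks).decode("latin-1")


def server_header(raw_response):
    """Return the Server header value from a raw HTTP response, or None if there is none."""
    m = re.search(r"^Server:[ \t]*(.*?)\r?$", raw_response, re.MULTILINE | re.IGNORECASE)
    return m.group(1).strip() if m else None


def classify_disclosure(value):
    """Rate a Server header value as a defender auditing banner exposure would."""
    if not value:
        return "none"          # header removed entirely
    if re.search(r"\d+\.\d+", value):
        return "version"       # product plus version: the worst case (ServerTokens Full)
    return "product"           # product name only (ServerTokens Prod), or a decoy such as AlternateServerName


def audit(host, port):
    """Grab the banner of one web server and return (Server header, disclosure rating)."""
    value = server_header(grab_http_banner(host, port))
    return value, classify_disclosure(value)


if __name__ == "__main__":
    # constructed header values imitating the settings discussed in the post
    cases = [("ServerTokens Full", "Apache/2.4.41 (Ubuntu) PHP/7.4.3"),
             ("ServerTokens Prod", "Apache"),
             ("UrlScan RemoveServerHeader=1", None),
             ("UrlScan AlternateServerName=Nginx", "Nginx")]
    for label, header in cases:
        port, srv = start_test_server(header)
        print(f"{label:34} -> {audit('127.0.0.1', port)}")
        srv.shutdown()
        srv.server_close()
```

Point `audit()` at one of your own hosts to check a hardening change took effect; a “version” rating is exactly the state the ServerTokens Full screenshot above showed, and “product” is what Prod or the decoy name produces.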

Note: Taking these preventive measures will not stop a determined hacker from finding out our server information.

That’s all in webserver banner grabbing and countermeasures.

Understanding port scanning results of Nmap

Hello, aspiring ethical hackers. In this blogpost, you will learn how to analyze the port scanning results of Nmap. Scanning plays a very important role in hacking a system. Scanning is the phase in which we find out which ports are open and which services are listening on those ports. Nmap is the most popular port scanner used by security professionals nowadays. Read the complete guide to Nmap. It is very important to understand the results of an Nmap port scan. Nmap classifies ports into six states: open, closed, filtered, unfiltered, open | filtered and closed | filtered.


Let us find out when Nmap classifies ports into each state. To demonstrate the results of port scanning performed by Nmap, I use two virtual machines,

1. Kali Linux as attacker system.

2. Windows 10 as target system.

On the target system, I enable or install an SSH server. You can learn how to install an SSH server here. For this tutorial, I will be scanning this SSH port with Nmap.

1. Closed:

Nmap classifies a port as closed when the port is accessible but there is no application listening on it. When I perform a default Nmap scan from the Kali system of port 22 of the target machine, I get a “closed” result as shown below.

nmap -sT -p22 <target ip>


Note that on our target machine, we have installed the SSH server but not yet started it.

2. Filtered:

Nmap classifies a port as filtered when it can’t determine whether the port is open or closed because packet filtering prevents its probes from reaching the port. Let’s now start the SSH server and scan the same port again. This time we get a “filtered” result.

nmap -sT -Pn -p22 <target ip>


This is because although we have started the SSH service on the target system, Windows Defender Firewall, which is turned ON by default, is blocking our connection to the target port. When Nmap classifies a port as filtered, it is most likely that a firewall is blocking our probes.

3. Open:

Nmap classifies a port as open when the port is accessible and an application is actively accepting TCP connections, UDP datagrams or SCTP associations on it. On our target system, let’s change the Windows Defender Firewall settings to allow the SSH service through the firewall and scan the port again.


The result I get is “open”. This is because the SSH server is actively accepting connections.

4. Unfiltered:

Nmap classifies a port as unfiltered when a port is accessible but it can’t determine whether it is open or closed. A port is classified as unfiltered only with the ACK scan. Learn about different scans that can be performed with Nmap.

nmap -sA -p22 <target ip>


This scan cannot determine if the port is open or closed and is generally used to find out rules of the firewall.

5. Closed | filtered:

Nmap gives this result when it can’t find out whether a port is closed or filtered. A port is classified this way by Nmap only when we perform an idle scan. Now, what is an idle scan? An idle scan is a scan in which we use a zombie host to scan the victim. In our example, we use another host with IP 192.168.40.1 as the zombie to perform an idle scan on our victim.

nmap -sI <zombie_host> -p22 <target ip>


6. Open | filtered:

A port is classified as open | filtered when Nmap is unable to determine whether a port is open or filtered. This happens for scan types in which open ports give no response. The UDP, IP protocol, FIN, NULL and XMAS scans classify ports this way.

Screenshots of the XMAS scan, FIN scan and NULL scan results (images not reproduced here).

The port is classified as “open | filtered” in above cases because Nmap can’t determine whether the port is open or filtered.
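As an added example (my own code, not the post’s and not Nmap’s own logic), the following reproduces the open / closed / filtered decision of a connect scan with a plain TCP connect() and parses Nmap’s normal output into the six states above. connect_scan_state() is my approximation of how nmap -sT maps connection outcomes to states, and SAMPLE_NMAP_OUTPUT is constructed, not a real scan:

```python
"""Added example, not code from the original post: reproduce the open / closed /
filtered decision of a connect scan (nmap -sT) with a plain TCP connect(), and
parse Nmap's normal output into the six port states. connect_scan_state() is my
own approximation of Nmap's logic, and SAMPLE_NMAP_OUTPUT is constructed."""
import errno
import re
import socket

NMAP_STATES = {"open", "closed", "filtered", "unfiltered", "open|filtered", "closed|filtered"}


def connect_scan_state(host, port, timeout=2.0):
    """Full TCP connect() to one port and translate the outcome into an Nmap state.

    open     : handshake completed, so something is accepting connections
    closed   : the host answered with RST (ECONNREFUSED): reachable, but nothing listening
    filtered : no answer before the timeout, or an ICMP unreachable: a firewall is most
               likely dropping the probe, which is what the Windows Defender case above shows
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise


PORT_LINE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp|sctp)\s+(?P<state>[a-z|]+)\s+(?P<service>\S+)")

# constructed Nmap normal output covering four of the six states
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.0.2.10
PORT    STATE          SERVICE
22/tcp  closed         ssh
80/tcp  open           http
443/tcp filtered       https
53/udp  open|filtered  domain
"""


def parse_nmap_output(text):
    """Return {(port, proto): (state, service)} for every port line; unknown states raise."""
    results = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue                                   # headers, blank lines, host banner
        state = m.group("state")
        if state not in NMAP_STATES:
            raise ValueError(f"unexpected Nmap port state: {state!r}")
        results[(int(m.group("port")), m.group("proto"))] = (state, m.group("service"))
    return results


def demo_local_states():
    """Show 'open' and 'closed' on 127.0.0.1: a listening socket versus a port nothing listens on."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket()                            # reserve a port, then release it so it is closed
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()
    try:
        return connect_scan_state("127.0.0.1", open_port), connect_scan_state("127.0.0.1", closed_port)
    finally:
        listener.close()


if __name__ == "__main__":
    print("loopback probe (open, closed):", demo_local_states())
    for (port, proto), (state, service) in sorted(parse_nmap_output(SAMPLE_NMAP_OUTPUT).items()):
        print(f"{port}/{proto:<4} {state:<15} {service}")
```

The loopback demo can only produce open and closed, because nothing on 127.0.0.1 drops packets; a filtered result needs a packet filter in the path, which is the Windows Defender Firewall situation in the walkthrough. The parser is the piece you would reuse when feeding Nmap results into an inventory or detection pipeline.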