Banner grabbing is the process of collecting software, service, and version data from network hosts. Defenders and attackers use it alike. A banner, in this context, is the text a service presents when a client connects to it or sends it a request, for example an HTTP Server header or the greeting line of an SSH, SMTP, or FTP server. It usually names the product and, by default, its exact version. Take a look at an example below.
In the sample banner above, the server identifies itself as Microsoft Internet Information Services (IIS) version 5.0 and reports a last-modified date of 6 June 2000, among other details.
As mentioned earlier, the process is neither good nor bad in itself. For network defenders, banner grabbing is a way to measure and reduce attack surface exposure. By identifying the exact version of services such as FTP, HTTP, or mail servers, they can prioritize patching or upgrading outdated and vulnerable software. For threat actors, the same process locates the insecure and vulnerable applications they can target.
Table of Contents
- What Are the Types of Banner Grabbing?
- What Is a Banner Grabbing Attack?
- How Can Organizations Protect against Banner Grabbing Attacks?
Banner Grabbing: A Deep Dive
What Are the Types of Banner Grabbing?
There are two major types of banner grabbing: active and passive.
The first kind, active banner grabbing, means talking to the target directly. The user opens a connection to a port on the remote host and either reads the greeting the service sends on its own (SSH, SMTP, and FTP all speak first) or sends a request, such as an HTTP HEAD, and reads the response. Tools as simple as netcat or telnet, or a port scanner with version detection, do this. The interaction reveals service and operating system (OS) versions, but it also generates traffic and log entries on the target, so it can be detected.
Passive banner grabbing, meanwhile, sends nothing to the target at all. It relies on data that already exists: traffic captured on a network tap or by an intrusion detection system, or records held by third-party tools and internet-wide scan services that have already connected to the host and stored its banners. The target never sees the grabber, which is what makes the technique passive.
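The two modes described above, as an added example that is not part of the original article. Active grabbing is run against two services constructed locally inside the script (an HTTP listener that mimics the page's IIS 5.0 banner and a greeting-first SSH-style listener); passive grabbing is run over a constructed list of responses as a network tap or IDS would already have recorded them. All addresses, hostnames, and banners are made up. The same fingerprint() routine serves both modes: what differs is where the bytes come from, not how they are read.

```python
"""Active vs. passive banner grabbing (added example; all hosts and banners are constructed)."""
import re
import socket
import threading

# Constructed banners: the page's IIS 5.0 example as an HTTP response, plus a greeting-first service.
CONSTRUCTED_HTTP_BANNER = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"Last-Modified: Tue, 06 Jun 2000 10:15:00 GMT\r\n"
    b"Content-Length: 0\r\n\r\n"
)
CONSTRUCTED_SSH_BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"   # SSH/SMTP/FTP send their banner unprompted


def http_head_probe(host):
    """A HEAD request: makes an HTTP server return its headers and no body."""
    return b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n"


def grab_banner(host, port, probe=None, timeout=3.0, max_bytes=2048):
    """Active grab: connect, send the probe (if any), read what the service says about itself."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if probe:
            sock.sendall(probe)
        try:
            while len(data) < max_bytes:
                chunk = sock.recv(max_bytes - len(data))
                if not chunk:                      # peer closed the connection
                    break
                data += chunk
                # HTTP headers end with a blank line; line-oriented greetings end with a newline.
                if b"\r\n\r\n" in data or (probe is None and data.endswith(b"\n")):
                    break
        except socket.timeout:
            pass                                   # keep whatever arrived before the timeout
    return data.decode("latin-1")


def parse_http_headers(raw):
    """Split an HTTP response into (status line, {lower-case name: value})."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


# Fingerprinting is identical whichever way the banner was obtained.
BANNER_PATTERNS = [
    re.compile(r"^Server:\s*(?P<product>[^/\r\n]+)(?:/(?P<version>\S+))?", re.M),
    re.compile(r"^SSH-[\d.]+-(?P<product>[A-Za-z]+)_(?P<version>\S+)", re.M),
    re.compile(r"^220 \S+ ESMTP (?P<product>\w+)", re.M),
]


def fingerprint(raw):
    """Return (product, version) from a banner, or (None, None) if it is not recognised."""
    for pattern in BANNER_PATTERNS:
        match = pattern.search(raw)
        if match:
            return match.group("product"), match.groupdict().get("version")
    return None, None


def start_fake_service(banner):
    """Constructed stand-in for a remote host; returns the local port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.settimeout(0.5)
        try:
            conn.recv(1024)            # swallow the probe if the client sends one
        except socket.timeout:
            pass                       # greeting-first protocol: the client stays silent
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def active_demo():
    """Active grabs against the two constructed local services."""
    http_port = start_fake_service(CONSTRUCTED_HTTP_BANNER)
    raw_http = grab_banner("127.0.0.1", http_port, http_head_probe("127.0.0.1"))
    _, headers = parse_http_headers(raw_http)
    ssh_port = start_fake_service(CONSTRUCTED_SSH_BANNER)
    raw_ssh = grab_banner("127.0.0.1", ssh_port)
    return {"http": fingerprint(raw_http), "last_modified": headers.get("last-modified"),
            "ssh": fingerprint(raw_ssh)}


# Constructed passive data: responses a network tap or IDS has already recorded.
CONSTRUCTED_CAPTURE = [
    ("10.0.0.5", 80, "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n\r\n"),
    ("10.0.0.7", 22, "SSH-2.0-OpenSSH_7.4\r\n"),
    ("10.0.0.9", 25, "220 mx.example.internal ESMTP Postfix (Debian/GNU)\r\n"),
]


def passive_inventory(capture=CONSTRUCTED_CAPTURE):
    """Passive grab: no packets to the targets, only parsing of records that already exist."""
    return {(ip, port): fingerprint(raw) for ip, port, raw in capture}


if __name__ == "__main__":
    print(active_demo())
    print(passive_inventory())
```

Run it as a script and both inventories print. The active half is the one a target can notice: each grab_banner() call is a TCP connection plus, for HTTP, a request that lands in the web server's access log. The passive half touches nothing.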
What Is a Banner Grabbing Attack?
While we’ve established that the process isn’t inherently malicious, threat actors grab banners for nefarious purposes.
A banner grabbing attack uses the same tools and techniques network defenders employ. During such an attack, threat actors collect the OS, service, application, and port data of the target network. From the sample banner earlier, for instance, they would learn that the target runs Microsoft IIS 5.0. They can then look up the known vulnerabilities of that exact release, pick a matching exploit, and continue as in any other cyber attack.
How Can Organizations Protect against Banner Grabbing Attacks?
Banner grabbing is reconnaissance. By itself it compromises nothing, but it tells the attacker which systems to hit and which exploit to use. Once they have matched a disclosed version to a known vulnerability, they move on to the usual follow-on activity: remote code execution, dropping malware to disrupt a target’s operations, stealing information, or delivering other destructive payloads. The good news is that the exposure is manageable.
Here are a few best practices against the attacks.
- Change default server banners to remove software names and version numbers. Strictly speaking this is “security through obscurity”: it does not fix a vulnerable version, it only stops advertising it, and scanners can still infer a version from how the service behaves. Treat it as a complement to patching, not a substitute, since it removes the free information an attacker would otherwise use to pick a target.
- Ensure all servers and systems are updated with security patches; a hidden version number on an unpatched service protects nothing.
- Shut down unused or unnecessary running services and close open ports that have no business being reachable. An external attack surface management (EASM) platform that automatically scans for exposed technologies and their known vulnerabilities can speed this up.
- Implement strict firewall rules to limit public access, and consider placing services behind a reverse proxy so the backend banner never reaches the internet.
- Employ red and blue teaming to find and reduce potential attack entry points.
- Use intrusion detection and prevention systems to spot scanning and banner grabbing attempts. Where a service must present text to clients, such as an SSH or telnet login banner, display a customized warning notice rather than the product’s default banner.
- Use an EASM platform to continuously monitor for assets and vulnerabilities that need patching. Advanced solutions add new assets to vulnerability scanning as soon as they are connected to the network.
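A check for the first item in the list above, as an added example (this is not the article’s own code). It audits a parsed set of HTTP response headers for version and stack disclosure and names where to switch it off. The header sets are constructed, using the page’s IIS 5.0 example as the “before”; the remediation strings name real directives, namely ServerTokens Prod and ServerSignature Off for Apache httpd, server_tokens off; for nginx, and the requestFiltering removeServerHeader attribute for IIS 10 and later. Note the caveat from the list: a clean result here means the service has stopped advertising its version, not that the version is safe.

```python
"""Audit parsed HTTP headers for stack and version disclosure (added example; data is constructed)."""
import re

VERSION_RE = re.compile(r"\d+\.\d+")                 # matches 5.0, 2.4.57, 1.18.0 ...
# Headers whose only purpose is to advertise the application stack; remove them outright.
ADVERTISING_HEADERS = {"x-powered-by", "x-aspnet-version", "x-aspnetmvc-version"}
# Where to switch the disclosure off, keyed by the product part of the Server header.
REMEDIATION = {
    "apache": "ServerTokens Prod and ServerSignature Off in the httpd configuration",
    "nginx": "server_tokens off;",
    "microsoft-iis": 'requestFiltering removeServerHeader="true" (IIS 10+) or a URL Rewrite outbound rule',
}


def audit_headers(headers):
    """Return one finding per header that leaks a product version or stack details."""
    findings = []
    for name, value in headers.items():
        lname = name.lower()
        if lname == "server" and VERSION_RE.search(value):
            product = value.split("/", 1)[0].lower()
            findings.append({
                "header": name, "value": value,
                "reason": "Server header discloses a version",
                "fix": REMEDIATION.get(product, "strip the version from the Server header"),
            })
        elif lname in ADVERTISING_HEADERS:
            findings.append({
                "header": name, "value": value,
                "reason": "header exists only to advertise the stack",
                "fix": "remove the header at the web server or reverse proxy",
            })
    return findings


# Constructed header sets: the page's IIS 5.0 example before hardening, and two acceptable results.
CONSTRUCTED_WEAK = {
    "Server": "Microsoft-IIS/5.0",
    "X-Powered-By": "ASP.NET",
    "X-AspNet-Version": "1.1.4322",
    "Content-Type": "text/html",
}
CONSTRUCTED_HARDENED = {          # Server header removed entirely, stack headers gone
    "Content-Type": "text/html",
}
CONSTRUCTED_APACHE_PROD = {       # what ServerTokens Prod leaves behind: product, no version
    "Server": "Apache",
    "Content-Type": "text/html",
}


if __name__ == "__main__":
    for label, hdrs in (("weak", CONSTRUCTED_WEAK), ("hardened", CONSTRUCTED_HARDENED),
                        ("apache prod", CONSTRUCTED_APACHE_PROD)):
        print(label, audit_headers(hdrs) or "no disclosure found")
```

A product name on its own (“Apache”, “nginx”) is left alone: the version is what maps to a specific exploit, and a defender who cannot drop the header entirely gets most of the benefit by dropping the version.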
Key Takeaways
- Banner grabbing collects software, service, and version data from network hosts, and serves defenders and attackers alike.
- Two types exist, active and passive. The former connects to the target directly and can be detected; the latter relies on captured traffic or third-party scan data and sends nothing to the target.
- Although banner grabbing as a process isn’t inherently malicious, threat actors use it as the first stage of an attack to learn which versions a target organization runs and which exploits apply.
- Removing unnecessary information from banners reduces what an attacker learns for free, but only patching removes the vulnerability; intrusion detection and prevention systems and EASM platforms help spot the scanning and the exposed assets behind it.
Ready to find out how Attaxion can help protect against banner grabbing? Kickstart your 30-day trial now!