Then, we can use the search command on the msf5 prompt to find any modules relating to banner grabbing: msf5 > search banner Metasploit has modules that will gather information about telnet, web servers, SMTP, and more.įirst, launch Metasploit by typing msfconsole in the terminal. The final banner-grabbing method we will explore is Metasploit. Nmap done: 1 IP address (1 host up) scanned in 21.76 secondsįor example, running this against port 80 gives us some information about the Apache web server. |_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2 We can also narrow our focus to a specific port using the -p flag: ~# nmap -sV -script banner 10.10.0.50 -p 80Ĩ0/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2) That gave us banners for several services, some easier to read than others. Nmap done: 1 IP address (1 host up) scanned in 15.90 seconds | banner: : NOTICE AUTH :*** Looking up your hostna |_banner: 220 ProFTPD 1.3.1 Server (Debian) Use the -script option followed by the name of the script, in this case, banner: ~# nmap -script banner 10.10.0.50 When using service detection, Nmap will return information about the running service, such as a version number, but Nmap also has an NSE script that can perform banner grabbing for us. The next tool we can use to grab banners is Nmap. This time we get a 200 OK, plus some information pertaining to the PHP version. We can also use the -I flag to fetch the HTTP header: ~# curl -I 10.10.0.50 However, we don't need to specify the port number this time as we did with the previous tools: ~# curl 10.10.0.50 We can also use curl to grab the banner of the web server. It is most commonly used for HTTP, but it supports a wide variety of other protocols. Method 3: CurlĬurl, often stylized as cURL (Client URL), is a command-line tool used for transferring data. In this case, we still get a bad request, but this method can return HTML and other useful information. Your browser sent a request that this server could not understand.Īpache/2.2.8 (Ubuntu) DAV/2 Server at metasploitable.localdomain Port 80 We can send a GET request as well, which will return the contents of the webpage: ~# nc 10.10.0.50 80 For example, we can use the HEAD method to get the header information about the server: ~# nc 10.10.0.50 80Ĭontent-Type: text/html charset=iso-8859-1Įven though it was a bad request, we still got the exact version number of Apache. We can also utilize Netcat to communicate with the web server. We can use it to connect to certain ports and gather information.įirst, let's connect to the FTP service on port 21, just like we did with telnet: ~# nc 10.10.0.50 21 Now, we will perform banner grabbing with Netcat, a utility that is very common on Linux systems and can be abused in all sorts of ways. We also get lucky with this one since it contains both an email and login credentials. We can see it returns a tiny bit of HTML, including what appear to be directories, plus a welcome banner on the system. Login with msfadmin/msfadmin to get started Warning: Never expose this VM to an untrusted network! I typed "help" once connected: ~# telnet 10.10.0.50 80 Once connected, type something, and it will display some information for us. We can even use it to grab the banner of a web server, which usually runs on port 80. We can do the same for SSH, running on port 22: ~# telnet 10.10.0.50 22 We can use telnet to get version information for FTP, which runs on port 21: ~# telnet 10.10.0.50 21 The syntax is telnet, followed by the IP address of the machine you wish to connect to, followed by the port number. This unassuming little utility might not seem very useful when it comes to penetration testing, but its value lies in the fact that it's present on virtually any system. The first tool we'll use to do some banner grabbing is telnet. Nmap done: 1 IP address (1 host up) scanned in 0.32 seconds Method 1: Telnet In a terminal window, let's do a quick Nmap scan on the target to see what's running: ~# nmap 10.10.0.50 To learn about banner grabbing, we will be using Metasploitable 2 as the target and Kali Linux as our local machine.
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |