CEH Scanning Methodology - Banner Grabbing

  • Banner grabbing (usually discussed together with OS fingerprinting) is the method of determining the service software and operating system running on a remote target. There are two types: active and passive.
  • Identifying the OS and service versions on the target lets an attacker narrow down the vulnerabilities the system possesses and the exploits that are likely to work against it, as a basis for further attacks.
  • Active Banner Grabbing:
    • Specially crafted packets are sent to the remote host and the responses are recorded.
    • The responses are compared against a fingerprint database to determine the OS.
    • Responses differ between OSes because each implements the TCP/IP stack slightly differently (initial TTL, TCP window size, TCP option ordering, handling of unusual flag combinations).
  • Passive Banner Grabbing:
    • Banner grabbing from error messages: error pages often disclose the server type, the OS, and the SSL/TLS library used by the remote system.
    • Sniffing the network traffic: capturing and analysing packets from the target lets an attacker infer the OS without sending it anything.
    • Banner grabbing from page extensions: the extension in a URL hints at the application platform. Example: .aspx => ASP.NET on IIS, and therefore a Windows platform.
  • Version detection with nmap:
    • Service/application versions: nmap -sV 10.0.1.201
    • Operating system: nmap -O 10.0.1.201
  • The fingerprint database that nmap compares the OS-probe responses against is /usr/share/nmap/nmap-os-db; it lists, per fingerprint, the expected response to each probe.
  • p0f is a tool for passive fingerprinting by sniffing network traffic: it identifies the OS from the TCP/IP characteristics of packets it observes and never sends anything to the target.
  • ID Serve:
    • ID Serve: ID Serve is used to identify the make, model, and version of any web site's server software.
    • It is also used to identify non-HTTP (non-web) Internet servers such as FTP, SMTP, POP, NEWS, etc.
  • Netcraft:
    • Netcraft reports a site's operating system, web server, and netblock owner together with, if available, a graphical view of the time since last reboot for each of the computers serving the site.
  • Netcat:
    • This utility reads and writes data across network connections using TCP (or UDP), which makes it a convenient raw client for talking to a service by hand.
    • # nc -vv www.juggyboy.com 80 - press [Enter]
    • GET / HTTP/1.0 - press [Enter] twice; the empty line terminates the request, and the Server: line in the response headers is the banner.
  • Telnet:
    • This technique probes HTTP servers to read the Server field in the HTTP response header.
    • # telnet www.juggyboy.com 80 - press [Enter]
    • GET / HTTP/1.0 - press [Enter] twice; the blank line ends the request and the server replies with its headers, including Server:.
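The manual nc/telnet exchange above, scripted. This is an added example, not part of the CEH material: the request builder, the header parser and the greeting parser below are my own, and the hostnames and ports are placeholders. The parsers read from stdin so they can be fed either by nc against a live host or by a captured response for offline checking.

```shell
#!/bin/sh
# Added example (not from the page): script the nc/telnet banner grab.
# Hostnames and ports are placeholders chosen for illustration.

# Build the request the page types by hand. HEAD keeps the reply to headers only,
# Host: is needed for HTTP/1.1 name-based virtual hosts, and the blank line
# (the final \r\n\r\n) is what terminates the request.
http_request() {
    # $1 = hostname for the Host header
    printf 'HEAD / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$1"
}

# Parse the Server: header out of a raw HTTP response read from stdin.
# Header names are case-insensitive, so match any spelling; prints nothing
# when the header is absent, which is what a masked server looks like.
parse_server_header() {
    tr -d '\r' | sed -n 's/^[Ss][Ee][Rr][Vv][Ee][Rr]:[[:space:]]*//p' | head -n 1
}

# FTP, SMTP and POP3 announce themselves in the first line they send on
# connect, so for those services the banner is simply the greeting line.
parse_greeting() {
    tr -d '\r' | head -n 1
}

# Live use against a real host (requires nc, the tool used on this page):
#   grab_http_banner www.juggyboy.com 80
#   nc -w 5 mail.example.com 25 </dev/null | parse_greeting
grab_http_banner() {
    # $1 = host, $2 = port
    http_request "$1" | nc -w 5 "$1" "$2" | parse_server_header
}
```

Connection: close makes the server hang up after one response, so nc returns instead of waiting for a timeout; an empty result from parse_server_header is itself a finding (the Server header has been removed or masked).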
  • Display false banners to mislead attackers.
  • Turn off unnecessary services on the network host to limit information disclosure.
  • Use ServerMask (an IIS add-on) or similar tools to remove or change banner information.
  • Apache 2.x with mod_headers: the directive usually quoted for this is Header set Server "New Server Name" in httpd.conf. Caveat: Apache's core emits its own Server header (built from ServerTokens) on every non-proxied response and discards the value set by mod_headers, so on a stock build this directive has no visible effect. ServerTokens Prod, which shrinks the banner to "Apache", is the supported way to minimise it; rewriting the banner outright needs something like mod_security's SecServerSignature.
  • Also set ServerSignature Off in httpd.conf; this removes the version footer Apache appends to its own error pages and directory listings (it does not affect the Server header).
  • Disable banners wherever the service allows it.
  • IIS: configure URLScan (RemoveServerHeader=1 in urlscan.ini) to strip the Server header.
  • File extensions reveal the underlying server technology, which an attacker can use to choose attacks (.aspx points at ASP.NET on IIS, .php at PHP, .jsp at a Java servlet container).
  • Hide file extensions to mask the web technology.
  • Change application mappings, e.g. serve .asp content under .htm or .foo, to disguise the identity of the server.
  • Apache users can use mod_negotiation (MultiViews) so that extensionless URLs resolve to the underlying file.
  • IIS users can use tools such as PageXchanger to manage file extensions.
  • Better still, do not use file extensions in URLs at all.
  • IIS (URL Rewrite module) and Apache (mod_rewrite): rewrite URLs so that the extension is stripped from what the client sees.
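An httpd.conf fragment, added here and not part of the page, that applies the Apache countermeasures listed above in one place: minimise the banner and hide file extensions. The document root and the rule mapping an extensionless URL such as /about to about.php are placeholders. It relies on ServerTokens rather than Header set Server because Apache rebuilds the Server header from ServerTokens for every non-proxied response, so a value set through mod_headers is discarded.

```apache
# Added example (not from the page): Apache banner and extension hardening.
# Paths and the .php mapping are placeholders.

# Weak defaults, shown for contrast:
#   ServerTokens Full    -> Server: Apache/2.4.57 (Unix) OpenSSL/3.0.2 PHP/8.1
#   ServerSignature On   -> version footer on error pages and directory listings

# Hardened: the Server header becomes just "Apache", and server-generated
# pages carry no version footer.
ServerTokens Prod
ServerSignature Off

<Directory "/var/www/html">
    # Serve /about from about.php without exposing the extension.
    # Requires mod_rewrite; REQUEST_FILENAME is the filesystem path here
    # because the rules live in a <Directory> section.
    RewriteEngine On
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME}\.php -f
    RewriteRule ^(.*)$ $1.php [L]
</Directory>

# Alternative via mod_negotiation: with MultiViews on, a request for /about
# is matched against about.* in the directory, so no rewrite rules are needed.
# <Directory "/var/www/html">
#     Options +MultiViews
# </Directory>
```

After reloading, a HEAD request should return only "Server: Apache", and links can be published as /about while the .php file stays on disk; the rewrite and MultiViews approaches are alternatives, so enable one, not both.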
