CEH Scanning Methodology - Banner Grabbing
Banner Grabbing
- Banner grabbing or OS fingerprinting is the method of determining the operating system running on a remote target system. There are two types of banner grabbing: active and passive.
- Identifying the OS used on the target host allows an attacker to figure out the vulnerabilities the system possesses and the exploits that might work on the system to carry out further attacks.
- Active Banner Grabbing:
  - Specially crafted packets are sent to the remote OS and the responses are noted.
  - The responses are then compared with a database to determine the OS.
  - Responses from different OSes vary due to differences in TCP/IP stack implementation.
- Passive Banner Grabbing:
  - Banner grabbing from error messages: error messages provide information such as the type of server, the type of OS, and the SSL tool used by the target remote system.
  - Sniffing the network traffic: capturing and analyzing packets from the target enables an attacker to determine the OS used by the remote system.
  - Banner grabbing from page extensions: looking for an extension in the URL may assist in determining the application version. Example: .aspx => IIS server and Windows platform.
- Version:
  - Service/App: nmap -sV 10.0.1.201
  - O.S.: nmap -O 10.0.1.201
  - For the packets sent by the OS scan, refer to the fingerprint database at /usr/share/nmap/nmap-os-db.
  - A tool for sniffing network traffic (passive fingerprinting) is p0f.
- ID Serve:
  - ID Serve is used to identify the make, model, and version of any web site's server software.
  - It is also used to identify non-HTTP (non-web) Internet servers such as FTP, SMTP, POP, NEWS, etc.
- Netcraft:
  - Netcraft reports a site's operating system, web server, and netblock owner together with, if available, a graphical view of the time since the last reboot for each of the computers serving the site.
- Netcat:
  - This utility reads and writes data across network connections using the TCP/IP protocol.
  - # nc -vv www.juggyboy.com 80 - press [Enter]
  - GET / HTTP/1.0 - press [Enter]
- Telnet:
  - This technique probes HTTP servers to determine the Server field in the HTTP response header.
  - # telnet www.juggyboy.com 80 - press [Enter]
  - GET / HTTP/1.0 - press [Enter]
Banner Grabbing Countermeasures: Disabling or Changing Banner
- Display false banners to misguide attackers.
- Turn off unnecessary services on the network host to limit the information disclosure.
- Use ServerMask tools to disable or change banner information.
- Apache 2.x with the mod_headers module: use a directive in the httpd.conf file to change the banner information: Header set Server "New Server Name".
- Alternatively, change the ServerSignature line to ServerSignature Off in the httpd.conf file.
- Disable the banner:
  - IIS: configure URLScan to disable the banner.
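The nc/telnet probe above and the Header set Server countermeasure can be checked together with a small audit script. This is an added example written for these notes, not part of the CEH material: it sends the same GET / HTTP/1.0 request, parses the response headers, and reports which headers disclose server technology and whether they leak a version number. The header list and the sample responses are constructed for the example.

```python
import re
import socket

# Headers that commonly disclose server technology (this example's own list).
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")
# A version string such as 2.4.41 or 7.4.3 is what a hardened banner must not contain.
VERSION_RE = re.compile(r"\d+(\.\d+)+")


def parse_http_headers(raw: bytes) -> dict:
    """Parse the status line and headers of a raw HTTP response (header names lowercased)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {"_status": lines[0]}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_banner(raw: bytes) -> list:
    """Return (header, value, leaks_version) for every disclosure header present in the response."""
    headers = parse_http_headers(raw)
    findings = []
    for name in DISCLOSURE_HEADERS:
        if name in headers:
            value = headers[name]
            findings.append((name, value, bool(VERSION_RE.search(value))))
    return findings


def grab_http_banner(host: str, port: int = 80, timeout: float = 5.0) -> bytes:
    """Same probe as 'nc -vv host 80' followed by 'GET / HTTP/1.0'; run it against your own server
    before and after changing the banner to confirm the countermeasure took effect."""
    request = f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while data := sock.recv(4096):  # HTTP/1.0 server closes the connection after the response
            chunks.append(data)
    return b"".join(chunks)


# Constructed sample responses (not captured from any real host).
VERBOSE_RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n"
                    b"X-Powered-By: PHP/7.4.3\r\nContent-Type: text/html\r\n\r\n<html>")
HARDENED_RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: New Server Name\r\n"
                     b"Content-Type: text/html\r\n\r\n<html>")

if __name__ == "__main__":
    for label, resp in (("verbose", VERBOSE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_banner(resp))
```

Replace the constructed responses with grab_http_banner(host) to audit a live server; a finding with leaks_version True means the Header set Server or ServerSignature Off change has not taken effect.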
Banner Grabbing Countermeasures: Hiding File Extensions from Web Pages
- File extensions reveal information about the underlying server technology that an attacker can utilize to launch attacks.
- Hide file extensions to mask the web technology.
- Change application mappings such as .asp to .htm or .foo, etc., to disguise the identity of the servers.
- Apache users can use mod_negotiation directives.
- IIS users use tools such as PageXchanger to manage the file extensions.
- It is even better if file extensions are not used at all.
- IIS, Apache: URL rewriting.
  - Remove the file extension (rewrite the URL).