`
3337/tcp open SimpleHTTPServer
--snip--
Using this script, you should be able to identify four IP addresses
on the network with open ports: 172.16.10.10 (p-web-01) running
8081/TCP, 172.16.10.11 (p-ftp-01) running both 21/TCP and
80/TCP, 172.16.10.12 (p-web-02) running 80/TCP, and 172.16.10.13
(p-jumpbox-01) running 22/TCP.
Banner Grabbing
Learning about the software running on a remote server is a
crucial step in a penetration test. In the remainder of this chapter,
we’ll take a look at how to identify what’s behind a port and a
service. For example, what web server is running on port 8081, and
what technologies does it use to serve content to clients?
Banner grabbing is the process of extracting the information
published by remote network services when a connection is
established between two parties. Services often transmit these
banners to “greet” clients, which can use the information they
provide in various ways, such as to ensure they’re connecting to the
right target. Banners could also include a system admin message of
the day (MOTD) or the service’s specific running version.
Passive banner grabbing involves looking up banner information
using third-party websites. For example, websites such as Shodan
(https://shodan.io), ZoomEye (https://zoomeye.org), and Censys
(https://censys.io) perform internet-wide scans to map the internet,
grabbing banners, versions, website pages, and ports, then create an
inventory using this data. We can use such websites to look up
banner information without ever interacting with the target server
ourselves.
Active banner grabbing is the opposite; it involves establishing a
connection to a server and interacting with it directly to receive its
banner information. The following network services tend to advertise
themselves using banners: web servers, SSH servers, FTP servers,
telnet servers, network printers, Internet of Things (IoT) devices, and
message queues.
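To make active banner grabbing concrete, here is an added example (not code from the book) that connects to a port with bash's /dev/tcp pseudo-device, reads whatever the service sends first, and classifies the result. The host, the ports treated as HTTP, the HEAD probe and the four sample banners are constructed for illustration; the regular expressions are assumptions about common greeting formats, not a complete fingerprint database.

```bash
#!/usr/bin/env bash
# Added example, not from the book: active banner grabbing in pure bash
# using the /dev/tcp pseudo-device, plus a small classifier for greetings
# commonly sent by SSH, FTP and HTTP services.

# grab_banner HOST PORT [PROBE]
# Connects to HOST:PORT, optionally sends PROBE (printf %b escapes allowed,
# so "\r\n" works), and returns every line the service sends before it
# goes quiet for two seconds or closes the connection.
grab_banner() {
  local host="$1" port="$2" probe="${3:-}" line="" banner=""
  # Braces keep the fd in this shell while hiding the connect error text.
  { exec 3<>"/dev/tcp/${host}/${port}"; } 2>/dev/null || return 1
  if [ -n "$probe" ]; then
    printf '%b' "$probe" >&3
  fi
  # Services such as SSH and FTP speak first; most HTTP servers stay silent
  # until asked, which is why the caller passes a probe for web ports.
  while IFS= read -r -t 2 line <&3; do
    banner+="${line}"$'\n'
  done
  [ -n "$line" ] && banner+="$line"   # keep a trailing partial line
  exec 3<&-
  printf '%s' "$banner"
}

# classify_banner BANNER
# Prints "<service> <product/version>" based on the greeting text, or
# "unknown" when nothing recognisable is present. Banners are free-form
# text, so this is what the service chose to advertise, not proof.
classify_banner() {
  local banner="$1"
  local ssh_re='^SSH-[0-9.]+-([^[:space:]]+)'
  local ftp_re=$'^220[[:space:]-]+\\(?([^\r\n()]+)'
  local http_re=$'^HTTP/[0-9.]+ .*Server:[[:space:]]*([^\r\n]+)'
  if [[ "$banner" =~ $ssh_re ]]; then
    printf 'ssh %s\n' "${BASH_REMATCH[1]}"
  elif [[ "$banner" =~ $ftp_re ]]; then
    printf 'ftp %s\n' "${BASH_REMATCH[1]}"
  elif [[ "$banner" =~ $http_re ]]; then
    printf 'http %s\n' "${BASH_REMATCH[1]}"
  else
    printf 'unknown\n'
  fi
}

# Minimal HTTP/1.0 request used as a probe on web ports (assumed value).
HTTP_PROBE='HEAD / HTTP/1.0\r\n\r\n'

# Constructed sample banners, shaped like what grab_banner returns from
# typical lab services; they were not captured from any real host.
SAMPLE_SSH=$'SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.4\r\n'
SAMPLE_FTP=$'220 (vsFTPd 3.0.3)\r\n'
SAMPLE_HTTP=$'HTTP/1.0 200 OK\r\nServer: SimpleHTTP/0.6 Python/3.11.2\r\nContent-Type: text/html\r\n'
SAMPLE_MOTD=$'Welcome to the internal network. Authorized use only.\r\n'

# Usage: ./banner.sh HOST PORT   (live grab; web ports get a HEAD probe)
# Without arguments the script only classifies the constructed samples.
if [ $# -eq 2 ]; then
  probe=""
  case "$2" in 80|8000|8080|8081) probe="$HTTP_PROBE" ;; esac
  banner=$(grab_banner "$1" "$2" "$probe") || { echo "connect to $1:$2 failed" >&2; exit 1; }
  classify_banner "$banner"
else
  for b in "$SAMPLE_SSH" "$SAMPLE_FTP" "$SAMPLE_HTTP" "$SAMPLE_MOTD"; do
    classify_banner "$b"
  done
fi
```

The connect itself has no timeout of its own, so on a filtered port /dev/tcp can block for the kernel's full TCP connect timeout; wrapping a live call in `timeout 5 ./banner.sh HOST PORT` bounds that. The classifier deliberately reports only what the greeting says, which matters for the caveat that follows: an administrator can rewrite the Server header or SSH version string, so a banner is a lead to confirm with other checks, not a verified version.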
Keep in mind that banners are generally free-form text fields, and
they can be changed to mislead clients. For example, an Apache web
server could present itself as another type of web server, such as
Black Hat Bash (Early Access) © 2023 by Dolev Farhi and Nick Aleks