How Hackers Grab Banners to Penetrate Your Network

By Kevin Beaver

Banners are the welcome screens that divulge software version numbers and other system information on network hosts. This banner information might give the bad guys a leg up on attacking the network because it may identify the operating system, the version number, and the specific service packs. You can grab banners by using good old telnet or tools such as Nmap and SuperScan.

telnet

You can telnet to hosts on the default telnet port (TCP port 23) to see whether you’re presented with a login prompt or any other information. Just enter the following line at the command prompt in Windows or UNIX:

telnet ip_address

You can telnet to other commonly used ports with these commands:

  • SMTP: telnet ip_address 25

  • HTTP: telnet ip_address 80

  • POP3: telnet ip_address 110


Countermeasures against banner-grabbing attacks

The following steps can reduce the chance of banner-grabbing attacks:

  • If there isn’t a business need for services that offer banner information, disable those unused services on the network host.

  • If there isn’t a business need for the default banners, or if you can customize the banners, configure the network host’s application or operating system to either disable the banners or remove information from the banners that could give an attacker a leg up. Check with your specific vendor for information on how to do this.

If you can customize your banners, check with your lawyer about adding a warning banner. It won’t stop banner grabbing but will show would-be intruders that the system is private and monitored (assuming it truly is). A warning banner may also help reduce your business liability in the event of a security breach. Here’s an example:

Warning! This is a private system. All use is monitored and recorded. Any unauthorized use of this system may result in civil and/or criminal prosecution to the fullest extent of the law.