
Banner grabbing with netcat


caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Mon Aug 16, 2010 8:55 am

Banner grabbing with netcat

Hey,

I am currently using netcat (but it could be telnet, sbd, etc.) to do some banner grabbing. So far, I only find examples for HTTP and FTP servers... But what about other services? I poked around and found some more ways of getting information with netcat:

HTTP
  Code:
    nc -v 192.168.1.10 80
    HEAD / HTTP/1.0
    [ENTER]
    [ENTER]

    - or -

    GET HTTP

FTP
  Code:
    nc -v 192.168.1.59 21

SSH
  Code:
    nc -v 192.168.1.59 22

MS-SQLServer
  Code:
    nc -v 192.168.1.59 1433

MySQL
  Code:
    nc -v 192.168.1.59 3306


And etc!

So my question really is: Yes, you can use netcat to connect to every single port and get the banner of well-known services. But what about other TCP ports with no obvious response without the proper prompt (like a web server)? We need to provide the service with some precise query parameters. So do you guys know about other data that could be sent to a TCP port that doesn't give an obvious reply?

I hope you guys understand my question...  ;D
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)

Anquilas

Full Member

Posts: 169

Joined: Fri Mar 19, 2010 7:50 am

Location: Belgium

Post Mon Aug 16, 2010 9:37 am

Re: Banner grabbing with netcat

Sort of, I think :)

The banner grabbing for versioning can, as you know, be done with an Nmap version scan.

A more 'manual' approach, but still fast enough, might be to use an Nmap script, like:
http://nmap.org/nsedoc/scripts/banner.html
http://pauldotcom.com/2008/12/banner-gr ... -relo.html

I suppose you can adapt the script to fuzz everything you can think of towards the ports in question, and see what comes back.

This is all just an educated guess though, don't have a lot of experience with all that personally :)
Twitter: https://twitter.com/dietervds
Blog: https://synquell.wordpress.com (not much there yet)

The beginning of knowledge is the discovery of something we do not understand.

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Mon Aug 16, 2010 11:53 am

Re: Banner grabbing with netcat

Don't forget SMTP, IMAP, and POP with netcat. You can also use Nmap's ncat with the --ssl option to connect to ssl-based services (or use sslproxy with one of the netcat variants that don't support ssl).

Your best bet would be to perform a packet capture while establishing a legitimate connection to see what information is normally transmitted and then adjust that as necessary.

You could then use packet crafting utilities, such as HPing, Scapy, PackEth, etc. (or hexedit and file2cable if you are feeling particularly l33t) to generate your custom packets.

Disclaimer: I don't have much hands-on experience with this, but I think that looks right in theory ;)
The day you stop learning is the day you start becoming obsolete.

sachitre

Newbie

Posts: 22

Joined: Sat Jan 09, 2010 7:55 am

Post Tue Aug 17, 2010 5:15 am

Re: Banner grabbing with netcat

Hi,

You can use the triggers in the AMAP tool that can be found in the file appdefs.trig (I can't remember exactly but I think that's the one). Are you using netcat manually to rule out false positives?

cheers
CISSP, GPEN, CCNA

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Tue Aug 17, 2010 5:32 am

Re: Banner grabbing with netcat

Thanks for the hints. I heard about AMAP but I never used it. Last release is January 2006, so is it too old to detect recent services?!?

My goal wasn't so much about ruling out false positives. I was more looking at an easy way to look at one or two ports on a machine. My question really was "what to do" when you see a strange port open. The answer seems to be:

1) Start a network sniffer
2) Connect to the service with telnet/netcat and see what happens
3) Launch some tools like nmap scripts or AMAP

There is not much else we can do.
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
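The two halves of this thread, the per-port nc commands in the opening post and the "connect, see what happens, then poke it" procedure summarised just above, fit in one small script. The following is an added example, not code from the thread or from netcat/amap: it connects to a port, waits briefly for a service that talks first (SSH, FTP, SMTP style), and only if the service stays silent sends a protocol-specific probe, the way sachitre's amap trigger file does. The probe table, the fake localhost services and their banners are all constructed for the demo so that it runs offline; `start_fake_service`, `grab_banner` and `first_line` are names chosen here.

```python
import socket
import threading

# Constructed probe table for services that stay silent until the client
# speaks (the "no prompt" case raised in the thread). Modelled on the idea
# of amap's appdefs.trig, not taken from it; extend per service as needed.
PROBES = {
    80: b"HEAD / HTTP/1.0\r\n\r\n",
    8080: b"HEAD / HTTP/1.0\r\n\r\n",
    443: b"HEAD / HTTP/1.0\r\n\r\n",   # plaintext only; TLS needs ncat --ssl
}
GENERIC_PROBE = b"\r\n\r\n"   # many line-oriented daemons answer a bare newline


def _recv_quietly(sock, max_bytes):
    """Read once; an idle timeout, EOF or a reset all count as 'nothing said'."""
    try:
        return sock.recv(max_bytes)
    except OSError:              # socket.timeout and ConnectionResetError
        return b""


def grab_banner(host, port, probe=None, timeout=2.0, max_bytes=1024):
    """Connect and wait up to `timeout` s for an unsolicited banner.
    If the service stays quiet, send `probe` (default: table entry for the
    port, else GENERIC_PROBE) and read once more. Returns raw bytes."""
    if probe is None:
        probe = PROBES.get(port, GENERIC_PROBE)
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = _recv_quietly(s, max_bytes)
        if banner:
            return banner        # server spoke first: SSH/FTP/SMTP style
        try:
            s.sendall(probe)     # HTTP style: it wants a request first
        except OSError:
            return b""           # peer already hung up on us
        return _recv_quietly(s, max_bytes)


def first_line(banner):
    """Printable first line of a banner, e.g. for a service inventory log."""
    line = banner.split(b"\n", 1)[0].rstrip(b"\r")
    return line.decode("ascii", errors="replace")


def start_fake_service(banner=None, reply=None):
    """Throwaway localhost TCP service, constructed for the demo.
    banner: bytes sent immediately on connect (talkative service).
    reply:  bytes sent only after the client sends something (quiet service).
    Neither: accept and close, i.e. a port that says nothing at all.
    Returns the bound port; the server runs in a daemon thread."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                if banner:
                    conn.sendall(banner)
                elif reply:
                    conn.settimeout(5)
                    try:
                        if conn.recv(1024):
                            conn.sendall(reply)
                    except OSError:
                        pass

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    ssh_port = start_fake_service(banner=b"SSH-2.0-ExampleSSH_1.0\r\n")
    web_port = start_fake_service(reply=b"HTTP/1.0 200 OK\r\nServer: ExampleHTTPd/0.1\r\n\r\n")
    mute_port = start_fake_service()
    for name, port, probe in (("ssh", ssh_port, None),
                              ("web", web_port, PROBES[80]),
                              ("mute", mute_port, None)):
        got = grab_banner("127.0.0.1", port, probe=probe, timeout=1.0)
        print(f"{name:5} port {port}: {first_line(got) or '<no reply>'}")
```

The order matters: reading before probing keeps you from corrupting a banner that was already on its way, and the timeout is what turns "nothing came back" into a signal rather than a hang. A port that returns nothing to either step is exactly the case where the thread's step 1 (a sniffer on a legitimate client session) tells you what the service actually expects.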

Anquilas

Full Member

Posts: 169

Joined: Fri Mar 19, 2010 7:50 am

Location: Belgium

Post Tue Aug 17, 2010 8:10 am

Re: Banner grabbing with netcat

Indeed, I don't think there is.
Basically poke at it with whatever you can and see what happens! :)
Twitter: https://twitter.com/dietervds
Blog: https://synquell.wordpress.com (not much there yet)

The beginning of knowledge is the discovery of something we do not understand.
