BannerGrab
BannerGrab is a tool that performs connection-based and trigger-based banner grabbing and basic information collection from network services. The program has two modes of operation: simple connection banner grabbing, and the default mode, which attempts to collect additional information using triggers and simple service queries.
Unlike a number of other banner grabbing tools, BannerGrab supports SSL and can perform banner grabbing on SSL-based services.
Requirements
BannerGrab requires the GNU C compiler and the OpenSSL library. Both of these are installed by default on a number of Linux distributions. Although this program has not been tested on other platforms, it should work wherever the requirements have been met.
Building
To build BannerGrab, first extract the archive and change into the source directory. Then execute the following command (the library flags are placed after the source file, which is the order modern linkers require):
gcc -o bannergrab bannergrab.c -lssl
On Mac OS X you can use the following command (linking libcrypto explicitly is also needed on Linux distributions whose linker does not pull it in through libssl):
gcc -o bannergrab bannergrab.c -lssl -lcrypto
If for some reason you need to compile it without SSL support, it can be done with the following command:
gcc -DNOSSL -o bannergrab bannergrab.c
Running
BannerGrab can be run, in its simplest form, by specifying the host and port as parameters. The following screenshot shows BannerGrab running against an SSH service.
The command line arguments for BannerGrab are:
Command:
  bannergrab [Options] host port

Options:
  --udp                 Connect to a port using UDP. The default is to use TCP.
  --no-triggers         Collect only the connection banner; no triggers and no SSL.
  --trigger=<trigger>   Specify the trigger to use. Specify DEFAULT to use the default trigger.
  --no-ssl              Prevent SSL connection creation.
  --no-hex              Output containing non-printable characters is converted to hex by default. This option prevents the conversion.
  --conn-time=<secs>    Connection timeout (default is 5s).
  --read-time=<secs>    Read timeout (default is 3s).
  --verbose             Show additional program details, such as any errors.
  --show-triggers       Show the supported triggers.
  --version             Show the program version.
  --help                Display the help text you are reading now.
Triggers
I like software that is open; you can read my source to discover exactly how bannergrab sends triggers to services. However, for those of you who do not want to go through the code, here is a brief description.
Bannergrab will look at the port number that has been specified and try to match it to a trigger or set of triggers. It does NOT probe the service to determine this. If a trigger is found for that port then it will use that; otherwise it will use the default one.
The triggers are sent one after another and each response is captured. It is as simple as that.
This is of course dependent on the user not simply disabling triggers.
The triggers do the following:
FTP
* Asks for help.
* Attempts to log in anonymously.
* Quits.
SMTP
* Says hello.
* Asks for help.
* Attempts to VRFY postmaster.
* Attempts to VRFY bannergrab123.
* Attempts to EXPN postmaster.
* Quits.
Telnet
* Sends two carriage returns.
Finger
* Attempts to enumerate a few users.
HTTP(S)
* Asks for OPTIONS.
POP2/3
* Quits.
NNTP
* Asks for HELP.
* Lists the newsgroups.
* Quits.
FW1 Admin
* Attempts to list IPs.
FW1 Auth
* Sends two carriage returns.
LDAP(S)
* Performs an anonymous bind.
* Gets a list of base Distinguished Names (DN).
MSSQL
* Attempts a login using the BannerGrab user.
MySQL
* Waits longer for a MySQL response.
Discard/Echo
* Sends echo.
Chargen/Daytime/QOTD/SSH/VMWare/Printer
* Sends nothing.
NTP
* Queries time.
* Queries read list.
* Queries peers.
SNMP
* Sends "public" community string.
* Sends "private" community string.
NetBIOS Name Service
* Name query.
ALL OTHERS (Default)
* Sends OPTIONS and asks for HELP.
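The three mechanics described on this page that are easiest to get wrong when reimplementing a grabber are the port-only trigger lookup (no probing, default trigger on a miss, nothing at all with --no-triggers), the hex rendering of non-printable bytes that --no-hex switches off, and the upper limit on how much is read from a service such as chargen that never stops sending. The following Python is an added illustration written for this page, not BannerGrab's own code: the trigger names are the ones listed above, but the port-to-trigger mapping uses the standard well-known ports and is my assumption (the page does not say which ports the tool maps to each trigger), the `\xhh` escape format is my choice, and all sample banners are constructed.

```python
"""
Added illustration (not BannerGrab's own code) of three behaviours the page
describes: choosing a trigger from the port number alone, rendering responses
that contain non-printable bytes as hex, and capping how much is read from a
service that never stops talking (the chargen upper limit).
"""
from typing import Iterable, Iterator, Optional, Tuple

# Trigger names are the ones the page lists.  The port numbers are the
# standard well-known ports for each service; this mapping is an assumption,
# as the page does not state which ports BannerGrab associates with each
# trigger.  Only a subset is shown.
TRIGGER_PORTS = {
    ("tcp", 21): "FTP",
    ("tcp", 22): "Chargen/Daytime/QOTD/SSH/VMWare/Printer",
    ("tcp", 23): "Telnet",
    ("tcp", 25): "SMTP",
    ("tcp", 79): "Finger",
    ("tcp", 80): "HTTP(S)",
    ("tcp", 110): "POP2/3",
    ("tcp", 119): "NNTP",
    ("tcp", 389): "LDAP(S)",
    ("tcp", 443): "HTTP(S)",
    ("tcp", 636): "LDAP(S)",
    ("tcp", 1433): "MSSQL",
    ("tcp", 3306): "MySQL",
    ("udp", 123): "NTP",
    ("udp", 137): "NetBIOS Name Service",
    ("udp", 161): "SNMP",
}
DEFAULT_TRIGGER = "ALL OTHERS (Default)"


def select_trigger(port: int, udp: bool = False,
                   no_triggers: bool = False) -> Optional[str]:
    """Pick a trigger purely from the port number and transport.

    Mirrors the page's description: no probing of the service takes place,
    an unknown port falls back to the default trigger, and --no-triggers
    means only the connection banner is collected (returned as None here).
    """
    if no_triggers:
        return None
    return TRIGGER_PORTS.get(("udp" if udp else "tcp", port), DEFAULT_TRIGGER)


def render_banner(data: bytes, hex_nonprintable: bool = True) -> str:
    """Render a captured response for display.

    With hex_nonprintable=True (the tool's default) printable ASCII plus
    CR/LF/TAB pass through and every other byte becomes \\xhh; the exact
    escape format is my choice, the page only says "converted to hex".
    With hex_nonprintable=False (the --no-hex option) bytes are shown raw.
    """
    if not hex_nonprintable:
        return data.decode("latin-1")
    out = []
    for b in data:
        if 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D):
            out.append(chr(b))
        else:
            out.append(f"\\x{b:02x}")
    return "".join(out)


def bounded_read(chunks: Iterable[bytes], limit: int) -> Tuple[bytes, bool]:
    """Accumulate socket reads until EOF or `limit` bytes, whichever first.

    `chunks` stands in for successive recv() results (an empty chunk is EOF).
    Returns (data, truncated).  Without such a cap a chargen-style service
    would keep the reader busy until the read timeout on every call.
    """
    buf = bytearray()
    for chunk in chunks:
        if not chunk:
            break
        buf.extend(chunk)
        if len(buf) >= limit:
            return bytes(buf[:limit]), True
    return bytes(buf), False


def chargen_like() -> Iterator[bytes]:
    """Constructed stand-in for a chargen service: never-ending output."""
    line = bytes(range(0x21, 0x7F)) + b"\r\n"
    while True:
        yield line


if __name__ == "__main__":
    # Constructed sample responses, not captured from any real host.
    ssh_banner = b"SSH-2.0-ExampleServer\r\n"
    odd_banner = b"\x00\x05\x1a\xffHELLO\r\n"
    print(select_trigger(22), "->", render_banner(ssh_banner))
    print(select_trigger(8080), "->", render_banner(odd_banner))
    print(select_trigger(161, udp=True))
    data, truncated = bounded_read(chargen_like(), 256)
    print(len(data), "bytes read, truncated =", truncated)
```

Note that the UDP and TCP tables are keyed separately: TCP port 161 falls through to the default trigger, which matches the page's statement that the lookup is by port and transport rather than by probing what actually answers.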
Downloads
The latest versions of BannerGrab can be obtained from the SourceForge project download page.
Changes
Version: 3.5
Date   : 18/04/2008
Author : Ian Ventura-Whiting (Fizz)
Changes: The following is a list of changes since the previous version:
  > Added FW1 Client Authentication trigger
  > Added ISA-KMP trigger
  > Improved FTP trigger
  > Improved Default trigger
  > Improved mixed hex and ASCII output

Version: 3.4
Date   : 31/03/2008
Author : Ian Ventura-Whiting (Fizz)
Changes: The following is a list of changes since the previous version:
  > Added Telnet trigger

Version: 3.3
Date   : 01/01/2008
Author : Ian Ventura-Whiting (Fizz)
Changes: The following is a list of changes since the previous version:
  > Revised the license to make a binary compatibility exception with OpenSSL.
  > Added a Makefile
  > Added a manual page

Version: 3.2
Date   : 29/10/2007
Author : Ian Ventura-Whiting (Fizz)
Changes: The following is a list of changes since the previous version:
  > Added a further SSL read timeout for SSL services that do not want to play fair.

Version: 3.1
Date   : 25/09/2007
Author : Ian Ventura-Whiting (Fizz)
Changes: The following is a list of changes since the previous version:
  > An exception added to the license to make it BINARY compatible with OpenSSL. Makes it easier for packagers.

Version: 3.0
Date   : 20/09/2007
Author : Ian Ventura-Whiting (Fizz)
Notes  : This version adds support for UDP services.
Changes: The following is a list of changes since the previous version:
  > Added UDP support.
  > Added NTP trigger.
  > Added SNMP trigger.
  > Added NetBIOS-NS trigger.
  > Removed new line at program end.
  > General tidy-up.

Version: 2.0
Date   : 03/09/2007
Author : Ian Ventura-Whiting (Fizz)
Notes  : This version identifies SSL services and provides SSL service information. Use an SSL scanner to determine the supported ciphers; that is not the purpose of this tool. Try http://sslscan.sf.net
Changes: The following is a list of changes since the previous version:
  > Added SSL service information feedback.
  > Added current SSL cipher.
  > Added SSL service certificate.
  > Added a show triggers option.
  > Added: user can specify a trigger.
  > Fixed a minor command parameter parsing issue.

Version: 1.0
Date   : 29/08/2007
Author : Ian Ventura-Whiting (Fizz)
Notes  : First SourceForge release.
Changes: The following is a list of changes since the previous version:
  > Fixed bug with HEX output.
  > Added MS-SQL trigger.
  > Added LDAP trigger.
  > Added increased read timeout for MySQL.
  > Added alternative behaviour for QOTD, Daytime and Discard.
  > Added trigger for Echo.
  > General trigger enhancements.
  > Added NOSSL compile option.

Version: 0.5
Date   : 07/08/2007
Author : Ian Ventura-Whiting (Fizz)
Changes: The following is a list of changes since the previous version:
  > Added function to catch signals.
  > Added read timeout and set default to 3 seconds.

Version: 0.4
Date   : 06/08/2007
Author : Ian Ventura-Whiting (Fizz)
Changes: The following is a list of changes since the previous version:
  > Added timeout to SSL connection.
  > Added web site URL to banner.
  > Improved help text.

Version: 0.3
Date   : 16/07/2007
Author : Ian Ventura-Whiting (Fizz)
Changes: The following is a list of changes since the previous version:
  > Improved triggers.
  > Improved performance.
  > Fixed silly alarm bug.
  > Added upper limit to fix services such as chargen.
  > Added support for SSL.
  > Prints non-printing output as a HEX dump. This option can also be disabled.

Version: 0.2
Date   : 15/07/2007
Author : Ian Ventura-Whiting (Fizz)
Changes: The following is a list of changes since the previous version:
  > Added triggers
  > Improved read/write to socket

Version: 0.1
Date   : 14/07/2007
Author : Ian Ventura-Whiting (Fizz)
Notes  : Initial version of bannergrab-ng
License
SSLScan is covered by GPL version 3 with the following exclusion:
In addition, as a special exception, the copyright holders give permission to link the code of portions of this program with the OpenSSL library under certain conditions as described in each individual source file, and distribute linked combinations including the two. You must obey the GNU General Public License in all respects for all of the code used other than OpenSSL. If you modify file(s) with this exception, you may extend this exception to your version of the file(s), but you are not obligated to do so. If you do not wish to do so, delete this exception statement from your version. If you delete this exception statement from all source files in the program, then also delete it here.
You can get a copy of the GPLv3 license from here.