1
00:00:06,605 --> 00:00:08,260
- Our goal with Banner Grabbing,

2
00:00:08,260 --> 00:00:11,200
is to deduce information about two things.

3
00:00:11,200 --> 00:00:13,675
One is the service that's running.

4
00:00:13,675 --> 00:00:16,310
And secondly, the operating system that,

5
00:00:16,310 --> 00:00:18,366
that service is running on.

6
00:00:18,366 --> 00:00:19,590
Why do I say that?

7
00:00:19,590 --> 00:00:24,590
So if we can deduce that it is OpenSSH version 3.2,

8
00:00:25,409 --> 00:00:30,369
running on Red Hat Enterprise Linux from 10 years ago,

9
00:00:30,369 --> 00:00:33,357
what are the chances a vulnerability exists,

10
00:00:33,357 --> 00:00:37,470
in either that old version of OpenSSH

11
00:00:37,470 --> 00:00:40,680
or the operating system that it's running on?

12
00:00:40,680 --> 00:00:42,920
Then we consult vulnerability databases,

13
00:00:42,920 --> 00:00:45,680
we find something matching OpenSSH,

14
00:00:45,680 --> 00:00:47,369
version three dot whatever,

15
00:00:47,369 --> 00:00:52,310
and/or Red Hat Enterprise Linux version, long time ago

16
00:00:52,310 --> 00:00:55,860
and maybe we get access based on that information.

17
00:00:55,860 --> 00:00:59,790
So there are two different ways to grab this information,

18
00:00:59,790 --> 00:01:02,775
that is the Banner, so we have active and passive.

19
00:01:02,775 --> 00:01:04,490
With Active Banner Grabbing,

20
00:01:04,490 --> 00:01:07,210
what we're going to do is actually connect to the service

21
00:01:07,210 --> 00:01:09,790
and try to extract that information,

22
00:01:09,790 --> 00:01:13,870
by querying it or maybe just upon connection it tells you,

23
00:01:13,870 --> 00:01:16,490
as is the case with OpenSSH.

24
00:01:16,490 --> 00:01:18,600
And then secondly, we have Passive Banner Grabbing.

25
00:01:18,600 --> 00:01:19,770
With Passive Banner Grabbing,

26
00:01:19,770 --> 00:01:22,520
we're going to sniff the network, capture the packets

27
00:01:22,520 --> 00:01:26,250
and see if we can find when that session was established,

28
00:01:26,250 --> 00:01:27,610
that banner information.

29
00:01:27,610 --> 00:01:29,570
So let's take a look at this.

30
00:01:29,570 --> 00:01:32,730
With active banner grabbing, we see an example right here.

31
00:01:32,730 --> 00:01:37,730
We ran the command, telnet to 10.1.1.10 on port 22.

32
00:01:37,970 --> 00:01:41,303
So telnet primarily uses TCP port 23

33
00:01:41,303 --> 00:01:43,940
and it's just for remote administration.

34
00:01:43,940 --> 00:01:45,790
It's rarely used these days,

35
00:01:45,790 --> 00:01:49,940
because of its unencrypted method of communicating.

36
00:01:49,940 --> 00:01:52,100
If you were to capture a telnet session,

37
00:01:52,100 --> 00:01:54,530
you could see every character that was typed,

38
00:01:54,530 --> 00:01:56,340
every username and password that was typed,

39
00:01:56,340 --> 00:01:59,330
so a lot of good information in telnet sessions.

40
00:01:59,330 --> 00:02:00,930
So with Active Banner Grabbing,

41
00:02:00,930 --> 00:02:02,810
we're using the telnet command,

42
00:02:02,810 --> 00:02:04,930
which simply takes bytes from the keyboard

43
00:02:04,930 --> 00:02:07,351
and spits them out across a network socket,

44
00:02:07,351 --> 00:02:09,519
to something on the other end

45
00:02:09,519 --> 00:02:12,710
and we can use that to grab this information.

46
00:02:12,710 --> 00:02:16,735
So we're connecting to port 22 and OpenSSH by default,

47
00:02:16,735 --> 00:02:21,390
will output the version of OpenSSH that's running.

48
00:02:21,390 --> 00:02:25,160
So I run it on Ubuntu, OpenSSH 7.2p2.

49
00:02:25,160 --> 00:02:28,700
What vulnerabilities exist in OpenSSH 7.2p2,

50
00:02:28,700 --> 00:02:31,460
running on Ubuntu, that's where we go,

51
00:02:31,460 --> 00:02:33,170
take a look at those vulnerability databases

52
00:02:33,170 --> 00:02:34,960
and see what we can find out.

53
00:02:34,960 --> 00:02:35,950
Here's another example.

54
00:02:35,950 --> 00:02:39,130
In this case, we're going to use telnet, to figure out,

55
00:02:39,130 --> 00:02:42,330
the version of web server software that's running.

56
00:02:42,330 --> 00:02:45,890
So we're going to telnet to example.com on port 80

57
00:02:46,750 --> 00:02:51,130
and the HTTP protocol has different verbs,

58
00:02:51,130 --> 00:02:51,970
that are available too.

59
00:02:51,970 --> 00:02:55,610
You have GET, PUT, POST, DELETE, things like that.

60
00:02:55,610 --> 00:02:57,390
In this case, we're going to execute,

61
00:02:57,390 --> 00:03:02,390
GET / HTTP/1.1, Host: example.com, hit the Enter key twice

62
00:03:04,580 --> 00:03:06,880
and that empty line delimiter,

63
00:03:06,880 --> 00:03:09,230
tells the HTTP server that we're done,

64
00:03:09,230 --> 00:03:10,800
with what we've wanted to type

65
00:03:10,800 --> 00:03:13,930
and it will return a response as HTTP should.

66
00:03:13,930 --> 00:03:16,433
It is operating as it's expected to.

67
00:03:17,810 --> 00:03:21,930
It returns HTTP/1.1 200 OK, you made a valid request,

68
00:03:21,930 --> 00:03:24,568
HTTP response 200 is a valid request.

69
00:03:24,568 --> 00:03:26,270
We have a whole bunch of information,

70
00:03:26,270 --> 00:03:27,650
that comes from the server.

71
00:03:27,650 --> 00:03:28,880
One piece of information,

72
00:03:28,880 --> 00:03:31,460
that's particularly important is the Server header.

73
00:03:31,460 --> 00:03:34,850
In this case, we see it is running on AWS ECS,

74
00:03:34,850 --> 00:03:37,840
that's Amazon Web Services Elastic Container Store,

75
00:03:37,840 --> 00:03:38,830
in San Jose.

76
00:03:38,830 --> 00:03:40,777
So we even know the physical locality,

77
00:03:40,777 --> 00:03:45,777
of this particular container running on AWS ECS.

78
00:03:46,590 --> 00:03:48,600
You can do this with Netcat as well.

79
00:03:48,600 --> 00:03:51,190
So Netcat is similar to telnet,

80
00:03:51,190 --> 00:03:53,400
in that it will take what you do on the keyboard

81
00:03:53,400 --> 00:03:55,177
and send it across the network.

82
00:03:55,177 --> 00:03:59,306
The net is network cat, like the cat command,

83
00:03:59,306 --> 00:04:03,431
in various Unix systems out there, concatenate.

84
00:04:03,431 --> 00:04:06,830
So with Netcat what you type, goes across the network,

85
00:04:06,830 --> 00:04:08,810
provided you have an established session.

86
00:04:08,810 --> 00:04:12,510
So here we're running Netcat to web.com on port 80,

87
00:04:12,510 --> 00:04:16,900
we send that same GET verb, with the path that we want

88
00:04:16,900 --> 00:04:20,220
and HTTP version, Host: web.com.

89
00:04:20,220 --> 00:04:23,527
And we can see here that it is running on CloudFlare.

90
00:04:23,527 --> 00:04:25,982
We can do this with Nmap as well.

91
00:04:25,982 --> 00:04:29,976
So Nmap has a plugin script called banner.

92
00:04:29,976 --> 00:04:34,976
So we have a scan version, port 80 to doohickey.com.

93
00:04:35,560 --> 00:04:38,790
And it deduces that the version of web that's run

94
00:04:38,790 --> 00:04:39,920
or web server software,

95
00:04:39,920 --> 00:04:42,593
that's running on the system, is Apache.

96
00:04:44,880 --> 00:04:46,580
We can also look at file extensions.

97
00:04:46,580 --> 00:04:49,314
So in this screenshot right here, I'm running Chrome

98
00:04:49,314 --> 00:04:53,383
and with Chrome developer tools on that Network tab,

99
00:04:53,383 --> 00:04:56,410
I can actually see the files that are being requested.

100
00:04:56,410 --> 00:04:59,190
So right over here, we see default.aspx,

101
00:04:59,190 --> 00:05:00,830
that's an Active Server Page,

102
00:05:00,830 --> 00:05:03,990
so we know it's IIS in this case.

103
00:05:03,990 --> 00:05:07,300
What can we do to protect ourselves from our services

104
00:05:07,300 --> 00:05:10,020
and particularly web servers in the case of this slide,

105
00:05:10,020 --> 00:05:11,850
how can we protect our web servers,

106
00:05:11,850 --> 00:05:13,670
from divulging this information?

107
00:05:13,670 --> 00:05:15,610
Apache, if you're running Apache,

108
00:05:15,610 --> 00:05:17,800
gives you options to protect against it.

109
00:05:17,800 --> 00:05:21,511
We have ServerSignature Off, ServerTokens Production,

110
00:05:21,511 --> 00:05:23,655
we can see the explanations over here,

111
00:05:23,655 --> 00:05:26,670
it'll only return Apache in the Server header.

112
00:05:26,670 --> 00:05:29,363
You can also manually change what is returned,

113
00:05:29,363 --> 00:05:33,347
in the Server header, set Server CheetOS version 1.2.

114
00:05:33,347 --> 00:05:35,730
When that GET command is run,

115
00:05:35,730 --> 00:05:38,420
that's where we're going to see, CheetOS 1.2.

116
00:05:38,420 --> 00:05:40,830
For Internet Information Server from Microsoft,

117
00:05:40,830 --> 00:05:42,520
there is a lockdown wizard,

118
00:05:42,520 --> 00:05:45,693
you can search on microsoft.com to get access to that.