Banner Grabbing

Banner Grabbing is a reconnaissance technique that collects information from service banners - the identification strings that servers send when connections are established. Banners reveal software names, versions, and configuration details.

Banner Sources

• HTTP Server headers
• SSH welcome messages
• FTP banners
• SMTP greeting messages
• Database connection responses

HTTP Banner Grabbing

$ curl -I https://example.com

HTTP/2 200
server: nginx/1.18.0
x-powered-by: PHP/7.4.3
x-aspnet-version: 4.0.30319

Service Banner Examples

# SSH
$ nc example.com 22
SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1

# SMTP
$ nc example.com 25
220 mail.example.com ESMTP Postfix

# FTP
$ nc example.com 21
220 ProFTPD 1.3.5 Server

# MySQL
$ nc example.com 3306
5.7.31-0ubuntu0.18.04.1

Tools

# Nmap service detection
nmap -sV -p 22,80,443 example.com

# Netcat
nc -v example.com 80

# whatweb (web-specific)
whatweb example.com

Security Implications

• Version information enables targeted exploits
• Technology stack identification
• Configuration and patch level hints
• Operating system fingerprinting

Mitigation

• Configure services to minimize banner information
• Remove version numbers from headers
• Use generic or misleading banners

See Also

• Fingerprinting
• Subdomain Enumeration