Thursday, March 23, 2017

Banner Grabbing/OUI


Banners are messages that are configured on some devices (routers, switches, servers) and appear under certain conditions, such as when someone is presented with a login screen or upon making a connection or when an error is encountered. These messages can impart information that can be used during the discovery phase of the hacking process. It may reveal the operating system or the version of firmware.
Banner grabbing is the process of connecting to the device using protocols such as Telnet, SMTP or HTTP and then generating an error displaying the banner. Once the hacker discovers this information, they can research weaknesses in the system. For this reason, any service not in use should be disabled to eliminate it as a source of connection.
Domain/Local Group Configurations
In cases where computers are part of a domain, the domain member computers will have both domain accounts and local accounts. Local accounts are thus only effective on the local machine and cannot be used to access the domain.
However, there are default local accounts that exist on these computers that can be used to log on locally to the computer, thereby circumventing the domain login process. It’s dangerous to leave some of these enabled, such as the local administrator account. While they cannot be deleted, it is possible to rename them and/or disable them. 
Jamming
Jamming is the process of sending out radio waves on the frequency used by a wireless network. It will have the effect of disassociating (disconnecting) all of the stations from the  AP, at least while the jam signal is still there. When used for that purpose, jamming could be considered a DoS attack.
However, it is usually part of an evil twin attack, when the hacker is attempting to get your wireless stations to connect to their access point. They will set their AP to the same  SSID as your wireless network but on a different channel (frequency). When they jam the real frequency, it causes the stations to seek another frequency with the same SSID, and they will find the hacker’s AP all too willing to allow their association.
Telnet is an application you can use to conduct banner grabbing. If Telnet is operational on the target system, even though port 23 may be closed, it is possible to learn what type of server is being used to host by using port 80 if you are probing a web server.
The thought process behind this is a lot like banner grabbing or any of a hundred different forced error situations in hacking: lots of information can be gleaned from responses to an error situation. A bogus internal address has the potential to provide more information about the internal servers used in the organization, including IP addresses and other pertinent details. Attempt banner grabbing.
Of the options presented, banner grabbing is probably your best bet. In fact, it’s a good start for
operating system fingerprinting. You can telnet to any of these active ports or run a nmap banner grab.
Either way, the returning banner may help in identifying the OS.


Which of the following methods correctly performs banner grabbing with Telnet on a Windows system?
A. telnet <IPAddress> 80
B. telnet 80 <IPAddress>
C. telnet <IPAddress> 80 -u
D. telnet 80 <IPAddress> -u
A. Telnetting to port 80 will generally pull a banner from a web server. You can telnet to any port you want to check, for that matter, and ideally pull a port; however, port 80 just seems to be the one used on the exam the most.   B, C, and D are incorrect. These are all bad syntax for Telnet.

APIs - REST API