What is Banner Grabbing?
Banner grabbing is a reconnaissance technique used to gather information about computer systems on a network and the services running on open ports. When a client connects to a service, many services respond with a "banner" — a text message that typically includes the software name, version, and sometimes the operating system.
Types of Banner Grabbing
Active Banner Grabbing
Directly connecting to a service and reading its response. Tools like Netcat, Telnet, or Nmap can be used:
$ nc example.com 80
HEAD / HTTP/1.0
HTTP/1.1 200 OK
Server: nginx/1.24.0
Passive Banner Grabbing
Collecting banner information without directly interacting with the target, typically by analyzing traffic or using search engines like Zondex.
Common Banners
| Protocol | Example Banner | What It Reveals |
|---|---|---|
| HTTP | Server: nginx/1.24.0 | Web server software and version |
| SSH | SSH-2.0-OpenSSH_8.9p1 | SSH daemon and version |
| FTP | 220 ProFTPD 1.3.8 Server | FTP server software |
| SMTP | 220 mail.example.com ESMTP Postfix | Mail server software |
| MySQL | 5.7.42-0ubuntu0.18.04.1 | Database version |
Security Implications
Banner information can reveal:
- Software versions with known vulnerabilities (CVEs)
- Operating system details
- Configuration information and internal hostnames
Organizations should consider banner hardening — modifying or removing version information from service banners to reduce information exposure.
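To check your own services before and after hardening, the sketch below parses banners in the formats from the table above and reports what each one discloses. It is an added example, not part of the original page; the regular expressions, the `audit_banner` name, and the sample list are assumptions made for illustration and cover only the banner shapes shown here.

```python
import re

# One pattern per protocol (illustrative, matched to the banner shapes in the table).
# Each captures the product name and, where present, version, hostname, or build tag.
PATTERNS = {
    "http":  r"^Server:\s*(?P<product>[A-Za-z][\w-]*)(?:/(?P<version>\d[\w.-]*))?",
    "ssh":   r"^SSH-\d+\.\d+-(?P<product>[A-Za-z]+)(?:_(?P<version>\d\S*))?",
    "ftp":   r"^220[ -](?P<product>[A-Za-z]\w*)(?:\s+(?P<version>\d+(?:\.\d+)+\w*))?",
    "smtp":  r"^220[ -](?P<hostname>\S+)\s+ESMTP(?:\s+(?P<product>[A-Za-z]\w*))?",
    "mysql": r"^(?P<version>\d+(?:\.\d+)+)(?:-(?P<build>\S+))?",
}

def audit_banner(protocol, banner):
    """Return the fields a banner discloses plus a one-line verdict."""
    m = re.match(PATTERNS[protocol], banner.strip())
    fields = m.groupdict() if m else {}
    result = {k: fields.get(k) for k in ("product", "version", "hostname", "build")}
    if result["version"]:
        result["verdict"] = "version disclosed"
    elif result["product"]:
        result["verdict"] = "product only"
    else:
        result["verdict"] = "no product or version"
    return result

# Constructed sample input: the banners from the table, plus the Server header
# nginx sends once version tokens are switched off (server_tokens off).
SAMPLES = [
    ("http", "Server: nginx/1.24.0"),
    ("http", "Server: nginx"),
    ("ssh", "SSH-2.0-OpenSSH_8.9p1"),
    ("ftp", "220 ProFTPD 1.3.8 Server"),
    ("smtp", "220 mail.example.com ESMTP Postfix"),
    ("mysql", "5.7.42-0ubuntu0.18.04.1"),
]

def audit_all(samples):
    """Audit every (protocol, banner) pair and return (protocol, banner, result)."""
    return [(proto, banner, audit_banner(proto, banner)) for proto, banner in samples]

if __name__ == "__main__":
    for proto, banner, result in audit_all(SAMPLES):
        disclosed = {k: v for k, v in result.items() if v and k != "verdict"}
        print(f"{proto:5} {banner!r:40} {result['verdict']:22} {disclosed}")
```

The SMTP banner carries no version but still exposes a hostname, and the MySQL build suffix points at the operating system release, which are the other two disclosure types listed above.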
Search on Zondex
Use the banner: filter to search within service banners:
- banner:nginx — find servers with "nginx" in their banner
- banner:Apache — find Apache web servers
- banner:OpenSSH — find SSH servers revealing OpenSSH version