
Thread: httpd wwwserver wear a disguise?

  1. #1
    Senior Member
    Join Date
    Feb 2003
    Posts
    282

    httpd wwwserver wear a disguise?

    The delete post button is not working for me, can one of the moderators please delete this post for me. Thank you.

    I decided not to ask the question after all because it could provide script kiddies reading this post with information on how they can gather information which could be used in bad ways. Sorry.

  2. #2
    Senior Member
    Join Date
    Aug 2002
    Posts
    651
    Aww hell, just post it Homey! That's why the top banner says "Hackers know the weaknesses..." Go ahead and post it. Just look at it this way, you may be helping someone that has no idea that a certain weakness/vulnerability exists. Share the knowledge...don't be stingy...
    Opinions are like holes - everybody's got'em.

    Smile

  3. #3
    Senior Member
    Join Date
    Feb 2003
    Posts
    282
    It's past 1440 minutes, the limit to edit my original post, so, ok..

    Well, I've been trying to hide the information my server gives away, Server tokens and Error 404 messages mainly.

    I've been learning how error 404 and HTTP GET requests can be used to gather information from a server, and since I'm not entirely competent of my security I am trying to disguise myself as an Apache server running on Red Hat.

    I have customised my Server Tokens to identify myself as Apache on Red Hat Linux. And I learned how to make a custom error 404 page for my server, removing the information from the bottom.

    I also disabled HEAD requests; I'm second-guessing my decision to do so.

    Noticed that netcraft.com can still detect what server and operating system I am running and I guess my questions are:

    1) Is it necessary to hide or fake this information, and is this common or rare?

    2) Was reading the FAQ at netcraft and they say they get the information from HTTP response headers. I checked mine and it says apache/2.0.0 (Red Hat Linux). Are there other ways of interpreting the headers? Can you speculate on how they might have gotten around my faked info?

  4. #4
    Senior Member
    Join Date
    Aug 2002
    Posts
    651
    I am not sure that you can change all of the signature responses from an IIS server. Try running a sniffer to follow the connection establishment and data transferred between the web browser and server. You can use something like Snort or TCPDump/Windump. There are many others, but I know that you can view it with these two. If I am right, then you will actually see your webserver identify itself as an IIS version whatever server.

    Hope that helps.
    Opinions are like holes - everybody's got'em.

    Smile

  5. #5
    Senior Member
    Join Date
    Feb 2003
    Posts
    282
    Not quite IIS but similar, I'm running KeyFocus Web Server on Windows/98.

    I never thought of using a sniffer and happen to have one I downloaded the other day for testing a web app I was making. Thank you for the suggestion.

  6. #6
    Senior Member
    Join Date
    Aug 2002
    Posts
    651
    No problem, here to help. Post your results... I'm curious to see what you find.


    t2k2


    [edit]If you have the chance, try an NMAP fingerprint of the server as well. You can get it from Insecure. Maybe that will shed some light as well.[/edit]
    Opinions are like holes - everybody's got'em.

    Smile

  7. #7
    Senior Member
    Join Date
    Feb 2003
    Posts
    282
    Still trying to figure out how my sniffer works, never used one before. But by morning I should have figured it out and have some useful output. I'm learning a lot already, it was a good suggestion. Also took note of NMAP fingerprint, however I'm not sure if it was NMAP or another tool, but once before when I had it, it gave me an error about scanning localhost. I will try it again.

    Will post my results when available, I'm very interested because netcraft.com correctly identified my server despite all attempts I made to hide or mask its identity.

  8. #8
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    Several things:

    - Netcraft identify the web server from the "Server" header. On most web servers, this cannot be removed or customised. On Apache, it can be reduced to "Apache" from "Apache-1.3.27 (Unix)" or whatever. On IIS it can be modified by 3rd party products.

    - Netcraft identify the OS from the TCP characteristics of the machine. This cannot be changed easily on most systems (although there are a number of efforts to do so). It is likely to be difficult to make a win98 box look like Linux (although you might have more success making a Linux box look like win98). In particular, you can't make the OS better at choosing initial TCP sequence numbers.

    - I wrote a program which attempts to identify web servers even when the "Server:" header is absent or lying, info is available here http://projectz.org/?id=142 (I don't yet have a signature for any of the less common web servers)

  9. #9
    Junior Member
    Join Date
    May 2003
    Posts
    13
    You might try a server identification tool like Idserv at http://grc.com/id/idserve.htm

  10. #10
    Banned
    Join Date
    May 2003
    Posts
    1,004
    (Not entirely on the subject, since I am unfamiliar with your webserver, but.. might be useful to others reading this thread)

    For IIS get URLScan (which you should be running anyhow) from:

    http://www.microsoft.com/technet/tre...ls/urlscan.asp

    RemoveServerHeader=1 in urlscan.ini does exactly what it says, this gives the following response from my server:

    HTTP/1.1 200 Ok
    Date: Sat, 17 May 2003 21:08:40 GMT
    pics-label: (pics-1.1 "http://www.icra.org/ratingsv02.html" comment "ICRAonline v2.0" l r (nz 1 vg 1 vj 1 lb 1 lc 1 og 1 cz 1) "http://www.rsac.org/ratingsv01.html" l r (n 0 s 0 v 3 l 2))
    Connection: close
    Transfer-Encoding: chunked
    Content-Type: text/html

    Hope this is useful to someone.
    As for your webserver, do you know how dangerous it is to run a webserver on a system that lacks access controls? Aside from that, there should be something in the docs, or just contact who made it and ask them what is wrong, maybe your system was cached on netcraft before the change?
    I personally don't see the need to try and hide what you are running, normally it takes an attacker all of one request to tell that you lied in the response and worms don't care. For the effort required of setting a 0 to a 1, I suppose it might have some net gain of protection over effort though, but only cause the effort is so minimal.

    catch
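
    As an added example (not code from any poster in this thread), a small self-audit of a server's response head: it reports what a Server header discloses and also extracts the status wording and header order that stay visible after the header is removed. The function names are hypothetical, the first sample is the response quoted in post #10 with its pics-label value shortened, and the second is constructed around the banner quoted in post #3; the thread does not say which characteristics any particular identification tool relies on.

```python
import re

# Response quoted in post #10 (URLScan RemoveServerHeader=1); pics-label shortened.
URLSCAN_RESPONSE = (
    "HTTP/1.1 200 Ok\r\n"
    "Date: Sat, 17 May 2003 21:08:40 GMT\r\n"
    'pics-label: (pics-1.1 "http://www.icra.org/ratingsv02.html")\r\n'
    "Connection: close\r\n"
    "Transfer-Encoding: chunked\r\n"
    "Content-Type: text/html\r\n\r\n"
)
# Constructed response carrying the banner the original poster reports in post #3.
BANNER_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: apache/2.0.0 (Red Hat Linux)\r\n"
    "Content-Type: text/html\r\n\r\n"
)

def parse_head(raw):
    """Split a raw response head into (reason phrase, ordered header list)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    reason = parts[2] if len(parts) == 3 else ""
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name, value.strip()))
    return reason, headers

def audit(raw):
    """Return (banner findings, residual 'shape' left once the banner is ignored)."""
    reason, headers = parse_head(raw)
    findings = []
    for name, value in headers:
        if name.lower() == "server":
            findings.append("Server header present: " + value)
            if re.search(r"\d+\.\d+", value):
                findings.append("Server header discloses a version number")
            if "(" in value:
                findings.append("Server header discloses a platform comment")
    # Reason-phrase wording and header name order/casing survive banner removal.
    shape = (reason, tuple(n for n, _ in headers if n.lower() != "server"))
    return findings, shape
```

    Comparing the `shape` value before and after a configuration change shows how much of the response is untouched by editing or removing the banner.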
