Hiding or Changing Service Versions from Port Scans

  1. #1
    Junior Member
    Join Date
    Mar 2009
    Posts
    1

    Hiding or Changing Service Versions from Port Scans

    I was wondering if there was a way to change how a port scan like nmap views service versions, or a way to spoof it so that it thinks it's something different or just can't figure it out. I'm trying to do this on a *nix system, specifically ubuntu server.

  2. #2
    Super Moderator
    Know-it-All Master Beaver

    Join Date
    Jan 2003
    Posts
    3,914
    Hey,

    That's a fairly generic question... so here's a fairly generic answer.

    It is indeed possible to change the reported version for many of your services. This will confuse software that does banner checking, it will not necessarily deter software that relies on feature-printing. Feature-printing is the act of researching responses from various servers (Apache vs IIS vs nginx) and then the unique responses within various server versions (apache 1.3 vs 2.0 vs 2.2) and finally looking at minor version changes (apache 2.2.4 vs 2.2.6 vs 2.2.10). Feature-printing is generally difficult to beat as you actually have to modify the operation of the software.

    Now for banner detection (which is what quite a bit of software uses -- nmap included in many cases), you can generally quite easily change your banner.

    In Apache you can use ServerTokens to adjust how much of the banner is displayed (Server Name vs Server Version vs Server Version + OS vs Server & Software Versions). You can also modify if your banner is displayed on error pages with the ServerSignature option.

    If you wanted the server to offer up a different banner altogether (and not say Apache) you'd have to recompile it from source and modify the file ap_release.h. You'd be interested in the following code:
    Code:
    /*
     * The below defines the base string of the Server: header. Additional
     * tokens can be added via the ap_add_version_component() API call.
     *
     * The tokens are listed in order of their significance for identifying the
     * application.
     *
     * "Product tokens should be short and to the point -- use of them for 
     * advertizing or other non-essential information is explicitly forbidden."
     *
     * Example: "Apache/1.1.0 MrWidget/0.1-alpha" 
     */
    #define AP_SERVER_BASEVENDOR "Apache Software Foundation"
    #define AP_SERVER_BASEPROJECT "Apache HTTP Server"
    #define AP_SERVER_BASEPRODUCT "Apache"
    
    #define AP_SERVER_MAJORVERSION_NUMBER 2
    #define AP_SERVER_MINORVERSION_NUMBER 3
    #define AP_SERVER_PATCHLEVEL_NUMBER   2
    #define AP_SERVER_DEVBUILD_BOOLEAN    1
    
    #if AP_SERVER_DEVBUILD_BOOLEAN
    #define AP_SERVER_ADD_STRING          "-dev"
    #else
    #define AP_SERVER_ADD_STRING          ""
    #endif
    From there, it depends on the software you're talking about, so perhaps you have a better idea of what you want to change the banner for?

    One more example would be DNS -- BIND specifically. BIND will respond to a version.bind query. You can perform this query using nslookup with the following command: nslookup -q=txt -class=CHAOS version.bind. <dns server>

    Here's my router, which is running m0n0wall and using dnsmasq-2.45 to resolve queries
    Code:
    C:\Documents and Settings\treguly>nslookup -q=txt -class=CHAOS version.bind. 192.168.1.1
    Server:  m0n0wall
    Address:  192.168.1.1
    
    version.bind    text =  "dnsmasq-2.45"
    While this is my remote dns server, which I've masked the version on:
    Code:
    treguly@ns:~$ nslookup -q=txt -class=CHAOS version.bind. ns
    Server:         ns
    Address:        74.208.X.X#53
    
    version.bind    text = "None of your Business!"
    The code to change the banner to "None of your Business!" was:

    version "None of your Business!";

    within the options { } directive of the bind config file.

    For more info on feature-printing you may want to check out this presentation:
    PDF
    Slides w/ Audio
    Last edited by HTRegz; March 8th, 2009 at 01:04 AM.
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".
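    An added example, not part of the thread above: a small Python script that builds the same CHAOS-class TXT query for version.bind. that the nslookup command sends, and parses the reply, so an administrator can confirm their own resolver really returns a masked string (or REFUSED) after changing the version option. The sample reply bytes are constructed here for offline testing and mirror the dnsmasq-2.45 answer shown in the post.

```python
import socket
import struct
CLASS_CH, TYPE_TXT = 3, 16   # CHAOS class and TXT record type

def build_version_bind_query(txid=0x1234):
    """Wire-format equivalent of: nslookup -q=txt -class=CHAOS version.bind. <server>"""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(p)]) + p for p in (b"version", b"bind")) + b"\x00"
    return header + qname + struct.pack(">HH", TYPE_TXT, CLASS_CH)

def _skip_name(msg, off):  # offset just past a (possibly compressed) domain name
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if (ln & 0xC0) == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + ln

def parse_version_txt(msg):
    """Return TXT strings from the answer section; [] if none or RCODE != NOERROR."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0x000F:            # e.g. REFUSED, which a masked server may answer
        return []
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4   # skip QTYPE and QCLASS
    texts = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == TYPE_TXT and rclass == CLASS_CH:
            i = 0
            while i < len(rdata):     # TXT rdata is a series of <len><chars>
                n = rdata[i]
                texts.append(rdata[i + 1:i + 1 + n].decode("latin-1"))
                i += 1 + n
    return texts

def query_version(server, timeout=2.0):  # UDP query to a resolver you administer
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_version_bind_query(), (server, 53))
        return parse_version_txt(s.recv(512))

# Constructed reply (not a capture): question echoed, then a TXT answer "dnsmasq-2.45"
SAMPLE_RESPONSE = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                   + build_version_bind_query()[12:] + b"\xc0\x0c"   # name = pointer to 12
                   + struct.pack(">HHIH", TYPE_TXT, CLASS_CH, 0, 13) + b"\x0cdnsmasq-2.45")
```

    query_version("192.168.1.1") performs the live check against a server you operate; an empty list means the server returned no CHAOS TXT answer (for example REFUSED), which is what you want to see after masking.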
