-
March 7th, 2009, 09:37 PM
#1
Junior Member
Hiding or Changing Service Versions from Port Scans
I was wondering if there was a way to change how a port scan like nmap views service versions, or a way to spoof it so that it thinks it's something different or just can't figure it out. I'm trying to do this on a *nix system, specifically ubuntu server.
-
March 8th, 2009, 12:58 AM
#2
Hey,
That's a fairly generic question... so here's a fairly generic answer
It is indeed possible to change the reported version for many of your services. This will confuse software that does banner checking, it will not necessarily deter software that relies on feature-printing. Feature-printing is the act of researching responses from various servers (Apache vs IIS vs nginx) and then the unique responses within various server versions (apache 1.3 vs 2.0 vs 2.2) and finally looking at minor version changes (apache 2.2.4 vs 2.2.6 vs 2.2.10). Feature-printing is generally difficult to beat as you actually have to modify the operation of the software.
Now for banner detection (which is what quite a bit of software uses -- nmap included in many cases), you can generally quite easily change your banner.
In Apache you can use ServerTokens to adjust how much of the banner is displayed (Server Name vs Server Version vs Server Version + OS vs Server & Software Versions). You can also modify if your banner is displayed on error pages with the ServerSignature option.
If you wanted the server to offer up a different banner all together (and not say Apache) you'd have to recompile it from source and modify the file ap_release.h. You'd be interested in the following code:
Code:
/*
* The below defines the base string of the Server: header. Additional
* tokens can be added via the ap_add_version_component() API call.
*
* The tokens are listed in order of their significance for identifying the
* application.
*
* "Product tokens should be short and to the point -- use of them for
* advertizing or other non-essential information is explicitly forbidden."
*
* Example: "Apache/1.1.0 MrWidget/0.1-alpha"
*/
#define AP_SERVER_BASEVENDOR "Apache Software Foundation"
#define AP_SERVER_BASEPROJECT "Apache HTTP Server"
#define AP_SERVER_BASEPRODUCT "Apache"
#define AP_SERVER_MAJORVERSION_NUMBER 2
#define AP_SERVER_MINORVERSION_NUMBER 3
#define AP_SERVER_PATCHLEVEL_NUMBER 2
#define AP_SERVER_DEVBUILD_BOOLEAN 1
#if AP_SERVER_DEVBUILD_BOOLEAN
#define AP_SERVER_ADD_STRING "-dev"
#else
#define AP_SERVER_ADD_STRING ""
#endif
From it depends on the software you're talking about, so perhaps you have a better idea of what you want to change the banner for?
One more example would be DNS -- BIND Specifically.... BIND will respond to a version.bind query. You can perform this query using nslookup with the following command: nslookup -q=txt -class=CHAOS version.bind. <dns server>
Here's my router, which is running m0n0wall and using dnsmasq-2.45 to resolve queries
Code:
C:\Documents and Settings\treguly>nslookup -q=txt -class=CHAOS version.bind. 192.168.1.1
Server: m0n0wall
Address: 192.168.1.1
version.bind text = "dnsmasq-2.45"
While this is my remote dns server, which I've masked the version on:
Code:
treguly@ns:~$ nslookup -q=txt -class=CHAOS version.bind. ns
Server: ns
Address: 74.208.X.X#53
version.bind text = "None of your Business!"
The code to change the banner to "None of your Business!" was:
version "None of your Business!";
within the options { } directive of the bind config file.
For more info on featureprinting you may want to check out this presentation:
PDF
Slides w/ Audio
Last edited by HTRegz; March 8th, 2009 at 01:04 AM.
Similar Threads
-
By GbinaryR in forum AntiVirus Discussions
Replies: 11
Last Post: October 30th, 2008, 09:33 AM
-
By phgonline in forum Spyware / Adware
Replies: 12
Last Post: June 18th, 2006, 11:30 PM
-
By mr-unix in forum Programming Security
Replies: 4
Last Post: April 26th, 2006, 02:33 AM
-
By yanksfan in forum The Security Tutorials Forum
Replies: 1
Last Post: July 6th, 2004, 04:01 PM
-
By LordChaos in forum Firewall & Honeypot Discussions
Replies: 19
Last Post: October 4th, 2002, 11:58 AM
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|