Banières : Cacher les banières de ses applications (Service banner faking)

From Deimos.fr / Bloc Notes Informatique
Jump to: navigation, search

1 Introduction

This is a quick howto on faking service banners. Service banners often contain a lot of usefull information for malicious script-kiddies, like the (real) running software on the remote host and it's version number. Knowing this, they can better target their exploits. This howto deals with changing this information. Keep in mind that this won't make your system more secure against a known exploit when you run a vulnerable service, however it can provide some 'social engineering' security: script-kiddies often scan whole IP blocks for a known vulnerability, and only attack those who give back a banner telling that they run the vulnerable service. This howto aims to fake the service banners and in this way, fool the script-kiddies. However, your system will still be vulnerable to an exploit if you're running a vulnerable service! If a script-kiddie runs his exploit, even if he sees you don't send out the right banner, you can still be hacked. So, always keep your system up-to-date, see this as an way to decrease the amount of effective attacks on your system, not as a way to be invulnerable. Of course there's also the fun-factor: it's quite amusing to see script-kiddies attempt to break into your 'Microsoft-IIS/5.0' also known as Apache 1.3.27 *grin*.

In this howto we're going to hide some known services with banners from some other known (but worse) services. We've got five services running: ftp, ssh, smtp, http and pop3. Currently these services are running on: Proftpd 1.2.7, OpenSSH_3.5p1, Postfix 2.0.6, Apache/1.3.27 and Teapop 0.3.5. We're going to 'transform' these services to: Microsoft FTP Service, OpenSSH, Microsoft ESMTP MAIL Service, Microsoft-IIS/5.0 and Microsoft Exchange 2000 POP3 server. Of course we could had changed them to anything, but for the fun of it, we'll change it to Microsoft.

Probably, the service programmers don't want users to change the service banners. The only reason I can come up with is their ego. Statistics collectors on the Internet (example: Netcraft.com collecting HTTP/HEAD information), count the number of machines running service X. For programmers it's really a boost to see how many people are using their software. As long as the software is released under the GNU/GPL, you're completely free to modify anything from the source, and you're even allowed to re-distribute the changes. If you want to keep the programmers on the friendly side, you could change the banner to only advertise which software runs, not the version number or other information.

Please note:
You are completely responsable for your own actions. I can never be held responsable for any damage this HOWTO has done to you, your systems or your life. This works for me, however that doesn't guarantee this will work for you.

Terminology:
FQDN = Fully Qualified Domain Name (hostname.domain.tld) Hostname = First part of the FQDN (example: localhost) Text between the < and > should be replaced with the corresponding values.

2 Services

2.1 ProFTPd

Current banner:

220 ProFTPD 1.2.7 Server (FTP for: ) []

Banner lay-out: “response_code product_name product_version Server (ServerName) [hostname]” Wanted banner:

220 Microsoft FTP Service (Version 5.0).

Howto: Open src/main.c and search for

Configuration File src/main.c
if((id = find_config(server->conf,CONF_PARAM,"ServerIdent",FALSE))

Comment :

Configuration File src/main.c
(/* if-block */)

the whole if-block and add the following line under the if-block :

Configuration File src/main.c
send_response("220", "%s", server->ServerName);

Now re-compile proftpd. After compiling edit proftpd.conf and change the “ServerName” directive to " Microsoft FTP Service (Version 5.0).".

2.2 OpenSSH

Current banner:

SSH-2.0-OpenSSH_3.5p1

Banner lay-out: SSH-version-OpenSSH_version Wanted banner:

SSH-2.0-OpenSSH

Howto: Open version.h and cut the "_3.5p1" from the end :

Configuration File version.h
My_SSH_version

Re-compile and it's done.

2.3 Postfix

Current banner:

220  ESMTP Ready and Serving.
Banner lay-out: “response_code hostname ESMTP additional_information”

Wanted banner:

220 fire.deimos.fr Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at Tue, 1 Apr 2008 16:57:50 +0200

Howto:

  • Open postfix’s main.cf (configuration file) and add this line :
Configuration File /etc/postfix/main.cf
smtpd_banner = fire.deimos.fr Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830

  • In the Postfix source edit the file src/global/mail_date.c and search the line :
Configuration File src/global/mail_date.c
#define STRFTIME_FMT "%a, %d %b %Y %H:%M:%S "

and replace with :

Configuration File src/global/mail_date.c
#define STRFTIME_FMT "%a,%d %b %Y %H:%M:%S "

There is only one space to delete.

Stay in this file and search this line :

Configuration File src/global/mail_date.c
while (strftime(vstring_end(vp), vstring_avail(vp), " (%Z)", lt) == 0)

and replace with :

Configuration File src/global/mail_date.c
while (strftime(vstring_end(vp), vstring_avail(vp), " ", lt) == 0)

This if for deleting the (EST) at the end of the line.

  • Now to finish, open src/smtpd/smtpd.c and search for the line :
Configuration File src/smtpd/smtpd.c
smtpd_chat_reply(state, "220 %s", var_smtpd_banner);

and replace it with this line:

Configuration File src/smtpd/smtpd.c
smtpd_chat_reply(state, "220 %s ready at %s", var_smtpd_banner, mail_date(time((time_t *) 0)));

  • Now recompile, restart postfix and you're done :-)

2.4 Apache

2.4.1 Method 1

Current banner:

Apache/1.3.27 (Unix) mod_perl/1.25 PHP/4.2.3

Banner lay-out: “BASEPRODUCT/BASEREVISION (OS) Apache modules”
Wanted banner:

Microsoft-IIS/5.0

Howto : Open /src/include/httpd.h and search for :

Configuration File /src/include/httpd.h
#define SERVER_BASEVENDOR “Apache Group”
#define SERVER_BASEPRODUCT “Apache”
#define SERVER_BASEREVISION “”

Change this to the desired values :

Configuration File /src/include/httpd.h
define SERVER_BASEVENDOR: Microsoft
define SERVER_BASEPRODUCT: Microsoft-IIS
define SERVER_BASEREVISION: 5.0

Now re-compile apache.

You can continue with the second method to have a full banner faking.

2.4.2 Method 2

Open your httpd.conf (or apache2.conf) and search thoses directive. If it’s not there, add it. Set ServerTokens to Min :

Configuration File /etc/apache2/apache2.conf
ServerSignature Off
ServerTokens Prod

More information about the ServerTokens directive is at: http://carnagepro.com/pub/Docs/Apache2/mod/core.html#servertokens.

2.5 Teapop

Current banner:

+OK Teapop [v0.3.5] - Teaspoon stirs around again <1048009854.3FB15180@Llywellyn>

Banner lay-out: "POP_OK Teapop [version] - banner - "
Wanted banner :

+OK Microsoft Exchange 2000 POP3 server version 6.0.6249.0 () ready.

Howto: The file /teapop/pop_hello.c contains the following line :

Configuration File /teapop/pop_hello.c
pop_socket_send(pinfo->out, "%s Teapop [v%s] - %s %s", POP_OK, POP_VERSION, POP_BANNER, pinfo->apopstr);"

Change this line to:

Configuration File /teapop/pop_hello.c
pop_socket_send(pinfo->out, "%s Microsoft Exchange 2000 POP3 server version 6.0.6249.0 () ready.", POP_OK);"

Now re-compile and it's done.

2.6 Telnet (on Solaris)

The default banner displayed during a telnet login contains the Solaris version which can be useful to a potential attacker.

Create a plain text file called "/etc/default/telnetd" which contains a line such as :

Configuration File /etc/default/telnetd
BANNER="Unauthorized access prohibited\n\n"

The \n characters encode blank lines.

2.7 Lighttpd

On Lighttpd, it's very easy, simply add this line to your configuration file and restart the server :

Configuration File /etc/lighttpd/lighttpd.conf
server.tag = "Apache/1.3.29 (Unix) mod_perl/1.29 PHP/4.4.1 mod_ssl/2.8.16 OpenSSL/0.9.7g"