HOWTO: Service banner faking
Published: 2019-05-10


This is a quick howto on faking service banners. Service banners often contain a lot of useful information for malicious script-kiddies, like the (real) software running on the remote host and its version number. Knowing this, they can better target their exploits. This howto deals with changing that information. Keep in mind that this won't make your system more secure against a known exploit when you run a vulnerable service; however, it can provide some 'social engineering' security: script-kiddies often scan whole IP blocks for a known vulnerability and only attack the hosts whose banner says they run the vulnerable service. This howto aims to fake the service banners and, in this way, fool the script-kiddies. However, your system will still be vulnerable to an exploit if you're running a vulnerable service! If a script-kiddie runs his exploit anyway, even though he sees you don't send out the expected banner, you can still be hacked. So always keep your system up-to-date, and see this as a way to decrease the number of effective attacks on your system, not as a way to be invulnerable. Of course there's also the fun factor: it's quite amusing to see script-kiddies attempt to break into your 'Microsoft-IIS/5.0', also known as Apache 1.3.27 *grin*.

In this howto we're going to hide some known services behind banners from some other known (but worse) services. We've got five services running: ftp, ssh, smtp, http and pop3. Currently these services are: Proftpd 1.2.7, OpenSSH_3.5p1, Postfix 2.0.6, Apache/1.3.27 and Teapop 0.3.5. We're going to 'transform' these services into: Microsoft FTP Service, OpenSSH, Microsoft ESMTP MAIL Service, Microsoft-IIS/5.0 and Microsoft Exchange 2000 POP3 server. Of course we could have changed them to anything, but for the fun of it, we'll change them to Microsoft.
Probably the service programmers don't want users to change the service banners. The only reason I can come up with is their ego. Statistics collectors on the Internet (for example Netcraft.com, which collects HTTP HEAD information) count the number of machines running service X. For programmers it's really a boost to see how many people are using their software. As long as the software is released under the GNU GPL, you're completely free to modify anything in the source, and you're even allowed to redistribute the changes. If you want to keep the programmers on the friendly side, you could change the banner to only advertise which software runs, not the version number or other information.
Please note: You are completely responsible for your own actions. I can never be held responsible for any damage this HOWTO has done to you, your systems or your life. This works for me; however, that doesn't guarantee it will work for you.
Terminology:
FQDN = Fully Qualified Domain Name (hostname.domain.tld)
Hostname = First part of the FQDN (example: localhost)
Text between the < and > should be replaced with the corresponding values.

  • proftpd:
    Current banner: 220 ProFTPD 1.2.7 Server (FTP for: ) [ ]
    Banner lay-out: "response_code product_name product_version Server (ServerName) [hostname]"
    Wanted banner: 220 Microsoft FTP Service (Version 5.0).
    Howto:
    Open /src/main.c and search for "if((id = find_config(server->conf,CONF_PARAM,"ServerIdent",FALSE))". Comment out the whole if-block (/* if-block */) and add the following line after the if-block:
    send_response("220", "%s", server->ServerName);
    Now re-compile proftpd. After compiling, edit proftpd.conf and change the "ServerName" directive to " Microsoft FTP Service (Version 5.0).".
  • sshd:
    Current banner: SSH-2.0-OpenSSH_3.5p1
    Banner lay-out: SSH-version-OpenSSH_version
    Wanted banner: SSH-2.0-OpenSSH
    Howto:
    Open /version.h and cut the "_3.5p1" from the end. Re-compile and it's done.
  • postfix:
    Current banner: 220 ESMTP Ready and Serving.
    Banner lay-out: "response_code hostname ESMTP additional_information"
    Wanted banner: 220 Microsoft ESMTP MAIL Service, Version: 5.0.2195.5329 ready at Tue, 18 Mar 2003 18:35:40 +0100
    Howto:
    Open postfix's main.cf (configuration file) and search for "smtpd_banner". Change the banner to whatever you want. The problem: Microsoft's ESMTP sends a date back, and Postfix can't. However, the file /src/global/mail_date.c returns a time in this form: "Mon, 9 Dec 1996 05:38:26 -0500 (EST)". So, if you really want to pretend to be Microsoft's ESMTP, do the following:
    Before compiling, open /src/smtpd/smtpd.c, search for the line "smtpd_chat_reply(state, "220 %s", var_smtpd_banner);" and replace it with these two lines:
    state->time = time((time_t *) 0);
    smtpd_chat_reply(state, "220 %s ready at %s", var_smtpd_banner, mail_date(state->time));
    Now recompile, edit main.cf so the banner says " Microsoft ESMTP MAIL Service, Version: 5.0.2195.5329" and you're done.
  • apache:
    Current banner: Apache/1.3.27 (Unix) mod_perl/1.25 PHP/4.2.3
    Banner lay-out: "BASEPRODUCT/BASEREVISION (OS) Apache modules"
    Wanted banner: Microsoft-IIS/5.0
    Howto:
    Open /src/include/httpd.h and search for:
    #define SERVER_BASEVENDOR "Apache Group"
    #define SERVER_BASEPRODUCT "Apache"
    #define SERVER_BASEREVISION " "
    Change these to the desired values (BASEVENDOR: Microsoft, BASEPRODUCT: Microsoft-IIS, BASEREVISION: 5.0). Now re-compile apache.
    Next: open your httpd.conf and search for the ServerTokens directive. If it's not there, add it. Set ServerTokens to Min ("ServerTokens Min"). More information about the ServerTokens directive is at: .
  • teapop:
    Current banner: +OK Teapop [v0.3.5] - Teaspoon stirs around again <1048009854.3FB15180@Llywellyn>
    Banner lay-out: "POP_OK Teapop [version] - banner - "
    Wanted banner: +OK Microsoft Exchange 2000 POP3 server version 6.0.6249.0 ( ) ready.
    Howto: The file /teapop/pop_hello.c contains the following line:
    pop_socket_send(pinfo->out, "%s Teapop [v%s] - %s %s", POP_OK, POP_VERSION, POP_BANNER, pinfo->apopstr);
    Change this line to:
    pop_socket_send(pinfo->out, "%s Microsoft Exchange 2000 POP3 server version 6.0.6249.0 ( ) ready.", POP_OK);
    Now re-compile and it's done.

Okay, now you know how to change the service banners for five very commonly used services. But what if you run a service not mentioned here? The difficulty of changing a service banner depends on the programmers of that service, but it's generally not very hard. All I had to do was a little guessing. A good start is to look in the "/src/" and "/include/" directories. In these directories, grep for a typical piece of the banner, e.g. search for "OpenSSH_3.5p1". Sometimes it's a bit harder, but with some time and careful looking, I'm sure you'll find them.
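Once a service has been rebuilt, the only way to know the banner change took is to look at what the port actually sends back. The following Python script is an added example and is not part of the original howto: it takes the "before" and "after" banners quoted above (constructed here; the hostname fields are made up), lists every product/version pair a banner still advertises, and checks whether a banner still names the software that really runs. The grab_banner helper, which connects to a port on your own host and returns the first bytes received, is an assumption of this example and is not something the howto describes.

```python
"""Banner audit: what does a service advertise, and does it still name what really runs?

Added example for this howto, not part of the original text. The sample banners
below are constructed from the strings quoted in the howto; hostnames are made up.
"""
import re
import socket
from typing import Dict, List, Set, Tuple

# Constructed "before" (real software) and "after" (faked) banners from the howto.
SAMPLE_BANNERS: Dict[str, str] = {
    "ftp_before": "220 ProFTPD 1.2.7 Server (FTP for: example) [ftp.example.test]",
    "ftp_after": "220 Microsoft FTP Service (Version 5.0).",
    "ssh_before": "SSH-2.0-OpenSSH_3.5p1",
    "ssh_after": "SSH-2.0-OpenSSH",
    "smtp_before": "220 mail.example.test ESMTP Ready and Serving.",
    "http_before": "Apache/1.3.27 (Unix) mod_perl/1.25 PHP/4.2.3",
    "http_after": "Microsoft-IIS/5.0",
    "pop3_before": "+OK Teapop [v0.3.5] - Teaspoon stirs around again <1048009854.3FB15180@Llywellyn>",
    "pop3_after": "+OK Microsoft Exchange 2000 POP3 server version 6.0.6249.0 ( ) ready.",
}

# The software each sample host really runs, as listed in the howto.
REAL_SOFTWARE: Dict[str, Set[str]] = {
    "ftp": {"ProFTPD"}, "ssh": {"OpenSSH"}, "smtp": {"Postfix"},
    "http": {"Apache", "mod_perl", "PHP"}, "pop3": {"Teapop"},
}

# Matches "<token><sep>[v]<dotted version>" fragments such as "ProFTPD 1.2.7",
# "OpenSSH_3.5p1", "Apache/1.3.27" and "Teapop [v0.3.5]". The token must start
# with a letter and the version must contain a dot, so the protocol marker in
# "SSH-2.0-..." is not reported as a product version.
VERSION_RE = re.compile(
    r"(?P<product>[A-Za-z][\w-]*)[/_ ]\[?v?(?P<version>\d+(?:\.\d+)+[A-Za-z0-9]*)"
)
# Plain words (letters and hyphens only), used for the product-name check.
WORD_RE = re.compile(r"[A-Za-z][A-Za-z-]*")


def advertised_versions(banner: str) -> List[Tuple[str, str]]:
    """Return the (token, version) pairs a banner advertises, in order of appearance."""
    return [(m.group("product"), m.group("version")) for m in VERSION_RE.finditer(banner)]


def discloses_real_software(banner: str, real_products: Set[str]) -> bool:
    """True if any word in the banner names software that actually runs (case-insensitive).
    A banner can pass the version check and still fail this one, e.g. 'SSH-2.0-OpenSSH'."""
    real = {p.lower() for p in real_products}
    return any(word.lower() in real for word in WORD_RE.findall(banner))


def audit(banner: str, real_products: Set[str]) -> Dict[str, object]:
    """Summarise one banner: what it advertises and whether it leaks the real product name."""
    return {
        "advertised": advertised_versions(banner),
        "names_real_software": discloses_real_software(banner, real_products),
    }


def extract_server_header(http_response: str) -> str:
    """Pull the Server: header value out of a raw HTTP response (empty string if absent)."""
    for line in http_response.splitlines():
        if line.lower().startswith("server:"):
            return line.split(":", 1)[1].strip()
    return ""


def grab_banner(host: str, port: int, request: bytes = b"", timeout: float = 5.0) -> str:
    """Connect to one of your own hosts, optionally send a request (e.g. an HTTP HEAD
    request) and return what the service sends back, decoded leniently."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if request:
            sock.sendall(request)
        data = sock.recv(4096)
    return data.decode("latin-1", "replace").strip()


if __name__ == "__main__":
    # Report on the constructed samples; for a live check, feed grab_banner() output
    # (or extract_server_header() of an HTTP response) to audit() instead.
    for name, banner in SAMPLE_BANNERS.items():
        service = name.split("_")[0]
        print(f"{name:12} {audit(banner, REAL_SOFTWARE[service])}")
```

Note the distinction the two checks draw: the faked SSH banner "SSH-2.0-OpenSSH" no longer advertises a version, but it still names the real product, which is exactly the "only advertise which software runs" option the howto offers; the faked FTP, HTTP and POP3 banners pass both checks.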

Reprint source: http://udmmb.baihongyu.com/
