Author Topic: Netcraft - Web Server Signatures help  (Read 1278 times)

voidmain

  • VIP
  • Member
  • ***
  • Posts: 5,605
  • Kudos: 184
    • http://voidmain.is-a-geek.net/
Netcraft - Web Server Signatures help
« on: 3 December 2002, 23:51 »
I'm curious if anyone might have any information on how Netcraft figures out what OS and Web server is being run on their "what's that site running?" page. I'm sure they probably fingerprint the TCP/IP stack somehow to determine the OS and I believe from recent threads that I can spoof that part with iptables.

Now I "thought" that they determined the web server software by the "Server:" string from the "head". For instance if you do a:

$ lynx -head -dump http://www.redhat.com/

you will see this line:

Server: Apache

This string is somewhat controllable in the Apache configuration file. "Apache" is the minimal amount of info that you can give but you can configure it to give more info like what modules you have loaded. Well, I hacked the Apache source code to put out a completely different string. Mine looks like this:

Server: Not IIS and certainly not Windows!

Well, it still shows up on Netcraft as "Apache on Linux", not what I was hoping. If anyone can lead me to information on things I can do to spoof Netcraft I would certainly appreciate it.
Someone please remove this account. Thanks...

preacher

  • VIP
  • Member
  • ***
  • Posts: 858
  • Kudos: 107
    • http://kansascity.cjb.net
« Reply #1 on: 4 December 2002, 00:55 »
Void main sorry to tell you this, but you are not the first one to do this. Check out http://www.attrition.org/attrition/how-apache.html
Kansas City Hustle
http://kansascity.cjb.net

voidmain

« Reply #2 on: 4 December 2002, 01:39 »
I never said I was the first, and I did it on my own without these instructions. One thing I didn't do was change the OS string, but I didn't have to because there is an httpd.conf configuration option that allows you to remove that from the head anyway. The most you could do with an httpd.conf setting was whittle it down to only saying "Apache". That's why I hacked the source to change the "SERVER_BASEPRODUCT" string.

I am now compiling the new 2.4.20 kernel with the "ippersonality" patch so I can make it look like I am running AmigaOS (or anything else I want). The problem is, Netcraft obviously doesn't use the "Server:" item from the web server head to determine the web server software. They must use some other way to identify the server. We'll see how the ippersonality affects it whenever my slow ass web machine gets finished compiling...

voidmain

« Reply #3 on: 4 December 2002, 21:07 »
I just spent the last few hours patching in ippersonality into iptables and the 2.4.20 kernel so I could do a little spoofing. Now nmap can no longer figure out what OS I am running but that blasted Netcraft knows. It appears their entire determination of what OS and web server you are running is from the web server response:

http://uptime.netcraft.com/up/accuracy.html#os

Now, if I could just figure what they look at and what methodology they use to interpret the response maybe I could figure out how to modify Apache to spoof it. I suppose I could do a network capture during a time when I check the OS on the netcraft site and see exactly what packets are received/sent, then look through the source. Someone else *has* to have already done this though. It would sure save me some work if I could figure it out. I want to be able to have my system appear on Netcraft as a Cray Supercomputer running some hack of a web server.

[ December 04, 2002: Message edited by: void main ]


voidmain

« Reply #4 on: 4 December 2002, 21:51 »
Cool! I just set it up so an "nmap" thinks my system is a "Sega Dreamcast". Of course that will only be known by scans done from my internal network because my firewall already takes care of that part.

Here's a port scan to my web machine in the DMZ:

Code: [Select]

[ December 04, 2002: Message edited by: void main ]


preacher

« Reply #5 on: 4 December 2002, 12:28 »
quote:
Originally posted by void main:
I'm curious if anyone might have any information on how Netcraft figures out what OS and Web server is being run on their "what's that site running?" page. I'm sure they probably fingerprint the TCP/IP stack somehow to determine the OS and I believe from recent threads that I can spoof that part with iptables.

Now I "thought" that they determined the web server software by the "Server:" string from the "head". For instance if you do a:

$ lynx -head -dump http://www.redhat.com/

you will see this line:

Server: Apache

This string is somewhat controllable in the Apache configuration file. "Apache" is the minimal amount of info that you can give but you can configure it to give more info like what modules you have loaded. Well, I hacked the Apache source code to put out a completely different string. Mine looks like this:

Server: Not IIS and certainly not Windows!

Well, it still shows up on Netcraft as "Apache on Linux", not what I was hoping. If anyone can lead me to information on things I can do to spoof Netcraft I would certainly appreciate it.




Ok, I've been looking at the Apache documentation for a while and I couldn't figure out how you could modify httpd.conf so that only "Apache" is displayed. Right now Netcraft says "Apache-AdvancedExtranetServer/1.3.26 (Mandrake Linux/6.1mdk) mod_ssl/2.8.10 OpenSSL/0.9.6g PHP/4.2.3", which basically is more info than I want to give out. Help me.

voidmain

« Reply #6 on: 4 December 2002, 13:49 »
quote:
Originally posted by X11 / BOB: l33t h4x0r:
Now that's funny, how did you do it?


http://ippersonality.sourceforge.net/

voidmain

« Reply #7 on: 4 December 2002, 13:51 »
quote:
Originally posted by ThePreacher:
Ok, I've been looking at the Apache documentation for a while and I couldn't figure out how you could modify httpd.conf so that only "Apache" is displayed. Right now Netcraft says "Apache-AdvancedExtranetServer/1.3.26 (Mandrake Linux/6.1mdk) mod_ssl/2.8.10 OpenSSL/0.9.6g PHP/4.2.3", which basically is more info than I want to give out. Help me.



ServerTokens Prod

preacher

« Reply #8 on: 4 December 2002, 21:24 »
Thank you void main. Your knowledge never ceases to amaze me.

It seems that since I'm using Mandrake's preconfigured webserver, the minimum amount of info displayed is still "Apache-AdvancedExtranetServer", so people will still know I use Mandrake which is too much.

[ December 04, 2002: Message edited by: ThePreacher ]

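The banners quoted in replies #5 to #8, run through a small disclosure check. This is an added example, not code from the thread or from Apache: `server_header`, `parse_banner`, `audit_banner` and the finding labels are names made up here, `STOCK_NAME` is an assumption, and the response head is constructed around the banner preacher quoted.

```python
import re

# One Server-header element: a "(comment)" or a "product[/version]" token.
_PART = re.compile(r"\(([^()]*)\)|([!#$%&'*+.^_`|~0-9A-Za-z-]+)(?:/([^\s()]+))?")
STOCK_NAME = "Apache"  # assumption: the unmodified upstream product name

# Constructed response head (lynx -head -dump style) using the thread's banner.
SAMPLE_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 04 Dec 2002 18:28:00 GMT\r\n"
    "Server: Apache-AdvancedExtranetServer/1.3.26 (Mandrake Linux/6.1mdk) "
    "mod_ssl/2.8.10 OpenSSL/0.9.6g PHP/4.2.3\r\n\r\n"
)

def server_header(head_text):
    """Return the Server header value from a raw response head, or None."""
    for line in head_text.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None

def parse_banner(value):
    """Split a banner into [(product, version-or-None)] and [comment]."""
    products, comments = [], []
    for m in _PART.finditer(value):
        if m.group(1) is not None:
            comments.append(m.group(1).strip())
        else:
            products.append((m.group(2), m.group(3)))
    return products, comments

def audit_banner(value):
    """Return the sorted kinds of detail a Server banner gives away."""
    products, comments = parse_banner(value)
    found = set()
    if any(ver for _, ver in products):
        found.add("version")             # e.g. 1.3.26
    if any(ver for _, ver in products[1:]):
        found.add("modules")             # e.g. mod_ssl/2.8.10, PHP/4.2.3
    if comments:
        found.add("os-comment")          # e.g. (Mandrake Linux/6.1mdk)
    first = products[0][0] if products else ""
    if first != STOCK_NAME and first.startswith(STOCK_NAME):
        found.add("vendor-build-name")   # e.g. Apache-AdvancedExtranetServer
    return sorted(found)

if __name__ == "__main__":
    for banner in (server_header(SAMPLE_HEAD), "Apache-AdvancedExtranetServer", "Apache"):
        print(f"{banner!r}: {audit_banner(banner)}")
```

An empty result only says the banner itself gives nothing away; as reported earlier in the thread, Netcraft still showed "Apache on Linux" after the Server string had been rewritten.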

voidmain

« Reply #9 on: 4 December 2002, 22:03 »
quote:
Originally posted by ThePreacher:
Thank you void main. Your knowledge never ceases to amaze me.

It seems that since I'm using Mandrake's preconfigured webserver, the minimum amount of info displayed is still "Apache-AdvancedExtranetServer", so people will still know I use Mandrake which is too much.



Then Mandrake has hacked the source, more specifically the AP_SERVER_BASEPRODUCT definition in "ap_release.h" in the Apache source code when building it. If you can tell me the exact Apache RPM version ("rpm -qa | grep -i apache" or "rpm -qa | grep http") and exact version of Mandrake you are running I can give you instructions on how to modify the source RPM and create new binary RPMs that you can install that will be exactly what you currently have installed with only that string being changed.

It's really not difficult at all to do and might come in handy if you want to hack an RPM in the future. In fact maybe that will be my next RedHat tip. I could do a writeup of how I hacked the RedHat Apache RPM, which may not be the same way to hack the Mandrake RPM but if I do the writeup properly will give you the clues you need to figure out how to do it on the Mandrake RPM.

[ December 04, 2002: Message edited by: void main ]


Master of Reality

  • VIP
  • Member
  • ***
  • Posts: 4,249
  • Kudos: 177
    • http://www.bobhub.tk
« Reply #10 on: 4 December 2002, 22:39 »
This all isn't really giving you any more security though.. quite amusing however. That supercomputer running some crapass webserver would be quite humorous. I want to change mine so it looks like a C64 running Apache. Of course people have run Apache on C64 but it can't handle more than a few requests and is slow as hell.
Disorder | Rating
Paranoid: Moderate
Schizoid: Moderate
Linux User #283518
'It takes more than a self-inflicted gunshot wound to the head to stop Bob'

preacher

« Reply #11 on: 4 December 2002, 22:46 »
Here are the results of rpm -qa | grep -i apache

apache-conf-1.3.26-3mdk
apache-1.3.26-6.1mdk
apache-modules-1.3.26-6.1mdk
apache-mod_perl-1.3.26_1.27-7mdk
apache-common-1.3.26-6.1mdk

The exact version of Mandrake I use is Mandrake Linux 9.0  2.4.19-16mdk i686

voidmain

« Reply #12 on: 4 December 2002, 23:02 »
quote:
Originally posted by The Master of Reality / B0B:
This all isn't really giving you any more security though.. quite amusing however. That supercomputer running some crapass webserver would be quite humorous. I want to change mine so it looks like a C64 running Apache. Of course people have run Apache on C64 but it can't handle more than a few requests and is slow as hell.


You are correct that it doesn't make your system any more secure, however added obscurity cannot hurt. If your server has holes it really doesn't matter much. The obscurity can throw a few would-be kiddies off the trail (or attract more, either way I don't care, just wanted to do it).

voidmain

« Reply #13 on: 4 December 2002, 23:38 »
quote:
Originally posted by ThePreacher:
Here are the results of rpm -qa | grep -i apache

apache-conf-1.3.26-3mdk
apache-1.3.26-6.1mdk
apache-modules-1.3.26-6.1mdk
apache-mod_perl-1.3.26_1.27-7mdk
apache-common-1.3.26-6.1mdk

The exact version of Mandrake I use is Mandrake Linux 9.0 2.4.19-16mdk i686



Ok, this one should be quite easy. First let me say that I am not sure of the Mandrake RPM build tree. In Red Hat it's /usr/src/redhat/*, I believe in Mandrake it is /usr/src/RPM/*. If this is not so it will be something similar. Here we go:

First download the SRC RPM and install it:

# wget ftp://csociety-ftp.ecn.purdue.edu/pub/Mandrake/updates/9.0/SRPMS/apache-1.3.26-6.1mdk.src.rpm
# rpm -i apache-1.3.26-6.1mdk.src.rpm

Now let's hack:

# cd /usr/src/RPM/SOURCES
# bunzip2 apache-1.3.26-baseversion.patch.bz2

Edit the "apache-1.3.26-baseversion.patch" file (I suggest vim) and change the line that looks like this:

Code: [Select]

to something like:

Code: [Select]

Now bzip2 it back up:

# bzip2 apache-1.3.26-baseversion.patch

and build the binary RPM by:

# cd ../SPECS
# rpmbuild -bb apache.spec

If everything goes according to plan you should have binary RPMs for Apache somewhere under "/usr/src/RPM/RPMS/*".

You should only have to install the base server since all the versions of the other RPMS will be exact. Since the same version is already installed you may have to force it:

# rpm -Uvh apache-1.3.26-6.1mdk.i586.rpm --force --nodeps

Now restart the Apache service. No sweat right?

P.S. If this works for you without much modification (let me know if something is incorrect) maybe I will start a Mandrake tips page with this as the first entry.

P.S.S. This also assumes you have development packages installed (gcc, make etc) and the rpm development packages installed (rpm-build, etc) which I am not sure if Mandrake 9.0 does by default. And I am not 100% sure if all of the ones I mentioned are necessary and if more than what I mention are necessary, I would have to look that up. The easiest way to tell if something is missing is to just try the instructions. If there is an error about something not found then you need to install something else.

[ December 04, 2002: Message edited by: void main ]


preacher

« Reply #14 on: 5 December 2002, 00:18 »
Don't worry, I have all the development packages installed. I'll update you on this tomorrow seeing as how I soon have to go to work.

By the way, I'd like to reprint this tutorial on my website with your permission and giving you the proper credit of course.

[ December 04, 2002: Message edited by: ThePreacher ]
