Stop Microsoft

Operating Systems => Linux and UNIX => Topic started by: voidmain on 3 December 2002, 23:51

Title: Netcraft - Web Server Signatures help
Post by: voidmain on 3 December 2002, 23:51
I'm curious if anyone might have any information on how Netcraft figures out what OS and Web server is being run on their "what's that site running?" page. I'm sure they probably fingerprint the TCP/IP stack somehow to determine the OS and I believe from recent threads that I can spoof that part with iptables.

Now I "thought" that they determined the web server software by the "Server:" string from the "head". For instance if you do a:

$ lynx -head -dump http://www.redhat.com/

you will see this line:

Server: Apache

This string is somewhat controllable in the Apache configuration file. "Apache" is the minimal amount of info that you can give, but you can configure it to give more info, like what modules you have loaded. Well, I hacked the Apache source code to put out a completely different string. Mine looks like this:

Server: Not IIS and certainly not Windows!

Well, it still shows up on Netcraft as "Apache on Linux", not what I was hoping. If anyone can lead me to information on things I can do to spoof Netcraft I would certainly appreciate it.
Title: Netcraft - Web Server Signatures help
Post by: preacher on 4 December 2002, 00:55
Void main, sorry to tell you this, but you are not the first one to do this. Check out http://www.attrition.org/attrition/how-apache.html
Title: Netcraft - Web Server Signatures help
Post by: voidmain on 4 December 2002, 01:39
I never said I was the first, and I did it on my own without these instructions. One thing I didn't do was change the OS string, but I didn't have to because there is an httpd.conf configuration option that allows you to remove that from the head anyway. The most you could do with an httpd.conf setting was whittle it down to only saying "Apache". That's why I hacked the source to change the "SERVER_BASEPRODUCT" string.

I am now compiling the new 2.4.20 kernel with the "ippersonality" patch so I can make it look like I am running AmigaOS (or anything else I want). The problem is, Netcraft obviously doesn't use the "Server:" item from the web server head to determine the web server software. They must use some other way to identify the server. We'll see how the ippersonality affects it whenever my slow ass web machine gets finished compiling...
Title: Netcraft - Web Server Signatures help
Post by: voidmain on 4 December 2002, 21:07
I just spent the last few hours patching in ippersonality into iptables and the 2.4.20 kernel so I could do a little spoofing. Now nmap can no longer figure out what OS I am running but that blasted Netcraft knows. It appears their entire determination of what OS and web server you are running is from the web server response:

http://uptime.netcraft.com/up/accuracy.html#os

Now, if I could just figure out what they look at and what methodology they use to interpret the response, maybe I could figure out how to modify Apache to spoof it. I suppose I could do a network capture during a time when I check the OS on the Netcraft site and see exactly what packets are received/sent, then look through the source. Someone else *has* to have already done this though. It would sure save me some work if I could figure it out. I want to be able to have my system appear on Netcraft as a Cray Supercomputer running some hack of a web server.

[ December 04, 2002: Message edited by: void main ]

Title: Netcraft - Web Server Signatures help
Post by: voidmain on 4 December 2002, 21:51
Cool! I just set it up so an "nmap" thinks my system is a "Sega Dreamcast". Of course that will only be known by scans done from my internal network because my firewall already takes care of that part.

Here's a port scan to my web machine in the DMZ:

Code:

[ December 04, 2002: Message edited by: void main ]

Title: Netcraft - Web Server Signatures help
Post by: preacher on 4 December 2002, 12:28
quote:
Originally posted by void main:
I'm curious if anyone might have any information on how Netcraft figures out what OS and Web server is being run on their "what's that site running?" page. I'm sure they probably fingerprint the TCP/IP stack somehow to determine the OS and I believe from recent threads that I can spoof that part with iptables.

Now I "thought" that they determined the web server software by the "Server:" string from the "head". For instance if you do a:

$ lynx -head -dump http://www.redhat.com/

you will see this line:

Server: Apache

This string is somewhat controllable in the Apache configuration file. "Apache" is the minimal amount of info that you can give, but you can configure it to give more info, like what modules you have loaded. Well, I hacked the Apache source code to put out a completely different string. Mine looks like this:

Server: Not IIS and certainly not Windows!

Well, it still shows up on Netcraft as "Apache on Linux", not what I was hoping. If anyone can lead me to information on things I can do to spoof Netcraft I would certainly appreciate it.




Ok, I've been looking at the Apache documentation for a while and I couldn't figure out how you could modify httpd.conf so that only "Apache" is displayed. Right now Netcraft says
"Apache-AdvancedExtranetServer/1.3.26 (Mandrake Linux/6.1mdk) mod_ssl/2.8.10 OpenSSL/0.9.6g PHP/4.2.3", which basically is more info than I want to give out. Help me.
Title: Netcraft - Web Server Signatures help
Post by: voidmain on 4 December 2002, 13:49
quote:
Originally posted by X11 / BOB: l33t h4x0r:
Now that's funny, how did you do it?


http://ippersonality.sourceforge.net/
Title: Netcraft - Web Server Signatures help
Post by: voidmain on 4 December 2002, 13:51
quote:
Originally posted by ThePreacher:
Ok, I've been looking at the Apache documentation for a while and I couldn't figure out how you could modify httpd.conf so that only "Apache" is displayed. Right now Netcraft says
"Apache-AdvancedExtranetServer/1.3.26 (Mandrake Linux/6.1mdk) mod_ssl/2.8.10 OpenSSL/0.9.6g PHP/4.2.3", which basically is more info than I want to give out. Help me.



ServerTokens Prod
Title: Netcraft - Web Server Signatures help
Post by: preacher on 4 December 2002, 21:24
Thank you void main. Your knowledge never ceases to amaze me.

It seems that since I'm using Mandrake's preconfigured web server, the minimum amount of info displayed is still "Apache-AdvancedExtranetServer", so people will still know I use Mandrake, which is too much.

[ December 04, 2002: Message edited by: ThePreacher ]

Title: Netcraft - Web Server Signatures help
Post by: voidmain on 4 December 2002, 22:03
quote:
Originally posted by ThePreacher:
Thank you void main. Your knowledge never ceases to amaze me.

It seems that since I'm using Mandrake's preconfigured web server, the minimum amount of info displayed is still "Apache-AdvancedExtranetServer", so people will still know I use Mandrake, which is too much.



Then Mandrake has hacked the source, more specifically the AP_SERVER_BASEPRODUCT definition in "ap_release.h" in the Apache source code when building it. If you can tell me the exact Apache RPM version ("rpm -qa | grep -i apache" or "rpm -qa | grep http") and exact version of Mandrake you are running I can give you instructions on how to modify the source RPM and create new binary RPMs that you can install that will be exactly what you currently have installed with only that string being changed.

It's really not difficult at all to do and might come in handy if you want to hack an RPM in the future. In fact maybe that will be my next RedHat tip. I could do a writeup of how I hacked the RedHat Apache RPM, which may not be the same way to hack the Mandrake RPM but if I do the writeup properly will give you the clues you need to figure out how to do it on the Mandrake RPM.

[ December 04, 2002: Message edited by: void main ]
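
As an added example, not code from this thread or from Apache, tying together the "ServerTokens Prod" answer above and the base product string discussed in this post: a small Python audit that tokenizes a Server header the way RFC 2616 defines it (product/version tokens plus parenthesized comments, ignoring nesting and escapes) and models what Apache 1.3 emits at each ServerTokens level. The two banners are copied from the thread; the level modelling is my own simplification of Apache 1.3's behaviour.

```python
"""Audit an HTTP Server header and model Apache 1.3 ServerTokens trimming.

Added example, not code from the thread or from Apache. The parser splits
a Server header into product tokens ('name/version') and parenthesized
comments, which is the RFC 2616 Server grammar minus nesting and escapes.
Sample headers are constructed from the strings quoted in this thread.
"""
import re

# Either a parenthesized comment or a run of non-space characters.
_PART_RE = re.compile(r"\(([^)]*)\)|(\S+)")

# Apache 1.3 ServerTokens levels, least to most talkative.
LEVELS = ("Prod", "Min", "OS", "Full")


def parse_server_header(value):
    """Return (products, comments); products are (name, version_or_None)."""
    products, comments = [], []
    for match in _PART_RE.finditer(value.strip()):
        if match.group(1) is not None:
            comments.append(match.group(1).strip())
        else:
            name, _, version = match.group(2).partition("/")
            products.append((name, version or None))
    return products, comments


def findings(value):
    """List what a Server header gives away: versions, platform, modules."""
    products, comments = parse_server_header(value)
    out = []
    if products and products[0][1]:
        out.append("server version: %s/%s" % products[0])
    for comment in comments:
        out.append("platform/OS comment: %s" % comment)
    for name, version in products[1:]:
        if version:
            out.append("module version: %s/%s" % (name, version))
    return out


def apply_server_tokens(full_header, level):
    """Model what Apache 1.3 emits for a ServerTokens level.

    Assumes the header was generated at ServerTokens Full: the first
    product is the base product (AP_SERVER_BASEPRODUCT, which a vendor
    build can rename), the first comment is the platform, and the rest
    are module components, which only Full includes.
    """
    if level not in LEVELS:
        raise ValueError("unknown ServerTokens level: %r" % level)
    products, comments = parse_server_header(full_header)
    if not products:
        return ""
    name, version = products[0]
    if level == "Prod" or not version:
        return name
    base = "%s/%s" % (name, version)
    if level == "Min":
        return base
    if comments:
        base += " (%s)" % comments[0]
    if level == "OS":
        return base
    extras = ["%s/%s" % (n, v) if v else n for n, v in products[1:]]
    return " ".join([base] + extras)


# Constructed samples: the Mandrake banner and the edited banner from the thread.
MANDRAKE = ("Apache-AdvancedExtranetServer/1.3.26 (Mandrake Linux/6.1mdk) "
            "mod_ssl/2.8.10 OpenSSL/0.9.6g PHP/4.2.3")
EDITED = "Not IIS and certainly not Windows!"

if __name__ == "__main__":
    for lvl in LEVELS:
        print("ServerTokens %-4s -> %s" % (lvl, apply_server_tokens(MANDRAKE, lvl)))
    print(findings(MANDRAKE))
    print(findings(EDITED))
```

Note that even at Prod the vendor's renamed base product survives, which is exactly why the thread moves on to rebuilding the RPM.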

Title: Netcraft - Web Server Signatures help
Post by: Master of Reality on 4 December 2002, 22:39
This all isn't really giving you any more security though... quite amusing however. That supercomputer running some crapass webserver would be quite humorous. I want to change mine so it looks like a C64 running apache. Of course people have run apache on C64 but it can't handle more than a few requests and is slow as hell.
Title: Netcraft - Web Server Signatures help
Post by: preacher on 4 December 2002, 22:46
Here are the results of rpm -qa | grep -i apache

apache-conf-1.3.26-3mdk
apache-1.3.26-6.1mdk
apache-modules-1.3.26-6.1mdk
apache-mod_perl-1.3.26_1.27-7mdk
apache-common-1.3.26-6.1mdk

The exact version of Mandrake I use is Mandrake Linux 9.0 2.4.19-16mdk i686
Title: Netcraft - Web Server Signatures help
Post by: voidmain on 4 December 2002, 23:02
quote:
Originally posted by The Master of Reality / B0B:
This all isn't really giving you any more security though... quite amusing however. That supercomputer running some crapass webserver would be quite humorous. I want to change mine so it looks like a C64 running apache. Of course people have run apache on C64 but it can't handle more than a few requests and is slow as hell.


You are correct that it doesn't make your system any more secure, however added obscurity can not hurt. If your server has holes it really doesn't matter much. The obscurity can throw a few would-be kiddies off the trail (or attract more, either way I don't care, just wanted to do it).
Title: Netcraft - Web Server Signatures help
Post by: voidmain on 4 December 2002, 23:38
quote:
Originally posted by ThePreacher:
Here are the results of rpm -qa | grep -i apache

apache-conf-1.3.26-3mdk
apache-1.3.26-6.1mdk
apache-modules-1.3.26-6.1mdk
apache-mod_perl-1.3.26_1.27-7mdk
apache-common-1.3.26-6.1mdk

The exact version of Mandrake I use is Mandrake Linux 9.0 2.4.19-16mdk i686



Ok, this one should be quite easy. First let me say that I am not sure of the Mandrake RPM build tree. In Red Hat it's /usr/src/redhat/*, I believe in Mandrake it is /usr/src/RPM/*. If this is not so it will be something similar. Here we go:

First download the SRC RPM and install it:

# wget ftp://csociety-ftp.ecn.purdue.edu/pub/Mandrake/updates/9.0/SRPMS/apache-1.3.26-6.1mdk.src.rpm
# rpm -i apache-1.3.26-6.1mdk.src.rpm

Now let's hack:

# cd /usr/src/RPM/SOURCES
# bunzip2 apache-1.3.26-baseversion.patch.bz2

Edit the "apache-1.3.26-baseversion.patch" file (I suggest vim) and change the line that looks like this:

Code:

to something like:

Code:

Now bzip2 it back up:

# bzip2 apache-1.3.26-baseversion.patch

and build the binary RPM by:

# cd ../SPECS
# rpmbuild -bb apache.spec

If everything goes according to plan you should have binary RPMs for Apache somewhere under "/usr/src/RPM/RPMS/*".

You should only have to install the base server since all the versions of the other RPMS will be exact. Since the same version is already installed you may have to force it:

# rpm -Uvh apache-1.3.26-6.1mdk.i586.rpm --force --nodeps

Now restart the Apache service. No sweat right?

P.S. If this works for you without much modification (let me know if something is incorrect) maybe I will start a Mandrake tips page with this as the first entry.

P.P.S. This also assumes you have development packages installed (gcc, make etc) and the rpm development packages installed (rpm-build, etc), which I am not sure if Mandrake 9.0 does by default. And I am not 100% sure if all of the ones I mentioned are necessary and if more than what I mention are necessary; I would have to look that up. The easiest way to tell if something is missing is to just try the instructions. If there is an error about something not found then you need to install something else.

[ December 04, 2002: Message edited by: void main ]

Title: Netcraft - Web Server Signatures help
Post by: preacher on 5 December 2002, 00:18
Don't worry, I have all the development packages installed. I'll update you on this tomorrow seeing as how I soon have to go to work.

By the way, I'd like to reprint this tutorial on my website with your permission, giving you the proper credit of course.

[ December 04, 2002: Message edited by: ThePreacher ]

Title: Netcraft - Web Server Signatures help
Post by: voidmain on 5 December 2002, 00:21
quote:
Originally posted by ThePreacher:
By the way, I'd like to reprint this tutorial on my website with your permission, giving you the proper credit of course.



Only if it works, of course.
Title: Netcraft - Web Server Signatures help
Post by: preacher on 5 December 2002, 00:34
Void main, here is an update. I did everything you said to do in your instructions, and everything went right until

[root@badconnections SPECS]# rpmbuild -bb apache.spec
rpmbuild: error while loading shared libraries: librpmbuild-4.0.3.so: cannot open shared object file: No such file or directory
Title: Netcraft - Web Server Signatures help
Post by: voidmain on 5 December 2002, 00:47
Is Mandrake broken? That file is part of the "rpm" RPM in RedHat. I've also seen it included in "librpmbuild" but it doesn't appear that RPM exists for Mandrake. Maybe you should try installing the other packages from your Mandrake CD that start with "rpm*". I'll do some searching on the Mandrake web site.
Title: Netcraft - Web Server Signatures help
Post by: preacher on 5 December 2002, 00:50
I did a little searching and it seems "librpmbuild-4.0.4.so" is what is installed on my computer. Why is rpmbuild looking for the older libraries?
Title: Netcraft - Web Server Signatures help
Post by: voidmain on 5 December 2002, 00:55
I don't know, looks like your RPM dependencies are hosed on your "rpm" packages. This could happen if only one of the few rpm packages got upgraded without the other dependent packages being upgraded, causing rpm to be broken. If not, that would mean Mandrake itself is broken, which really wouldn't surprise me as I've already seen it with the kernel versions vs the kernel-headers that are included on the 9.0 CD.

Maybe the old syntax will work. Try "rpm -bb apache.spec" rather than "rpmbuild -bb apache.spec".

If not try linking the 4.0.4 library to 4.0.3 by:
# ln -s /usr/lib/librpmbuild-4.0.4.so /usr/lib/librpmbuild-4.0.3.so

If that doesn't work (and even if it does) give me the output of "rpm -qa | grep rpm" and I'll see if I can see any broken dependencies.

[ December 04, 2002: Message edited by: void main ]

Title: Netcraft - Web Server Signatures help
Post by: voidmain on 5 December 2002, 06:06
quote:
Originally posted by X11 / BOB: l33t h4x0r:
Now that's funny, how did you do it?


I was just thinking. I believe it may be fairly easy to spoof the Netcraft uptime chart using iptables/ippersonality. Maybe that will be my next conquest. I think it would be pretty cool if I could get my system to show up as a Sega Dreamcast with about 12 years of uptime.
Title: Netcraft - Web Server Signatures help
Post by: preacher on 5 December 2002, 11:47
quote:
Originally posted by void main:


I was just thinking. I believe it may be fairly easy to spoof the Netcraft uptime chart using iptables/ippersonality. Maybe that will be my next conquest. I think it would be pretty cool if I could get my system to show up as a Sega Dreamcast with about 12 years of uptime.



This is a funny idea, spoofing the uptime, how exactly does Netcraft find a system's uptime?
Title: Netcraft - Web Server Signatures help
Post by: voidmain on 5 December 2002, 11:59
quote:
Originally posted by ThePreacher:


This is a funny idea, spoofing the uptime, how exactly does Netcraft find a system's uptime?



I would imagine they do it in a similar way to the way nmap determines it, via TCP timestamps. I just spent the last hour or so going through ippersonality and I couldn't figure out a way of affecting nmap results via the configuration files, and I don't believe it is possible without hacking it. But I'm not proficient enough with TCP at this low of a level. Might have to do some more research.

On another note, did you get my last message regarding your Apache hack?
Title: Netcraft - Web Server Signatures help
Post by: Master of Reality on 5 December 2002, 20:56
did you have to recompile the kernel to use ippersonality?
Title: Netcraft - Web Server Signatures help
Post by: voidmain on 5 December 2002, 22:32
Yes, you actually have to do a little more than that. I downloaded the 2.4.20 kernel source, applied the ippersonality kernel patch (there is a patch for 2.4.20 on sourceforge). Then I did a make config and turned on a couple of other necessary options like connection tracking (the options are listed in the README or INSTALL included with the ippersonality tar.gz package). Then compiled and installed the kernel.

Now that's not the end of it. You also have to patch "iptables". I downloaded the 1.2.7a source for iptables and applied the ippersonality patch for iptables, then modified the Makefile so iptables would install to the same directories that my distro has it already installed in. There was one more thing that needed to be done in the iptables source for 1.2.7a. There is a label/define that needs to be changed in several places in the source because it was changed in the new kernel source. This was easily done with a perl command that I found in one of the ippersonality message list archives. Then I did a "make" and "make install".

Then to masquerade as another OS you have to run a couple of iptables commands along with a configuration file of the  operating system you want to masquerade as and you are done.

This sounds like a lot but if you are interested I could do another step by step instruction and put it in my RedHat tips section. I think if I did that it wouldn't be hard for anyone to follow. I also wrote my own script to make it easy to change what OS you are masquerading as and call it from the /etc/init.d/iptables service script. Basically once installed all you have to do is comment out one line and uncomment another to change which OS you want to masquerade as. I started last night writing my own config file for a Cray supercomputer but fell asleep from exhaustion. Maybe this evening I will work on it some more. Shouldn't take too long to create.

[ December 05, 2002: Message edited by: void main ]

Title: Netcraft - Web Server Signatures help
Post by: Master of Reality on 6 December 2002, 00:27
Putting it in your tips section isn't a bad idea. I might try it on my Slackware box, but I have quite a bit of work to do on that box so I can use it as my server.
Title: Netcraft - Web Server Signatures help
Post by: preacher on 6 December 2002, 00:37
quote:
Originally posted by void main:


I would imagine they do it in a similar way to the way nmap determines it, via TCP timestamps. I just spent the last hour or so going through ippersonality and I couldn't figure out a way of affecting nmap results via the configuration files, and I don't believe it is possible without hacking it. But I'm not proficient enough with TCP at this low of a level. Might have to do some more research.

On another note, did you get my last message regarding your Apache hack?




I did try what you suggested with the exact same result as before. What I'm gonna try is using my other Linux box to do this, then transferring the modified apache-1.3.26-6.1mdk through the network. I'll fill you in when I get this finished.
Title: Netcraft - Web Server Signatures help
Post by: voidmain on 6 December 2002, 14:09
Heh, now I'm running Solaris 8. Or so Netcraft thinks:

Void on Netcraft (http://uptime.netcraft.com/up/graph/?mode_u=off&mode_w=on&site=voidmain.kicks-ass.net&submit=Examine)

[ December 06, 2002: Message edited by: void main ]

Title: Netcraft - Web Server Signatures help
Post by: voidmain on 7 December 2002, 04:18
And it won't be long now before Netcraft is showing my supposed "Solaris 8" machine with around 350 days of uptime:

nmap:
Code:

I can now change my uptime to anything I want (below 497 days because of the 2.4 kernel uptime limitation). And I can do it on the fly without having to reboot. Here's the uptime command:

Code:

It was easy as adding two lines of code to one of the kernel source files which creates a proc file "/proc/sys/kernel/jiffies". "jiffies" is the counter variable that the kernel uses to keep track of how long the kernel has been running and all other applications indirectly key off of that variable (even the TCP/IP timestamps). So basically you can set the variable to anything you want on the fly by doing something like:

# echo "3000000000" > /proc/sys/kernel/jiffies

which will set your uptime to about 347 days. Obviously there are some ramifications of mucking with this somewhere along the line. The only thing I have noticed so far is that if you set it to a high value like above, the system stops responding for a period of time and then seems to get its wits back after about a minute. So if you try something similar I just want to warn you that something disastrous could happen.

If you feel adventurous and want to try it on an old machine then I have created a patch for the 2.4.20 kernel source. Put the following code in a file called "/usr/src/jiffies.patch":

Code:

Then assuming your 2.4.20 kernel source is in "/usr/src/linux" type:

# cd /usr/src/linux
# patch -p1 < ../jiffies.patch

Now make and install your new kernel and you should find a /proc/sys/kernel/jiffies variable that you can modify by my earlier instructions.

I didn't completely figure this out on my own. I happen to run across this:

http://www.zevv.nl/jiffies/

However, the patch on that page is obviously not for the 2.4.20 kernel, I figured out what they did in the patch and made the same modification to the 2.4.20 kernel source and created my own patch.

[edit]
NOTE: I just found out that a few important commands appear not to work if you set this too high. It seems I can set it to 3000000000 (347 days) without any problems, but I'm not quite sure why, when I had it set to 3500000000 (400+ days), it made a couple of commands hang.

It seems that under certain conditions commands like "top" and "sleep" will just hang. Any script that contains the "sleep" command will more or less just hang until you kill it. But going back and setting it to 3000000000 seemed to wake things up and everything starts running fine from that point on. Maybe at this point I should just say the behavior is erratic and your mileage may vary. Let me know if you come up with the secret answer...
[/edit]

[ December 07, 2002: Message edited by: void main ]
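
Added example, not code from this thread, nmap or Netcraft: how a scanner turns the TCP timestamp option (which on the 2.4 kernels in this thread is the jiffies counter, ticking at HZ=100 on x86) into an uptime estimate, where the 497-day limit comes from, and a consistency check a defender can run over repeated probes to spot a counter that was bumped by hand rather than ticking. The probe log is constructed; a 32-bit counter and HZ=100 are assumed.

```python
"""Jiffies, TCP timestamps and the uptime a remote scanner infers.

Added example; not code from the thread, nmap or Netcraft. On the 2.4
kernels discussed here the TCP timestamp option is filled from the
jiffies counter (HZ=100 on i386), so a scanner that samples the option
twice can recover HZ and then the uptime, which is why writing to the
/proc/sys/kernel/jiffies file above changes what Netcraft reports.
All probe data below is constructed; nothing is sent on the network.
"""

JIFFIES_WRAP = 2 ** 32          # jiffies is a 32-bit unsigned long on i386
SECONDS_PER_DAY = 86400
COMMON_HZ = (100, 250, 1000)    # tick rates a scanner would consider


def jiffies_to_days(jiffies, hz=100):
    """Uptime in days implied by a jiffies (or TCP timestamp) value."""
    return jiffies / hz / SECONDS_PER_DAY


def wrap_days(hz=100):
    """Days until a 32-bit jiffies counter wraps: the 497-day limit at HZ=100."""
    return jiffies_to_days(JIFFIES_WRAP, hz)


def estimate_hz(probes):
    """Infer the tick rate from (wall_clock_s, tcp_timestamp) probe pairs.

    The nmap-style guess: timestamp delta over wall-clock delta, snapped to
    the nearest common HZ. Only the first two probes are used.
    """
    (t0, ts0), (t1, ts1) = probes[0], probes[1]
    if t1 <= t0:
        raise ValueError("probes must be in increasing wall-clock order")
    raw = ((ts1 - ts0) % JIFFIES_WRAP) / (t1 - t0)
    return min(COMMON_HZ, key=lambda hz: abs(hz - raw))


def uptime_days(probes):
    """Uptime in days implied by the last probe's timestamp."""
    return jiffies_to_days(probes[-1][1], estimate_hz(probes))


def find_jumps(probes, tolerance=0.10):
    """Defender check: flag intervals where the timestamp did not advance at HZ.

    A counter that is written by hand (the echo into /proc/sys/kernel/jiffies
    above) advances far more than HZ * elapsed seconds between two probes.
    Returns a list of (probe_index, expected_ticks, observed_ticks).
    """
    hz = estimate_hz(probes)
    jumps = []
    for i in range(1, len(probes)):
        (t0, ts0), (t1, ts1) = probes[i - 1], probes[i]
        expected = hz * (t1 - t0)
        observed = (ts1 - ts0) % JIFFIES_WRAP
        if abs(observed - expected) > tolerance * expected:
            jumps.append((i, expected, observed))
    return jumps


# Constructed probe log: host up 5 minutes, probed every 10 s, with
# "echo 3000000000 > /proc/sys/kernel/jiffies" run between probes 2 and 3.
PROBES = [(0.0, 30000), (10.0, 31000), (20.0, 3000001000), (30.0, 3000002000)]

if __name__ == "__main__":
    print("HZ ~", estimate_hz(PROBES))
    print("uptime ~ %.1f days (counter wraps at %.1f)" % (uptime_days(PROBES), wrap_days()))
    print("jumps:", find_jumps(PROBES))
```

The jump check is also why the gradual rc.uptime approach later in the thread is harder to notice than a single large write: a scanner that only probes once sees 347 days either way, but one that probes twice catches the step.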

Title: Netcraft - Web Server Signatures help
Post by: voidmain on 10 December 2002, 05:14
Weee, look at it climb:

By IP (http://uptime.netcraft.com/up/graph?site=24.171.60.38)
voidmain.kicks-ass.net (http://uptime.netcraft.com/up/graph?site=voidmain.kicks-ass.net)

[ December 09, 2002: Message edited by: void main ]

Title: Netcraft - Web Server Signatures help
Post by: preacher on 10 December 2002, 13:46
Void main, this just isn't right. I'm up here sitting next to my server hoping to one day achieve 300 days uptime, and you successfully cheated this. Not only that, but you can say you are running any OS and webserver. This is too much. Now I'm gonna have to try it myself.
Title: Netcraft - Web Server Signatures help
Post by: voidmain on 10 December 2002, 13:48
Well I recommend doing it the legit way. I just wanted to see if it could be done. I have a few servers listed with more than that amount of uptime (legit). But if you want to play, it's a great learning experience.
Title: Netcraft - Web Server Signatures help
Post by: preacher on 18 December 2002, 19:14
quote:
Originally posted by void main:
Yes, you actually have to do a little more than that. I downloaded the 2.4.20 kernel source, applied the ippersonality kernel patch (there is a patch for 2.4.20 on sourceforge). Then I did a make config and turned on a couple of other necessary options like connection tracking (the options are listed in the README or INSTALL included with the ippersonality tar.gz package). Then compiled and installed the kernel.

Now that's not the end of it. You also have to patch "iptables". I downloaded the 1.2.7a source for iptables and applied the ippersonality patch for iptables, then modified the Makefile so iptables would install to the same directories that my distro has it already installed in. There was one more thing that needed to be done in the iptables source for 1.2.7a. There is a label/define that needs to be changed in several places in the source because it was changed in the new kernel source. This was easily done with a perl command that I found in one of the ippersonality message list archives. Then I did a "make" and "make install".

Then to masquerade as another OS you have to run a couple of iptables commands along with a configuration file of the  operating system you want to masquerade as and you are done.

This sounds like a lot but if you are interested I could do another step by step instruction and put it in my RedHat tips section. I think if I did that it wouldn't be hard for anyone to follow. I also wrote my own script to make it easy to change what OS you are masquerading as and call it from the /etc/init.d/iptables service script. Basically once installed all you have to do is comment out one line and uncomment another to change which OS you want to masquerade as. I started last night writing my own config file for a Cray supercomputer but fell asleep from exhaustion. Maybe this evening I will work on it some more. Shouldn't take too long to create.

[ December 05, 2002: Message edited by: void main ]




You are really good with these tutorials, and I am interested in doing this.
Title: Netcraft - Web Server Signatures help
Post by: voidmain on 19 December 2002, 03:38
I think I have the uptime thing worked out. It's pretty touchy about how you artificially raise your uptime. What I ended up with is the kernel patch I made and then creating a script that will raise the uptime starting about 6 minutes after the system has been up. The script is called /etc/rc.d/rc.uptime:

Code:

And a call to it should be added to the end of /etc/rc.d/rc.local right before the last line:

Code:

I was going to do the PDC tutorial next as I just built a fresh one but I've been putting it off. Maybe I'll do the ippersonality/uptime tutorial next although some people might get huffy about the uptime one...
Title: Netcraft - Web Server Signatures help
Post by: voidmain on 19 December 2002, 05:07
Huh? You quoted old news. I figured out how to modify the uptime with a kernel patch.