Thread: Changing Apache and SSH banner

  1. #1 imported_vvpalin (Member, joined Apr 2009, 442 posts)

    Changing Apache and SSH banner

    When I was going through the offsec course and took my test.. dare I admit it, but after I was finished I decided to give the rest of the range an in-depth scan. Immediately I noticed that there was another BT box on the wire ... how, you ask? By looking at the default Apache banner.

    This is what it looks like every time you fire it up.

    Code:
    root@ph33r:~# nmap -sV 192.168.0.222
    PORT STATE SERVICE VERSION
    80/tcp open http Apache httpd 2.2.9 ((Ubuntu) PHP/5.2.6-bt0 with Suhosin-Patch)
    Service Info: Host: local; OS: Linux
    root@ph33r:~#

    So it got me thinking: if I'm out on a pentest and some crafty admin decides to give me a sweep, he's going to notice right away what OS I'm running. While it might not do much since there is no exploit as of yet ... knowledge is power, plain and simple .. and I'd rather keep that knowledge in my hands.

    So let's modify our default banner. These simple lines are all that you need.

    Code:
    sed -i 's/ServerTokens Full/ServerTokens Prod/' /etc/apache2/conf.d/security
    sed -i 's/TraceEnable On/TraceEnable Off/' /etc/apache2/conf.d/security
    sed -i 's/ServerSignature On/ServerSignature Off/' /etc/apache2/conf.d/security

    Now let's look at our banner.

    Code:
    root@ph33r:~# nmap -sV 192.168.0.222
    PORT STATE SERVICE VERSION
    80/tcp open http Apache httpd
    Service Info: Host: local; OS: Linux
    root@ph33r:~#

    While we're at it, let's give everyone that logs into our SSH a friendly welcome message.

    Code:
    echo "Can you smell that?" > /etc/motd
    echo "Welcome to the vag box!" > /etc/ssh/sshd-banner
    echo "Banner /etc/ssh/sshd-banner" >> /etc/ssh/sshd_config

    The before:

    Code:
    me@lappy:~# ssh root@192.168.0.222
    root@192.168.0.222's password:
    BackTrack 4 (PwnSauce) Penetration Testing and Auditing Distribution
    root@ph33r:~#

    The after:

    Code:
    me@lappy:~# ssh root@192.168.0.222
    Can you smell that?
    root@192.168.0.222's password:
    Welcome to the vag box!
    root@ph33r:~#

    While the above is rather harmless to your system, the below can quickly bork your sshd. Personally I have had no problems, but let this serve as a warning.
    YOU CAN SCREW THINGS UP!

    Ok, so let's ncat into our host on 22 and see what we have.

    Code:
    me@lappy:~# ncat 192.168.0.222 22
    SSH-2.0-OpenSSH_5.1p1 Debian-3ubuntu1

    Cool, no exploits or anything, but let's edit it just for fun. First let's make a copy of sshd to work with.

    Code:
    root@ph33r:~# mkdir tmp
    root@ph33r:~# cd tmp
    root@ph33r:~/tmp# cp /usr/sbin/sshd .

    Now let's modify it.

    Code:
    root@ph33r:~/tmp# hexedit sshd

    Ok, a blue window should have popped up; now look at the bottom and notice the commands. We want to use search, so press Ctrl+W, make sure "Search for text string" is in white, and hit Enter. Now type "OpenSSH" and hit Enter, and you will be directed to the exact part you need to modify.

    It will look like this; just change everything that is in red to 0 and you will end up with what I have below. If you want to type something else, press Tab and type what you want into the ASCII part; just remember there is no backspace.

    Code:
    00053FE0 6E 64 2D 6C 69 6E 65 00 4F 70 65 6E 53 53 48 5F nd-line.OpenSSH_
    00053FF0 35 2E 31 70 31 20 44 65 62 69 61 6E 2D 33 75 62 5.1p1 Debian-3ub
    00054000 75 6E 74 75 31 00 25 73 2C 20 25 73 0A 00 4B 52 untu1.%s, %s..KR

    It should now look like this.

    Code:
    00053FE0 6E 64 2D 6C 69 6E 65 00 4F 70 65 6E 53 53 48 00 nd-line.OpenSSH.
    00053FF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    00054000 00 00 00 00 00 00 25 73 2C 20 25 73 0A 00 4B 52 ......%s, %s..KR

    When you're done, hit Ctrl+X to save it, and give it a launch; remember it requires the exact path.

    Code:
    root@ph33r:~/tmp# /root/tmp/sshd
    root@ph33r:~/tmp# ncat localhost 22
    SSH-2.0-OpenSSH

    Just make sure you can connect to it and you're good to go.

    Code:
    killall sshd
    rm /usr/sbin/sshd
    mv /root/tmp/sshd /usr/sbin/

    Enjoy!
    Using backtrack for the first time is like being 10 years old again with the keys to a Ferrari.

  2. #2 Gitsnik (Very good friend of the forum, joined Jan 2010, location: The Crystal Wind, 851 posts)

    Actually, if you want to get really crafty you can use a hex editor to modify the sshd binary and replace the SSH-2.0-OpenSSH blah string. Etch, for example, defaults to something like OpenSSH Debian-9 - you can edit out the Debian-9 bit.

    As with everything binary, you can only replace the particular string pieces with ones of the same size (I usually just blank them out); that way you can get something like this:

    Code:
    Last login: Mon Oct 26 17:01:06 on ttys000
    [xserve:~] admin% nc localhost 22
    SSH-2.0-OpenSSH_5.1
    ^C
    [xserve:~] admin%
    Also be careful not to blank out the SSH-2.0-OpenSSH_5.1 bit, as OpenSSH actually uses a lot of this for selection of protocols and such.

    Advanced Note: You can actually wipe that out as well (but it's easier to firewall it off) so long as you write a wrapper script and use the -o for it. But I'm not going to go into that.
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.
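A scripted version of the same-size overwrite that Gitsnik describes above (and that the hexedit steps in post #1 do by hand), added here as an example and not taken from either post: it finds the version string in a copy of the binary, overwrites it with the shorter string followed by NUL padding so the file size and every other offset stay the same, and refuses a replacement that is longer. It assumes ASCII strings and GNU-style grep and dd.

```shell
#!/bin/sh
# Same-length, in-place patching of a version string inside a binary
# (e.g. "OpenSSH_5.1p1 Debian-3ubuntu1" in a copy of sshd).
# Example added for this thread, not the original posters' code.
# Assumes ASCII strings and GNU-style grep/dd; always work on a COPY.

# patch_string FILE OLD NEW
# Overwrites every occurrence of OLD with NEW plus NUL padding so nothing
# moves. Refuses a NEW longer than OLD: that would overrun the bytes that
# follow (the "%s, %s" format string in the dump from post #1).
patch_string() {
    file=$1 old=$2 new=$3
    oldlen=${#old} newlen=${#new}
    if [ "$newlen" -gt "$oldlen" ]; then
        echo "refusing: '$new' ($newlen bytes) is longer than '$old' ($oldlen bytes)" >&2
        return 1
    fi
    # -F fixed string, -b byte offset, -o offset of the match itself, -a treat binary as text
    offs=$(grep -Fboa -- "$old" "$file" | cut -d: -f1)
    if [ -z "$offs" ]; then
        echo "refusing: '$old' not found in $file" >&2
        return 1
    fi
    for off in $offs; do
        # NEW followed by (oldlen - newlen) NUL bytes, written over OLD's bytes only
        { printf '%s' "$new"; head -c "$((oldlen - newlen))" /dev/zero; } |
            dd of="$file" bs=1 seek="$off" conv=notrunc 2>/dev/null
    done
}

# count_string FILE STR: number of occurrences, for a before/after check
count_string() {
    grep -Fboa -- "$2" "$1" | wc -l | tr -d ' '
}
```

Check the patched copy with ncat as the thread does before it replaces /usr/sbin/sshd, and keep the original binary around.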

  3. #3 imported_vvpalin (Member, joined Apr 2009, 442 posts)

    I just modified the source, recompiled, then replaced the binary; was a lot easier I think. However, I might just give your way a go for the experience ... any tips on what to use?

    (Edit) Took me less than 20 min to figure it out; the guide is now updated.

  4. #4 Gitsnik (Very good friend of the forum, joined Jan 2010, location: The Crystal Wind, 851 posts)

    Quote Originally Posted by vvpalin:
        I just modified the source, recompiled, then replaced the binary; was a lot easier I think.

    Hard to do when you apt-get everything in; plus it's good skills to learn to hexedit binaries - especially for changing the way the basics work - like "strings".

  5. #5 imported_wyze (Jenkem Addict, joined Jul 2007, 1,543 posts)

    This is the proper way to do it: SSHD hide version patch | 0x80
    dd if=/dev/swc666 of=/dev/wyze

  6. #6 Gitsnik (Very good friend of the forum, joined Jan 2010, location: The Crystal Wind, 851 posts)

    Quote Originally Posted by wyze:
        This is the proper way to do it: SSHD hide version patch | 0x80

    We already covered that, and I did mention that it was good to learn the other way as well.

  7. #7 imported_vvpalin (Member, joined Apr 2009, 442 posts)

    Quote Originally Posted by wyze:
        This is the proper way to do it: SSHD hide version patch | 0x80

    I hate to say this, but that won't work on 5.3; take a look at the patch and the source, the line numbers are wrong.

    Another thing I should say real fast: I've used that modified binary about 20 times now since I edited it, no problems as of yet. Even the VPN works good =0

    As with everything there is a risk ... in fact I'll put a nice little warning on the main post just in case it's not clear.
