banner grabing

unkn0wn · 05-04-2006, 03:57 AM

Is it possible to change for example ssh banner

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.8.1p1 Debian-8.sarge.4 (protocol 2.0)

-output from nmap.

Can i tweak ssh to show some my string.
Can i do that for apache also?

muha · 05-04-2006, 04:50 AM

I don't get you, sorry

Please give a better example cause i think then i can help you.

gabsik · 05-04-2006, 04:54 AM

The sshd banner is /etc/issue.net file as in the /etc/sshd/sshd.conf comment out the Banner /etc/issue.net.

hareeshvv · 05-04-2006, 05:52 AM

did you mean welcome note ?

unkn0wn · 05-05-2006, 03:23 AM

no no i know for sshd banner.
I dont want to some kiddi with nmap get my ssh server version.
with nmap i get this
22/tcp open ssh OpenSSH 3.8.1p1 Debian-8.sarge.4 (protocol 2.0)

can i tweak something to be:

22/tcp open ssh OpenSSH KIDDI get out of here!

lurker79 · 05-05-2006, 03:35 AM

Usually this kind of tweak you need to make in the source code for the application itself.
It is a server identification string, some servers (e.g. apache) have config options that allow you to modify the amount of information you show is this string.

unkn0wn · 05-05-2006, 06:49 AM

i see that

soooo i must compile sshd by hand no apt

where is in apache that config?

unkn0wn · 05-05-2006, 06:54 AM

i see that

soooo i must compile sshd by hand no apt

where is in apache that config?

lurker79 · 05-05-2006, 07:27 AM

For apache you want to look at the ServerTokens directive http://httpd.apache.org/docs/2.2/mod...l#servertokens
for more control over the server string again you would have to edit the source code

nx5000 · 05-05-2006, 09:31 AM

Quote:

Originally Posted by unkn0wn

i see that

soooo i must compile sshd by hand no apt

Or modify directly the binary:

Code:

sed -i 's/OpenSSH_4.2p1 Debian/AwayAwayAwayAwayAway/' /usr/sbin/sshd

unkn0wn · 05-07-2006, 08:47 AM

i modiy and get segmentation fault

what now

nx5000 · 05-09-2006, 02:32 AM

Quote:

Originally Posted by unkn0wn

i modiy and get segmentation fault

what now

Did you make a copy of the old sshd?
And you have put your version?

There is a mistake in the above line, should be:

Code:

sed -i 's/OpenSSH_4\.2p1 Debian/AwayAwayAwayAwayAway/' /usr/sbin/sshd

Take a new binary, launch strings on sshd
strings `which sshd` | grep -i debian

and do the operation as above, replacing . by \.

Worked on my sshd, the cleanest would be to recompile.
I don't think its really usefull to hide your version. Better tighten your security than hiding.

unkn0wn · 05-12-2006, 01:10 AM

i menage it
recompile and edit version.h
tnx

gabsik · 05-12-2006, 01:42 AM

i have done sed -i 's/OpenSSH_4\.2p1 Debian/AwayAwayAwayAwayAway/' /usr/sbin/sshd but ....

root@argo:~# nmap -sV 192.168.0.2 -p 666

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-05-12 08:41 CEST
Interesting ports on argo.ath.cx (192.168.0.2):
PORT STATE SERVICE VERSION
666/tcp open ssh OpenSSH 3.8.1p1 Debian-8.sarge.4 (protocol 1.99)

Nmap finished: 1 IP address (1 host up) scanned in 0.149 seconds

nx5000 · 05-15-2006, 04:07 AM

What I gave was an example. I'm not sure you really understand the command sed
sed replaces something with something else
I was running OpenSSH_4.2p1 so I replaced OpenSSH_4.2p1 by some junk. For you its something else!

To get the correct string, type this:

(1)

Code:

strings `which sshd` | grep -i debian

then to get the number of chars to replace do this

(2)

Code:

strings `which sshd` | grep -i debian | wc -c

Then issue:

sed -i 's/your version/Junk/'

WHERE

"your version" is the result of (1) after having replaced . by \.
"Junk" has to be a text of your choice of length [result of (2) - 1 ] So if (2) gave 21, then you have to put a text of length 20: AwayAwayAwayAwayAway in my case.

then restart sshd and check

If you are wrong, you've corrupted your ssh, so keep a backup