Remote Exploit Forums

#1
10-26-2009, 07:58 PM
vvpalin
Senior Member
Join Date: Apr 2009
Location: all.ur.base
Posts: 417

Changing Apache and SSH banner

When I was going through the offsec course and took my test... dare I admit it, but after I was finished I decided to give the rest of the range an in-depth scan. Immediately I noticed that there was another BT box on the wire ... how, you ask? By looking at the default Apache banner.

This is what it looks like every time you fire it up.

Quote:
root@ph33r:~# nmap -sV 192.168.0.222
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.9 ((Ubuntu) PHP/5.2.6-bt0 with Suhosin-Patch)
Service Info: Host: local; OS: Linux
root@ph33r:~#
So it got me thinking: if I'm out on a pentest and some crafty admin decides to give me a sweep, he's going to notice right away what OS I'm running. While it might not do much since there is no exploit as of yet ... knowledge is power, plain and simple ... and I'd rather keep that knowledge in my hands.

So let's modify our default banner. These simple lines are all that you need.

Quote:
sed -i 's/ServerTokens Full/ServerTokens Prod/' /etc/apache2/conf.d/security
sed -i 's/TraceEnable On/TraceEnable Off/' /etc/apache2/conf.d/security
sed -i 's/ServerSignature On/ServerSignature Off/' /etc/apache2/conf.d/security
Now let's look at our banner.

Quote:
root@ph33r:~# nmap -sV 192.168.0.222
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd
Service Info: Host: local; OS: Linux
root@ph33r:~#

While we are at it, let's give everyone that logs into our SSH a friendly welcome message.

Quote:
echo "Can you smell that?" > /etc/motd
echo "Welcome to the vag box!" > /etc/ssh/sshd-banner
echo "Banner /etc/ssh/sshd-banner" >> /etc/ssh/sshd_config
The before

Quote:
me@lappy:~# ssh root@192.168.0.222
root@192.168.0.222's password:
BackTrack 4 (PwnSauce) Penetration Testing and Auditing Distribution
root@ph33r:~#
The after
Quote:
me@lappy:~# ssh root@192.168.0.222
Can you smell that?
root@192.168.0.222's password:
Welcome to the vag box!
root@ph33r:~#
While the above is rather harmless to your system, the below can quickly bork your sshd. Personally I have had no problems, but let this serve as a warning.
YOU CAN SCREW THINGS UP!

Ok, so let's ncat into our host on 22 and see what we have.

Quote:
me@lappy:~# ncat 192.168.0.222 22
SSH-2.0-OpenSSH_5.1p1 Debian-3ubuntu1
Cool, no exploits or anything, but let's edit it just for fun. First let's make a copy of sshd to work with.

Quote:
root@ph33r:~# mkdir tmp
root@ph33r:~# cd tmp
root@ph33r:~/tmp# cp /usr/sbin/sshd .
Now let's modify it.

Quote:
root@ph33r:~/tmp# hexedit sshd
Ok, a blue window should have popped up; now look at the bottom and notice the commands. We want to use search, so press Ctrl+W, make sure "Search for text string" is in white and hit enter. Now type "OpenSSH", hit enter and you will be directed to the exact part you need to modify.

It will look like this; just change everything that is in red to 0 and you will end up with what I have below. If you want to type something else, press TAB and type what you want into the ASCII part, just remember there is no backspace.
Quote:
00053FE0 6E 64 2D 6C 69 6E 65 00 4F 70 65 6E 53 53 48 5F nd-line.OpenSSH_
00053FF0 35 2E 31 70 31 20 44 65 62 69 61 6E 2D 33 75 62 5.1p1 Debian-3ub
00054000 75 6E 74 75 31 00 25 73 2C 20 25 73 0A 00 4B 52 untu1.%s, %s..KR
It should now look like this.

Quote:
00053FE0 6E 64 2D 6C 69 6E 65 00 4F 70 65 6E 53 53 48 00 nd-line.OpenSSH.
00053FF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00054000 00 00 00 00 00 00 25 73 2C 20 25 73 0A 00 4B 52 ......%s, %s..KR
When you're done, hit Ctrl+X to save it, and give it a launch; remember it requires the exact path.

Quote:
root@ph33r:~/tmp# /root/tmp/sshd
root@ph33r:~/tmp# ncat localhost 22
SSH-2.0-OpenSSH
Just make sure you can connect to it and you're good to go.
Quote:
killall sshd
rm /usr/sbin/sshd
mv /root/tmp/sshd /usr/sbin/
Enjoy!
__________________
Using backtrack for the first time is like being 10 years old again with the keys to a Ferrari.

Last edited by vvpalin; 10-28-2009 at 02:04 AM.
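A way to check what the two services in this post give away, written as an added example (not code from the thread or from BackTrack). It parses an SSH identification string the way RFC 4253 defines it and an HTTP Server header the way Apache emits it, reports the fields a version scan like the nmap run above would pick up, and includes a small grabber for hosts you administer. The sample banners are constructed from the nmap output quoted above (the Server header value is what nmap's "Apache httpd 2.2.9 ((Ubuntu) PHP/5.2.6-bt0 with Suhosin-Patch)" line corresponds to); host names are placeholders.

```python
"""Banner-disclosure audit for SSH and Apache. Added example, not from the
thread: it parses the strings a version scanner keys on and lists what they
expose, so you can confirm the 'after' state really is as terse as intended.
"""
import re
import socket

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
SSH_ID_RE = re.compile(
    r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$"
)
# Server header product tokens, e.g. "Apache/2.2.9 (Ubuntu) PHP/5.2.6-bt0"
HTTP_TOKEN_RE = re.compile(
    r"(?P<product>[A-Za-z][\w.-]*)(?:/(?P<version>[\w.-]+))?"
    r"(?:\s*\((?P<comment>[^)]*)\))?"
)


def parse_ssh_banner(line):
    """Split an SSH identification string into protocol, software name,
    software version and comments. OpenSSH writes "OpenSSH_<version>"."""
    m = SSH_ID_RE.match(line.strip())
    if not m:
        raise ValueError("not an SSH identification string: %r" % line)
    name, _, version = m.group("software").partition("_")
    return {
        "protocol": m.group("proto"),
        "software": name,
        "version": version,                     # "" once the version is gone
        "comments": m.group("comments") or "",  # distro tag, e.g. Debian-3ubuntu1
    }


def parse_server_header(value):
    """Return (product, version, comment) tuples from an HTTP Server header.
    Bare words with neither a version nor a comment ("with", "Suhosin-Patch")
    are dropped, so the ServerTokens Prod value "Apache" yields []."""
    tokens = []
    for m in HTTP_TOKEN_RE.finditer(value):
        version = m.group("version") or ""
        comment = m.group("comment") or ""
        if version or comment:
            tokens.append((m.group("product"), version, comment))
    return tokens


def disclosure_report(ssh_line, server_header):
    """List what a version scan learns from the two banners; an empty list
    means nothing beyond the product names is exposed."""
    findings = []
    ssh = parse_ssh_banner(ssh_line)
    if ssh["version"]:
        findings.append("ssh: version disclosed (%s %s)" % (ssh["software"], ssh["version"]))
    if ssh["comments"]:
        findings.append("ssh: distribution disclosed (%s)" % ssh["comments"])
    for product, version, comment in parse_server_header(server_header):
        findings.append(("http: %s %s %s" % (product, version, comment)).rstrip())
    return findings


def grab_ssh_banner(host, port=22, timeout=3.0):
    """Read the server's identification line; it is sent before any client data."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = s.recv(255)  # RFC 4253 caps the identification string at 255 bytes
    return (data.decode("ascii", errors="replace").splitlines() or [""])[0]


def grab_server_header(host, port=80, timeout=3.0):
    """Issue a HEAD request and return the Server header value ("" if absent)."""
    request = "HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request.encode("ascii"))
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    for line in b"".join(chunks).decode("latin-1").split("\r\n")[1:]:
        if line.lower().startswith("server:"):
            return line.split(":", 1)[1].strip()
    return ""


if __name__ == "__main__":
    # Constructed from the banners quoted in the post, not captured live.
    before = disclosure_report("SSH-2.0-OpenSSH_5.1p1 Debian-3ubuntu1",
                               "Apache/2.2.9 (Ubuntu) PHP/5.2.6-bt0 with Suhosin-Patch")
    after = disclosure_report("SSH-2.0-OpenSSH", "Apache")
    print("before:", before)
    print("after: ", after)
    # Against a box you run (placeholder address):
    # print(disclosure_report(grab_ssh_banner("192.0.2.10"), grab_server_header("192.0.2.10")))
```

Run it against the copy of the box you just hardened and compare the two lists; the sed lines above only take effect after Apache is restarted, and the Banner line only after sshd is, so an empty "after" list is the confirmation that both restarts happened.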
#2
10-27-2009, 12:00 AM
Gitsnik
Senior Member
Join Date: Jun 2009
Location: The Crystal Wind
Posts: 494

Actually, if you want to get really crafty, you can use a hex editor to modify the sshd binary and replace the SSH-2.0-OpenSSH blah string. Etch, for example, defaults to something like OpenSSH Debian-9 - you can edit out the Debian-9 bit.

As with everything binary, you can only replace the particular string pieces with ones of the same size (I usually just blank them out); that way you can get something like this:

Code:
Last login: Mon Oct 26 17:01:06 on ttys000
[xserve:~] admin% nc localhost 22
SSH-2.0-OpenSSH_5.1
^C
[xserve:~] admin%
Also be careful not to blank out the SSH-2.0-OpenSSH_5.1 bit, as OpenSSH actually uses a lot of this for selection of protocols and such.

Advanced note: you can actually wipe that out as well (but it's easier to firewall it off) so long as you write a wrapper script and use the -o for it. But I'm not going to go into that.
__________________
Never underestimate the power of human stupidity - it is like a force of nature, capable of destroying even the most well laid plans.
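The same-size rule in this reply is the part of the hexedit walkthrough in the first post that is easy to get wrong by hand, so here is the edit done programmatically, as an added example that is not code from the thread. The function rewrites only C strings that are exactly the version string seen on the wire, pads with NUL bytes to the original length so no other offset moves, and a second helper shows which bytes changed so you can confirm that before swapping the binary in. The byte blob in main() is constructed to mirror the hex dump in the first post; `target_from_banner`, `changed_offsets` and the file paths are mine, and the sample paths are placeholders.

```python
"""Same-length rewrite of the version string in a copy of an sshd binary.
Added example, not from the thread. Only whole strings that equal the target
are touched; other strings that merely share the "OpenSSH_" prefix are left
alone, and the file size can never change.
"""
import sys


def target_from_banner(line):
    """The softwareversion part of "SSH-2.0-<softwareversion>" as bytes; this
    is the C string to look for in the binary."""
    return line.strip().split("-", 2)[2].encode("ascii")


def patch_version_strings(blob, target, keep=b"OpenSSH"):
    """Rewrite every NUL-terminated C string that is exactly `target` so that
    only `keep` remains, padded with NUL bytes to the original length.
    Returns (patched_bytes, number_of_strings_rewritten)."""
    if len(keep) > len(target):
        raise ValueError("replacement longer than the %d-byte original" % len(target))
    padded = keep.ljust(len(target), b"\x00")  # same byte count as the original
    out = bytearray(blob)
    count = 0
    pos = 0
    while True:
        start = out.find(target, pos)
        if start < 0:
            break
        end = start + len(target)
        pos = end
        # Whole string only: NUL (or file start) before it, NUL right after it.
        whole = (start == 0 or out[start - 1] == 0) and end < len(out) and out[end] == 0
        if whole:
            out[start:end] = padded
            count += 1
    if len(out) != len(blob):
        raise AssertionError("patch changed the file size")
    return bytes(out), count


def changed_offsets(a, b):
    """Offsets at which two equal-length byte strings differ, to verify that a
    patch touched only the bytes you meant to change."""
    if len(a) != len(b):
        raise ValueError("sizes differ")
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def c_string_at(blob, offset):
    """The NUL-terminated string starting at `offset`, as a hex editor shows it."""
    return blob[offset:blob.index(b"\x00", offset)]


if __name__ == "__main__":
    # Constructed to mirror the bytes at 0x53FE0 in the first post's hex dump.
    sample = b"nd-line\x00OpenSSH_5.1p1 Debian-3ubuntu1\x00%s, %s\n\x00KR"
    target = target_from_banner("SSH-2.0-OpenSSH_5.1p1 Debian-3ubuntu1")
    patched, n = patch_version_strings(sample, target)
    print("rewrote %d string(s), %d byte(s) changed" % (n, len(changed_offsets(sample, patched))))
    print(c_string_at(patched, sample.find(target)))
    # Usage on a copy (placeholder paths): python3 patch_sshd.py /root/tmp/sshd "SSH-2.0-OpenSSH_5.1p1 Debian-3ubuntu1"
    # The result is written as <path>.patched so the original copy survives.
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
        patched, n = patch_version_strings(data, target_from_banner(sys.argv[2]))
        with open(sys.argv[1] + ".patched", "wb") as fh:
            fh.write(patched)
        print("rewrote %d string(s) in %s" % (n, sys.argv[1]))
```

Feed it the banner you read with ncat so the target is the exact string this build carries, then do what the first post does: start the patched copy from its full path, connect to it, and only then replace /usr/sbin/sshd. A count of 0 means the string was not found as a whole C string and nothing was written.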
#3
10-27-2009, 01:29 AM
vvpalin
Senior Member
Join Date: Apr 2009
Location: all.ur.base
Posts: 417

I just modified the source, recompiled, then replaced the binary; it was a lot easier, I think. However I might just give your way a go for the experience ... any tips on what to use?

(Edit) Took me less than 20 min to figure it out; the guide is now updated.
__________________
Using backtrack for the first time is like being 10 years old again with the keys to a Ferrari.

Last edited by vvpalin; 10-27-2009 at 02:15 AM.
#4
10-27-2009, 02:24 AM
Gitsnik
Senior Member
Join Date: Jun 2009
Location: The Crystal Wind
Posts: 494

Quote:
Originally Posted by vvpalin
I just modified the source, recompiled, then replaced the binary; it was a lot easier, I think.
Hard to do when you apt-get everything in; plus it's good skills to learn to hexedit binaries - especially for changing the way the basics work - like "strings".
__________________
Never underestimate the power of human stupidity - it is like a force of nature, capable of destroying even the most well laid plans.
#5
10-27-2009, 09:40 AM
wyze
Jenkem Addict
Join Date: Jul 2007
Location: chmod 400
Posts: 1,593

This is the proper way to do it: SSHD hide version patch | 0x80
__________________
dd if=/dev/swc666 of=/dev/wyze
#6
10-27-2009, 11:57 AM
Gitsnik
Senior Member
Join Date: Jun 2009
Location: The Crystal Wind
Posts: 494

Quote:
Originally Posted by wyze
This is the proper way to do it: SSHD hide version patch | 0x80
We already covered that, and I did mention that it was good to learn the other way as well.
__________________
Never underestimate the power of human stupidity - it is like a force of nature, capable of destroying even the most well laid plans.
#7
10-27-2009, 01:15 PM
wyze
Jenkem Addict
Join Date: Jul 2007
Location: chmod 400
Posts: 1,593

Quote:
Originally Posted by Gitsnik
We already covered that, and I did mention that it was good to learn the other way as well.
Actually..... you _didn't_.

Furthermore, hex editing the SSH binary could very well destroy the binary, which for those that would attempt this on a remote box could very well leave them S.O.L. if they did in fact make a mistake.
__________________
dd if=/dev/swc666 of=/dev/wyze
#8
10-27-2009, 01:20 PM
Gitsnik
Senior Member
Join Date: Jun 2009
Location: The Crystal Wind
Posts: 494

Quote:
Originally Posted by wyze
Actually..... you _didn't_.

Furthermore, hex editing the SSH binary could very well destroy the binary, which for those that would attempt this on a remote box could very well leave them S.O.L. if they did in fact make a mistake.
Quote:
plus it's good skills to learn to hexedit binaries - especially for changing the way the basics work - like "strings".
But yes, hexediting it can be dangerous. But then again, we're all professionals and try these things in VMs or development installations beforehand, because we would never trust out and out what someone on a.. ahem.. "hacker" forum said.
__________________
Never underestimate the power of human stupidity - it is like a force of nature, capable of destroying even the most well laid plans.
#9
10-28-2009, 02:01 AM
vvpalin
Senior Member
Join Date: Apr 2009
Location: all.ur.base
Posts: 417

Quote:
Originally Posted by wyze
This is the proper way to do it: SSHD hide version patch | 0x80
I hate to say this, but that won't work on 5.3; take a look at the patch and the source, the line numbers are wrong.

Another thing I should say real fast: I've used that modified binary about 20 times now since I edited it, no problems as of yet. Even the VPN works good =0

As with everything there is a risk ... in fact I'll put a nice little warning on the main post just in case it's not clear.
__________________
Using backtrack for the first time is like being 10 years old again with the keys to a Ferrari.
#10
10-28-2009, 10:32 AM
wyze
Jenkem Addict
Join Date: Jul 2007
Location: chmod 400
Posts: 1,593

Quote:
Originally Posted by vvpalin
I hate to say this, but that won't work on 5.3; take a look at the patch and the source, the line numbers are wrong.
But as agreed on in private, the changes in sshd.c itself will work.

Also, regarding Apache banners, you can't overlook ModSecurity - namely the SecServerSignature directive, where one can change the Apache server banner to just about anything.
__________________
dd if=/dev/swc666 of=/dev/wyze