RE: NT/IIS decoy

From: Clement-Evans, Rhys (Rhys.Clement-Evans@swisslife.co.uk)
Date: 12/11/01


From: "Clement-Evans, Rhys" <Rhys.Clement-Evans@swisslife.co.uk>
To: "'Lambott@aol.com'" <Lambott@aol.com>, pen-test@securityfocus.com
Date: Tue, 11 Dec 2001 10:00:03 -0000

I believe that there are three (or more?) ways to do this. One is to write
your own ISAPI filter - not having played with this I cannot comment on how
effective it is.

Another method is by modifying the w3svc.dll file as you have already done.

You do need to ensure that only the 'text' characters are modified, and I
suspect that you may have overrun the text section when editing it
previously (this solution has worked for me on IIS4 systems, so I can say
for certain that it will work). If you'd prefer not to hand-edit the file
then you could try a third party w3svc.dll specific editor (for example
http://www.nstalker.com/banners.php (IIS-Banner-Edit) - I haven't used this
and the usual 'you use it at your own risk' disclaimer applies)

IIS 5 is a different story - the Win2k file protection system will revert a
modified w3svc.dll back to the original vanilla version. I would assume that
you can modify the w3svc.dll in the DLL cache and that this will then be a
permanent change. Not having a Win2k system to hand I am unable to provide
verification on this (if you try it then please let me know how it goes).

The third method is by installing the Microsoft IIS Lockdown utility and
setting the URLScan RemoveServerHeader variable to 1, and the
AlternateServerName to the text of your choice. This would be my preferred
option as you don't need to worry about service pack/patch file overwrites
of w3svc.dll. Further details of lockdown are available from
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/locktool.asp
- or for a quick look at the URLScan options -
http://www.iisfaq.com/Articles/384/

Enjoy

Rhys

-----Original Message-----
From: Lambott@aol.com [mailto:Lambott@aol.com]
Sent: 07 December 2001 11:53
To: pen-test@securityfocus.com
Subject: NT/IIS decoy

Hello

Does anyone know how to hide or mask the identity of an IIS 4.0 or 5.0 server
such that if a "GET" command is issued following a telnet to the server on
port 80, the server will display a different server type so as to hide its
true identity.

I searched the IIS installation drive using the following strings -
Microsoft-IIS/4.0 and Microsoft-IIS/5.0
The result was a file called w3svc.dll which is apparently the IIS world wide
web publishing service. I manually stopped this service, backed up the file
and then amended it to reflect my decoy server type; however, the next time I
attempted to start the service it failed.
I have heard of honey pot-type programs that can also achieve my desired
result, but have never actually played with one myself.

Has anyone come across this, and does anyone know of any solution for what I
am trying to achieve?

Thanks

Taiye Lambo, CISSP
Principal Security Consultant
CyberCops Europe (UK)
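As an added example (this is editorial code, not code from either poster), the two checks this thread turns on: reading the Server header off the wire the way the "telnet to port 80 and type GET" test does, and patching a banner string inside a binary image without changing its byte length, which is the constraint Rhys describes when he says only the 'text' characters may be modified and suspects the earlier edit overran the string. It assumes the banner is stored as a NUL-terminated ASCII string; the "DLL" it patches is a constructed byte string, not a real w3svc.dll, so it runs offline.

```python
"""
Added example, not from the original thread: two checks around a decoy
Server header.

  banner_of()    pulls the Server header out of a raw HTTP response, i.e.
                 what a telnet-to-port-80 GET would show.
  patch_banner() swaps a banner string inside a binary image in place,
                 keeping the original byte length.  A replacement longer
                 than the string it overwrites spills into whatever follows
                 (other strings, data or code), which is the likely reason a
                 hand-edited module refuses to start.

Assumption: the banner is a NUL-terminated ASCII string.  SAMPLE_IMAGE is a
constructed stand-in, not a real w3svc.dll.
"""
import socket
from typing import Optional

OLD_BANNER = b"Microsoft-IIS/4.0"

# Constructed image: 16 header bytes, the NUL-terminated banner, then bytes
# that must survive the patch untouched.
SAMPLE_IMAGE = (
    b"MZ" + b"\x00" * 14
    + OLD_BANNER + b"\x00"
    + b"\xde\xad\xbe\xef" + b"GET\x00HEAD\x00"
)


def banner_of(raw: bytes) -> Optional[str]:
    """Return the Server header value from a raw HTTP/1.x response, or None."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            return value.strip().decode("latin-1")
    return None


def fetch_banner(host: str, port: int = 80, timeout: float = 5.0) -> Optional[str]:
    """Send a minimal HEAD request to a live host and return its Server header."""
    request = b"HEAD / HTTP/1.0\r\nHost: " + host.encode("ascii") + b"\r\n\r\n"
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return banner_of(data)


def patch_banner(image: bytes, old: bytes, new: bytes) -> bytes:
    """Return a copy of image with every occurrence of old replaced by new,
    NUL-padded to the same length.  A longer replacement is refused because
    it would overwrite the bytes that follow the string."""
    if len(new) > len(old):
        raise ValueError(
            f"{new!r} is {len(new) - len(old)} byte(s) longer than {old!r}; "
            "it would overwrite the bytes after the string"
        )
    if old not in image:
        raise ValueError(f"{old!r} not found in image")
    padded = new + b"\x00" * (len(old) - len(new))
    patched = image.replace(old, padded)
    assert len(patched) == len(image)              # file layout unchanged
    return patched


if __name__ == "__main__":
    # Constructed response, as a telnet GET against an unpatched server would show.
    fake_response = (b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/4.0\r\n"
                     b"Content-Length: 0\r\n\r\n")
    print("banner on the wire:", banner_of(fake_response))
    ok = patch_banner(SAMPLE_IMAGE, OLD_BANNER, b"Apache/1.3.22")
    print("patched bytes:", ok[16:33])
    try:
        patch_banner(SAMPLE_IMAGE, OLD_BANNER, b"Apache/1.3.22 (Unix)")
    except ValueError as err:
        print("refused:", err)
```

Run it against a copy of the module, never the live file, and keep the backup the original poster mentions; as the reply notes, a patched w3svc.dll is reverted by Windows File Protection on Windows 2000 and overwritten by service packs, which is why the URLScan RemoveServerHeader/AlternateServerName route is the one to prefer. fetch_banner() is the only function that touches the network; it uses HEAD rather than GET, which returns the same headers.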


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/


