Thursday, September 6, 2012

Changing apache banner to trick nmap scans

'Security Through Obscurity'. This principle is used in securing computer systems by relying on secrecy of the design or implementation to provide security. The basic idea is to not reveal details about the system, or to give out wrong information, in an attempt to thwart possible attacks. Although this principle provides security up to some extent, it does not actually fix the vulnerability; the only possible benefit is a delay in the attacker's information-gathering phase (Wikipedia). However, I've been wanting to try it out, and here I'd like to share it...

I'll show you how to change the Apache server name to anything you wish (like Windows IIS, and so on), which will appear in the HTTP response headers. The following screenshot shows the default output of an nmap scan against the Apache server.

Here I am using apache2 on an Ubuntu box in a VM.
First of all, we need to install the mod_security Apache module. We do that by typing the following commands in a shell:
    root@ubuntu:~# apt-get update
    root@ubuntu:~# apt-get install libapache-mod-security

Now that mod-security is installed, we need to enable it by typing:
    root@ubuntu:~# a2enmod mod-security

You may want to restart your server at this point by typing:
    root@ubuntu:~# /etc/init.d/apache2 restart

Navigate to the following directory:
    /etc/apache2/conf.d/
and open the file "security" with your favorite editor. It should look something like this:

See the line "ServerTokens OS"?
Replace that with "ServerTokens Full" (alternatively, you can comment out 'ServerTokens OS' and remove the comment on 'ServerTokens Full'). mod_security can only rewrite the banner when Apache is configured to emit the full one, which is why this step is needed.

Scroll down a bit and you'll see this line: ServerSignature On
Replace this line with: SecServerSignature Microsoft-IIS/5.0
Note the difference: SecServerSignature is a mod_security directive, not an Apache core one. Here you can replace "Microsoft-IIS/5.0" with any other name you want. This is the string that is going to appear in the Server header of the HTTP responses from the server.

Save the file and exit. Restart the server by typing:
    root@ubuntu:~# /etc/init.d/apache2 restart

Now you're ready to fire up nmap and scan your host!

There it is! It showed our Apache server as Microsoft IIS.
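A way to confirm the change without a screenshot or an nmap run: the script below is an added example of my own, not code from the original post. It fetches a server's response headers, extracts the Server banner, classifies how much the banner discloses (full version and platform, version only, product only, or nothing) and checks it against the string you configured. The sample responses inside it are constructed for the example, and the hostname in the commented live call is a placeholder.

```python
"""Audit the 'Server' banner an HTTP server advertises.

Added example (not from the original post). Run it after changing the
banner to confirm the header really says what you configured and to see
how much it discloses. The samples below are constructed, not captured.
"""
import http.client
import re
from typing import Optional

# Constructed sample responses: a stock Ubuntu-style banner (ServerTokens OS),
# the masked banner from the post, a product-only banner, and no banner at all.
SAMPLE_DEFAULT = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Thu, 06 Sep 2012 10:00:00 GMT\r\n"
    b"Server: Apache/2.2.22 (Ubuntu)\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)
SAMPLE_MASKED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)
SAMPLE_PRODUCT = b"HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n"
SAMPLE_NONE = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"


def parse_headers(raw: bytes) -> dict:
    """Split a raw HTTP response head into {lower-case name: value}."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:      # [0] is the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def disclosure_level(server: Optional[str]) -> str:
    """Classify how much a Server header gives away."""
    if not server:
        return "none"                        # header absent
    has_version = re.search(r"/\d", server) is not None
    if has_version and "(" in server:
        return "version+platform"            # e.g. ServerTokens OS or Full
    if has_version:
        return "version"                     # product and version number
    return "product"                         # e.g. ServerTokens Prod


def audit(raw: bytes, expected: Optional[str] = None) -> dict:
    """Report the banner, its disclosure level and whether it equals `expected`."""
    server = parse_headers(raw).get("server")
    return {
        "server": server,
        "disclosure": disclosure_level(server),
        "matches_expected": expected is not None and server == expected,
    }


def fetch_raw_head(host: str, port: int = 80, path: str = "/") -> bytes:
    """Send a HEAD request and rebuild the response head as bytes for audit()."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        status = f"HTTP/1.1 {resp.status} {resp.reason}\r\n"
        head = "".join(f"{k}: {v}\r\n" for k, v in resp.getheaders())
        return (status + head + "\r\n").encode("iso-8859-1")
    finally:
        conn.close()


if __name__ == "__main__":
    for label, sample in (("default", SAMPLE_DEFAULT), ("masked", SAMPLE_MASKED)):
        print(label, audit(sample, expected="Microsoft-IIS/5.0"))
    # Against a live host (hostname is a placeholder):
    # print(audit(fetch_raw_head("web.example"), expected="Microsoft-IIS/5.0"))
```

Note that the masked banner still scores as "version": the point of the post is that the version shown is a fake one, and the audit only tells you what the header says, not whether it is true.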

This technique can be used to temporarily mask the web server name while a critical unpatched vulnerability exists.
However, there are many other ways a skilled attacker can determine the actual service and version running on the machine. One should not depend entirely on the 'security through obscurity' principle, and it should never be used as the primary defense against attacks.
Nothing beats secure application coding!
Please let me know your comments and suggestions.. :)
Thank you!

DNS Changer Malware

Hello readers,
It's difficult to juggle academics, extracurriculars, social life, learning stuff and still find time to write articles for my blog. I've got some nice advice today from one of the senior members on a hackers' forum. From now onwards I'll be doing my best to keep this blog updated. So do check out!
This is an article I wrote for our college magazine, which will be published tomorrow. There was a word limit and it's intended for a general audience. Here we go...

These warnings splashed across the internet, Facebook, Google and newspapers: 'you may lose your access to the internet on 9th of July.' The reason behind it: the FBI was to take down around 100 rogue DNS servers that had infected over 4 million computers in over 100 countries. 'Operation Ghost Click', as it was codenamed, is considered one of the biggest cybercrime takedowns in history.

In 2007, a group of Estonian and Russian hackers released this DNS hijacking malware. The 'DNSChanger' malware made its way into users' computers by tricking them into downloading a video codec (a piece of software required to play a video format) when they visited certain websites. The malware would then change the DNS server entries on the infected computer to point to a rogue DNS server set up by the attackers. These servers redirected links of certain websites to advertising pages, thus pulling in a whopping $14 million of revenue for its creators through fraudulent advertising. The malware also prevented any installed antivirus from receiving security updates. Within four years of the malware's presence all over the world, its botnet (zombie network) grew to a few million machines, a large part of which were in the USA.

On 9 Nov 2011, the FBI and the US authorities began 'Operation Ghost Click' to take down this multi-million-dollar cybercrime racket. Six Estonians and one Russian national connected to DNSChanger were charged and arrested, and the FBI seized the DNS servers connected to the malware. The plan was to immediately take down these rogue DNS servers, although this would mean leaving millions of infected users without a way to connect to the internet. Hence the court ordered the Internet Systems Consortium (ISC) to operate replacement DNS servers and to prompt infected users about the presence of the malware. The deadline of this court order was extended up to 9th July 2012 because of concern that there were still many infected computers across the world. During this period, the FBI began an extensive media campaign to warn users about the DNSChanger malware and that they might lose access to the internet on 9th July.

The impact of this shutdown is considered minimal, credit to the information campaign surrounding the malware, ISPs providing temporary DNS to affected customers, and antivirus companies doing their best, along with Facebook and Google providing notifications to visitors who were affected by the malware. It has been estimated that the number of infections still present has dropped to some tens of thousands. A website, http://www.dcwg.org, has been set up to provide information and help people scan for and remove the malware from their machines.

While the damage done by DNSChanger is now largely under control, many botnets consisting of thousands of zombies still exist in the world. At worst, sophisticated attacks against government and military systems can be launched from these infected computers, which may create trouble for the end user. It won't hurt to follow simple security practices to combat the ever-growing hackers' underground.
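The article describes the malware's mechanism (rewriting the machine's DNS server entries) and the remedy (scanning your machine). The script below is an added example of my own, not from the article or from the DCWG: it parses resolv.conf-style text and labels each configured resolver as clean, inside a rogue address block, or invalid. The rogue blocks it uses are RFC 5737 documentation ranges standing in as placeholders, not the real DNSChanger ranges (which the article does not list); substitute the published list before using it for a real check. The resolv.conf content is constructed.

```python
"""Check configured DNS resolvers against a list of rogue address blocks.

Added example, not from the original article. The idea is the one behind
the DCWG check: compare the machine's DNS server entries with the address
blocks the rogue servers lived in.
"""
import ipaddress
from typing import List, Tuple

# PLACEHOLDER ranges (RFC 5737 documentation networks), NOT the real
# DNSChanger blocks. Replace with the published list for a real check.
ROGUE_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed resolv.conf: one private resolver, one inside a placeholder
# rogue block (as an infected machine would have), a comment, and a bad entry.
SAMPLE_RESOLV_CONF = """\
# constructed sample, not from a real machine
nameserver 10.0.0.1
nameserver 192.0.2.53   # entry a DNS-changing malware would inject
search example.test
nameserver not-an-ip
"""


def parse_nameservers(resolv_conf: str) -> List[str]:
    """Return the nameserver values from resolv.conf-style text, ignoring comments."""
    servers = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def check_resolvers(resolv_conf: str,
                    rogue_ranges=ROGUE_RANGES) -> List[Tuple[str, str]]:
    """Label each configured resolver 'ok', 'rogue' or 'invalid'."""
    findings = []
    for server in parse_nameservers(resolv_conf):
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            findings.append((server, "invalid"))   # not an IP address at all
            continue
        hit = any(addr in net for net in rogue_ranges)
        findings.append((server, "rogue" if hit else "ok"))
    return findings


def is_clean(resolv_conf: str, rogue_ranges=ROGUE_RANGES) -> bool:
    """True only when every configured resolver is a valid, non-rogue address."""
    return all(status == "ok"
               for _, status in check_resolvers(resolv_conf, rogue_ranges))


if __name__ == "__main__":
    for server, status in check_resolvers(SAMPLE_RESOLV_CONF):
        print(f"{server:20} {status}")
    # On a real Linux host, feed it the live file:
    # print(is_clean(open("/etc/resolv.conf").read()))
```

On a machine that uses a local stub resolver (127.0.0.1 or similar) the file only shows the stub, so the same comparison has to be run against the upstream servers the stub forwards to.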