Spoofing Banners with Open-Source Servers

by m0untainrebel  (m0untainrebel@riseup.net)

When trying to gain access to a computer through non-traditional means, one of the first things you do is a port scan.

You want to find out what ports are open, what software is running on those ports, and, if possible, the version of that software.  Then, you can see if there are any known vulnerabilities for you to exploit.

In many cases, you can use banner grabbing to determine which software is running and its version.  After you connect to an open port, it's often polite for the service to send you a welcome banner containing information about it.  This article is about how to spoof the welcome banner in open-source servers, using OpenSSH as an example, to trick or otherwise throw off potential attackers.

The most popular port scanner today is Nmap, which you can get at insecure.org.  It has a plethora of features, and if you're not already familiar with it, I suggest you read up on it.

A typical Nmap scan looks like this:

# nmap 192.168.1.10
Starting Nmap 4.60 ( http://nmap.org ) at 2008-04-26 20:45 EDT
Interesting ports on 192.168.1.10:
Not shown: 1711 closed ports
PORT     STATE SERVICE
22/tcp   open ssh
80/tcp   open http
3128/tcp open squid-http
5900/tcp open vnc
Nmap done: 1 IP address (1 host up) scanned in 0.139 seconds

Nmap can also do version detection and OS fingerprinting, though I would avoid using these features unless you're out of other options.  They aren't very stealthy.  OS fingerprinting has been known to crash servers before, and it's not always accurate.

Here's what the same scan looks like with version detection enabled:

# nmap -sV 192.168.1.10
Starting Nmap 4.60 ( http://nmap.org ) at 2008-04-26 20:46 EDT
Interesting ports on 192.168.1.10:
Not shown: 1711 closed ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
80/tcp   open  http       Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5 with Suhosin-Patch)
3128/tcp open  http-proxy Squid webproxy 3.0.STABLE1
5900/tcp open  vnc        VNC (protocol 3.7)
Nmap done: 1 IP address (1 host up) scanned in 11.194 seconds

It might be tempting to always do version detection, or even OS detection, with your Nmap scans because the results may contain a lot of juicy information.  But if the goal is stealth, it's best to make as little unnecessary traffic on your victim's network as possible.

Instead, I would suggest using the TCP SYN scan, which is the default scan type if you're running as root, with no other special features.  You may want to slow down the scan to make it less likely that an intrusion detection system will notice you.  Once you know what you're dealing with, you can try figuring out the server software and version one at a time.  There's no need to do a version scan on the http-proxy port if you don't intend to attack it, right?

How does banner grabbing work?

Servers listen on TCP ports, and some services send out a welcome banner as soon as a connection is made to these ports.  To do a manual banner grab, you just need to connect to your target server on a specific port using a program like Telnet or Netcat.  Then, you can see what it says.  This certainly doesn't always work, but it works a lot of the time.

Here are example banner grabs for the services above:

# nc 192.168.1.10 22
SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
# nc 192.168.1.10 80
# nc 192.168.1.10 3128
# nc 192.168.1.10 5900
RFB 003.007

As you can see, the services on ports 80 and 3128 don't display welcome banners.

Port 5900 does, but in order to figure out what it means, you'd probably have to Google for it.

In those cases, I think it would be safe to just use Nmap's version detection.

Here's how you would only scan ports 80 and 3128, with version detection:

# nmap -sV -p80,3128 192.168.1.10

For this article, we'll hide the banner for the OpenSSH server, making it much harder to attack that port.  As long as you're reasonably comfortable with the syntax of the programming language that the server was programmed in, you can do this on your own with any other open-source server.

If you're already running an SSH server, uninstall it.  Go to openssh.org and download source code for the latest version of OpenSSH.

Extract the code, and edit the file: sshd.c

This is the C file for the SSH daemon.  If you're trying this with some other server, it might take a little bit of figuring out the program flow before you find exactly where the banner gets displayed in the code.

In OpenSSH, it's in the function sshd_exchange_identification().  Search for the line that looks like this:

snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", major, minor, SSH_VERSION);

This is the line which prints a banner that looks similar to: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1

The first part, SSH-%d.%d-, is necessary for SSH clients to know what version of the SSH protocol they're dealing with, and they won't be able to connect if that isn't intact.  The next part displays the value of the constant SSH_VERSION, which is defined in version.h.

Here's what I changed that line of code to:

snprintf(buf, sizeof buf, "SSH-%d.%d-MESS WITH THE BEST, DIE LIKE THE REST\n", major, minor);

That's it.
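To show why the SSH-%d.%d- prefix has to survive while everything after it is free text, here is a small Python script, added for this article and not part of OpenSSH or of the original text, that parses SSH identification lines the way RFC 4253 lays them out (SSH-protoversion-softwareversion SP comments) and models the one check a protocol 2 client actually makes.  It also includes a timeout-protected equivalent of the Netcat banner grab from earlier in the article.  The sample banners are constructed from the strings shown on this page; the function names are mine.

```python
import re
import socket

# Grammar of the SSH identification string (RFC 4253, section 4.2):
#   SSH-protoversion-softwareversion SP comments CR LF
# OpenSSH of the era described in the article ends the line with a bare LF,
# so both line endings are accepted here.
BANNER_RE = re.compile(
    r"^SSH-(?P<major>\d+)\.(?P<minor>\d+)-"
    r"(?P<software>[^ \r\n]*)(?: (?P<comments>[^\r\n]*))?\r?\n?$"
)


def parse_ssh_banner(line):
    """Split an SSH identification line into its fields.

    Returns a dict with keys major, minor, software, comments, or None when
    the line is not an SSH identification string at all.
    """
    m = BANNER_RE.match(line)
    if m is None:
        return None
    return {
        "major": int(m.group("major")),
        "minor": int(m.group("minor")),
        "software": m.group("software"),
        "comments": m.group("comments") or "",
    }


def client_would_connect(line):
    """Model the check a protocol 2 client performs before continuing.

    The 'SSH-x.y-' prefix must be present and advertise 2.0, or 1.99, which
    RFC 4253 lets a server send when it also speaks protocol 1.  The software
    field is informational only and is never validated, which is what makes
    the banner swap in the article safe for real clients.
    """
    info = parse_ssh_banner(line)
    if info is None:
        return False
    return (info["major"], info["minor"]) in ((2, 0), (1, 99))


def grab_banner(host, port=22, timeout=5.0):
    """Read the first line a service sends after connect, like `nc host port`,
    but with a timeout so a silent service (ports 80 and 3128 in the article)
    returns an empty string instead of hanging."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            while not data.endswith(b"\n") and len(data) < 255:
                chunk = s.recv(1)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass
    return data.decode("utf-8", errors="replace")


# Constructed sample banners: the stock line and the spoofed line from the
# article, plus one with the protocol prefix removed entirely.
SAMPLES = {
    "stock": "SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1\n",
    "spoofed": "SSH-2.0-MESS WITH THE BEST, DIE LIKE THE REST\n",
    "broken": "MESS WITH THE BEST, DIE LIKE THE REST\n",
}

if __name__ == "__main__":
    for name, banner in SAMPLES.items():
        print(name, parse_ssh_banner(banner), client_would_connect(banner))
```

Run it and the stock banner parses to software "OpenSSH_4.7p1" with comment "Debian-8ubuntu1", the spoofed banner parses to software "MESS" with everything after the first space as a comment, and both pass the client check; only the line with the prefix stripped fails.  One caveat worth knowing before you pick a banner: the OpenSSH client keys some compatibility quirks on the remote software-version string (see compat.c in the source tree), so a string that matches none of its patterns simply gets the default behaviour, which is what you want.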

Save the file, and compile and install OpenSSH.

There are detailed instructions in the file INSTALL, but, in short, you need to make sure you have the zlib and OpenSSL development libraries installed.

Then, you type: ./configure, then make, then make install.

Now that I'm running my newly compiled OpenSSH server, here's what the banner grab looks like:

# nc 192.168.1.10 22
SSH-2.0-MESS WITH THE BEST, DIE LIKE THE REST

And here's what the Nmap version detection scan looks like:

# nmap -sV -p22 192.168.1.10
Starting Nmap 4.60 ( http://nmap.org ) at 2008-04-26 21:00 EDT
Interesting ports on 192.168.1.10:
PORT   STATE SERVICE VERSION
22/tcp open  ssh     (protocol 2.0)
1 service unrecognized despite returning data. 
If you know the service/version, please submit the following fingerprint at 
http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port52186-TCP:V=4.60%I=7%D=4/26%Time=4813D050%P=x86_64-unknown-linux-gnu%r(NULL,2E,"SSH-2\.0-MESS\x20WITH\x20THE\x20BEST,\x20DIE\x20LIKE\x20THE\x2
SF:0REST\n");
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.087 seconds

Editing other people's software like this really isn't as intimidating as it might seem, provided that you understand some of the language it's programmed in.

Without too much trouble, you could even edit the server so that it doesn't send the SSH protocol version and edit the client so it doesn't require a protocol version to be sent.

This way, attackers won't even know that they're dealing with an SSH server, and you'll only be able to connect to it with your special client.

The possibilities of bulletproof security with just a little bit of code hacking are endless.
