Security Basics mailing list archives
RE: Preventing OS Detection
From: Joey Peloquin <jpelo1 () jcpenney com>
Date: Fri, 27 Feb 2004 10:09:47 -0600
this prevents iis from starting ? or does this work cleanly ? googled around for results but had some reports that iis crashes or becomes unresponcive after this lobotization -aditya
It works cleanly: GET / HTTP/1.0 HTTP/1.1 302 Object moved Server: Dummy Server 1.0! Date: Fri, 27 Feb 2004 15:42:14 GMT X-Powered-By: ASP.NET Location: localstart.asp Connection: Keep-Alive Content-Length: 121 Content-Type: text/html Cache-control: private I believe the reason some people can't get IIS to start afterward is byte misalignment. Whatever you replace Microsoft-IIS/5.0 and Server: Microsoft-IIS/5.0 with *must* fit into the same space. One byte off and you get: Invalid access to memory location. You really need to use a HEX editor for this, even though the article from Securiteam states notepad can be used. IIRC, the FTP DLL is not as picky (it's been quite a while, but I seem to remember changing the FTP banner with notepad). Also, remember WFP will replace your new DLL, with one from DLLCache, so delete the cached DLL before trying to save your modified version. Personally, I copied the original to my desktop, deleted original from cache, modified the desktop copy, then moved it into \inetsrv. Although, as discussed, this is pretty much moot, if "they" can fire tools directly at you: [root@xxx jpelo1]# nmap -O -p 80 -vv 10.x.x.x Port State Service 80/tcp open http Remote operating system guess: Windows Millennium Edition (Me), Win 2000, or WinXP Good Luck! Joey Peloquin
The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. If the reader of this message is not the intended recipient, you are hereby notified that your access is unauthorized, and any review, dissemination, distribution or copying of this message including any attachments is strictly prohibited. If you are not the intended recipient, please contact the sender and delete the material from any computer.
--------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- Preventing OS Detection Paul Kurczaba (Feb 20)
- RE: Preventing OS Detection dave kleiman (Feb 24)
- RE: Preventing OS Detection Tiago Halm (Feb 27)
- Re: Preventing OS Detection Vincent (Feb 24)
- RE: Preventing OS Detection Jim Laverty (Feb 25)
- RE: Preventing OS Detection Joey Peloquin (Feb 24)
- RE: Preventing OS Detection Aditya, ALD [Aditya Lalit Deshmukh] (Feb 27)
- RE: Preventing OS Detection Joey Peloquin (Feb 27)
- RE: Preventing OS Detection Aditya, ALD [Aditya Lalit Deshmukh] (Feb 27)
- <Possible follow-ups>
- RE: Preventing OS Detection Hagen, Eric (Feb 24)
- RE: Preventing OS Detection Hagen, Eric (Feb 24)
- Re: Preventing OS Detection Naren (Feb 25)
- FW: Preventing OS Detection check (Feb 25)
- MS IIS Urlscan - Preventing OS Detection Tom Milliner (Feb 25)
- RE: Preventing OS Detection dave kleiman (Feb 24)