Security Basics mailing list archives

RE: Preventing OS Detection


From: Joey Peloquin <jpelo1 () jcpenney com>
Date: Fri, 27 Feb 2004 10:09:47 -0600

> This prevents IIS from starting? Or does this work cleanly?
> Googled around for results but had some reports that IIS
> crashes or becomes unresponsive after this lobotomization.
>
> -aditya

It works cleanly:
GET / HTTP/1.0

HTTP/1.1 302 Object moved
Server: Dummy Server 1.0!
Date: Fri, 27 Feb 2004 15:42:14 GMT
X-Powered-By: ASP.NET
Location: localstart.asp
Connection: Keep-Alive
Content-Length: 121
Content-Type: text/html
Cache-control: private

I believe the reason some people can't get IIS to start afterward is byte
misalignment.  Whatever you replace Microsoft-IIS/5.0 and Server:
Microsoft-IIS/5.0 with *must* fit into the same space.  

One byte off and you get: Invalid access to memory location.

You really need to use a HEX editor for this, even though the article from
Securiteam states notepad can be used.  IIRC, the FTP DLL is not as picky
(it's been quite a while, but I seem to remember changing the FTP banner
with notepad).

Also, remember WFP will replace your new DLL with one from DLLCache, so
delete the cached DLL before trying to save your modified version.
Personally, I copied the original to my desktop, deleted original from
cache, modified the desktop copy, then moved it into \inetsrv.

Although, as discussed, this is pretty much moot, if "they" can fire tools
directly at you:

[root@xxx jpelo1]# nmap -O -p 80 -vv 10.x.x.x
Port       State       Service
80/tcp     open        http
Remote operating system guess: Windows Millennium Edition (Me), Win 2000, or
WinXP

Good Luck!

Joey Peloquin
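As an added illustration of the byte-alignment point above (this is example code, not anything from the post or from the Securiteam article), here is the check a hex editor enforces and notepad does not: the replacement banner is padded to exactly the width of the original string, a longer one is rejected, and the file size is verified unchanged. The "DLL" bytes are a constructed stand-in, not real IIS data.

```python
from __future__ import annotations

# The string Joey replaced; "Dummy Server 1.0!" is the same 17 bytes.
OLD_BANNER = b"Microsoft-IIS/5.0"

# Constructed sample of what a DLL string table might hold around the banner.
# Both the bare string and the "Server: ..." form appear, as in the post.
SAMPLE_DLL = (b"\x00\x00Server: Microsoft-IIS/5.0\r\n\x00"
              b"HTTP/1.1\x00Microsoft-IIS/5.0\x00\x90\x90")


def fit_banner(new_banner: str, width: int, filler: str = "!") -> bytes:
    """Return new_banner as exactly width bytes, padded with filler.

    A banner longer than the slot cannot be used without shifting every
    following byte, so it is rejected instead of silently truncated.
    """
    data = new_banner.encode("ascii")
    pad = filler.encode("ascii")
    if len(pad) != 1:
        raise ValueError("filler must be a single ASCII byte")
    if len(data) > width:
        raise ValueError(f"{new_banner!r} is {len(data)} bytes; slot is {width}")
    return data + pad * (width - len(data))


def patch_banner(blob: bytes, new_banner: str,
                 old: bytes = OLD_BANNER) -> tuple[bytes, int]:
    """Replace every occurrence of old in blob byte-for-byte, same size.

    Returns (patched_blob, occurrences). The size check is the whole point:
    one byte off and the DLL fails with "Invalid access to memory location".
    """
    new = fit_banner(new_banner, len(old))
    count = blob.count(old)
    patched = blob.replace(old, new)
    if len(patched) != len(blob):
        raise RuntimeError("patch changed the file size; refusing to write it")
    return patched, count


if __name__ == "__main__":
    # Read/write a real file with open(path, "rb") / open(path, "wb");
    # the constructed sample is used here so the script runs offline.
    patched, n = patch_banner(SAMPLE_DLL, "Dummy Server 1.0!")
    print(f"patched {n} occurrence(s), size {len(SAMPLE_DLL)} -> {len(patched)}")
    print(patched)
```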

