Penetration Testing mailing list archives

RE: NT/IIS decoy

From: nvondadelszen () deloitte co nz
Date: Tue, 11 Dec 2001 08:43:42 +1300

You can use URLscan to hide the server header.  Hope this helps.

Nick von Dadelszen
Deloitte Touche Tohmatsu (NZ)


Hello

Does anyone know how to hide or mask the identity of a IIS 4.0 or 5.0 server
such that if a "GET" command is issued following a telnet to the server on
port 80, the server will display a different server type so as to hide it's
true identity.

I searched the IIS installation drive using the following strings -
Microsoft-IIS/4.0 and Microsoft-IIS/5.0
The result was a file called w3svc.dll which is aparently the IIS world wide
web publishing service, I manually stopped this service, backed up the file
and then ammended it to reflect my decoy server type, however, next time I
attempt to start the service it failed.
I have heard of honey pot type program that can also achieve my desired
result, but never actually played with one myself.

Has anyone come across this and does anyone know of any solution for what I
am trying to achieve.

Thanks

Taiye Lambo, CISSP
Principal Security Consultant
CyberCops Europe (UK)

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

************************************************************
CAUTION:  This e-mail and any attachment(s) contains
information that is both confidential and possibly legally
privileged.  No reader may make any use of its content
unless that use is approved by Deloitte separately in writing.
Any opinion, advice or information contained in this e-mail
and any attachment(s) is to be treated as interim and
provisional only and for the strictly limited purpose of the
recipient as communicated to us.  Neither the recipient nor
any other person should act upon it without our separate
written authorisation of reliance.
If you have received this message in error please notify us
immediately and destroy this message.  Thank you.
Deloitte Touche Tohmatsu
Internet: www.deloitte.co.nz
************************************************************ 

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

Current thread:

NT/IIS decoy Lambott (Dec 10)
- Re: NT/IIS decoy Michael Katz (Dec 10)
- Re: NT/IIS decoy Chuck Fitzpatrick (Dec 10)
- <Possible follow-ups>
- RE: NT/IIS decoy nvondadelszen (Dec 10)
- RE: NT/IIS decoy Clement-Evans, Rhys (Dec 11)
- RE: NT/IIS decoy Thor (Dec 12)
- Re: NT/IIS Decoy Qazi M.M. Ahmed (Dec 12)