Penetration Testing mailing list archives

RE: NT/IIS decoy


From: "Clement-Evans, Rhys" <Rhys.Clement-Evans () swisslife co uk>
Date: Tue, 11 Dec 2001 10:00:03 -0000

I believe that there are three (or more?) ways to do this. One is to write
your own ISAPI filter - not having played with this I cannot comment on how
effective it is. 

Another method is by modifying the w3svc.dll file as you have already done. 

You do need to ensure that only the 'text' characters are modified, and I
suspect that you may have overrun the text section when editing it
previously (this solution has worked for me on IIS4 systems, so I can say
for certain that it will work). If you'd prefer not to hand-edit the file
then you could try a third-party w3svc.dll-specific editor (for example
http://www.nstalker.com/banners.php (IIS-Banner-Edit) - I haven't used this
and the usual 'you use it at your own risk' disclaimer applies).

IIS 5 is a different story - the Win2k file protection system will revert a
modified w3svc.dll back to the original vanilla version. I would assume that
you can modify the w3svc.dll in the DLL cache and that this will then be a
permanent change. Not having a Win2k system to hand I am unable to provide
verification on this (if you try it then please let me know how it goes).

The third method is by installing the Microsoft IIS Lockdown utility and
setting the URLScan RemoveServerHeader variable to 1, and the
AlternateServerName to the text of your choice. This would be my preferred
option as you don't need to worry about service pack/patch file overwrites
of w3svc.dll. Further details of lockdown are available from
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/locktool.asp
- or for a quick look at the URLScan options - http://www.iisfaq.com/Articles/384/

Enjoy

Rhys
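The reply above recommends the URLScan route (RemoveServerHeader / AlternateServerName in urlscan.ini) and the original question describes checking the result by hand with telnet and a bare GET. The following is an added example, not code from either poster: it parses a constructed urlscan.ini fragment to report what the banner policy will be, and does the telnet-style probe in code, pulling the Server header out of a raw response. The sample ini text and the two canned responses are constructed for the example; only the two option names come from the reply. One caveat from the URLScan documentation: AlternateServerName only takes effect when RemoveServerHeader=0; with RemoveServerHeader=1 the Server header is dropped altogether, so the ini check below reports which of the two you will actually get.

```python
import configparser
import socket

# Constructed sample urlscan.ini fragment (not from the original post). The two
# [options] keys RemoveServerHeader and AlternateServerName are the ones the
# reply refers to; the other lines are illustrative.
SAMPLE_URLSCAN_INI = """\
[options]
UseAllowVerbs=1
EnableLogging=1
RemoveServerHeader=1
AlternateServerName=Apache/1.3.22 (Unix)

[AllowVerbs]
GET
HEAD
POST
"""


def banner_policy(ini_text):
    """Return ("removed", None), ("replaced", name) or ("default", None).

    Per the URLScan documentation, RemoveServerHeader=1 strips the Server header
    entirely and AlternateServerName is only used when RemoveServerHeader=0.
    """
    # urlscan.ini has sections such as [AllowVerbs] whose entries carry no '=',
    # hence allow_no_value; interpolation is off so '%' in values is harmless.
    cfg = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cfg.read_string(ini_text)
    opts = next((cfg[s] for s in cfg.sections() if s.lower() == "options"), {})
    remove = (opts.get("RemoveServerHeader") or "0").strip() == "1"
    alt = (opts.get("AlternateServerName") or "").strip()
    if remove:
        return ("removed", None)
    if alt:
        return ("replaced", alt)
    return ("default", None)


def server_header(raw_response):
    """Extract the Server header value from a raw HTTP response, or None."""
    head, _, _ = raw_response.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            return value.strip().decode("latin-1")
    return None


def leaks_iis(raw_response):
    """True if the banner still identifies the server as Microsoft IIS."""
    value = server_header(raw_response)
    return value is not None and "microsoft-iis" in value.lower()


def probe(host, port=80, timeout=5.0):
    """Do in code what the poster did with telnet: send a bare GET on port 80
    and return the Server header value (None if absent). Needs network access,
    so it is not exercised by the canned responses below."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode("ascii") + b"\r\n\r\n")
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return server_header(buf)


# Constructed responses (not captured from a real host): a default IIS 5.0
# banner, and the same response once URLScan has RemoveServerHeader=1.
DEFAULT_RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n"
                    b"Content-Type: text/html\r\n\r\n<html>")
STRIPPED_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"

if __name__ == "__main__":
    print("policy for sample ini:", banner_policy(SAMPLE_URLSCAN_INI))
    print("default response leaks IIS:", leaks_iis(DEFAULT_RESPONSE))
    print("stripped response leaks IIS:", leaks_iis(STRIPPED_RESPONSE))
```

Run `probe("your-host")` against the server after applying either the w3svc.dll edit or the urlscan.ini change to confirm the banner really changed; note that this only checks the Server header, which is all any of the three methods in the reply alter.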

-----Original Message-----
From: Lambott () aol com [mailto:Lambott () aol com]
Sent: 07 December 2001 11:53
To: pen-test () securityfocus com
Subject: NT/IIS decoy

Hello

Does anyone know how to hide or mask the identity of an IIS 4.0 or 5.0 server
such that if a "GET" command is issued following a telnet to the server on
port 80, the server will display a different server type so as to hide its
true identity?

I searched the IIS installation drive using the following strings -
Microsoft-IIS/4.0 and Microsoft-IIS/5.0
The result was a file called w3svc.dll which is apparently the IIS World Wide
Web Publishing Service. I manually stopped this service, backed up the file
and then amended it to reflect my decoy server type; however, the next time I
attempted to start the service it failed.
I have heard of honey-pot-type programs that can also achieve my desired
result, but have never actually played with one myself.

Has anyone come across this, and does anyone know of any solution for what I
am trying to achieve?

Thanks

Taiye Lambo, CISSP
Principal Security Consultant
CyberCops Europe (UK)


Swiss Life (UK) plc


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
