Security

Don't leak service and version info to would-be hackers: How to hide it

Christopher Patterson shows an easy tweak that removes some of the information potential hackers are looking for in order to try to gain access to your systems.

Attackers in the initial stages of an attack spend a great deal of time and effort on research and information gathering. This ranges from the most basic details about the target, for example the name of the local IT person (social engineering potential), to which type of exploit is most likely to succeed against your servers or websites.

For the purposes of this article, we assume that your attacker is going to attempt to infiltrate your server directly, rather than socially engineer access or perform a denial of service attack against it.

Much of your company's IT infrastructure information will be gathered from the most heavily exposed places, such as the Contact Us and Staff sections of your website or the Whois records, but when it comes to the server itself, scanning is what's involved. A port scanner such as Nmap, or a simple connection tool such as Ncat (which we will see later), can reveal a great deal about what OS a system is running and which services are listening on it. Scanning is not illegal in most cases; however, in some jurisdictions merely possessing scanning tools is illegal, so ensure you know the legal boundaries before embarking on a system scan.

An attacker who knows your OS has already narrowed down the attacks likely to succeed, and knowing the running services narrows them further. Each extra piece of information that's given out simply makes the task a little easier; consider the difference between a card thief knowing only the first digit of your ATM PIN and knowing the first three. With one digit, it will take a lot of time and guesswork, and the thief will likely give up or the card will be retained by the machine, but with three digits the chance of getting access is very high. The three digits, in the context of your server, are your OS, service name, and service version.

So, if giving out service information might be creating a hole in your security, let's look at how you can assess whether your server is giving out hazardous information, and then move on to the possible ways to remove it.

Let's take a look at a service banner with Ncat.


Simply running Ncat with the IP address and port specified returns the service's greeting, which here includes the exact version that is running. If an attacker checks vulnerability databases, or even simply searches the web for that version, they will find a lot of information; they may even find an exact exploit and/or payload for Metasploit (a vulnerability exploitation framework). That lets them run a pre-written exploit against your server and potentially "get shell". What happens from there is not something you want to experience. Hackers differ in their talents, and the absence of a Metasploit module for your particular service or version means nothing: if there is a vulnerability, it will be found. To put it plainly, we need to stop unnecessary information being visible to potential attackers wherever possible. Bear in mind that hiding a banner is a delaying tactic, not a fix: it does nothing for an unpatched service, and version-detection probes (for example Nmap's -sV option) fingerprint a service by how it responds to protocol-specific requests, not only by what its greeting says.

Mitigating the threat

So, let's take a look at one of the most frequently used and exploited services, Simple Mail Transfer Protocol (SMTP).

We will use Ncat again here. Ncat is the Nmap project's reimplementation of the classic Netcat, which has been described as the TCP/IP "Swiss army knife" due to its versatility. Ncat has the added benefit of running on Linux, Windows, and Mac OS, but needless to say there are several other tools of the same type that will do the job, though some may only be available for certain environments.

So, let's use the basics of Ncat to connect to the SMTP port on a test server and see what is returned. This can be run from the server itself, using the localhost IP, or from another internal or external host. As mentioned before, be aware that as the location of the scanning machine changes, so too do the legal aspects involved; read up on this before performing a scan. You may also need to alter your technique depending on where you are in relation to the target network and what protects it (i.e., firewalls). Familiarise yourself with Ncat and its commands and switches.

The command syntax is:

    nc <ip address of target> <port of target>

or, with the Nmap build:

    ncat <ip address of target> <port of target>

Running this against a test server's IP and port 25 for SMTP, the server's 220 greeting tells us that this machine is running the Microsoft SMTP Mail Service, version 5.0.2172.1. SMTP servers speak first, so the greeting arrives without any input from you; typing EHLO followed by a hostname lists the extensions the server supports, and QUIT closes the session cleanly. If nothing is returned, try again with the -vv switch (very verbose, e.g. nc -vv x.x.x.x 25) to see whether the connection is even being established.

As explained already, this information makes it that much easier and quicker for an attacker to assess and eventually penetrate your system, so let's look at one method of removing the banner.

Note: Below, I use MetaEdit as one example of a method for removing certain service banners from Windows servers. Although it will work on Windows Server 2008, it was designed for earlier versions (2000/2003). It is beyond the scope of this article to go through the numerous services and methods available; once you run your first scan and see which ports are leaking information, spend some time researching each leak and the ways to patch or remove the banner.

To remove the SMTP banner, download MetaEdit (available from Microsoft) and install it in your Administrative Tools folder. Open MetaEdit and expand its LM folder. Then expand the SMTP service key (SmtpSvc), expand 1, and click on 1. Here we add a new String value for the banner: in the top right hand box, enter the property ID 36907 (ConnectResponse), and in the bottom data area enter the new banner text you want for SMTP; in this instance, "This is a new banner for port 25". Click OK and exit MetaEdit. Now restart the SMTP service, then go back and scan port 25 again with Ncat and see what we receive this time.

As you can see, our banner no longer gives away version information about our SMTP service, making it that little bit harder for an attacker to pinpoint a vulnerability to gain access with. Note that this covers only the greeting: the Received headers that the Microsoft SMTP service stamps on every message it relays carry its own name and version ("with Microsoft SMTPSVC(version)"), so outbound mail still tells a recipient what you are running.
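The scan in the assessment step above, and the re-scan after the banner change, are exactly the check a practitioner wants to automate across every listening port. The following Python is an added example, not the article's tool and not anything from Microsoft: grab_banner() does what nc host port does (connect and read whatever the service says first), and version_leaks() flags product names and dotted version numbers in the text. So that it runs offline, it starts two loopback listeners whose greetings are constructed to mimic the article's before and after banners; the hostname mail.example.test, the product list, and the banner wording are assumptions.

```python
"""Banner-leak check (added example, not the article's own tool).

grab_banner() mirrors `nc <host> <port>`: connect, read the service's first
bytes, return them.  version_leaks() then flags product names and version
numbers.  A small loopback greeter stands in for a real SMTP server so the
example runs without a target; its banners are constructed for illustration.
"""
import re
import socket
import socketserver
import threading

# Product names commonly seen in banners and mail headers.  Assumption: this
# list is illustrative; extend it for the software in your own estate.
PRODUCT_RE = re.compile(
    r"Microsoft ESMTP|Microsoft SMTPSVC|Microsoft-IIS|Sendmail|Postfix|Exim|"
    r"OpenSSH|Apache|nginx",
    re.IGNORECASE,
)
# Dotted version numbers such as 5.0.2172.1.  An IPv4 address in a banner would
# also match, so treat hits as leads to confirm, not verdicts.
VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)*\b")


def grab_banner(host, port, timeout=5.0, probe=None):
    """Connect and return the service's opening line(s) as text ('' if silent).

    SMTP, FTP, SSH and POP3 servers speak first, so no probe is needed.
    Request/response protocols need one, e.g. for HTTP:
    probe=b"HEAD / HTTP/1.0\r\nHost: target\r\n\r\n" (the Server header leaks).
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if probe:
            sock.sendall(probe)
        try:
            data = sock.recv(1024)
        except socket.timeout:
            data = b""
    return data.decode("latin-1").strip()


def version_leaks(text):
    """Return {'products': [...], 'versions': [...]} found in banner/header text."""
    return {
        "products": PRODUCT_RE.findall(text),
        "versions": VERSION_RE.findall(text),
    }


def check_service(host, port, probe=None):
    """Grab a banner and summarise whether it discloses product or version."""
    banner = grab_banner(host, port, probe=probe)
    leaks = version_leaks(banner)
    verdict = "LEAK" if (leaks["products"] or leaks["versions"]) else "ok"
    return {"banner": banner, "leaks": leaks, "verdict": verdict}


class _Greeter(socketserver.BaseRequestHandler):
    """Loopback stand-in for an SMTP server: send a greeting, then wait for the
    client to close.  Used only so the example can run without a real target."""

    banner = b"220 ready\r\n"  # overridden per listener by serve_banner()

    def handle(self):
        self.request.sendall(self.banner)
        try:
            self.request.recv(64)
        except OSError:
            pass


def serve_banner(banner):
    """Start a loopback listener greeting with `banner`; return (server, port)."""
    handler = type("Greeter", (_Greeter,), {"banner": banner})
    server = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


# Constructed banners: the first mimics the stock Microsoft SMTP greeting the
# article's scan showed (version 5.0.2172.1); the second mimics the greeting
# after ConnectResponse is set to the article's custom text.
BANNER_BEFORE = (b"220 mail.example.test Microsoft ESMTP MAIL Service, "
                 b"Version: 5.0.2172.1 ready at Fri, 1 Jan 2010 10:00:00 +0000\r\n")
BANNER_AFTER = b"220 mail.example.test This is a new banner for port 25\r\n"


def demo():
    """Scan both constructed listeners; return {'before': ..., 'after': ...}."""
    results = {}
    for label, banner in (("before", BANNER_BEFORE), ("after", BANNER_AFTER)):
        server, port = serve_banner(banner)
        try:
            results[label] = check_service("127.0.0.1", port)
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:6} {result['verdict']:4} {result['banner']}")
        for kind, hits in result["leaks"].items():
            if hits:
                print(f"         {kind}: {', '.join(hits)}")
```

Point check_service() at your own hosts and ports to get the same LEAK/ok verdict for each listener, and pass a probe for protocols where the client must speak first. version_leaks() also goes slightly beyond the article: fed a Received header line from your own outbound mail, it flags the "Microsoft SMTPSVC(version)" stamp mentioned above, which a banner change alone does not remove.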

IIS itself announces its name and version in the Server header of every HTTP response. For IIS versions below 6.0 this can be addressed with the freely available IIS Lockdown tool (its bundled URLScan filter has a RemoveServerHeader option); IIS 6.0 and later incorporate the Lockdown functions, so the separate tool is not required there.

There are many services that can be running on your system, and you may not be able to hide information for all of them, but it's an important area to look into. Merely assessing your system banners will give you a better idea of what types of attack you could be subject to, and also arm you with a little more knowledge for protecting yourself and your systems.

About

Christopher Patterson currently works as a System Admin, Business Analyst, and Solutions Consultant for a large IT company. Christopher is a qualified security tester and is currently undertaking his Masters in IT Security and Digital forensics. Chri...

10 comments
JCitizen

Too bad most of my victims come to me after their attackers already know too much about them. Changing software and hardware is not an option either, in this economy. It basically boils down to something akin to hand-to-hand combat!

seanferd

There are plenty of "open directories" that enterprises/institutions don't seem to be aware of in their networks. Even if they aren't open, but return the standard "this is not a valid directory" or "you don't have permission" page, one can learn a lot from them: OS, webserver, versions and patch-levels. And all one needs to do is try changing the directory segments of the URL.

Alpha_Dog

Service and version information is leaked by all kinds of "helpful" apps. Periodically scan your network traffic for the day and spend a week going through the log files in the little bits of free time we all have (j/k). Make a note of any app that volunteers information and take appropriate steps. Further, get the info the way a hacker does. Generally a hacker will not connect to the net and sniff traffic. Brute forcing good encryption just isn't worth the effort anymore. He will grab an open AP from the parking lot, walk in with the cleaning crew and place an AP in the ceiling, or jack into the ethernet port in the waiting room while acting like they are waiting for an interview. Leave these entrances open and you have more to worry about than email headers or an unpatched server.

Michael Kassner

Scanning is not something I would suggest doing, unless written permission from the person in-charge of the network is obtained. Side note: Make sure the person is truly in-charge.

Neon Samurai

One can get a lot out of the service banner responses, so it's always best to see if your program allows custom banner messages or similar. If you really want to get serious about it, things like SSH with a hard-coded banner can be re-compiled (on the *nix server side anyhow). In the case of this example, wouldn't it just be a matter of identifying the server OS? You can do that through TCP response packets, and once you know it's a Windows box, you can be pretty sure it's an Exchange MTA behind an open port 25. You might not have the exact version, though, which does add a little effort. I'd also try sending an email to an expected dead account to see what header information is returned with the "user not found" response. One could also use that nifty Ncat or telnet.exe to connect to the port and check it out that way (user name validation, potential MTA brand/version based on available commands?). As a side note, this article would have been even better if the correct term "criminal" was used when meaning criminal intent. If you have a "Hacker" trying to break into your mail server, it's because you gave them permission. If you didn't give them permission, then the correct term is "criminal" regardless of whether they use a similar skill set to real Hackers. C'mon TR.. let's stop with the sensationalism and use proper terms when discussing these things.

JCitizen

Physical security is something that is thought of last by many organizations!

seanferd

:^0 Unauthorized "permission" is probably the last thing anyone wants to deal with. That could be extremely costly. Very, very good point, Michael!

Neon Samurai

Nice.. always a good idea when someone says "sure, pentest this machine which I claim to have authority over." For scanning specifically, it may depend on the jurisdiction. In the past my understanding was that scanning was not a legal issue until one made the login/exploit attempt. Still, as you point out, I wouldn't want to gamble on it being legal in the applicable jurisdiction without having the get-out-of-jail letter signed by the owner.

Michael Kassner

Using Wi-Fi Stumbler requires care in some states, if TCP is enabled on the scanning device.