It is a well-known fact that hackers, in the initial stages of an attack, spend a great deal of time and effort on research and information gathering. This ranges from the most basic information on their target, for example the name of the local IT guy (social engineering potential), to what type of exploit is most likely to succeed against your servers or websites.
For the purpose of this article, we are going to assume that your attacker is going to attempt to infiltrate your server rather than socially engineer access or perform a denial of service attack against it.
Much of your company's IT infrastructure information will be gathered from the most heavily exposed places, such as the Contact Us and Staff sections of your website or the Whois records, but when it comes to the server itself, system scanning is what's involved. Network tools such as Nmap and Ncat (which we will see later) can provide a great deal of information on which OS your system is running and which services are listening on it. Scanning is not illegal in most cases; however, it's worth noting that in some countries it is illegal even to possess scanning tools, so ensure you know the legal boundaries before embarking on a system scan.
An attacker who knows your OS has narrowed down the attacks that could succeed, and knowing which services are running narrows them further. Each extra piece of information that's given out simply makes the task a little easier. Consider the difference between an ATM card thief knowing only the first digit of your PIN and knowing the first three digits! With one, it will take a lot of time and guesswork, and the thief will likely give up or the card will be retained by the machine, but with three numbers the potential for getting access is very high. The three numbers we're talking about here, in the context of your server, would be your OS, service name, and service version.
So, if you suspect that giving out service information might be creating a hole in your security, let's look at how you can assess whether your server is giving out hazardous information, and then move on to the possible ways of removing it.
Let's take a look at a service banner with Ncat:
As you can see, simply running Ncat with the IP address and port specified can give you the service and the exact version that is running. If an attacker checks vulnerability databases, or simply googles this version, they will find a lot of information; they may even find an exact exploit and/or payload for Metasploit (a vulnerability exploitation framework). This would enable them to run a pre-coded exploit against your server and potentially "get shell". What happens from there is not something you want to experience. Needless to say, hackers differ in their talents, and the absence of a Metasploit exploit for your particular service or service version means nothing; if there is a vulnerability, it will be found. So, to put it plainly, we need to stop unnecessary information from being visible to potential attackers wherever possible.
Mitigating the threat
So, let's take a look at one of the most frequently used and exploited services, the Simple Mail Transfer Protocol (SMTP).
We will use Ncat again here; it is the Nmap project's modern take on the classic Netcat, which has been described as the TCP/IP "Swiss army knife" due to its versatility. Ncat has the added benefit of running on Linux, Windows, and Mac OS, but needless to say there are a few other well-known tools of the same type that will do the job, although some may only be available for certain environments.
So, let's use the basics of Ncat to scan the SMTP port on a test server and see what is returned. This can be run from the server itself, using the localhost IP, or from another internal or external host. As I mentioned before, be aware that as the location of the attack/scanning machine changes, so too do the legal aspects involved; read up on this before performing a scan. You may also need to alter your scan technique depending on where you are in relation to the target machine's network and what protects it (i.e., firewalls). Familiarise yourself with Ncat and its commands and switches.
The command syntax is: nc (or ncat) <ip address of target> <port of target>
So, running this command against the test server's IP and port 25 for SMTP, we can see that this machine has SMTP Mail Service version 5.0.2172.1. If nothing is returned, try again with the -vv switch (very verbose), e.g. nc -vv x.x.x.x 25.
As explained already, this information makes it that much easier and quicker for an attacker to assess and eventually penetrate your system, so let's look at one method of removing this banner.
Note: Below, I will use MetaEdit as one example of a method for removing certain service banners from your Windows servers; although it will work in Windows Server 2008, it is designed for earlier versions (2000/2003). It is beyond the scope of this article to go through the numerous services and methods available; however, once you have run your first scan and seen which ports are leaking information, you can spend some time researching each leak and the ways to patch or remove your banner information.
To remove the SMTP banner, download MetaEdit (available from Microsoft) and install it in your Administrative Tools folder. Once installed, open MetaEdit and expand its LM folder. Then expand SMTP, expand 1, and click on 1. Here we want to enter a new string value for our banner, so in the top right-hand box enter the value 36907, and in the bottom data area enter the new banner you want for SMTP; in this instance, I will enter "This is a new banner for port 25". Once this is done, click OK and exit MetaEdit. Now restart the SMTP service, go back and scan port 25 again with Ncat, and see what we receive this time.
As you can see, our banner no longer gives away version information about our SMTP service, making it that little bit harder for an attacker to pinpoint a vulnerability to gain access with.
IIS can easily be safeguarded in this respect with the IIS Lockdown Tool, also freely available; however, it is worth noting that this is only required for versions below 6.0, as IIS now incorporates the lockdown functions itself.
There are many services that can be running on your system, and you may not be able to keep information hidden for them all, but it's an important area to look into. Merely assessing your system banners may give you a greater idea of what type of attacks you could be subject to, and also arm you with a little more knowledge for protecting yourself and your systems.
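To turn the manual Ncat check (before and after the MetaEdit change) into a repeatable assessment, here is an added Python example that is not part of the article: it reads a service's greeting the way nc host port does and flags product names and version strings in it. The two sample banners are constructed, and the product-name list is an assumed starting point to extend for your own environment.

```python
import re
import socket

# Constructed sample banners (not captured from any real host): a version-leaking
# Microsoft SMTP greeting like the one scanned above, and the MetaEdit replacement.
SAMPLE_BANNERS = {
    "leaky": "220 mail.example.test Microsoft ESMTP MAIL Service, Version: 5.0.2172.1 "
             "ready at Mon, 1 Jan 2024 10:00:00 +0000\r\n",
    "cleaned": "220 This is a new banner for port 25\r\n",
}

# Dotted numeric tokens such as 5.0.2172.1 (IPv4 addresses are filtered out below).
VERSION_RE = re.compile(r"\b\d+(?:\.\d+){1,3}\b")
# Assumed starting list of product names that alone narrow an attacker's search.
PRODUCT_RE = re.compile(
    r"\b(Microsoft|Exchange|Sendmail|Postfix|Exim|IIS|OpenSSH|Apache|nginx)\b", re.I)

def grab_banner(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect the way `nc host port` does and return whatever the service sends first."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        try:
            return sock.recv(1024).decode("utf-8", errors="replace")
        except socket.timeout:
            return ""  # silent service: nothing volunteered on connect

def _is_ipv4(token: str) -> bool:
    parts = token.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)

def assess_banner(banner: str) -> dict:
    """Report what a banner gives away: product names and version numbers."""
    versions = [v for v in VERSION_RE.findall(banner) if not _is_ipv4(v)]
    products = PRODUCT_RE.findall(banner)
    return {
        "banner": banner.strip(),
        "products": products,
        "versions": versions,
        "leaks": bool(versions or products),
    }

if __name__ == "__main__":
    import sys
    # Usage: python banner_check.py <host> <port> [<host> <port> ...]
    args = sys.argv[1:]
    for host, port in zip(args[::2], args[1::2]):
        result = assess_banner(grab_banner(host, int(port)))
        print(f"{host}:{port} leaks={result['leaks']} {result['banner']!r}")
```

Run it once before and once after changing a banner; a service whose greeting still reports leaks=True is one to research next.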
Christopher Patterson currently works as a System Admin, Business Analyst, and Solutions Consultant for a large IT company. Christopher is a qualified security tester and is currently undertaking his Masters in IT Security and Digital forensics. Christopher is very passionate about the need for more education in the field of IT Security.