RE: NT/IIS decoy

From: Clement-Evans, Rhys (Rhys.Clement-Evansat_private)
Date: Tue Dec 11 2001 - 02:00:03 PST


    I believe that there are three (or more?) ways to do this. One is to write
    your own ISAPI filter - not having played with this I cannot comment on how
    effective it is. 
    
    Another method is by modifying the w3svc.dll file as you have already done. 
    
    You do need to ensure that only the 'text' characters are modified, and I
    suspect that you may have overrun the text section when editing it
    previously (this solution has worked for me on IIS4 systems, so I can say
    for certain that it will work). If you'd prefer not to hand-edit the file
    then you could try a third party w3svc.dll specific editor (for example
    http://www.nstalker.com/banners.php (IIS-Banner-Edit) - I haven't used this
    and the usual 'you use it at your own risk' disclaimer applies)
    
    IIS 5 is a different story - the Win2k file protection system will revert a
    modified w3svc.dll back to the original vanilla version. I would assume that
    you can modify the w3svc.dll in the DLL cache and that this will then be a
    permanent change. Not having a Win2k system to hand I am unable to provide
    verification on this (if you try it then please let me know how it goes).
    
    The third method is by installing the Microsoft IIS Lockdown utility and
    setting the URLScan RemoveServerHeader variable to 1, and the
    AlternateServerName to the text of your choice. This would be my preferred
    option as you don't need to worry about service pack/patch file overwrites
    of w3svc.dll. Further details of lockdown are available from
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/locktool.asp
    - or for a quick look at the URLScan options -
    http://www.iisfaq.com/Articles/384/
    
    Enjoy
    
    Rhys
    
    -----Original Message-----
    From: Lambottat_private [mailto:Lambottat_private]
    Sent: 07 December 2001 11:53
    To: pen-testat_private
    Subject: NT/IIS decoy
    
    Hello
    
    Does anyone know how to hide or mask the identity of an IIS 4.0 or 5.0 server
    such that if a "GET" command is issued following a telnet to the server on
    port 80, the server will display a different server type so as to hide its
    true identity?
    
    I searched the IIS installation drive using the following strings -
    Microsoft-IIS/4.0 and Microsoft-IIS/5.0
    The result was a file called w3svc.dll which is apparently the IIS World Wide
    Web Publishing Service. I manually stopped this service, backed up the file
    and then amended it to reflect my decoy server type; however, the next time I
    attempted to start the service it failed.
    I have heard of honey pot type programs that can also achieve my desired
    result, but have never actually played with one myself.
    
    Has anyone come across this, and does anyone know of any solution for what I
    am trying to achieve?
    
    Thanks
    
    Taiye Lambo, CISSP
    Principal Security Consultant
    CyberCops Europe (UK)
    
    
    Swiss Life (UK) plc
    
    Group Risk Provider of the Year 2001 - Professional Pensions Magazine
    Best Individual Income Protection Provider 2001 - Health Insurance Magazine
    Best Group Critical Illness Provider 2001 - Health Insurance Magazine
    Visit our Website at www.swisslife.co.uk
    
    Swiss Life (UK) plc (Reg No 2529609), Registered Address:- Swiss Life House, 24 - 26 South Park, Sevenoaks, Kent TN13 1BG England. Swiss Life (UK) Services Ltd (Reg No 844703) and Interact Health Management Ltd (Reg No 1009752) also have their registered office at the address above. All three companies are incorporated in England. Swiss Life (UK) plc for insurance and pension products and Swiss Life (UK) Services Ltd, marketing associate, are regulated by the Financial Services Authority and are members of the Swiss Life (UK) Marketing Group.
    
    Please note: This e-mail and any attachments are confidential. They may contain privileged information and are intended for the named addressee(s) only. They must not be distributed without our consent. If you are not the intended recipient, please notify the sender immediately and destroy this e-mail. Any unauthorised copying, disclosure or distribution of the material in this e-mail is strictly forbidden. Unless expressly stated, opinions in this e-mail are those of the individual sender, and not of Swiss Life (UK) plc. Swiss Life (UK) plc intercept and monitor incoming / outgoing e-mail and you should neither expect or intend any e-mail to be private in nature. Telephone calls may be monitored and recorded. Any attachments to this message have been checked for viruses, but please rely on your own virus checker and procedures as we do not accept responsibility for any loss or damage caused to your computer systems.
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
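An added example, not code from either poster: the raw "telnet to port 80 and GET" check that the question describes, turned into a small script that reports what the Server banner says and whether other IIS-specific headers still give the host away, plus an audit of the two urlscan.ini keys from the reply (RemoveServerHeader and AlternateServerName). The sample responses, the sample urlscan.ini text, the host name and the list of residual headers are constructed assumptions for illustration.

```python
"""Banner check and URLScan audit for the IIS decoy thread (added example).

Nothing here is from the original thread; sample data is constructed.
"""
import configparser
import socket
import sys
from typing import Dict, List, Tuple

# Headers commonly emitted by IIS 4/5 hosts that identify the platform even
# when the Server line is changed. This list is an assumption of this
# example (a heuristic), not an exhaustive fingerprint.
RESIDUAL_IIS_HEADERS = ("x-powered-by", "content-location", "microsoftofficewebserver")

# Constructed sample: a stock IIS 5.0 answer to "GET / HTTP/1.0".
SAMPLE_STOCK = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"Content-Location: http://10.0.0.5/Default.htm\r\n"
    b"Date: Tue, 11 Dec 2001 10:00:03 GMT\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n\r\n"
)

# Constructed sample: the same host after the banner was replaced. Note the
# Content-Location header is still there, so the host is still identifiable.
SAMPLE_MASKED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/1.3.22 (Unix)\r\n"
    b"Content-Location: http://10.0.0.5/Default.htm\r\n"
    b"Date: Tue, 11 Dec 2001 10:00:03 GMT\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n\r\n"
)

# Constructed sample urlscan.ini fragment (real key names, made-up values).
SAMPLE_INI = """\
[options]
UseAllowVerbs=1
RemoveServerHeader=0
AlternateServerName=Apache/1.3.22 (Unix)

[AllowVerbs]
GET
HEAD
POST
"""


def parse_response(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP response into (status line, headers).

    Header names are lower-cased; the first occurrence of a name wins.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = lines[0] if lines else ""
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        key = name.strip().lower()
        if sep and key not in headers:
            headers[key] = value.strip()
    return status, headers


def banner_report(raw: bytes) -> Dict[str, object]:
    """Report the advertised Server string and any residual IIS headers."""
    status, headers = parse_response(raw)
    server = headers.get("server", "")
    leaks: List[str] = [h for h in RESIDUAL_IIS_HEADERS if h in headers]
    return {
        "status": status,
        "server": server,
        "says_iis": "microsoft-iis" in server.lower(),
        "residual_headers": leaks,
    }


def audit_urlscan_ini(text: str) -> Dict[str, object]:
    """Check the [options] keys from the thread in urlscan.ini text.

    allow_no_value/strict=False: urlscan.ini has bare-word sections such as
    [AllowVerbs] and [DenyExtensions] that are not key=value pairs.
    """
    cfg = configparser.ConfigParser(
        allow_no_value=True, strict=False, interpolation=None,
        inline_comment_prefixes=(";",),
    )
    cfg.read_string(text)
    remove = cfg.get("options", "RemoveServerHeader", fallback="0").strip()
    alt = cfg.get("options", "AlternateServerName", fallback="").strip()
    return {
        "remove_server_header": remove == "1",
        "alternate_server_name": alt,
        "banner_masked": remove == "1" or bool(alt),
    }


def probe(host: str, port: int = 80, timeout: float = 5.0) -> bytes:
    """Do what 'telnet host 80' followed by 'GET / HTTP/1.0' does."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii"))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    # Usage: python banner_check.py [host]; with no host, use the samples.
    if len(sys.argv) > 1:
        print(banner_report(probe(sys.argv[1])))
    else:
        print("stock :", banner_report(SAMPLE_STOCK))
        print("masked:", banner_report(SAMPLE_MASKED))
        print("ini   :", audit_urlscan_ini(SAMPLE_INI))
```

The audit treats either key as masking the banner because the urlscan.ini shipped with URLScan documents AlternateServerName as replacing the Server header only when RemoveServerHeader is 0; with RemoveServerHeader=1 the header is removed outright and the alternate name is not sent. The residual-header check is the caveat the thread does not cover: editing w3svc.dll or setting URLScan changes the Server line only, and headers such as Content-Location or X-Powered-By (and error page bodies, which this script does not inspect) still identify IIS.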
    



    This archive was generated by hypermail 2b30 : Tue Dec 11 2001 - 11:04:00 PST