Saturday, October 4, 2008

Hide Apache Version

From this URL:

HTTP Server Identity Hiding Guide

The following is a list of hiding tips (grouped by vendor). Each section
below is organized as follows:

- Configuration changes (easy to make)
- Source code changes (harder to make)
  - lexical
  - syntactic
  - semantic

In this document I will focus on changes made to the server itself either
through configuration options or source code changes. Alternatively, one
could in theory normalize the traffic going into and coming out of a
server with some sort of intermediary proxy.

Sections:

Apache
IIS

######################################################################
Apache
######################################################################

CONFIGURATION CHANGES

Apache has a number of server directives that can help hide a server's
identity.

LimitRequestBody
LimitRequestFields
LimitRequestFieldSize
LimitRequestLine

These directives each give the system administrator the ability to set
an upper limit on the size of a request element. Several HMAP tests
send requests of growing size and record at what size each error is
elicited. By changing these limits to values different from the
defaults (which does not appear to be commonly done) the errors will
occur at different sizes. Since a changed limit only moves the
threshold and not the status code Apache returns once it is crossed,
the sequence of errors probably stays the same; only the sizes at
which they appear will differ.

ServerTokens

This server directive lets you truncate (but not completely remove)
the identity and characteristics reported in the Server header.

ServerTokens Prod[uctOnly]
    Server sends (e.g.): Server: Apache
ServerTokens Min[imal]
    Server sends (e.g.): Server: Apache/1.3.0
ServerTokens OS
    Server sends (e.g.): Server: Apache/1.3.0 (Unix)
ServerTokens Full (or not specified)
    Server sends (e.g.): Server: Apache/1.3.0 (Unix) PHP/3.0

Prod is the shortest banner a stock build will emit; Apache 2.x also
accepts Major and Minor (e.g. Server: Apache/2 and Server: Apache/2.2).
Dropping the header entirely or changing the product name takes a
source change (see "Remove or Change Server Name" below) or a module
that rewrites it, such as mod_security's SecServerSignature.

Header

The "Header" directive (mod_headers) provides the ability to add,
remove and append to header entries in a response. Unfortunately it
does not apply to the Server header, which the core writes directly
rather than through the header table mod_headers edits (see
ServerTokens above). Experiments with adding and removing headers have
been attempted. Unless the header is one you created yourself, the
results can be erratic (appending instead of replacing, replacing in
addition to appending, and so on), but the method is worth
investigating. Adding headers will at least add some subterfuge.
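As an added illustration, not part of the original guide, here is an httpd.conf fragment that puts the directives above to use. The limit values are arbitrary examples: pick them above the largest request your own application legitimately sends, or real clients start getting errors. ServerSignature and the X-Powered-By header are not covered in the guide; ServerSignature Off drops the version line Apache appends to its own error pages, and X-Powered-By is the header PHP adds (turn it off at the source with expose_php = Off in php.ini). Apache does not allow a comment on the same line as a directive, hence the separate comment lines.

```apache
# Added example httpd.conf fragment (not from the original guide).
# Apache 1.3 and 2.x syntax; comments must sit on their own lines.

# Shortest Server header a stock build will emit: "Server: Apache".
ServerTokens Prod
# Keep the version/host line off Apache-generated error pages.
ServerSignature Off

# Move the request-size limits away from the defaults a probe expects.
# Defaults: LimitRequestLine 8190, LimitRequestFieldSize 8190,
# LimitRequestFields 100, LimitRequestBody 0 (unlimited). The values
# here are illustrative; size them for your own application.
LimitRequestLine 4096
LimitRequestFieldSize 4096
LimitRequestFields 50
LimitRequestBody 1048576

# mod_headers can strip headers other modules add (PHP's X-Powered-By
# here) but, as noted above, has no effect on the core's Server header.
<IfModule mod_headers.c>
    Header unset X-Powered-By
</IfModule>
```

Check the result from outside with a HEAD request (curl -sI or an HMAP run) rather than trusting the config: the Server header is only as short as the least cooperative module lets it be.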

----------------------------------------------------------------------

SOURCE CODE MODIFICATIONS
(note: this information was derived from Apache/1.3.12 but should be
"mostly" true for other versions as well)

LEXICAL

Response Code Message Text

The file http_protocol.c contains an array of strings called
status_lines[RESPONSE_CODES] that holds the human-readable reason
phrase for each status code. Each phrase can be replaced with a
synonymous one without changing the meaning of the response, as long
as the three-digit code in front of it is left alone: clients act on
the code, not on the text.

Capitalization of Header Fields

The header field names must keep the same wording so that the client
can interpret them, but header names are case-insensitive in HTTP and
clients accept variations in capitalization. This technique requires
some hunting around the code, since the headers tend to be hard-coded
in many different places throughout. One good concentration of them
is in http_protocol.c in the function ap_send_http_header(request_rec
*r). Here one could change "Content-Type" to "Content-type", for
instance.

Remove or Change Server Name

A simple technique that will frustrate the naive attacker is to
remove or alter the server's name. There are several locations where
this could be accomplished. The simplest is to edit the
SERVER_BASEVERSION macro in httpd.h and change it to the desired
value (or simply leave it blank). (In Apache 2.x the equivalent
definitions live in include/ap_release.h.)

Other places you can play with the Server header:

http_protocol.c - where "Server:" gets added to the header:
    ap_send_header_field(r, "Server", ap_get_server_version());
http_protocol.c - static int read_request_line(request_rec *r)
http_main.c - ap_get_server_version -> static void ap_set_version(void)

Date Format

HTTP/1.1 accepts several different date formats on input (RFC 1123,
RFC 850 and asctime). The format of the date returned in the header
could be modified to another of these legal formats. A convenient
place to make this change would be in the function
ap_gm_timestr_822(pool *p, time_t sec). Some clients and caches may be
confused by alternate formats, since the common format (i.e. Date:
Fri, 23 Feb 2001 22:06:03 GMT) is the only one HTTP/1.1 allows a
server to generate; the others are accepted for backward compatibility
only.

SYNTACTIC

Allow Header Options Order

In response to an OPTIONS method a server typically responds with
a message that includes an "Allow" header listing the methods that
can be used against the designated URI. In the function
make_allow(request_rec *r) in http_protocol.c, the order in which
these methods are listed can be rearranged.

Header Order

Here are some of the locations where the order of headers could be
rearranged:

http_protocol.c:
    ap_basic_http_header(request_rec *r),
    ap_send_http_header(request_rec *r),
    ap_send_error_response(request_rec *r, int recursive_error),
    ap_send_http_options(request_rec *r), etc.

alloc.c:
    ap_table_setn(table *t, const char *key, const char *val)

ETags

Since the main function of the ETag is to provide a unique identifier
for a document, one could easily change the format and still provide
distinct values. These changes should be made in:

ap_make_etag(request_rec *r, int force_weak)

The default ETag is built from the file's inode, size and mtime, so
its shape is itself a fingerprint (and leaks inode numbers). Apache
1.3.23 and later, and all 2.x releases, let you drop components with
the FileETag directive (e.g. FileETag MTime Size) without touching the
source.

SEMANTIC

Location: http_protocol.c, static int read_request_line(request_rec *r)

Changing the semantics of Apache would require a significant amount
of work. We can briefly discuss the sort of translation function that
would be needed to do this. A straightforward way to achieve it would
be to create a "regularizing" function that pre-processes the request
and alters the content of any unusual request so that it matches a
more generic format. For instance, long URIs could be truncated to
some acceptable length before normal processing. Another example would
be to check whether the request line contains an unknown method or a
bad version number; a default "bad request" could be substituted for
it before processing. In both of these scenarios a valid fingerprint
could not be generated, since the core Apache engine never directly
interacts with the probing requests.

Time permitting I will put together an example of this at some
point.
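As an added example, not from the guide and not Apache code, the following sketches the regularizing function described above in C, the language read_request_line is written in. The set of accepted methods, the 1024-byte URI cap, the substitute "BAD / HTTP/1.0" line and the helper names are all illustrative assumptions, and the probe lines in main are constructed; in a real build the call would sit at the top of read_request_line() before the line is parsed.

```c
/* Added example (not Apache code, and not the guide author's promised one): a
 * request-line "regularizer" of the kind the SEMANTIC section sketches.  The
 * method list, MAX_URI_LEN and the substitute line are illustrative choices. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_URI_LEN 1024                        /* assumed acceptable URI length     */
#define SUBSTITUTE_BAD_REQUEST "BAD / HTTP/1.0"  /* every malformed probe becomes this */

typedef enum { REQ_OK, REQ_TRUNCATED, REQ_BAD } req_verdict;

/* Methods Apache 1.3 implements, matched case-sensitively on purpose: a
 * lower-case "get" is a classic probe and must never reach the core. */
static const char *const known_methods[] = {
    "GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", NULL
};

static int method_known(const char *m, size_t len)
{
    for (int i = 0; known_methods[i] != NULL; i++)
        if (strlen(known_methods[i]) == len && memcmp(known_methods[i], m, len) == 0)
            return 1;
    return 0;
}

/* Rewrite `line` (CRLF already stripped) into `out`.  Well-formed requests
 * pass unchanged, an overlong URI is cut to MAX_URI_LEN, and anything else
 * becomes SUBSTITUTE_BAD_REQUEST: whatever the probe looked like, the core
 * only ever sees one of two "unusual" shapes. */
req_verdict regularize_request_line(const char *line, char *out, size_t outsz)
{
    const char *sp1 = strchr(line, ' '), *uri, *sp2, *version;
    size_t mlen, ulen;
    req_verdict verdict = REQ_OK;
    /* Exactly "METHOD SP URI SP VERSION": tabs, double spaces, a missing
     * token or trailing junk are the variations fingerprinters play with. */
    if (sp1 == NULL || sp1 == line)
        goto bad;
    mlen = (size_t)(sp1 - line); uri = sp1 + 1;
    sp2 = strchr(uri, ' ');
    if (sp2 == NULL || sp2 == uri)
        goto bad;
    ulen = (size_t)(sp2 - uri); version = sp2 + 1;
    /* Only versions the server really speaks; HTTP/0.9 simple requests (no
     * version token) are deliberately folded into the "bad" bucket too. */
    if (!method_known(line, mlen) ||
        (strcmp(version, "HTTP/1.0") != 0 && strcmp(version, "HTTP/1.1") != 0))
        goto bad;
    if (uri[0] != '/' && uri[0] != '*')         /* abs-path or "*" only */
        goto bad;
    for (size_t i = 0; i < ulen; i++)           /* no control chars in the URI */
        if ((unsigned char)uri[i] <= 0x20 || uri[i] == 0x7f)
            goto bad;
    if (ulen > MAX_URI_LEN) {                   /* truncate, don't reject: no 414 signal */
        ulen = MAX_URI_LEN;
        verdict = REQ_TRUNCATED;
    }
    if (snprintf(out, outsz, "%.*s %.*s %s", (int)mlen, line, (int)ulen, uri, version)
            >= (int)outsz)
        goto bad;                               /* caller's buffer too small */
    return verdict;
bad:
    snprintf(out, outsz, "%s", SUBSTITUTE_BAD_REQUEST);
    return REQ_BAD;
}

/* Self-check: 1 if `in` regularizes to `want` with verdict `v`. */
int regularizes_to(const char *in, const char *want, req_verdict v)
{
    char out[4096];
    return regularize_request_line(in, out, sizeof out) == v && strcmp(out, want) == 0;
}

/* Self-check: GET a URI of "/" plus n zeros; returns the URI length that
 * comes out the other side (0 if the whole line was replaced). */
size_t uri_len_after(size_t n)
{
    char *line = malloc(n + 32), *out = malloc(n + 32), *s1;
    size_t len = 0;
    sprintf(line, "GET /%0*d HTTP/1.1", (int)n, 0);
    if (regularize_request_line(line, out, n + 32) != REQ_BAD) {
        s1 = strchr(out, ' ') + 1;
        len = (size_t)(strchr(s1, ' ') - s1);
    }
    free(line); free(out);
    return len;
}

int main(void)
{
    const char *probes[] = { "GET /index.html HTTP/1.1", "OPTIONS * HTTP/1.1", "get / HTTP/1.1",
        "GET / HTTP/3.14", "GET /\tHTTP/1.0", "GET / HTTP/1.1 x", NULL };   /* constructed */
    char out[256];
    for (int i = 0; probes[i] != NULL; i++)
        printf("%-26s -> %d %s\n", probes[i], (int)regularize_request_line(probes[i], out, sizeof out), out);
    printf("1500-char URI comes out %zu chars long\n", uri_len_after(1500));
    return 0;
}
```

The point of substituting one fixed line, rather than answering each malformed probe with whatever status Apache's own parser would pick, is that every odd request now yields the identical response from the core, so the response no longer reveals how that parser handles edge cases. Truncating an overlong URI instead of returning 414 removes the length-threshold signal the LimitRequest* directives otherwise expose.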


######################################################################
IIS (Microsoft)
######################################################################

Not much info yet.

I haven't tried it yet, but you might want to check the following non-free
tool.

http://dfasdf.sadf.asdf