Daemon Spoofing
By Kevin Zhu (admin@root.com.cn)

Intruders usually get the information they want from scans of the target machine. One of the most popular methods is port scanning, which tells an intruder which services the target machine is running. Once intruders have the port list of the target machine, they will look for a way to obtain information about the daemon programs behind those ports. As soon as they find out the version of a daemon program, the attack begins with a search for vulnerabilities and exploits for that version. Now you can see how dangerous it is to leave the daemon program's version wide open to attackers. So can we modify or hide the information shown by daemon programs? The answer is yes. This paper introduces a few basic daemon-spoofing tips for some of the most popular daemon programs in use today.

FTP
^^^^

When a user logs on to an ftp server, it usually displays some kind of ftp version string. The following lines are an example from a WU-FTP daemon program:

    # ftp www.target.com
    Connected to www.target.com
    220 FTP server (Version wu-2.6.0(1) Tue Aug 28 18:12:37 CST 2001) ready.
    Name (ChinaOS:root):

To modify this, open the ftp daemon's configuration file with any text editor and add a line of the following form to it:

    greeting text <message>

where <message> is the text you want displayed when a user logs on to the server.

HTTP
^^^^^

When a user telnets to port 80 on an HTTP server, getting the server information is as simple as typing "HEAD / HTTP/1.0". The following lines are an example from an Apache daemon program:

    $ telnet www.target.com 80
    Trying 127.0.0.1...
    Connected to www.target.com.
    Escape character is '^]'.
    HEAD / HTTP/1.0

    HTTP/1.1 200 OK
    Date: Tue, 28 Aug 2001 18:20:54 GMT
    Server: Apache/1.3.12 (Unix) (Red Hat/Linux) mod_fastcgi/2.2.10 PHP/4.0.2
    Last-Modified: Mon, 26 Mar 2001 21:44:10 GMT
    ETag: "6406d-b7d-3abfb82a"
    Content-Length: 2941
    Keep-Alive: timeout=15, max=100
    Content-Type: text/html
    Connection: close

To modify this, go to the Apache daemon program's source directory, open /src/include/httpd.h, then search for these lines and modify them as you like:

    #define SERVER_BASEVERSION "Apache/1.3.0"   /* SEE COMMENTS ABOVE */
    #define SERVER_VERSION SERVER_BASEVERSION
    enum server_token_type {
        SrvTk_MIN,   /* eg: Apache/1.3.0 */
        SrvTk_OS,    /* eg: Apache/1.3.0 (UNIX) */
        SrvTk_FULL   /* eg: Apache/1.3.0 (UNIX) PHP/3.0 FooBar/1.2b */
    };

After modifying the file, recompile the Apache program.

TELNET
^^^^^^^^

By default, the telnet daemon displays system information when a user logs on to it, which is a very dangerous feature. For example:

    $ telnet www.target.com
    Red Hat Linux release 6.2(Zoot)
    Kernel 2.2.14-5.0 on an i686
    login:

To change it, edit the issue file in the /etc directory with a text editor. But the system will rewrite it every time you reboot, so if you want it to stay the way you set it, you must also edit the rc file. Example:

    # more /etc/issue
    Red Hat Linux release 6.1
    # cat >> /etc/rc.d/rc.local << EOF
    echo "" > /etc/issue
    echo "Sun OS 5.6 " > /etc/issue
    EOF
    # cp -f /etc/issue /etc/issue.net
    # telnet 127.0.0.1
    Sun OS 5.6
    login:

SMTP
^^^^^^

When a user telnets to port 25 on an SMTP server, it displays the version information of the SMTP daemon program. The following lines are an example from a Sendmail daemon program:

    # telnet www.target.com 25
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    220 www.target.com ESMTP Sendmail 8.7.5/8.7.3; Tuesday, August 28, 01 18:34

We can change this by modifying the /etc/sendmail.cf file. Open the file, search for the line

    SmtpGreetingMessage=$j sendmail $v/$Z; $b

and modify the "$v/$Z" part. For example:

    SmtpGreetingMessage=$j sendmail ?.?/?.?; $b

The next time a user telnets to port 25, it will display something like this:

    220 www.target.com ESMTP Sendmail ?.?/?.?; Tuesday, August 28, 01 18:34

Remove $v from /etc/mail/helpfile as well.

DNS
^^^^

    $ nslookup -q=txt -class=CHAOS version.bind. www.target.com
    Server:  www.target.com
    Address:  127.0.0.1

    VERSION.BIND    text = "8.2.2-P5"

BIND has always been a troublemaker, so letting other people know its version is a very dangerous thing. But that is fine, we can hide it by modifying the named.conf file. Open named.conf with a text editor and modify the options section:

    options {
        directory "/var/named";
        version "";
    };
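An added example, not part of the original article: an offline Python check that reports which version-looking strings each of the banners above exposes, and whether the daemon's real version appears in it, before and after the edits. The stock banners are copied from the transcripts above; the spoofed banners and the "installed" versions are constructed for the demo (the FTP greeting and the Apache/1.3.0 banner assume the edits shown).

```python
import re

# Version-looking tokens: "2.6.0", "1.3.12", "8.2.2-P5", "2.2.14-5.0".
VERSION_TOKEN = re.compile(r"\d+\.\d+(?:[.\-][0-9A-Za-z]+)*")
IPV4 = re.compile(r"^\d+\.\d+\.\d+\.\d+$")  # looks like a version, is not

# Banners as the daemons ship them (copied from the transcripts above).
STOCK_BANNERS = {
    "ftp": "220 FTP server (Version wu-2.6.0(1) Tue Aug 28 18:12:37 CST 2001) ready.",
    "http": "Server: Apache/1.3.12 (Unix) (Red Hat/Linux) mod_fastcgi/2.2.10 PHP/4.0.2",
    "telnet": "Red Hat Linux release 6.2(Zoot) Kernel 2.2.14-5.0 on an i686",
    "smtp": "220 www.target.com ESMTP Sendmail 8.7.5/8.7.3; Tuesday, August 28, 01 18:34",
    "dns": 'VERSION.BIND text = "8.2.2-P5"',
}
# Constructed banners after the edits above (greeting text, Apache/1.3.0,
# Sun OS 5.6 issue file, ?.?/?.? greeting, version "").
SPOOFED_BANNERS = {
    "ftp": "220 FTP server ready.",
    "http": "Server: Apache/1.3.0",
    "telnet": "Sun OS 5.6",
    "smtp": "220 www.target.com ESMTP Sendmail ?.?/?.?; Tuesday, August 28, 01 18:34",
    "dns": 'VERSION.BIND text = ""',
}
# Constructed "installed" versions, chosen to match the stock banners.
REAL_VERSIONS = {"ftp": "2.6.0", "http": "1.3.12", "telnet": "2.2.14-5.0",
                 "smtp": "8.7.5", "dns": "8.2.2-P5"}


def exposed_versions(banner):
    """Distinct version-looking tokens in a banner, IPv4 addresses dropped."""
    found = []
    for tok in VERSION_TOKEN.findall(banner):
        if not IPV4.match(tok) and tok not in found:
            found.append(tok)
    return found


def leaks_real_version(banner, real_version):
    """True if the installed version string itself appears in the banner."""
    return real_version in exposed_versions(banner)


def audit(banners, real_versions):
    """Per service: tokens exposed, and whether the real version leaks."""
    return {svc: {"exposed": exposed_versions(text),
                  "leaks": leaks_real_version(text, real_versions[svc])}
            for svc, text in banners.items()}


if __name__ == "__main__":
    for label, banners in (("stock", STOCK_BANNERS), ("spoofed", SPOOFED_BANNERS)):
        for svc, r in audit(banners, REAL_VERSIONS).items():
            print(f"{label:8}{svc:7}leaks={str(r['leaks']):6}exposed={r['exposed']}")
```

Note that the spoofed Apache banner still exposes a version token, only a false one: a scanner sees something to match against, while the real 1.3.12 no longer leaks.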