Netcraft - Web Server Signatures help

voidmain:
I'm curious if anyone might have any information on how Netcraft figures out what OS and Web server is being run on their "what's that site running?" page. I'm sure they probably fingerprint the TCP/IP stack somehow to determine the OS and I believe from recent threads that I can spoof that part with iptables.

Now I "thought" that they determined the web server software by the "Server:" string from the "head". For instance if you do a:

$ lynx -head -dump http://www.redhat.com/

you will see this line:

Server: Apache

This string is somewhat controllable in the Apache configuration file. "Apache" is the minimal amount of info that you can give, but you can configure it to give more info like what modules you have loaded. Well, I hacked the Apache source code to put out a completely different string. Mine looks like this:

Server: Not IIS and certainly not Windows!

Well, it still shows up on Netcraft as "Apache on Linux", not what I was hoping. If anyone can lead me to information on things I can do to spoof Netcraft I would certainly appreciate it.

preacher:
Void main, sorry to tell you this, but you are not the first one to do this. Check out http://www.attrition.org/attrition/how-apache.html

voidmain:
I never said I was the first, and I did it on my own without these instructions. One thing I didn't do was change the OS string, but I didn't have to because there is an httpd.conf configuration option that allows you to remove that from the head anyway. The most you could do with an httpd.conf setting was whittle it down to only saying "Apache". That's why I hacked the source to change the "SERVER_BASEPRODUCT" string.

I am now compiling the new 2.4.20 kernel with the "ippersonality" patch so I can make it look like I am running AmigaOS (or anything else I want). The problem is, Netcraft obviously doesn't use the "Server:" item from the web server head to determine the web server software. They must use some other way to identify the server. We'll see how the ippersonality affects it whenever my slow ass web machine gets finished compiling...

voidmain:
I just spent the last few hours patching in ippersonality into iptables and the 2.4.20 kernel so I could do a little spoofing. Now nmap can no longer figure out what OS I am running but that blasted Netcraft knows. It appears their entire determination of what OS and web server you are running is from the web server response:

http://uptime.netcraft.com/up/accuracy.html#os

Now, if I could just figure what they look at and what methodology they use to interpret the response maybe I could figure out how to modify Apache to spoof it. I suppose I could do a network capture during a time when I check the OS on the netcraft site and see exactly what packets are received/sent, then look through the source. Someone else *has* to have already done this though. It would sure save me some work if I could figure it out. I want to be able to have my system appear on Netcraft as a Cray Supercomputer running some hack of a web server.

[ December 04, 2002: Message edited by: void main ]
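
Added example, not part of the thread: the posts above do not establish what Netcraft actually inspects, so this only assumes a classifier could look at parts of the response head other than the "Server:" value. Both responses are constructed samples (the header set, order and ETag are illustrative), and the helper names are hypothetical; the script shows which of those features stay identical when only the banner string is changed.

```python
# Added illustration: parts of an HTTP response head, other than the Server
# value, that stay the same when only the banner string is changed.
# Both responses are constructed samples, not captures from any real host.

STOCK = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 04 Dec 2002 18:00:00 GMT\r\n"
    "Server: Apache\r\n"
    "Last-Modified: Tue, 03 Dec 2002 10:00:00 GMT\r\n"
    'ETag: "1a2b3-4d2-3dec8a10"\r\n'
    "Accept-Ranges: bytes\r\n"
    "Content-Length: 1234\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html\r\n\r\n"
)
# Same response with only the banner swapped, as in the first post.
REBRANDED = STOCK.replace("Server: Apache",
                          "Server: Not IIS and certainly not Windows!")

def parse_head(raw):
    """Split a raw response head into (status_line, [(name, value), ...])."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")  # first colon only (Date has more)
        headers.append((name.strip(), value.strip()))
    return lines[0], headers

def banner(raw):
    """The value an operator controls by editing the Server string."""
    return dict(parse_head(raw)[1]).get("Server")

def shape(raw):
    """Banner-independent features: status line, header order, ETag layout."""
    status, headers = parse_head(raw)
    etag = dict(headers).get("ETag", "").strip('"')
    layout = tuple(len(part) for part in etag.split("-")) if etag else ()
    return {"status": status,
            "order": tuple(name for name, _ in headers),
            "etag_layout": layout}

def differing_features(a, b):
    """Names of shape features that differ between two response heads."""
    sa, sb = shape(a), shape(b)
    return sorted(key for key in sa if sa[key] != sb[key])

if __name__ == "__main__":
    print("banner before:", banner(STOCK))
    print("banner after: ", banner(REBRANDED))
    print("shape features changed:", differing_features(STOCK, REBRANDED))
```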

voidmain:
Cool! I just set it up so an "nmap" thinks my system is a "Sega Dreamcast". Of course that will only be known by scans done from my internal network because my firewall already takes care of that part.

Here's a port scan to my web machine in the DMZ:


--- Code: ---
--- End code ---

[ December 04, 2002: Message edited by: void main ]
