The Cavitand Site
Free Resources for a Free Internet

Protecting Apache from attackers


The first step any serious attacker will perform against a target is to footprint it.

Footprinting basically consists of obtaining as much information about the target as possible. Later, attackers will use that information to exploit specific bugs or misconfigurations in the system. There are several measures to cope with this risk: one is to cut off all responses, not providing any information. While this is a very useful technique (and we will see in later tutorials how to hide some details from outsiders), it's possibly more useful to provide incorrect information, for a simple reason: 90% of your attackers will use it as correct.

Here we will concentrate on basic modifications to the Apache server. For our example, we use a Unix version. These steps have to be done before you run any command to prepare your server for installation. Take 2 minutes to configure your Apache server and you will be rewarded.

1. Modify the Apache version.

Uncompress the sources and go to the src/include directory. Edit the "httpd.h" file. Look for the following lines:

#define SERVER_BASEREVISION "1.3.23"
#define APACHE_RELEASE 10323100

Just replace the number with that of an earlier version:

#define SERVER_BASEREVISION "1.2.1"

and the right release (just for added safety):

#define APACHE_RELEASE 10201100

2. Modify the operating system (optional)

If you want, you can also fake the fingerprint for the OS Apache is running on. The file to change is: src/os/your_os/os.h (in this case, src/os/unix/os.h).

Look for the line:

#define PLATFORM "Unix"

and change it to read:

#define PLATFORM "Win32"

Take note of the current time on your machine, then set the clock to a couple of months after the fake Apache version was released (say October 1999). Issue a date, touch all the files in the Apache directory tree, run configure, make and make build, and then reissue date with the correct time:

# date
Sun Feb 17 18:09:18 CET 2002

# date 9910232043
Sat Oct 23 20:43:00 CEST 1999

# pwd
/root/apache_1.3.23

# find . -exec touch {} ";"

# ./configure --prefix=/www
# make
# make install
# date 0202171810
Sun Feb 17 18:09:18 CET 2002

Now, we have successfully installed a faked Apache. Let's see it in action:

# /www/bin/httpd -v
Server version: Apache/1.2.1 (Win32)
Server built: Oct 23 1999 22:36:05

# lynx localhost/noexists
Not Found
The requested URL /noexists was not found on this server

Apache/1.2.1 Server at 127.0.0.1 Port 80

Looks good! :)

A couple of things are left to change: the manual pages and the Apache manual. Download the original source code for the version you are faking and copy its documentation into the proper directories. This way you won't serve newer docs if someone requests those pages. You can also remove them altogether.

With these simple steps, most attackers will be misled in their quest for vulnerabilities in your webserver. They will try other exploits that work against a different version of Apache, and on different operating systems. These attempts will be very noisy and your error_log will catch many people trying to exec command.com... ;)

Don't forget preventive steps: instruct your IDS to detect specific attacks for the faked version of Apache, check your logs for those attacks...
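The log check suggested above, as an added example (not part of the original tutorial): on a Unix host advertising Win32, any request for a Windows-only file cannot be legitimate, so counting such requests per client gives a high-signal list. It assumes access_log is in Common Log Format; the sample lines are constructed, and the markers other than command.com are assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Markers that only make sense against a Windows host. "command.com" comes from
# the tutorial; "cmd.exe" and "/winnt/" are assumptions added for this example.
WIN32_MARKERS = re.compile(r"command\.com|cmd\.exe|/winnt/", re.IGNORECASE)

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) \S+$')

# Constructed sample access_log lines (documentation-range addresses).
SAMPLE_LOG = """\
192.0.2.10 - - [17/Feb/2002:18:20:01 +0100] "GET /index.html HTTP/1.0" 200 1042
198.51.100.7 - - [17/Feb/2002:18:21:13 +0100] "GET /scripts/command.com HTTP/1.0" 404 278
198.51.100.7 - - [17/Feb/2002:18:21:14 +0100] "GET /scripts/cmd%2Eexe HTTP/1.0" 404 275
203.0.113.5 - - [17/Feb/2002:18:25:40 +0100] "GET /WINNT/win.ini HTTP/1.0" 404 270
192.0.2.10 - - [17/Feb/2002:18:26:02 +0100] "GET /noexists HTTP/1.0" 404 268
truncated line without a request field
"""


def decode(request):
    """Percent-decode twice so single and double encoding both match."""
    once = unquote(request)
    return unquote(once).replace("\\", "/")


def win32_probes(log_text):
    """Return (hits per client, malformed line count) for Win32-only requests."""
    hits, malformed = Counter(), 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = CLF.match(line)
        if m is None:
            malformed += 1  # unparseable lines deserve a manual look
            continue
        host, request, _status = m.groups()
        if WIN32_MARKERS.search(decode(request)):
            hits[host] += 1
    return hits, malformed


if __name__ == "__main__":
    hits, malformed = win32_probes(SAMPLE_LOG)
    for host, count in hits.most_common():
        print(f"{host}\t{count} Win32-only request(s)")
    print(f"malformed lines: {malformed}")
```

An ordinary 404 such as /noexists is not counted; only requests that presuppose a Windows filesystem are.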

Before finishing this tutorial, a minimal warning about the use of a different (faked) operating system. In our example, we have a Unix box and we simulate Windows under Apache (Win32). This is probably always an error, since most attackers (even beginners) can tell the difference between a Unix and a Windows box. Faking a whole machine is much more challenging than necessary. Also, Apache is typically used on Unix boxes. Don't follow step two unless you know what else to change to minimally simulate a different OS. Later tutorials will cover some of these stages.

A final reminder: this will not stop all attempts, and will not mislead all people, but it will prevent a good part of them.


cavitand.com © 2002