
mohsenMJ-8783 asked mohsenMJ-8783 edited

Remove IIS server version worked for HTTP, but not HTTPS!

Hello,
I used the HTTP Response headers and changed IIS to the Apache, but Nmap tool could detect IIS on port 443. How can I change it on port 443 too?

Thank you.

Tags: windows-server-security, windows-server-iis-configuration, windows-server-iis-security

Each web server has tons of unique behaviors, so it can be detected even if you change the Server response header. You cannot fool a patient hacker (Nmap is just one of the tools for hackers).


I used the HTTP Response headers and changed IIS to the Apache


What does that mean? Did you configure an IIS web site to return a header to make it look like you are running Apache instead of IIS? Or did you update the bindings in IIS to stop it from listening on port 80, and launched Apache with a site on port 80?

What specifically did you change?

If you updated the response headers, you have to do that for each web site in IIS.


Hello,
Thank you so much for your reply.
I configured an IIS web site to return a header to make it look like I'm running Apache instead of IIS:

135307-response-headers.png
Can you share some of your experiences about fooling the hackers? Can I install an Apache web server and use IIS to redirect all HTTP requests to the Apache web server?

Thank you.

MotoX80 answered MotoX80 published

Can you share some of your experiences about the hackers?

Be happy to. Caveat: I have been retired the past 4 years so I've been out of touch a bit and I don't know what the current threat landscape is. Memory might be a little fuzzy too.

This is somewhat of an opinion, but I wouldn't mess around with Apache or trying to hide that you're running IIS. The hackers don't care if your site reports that it's IIS or Apache or CICS/COBOL. They're going to throw every known exploit at you.

The biggest problem that we had was SQL injections. Some of our sites were ASP based and were particularly vulnerable. I implemented UrlScan to block certain requests. Later IIS versions have request filtering instead of UrlScan.

https://blogs.iis.net/peterviola/blocking-sql-injection-with-iis-request-filtering

I wrote a VB script (circa 2002) to analyze the query strings in the IIS logs. What I noticed was that hacking requests usually contained 3 or more encoded spaces, "%20". They also had parens and brackets, "(" and "[". The script flagged these requests for me to analyze because sometimes they were legitimate requests. I also looked for ".exe" and ".dll" in the request.

I also see that at one point in time I was looking at these sequences. These came from UrlScan.

https://forums.iis.net/t/1165537.aspx

 '    ..  ; Don't allow directory traversals
 '    ./  ; Don't allow trailing dot on a directory name
 '    \   ; Don't allow backslashes in URL
 '    :   ; Don't allow alternate stream access
 '    %   ; Don't allow escaping after normalization
 '    &   ; Don't allow multiple CGI processes to run on a single request

I dug into my archives and here are the strings that I parsed out of my logs for UrlScan. Some might be redundant and as I mentioned earlier, memory might be a bit fuzzy here. You would need to do your own analysis on your logs to see what the current injection strings are.

 %20and%20char(124)%2buser%2bchar(124)
 %20as%20varchar(
 %20as%20nvarchar
 (select%20top%20
 %20and%20db_name()
 %20and%20%28db_name%28
 %20from%20sysobjects%20where%20
 %20varbinary(
 %20cast(is_srvrolemember
 %20table_name%20from%20information_schema.tables
 (select%20top%201%20convert
 select%20*%20from%20sysobjects)
 cast(0x4400450043004c004100520045
 cast(0x4445434c415245204054207661
 %20and%20user%3e0%20and%20
 )%2buser%2bchar(
 %20from%20tbluser
 %20cursor%20for%20select%20
 %20from%20information_schema.columns%20
 %20and%20user%2bchar(
 )%2bdb_name()%2bchar(
 %20and%20(select%20len
 %20and%20len(db_name(
 %20and%20unicode(substring
 %20is_srvrolemember('sysadmin'
 %20and%20'1'='1
 %20and%20exists%20(select%20*%20from%20
 select%20top%209%20userid%20from%20
 =convert(int,(select%20top%20
 %20and%20exists%20(select%20"

One final item was to look at any IPs that had high activity. We would block the IPs where the activity looked suspicious. As we moved sites to Akamai and behind content switches that kinda diminished in value. And the hackers would just move to different networks too. Still, it's something that you want to keep an eye on. The LogParser tool is great for that kind of analysis.

Wish I could help you more with request filtering but I left UrlScan in place and then with changes in my "work situation" I no longer cared if those folks got hacked or not.
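As an added example (this is not MotoX80's VB script and not part of the original post), the Python below runs the log-analysis heuristics described in the answer over a few constructed IIS W3C log lines: the UrlScan deny sequences against the URL path, the "3 or more %20", paren/bracket and .exe/.dll checks against the request, the listed injection strings against the query, and a per-IP tally of flagged requests. It goes slightly beyond the post by percent-decoding and lower-casing both the signature and the query before comparing, so a variant sent with `+` for spaces or in mixed case still matches. The sample log lines, the function names and the `min_hits` threshold are my own assumptions.

```python
"""Flag suspicious requests in IIS W3C logs using the heuristics from the post."""
import re
from collections import Counter
from urllib.parse import unquote, unquote_plus

# Constructed sample (not real traffic). IIS writes a '#Fields:' line naming the
# columns and '-' for empty values, which is what the parser relies on.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2024-01-15 10:00:01 10.0.0.5 GET /products.asp id=42 443 203.0.113.10 Mozilla/5.0 200
2024-01-15 10:00:02 10.0.0.5 GET /products.asp id=42%20and%20'1'='1 443 203.0.113.99 curl/8.0 200
2024-01-15 10:00:03 10.0.0.5 GET /products.asp id=42;select%20*%20from%20sysobjects) 443 203.0.113.99 curl/8.0 500
2024-01-15 10:00:04 10.0.0.5 GET /search.asp q=red%20shoes%20size%2010 443 203.0.113.11 Mozilla/5.0 200
2024-01-15 10:00:05 10.0.0.5 GET /scripts/..%5c..%5cbin/cmd.exe - 443 203.0.113.99 curl/8.0 404
2024-01-15 10:00:06 10.0.0.5 GET /about.htm - 443 203.0.113.12 Mozilla/5.0 200
"""

# Deny sequences quoted in the post (from UrlScan); they apply to the URL path.
URL_DENY_SEQUENCES = {
    "..": "directory traversal",
    "./": "trailing dot on a directory name",
    "\\": "backslash in URL",
    ":": "alternate stream access",
    "%": "escaping after normalization",
    "&": "multiple CGI processes",
}

# Query-string signatures listed in the post, kept in their original encoded form.
SQLI_SIGNATURES = [
    "%20and%20char(124)%2buser%2bchar(124)", "%20as%20varchar(", "%20as%20nvarchar",
    "(select%20top%20", "%20and%20db_name()", "%20and%20%28db_name%28",
    "%20from%20sysobjects%20where%20", "%20varbinary(", "%20cast(is_srvrolemember",
    "%20table_name%20from%20information_schema.tables", "(select%20top%201%20convert",
    "select%20*%20from%20sysobjects)", "cast(0x4400450043004c004100520045",
    "cast(0x4445434c415245204054207661", "%20and%20user%3e0%20and%20", ")%2buser%2bchar(",
    "%20from%20tbluser", "%20cursor%20for%20select%20", "%20from%20information_schema.columns%20",
    "%20and%20user%2bchar(", ")%2bdb_name()%2bchar(", "%20and%20(select%20len",
    "%20and%20len(db_name(", "%20and%20unicode(substring", "%20is_srvrolemember('sysadmin'",
    "%20and%20'1'='1", "%20and%20exists%20(select%20*%20from%20",
    "select%20top%209%20userid%20from%20", "=convert(int,(select%20top%20",
    '%20and%20exists%20(select%20"',
]


def normalize(s):
    """Percent-decode (treating '+' as a space) and lower-case, so a signature
    written with %20 still matches a request sent with '+' or in mixed case."""
    return unquote_plus(s).lower()


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the '#Fields:' names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def analyze_request(row):
    """Return the reasons a logged request looks suspicious (empty list if clean)."""
    stem = row.get("cs-uri-stem", "-")
    query = row.get("cs-uri-query", "-")
    query = "" if query == "-" else query
    reasons = []

    # 1. UrlScan-style deny sequences in the path, checked raw and decoded,
    #    because '%5c' only becomes a backslash after normalization.
    decoded_stem = unquote(stem)
    for seq, why in URL_DENY_SEQUENCES.items():
        if seq in stem or seq in decoded_stem:
            reasons.append(f"url-sequence '{seq}' ({why})")

    # 2. The three checks from the post's VB script: 3+ encoded spaces,
    #    opening parens/brackets, and executables named in the request.
    encoded_spaces = len(re.findall(r"%20", query, re.IGNORECASE))
    if encoded_spaces >= 3:
        reasons.append(f"{encoded_spaces} encoded spaces")
    nq = normalize(query)
    if "(" in nq or "[" in nq:
        reasons.append("parens/brackets in query")
    request = decoded_stem.lower() + "?" + nq
    if ".exe" in request or ".dll" in request:
        reasons.append("executable referenced in request")

    # 3. Known injection strings, compared after normalizing both sides.
    for sig in SQLI_SIGNATURES:
        if normalize(sig) in nq:
            reasons.append(f"signature {sig!r}")
    return reasons


def scan_log(text, min_hits=3):
    """Run the heuristics over a log. Returns the flagged requests and the
    client IPs whose number of flagged requests reaches min_hits (assumed
    threshold) for an analyst to review, as the post describes."""
    flagged = []
    for row in parse_w3c(text):
        reasons = analyze_request(row)
        if reasons:
            flagged.append({"c-ip": row["c-ip"], "stem": row["cs-uri-stem"],
                            "query": row["cs-uri-query"], "reasons": reasons})
    hits = Counter(f["c-ip"] for f in flagged)
    return flagged, {ip: n for ip, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    flagged, hot_ips = scan_log(SAMPLE_LOG)
    for f in flagged:
        print(f["c-ip"], f["stem"], f["query"], "->", "; ".join(f["reasons"]))
    print("IPs to review:", hot_ips)
```

Note that the `/search.asp` line is flagged only for its three encoded spaces and matches no signature; that is the "sometimes they were legitimate requests" case from the post, which is why the script reports reasons for review rather than deciding on its own.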

mohsenMJ-8783 answered mohsenMJ-8783 commented

Hello,
No idea about it?


Are you referring to my reply? What is the "it" that you have no idea about?


Hello,
I meant: how can I change the HTTPS server version!

Thank you.

MotoX80 answered mohsenMJ-8783 edited

configured an IIS web site to return a header

Add the response header at the server level instead of at the site level.

137102-capture.jpg



Or add the header to all web sites.


Hello,
I did it, but Microsoft IIS couldn't start!
I scanned my host via Nmap and, as you see, Nmap detected my server as IIS:

137363-nmap.png



Any idea?

MotoX80 replied to mohsenMJ-8783:

I did it, but Microsoft IIS couldn't start!

What error did you get? There should have been an entry in the system or application event log.


Hello,
Microsoft IIS showed me:

138152-http-error.png


MotoX80 answered MotoX80 edited

Nmap detected my server as an IIS:

Mine too. Even though I set the headers to report as MVS and CICS.

137445-capture.jpg


https://nmap.org/book/man-version-detection.html


After TCP and/or UDP ports are discovered using one of the other scan methods, version detection interrogates those ports to determine more about what is actually running. The nmap-service-probes database contains probes for querying various services and match expressions to recognize and parse responses. Nmap tries to determine the service protocol (e.g. FTP, SSH, Telnet, HTTP), the application name (e.g. ISC BIND, Apache httpd, Solaris telnetd), the version number, hostname, device type (e.g. printer, router), the OS family (e.g. Windows, Linux).


https://nmap.org/book/vscan.html

To reiterate what I posted in my first reply, this falls into the "So What?" category. If you've got a web server exposed to the internet, then you are likely running one of these web servers.

https://w3techs.com/technologies/overview/web_server

If you really have IIS running but you set the host headers to report that you are running Apache, it's not like any hacker is going to say: "well, he's running Apache, so we will only run Apache specific hack attempts against him".

Heck no, they are going to try every known exploit that they have access to, to see if they can break into your server. Because you never know when an IIS exploit might work on Apache.


Disclaimer: The above reply is my personal opinion based on decades of professional experience. I do not represent Microsoft.






MotoX80 answered mohsenMJ-8783 edited

Should I remove it completely?


I would; I don't see any value in adding a header that says that you are running Apache.


Are you sure no one can hide the IIS version from the scanners like Nmap?

No, I am not sure. If your organization is extremely concerned with your public facing web site, then it might be a good idea to hire a security firm who specializes in penetration testing and web security analysis and have them probe your sites and see what they recommend. The company that I used to work for did that, but it was 6 years ago. I don't remember who did that for us.


You should be able to use the configuration editor and remove the header. Start at the server level and set it to false.

system.webServer/security/requestFiltering


139485-capture.jpg



Then check each of your sites to see that they are inheriting the server config.


139504-capture1.jpg





Hello,
Thank you for your help.
I did it already, but a scanner like Nmap can detect my Microsoft IIS version!

MotoX80 replied to mohsenMJ-8783:

but a scanner like Nmap can't detect my Microsoft IIS version!

I'm confused. Isn't that what you want? To hide the fact that you are running IIS 10 (or whatever)?

Or did you mean to say: Nmap can detect

Hello,
Thank you so much for your reply.
I'm sorry, it was a typo.
You're right, I want it so that a scanner like Nmap can't detect the web server that I'm using or the IIS version.
