Service Banner Faking in FreeBSD

12 01 2008

This is a simple how-to on faking a service banner. Service banners often contain a lot of information, like the real software running, etc. Knowing this (the service banner) leaves our machine more exposed to exploits, because it contains the version number, the real software running, etc. Keep in mind that this won't make your machine/server more secure against exploits when you run a vulnerable service. This article only aims to fake the banner and, in this way, fool the script kiddies. However, your system will still be vulnerable to an exploit if you run a vulnerable service. If a script kiddie runs his exploit, even if he sees you don't send out the right banner, you can still be attacked. So always keep your system up to date, and see this as a way to decrease the number of attacks on your system, not as a way to be invulnerable.

Let's start changing the service banner. In this case, I will explain how to change the SSH service banner.

Current SSH Banner = SSH-2.0-OpenSSH_x.x (default from freebsd)

Wanted SSH Banner = SSH-2.0-just_look_at_me be_with_you_forever

hmmmm….. how?? It's so simple, just follow these steps.

Open version.h, located in /usr/src/crypto/openssh/, then edit these lines:

#define SSH_VERSION (ssh_version_get())
#define SSH_RELEASE (ssh_version_get())
#define SSH_VERSION_BASE "just_look_at_me"
#define SSH_VERSION_ADDENDUM "be_with_you_forever"

Save version.h, then go to /usr/src/secure/lib/libssh. Recompile ssh and restart your ssh service.

make obj && make depend && make && make install

/etc/rc.d/sshd restart

Wanna see the changes??? Just telnet to your ssh server, or maybe use nmap.

simple?? yeahhh…..

Tested on FreeBSD 6.0-stable, FreeBSD 6.2-Release, and FreeBSD 6.3-PRERELEASE, and it works :)
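A way to check the result without telnet or nmap, as an added example that is not part of the original post: it reads the server's identification line, splits it into the RFC 4253 fields, and reports product/version tokens the banner still gives away. The function names, the leak patterns and the two sample banners are constructed for illustration.

```python
import re
import socket
import sys

# RFC 4253 section 4.2: SSH-protoversion-softwareversion SP comments CR LF
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[^-\s]+)-(?P<software>[^\s-]+)(?: (?P<comments>.*))?$")
# Assumed leak patterns: an OpenSSH release or a FreeBSD date addendum
LEAK_RE = re.compile(r"(OpenSSH_[0-9][\w.]*|FreeBSD-\d{8})")

# Constructed sample banners (not captured from a real host)
SAMPLE_DEFAULT = "SSH-2.0-OpenSSH_4.5p1 FreeBSD-20061110\r\n"
SAMPLE_FAKED = "SSH-2.0-just_look_at_me be_with_you_forever\r\n"

def parse_banner(line):
    """Split an SSH identification string into proto/software/comments."""
    m = BANNER_RE.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError("not an SSH identification string: %r" % line)
    return m.groupdict()

def leaks(line):
    """Return the product/version tokens the banner still discloses."""
    return LEAK_RE.findall(line)

def read_banner(host, port=22, timeout=5.0):
    """Connect to host:port and return the line that starts with 'SSH-'."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        stream = sock.makefile("rb")
        for _ in range(20):  # a server may send other lines first
            raw = stream.readline(256)
            if not raw:
                break
            text = raw.decode("ascii", "replace")
            if text.startswith("SSH-"):
                return text.rstrip("\r\n")
    raise ConnectionError("no SSH identification string received")

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python check_banner.py 127.0.0.1 22
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 22
        banners = [read_banner(sys.argv[1], port)]
    else:
        banners = [SAMPLE_DEFAULT, SAMPLE_FAKED]
    for b in banners:
        print(parse_banner(b), "leaks:", leaks(b) or "none")
```

With the faked banner, SSH_VERSION_BASE lands in the software field and SSH_VERSION_ADDENDUM in the comments field, and no version token is reported.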

And how about the Apache web server? ohhohoh, just use an additional module called mod_security, a cool add-on module for Apache. How? Read my last article on my Friendster blog :)

oks, time to sleep now………… byee





Simple Loadable Kernel Module (LKM) in FreeBSD

11 01 2008

oksss……. sick of love today, and enjoying this life. Hmm, looks like a serious topic: LKM, a.k.a. Loadable Kernel Module. hohohohho. If you are a FreeBSD user, or maybe a Linux user, you have often seen something like this: loading module A, loading module B, etc. In FreeBSD you can do this using kldload module_module (you can find a lot of FreeBSD kernel modules in /boot/defaults/loader.conf). In Linux??? Sorry, I forgot :D :D

okeyy…. let's start our first LKM…. Having good programming skills will help you a lot (I'm still a newbie :( ). It is just a simple LKM: when you load this module, it gives you the output "first LKM freebsd ^_^". okeyyy, serious now.

When an LKM is loaded or unloaded, the module event handler is called. This function handles all the runtime events: loading the module, unloading the module, and shutting down the module. The prototype for the event handler looks like this (you can find these lines in /usr/include/sys/module.h):

typedef int (*modeventhand_t)(module_t, int /* modeventtype_t */, void *);

typedef enum modeventtype {
    MOD_LOAD,
    MOD_UNLOAD,
    MOD_SHUTDOWN,
    MOD_QUIESCE
} modeventtype_t;

confused???? hahahahahahah, me too :shock: :shock:

Next, when an LKM is loaded or unloaded, it must be linked with the kernel. It's an easy step: just call the DECLARE_MODULE macro (you can find it in /usr/include/sys/module.h). The definition looks like this:

#define DECLARE_MODULE(name, data, sub, order) \
    MODULE_METADATA(_md_##name, MDT_MODULE, &data, #name); \
    SYSINIT(name##module, sub, order, module_register_init, &data) \
    struct __hack

okeeyyy, let's start coding (the filename is kld.c)


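#include <sys/param.h>
#include <sys/module.h>
#include <sys/kernel.h>
#include <sys/systm.h>

/* Module event handler: the kernel calls it on load, unload, etc. */
static int load_module(struct module *m, int _c, void *arg)
{
    int error = 0;

    switch (_c)
    {
    case MOD_LOAD:
        /* uprintf() writes to the terminal of the calling process */
        uprintf("first LKM freebsd ^_^ \n");
        break;

    case MOD_UNLOAD:
        uprintf("unloading the frist LKM \n");
        break;

    default:
        /* MOD_SHUTDOWN, MOD_QUIESCE and any other event are not handled */
        error = EOPNOTSUPP;
        break;
    }
    return (error);
}

/* Module data: module name, event handler, extra argument for the handler */
static moduledata_t first_module =
{
    "hello_world",
    load_module,
    NULL
};

DECLARE_MODULE(hello_world, first_module, SI_SUB_DRIVERS, SI_ORDER_MIDDLE);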

To compile this code, create a simple Makefile in the same directory as kld.c. The Makefile contains these lines:

KMOD= hello_world
SRCS= kld.c
.include <bsd.kmod.mk>

Then simply execute the command make.
The output will look like this:

su-2.05b# make
Warning: Object directory not changed from original /usr/home/tunky/lat/bsdkernel/lagi
@ -> /usr/src/sys
machine -> /usr/src/sys/i386/include
cc -O2 -fno-strict-aliasing -pipe -Werror -D_KERNEL -DKLD_MODULE -nostdinc -I- -I. -I@ -I@/contrib/altq -I@/../include -I/usr/include -finline-limit=8000 -fno-common -mno-align-long-strings -mpreferred-stack-boundary=2 -mno-mmx -mno-3dnow -mno-sse -mno-sse2 -ffreestanding -Wall -Wredundant-decls -Wnested-externs -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Winline -Wcast-qual -fformat-extensions -std=c99 -c kld.c
ld -d -warn-common -r -d -o hello_world.kld kld.o
:> export_syms
awk -f /sys/conf/kmod_syms.awk hello_world.kld export_syms | xargs -J% objcopy % hello_world.kld
ld -Bshareable -d -warn-common -o hello_world.ko hello_world.kld
objcopy --strip-debug hello_world.ko

So, how can we load this module??? Simply run kldload ./hello_world.ko. The output will look like this:

su-2.05b# kldload ./hello_world.ko
first LKM freebsd ^_^

Unloading the module: kldunload ./hello_world.ko

su-2.05b# kldunload ./hello_world.ko
unloading the frist LKM :(

hmmmmmmmmmmm, a simple LKM. Wanna more?? Just keep tinkering :)