How to hide SSH version

# 15  
Old 02-18-2008
Quote:
Originally Posted by sb008
To answer questions 3) and 4).

Someone from the outside is using telnet, and clearly you can't disable telnet on his/her machine.
That's just lame.
Quote:
Furthermore, initially SSH will see no difference between a real ssh connecting or a telnet session on port 22.
And?
The point I was trying to make is that there is no benefit security-wise of hiding your ssh version if you are going to allow telnet to be enabled.

I'm just going to shut up and move along as I am not offering anything else of value to the original poster.
# 16  
Old 02-18-2008
Ok, I won't guarantee that this will work for you. But here is a way to change a string in an executable. You will need the gnu strings command. It is available in the binutils package at sunfreeware. So I need a binary to fiddle with....
Code:
$ cp /usr/bin/ftp .
$ ./ftp
ftp> help
Commands may be abbreviated.  Commands are:

!               cd              edit            help            mdir            newer           prompt          reset           size            user
$               cdup            epsv4           idle            mget            nlist           proxy           restart         status          verbose
account         chmod           exit            image           mkdir           nmap            put             rhelp           struct          ?
append          close           form            lcd             mls             ntrans          pwd             rmdir           sunique
ascii           cr              ftp             less            mode            open            quit            rstatus         system
bell            debug           get             lpwd            modtime         page            quote           runique         tenex
binary          delete          gate            ls              more            passive         recv            send            trace
bye             dir             glob            macdef          mput            preserve        reget           sendport        type
case            disconnect      hash            mdelete         msend           progress        rename          site            umask
ftp> bye
$

OK, let's say that my auditors are demanding that I render the word abbreviated in all caps. This means that my replacement text has exactly the same number of characters as my original text. That is important. I can change the text easily, but changing the size is harder. I need to locate the string, and that is why I am using the GNU strings program.
Code:
$ strings -t d -a -n 7 ftp | grep abbreviated
 290112 %sommands may be abbreviated.  Commands are:
$

There is my string but I need to code up a dd command that isolates it. It looks about 15 characters long starting a little bit after 290112. So I try...
Code:
$ dd if=./ftp bs=1 skip=290130 count=15 | od -A n -c
15+0 records in
15+0 records out
15 bytes transferred in 1 secs (15 bytes/sec)
           b   b   r   e   v   i   a   t   e   d   .           C   o

This got me close. But I need it exact...
Code:
$ dd if=./ftp bs=1 skip=290129 count=11 | od -A n -c
11+0 records in
11+0 records out
11 bytes transferred in 1 secs (11 bytes/sec)
           a   b   b   r   e   v   i   a   t   e   d
$

OK, that got it. What I really want to do is crack my ftp executable up into 3 pieces: the stuff before my string, my string, and the stuff after my string. This will take 3 dd statements and now I know how to code them...
Code:
$ dd if=./ftp bs=1 count=290129 of=ftp.1
290129+0 records in
290129+0 records out
290129 bytes transferred in 2 secs (145064 bytes/sec)
$ dd if=./ftp bs=1 skip=290129 count=12 of=ftp.2
12+0 records in
12+0 records out
12 bytes transferred in 1 secs (12 bytes/sec)
$ dd if=ftp bs=1 skip=290141 count=999999999 of=ftp.3
38563+0 records in
38563+0 records out
38563 bytes transferred in 1 secs (38563 bytes/sec)

Now I want to be sure that the middle piece is the string I am expecting and then I want to change the string...
Code:
$ od -A n -c ftp.2
           a   b   b   r   e   v   i   a   t   e   d   .
$ print -n ABBREVIATED. > ftp.2
$ od -A n -c ftp.2
           A   B   B   R   E   V   I   A   T   E   D   .
$

Now I can reassemble the pieces into a new binary and try it out...
Code:
$ cat ftp.* > ftp2
$ chmod u+x ftp2
$ ./ftp2
ftp> help
Commands may be ABBREVIATED.  Commands are:

!               cd              edit            help            mdir            newer           prompt          reset           size            user
$               cdup            epsv4           idle            mget            nlist           proxy           restart         status          verbose
account         chmod           exit            image           mkdir           nmap            put             rhelp           struct          ?
append          close           form            lcd             mls             ntrans          pwd             rmdir           sunique
ascii           cr              ftp             less            mode            open            quit            rstatus         system
bell            debug           get             lpwd            modtime         page            quote           runique         tenex
binary          delete          gate            ls              more            passive         recv            send            trace
bye             dir             glob            macdef          mput            preserve        reget           sendport        type
case            disconnect      hash            mdelete         msend           progress        rename          site            umask
ftp> bye
$ ./ftp
ftp> help
Commands may be abbreviated.  Commands are:

!               cd              edit            help            mdir            newer           prompt          reset           size            user
$               cdup            epsv4           idle            mget            nlist           proxy           restart         status          verbose
account         chmod           exit            image           mkdir           nmap            put             rhelp           struct          ?
append          close           form            lcd             mls             ntrans          pwd             rmdir           sunique
ascii           cr              ftp             less            mode            open            quit            rstatus         system
bell            debug           get             lpwd            modtime         page            quote           runique         tenex
binary          delete          gate            ls              more            passive         recv            send            trace
bye             dir             glob            macdef          mput            preserve        reget           sendport        type
case            disconnect      hash            mdelete         msend           progress        rename          site            umask
ftp> bye
$

That is pretty much it. But you need to get the arithmetic right or it won't work.
# 17  
Old 02-18-2008
WOW excellent job Perderabo,

I must say your "fly by wire" method is radical. Let me try this. If it works I'll paste the results.

thanx again
# 18  
Old 02-19-2008
It works. Put it here just in case anybody ever needs this.
Code:
[root]# cd /tmp
[root]# cp /usr/lib/ssh/sshd .
[root]# ksh -o vi (I like korn)
[root]# strings -t d -a -n 7 sshd | grep Sun
989376 Sun_SSH_1.1
989472 Sun_SSH_1.1
989532 Sun_SSH_1.1
993040 Sun_SSH_1.0.*
993056 Sun_SSH_1.0*
999159 @(#)SunOS 5.9 Generic 113273-13 Oct 2006
[root]#

3 locations have Sun_SSH_1.1, hmm, which one? Let's try the first line.
Code:
[root]# dd if=./sshd bs=1 skip=989376 count=11 | od -A n -c
S u n _ S S H _ 1 . 1
11+0 records in
11+0 records out

[root]# dd if=./sshd bs=1 count=989376 of=sshd.1
989376+0 records in
989376+0 records out

[root]# dd if=./sshd bs=1 skip=989376 count=11 of=sshd.2
11+0 records in
11+0 records out

[root]# od -A n -c sshd.2 (testing to make sure)
S u n _ S S H _ 1 . 1

[root]# dd if=./sshd bs=1 skip=989387 count=999999999 of=sshd.3
11141+0 records in
11141+0 records out

[root]# ls -l sshd.2
-rw------- 1 root root 11 Feb 19 13:56 sshd.2

[root]# print -n JESUSLOVESu > sshd.2
[root]# ls -l sshd.2
-rw------- 1 root root 11 Feb 19 14:00 sshd.2

[root]# cat sshd.* > sshd.new
[root]# ls -l /usr/lib/ssh/sshd
-r-xr-xr-x 1 root bin 1000528 Oct 27 2006 /usr/lib/ssh/sshd
[root]# chmod 755 ./sshd.new
[root]# cp -p ./sshd.new /usr/lib/ssh/.

Stop ssh (ps -ef and kill -9).
Code:
cd /usr/lib/ssh
[root]# cp -p sshd sshd.ORG # back it up first
[root]# cp -p sshd.new sshd
[root]# cd /

[root]# /usr/lib/ssh/sshd # startup ssh
[root]# ps -ef |grep sshd
root 5652 1 0 14:04:28 ? 0:00 /usr/lib/ssh/sshd
root 5654 3665 0 14:04:31 pts/3 0:00 grep sshd
[root]#

[root]# telnet localhost 22
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SSH-2.0-JESUSLOVESu

box8[root]# ssh <some ip> root
Password:
Last login: Tue Feb 19 13:48:21 2008 from localhost
Sun Microsystems Inc. SunOS 5.9 Generic May 2002
[root]#

There's a couple of errors in messages which I'll monitor for a few days, but generally it works.

Perderabo you just saved my weekend I'll down a few brews for you this weekend.

heaps of thanx again
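The procedure the thread walks through by hand (post #16's strings / dd / print / cat split on the ftp binary, and post #18's application of it to sshd) as one added example. This is code written for this page, not code from the thread, from Perderabo, or from Sun. It locates every copy of the target string (post #18 found three copies of Sun_SSH_1.1 and patched only the first), refuses a replacement whose length differs from the original (the "get the arithmetic right" point in post #16), overwrites the bytes in place so the file size cannot change, and keeps a .ORG backup and the file mode the way the posts do with cp -p and chmod. It runs against a constructed stand-in file, not a real sshd; the function names patch_string, patch_file and demo, and the replacement banner Banner_X_99, are my own choices.

```python
"""Same-length string patch of a binary, done in one pass with the checks the
thread's manual strings/dd/cat procedure relies on. Added example for this
page; not the thread's own code."""
import os
import shutil
import tempfile
from typing import List, Optional, Tuple


def find_all(data: bytes, needle: bytes) -> List[int]:
    """Decimal byte offset of every occurrence, like `strings -t d | grep`."""
    offsets, start = [], 0
    while (i := data.find(needle, start)) >= 0:
        offsets.append(i)
        start = i + 1
    return offsets


def patch_string(data: bytes, old: bytes, new: bytes,
                 which: Optional[int] = None) -> Tuple[bytes, List[int]]:
    """Overwrite `old` with `new` (same length) and return (patched, offsets).

    which=None patches every copy; an index patches only that occurrence
    (the thread's sshd had three copies of Sun_SSH_1.1; post #18 took the first).
    The length check matters: a longer or shorter replacement shifts every byte
    after it and corrupts the executable, which is why the posts count bytes.
    """
    if len(old) != len(new):
        raise ValueError(f"replacement must be {len(old)} bytes, got {len(new)}")
    offsets = find_all(data, old)
    if not offsets:
        raise ValueError(f"{old!r} not found")
    targets = offsets if which is None else [offsets[which]]
    buf = bytearray(data)
    for off in targets:
        buf[off:off + len(old)] = new  # equal length, so the file size is unchanged
    return bytes(buf), targets


def patch_file(path: str, old: bytes, new: bytes,
               which: Optional[int] = None, backup_suffix: str = ".ORG") -> List[int]:
    """Patch a file in place after copying it to path+backup_suffix (as cp -p
    sshd sshd.ORG does in the thread), keeping its mode so it stays executable.
    Returns the offsets that were patched."""
    shutil.copy2(path, path + backup_suffix)
    with open(path, "rb") as fh:
        data = fh.read()
    patched, targets = patch_string(data, old, new, which)
    assert len(patched) == len(data)
    mode = os.stat(path).st_mode & 0o7777
    with open(path, "wb") as fh:
        fh.write(patched)
    os.chmod(path, mode)
    return targets


def demo() -> dict:
    """Run the procedure on a constructed stand-in for sshd (not a real ELF file).

    The layout mimics what post #18's `strings` output showed: two copies of
    Sun_SSH_1.1 and a Sun_SSH_1.0.* string that must be left alone."""
    fake = (b"\x7fELF" + b"\x00" * 60          # constructed header padding
            + b"Sun_SSH_1.1\x00" + b"\x00" * 8   # first copy, offset 64
            + b"Sun_SSH_1.1\x00" + b"\x00" * 8   # second copy, offset 84
            + b"Sun_SSH_1.0.*\x00")
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "sshd")
        with open(target, "wb") as fh:
            fh.write(fake)
        os.chmod(target, 0o755)
        targets = patch_file(target, b"Sun_SSH_1.1", b"Banner_X_99")
        with open(target, "rb") as fh:
            patched = fh.read()
        backup_ok = os.path.exists(target + ".ORG")
        mode = os.stat(target).st_mode & 0o777
    return {
        "offsets": targets,
        "size_unchanged": len(patched) == len(fake),
        "copies_patched": patched.count(b"Banner_X_99"),
        "other_string_untouched": patched.count(b"Sun_SSH_1.0.*") == 1,
        "header_untouched": patched.startswith(b"\x7fELF"),
        "mode": mode,
        "backup_ok": backup_ok,
    }


if __name__ == "__main__":
    print(demo())
```

Post #20's caveat still applies to the output of this script exactly as it does to the hand-made binary: the patched file no longer matches the checksum recorded for the package, so package verification will flag it.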
# 19  
Old 02-21-2008
I am impressed!

Excellent job!
# 20  
Old 02-24-2008
That's pretty cool Perderabo.
Just to add a word of warning though: be careful of Solaris packages etc. here, as the binary will no longer have the same checksum and could trigger warnings. Possibly what you're seeing in your messages file?

I forget the commandline, but you can have the pkg database update itself with a new checksum for a modified binary.

It's also possible that a checksum test elsewhere in the code could trip up.

Just worth being careful you consider all the ramifications of fiddling with code like ssh.