ANTI Reconnaissance whitehatGuru.net twitter.com/linuxender linuxender.blogspot.com
DOMAIN 1: ANTI RECONNAISSANCE
Module Objective
This module will familiarize you with the following:
• Understanding Reconnaissance
• Types of Reconnaissance
• Why is anti-reconnaissance effective?
• How To Be Secure From Reconnaissance (Following Anti-Reconnaissance)
• Service Detection
Understanding Reconnaissance
The term reconnaissance refers to the first, pre-attack phase of the hacking process: it involves information-gathering behaviours that aim to profile the target organization or network so that efficient attack tactics can be chosen.
Generally, hacking-relevant reconnaissance activities are carried out before a malicious attack for the following two purposes:
• To improve the probability of a successful operation against the target.
• To improve the probability of successful anonymization (e.g., hiding the attacker's identity).
The reconnaissance target range may include the target organization's clients, employees, operations, network and systems.
Types Of Reconnaissance
• Social Engineering
• Site (Physical) Reconnaissance
• Dumpster Diving
• Internet Reconnaissance
Social Engineering
An attacker calls the target organization and fools an employee into revealing sensitive information. Often, the attacker calls and pretends to be a new employee, customer, system administrator, or business partner.
Site (Physical) Reconnaissance
Physically breaking into the building to try to gain access to the network from the inside. This is often accomplished by walking into the building with a group of employees, or by being hired as an employee or temp.
Dumpster Diving
Going through an organization's discarded documents to find sensitive information. Often, employees throw out papers that reveal critical information; sometimes these even contain notes with user IDs and passwords.
Internet Reconnaissance
• Organization's Website: Can reveal important information, such as employees' contact information, clues about the corporate culture and language, business partners, and what technologies the organization uses.
• Search Engines: Can reveal information about the company's history, current events, future plans, financial status, business partners and technologies in use.
• Usenet: Employees may submit questions to technical newsgroups that reveal information about the particular products the organization uses.
• Whois Database: Contains information about the assignment of Internet addresses, domain names, registrars, and individual contacts.
Why is anti-reconnaissance effective?
Cyber criminals lay the groundwork for any attack by scanning networks to identify valid IP addresses, domain name system (DNS) names, operating systems, applications, and open IP ports. These reconnaissance attempts may come in the form of hard-to-detect, "slow and low" single-packet probes, complex bounce or idle scans, or self-propagating worms looking for the next victim. Each of these probes looks for a reply from the intended target, which provides the attacker with critical information about the target server and the services it is presently running. The logical step is to prevent reconnaissance attempts from providing any useful information to the attacker. The best way to do this is to thwart all reconnaissance attempts with both active and passive measures; this is anti-reconnaissance.
How To Be Secure From Reconnaissance
Training
An efficient training program should cover all security policies and methods so as to increase awareness of information security. If the organization does not have good media control policies, many types of sensitive information will probably go directly into the trash, such as phone bills, contact information, financial information, operations-related information, etc. Organizations should instruct employees to shred sensitive information or dispose of it in an approved way. Don't assume that you are secure just because you take adequate precautions with paper documents.
Avoid Over-publicizing Internal Information
If the hacker is still struggling for information, he can turn to what many consider the hacker's most valuable reconnaissance tool: the Internet. The Internet offers the hacker a multitude of possibilities for gathering information. For example, www.whois.net is one of the online information resources used by hackers. Let's start with the company website. The company website might list key employees and the technologies used, carry job listings that detail the software and hardware types in use, and some sites even have databases with employee names and email addresses. For example: if Wipro is looking for an administrator with expert skills in Red Hat, it means the company's backbone is based on Red Hat Enterprise Linux 5, so the attacker indirectly comes to know the operating system without scanning.
whois.net example (screenshot)
Job opening example (screenshot)
Job opening example cont'd (screenshot)
Anti-Social Engineering Training for Employees
A social engineer is a person who can smooth-talk other individuals into revealing sensitive information, or who sends an email to an insider telling him he needs to reset an account. Social engineering can be done in many ways. To be secure from it, the organization should have good policies and educate employees to follow them. Training should include the following key points, for example:
• Categorizing information as top secret, proprietary, for internal use only, for public use, and so on.
• Administrator, user and guest accounts with proper authorization and access.
• Employees should not reply to emails that offer free gifts such as money on the condition that they send personal details including contact number, company name, designation, etc.
Example (cont'd): While surfing the Internet, a window may suddenly pop up asking for the user's information to log in or sign in. Employees should not give their personal information to any unauthorized site.
Sending spam mail involves nearly identical messages sent to numerous recipients by email. Spam is also a medium for fraudsters to scam users into entering personal information on fake web sites, using emails forged to look like they are from banks or other organizations. This is known as phishing. Spam filters and anti-phishing tools integrated with web browsers can be used to protect against phishers.
Phishing Example: Links might lead you to a fake page from which an attacker can grab your personal details, including your account number, password, etc.
Phishing Example (cont'd): (screenshot)
Any time a web page asks you for sensitive information, you need to be able to identify whether the page is secure or not. The ability to recognize a secure web connection is extremely important, as online fraud cases have increased substantially from year to year. How can you identify if a web page is secured? There are two general indications of a secured web page:
1) Check the web page URL. Normally, when browsing the web, URLs (web page addresses) begin with the letters "http". However, over a secure connection the address displayed should begin with "https"; the s stands for secure.
2) Check for the "Lock" icon. There is a de facto standard among web browsers to display a "lock" icon somewhere in the window of the browser.
Note that these indicators only show that the connection to the site is encrypted; they do not prove that the site is the one you intended to visit, so the address itself must still be checked.
Secure connection indicators in Chrome (screenshot)
Secure connection indicators in Firefox (screenshot)
Hiding Banners
Do not disclose unneeded information. It will make it harder for an attacker to identify the version or status of the services running on the target.
Anti-Reconnaissance – Service Detection
• Objective:
– Modifying the web server banner
– Hiding Apache version detection from the attacker
Hiding the OS and Apache version number
Example:
• In the banner below (screenshot) you can simply see the name of the operating system and the running services.
• It helps the attacker to select the specific attacks designed for a target running these services.
This information can be hidden by changing these two lines in /etc/httpd/conf/httpd.conf. ServerTokens controls whether the Server response header field sent back to clients includes a description of the generic OS type of the server as well as information about compiled-in modules. Possible values:
ServerTokens setting   Server banner header
ProductOnly            Server: Apache
Major                  Server: Apache/2
Minor                  Server: Apache/2.0
Minimal                Server: Apache/2.0.55
OS                     Server: Apache/2.0.55 (Red Hat)
Full                   Server: Apache/2.0.55 (Red Hat) PHP/5.1.2 mod_ssl/2.0.55 OpenSSL/0.9.8
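An added example, not from the original slides: a small POSIX shell audit that reads the response headers a web server returns (a constructed sample standing in for the output of `curl -sI`), classifies the Server header by the ServerTokens level in the table above, and also flags the X-Powered-By header that PHP adds. The function names classify_server_header and audit_headers and the sample header blocks are assumptions of this example; it goes slightly beyond the slide in also flagging non-Apache banners that carry a version string.

```shell
#!/bin/sh
# Added example, not from the original slides: audit the HTTP response headers a
# server returns and report how much version detail they disclose.
# The header blocks below are constructed samples standing in for the output of
# `curl -sI https://www.example.com/` (example.com is a placeholder host).

# Map an Apache "Server:" header value to the ServerTokens level that produces
# it, using the banner shapes from the ServerTokens table on the slide.
classify_server_header() {
    case "$1" in
        "Apache/"*"."*"."*" ("*") "* ) echo Full ;;        # version + OS + modules
        "Apache/"*"."*"."*" ("*")" )   echo OS ;;          # version + OS
        "Apache/"*"."*"."* )           echo Minimal ;;     # full version number
        "Apache/"*"."* )               echo Minor ;;
        "Apache/"* )                   echo Major ;;
        Apache )                       echo ProductOnly ;;
        * )                            echo Unknown ;;     # not an Apache banner
    esac
}

# Read a header block (one "Name: value" per line), print one finding per
# disclosing header, and return 0 only when nothing version-specific leaks.
audit_headers() {
    leaks=0
    while IFS= read -r line; do
        case "$line" in *:*) ;; *) continue ;; esac   # skip status line and blanks
        name=${line%%:*}
        value=${line#*:}
        value=${value# }
        case "$name" in
            [Ss]erver)
                level=$(classify_server_header "$value")
                case "$level" in
                    ProductOnly) ;;
                    Unknown)
                        case "$value" in
                            */*) echo "Server header discloses a version: '$value'"
                                 leaks=$((leaks + 1)) ;;
                        esac ;;
                    *)  echo "Server header discloses $level detail: '$value' (set ServerTokens ProductOnly)"
                        leaks=$((leaks + 1)) ;;
                esac ;;
            [Xx]-[Pp]owered-[Bb]y)
                echo "X-Powered-By discloses '$value' (set expose_php = Off in php.ini)"
                leaks=$((leaks + 1)) ;;
        esac
    done <<EOF
$(printf '%s\n' "$1" | tr -d '\r')
EOF
    [ "$leaks" -eq 0 ]
}

# Constructed sample: the default disclosure level described on the slide.
DEFAULT_HEADERS='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache/2.0.55 (Red Hat) PHP/5.1.2 mod_ssl/2.0.55 OpenSSL/0.9.8
X-Powered-By: PHP/5.1.2
Content-Type: text/html'

# Constructed sample: the same server after ServerTokens ProductOnly and expose_php = Off.
HARDENED_HEADERS='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache
Content-Type: text/html'

echo "== default configuration =="
audit_headers "$DEFAULT_HEADERS" || echo "=> version detail disclosed"
echo "== hardened configuration =="
audit_headers "$HARDENED_HEADERS" && echo "=> no version detail disclosed"
```

To run it against a live host, replace the sample with `audit_headers "$(curl -sI https://your-host/)"`; the function only reads the headers and never changes anything on the server.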
Anti-Reconnaissance – Service Detection
• Objective:
– Modifying the PHP information file to hide PHP version detection
To hide the PHP information you have to edit /etc/php.ini and modify the following option. Search for the line below: Modify it to: Now you need to restart your Apache server. After making this change PHP will no longer add its signature to the web server header.
Anti-Reconnaissance – Service Detection
• Objective:
– Modifying the FTP information file to hide FTP version detection
Hiding the FTP Banner
The following steps are used to change the FTP banner. In order to improve security you may need to change the default banner message. To change the banner message, open the configuration file /etc/vsftpd/vsftpd.conf: Locate the line which reads as follows: Uncomment the line to customize the login banner and set up a new text message:
Save and close the file. Restart vsftpd: Test your new banner.
Anti-Hacking Tip: It is recommended that root login be disabled. By default root is disabled for FTP, but if it is enabled then disable root login by following these steps:
1. Open the vsftpd user list configuration file /etc/vsftpd/user_list using a text editor.
2. Check for the entry below.
Anti-Reconnaissance – Service Detection
• Objective:
– Changing the SSH server login banner
Change The SSH Server Login Banner
By default, no banner is displayed; if you are using the latest version of Linux/UNIX you do not have to worry about the version issue. However, a pre-login banner that sends a warning message before authentication may be relevant for legal protection, or simply to give information to users. The following steps are used to change the OpenSSH pre-login banner: Create your login banner file: Append text: Open the sshd configuration file /etc/ssh/sshd_config using a text editor:
Add/edit the following line: Save the file and restart the sshd server: Test your new banner.
Anti-Hacking Tip: root login should be disabled. To disable root login follow these steps:
1. Open the sshd configuration file /etc/ssh/sshd_config using a text editor.
2. Add/edit the following line:
3. Save the file and restart the sshd server.
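An added example, not from the original slides: a POSIX shell script that checks the five files the Apache, PHP, vsftpd and SSH slides above edit (httpd.conf, php.ini, vsftpd.conf, user_list and sshd_config) for the settings they describe, so the hardening can be verified after a change or as a recurring check. It runs against constructed copies of the files written to a temporary directory; the function names conf_value, check and audit_all, the sample file contents, and the inclusion of ServerSignature Off (an Apache directive the slides do not name) are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the original slides: audit the configuration files the
# slides edit and report which anti-reconnaissance settings are still at their
# disclosing defaults. Constructed copies of the files are written to a temporary
# directory; nothing on the host is read or modified.

# Print the effective value of KEY in FILE: the last uncommented "key value" or
# "key = value" line wins, which is how these daemons resolve repeated directives.
conf_value() {   # conf_value FILE KEY
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        {
            line = $0
            gsub(/\t/, " ", line); sub(/^ +/, "", line)
            e = index(line, "="); s = index(line, " ")
            n = (e > 0 && (s == 0 || e < s)) ? e : s
            if (n == 0) next
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            gsub(/^ +| +$/, "", k); gsub(/^ +| +$/, "", v)
            sub(/^= */, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# Print PASS/FAIL for one setting; return 0 on PASS.
check() {   # check LABEL ACTUAL EXPECTED
    if [ "$2" = "$3" ]; then
        echo "PASS $1 = $2"
    else
        echo "FAIL $1 = '${2:-<unset>}' (expected $3)"
        return 1
    fi
}

# Run every check against the files in DIR; return 0 only if all pass.
audit_all() {   # audit_all DIR
    d=$1; fails=0
    tokens=$(conf_value "$d/httpd.conf" ServerTokens)
    case "$tokens" in Prod) tokens=ProductOnly ;; esac          # Apache accepts both spellings
    check "httpd.conf ServerTokens" "$tokens" ProductOnly || fails=$((fails + 1))
    check "httpd.conf ServerSignature" "$(conf_value "$d/httpd.conf" ServerSignature)" Off || fails=$((fails + 1))
    expose=$(conf_value "$d/php.ini" expose_php | tr '[:upper:]' '[:lower:]')
    check "php.ini expose_php" "$expose" off || fails=$((fails + 1))
    banner=$(conf_value "$d/vsftpd.conf" ftpd_banner)
    check "vsftpd.conf ftpd_banner" "${banner:+custom}" custom || fails=$((fails + 1))
    # With vsftpd's default userlist_deny=YES, a user named in user_list is refused.
    rootlisted=$(grep -qx root "$d/user_list" 2>/dev/null && echo listed)
    check "user_list root" "$rootlisted" listed || fails=$((fails + 1))
    sshbanner=$(conf_value "$d/sshd_config" Banner)
    case "$sshbanner" in none) sshbanner="" ;; esac             # "none" is sshd's default
    check "sshd_config Banner" "${sshbanner:+set}" set || fails=$((fails + 1))
    # An unset PermitRootLogin is reported too: the setting should be explicit.
    check "sshd_config PermitRootLogin" "$(conf_value "$d/sshd_config" PermitRootLogin)" no || fails=$((fails + 1))
    echo "$fails setting(s) still at a disclosing default"
    [ "$fails" -eq 0 ]
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DEFAULT_DIR=$WORK/default; HARDENED_DIR=$WORK/hardened
mkdir -p "$DEFAULT_DIR" "$HARDENED_DIR"

# Constructed fragments of the five files at their disclosing defaults.
printf 'ServerTokens Full\nServerSignature On\n'                 > "$DEFAULT_DIR/httpd.conf"
printf 'expose_php = On\n'                                        > "$DEFAULT_DIR/php.ini"
printf '#ftpd_banner=Welcome to blah FTP service.\n'              > "$DEFAULT_DIR/vsftpd.conf"
printf 'root\nbin\ndaemon\n'                                      > "$DEFAULT_DIR/user_list"
printf '#Banner none\n#PermitRootLogin yes\n'                     > "$DEFAULT_DIR/sshd_config"

# Constructed fragments after the changes the slides describe.
printf 'ServerTokens ProductOnly\nServerSignature Off\n'          > "$HARDENED_DIR/httpd.conf"
printf 'expose_php = Off\n'                                       > "$HARDENED_DIR/php.ini"
printf 'ftpd_banner=Authorized use only. Activity is logged.\n'   > "$HARDENED_DIR/vsftpd.conf"
printf 'root\nbin\ndaemon\n'                                      > "$HARDENED_DIR/user_list"
printf 'Banner /etc/issue.net\nPermitRootLogin no\n'              > "$HARDENED_DIR/sshd_config"

echo "== constructed default files =="; audit_all "$DEFAULT_DIR" || true
echo "== constructed hardened files =="; audit_all "$HARDENED_DIR"
```

On a real host, copy the live files into one directory under those five names (for example `cp /etc/httpd/conf/httpd.conf /etc/php.ini /etc/vsftpd/vsftpd.conf /etc/vsftpd/user_list /etc/ssh/sshd_config "$DIR"/`) and call `audit_all "$DIR"`; a non-zero exit status means at least one setting is still at its default, which makes the script usable from a cron job or a configuration check.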
Hiding OS detection: what's the big deal?
Perhaps you are wondering why you would want to spend your precious time changing your Linux kernel to hide your real OS version from users with 'bad purposes'. Maybe the following reasons can convince you:
• Revealing your OS makes it easier to find and successfully run an exploit against any of your devices.
• Having an unpatched or antique OS version is not very good for your company's prestige. Imagine that your company is a bank and some users notice that you are running an unpatched box. They won't trust you any longer! In addition, this kind of 'bad' news always reaches public opinion.
• Knowing your OS can also become more dangerous, because people can guess which applications you are running on that OS (data inference).