Linux - Anti Reconnaissance

Uploaded by: sagar-kumar

Posted on 22-Jun-2015

DESCRIPTION

This module is for Linux administrators. It will familiarize you with the term reconnaissance and with how to be secure from it.

TRANSCRIPT

Page 1: Linux- Anti reconnaissance

Linuxender

ANTI Reconnaissance

whitehatGuru.net

twitter.com/linuxender

linuxender.blogspot.com

Page 2: Linux- Anti reconnaissance

DOMAIN 1: ANTI RECONNAISSANCE

Module Objective: This module will familiarize you with the following:

Understanding Reconnaissance

Types of Reconnaissance

Why is anti-reconnaissance effective?

How To Be Secure From Reconnaissance (Following Anti-Reconnaissance)

Service Detection

Page 3: Linux- Anti reconnaissance

Understanding Reconnaissance

The term reconnaissance refers to the first, pre-attack phase of the hacking process: it involves information-gathering behaviors that aim to profile the target organization or network in order to choose efficient attack tactics.

Page 4: Linux- Anti reconnaissance

Generally, hacking-relevant reconnaissance activities are carried out before a malicious attack for the following two purposes:

To improve the probability of a successful operation against the target.

To improve the probability of successful anonymization (e.g., hiding the attacker's identity).

The reconnaissance target range may include the target organization's clients, employees, operations, network and systems.

Page 5: Linux- Anti reconnaissance

Types Of Reconnaissance

Social Engineering

Site (Physical) Reconnaissance

Dumpster Diving

Internet Reconnaissance

Page 6: Linux- Anti reconnaissance

Social Engineering: An attacker calls the target organization and fools an employee into revealing sensitive information. Often, the attacker calls and pretends to be a new employee, customer, system administrator, or business partner.

Page 7: Linux- Anti reconnaissance

Site (Physical) Reconnaissance: Physically breaking into the building to try to gain access to the network from the inside. This is often accomplished by walking into the building with a group of employees, or by being hired as an employee or temp.

Page 8: Linux- Anti reconnaissance

Dumpster Diving: Going through an organization's discarded documents to find sensitive information. Often, employees throw out papers that reveal critical information; sometimes they even contain notes with user IDs and passwords.

Page 9: Linux- Anti reconnaissance

Internet Reconnaissance

Organization's Website: Can reveal important information, such as employees' contact information, clues about the corporate culture and language, business partners, and which technologies the organization uses.

Search Engines: Can reveal information about the company’s history, current events, future plans, financial status, business partners, technologies in use.

Usenet: Employees may submit questions to technical newsgroups that reveal information about the particular products that the organization uses.

Whois Database: It contains information about the assignment of Internet addresses, domain names, registrars, and individual contacts.

Page 10: Linux- Anti reconnaissance

Why is anti-reconnaissance effective?

Cyber criminals lay the groundwork for any attack by scanning networks to identify valid IP addresses, domain name system (DNS) names, operating systems, applications, and open IP ports. These reconnaissance attempts may come in the form of hard-to-detect, "slow and low" single-packet probes, complex bounce or idle scans, or self-propagating worms looking for the next victim. Each of these probes looks for a reply from the intended target, which provides the attacker with critical information about the target server and the services it is presently running.

The logical step is to prevent reconnaissance attempts from providing any useful information to the attacker. The best way to do this is to thwart all reconnaissance attempts with both active and passive measures; this is anti-reconnaissance.

Page 11: Linux- Anti reconnaissance

How To Be Secure From Reconnaissance

Training: An efficient training program should cover all security policies and methods, to increase awareness of information security.

If the organization does not have good media control policies, many types of sensitive information will probably go directly into the trash: phone bills, contact information, financial information, operations-related information, etc.

Organizations should instruct employees to shred sensitive information or dispose of it in an approved way.

Don't assume that you are secure just because you take adequate precautions with paper documents.

Page 12: Linux- Anti reconnaissance

Avoid Over-publicizing the Internal Information

If the hacker is still struggling for information, he can turn to what many consider the hacker's most valuable reconnaissance tool: the Internet. The Internet offers the hacker a multitude of possibilities for gathering information. For example, www.whois.net is one of the online information resources used by hackers.

Let's start with the company website. The company website might list key employees and the technologies used, job listings probably detailing the software and hardware types in use, and some sites even have databases with employee names and email addresses.

For example: if Wipro is looking for an administrator with expert skills in Red Hat, that means the company's backbone is based on Red Hat Enterprise Linux 5, so the attacker indirectly learns the operating system without scanning.

Page 13: Linux- Anti reconnaissance

whois.net example

Page 14: Linux- Anti reconnaissance

Job opening example

Page 15: Linux- Anti reconnaissance

Job opening example cont’d

Page 16: Linux- Anti reconnaissance

Anti-Social Engineering Training for Employees

A social engineer is a person who can smooth-talk other individuals into revealing sensitive information, or who sends an email to an insider telling him he needs to reset an account.

Social engineering can be done in many ways. To be secure from it, the organization should have good policies and educate employees to follow them. Training should include the following key points:

For example: categorizing information as top secret, proprietary, for internal use only, for public use, and so on.

Administrator, user and guest accounts with proper authorization and access.

Employees should not reply to emails that offer free gifts such as money on the condition that they send personal details including contact number, company name, designation, etc.

Page 17: Linux- Anti reconnaissance

Example cont'd: While surfing the Internet, a window suddenly pops up asking for the user's information to log in or sign in. Employees should not give their personal information to any unauthorized site.

Page 18: Linux- Anti reconnaissance

Spam: sending nearly identical messages to numerous recipients by email.

Spam is also a medium for fraudsters to scam users into entering personal information on fake Web sites, using emails forged to look like they come from banks or other organizations. This is known as phishing.

Spam filters and anti-phishing tools integrated with web browsers can be used to protect against phishers.

Page 19: Linux- Anti reconnaissance

Phishing Example:

Links might lead you to a fake page from where an attacker can grab your personal details including your account number, password, etc.

Page 20: Linux- Anti reconnaissance

Phishing Example (cont’d):

Page 21: Linux- Anti reconnaissance

Anytime a web page asks you for sensitive information, you need to be able to identify if the page is secure or not. The ability to recognize a secure web connection is extremely important as online fraud cases have increased substantially from year to year.

How can you identify if a web page is secured? There are two general indications of a secured web page:

1) Check the web page URL. Normally, when browsing the web, the URLs (web page addresses) begin with the letters "http". However, over a secure connection the address displayed should begin with "https", where the s stands for secure.

2) Check for the "Lock" icon. There is a de facto standard among web browsers to display a "lock" icon somewhere in the window of the browser.

Page 22: Linux- Anti reconnaissance

Secure connection indicators in Chrome

Secure connection indicators in Firefox

Page 23: Linux- Anti reconnaissance

Hiding Banner

Do not disclose unneeded information.

This makes it harder for an attacker to identify the version or status of the services running on the target.

Page 24: Linux- Anti reconnaissance

Anti-Reconnaissance – Service Detection

• Objective:
– Modifying the webserver banner
– Hiding Apache version detection from the attacker

Page 25: Linux- Anti reconnaissance

Hiding OS and Apache version number

Example:
• In the banner below you can simply see the name of the operating system and the running services.
• It helps the attacker pick out the specific attack designed for a target running these services.

Page 26: Linux- Anti reconnaissance

This information can be hidden by changing these two lines in /etc/httpd/conf/httpd.conf.

ServerTokens controls whether the Server response header field sent back to clients includes a description of the generic OS type of the server, as well as information about compiled-in modules.

Possible values:

ServerTokens Setting    Server Banner Header
ProductOnly             Server: Apache
Major                   Server: Apache/2
Minor                   Server: Apache/2.0
Minimal                 Server: Apache/2.0.55
OS                      Server: Apache/2.0.55 (Red Hat)
Full                    Server: Apache/2.0.55 (Red Hat) PHP/5.1.2 mod_ssl/2.0.55 OpenSSL/0.9.8

Page 27: Linux- Anti reconnaissance

Anti-Reconnaissance – Service Detection

• Objective:
– Modifying the PHP information file to hide PHP version detection

Page 28: Linux- Anti reconnaissance

To hide the PHP information you have to edit /etc/php.ini and modify the following options.

Search for below line:

Modify it to:

Now you need to restart your Apache server.

After making this change PHP will no longer add its signature to the web server header.
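As an added example (not from the original slides), the following shell script audits an httpd.conf and a php.ini against the ServerTokens table above and the PHP step just described, and rewrites the weak lines to their hardened values. It assumes the second Apache line meant on the earlier slide is ServerSignature and the php.ini option meant here is expose_php, and it works on constructed sample files, not a live server.

```shell
# Constructed sample configs (not from any real host); the commented-out lines show that the audit ignores them.
WORK=$(mktemp -d)
cat > "$WORK/httpd.conf" <<'EOF'
# ServerTokens Prod
ServerTokens Full
ServerSignature On
EOF
cat > "$WORK/php.ini" <<'EOF'
; expose_php = Off
expose_php = On
EOF
# Effective Apache directive: last uncommented occurrence wins; default if absent.
apache_directive() {  # $1=file $2=directive $3=default
  ad=$(grep -i "^[[:space:]]*$2[[:space:]]" "$1" | tail -n 1 | awk '{print $2}')
  printf '%s\n' "${ad:-$3}"
}
# Effective php.ini value ("key = value"); lines starting with ';' are comments.
php_setting() {  # $1=file $2=key $3=default
  ps=$(grep -i "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//')
  printf '%s\n' "${ps:-$3}"
}
# What the Server: header looks like at each ServerTokens level (the table above).
banner_shape() {
  case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in
    prod|productonly) echo 'Apache' ;;
    major)            echo 'Apache/2' ;;
    minor)            echo 'Apache/2.x' ;;
    min|minimal)      echo 'Apache/2.x.y' ;;
    os)               echo 'Apache/2.x.y (OS)' ;;
    *)                echo 'Apache/2.x.y (OS) PHP/x mod_ssl/x ...' ;;
  esac
}
# One finding per weak setting; returns 0 only when nothing is exposed. Defaults when absent: ServerTokens Full, ServerSignature Off, expose_php On.
audit() {  # $1=httpd.conf $2=php.ini
  rc=0
  t=$(apache_directive "$1" ServerTokens Full)
  case $(printf '%s' "$t" | tr 'A-Z' 'a-z') in prod|productonly) ;;
    *) echo "ServerTokens $t: Server header reveals '$(banner_shape "$t")'"; rc=1 ;; esac
  case $(apache_directive "$1" ServerSignature Off | tr 'A-Z' 'a-z') in off) ;;
    *) echo "ServerSignature On: error pages append a version/hostname footer"; rc=1 ;; esac
  case $(php_setting "$2" expose_php On | tr 'A-Z' 'a-z') in off|0) ;;
    *) echo "expose_php On: X-Powered-By: PHP/<version> header is sent"; rc=1 ;; esac
  return $rc
}
# Rewrite the live lines to the hardened values (GNU sed: -i and the I flag).
harden() {  # $1=httpd.conf $2=php.ini
  sed -i 's/^[[:space:]]*ServerTokens[[:space:]].*/ServerTokens Prod/I; s/^[[:space:]]*ServerSignature[[:space:]].*/ServerSignature Off/I' "$1"
  sed -i 's/^[[:space:]]*expose_php[[:space:]]*=.*/expose_php = Off/I' "$2"
}
```

Run `audit` before and after `harden` on the real files; a restart of httpd is still required for the change to reach the Server header.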

Page 29: Linux- Anti reconnaissance

Anti-Reconnaissance – Service Detection

• Objective:
– Modifying the FTP information file to hide FTP version detection

Page 30: Linux- Anti reconnaissance

Hiding FTP Banner

The following steps are used to change the FTP banner.

In order to improve security you may need to change the default banner message. To change the banner message, open the configuration file /etc/vsftpd/vsftpd.conf:

Locate the line which reads as follows:

Uncomment the line to customize the login banner and set up a new text message:

Page 31: Linux- Anti reconnaissance

Save and close the file. Restart vsftpd:

Test your new banner

Anti-Hacking Tip: It is recommended that root login be disabled. By default root is disabled for FTP, but if it is enabled, disable root login with the following steps:

1. Open vsftpd user list configuration file /etc/vsftpd/user_list using a text editor.

2. Check for the below entry.

Page 32: Linux- Anti reconnaissance

Anti-Reconnaissance – Service Detection

• Objective:
– Changing the SSH server login banner

Page 33: Linux- Anti reconnaissance

Change The SSH Server Login Banner

By default, no banner is displayed. If you are using the latest version of Linux/UNIX you do not have to worry about the version issue, but a pre-login banner is used to send a warning message before authentication, which may be relevant for legal protection or simply to give information to users. The following steps are used to change the OpenSSH pre-login banner:

Create your login banner file:

Append text:

Open sshd configuration file /etc/ssh/sshd_config using a text editor:

Page 34: Linux- Anti reconnaissance

Add/edit the following line:

Save file and restart the sshd server:

Test your new banner

Anti-Hacking Tip: root login should be disabled. To disable root login follow the mentioned steps:

1. Open sshd configuration file /etc/ssh/sshd_config using a text editor

2. Add/edit the following line:

3. Save file and restart the sshd server.
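As an added example (not part of the original slides), this shell script checks the vsftpd and OpenSSH settings from the two procedures above on constructed sample files: ftpd_banner and root in user_list for vsftpd, Banner and PermitRootLogin for sshd. It assumes those are the directives the slides' elided lines refer to, and it relies on vsftpd's default userlist_deny=YES, under which user_list is a deny list.

```shell
# Constructed sample files (not from any real host); vsftpd.conf mirrors a default install with the banner line still commented out.
WORK=$(mktemp -d)
cat > "$WORK/vsftpd.conf" <<'EOF'
#ftpd_banner=Welcome to blah FTP service.
userlist_enable=YES
EOF
printf 'root\nbin\n' > "$WORK/user_list"
cat > "$WORK/sshd_config" <<'EOF'
#Banner none
PermitRootLogin yes
PermitRootLogin no
EOF
# vsftpd "key=value": last uncommented line wins; default if absent.
vsftpd_opt() {  # $1=file $2=key $3=default
  vo=$(grep "^[[:space:]]*$2=" "$1" | tail -n 1 | sed 's/^[^=]*=//')
  printf '%s\n' "${vo:-$3}"
}
# sshd_config is different: the FIRST uncommented occurrence of a keyword wins,
# so a hardening line appended at the end of the file has no effect.
sshd_opt() {  # $1=file $2=keyword $3=default
  so=$(grep -i "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print $2}')
  printf '%s\n' "${so:-$3}"
}
# Is root kept out of FTP? With userlist_deny=YES (the vsftpd default) user_list is a
# deny list; with userlist_deny=NO it is an allow list and "root" in it means the opposite.
ftp_root_blocked() {  # $1=vsftpd.conf $2=user_list
  [ "$(vsftpd_opt "$1" userlist_enable NO)" = YES ] || return 1
  n=$(grep -cx root "$2" || true)
  if [ "$(vsftpd_opt "$1" userlist_deny YES)" = YES ]; then [ "$n" -gt 0 ]; else [ "$n" -eq 0 ]; fi
}
# One finding per weak setting; returns 0 only when all four checks pass. An absent
# PermitRootLogin is treated as "yes" (the pre-7.0 OpenSSH default; assumption).
audit() {  # $1=vsftpd.conf $2=user_list $3=sshd_config
  rc=0
  [ -n "$(vsftpd_opt "$1" ftpd_banner '')" ] || { echo 'vsftpd: ftpd_banner unset, default banner shows the vsFTPd version'; rc=1; }
  ftp_root_blocked "$1" "$2" || { echo 'vsftpd: root can log in over FTP'; rc=1; }
  [ "$(sshd_opt "$3" Banner none)" != none ] || { echo 'sshd: no pre-login Banner'; rc=1; }
  [ "$(sshd_opt "$3" PermitRootLogin yes | tr 'A-Z' 'a-z')" = no ] || { echo 'sshd: PermitRootLogin is not "no" (first match wins)'; rc=1; }
  return $rc
}
```

On the sample files the audit flags the missing FTP banner, the missing SSH banner and the stray "PermitRootLogin yes" that shadows the "no" below it.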

Page 35: Linux- Anti reconnaissance

Hiding OS detection: what's the big deal?

Perhaps you are wondering why you should spend your precious time changing your Linux kernel to hide your real OS version from users with 'bad purposes'. Maybe the following reasons can convince you:

Revealing your OS makes it easier to find and successfully run an exploit against any of your devices.

Having an unpatched or antique OS version is not good for your company's prestige. Imagine that your company is a bank and some users notice that you are running an unpatched box. They won't trust you any longer! In addition, this kind of 'bad' news always reaches the public.

Knowing your OS can also become more dangerous, because people can guess which applications you are running on that OS (data inference).

Page 36: Linux- Anti reconnaissance

THANKS

linuxender.blogspot.com
www.whitehatGuru.net
Twitter.com/linuxender