Linux Anti-Reconnaissance
DESCRIPTION
This module is for Linux administrators. It will familiarize you with the term reconnaissance and how to be secure from it.
TRANSCRIPT
Linuxender
ANTIReconnaissance
whitehatGuru.net
twitter.com/linuxender
linuxender.blogspot.com
Understanding Reconnaissance
Types of Reconnaissance
Why is anti-reconnaissance effective?
How To Be Secure From Reconnaissance (Following Anti-Reconnaissance)
Service Detection
DOMAIN 1: ANTI RECONNAISSANCE
Module Objective
This module will familiarize you with the following:
The term reconnaissance refers to the first, pre-attack phase of the hacking process: it involves information-gathering behaviors that aim to profile the target organization or network in order to select efficient attack tactics.
Understanding Reconnaissance
Generally, hacking-relevant reconnaissance activities are carried out before a malicious attack for the following two purposes:
• To improve the probability of a successful operation against the target.
• To improve the probability of successful anonymization (e.g., hiding the attacker's identity).
The reconnaissance target range may include the target organization's clients, employees, operations, network and systems.
Types Of Reconnaissance
• Social Engineering
• Site (Physical) Reconnaissance
• Dumpster Diving
• Internet Reconnaissance
Social Engineering
An attacker calls the target organization and fools an employee into revealing sensitive information. Often, the attacker calls and pretends to be a new employee, customer, system administrator, or business partner.
Site (Physical) Reconnaissance
Physically breaking into the building to try to gain access to the network from the inside. This is often accomplished by walking into the building with a group of employees, or by being hired as an employee or temp.
Dumpster Diving
Going through an organization’s discarded documents to find sensitive information. Often, employees throw out papers that reveal critical information; sometimes these even contain notes with user IDs and passwords.
Internet Reconnaissance
Organization’s Website: Can reveal important information, such as employees’ contact information, clues about the corporate culture and language, business partners, and what technologies the organization uses.
Search Engines: Can reveal information about the company’s history, current events, future plans, financial status, business partners, technologies in use.
Usenet: Employees may submit questions to technical newsgroups that reveal information about the particular products that the organization uses.
Whois Database: It contains information about the assignment of Internet addresses, domain names, registrars, and individual contacts.
Why is anti-reconnaissance effective?
Cyber criminals lay the groundwork for any attack by scanning networks to identify valid IP addresses, domain name system (DNS) names, operating systems, applications, and open IP ports. These reconnaissance attempts may come in the form of hard-to-detect, "slow and low" single-packet probes, complex bounce or idle scans, or self-propagating worms looking for the next victim. Each of these probes looks for a reply from the intended target, and that reply provides the attacker with critical information about the target server and the services it is presently running.
The logical step is to prevent reconnaissance attempts from providing any useful information to the attacker. The best way to do this is to thwart all reconnaissance attempts with both active and passive anti-reconnaissance.
Training
An efficient training program should cover all security policies and methods, to increase awareness of information security.
If the organization does not have good media control policies, many types of sensitive information will probably go directly into the trash: phone bills, contact information, financial information, operations-related information, etc.
Organizations should instruct employees to shred sensitive information or dispose of it in an approved way.
Don’t assume that you are secure just because you take adequate precautions with paper documents.
How To Be Secure From Reconnaissance
Avoid Over-publicizing the Internal Information
If the hacker is still struggling for information, he can turn to what many consider the hacker’s most valuable reconnaissance tool: the Internet. The Internet offers the hacker a multitude of possibilities for gathering information. For example, www.whois.net is one of the online information resources used by hackers.
Let’s start with the company website. The company website might have key employees listed, technologies used, and job listings probably detailing the software and hardware types used; some sites even have databases with employee names and email addresses.
For example: if Wipro is looking for an administrator with expert skills in Red Hat, it implies that the company’s backbone is based on Red Hat Enterprise Linux 5, so the attacker indirectly learns the operating system without scanning.
whois.net example
Job opening example
Job opening example cont’d
Anti-Social Engineering Training to Employee
A social engineer is a person who can smooth-talk other individuals into revealing sensitive information, or who sends an email to an insider telling him he needs to reset an account.
Social engineering can be done in many ways. To be secure from it, organizations should have good policies and educate employees to follow them. Training should include the following key points:
For example: categorizing information as top secret, proprietary, for internal use only, for public use, and so on.
Administrator, user and guest accounts with proper authorization and access.
Employees should not reply to emails that offer free gifts such as money on the condition that they send personal details including contact number, company name, designation, etc.
Example (cont’d): while surfing the Internet, a window may suddenly pop up asking for the user’s information to log in or sign in. Employees should not give their personal information to any unauthorized site.
Spam involves nearly identical messages sent to numerous recipients by email.
Spam is also a medium for fraudsters to scam users into entering personal information on fake web sites, using emails forged to look like they are from banks or other organizations. This is known as phishing.
Spam filters and anti-phishing tools integrated with web browsers can be used to protect against phishers.
Phishing Example:
Links might lead you to a fake page from where an attacker can grab your personal details including your account number, password, etc.
Phishing Example (cont’d):
Any time a web page asks you for sensitive information, you need to be able to identify whether the page is secure or not. The ability to recognize a secure web connection is extremely important, as online fraud cases have increased substantially from year to year.
How can you identify if a web page is secured?
There are two general indications of a secured web page:
1) Check the web page URL
Normally, when browsing the web, URLs (web page addresses) begin with the letters "http". However, over a secure connection the address displayed should begin with "https", where the s stands for secure.
2) Check for the "Lock" icon
There is a de facto standard among web browsers to display a "lock" icon somewhere in the browser window.
Both indicators only show that the connection to the domain shown in the address bar is encrypted; the address itself must still be checked against the organization’s real site.
Secure connection indicators in Chrome
Secure connection indicators in Firefox
Hiding Banner
Do not disclose unneeded information.
It will make it harder for an attacker to identify the version or status of the services running on the target.
Anti-Reconnaissance – Service Detection
• Objective:
  – Modifying the web server banner
  – Hiding Apache version detection from the attacker
Hiding OS and Apache version number
Example:
• In the banner below you can simply see the name of the operating system and the running services.
• It can help the attacker filter out the specific attack designed specially for a target running these services.
This information can be hidden by changing these two lines in /etc/httpd/conf/httpd.conf.
ServerTokens controls whether the Server response header field that is sent back to clients includes a description of the generic OS type of the server as well as information about compiled-in modules.
Possible values:
ServerTokens setting   Server banner header
ProductOnly            Server: Apache
Major                  Server: Apache/2
Minor                  Server: Apache/2.0
Minimal                Server: Apache/2.0.55
OS                     Server: Apache/2.0.55 (Red Hat)
Full                   Server: Apache/2.0.55 (Red Hat) PHP/5.1.2 mod_ssl/2.0.55 OpenSSL/0.9.8
Anti-Reconnaissance – Service Detection
• Objective:
  – Modifying the PHP information file to hide PHP version detection
To hide the PHP information you have to edit /etc/php.ini and modify the following option.
Search for the line below:
Modify it to:
Now restart your Apache server.
After making this change PHP will no longer add its signature to the web server header.
Anti-Reconnaissance – Service Detection
• Objective:
  – Modifying the FTP information file to hide FTP version detection
Hiding FTP Banner
The following steps are used to change the FTP banner.
In order to improve security you may need to change the default banner message. To change the banner message, open the configuration file /etc/vsftpd/vsftpd.conf:
Locate the line which reads as follows:
Uncomment the line to customize the login banner and set up a new text message:
Save and close the file. Restart vsftpd:
Test your new banner
Anti-Hacking Tip: It is recommended that root login be disabled. By default root is disabled for FTP, but if it is enabled, disable root login by following these steps:
1. Open the vsftpd user list configuration file /etc/vsftpd/user_list using a text editor.
2. Check for the entry below.
Anti-Reconnaissance – Service Detection
• Objective:
  – Changing the SSH server login banner
Change The SSH Server Login Banner
By default, no banner is displayed. If you are using the latest version of Linux/UNIX, you do not have to worry about the version issue. However, a pre-login banner is used to send a warning message before authentication, which may be relevant for legal protection or simply to give information to users. The following steps are used to change the OpenSSH pre-login banner:
Create your login banner file:
Append text:
Open sshd configuration file /etc/ssh/sshd_config using a text editor:
Add/edit the following line:
Save file and restart the sshd server:
Test your new banner
Anti-Hacking Tip: root login should be disabled. To disable root login follow the mentioned steps:
1. Open sshd configuration file /etc/ssh/sshd_config using a text editor
2. Add/edit the following line:
3. Save file and restart the sshd server.
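A single POSIX shell helper that applies the Apache, PHP, vsftpd and OpenSSH settings from the preceding four sections and audits whether they are in place; this is an added example, not code from the deck. The deck does not show the php.ini line or the second httpd.conf directive, so this assumes they are expose_php and ServerSignature; the banner text and the sample config contents are constructed, and the default paths are the ones the deck names.

```shell
# Set KEY to VALUE in FILE, joined by SEP (" " for httpd.conf/sshd_config, " = "
# for php.ini, "=" for vsftpd.conf). An active or commented-out ("#key") line is
# rewritten in place so no duplicate directive is created; otherwise it is appended.
set_kv() {
    file=$1 key=$2 sep=$3 value=$4
    pat="^[[:space:]]*#?[[:space:]]*$key[[:space:]]*[=[:space:]]"
    if grep -qE "$pat" "$file"; then
        sed -E "s|$pat.*|$key$sep$value|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s%s%s\n' "$key" "$sep" "$value" >> "$file"
    fi
}

# Succeed only if FILE has an uncommented line setting KEY to VALUE (an ERE).
has_setting() {
    grep -qE "^[[:space:]]*$2[[:space:]]*=?[[:space:]]*$3[[:space:]]*$" "$1"
}

# Apply the deck's settings; arguments override the default paths so the function
# can be exercised on copies before the live files are touched (assumed directives
# expose_php and ServerSignature are not shown on the page).
harden_banners() {
    httpd=${1:-/etc/httpd/conf/httpd.conf} phpini=${2:-/etc/php.ini}
    vsftpd=${3:-/etc/vsftpd/vsftpd.conf} sshd=${4:-/etc/ssh/sshd_config}
    set_kv "$httpd"  ServerTokens    ' '   Prod            # header becomes "Server: Apache"
    set_kv "$httpd"  ServerSignature ' '   Off             # no version footer on error pages
    set_kv "$phpini" expose_php      ' = ' Off             # no "X-Powered-By: PHP/x.y" header
    set_kv "$vsftpd" ftpd_banner     '='   'Welcome to the FTP service.'   # constructed text
    set_kv "$sshd"   Banner          ' '   /etc/issue.net  # pre-login warning text
    set_kv "$sshd"   PermitRootLogin ' '   no              # the deck's anti-hacking tip
}

# Print how many of the six settings are still missing (0 means all applied).
audit_banners() {
    n=0
    has_setting "$1" ServerTokens Prod       || n=$((n+1))
    has_setting "$1" ServerSignature Off     || n=$((n+1))
    has_setting "$2" expose_php Off          || n=$((n+1))
    has_setting "$3" ftpd_banner '.+'        || n=$((n+1))
    has_setting "$4" Banner /etc/issue.net   || n=$((n+1))
    has_setting "$4" PermitRootLogin no      || n=$((n+1))
    echo "$n"
}

# Constructed sample configs (not real distro files) in a temp dir, for a dry run.
make_sample_configs() {
    d=$(mktemp -d)
    printf 'ServerTokens OS\nServerSignature On\n'        > "$d/httpd.conf"
    printf 'expose_php = On\n'                            > "$d/php.ini"
    printf '#ftpd_banner=Welcome to blah FTP service.\n'  > "$d/vsftpd.conf"
    printf '#Banner none\n#PermitRootLogin yes\n'         > "$d/sshd_config"
    echo "$d"
}
```

For a dry run, call make_sample_configs and pass the four files it creates to audit_banners (expect 6), harden_banners, then audit_banners again (expect 0). After applying to the live files, validate with apachectl configtest and sshd -t before the restarts the deck's steps require.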
Hiding OS detection
What’s the big deal?
Perhaps you are wondering why you would want to spend your precious time changing your Linux kernel to hide your real OS version from users with ‘bad purposes’. Maybe the following reasons can convince you:
• Revealing your OS makes it easier to find and successfully run an exploit against any of your devices.
• Having an unpatched or antique OS version is not very good for your company’s prestige. Imagine that your company is a bank and some users notice that you are running an unpatched box. They won’t trust you any longer! In addition, this kind of ‘bad’ news always reaches public opinion.
• Knowing your OS can also become more dangerous, because people can guess which applications you are running on that OS (data inference).
THANKS
linuxender.blogspot.com
www.whitehatGuru.net
Twitter.com/linuxender