In the previous article, we discussed the major challenges posed to the data security of an organization. Globally, hackers use their skills, different tools, vulnerabilities and exploits to perform attacks. In this series, we will discuss how an attacker performs those attacks.
Hacking any system comprises five phases:
- Reconnaissance
- Scanning
- Gaining Access
- Maintaining Access
- Clearing Tracks
Each phase requires a high level of computing skill and resources. Each phase will be discussed in detail to understand how it is performed and how it can be controlled to prevent the attack.
Reconnaissance: this is the phase in which an attacker gathers as much information about the victim as possible before launching an attack. It is also referred to as footprinting. Multiple footprinting methods are available, such as:
- Passive footprinting
- Active footprinting
- Anonymous footprinting
- Pseudo-anonymous footprinting
- Private footprinting
- Internet footprinting
The basic objective of footprinting is to collect basic information about the victim's network, OS platforms and the web servers in use. Once this information is gathered, attackers try to find open vulnerabilities and matching exploits with which to launch an attack.
To perform footprinting, an attacker can use multiple methods: Internet crawling, URL scanning, information extraction from the company's website, and network lookups using DNS lookup, Whois lookup and traceroute (tracert). Automated tools are available for all of these lookups. Other effective ways to do footprinting are website mirroring, email tracking and Google hacking.
Countermeasures: Controlling footprinting can be difficult, since no actual attack is taking place yet. Passive footprinting is the hardest of all to detect. Still, there are certain best practices which can be applied to counter reconnaissance in your organization.
First and foremost, configure routers so that they do not respond to footprinting requests. Such requests can be identified as frequent or sequential route requests, and routers can be configured to deny them.
If web servers are used in the organization, they should be configured so that they do not reveal unnecessary information. Information leakage can be reduced by disabling unwanted protocols on the web server.
On the firewall, administrators should remove unwanted rules to avoid rule conflicts and complexity. Unnecessary ports must be blocked so that anonymous attackers cannot make use of them.
IDS and IPS have signatures to detect footprinting patterns; deploy these devices to detect and drop any such suspicious traffic.
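As an added illustration of the pattern such an IDS/IPS signature looks for (this is example code written for this article, not part of the original text or any IDS product), the script below scans web server access logs for one source requesting many distinct paths in a short window with mostly 4xx responses, which is what directory and file footprinting looks like from the defender's side. The log lines are constructed, and the thresholds (window, path count, error ratio) are assumptions to be tuned per site.

```python
"""Flag reconnaissance-style request patterns in web access logs.

Added example, not from the original article: detects one source hitting
many distinct paths within a short window with a high share of 4xx
responses, the footprinting pattern an IDS signature would match.
Sample log lines are constructed; thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined"-style lines, constructed for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /robots.txt HTTP/1.1" 200 64
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "GET /.git/config HTTP/1.1" 404 153
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "GET /admin/ HTTP/1.1" 404 153
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "GET /backup.zip HTTP/1.1" 404 153
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "GET /phpinfo.php HTTP/1.1" 404 153
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "GET /server-status HTTP/1.1" 403 199
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "GET /.env HTTP/1.1" 404 153
198.51.100.20 - - [10/Oct/2023:13:55:10 +0000] "GET / HTTP/1.1" 200 2048
198.51.100.20 - - [10/Oct/2023:13:55:12 +0000] "GET /about HTTP/1.1" 200 1024
198.51.100.20 - - [10/Oct/2023:13:55:15 +0000] "GET /contact HTTP/1.1" 200 900
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts,
            "path": m.group("path"), "status": int(m.group("status"))}


def find_footprinting(log_text, window=timedelta(seconds=30),
                      min_paths=5, min_error_ratio=0.5):
    """Return {ip: details} for sources that, within any sliding window,
    request at least `min_paths` distinct paths with at least
    `min_error_ratio` of the responses being 4xx."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for i, start in enumerate(recs):
            # All requests from this source within `window` of request i.
            window_recs = [r for r in recs[i:] if r["ts"] - start["ts"] <= window]
            paths = {r["path"] for r in window_recs}
            errors = sum(1 for r in window_recs if 400 <= r["status"] < 500)
            ratio = errors / len(window_recs)
            if len(paths) >= min_paths and ratio >= min_error_ratio:
                flagged[ip] = {"distinct_paths": len(paths),
                               "error_ratio": round(ratio, 2),
                               "sample_paths": sorted(paths)[:5]}
                break
    return flagged


if __name__ == "__main__":
    for ip, details in find_footprinting(SAMPLE_LOG).items():
        print(ip, details)
```

Run against a real access log, 203.0.113.7 above (seven distinct paths, six of seven responses 4xx within three seconds) is the kind of source worth a block or a closer look, while the second client browsing three pages successfully is left alone.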
Any information shared on a public website must be scrutinized before it is published. Information that could reveal details about the back-end servers should be screened before being made public. For example, in an HTML form one should prefer the POST method, which keeps the submitted parameters out of the URL so they are not stored in browser history and cannot be bookmarked, over the GET method, which puts them in the URL where they are recorded in browser history and visible to anyone who sees it.
Several mechanisms can be used to prevent search engines from caching web pages, and anonymous domain registration services can be used.
To avoid back-end information leakage and exposure of directories, disable directory listing and encourage the use of split DNS.
Footprinting penetration testing can be used to determine which of the organization's data is available on the open Internet; once identified, remove it quickly to avoid any leakage.
Finally, the organization's security group should apply footprinting techniques to its own environment and try to find out what sensitive information is being leaked. Once such information is found, it should be removed from public access.
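To make the self-footprinting exercise concrete, here is an added example (written for this article, not code from the original or from any tool it names) that applies the checklist above to a web server's own responses: version-disclosing headers, directory listing pages, missing search-engine noindex directives, and forms that submit sensitive fields via GET. The two responses at the bottom are constructed; `fetch_and_audit` is the only part that contacts a live host and is meant to be pointed at your own servers.

```python
"""Self-footprinting audit of a web server's own HTTP responses.

Added example, not from the original article. audit_response() applies
the article's countermeasure checklist to one response; fetch_and_audit()
fetches one of your own URLs and audits it. The LEAKY/HARDENED responses
are constructed for the example.
"""
import re
import urllib.error
import urllib.request
from html.parser import HTMLParser

# Matches a product version in a header value, e.g. "Apache/2.4.57".
VERSION_RE = re.compile(r"/\d+(\.\d+)+")
# Field names that should never travel in a URL query string.
SENSITIVE_FIELDS = {"password", "passwd", "token", "ssn", "secret"}


class FormScanner(HTMLParser):
    """Collect each <form>'s method and the names of its input fields."""

    def __init__(self):
        super().__init__()
        self.forms = []  # list of {"method": str, "fields": set}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"method": (a.get("method") or "get").lower(),
                               "fields": set()})
        elif tag == "input" and self.forms and a.get("name"):
            self.forms[-1]["fields"].add(a["name"].lower())


def audit_response(status, headers, body):
    """Return a list of findings (strings) for one HTTP response."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # 1. Headers that advertise the back-end product or its version.
    for name in ("server", "x-powered-by", "x-aspnet-version"):
        val = h.get(name)
        if val and (name != "server" or VERSION_RE.search(val)):
            findings.append(f"header {name} discloses '{val}'")

    # 2. Directory listing left enabled (default index page title).
    if status == 200 and re.search(r"<title>\s*Index of /", body, re.I):
        findings.append("directory listing enabled")

    # 3. Nothing stops search engines from indexing/caching the page.
    robots = h.get("x-robots-tag", "")
    meta_noindex = re.search(
        r'<meta[^>]+name=["\']robots["\'][^>]+noindex', body, re.I)
    if "noindex" not in robots.lower() and not meta_noindex:
        findings.append("no noindex directive (page may be cached by search engines)")

    # 4. Forms that send sensitive fields via GET (visible in URL/history).
    scanner = FormScanner()
    scanner.feed(body)
    for form in scanner.forms:
        leaky = form["fields"] & SENSITIVE_FIELDS
        if form["method"] == "get" and leaky:
            findings.append(f"form submits {sorted(leaky)} via GET")
    return findings


def fetch_and_audit(url, timeout=10):
    """Fetch one of *our own* URLs and audit it (not exercised offline)."""
    req = urllib.request.Request(url, headers={"User-Agent": "self-footprint-audit"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return audit_response(resp.status, dict(resp.headers),
                                  resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return audit_response(e.code, dict(e.headers),
                              e.read().decode("utf-8", "replace"))


# Constructed responses: a leaky server and a hardened one.
LEAKY = (200,
         {"Server": "Apache/2.4.57 (Ubuntu)", "X-Powered-By": "PHP/8.1.2"},
         '<html><head><title>Index of /backup</title></head><body>'
         '<form method="get" action="/login"><input name="user">'
         '<input name="password"></form></body></html>')
HARDENED = (200,
            {"Server": "Apache", "X-Robots-Tag": "noindex, noarchive"},
            '<html><head><title>Home</title></head><body>'
            '<form method="post" action="/login"><input name="user">'
            '<input name="password"></form></body></html>')

if __name__ == "__main__":
    for label, resp in (("leaky", LEAKY), ("hardened", HARDENED)):
        print(label, audit_response(*resp))
```

The leaky response produces five findings and the hardened one none; in practice you would loop `fetch_and_audit` over the URLs a crawler or search engine could reach on your own domain and treat each finding as a removal task, exactly as the article recommends.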
This summarizes the reconnaissance phase of hacking and its countermeasures. The objective of this article is that security experts identify the loopholes in their network and close them before anyone else can exploit them.
I would like to quote the ancient Chinese philosopher Sun Tzu, who said, “If you know your enemy and know yourself, you need not fear the results of a hundred battles.”
Authored by Punit Dwivedi