June 20, 2019

Make Reconnaissance Harder for the Bad Guys – WST

Before an attacker can attempt to gain access to a network, they must first find the organization's resources that are available to attack. This is what we call the reconnaissance phase. During this phase, public data such as WHOIS information, domains, IP addresses, and email addresses is collected and documented to give the attacker a fingerprint of an organization and what may be available to exploit.

Let’s take a look at a few of the tools that we use during our reconnaissance phase:

  • DataSploit – Performs automated information gathering of public data such as domains, email addresses, IP information and consolidates the data.
  • DNSenum – Searches for host addresses, name servers, mail servers and subdomains that are related to a given domain.
  • Maltego – This allows for open source data to be visualized and further queried.
  • Hunter.io – A tool that scrapes a given website for email addresses.

Unfortunately, these tools (and others) greatly reduce the time it takes to build a comprehensive picture of just about any organization. This also frees up time to work on other things, such as actually attacking your users and infrastructure.

Some basic things that you can do to reduce your online footprint are:

  1. Do not post a staff directory list on your website. This list can give an attacker a set of emails to target with phishing campaigns. Generally, once one email is found, the email syntax is available to create a list of emails to send phishing attacks to.
  2. Privatize WHOIS information. WHOIS information is usually correlated with IP addresses used by an organization. A quick search of the ARIN database can provide an attacker with IP ranges to scan for open ports, which can in turn be scanned for vulnerabilities.
  3. Remove vendor relationships from your website. Many companies will show a list of vendors that they work with or clients they support with their products. This information can be used by an attacker for future phishing emails to pose as someone already working with the organization.
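
For the first item, a pre-publish self-audit of your own site's pages can flag staff addresses before they go live. The script below is an added example, not part of the original tip; the function names, the role-mailbox list and the `example.com` sample pages are assumptions made for illustration.

```python
import html
import re
from urllib.parse import unquote

# Assumption: role mailboxes that are published on purpose and are not flagged.
ROLE_LOCAL_PARTS = {"info", "support", "sales", "abuse", "security", "postmaster"}

# Undo the common "obfuscations" that automated collectors already decode,
# so the audit sees what they see.
_AT = re.compile(r"\s*[\[\(]\s*at\s*[\]\)]\s*", re.I)
_DOT = re.compile(r"\s*[\[\(]\s*dot\s*[\]\)]\s*", re.I)
_EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def exposed_addresses(page_html, own_domain):
    """Return sorted personal addresses at own_domain found in one page."""
    # Decode HTML entities and percent-encoding before matching.
    text = unquote(html.unescape(page_html))
    text = _DOT.sub(".", _AT.sub("@", text))
    found = set()
    for addr in _EMAIL.findall(text):
        local, _, domain = addr.lower().rpartition("@")
        if domain == own_domain.lower() and local not in ROLE_LOCAL_PARTS:
            found.add(f"{local}@{domain}")
    return sorted(found)


def audit_site(pages, own_domain):
    """Map page path -> exposed personal addresses, omitting clean pages."""
    report = {}
    for path, body in pages.items():
        hits = exposed_addresses(body, own_domain)
        if hits:
            report[path] = hits
    return report


# Constructed sample pages for a fictional example.com site.
SAMPLE_PAGES = {
    "/contact.html": '<a href="mailto:info@example.com">Contact us</a>',
    "/staff.html": '<li>Jane Doe &#106;ane.doe&#64;example.com</li>'
                   '<li>John Roe: john.roe [at] example [dot] com</li>',
    "/partners.html": "<p>Questions? Write to help@vendor.example</p>",
}

if __name__ == "__main__":
    for path, hits in audit_site(SAMPLE_PAGES, "example.com").items():
        print(path, hits)
```

Entity-encoded and "[at]"-style addresses are reported the same as plain ones, so a page that relies on those tricks still fails the audit.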
