Fight against Phase 1
Countermeasures against phase 1 of an attack: information gathering before the actual attack starts.
Find out how much an attacker can learn about you from outside.
Limit the information about your internal network that is reachable from the outside.
Never expose your internal DNS information to the public Internet. Run two separate DNS setups (split-horizon DNS): one that knows your internal hosts and networks and answers only inside, and one that serves ONLY your externally accessible services.
Check regularly that the external DNS servers give away no internal information.
You can use the lines below to check whether your external DNS publishes internal information.
Find your external servers providing DNS information of internal hosts.
Create an input file with the external IP ranges you own and want to test (my-ranges-to-test.txt). Running this against an IP range you do not own or do not have written permission for is an offense.
nmap -sU -p 53 -vv -oG dns_found --append-output -iL my-ranges-to-test.txt
Use the findings in the grepable output file to query every server that has UDP/53 open for a name that only exists in your internal zone. The loop prints the server IP followed by the answer; the final grep keeps only servers that answered with your internal domain, and the cut reduces the output to those server IPs.
for i in $(grep '53/open/udp' dns_found | cut -f2 -d' '); do echo -n "$i "; echo -n $(host [your internal domain] "$i" | grep "has address"); echo ""; done | grep "[your internal domain]" | cut -f1 -d' '
Or with metasploit:
use auxiliary/gather/dns_info
set DOMAIN leafield.paulis [or whatever your internal domain is]
set NS [your DNS server]
run
Whatever check you use, keep in mind that NO external DNS server should give away information about internal hosts.
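The same check as a small, reusable script, added here as an example and not taken from the original page: one function pulls the servers with UDP/53 open out of nmap's grepable output, another flags `host` answers that either belong to the internal domain or resolve to RFC 1918 space (a leak indicator even when the name looks harmless), and a third wires them together for a live run. The file name dns_found, the domain corp.example and the sample lines at the end are placeholders constructed for this example.

```shell
#!/bin/sh
# Added example (not code from the original page): helpers for the split-horizon
# DNS leak check. Domain corp.example and all sample data below are constructed.

# Print the IPv4 addresses of every host that nmap's grepable output (-oG)
# lists with UDP/53 open. Grepable lines look like:
#   Host: 203.0.113.10 ()  Ports: 53/open/udp//domain///
dns_servers_from_grepable() {
  grep '53/open/udp' "$1" | awk '{ print $2 }'
}

# Return 0 when an IPv4 address is inside RFC 1918 private space.
is_private_ipv4() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Read `host` output on stdin and print "<name> <address>" for every A record
# that leaks internal data: the name is under the internal domain ($1) or the
# returned address is private. Non-A lines (MX, AAAA, ...) are skipped.
leaks_from_host_output() {
  domain="$1"
  while read -r name verb1 verb2 addr; do
    [ "$verb1 $verb2" = "has address" ] || continue
    case "$name" in
      "$domain"|*."$domain") echo "$name $addr"; continue ;;
    esac
    if is_private_ipv4 "$addr"; then echo "$name $addr"; fi
  done
}

# Live check (needs network and the `host` tool): ask every external DNS server
# found by nmap for a name that should only exist in the internal zone.
# Usage: audit_external_dns dns_found corp.example intranet.corp.example
audit_external_dns() {
  grepable="$1"; domain="$2"; qname="$3"
  for server in $(dns_servers_from_grepable "$grepable"); do
    host "$qname" "$server" 2>/dev/null \
      | leaks_from_host_output "$domain" \
      | while read -r name addr; do
          echo "LEAK: $server answers $name -> $addr"
        done
  done
}

# Demonstration on constructed data, so it runs without network access.
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
# Nmap grepable output, constructed for this example
Host: 203.0.113.10 ()  Ports: 53/open/udp//domain///
Host: 203.0.113.11 ()  Ports: 53/closed/udp//domain///
EOF
echo "DNS servers found: $(dns_servers_from_grepable "$demo_file")"
printf 'intranet.corp.example has address 10.0.0.5\nwww.example.com has address 93.184.216.34\n' \
  | leaks_from_host_output corp.example
rm -f "$demo_file"
```

Two things to keep in mind when running it for real: query a hostname that exists only in the internal zone (querying the bare domain checks just its apex A record), and note that nmap reports UDP/53 as open|filtered when a host simply does not answer; the page's grep for 53/open/udp skips those, so they deserve a manual look rather than being treated as clean.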
New TLD .zip lends itself to phishing
Google has recently started offering the registration of domains ending in .zip.
This is not only used by legitimate actors. As is usual with such top-level domains, there are plenty of shady characters who use it for their business (mostly phishing).
This link gives a small glimpse, showing an excerpt of the currently registered .zip domains.