
Fight against Phase 1

Countermeasures against phase 1 of an attack.

Information gathering before the actual attack starts

Find out how much an attacker knows about you.

Limit the information about your internal network that is available to the outside.

Never expose your internal DNS information to the public Internet. So have two separate DNS server setups: one very specific to your internal hosts and networks, and one ONLY for your externally accessible services.

Do a regular check to ensure the external DNS provides no internal information to the outside.

You can use the lines below to check whether your external DNS publishes internal information.

Find your external servers providing DNS information of internal hosts.

Create an input file with the external IP ranges you own and want to test (my-ip-ranges-to-test.txt). Doing this against an IP range you do not own or do not have written permission for is an offense.

nmap -sU -p 53 -vv -oG dns_found --append-output -iL my-ip-ranges-to-test.txt

Use the generated findings in your outfile to test for any internal domain information.

for i in `grep 53/open/udp dns_found | cut -f2 -d' '`; do echo -n "$i "; echo -n `host [your internal domain] $i | grep "has address"`; echo ""; done | grep "[your internal domain]" | cut -f1 -d' '

Or with metasploit:

use auxiliary/gather/dns_info
set DOMAIN leafield.paulis [or whatever your internal domain is]
set NS [your DNS server]

With every check you make, keep in mind that NO external DNS server should give away information about internal hosts.
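
The regular check described above can be scripted, for example for a cron job; this is an added example, not the author's code. The function names, the RFC 1918 tagging and the sample addresses and hostnames are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.
# Usage: sh thisfile dns_found names.txt   (names.txt: one internal name per line)

# List each server with 53/udp open in nmap grepable (-oG) output.
# sort -u matters because --append-output repeats hosts across runs.
dns_servers() {
    awk '/ 53\/open\/udp\// { print $2 }' "$1" | sort -u
}

# Succeeds when $1 is an RFC 1918 address (assumed internal addressing).
is_private() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read `host` output on stdin; print one line per A record the server
# ($1) returned. Any output for an internal name is a finding.
report_leaks() {
    while read -r name has address addr; do
        [ "$has $address" = "has address" ] || continue
        if is_private "$addr"; then tag=PRIVATE; else tag=public; fi
        echo "$1 $name $addr $tag"
    done
}

# $1 = nmap -oG file, $2 = file with one internal hostname per line.
check_all() {
    for srv in $(dns_servers "$1"); do
        while read -r name; do
            host -W 2 "$name" "$srv" </dev/null 2>/dev/null | report_leaks "$srv"
        done < "$2"
    done
}

# Constructed sample data (documentation addresses, made-up names).
sample_gnmap() {
    printf 'Host: 192.0.2.10 ()\tPorts: 53/open/udp//domain///\n'
    printf 'Host: 192.0.2.11 ()\tPorts: 53/closed/udp//domain///\n'
    printf 'Host: 192.0.2.10 ()\tPorts: 53/open/udp//domain///\n'
}
sample_host_output() {
    printf 'Using domain server:\nName: 192.0.2.10\n\n'
    printf 'intranet.corp.example has address 10.1.2.3\n'
}

if [ "$#" -eq 2 ]; then check_all "$1" "$2"; fi
```

An empty result is the desired outcome; every printed line names an external server that answered for an internal host.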

Check the available information about your internal stuff at various search engines; I'm sure you'll find enough inspiration at the URLs below.

But be careful: even the information you are searching for can somewhere be searched and used against you. So searching for your internal domain name might be OK, but searching for your admin password is not. ;-)

Also use the sources at my other page for searching.