The second M – Misdirection

I’m a few minutes late with this, but it’s election night. I fully own up to backdating it.

Personally, I find this to be a lot of fun. Your mileage may vary.

Misdirection is the art of wasting an attacker’s time and efforts with strategically placed bits of information.
The keys to successful misdirection are to understand where someone is going to look for sensitive information, and what they would do with that information.

A quick and easy bit of misdirection is a web server’s robots.txt file.
For anyone not familiar, the robots.txt file is a simple text file that informs indexing spiders which directories they should ignore, so they do not show up in search engine results.

Unfortunately, this file is visible to anyone; they just need to type its URL into their browser.

Here’s the one that WordPress generated for this site: https://arborealsec.com/robots.txt

If someone is looking to break into your website, checking out the robots.txt file is often the first step. Customizing your file to include bogus information can throw a would-be attacker off track. For example, you can add entries that disallow administrative directories for technologies that aren’t in use on your site. Taking it even further, you can populate those directories with fake files.
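As an added example (not code from the original post), here is a small Python script that builds a robots.txt mixing a real Disallow entry with decoy entries for technologies the site does not run, and then scans web server access log lines for requests to those decoy paths. Since nothing legitimate ever asks for a decoy directory, each hit is a high-confidence tripwire. The decoy paths, the combined-log regex and the sample log lines are all constructed for this example.

```python
import re
from collections import Counter

# Decoy directories for software this (hypothetical) WordPress site does not run.
# Constructed for this example; tune to whatever your own stack does NOT use.
DECOY_PATHS = ["/phpmyadmin/", "/manager/html/", "/cgi-bin/", "/admin_old/"]

# Constructed access-log lines in Apache/nginx combined format.
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Nov/2016:23:51:02 -0500] "GET /robots.txt HTTP/1.1" 200 321',
    '203.0.113.5 - - [08/Nov/2016:23:51:09 -0500] "GET /phpmyadmin/ HTTP/1.1" 404 162',
    '203.0.113.5 - - [08/Nov/2016:23:51:11 -0500] "GET /manager/html HTTP/1.1" 404 162',
    '198.51.100.7 - - [08/Nov/2016:23:52:30 -0500] "GET /blog/misdirection/ HTTP/1.1" 200 8812',
]

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def build_robots_txt(real_disallow, decoys):
    """Emit a robots.txt that lists real Disallow entries alongside decoy ones."""
    lines = ["User-agent: *"]
    lines += [f"Disallow: {path}" for path in real_disallow + decoys]
    return "\n".join(lines) + "\n"


def is_decoy_path(path, decoys):
    """True if the requested path is a decoy directory or anything beneath it."""
    p = path.split("?", 1)[0].rstrip("/")      # drop query string, trailing slash
    return any(p == d.rstrip("/") or p.startswith(d.rstrip("/") + "/") for d in decoys)


def decoy_hits(log_lines, decoys):
    """Return {client_ip: number_of_decoy_requests} for the given log lines."""
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and is_decoy_path(m.group("path"), decoys):
            hits[m.group("ip")] += 1
    return dict(hits)


if __name__ == "__main__":
    print(build_robots_txt(["/wp-admin/"], DECOY_PATHS))
    print(decoy_hits(SAMPLE_LOG, DECOY_PATHS))   # -> {'203.0.113.5': 2}
```

Feeding the same decoy list to both functions keeps the tripwire in sync with what robots.txt advertises, so a change to one cannot silently desynchronize the other.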

I’ll discuss fake files a bit more tomorrow.

Other areas for misdirection include custom crafting your server’s header info. The Server header reports basic information, such as which application server and version you are running. It can be crafted to report a lot of fun stuff, like a production web server that claims to be running on a PlayStation 3, or Windows 3.1.
That’s fun for the shock value, but a better strategy would be to report an older version of the platform you are actually running. Then, an attacker may try to launch known exploits that you have already patched.
You can also disorient unwanted intruders with honeypots, machines specifically set up to be hacked into. Leave an open telnet server or badly secured Windows server with RDP enabled. Fill it with interesting looking things that are actually garbage.

There are lots of places to play with misdirection. Feel free to add your favorites in the comment section.
