LECTURE III THREAT AND ATTACK (2) Aswin Suharsono KOM 15008 Network Security 2012/2013 KOM 15008...
LECTURE III: THREAT AND ATTACK (2)
Aswin Suharsono
KOM 15008 Network Security
2012/2013
Overview
• Phase 3: Gaining Access Using Network Attacks
  – Sniffing
  – IP Address Spoofing
  – Session Hijacking
  – Netcat
  – DoS
• Phase 4: Maintaining Access
  – Trojans
  – Backdoors
• Phase 5: Covering Tracks and Hiding
Sniffer
• Allows an attacker to see everything sent across the network, including user IDs and passwords
• NIC placed in promiscuous mode
• Tcpdump http://www.tcpdump.org
• Windump http://netgroup-serv.polito.it/windump
• Snort http://www.snort.org
• Ethereal http://www.ethereal.com
• Sniffit http://reptile.rug.ac.be/~coder/sniffit/sniffit.html
• Dsniff http://www.monkey.org/~dugsong/dsniff
Passive Sniffers
• Sniffers that passively wait for traffic to be sent to them
• Well suited to a hub environment
• Snort
• Sniffit
Figure 8.2 A LAN implemented with a hub
Introduction
Bad guys can sniff packets
• Packet "sniffing":
  – broadcast media (shared Ethernet, wireless)
  – a promiscuous network interface reads/records all packets (e.g., including passwords!) passing by
[Figure: hosts A, B and C on a shared medium; packet src:B dest:A payload]
Wireshark, the software used for the end-of-chapter labs, is a (free) packet sniffer
Introduction
Bad guys can use fake addresses
• IP spoofing: send a packet with a false source address
[Figure: hosts A, B and C; packet src:B dest:A payload]
… lots more on security (throughout, Chapter 8)
• Ethereal
• Use a switch, not a hub
IP Address Spoofing
• Changing or disguising the source IP address
• Used by Nmap in decoy mode
• Used by Dsniff in the dnsspoof attack
  – The DNS response sent by Dsniff carries the source address of the DNS server
• Used in denial-of-service attacks
• Used in undermining Unix r-commands
• Used with source-routing attacks
Simple IP Address Spoofing
• Pros
  – Works well for hiding the source of a packet flood or other denial-of-service attack
• Cons
  – Difficult for the attacker to monitor response packets
  – Any response packet is sent to the spoofed IP address
  – Difficult to spoof an IP address against any TCP-based service unless the machines are on the same LAN and ARP spoofing is used
Figure 8.13 The TCP three-way handshake inhibits simple spoofing
Figure 8.14 Bob trusts Alice
Figure 8.15 Everyone trusts Alice, the administrator’s main management system
Session Hijacking
• Session hijacking: a combination of sniffing and spoofing
• What a session is
• Sniff for a session
• Record it
• Use it to get in
• By stealing someone else's session, one can get in without needing to log in
Introduction
Bad guys: attack server, network infrastructure
Denial of Service (DoS): attackers make resources (server, bandwidth) unavailable to legitimate traffic by overwhelming the resource with bogus traffic
1. select target
2. break into hosts around the network (see botnet)
3. send packets to target from compromised hosts
[Figure: compromised hosts sending packets to the target]
SYN Flood
• Attacker sends a continuous stream of SYN packets to the target
• Target allocates memory on its connection queue to keep track of half-open connections
• Attacker does not complete the 3-way handshake, filling up all slots on the target machine's connection queue
• If the target machine has a very large connection queue, the attacker can alternatively send a sufficient number of SYN packets to consume the target machine's entire network bandwidth
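The half-open-queue symptom described above, as an added monitoring example (not from the original slides): it replays constructed TCP events and flags a server once the number of stale, uncompleted SYNs passes a threshold; the timeout and threshold values are assumed.

```python
"""Half-open connection monitor for the SYN-flood behaviour on the slide above.
Replays a constructed list of TCP events (time, src, dst, flags) and reports
SYNs that were never completed by the client's ACK within a timeout, which is
what a flooded connection queue looks like. Added example; values are assumed."""
from collections import defaultdict

HALF_OPEN_TIMEOUT = 3.0   # seconds a SYN may wait for the final ACK (assumed value)
ALERT_THRESHOLD = 3       # stale half-open connections per server that trigger an alert (assumed)

# Constructed events: (timestamp, client, server, tcp_flags)
SAMPLE_EVENTS = [
    (0.0, "10.0.0.5:40001", "192.0.2.80:80", "S"),
    (0.1, "192.0.2.80:80", "10.0.0.5:40001", "SA"),
    (0.2, "10.0.0.5:40001", "192.0.2.80:80", "A"),      # completed handshake
    (1.0, "203.0.113.1:1000", "192.0.2.80:80", "S"),    # never completed
    (1.1, "203.0.113.2:1001", "192.0.2.80:80", "S"),
    (1.2, "203.0.113.3:1002", "192.0.2.80:80", "S"),
    (1.3, "203.0.113.4:1003", "192.0.2.80:80", "S"),
    (6.0, "10.0.0.6:40002", "192.0.2.80:80", "S"),      # recent, still within the timeout
]

def half_open_connections(events, now, timeout=HALF_OPEN_TIMEOUT):
    """Return {server: [client, ...]} for SYNs older than `timeout` with no final ACK."""
    pending = {}  # (client, server) -> time the SYN was seen
    for ts, src, dst, flags in events:
        if flags == "S":
            pending[(src, dst)] = ts
        elif flags == "A" and (src, dst) in pending:
            del pending[(src, dst)]      # client finished the three-way handshake
    result = defaultdict(list)
    for (client, server), ts in pending.items():
        if now - ts > timeout:
            result[server].append(client)
    return dict(result)

def syn_flood_alerts(events, now, threshold=ALERT_THRESHOLD):
    """Servers whose stale half-open count reaches the threshold."""
    return sorted(s for s, clients in half_open_connections(events, now).items()
                  if len(clients) >= threshold)

if __name__ == "__main__":
    print(syn_flood_alerts(SAMPLE_EVENTS, now=7.0))   # ['192.0.2.80:80']
```

On Linux the kernel-side mitigation for this is SYN cookies (net.ipv4.tcp_syncookies), which let the server answer a SYN without reserving a queue slot until the handshake completes.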
Smurf Attacks
• Aka directed broadcast attacks
• Smurf attacks rely on an ICMP directed broadcast to create a flood of traffic at a victim
• Attacker uses a spoofed source address: the victim's
• A Smurf attack is a DoS that consumes the victim's network bandwidth
• A Smurf amplifier is a network that responds to directed broadcast messages
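An added example (not from the slides) of the two edge-router checks a defender applies against the IP spoofing and Smurf slides above: BCP 38 ingress filtering, which drops packets whose source address does not belong to the network behind the arrival interface, and a directed-broadcast check that flags ICMP echo requests aimed at a subnet broadcast address; the interface-to-prefix map and the packet records are constructed.

```python
"""Edge checks for the two spoofing-based attacks on the slides above (added example):
BCP 38 ingress filtering, which drops packets whose source does not belong to the network
behind the arrival interface, and a directed-broadcast check for Smurf-style ICMP echo
requests. The topology and packet records below are constructed."""
import ipaddress

# Assumed topology: which prefix legitimately sits behind each router interface.
INTERFACE_PREFIXES = {
    "eth0": ipaddress.ip_network("192.0.2.0/24"),     # internal LAN
    "eth1": ipaddress.ip_network("198.51.100.0/24"),  # DMZ
}

# Constructed packet records: (ingress interface, src, dst, protocol, icmp type or None)
SAMPLE_PACKETS = [
    ("eth0", "192.0.2.10", "203.0.113.5", "tcp", None),      # legitimate outbound
    ("eth0", "203.0.113.77", "198.51.100.9", "udp", None),   # source not from eth0's LAN
    ("eth1", "198.51.100.3", "192.0.2.255", "icmp", 8),      # echo request to LAN broadcast
    ("eth0", "192.0.2.10", "192.0.2.20", "icmp", 8),         # ordinary ping, unicast
    ("eth1", "192.0.2.4", "192.0.2.255", "icmp", 8),         # spoofed source AND broadcast
]

def ingress_violation(iface, src):
    """BCP 38: a packet entering iface must carry a source address inside iface's prefix."""
    prefix = INTERFACE_PREFIXES.get(iface)
    return prefix is not None and ipaddress.ip_address(src) not in prefix

def directed_broadcast_ping(dst, proto, icmp_type):
    """Smurf check: ICMP echo request (type 8) aimed at a known subnet's broadcast address."""
    if proto != "icmp" or icmp_type != 8:
        return False
    target = ipaddress.ip_address(dst)
    return any(target == net.broadcast_address for net in INTERFACE_PREFIXES.values())

def classify(packets):
    """Return (index, reasons) for every packet the edge router should drop."""
    findings = []
    for i, (iface, src, dst, proto, icmp_type) in enumerate(packets):
        reasons = []
        if ingress_violation(iface, src):
            reasons.append("spoofed-source")
        if directed_broadcast_ping(dst, proto, icmp_type):
            reasons.append("directed-broadcast")
        if reasons:
            findings.append((i, reasons))
    return findings

if __name__ == "__main__":
    for idx, why in classify(SAMPLE_PACKETS):
        print(idx, SAMPLE_PACKETS[idx][1], "->", SAMPLE_PACKETS[idx][2], why)
```

On Cisco IOS the equivalent of the second check is `no ip directed-broadcast` on each interface, which stops the network from acting as a Smurf amplifier.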
4. Maintaining Access
Trojan Horses
• A software program that contains a concealed malicious capability but appears benign, useful, or attractive to users
Backdoor
• Software that allows an attacker to access a machine using an alternative entry method
• Installed by attackers after a machine has been compromised
• May permit the attacker to access a computer without needing to provide account names and passwords
• Used in the movie "War Games"
• Can be an sshd listening on a port other than 22
• Can be set up using Netcat
Netcat as a Backdoor
• A popular backdoor tool
• Netcat must be compiled with the "GAPING_SECURITY_HOLE" option
• On the victim machine, run Netcat in listener mode with the -e flag to execute a specific program such as a command shell
• On the attacker's machine, run Netcat in client mode to connect to the backdoor on the victim
Traditional RootKits
• A suite of tools that lets an attacker maintain root-level access via a backdoor while hiding evidence of a system compromise
• More powerful than application-level Trojan horse backdoors (e.g. BO2K, Netcat), since the latter run as separate programs that are easily detectable
• A more insidious form of Trojan horse backdoor than its application-level counterparts, since existing critical system components are replaced to give the attacker backdoor access and to hide
Kernel-Level RootKits
• More sinister, devious, and nasty than traditional RootKits
• The operating system kernel is replaced by a Trojan horse kernel that appears to be well-behaved but in actuality is rotten to the core
• Critical system files such as ls, ps, du, ifconfig are left unmodified
• The Trojanized kernel can intercept system calls and run another application chosen by the attacker
  – An execution request for /bin/login is mapped to /bin/backdoorlogin
  – Tripwire only checks the unaltered system files
• If the kernel cannot be trusted, nothing on the system can be trusted
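A file-integrity baseline of the kind Tripwire performs, added here as an example (not from the slides): it records SHA-256 digests while the host is trusted and later reports replaced, removed or added files, which catches a traditional rootkit's swapped ls or ps; the directory and its files are constructed in a temporary location.

```python
"""File-integrity baseline of the kind Tripwire performs. Digests are recorded while the
host is trusted; a later verify run reports files that were replaced the way a traditional
rootkit swaps out ls or ps. Added example; the files are constructed in a temp directory."""
import hashlib
import os
import tempfile

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_baseline(root):
    """Map relative POSIX-style path -> SHA-256 digest for every file under root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline

def verify(root, baseline):
    """Compare the current tree against the baseline taken while the host was trusted."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }

def demo():
    """Constructed scenario: trusted snapshot, then 'ps' is replaced and an extra binary appears."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.mkdir(bindir)
        for tool in ("ls", "ps", "ifconfig"):
            with open(os.path.join(bindir, tool), "wb") as f:
                f.write(b"original " + tool.encode())
        baseline = build_baseline(root)   # taken while the host is trusted
        with open(os.path.join(bindir, "ps"), "wb") as f:
            f.write(b"trojaned ps that hides the attacker's processes")
        with open(os.path.join(bindir, "backdoorlogin"), "wb") as f:
            f.write(b"extra binary")
        return verify(root, baseline)

if __name__ == "__main__":
    print(demo())   # {'modified': ['bin/ps'], 'missing': [], 'added': ['bin/backdoorlogin']}
```

Because a kernel-level rootkit can lie to every read this script makes, the check is only meaningful when the baseline is kept off-host and the verification runs from known-good media against the offline disk.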
5. Covering Tracks
Hiding Evidence by Altering Event Logs
• Attackers like to remove evidence from logs associated with gaining access, elevating privileges, and installing RootKits and backdoors
  – Login records
  – Stopped and restarted services
  – File access/update times
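Two checks a defender can run over an authentication log for the tampering described above, added as an example (not from the slides): timestamps that run backwards, a typical side effect of editing a log by hand, and privileged activity by a user with no surviving login record; the syslog-style lines are constructed.

```python
"""Two cheap checks for the log tampering on the slide above (added example): timestamps
that run backwards, a common side effect of editing a log by hand, and sudo activity by a
user whose login record no longer exists. The auth-log lines below are constructed."""
import re
from datetime import datetime

SAMPLE_AUTH_LOG = """\
Mar 10 09:12:01 host sshd[1201]: Accepted password for alice from 192.0.2.10 port 51000 ssh2
Mar 10 09:12:01 host sshd[1201]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar 10 09:15:44 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls
Mar 10 09:40:10 host sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt update
Mar 10 09:31:02 host sshd[1340]: Accepted publickey for carol from 192.0.2.12 port 51200 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
LOGIN_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from")
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : TTY=")

def parse(log_text):
    """Yield (timestamp, message) per line; unparsable lines come back with timestamp None."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            yield None, line
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog carries no year
        yield ts, m.group("msg")

def audit(log_text):
    """Return a list of (finding, detail) tuples."""
    findings, logged_in, last_ts = [], set(), None
    for ts, msg in parse(log_text):
        if ts is None:
            findings.append(("unparsable", msg))
            continue
        if last_ts and ts < last_ts:
            findings.append(("out-of-order", msg))
        last_ts = max(last_ts, ts) if last_ts else ts
        if (m := LOGIN_RE.search(msg)):
            logged_in.add(m.group("user"))           # a surviving login record
        elif (m := SUDO_RE.search(msg)) and m.group("user") not in logged_in:
            findings.append(("sudo-without-login", m.group("user")))
    return findings

if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_AUTH_LOG):
        print(kind, "->", detail)
```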
Covert Channels
• Communication channels that disguise data while it moves across the network to avoid detection
• Require a client and a server
• Can be used to remotely control a machine and to secretly transfer files or applications
Figure 11.5 A covert channel between a client and a server
Tunneling
• Carrying one protocol inside another protocol
  – E.g. tunneling AppleTalk traffic over IP
• Any communications protocol can be used to transmit another protocol
  – SSH protocol used to carry telnet, FTP, or X-Windows sessions
• Used by covert channels
  – Loki
  – Reverse WWW Shell
Thank You