Lecture III: Threats and Attacks (2)

Aswin Suharsono

KOM 15008 Network Security 2012/2013

Overview
  • Phase 3: Gaining Access Using Network Attacks

    • Sniffing

    • IP Address Spoofing

    • Session Hijacking

    • Netcat

    • DOS

  • Phase 4: Maintain Access

    • Trojan

    • Backdoors

  • Phase 5 Covering Tracks and Hiding


Sniffing

  • Allows an attacker to see everything sent across the network, including user IDs and passwords

  • NIC placed in promiscuous mode

  • Tcpdump http://www.tcpdump.org

  • Windump http://netgroup-serv.polito.it/windump

  • Snort http://www.snort.org

  • Ethereal http://www.ethereal.com

  • Sniffit http://reptile.rug.ac.be/~coder/sniffit/sniffit.html

  • Dsniff http://www.monkey.org/~dugsong/dsniff

Passive Sniffers

  • Sniffers that passively wait for traffic to be sent to them

  • Well suited for hub environment

  • Snort

  • Sniffit

Figure 8.2 A LAN implemented with a hub

Bad guys can sniff packets

packet “sniffing”:

  • broadcast media (shared Ethernet, wireless)

  • promiscuous network interface reads/records all packets (e.g., including passwords!) passing by

[Figure: a packet src:B dest:A payload observed on the shared medium]




  • Wireshark software used for end-of-chapter labs is a (free) packet sniffer


Bad guys can use fake addresses

IP spoofing: send packet with false source address

[Figure: a packet src:B dest:A payload sent with a forged source address B]




… lots more on security (throughout, Chapter 8)


  • Ethereal

  • Use a switch, not a hub

IP Address Spoofing

  • Changing or disguising the source IP address

  • Used by Nmap in decoy mode

  • Used by Dsniff in dnsspoof attack

    • DNS response sent by Dsniff contains source address of the DNS server

  • Used in denial-of-service attacks

  • Used in undermining Unix r-commands

  • Used with source routing attacks

Simple IP Address Spoofing

  • Pros

    • Works well in hiding source of a packet flood or other denial-of-service attack

  • Cons

    • Difficult for attacker to monitor response packets

    • Any response packet will be sent to spoofed IP address

    • Difficult to spoof an IP address against any TCP-based service unless the machines are on the same LAN and ARP spoofing is used

Figure 8.13 The TCP three-way handshake inhibits simple spoofing

Figure 8.14 Bob trusts Alice

Figure 8.15 Everyone trusts Alice, the administrator’s main management system

Session Hijacking

  • Session hijacking: a combination of sniffing and spoofing

  • Definition of a session

  • Sniff for a session

  • Record it

  • Use it to get in

  • By stealing someone else's session, one can get in without having to log in

Denial of Service (DoS): attackers make resources (server, bandwidth) unavailable to legitimate traffic by overwhelming resource with bogus traffic


Bad guys: attack server, network infrastructure

1. select target

2. break into hosts around the network (see botnet)

3. send packets to target from compromised hosts


SYN Flood

  • Attacker sends continuous stream of SYN packets to target

  • Target allocates memory on its connection queue to keep track of half-open connections

  • Attacker does not complete 3-way handshake, filling up all slots on connection queue of target machine

  • If the target machine has a very large connection queue, the attacker can alternatively send enough SYN packets to consume the target machine’s entire network bandwidth
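As an added example (not part of the lecture slides), the following Python reads a constructed netstat-style connection table and reports the traces a SYN flood leaves on the target: how much of the listen backlog is held by half-open connections, peers holding many half-open slots, and the scatter of single-slot peers that random source spoofing produces. The backlog size, the per-source limit and the sample rows are assumed values.

```python
import re
from collections import Counter

# Constructed sample shaped like `netstat -ant` output (proto, recv-q, send-q,
# local address, foreign address, state); not captured from a real host.
SAMPLE_NETSTAT = """\
tcp 0 0 10.0.0.5:80 198.51.100.7:51234 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.7:51235 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.7:51236 SYN_RECV
tcp 0 0 10.0.0.5:80 198.51.100.7:51237 SYN_RECV
tcp 0 0 10.0.0.5:80 203.0.113.9:40001 ESTABLISHED
tcp 0 0 10.0.0.5:80 192.0.2.10:1025 SYN_RECV
tcp 0 0 10.0.0.5:80 192.0.2.11:1025 SYN_RECV
tcp 0 0 10.0.0.5:80 192.0.2.12:1025 SYN_RECV
"""

LINE_RE = re.compile(r"^tcp\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)$")

def parse_connections(text):
    """Yield (local_ip, local_port, remote_ip, remote_port, state) per row."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), m.group(5)

def half_open_summary(text):
    """Count half-open (SYN_RECV) connections per local port and per remote IP."""
    per_port, per_source = Counter(), Counter()
    for _lip, lport, rip, _rport, state in parse_connections(text):
        if state == "SYN_RECV":
            per_port[lport] += 1
            per_source[rip] += 1
    return per_port, per_source

def syn_flood_indicators(text, backlog=128, per_source_limit=3):
    """Summarise what a SYN flood leaves in the connection table.
    backlog (listen queue size) and per_source_limit are assumed values."""
    per_port, per_source = half_open_summary(text)
    total = sum(per_port.values())
    return {
        "half_open": total,
        # Fraction of the listen backlog already held by half-open connections.
        "queue_pressure": total / backlog,
        # Peers holding more half-open slots than a legitimate client needs.
        "noisy_sources": sorted(ip for ip, n in per_source.items() if n > per_source_limit),
        # Peers with exactly one half-open slot: the pattern left when every
        # SYN carries a different spoofed source, as the spoofing slides note.
        "scattered_sources": sum(1 for n in per_source.values() if n == 1),
    }
```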

Smurf Attacks

  • Aka directed broadcast attacks

  • Smurf attacks rely on an ICMP directed broadcast to create a flood of traffic on a victim

  • Attacker uses a spoofed source address of victim

  • Smurf attack is a DoS attack that consumes the victim’s network bandwidth

  • Smurf amplifier is a network that responds to directed broadcast messages

4. Maintaining Access

Trojan Horses

  • Software program containing a concealed malicious capability but appears to be benign, useful, or attractive to users


Backdoors

  • Software that allows an attacker to access a machine using an alternative entry method

  • Installed by attackers after a machine has been compromised

  • May permit an attacker to access a computer without needing to provide account names and passwords

  • Used in movie “War Games”

  • Can be sshd listening to a port other than 22

  • Can be set up using Netcat

Netcat as a Backdoor

  • A popular backdoor tool

  • Netcat must be compiled with “GAPING_SECURITY_HOLE” option

  • On the victim machine, run Netcat in listener mode with the -e flag to execute a specific program such as a command shell

  • On attacker’s machine run Netcat in client mode to connect to backdoor on victim

Traditional RootKits

  • A suite of tools that allows an attacker to maintain root-level access via a backdoor and hide evidence of a system compromise

  • More powerful than application-level Trojan horse backdoors (e.g. BO2K, Netcat), since the latter run as separate programs which are easily detectable

  • A more insidious form of Trojan horse backdoor than its application-level counterparts, since existing critical system components are replaced to give the attacker backdoor access and hide it

Kernel-Level RootKits

  • More sinister, devious, and nasty than traditional RootKits

  • Operating system kernel replaced by a Trojan horse kernel that appears to be well-behaved but in actuality is rotten to the core

  • Critical system files such as ls, ps, du, ifconfig left unmodified

  • Trojanized kernel can intercept system calls and run another application chosen by the attacker

    • Execution request to run /bin/login is mapped to /bin/backdoorlogin

    • Tripwire only checks the system files, which are left unaltered, so it sees no change

  • If the kernel cannot be trusted, nothing on the system can be trusted

5. Covering Tracks

Hiding Evidence by Altering Event Logs

  • Attackers like to remove evidence from logs associated with the attacker’s gaining access, elevating privileges, and installing RootKits and backdoors

    • Login records

    • Stopped and restarted services

    • File access/update times
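An added example, not part of the lecture: a Python check that reads a constructed syslog excerpt and looks for two traces that deleting log lines tends to leave behind, missing periodic syslogd “-- MARK --” entries and timestamps that run backwards. The 20-minute mark interval, the year and the sample lines are assumed.

```python
from datetime import datetime, timedelta

# Constructed syslog excerpt, not from a real host. syslogd is assumed to write
# "-- MARK --" every 20 minutes. The 14:40 mark is absent and one login entry
# carries a timestamp earlier than the line written before it.
SAMPLE_SYSLOG = """\
Mar 10 14:00:00 host syslogd: -- MARK --
Mar 10 14:05:12 host sshd[2041]: Accepted password for alice from 203.0.113.9 port 40002 ssh2
Mar 10 14:20:00 host syslogd: -- MARK --
Mar 10 15:00:00 host syslogd: -- MARK --
Mar 10 14:58:30 host sshd[2077]: Accepted password for alice from 203.0.113.9 port 40010 ssh2
Mar 10 15:20:00 host syslogd: -- MARK --
"""

MARK_INTERVAL = timedelta(minutes=20)  # assumed syslogd mark interval

def parse_syslog(text, year=2013):
    """Yield (timestamp, message) pairs; classic syslog lines omit the year."""
    for line in text.splitlines():
        stamp = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        yield stamp, line[16:]

def audit_log_continuity(text, mark_interval=MARK_INTERVAL):
    """Return a list of findings: ('missing_marks', previous_mark, mark, count)
    where marks are further apart than the interval allows, and
    ('out_of_order', previous_stamp, stamp) where time runs backwards."""
    findings = []
    prev_stamp = prev_mark = None
    for stamp, msg in parse_syslog(text):
        if prev_stamp is not None and stamp < prev_stamp:
            # A line stamped earlier than its predecessor was not appended by
            # syslogd in sequence; the file was edited afterwards.
            findings.append(("out_of_order", prev_stamp, stamp))
        if msg.endswith("-- MARK --"):
            if prev_mark is not None:
                # Marks arrive on a fixed schedule, so a longer gap means
                # everything between two marks, marks included, was removed.
                missing = round((stamp - prev_mark) / mark_interval) - 1
                if missing > 0:
                    findings.append(("missing_marks", prev_mark, stamp, missing))
            prev_mark = stamp
        prev_stamp = stamp
    return findings
```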

Covert Channels

  • Communication channels that disguise data while it moves across the network to avoid detection

  • Require a client and server

  • Can be used to remotely control a machine and to secretly transfer files or applications

Figure 11.5 A covert channel between a client and a server


Tunneling

  • Carrying one protocol inside another protocol

    • e.g. Tunneling AppleTalk traffic over IP

  • Any communications protocol can be used to transmit another protocol

    • SSH protocol used to carry telnet, FTP, or X-Windows session

  • Used by covert channels

    • Loki

    • Reverse WWW Shell

Thank You