KULIAH III (Lecture III): THREAT AND ATTACK (2)

Aswin Suharsono

KOM 15008

Keamanan Jaringan (Network Security)

2012/2013


Overview

  • Phase 3: Gaining Access Using Network Attacks

    • Sniffing

    • IP Address Spoofing

    • Session Hijacking

    • Netcat

    • DOS

  • Phase 4: Maintain Access

    • Trojan

    • Backdoors

  • Phase 5 Covering Tracks and Hiding


Sniffer

  • Allows an attacker to see everything sent across the network, including user IDs and passwords

  • NIC placed in promiscuous mode

  • Tcpdump http://www.tcpdump.org

  • Windump http://netgroup-serv.polito.it/windump

  • Snort http://www.snort.org

  • Ethereal http://www.ethereal.com

  • Sniffit http://reptile.rug.ac.be/~coder/sniffit/sniffit.html

  • Dsniff http://www.monkey.org/~dugsong/dsniff


Passive Sniffers

  • Sniffers that passively wait for traffic to be sent to them

  • Well suited to a hub environment

  • Snort

  • Sniffit


Figure 8.2 A LAN implemented with a hub


Bad guys can sniff packets

  • Packet “sniffing”:

    • broadcast media (shared Ethernet, wireless)

    • promiscuous network interface reads/records all packets (e.g., including passwords!) passing by

  • [Figure: hosts A, B and C on a shared medium; C reads the packet “src:B dest:A payload” that B sent to A]

  • wireshark software used for end-of-chapter labs is a (free) packet-sniffer

Introduction
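What a promiscuous interface actually hands the sniffer is easiest to see by decoding a frame. The Python below is an added example for these notes, not part of the lecture or of any of the tools listed above: it assembles one Ethernet/IPv4/TCP frame inline (the addresses, ports and the FTP-style `USER`/`PASS` lines are all constructed, and the checksums are left at zero because the parser does not validate them), decodes it the way tcpdump or Wireshark would, and pulls the cleartext credentials out of the payload.

```python
import re
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Assemble an Ethernet/IPv4/TCP frame as a test vector (constructed, not captured).

    IP and TCP checksums are left as 0: the parser below does not validate them.
    """
    eth = (bytes.fromhex(dst_mac.replace(":", ""))
           + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV4))
    # TCP header: data offset 5 words (20 bytes), flags PSH|ACK, window 65535
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 64, PROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp + payload


def parse_frame(raw):
    """Decode one frame the way a sniffer does; returns None for non-IPv4/TCP frames."""
    dst_mac, src_mac = raw[0:6], raw[6:12]
    ethertype = struct.unpack("!H", raw[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        return None
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", raw[14:34])
    if proto != PROTO_TCP:
        return None
    ihl = (ver_ihl & 0x0F) * 4               # IP header length in bytes
    tcp_start = 14 + ihl
    sport, dport, _seq, _ack, off, flags, _win, _csum2, _urg = struct.unpack(
        "!HHIIBBHHH", raw[tcp_start:tcp_start + 20])
    data_start = tcp_start + (off >> 4) * 4  # TCP data offset is counted in 32-bit words
    payload = raw[data_start:14 + total_len]

    def fmt_mac(m):
        return ":".join(f"{b:02x}" for b in m)

    return {
        "src_mac": fmt_mac(src_mac), "dst_mac": fmt_mac(dst_mac),
        "src_ip": socket.inet_ntoa(src), "dst_ip": socket.inet_ntoa(dst),
        "sport": sport, "dport": dport, "ttl": ttl, "flags": flags,
        "payload": payload,
    }


def find_credentials(payload):
    """Pull FTP/POP3-style USER/PASS lines out of a cleartext payload (the sniffer's prize)."""
    text = payload.decode("ascii", errors="replace")
    user = re.search(r"^USER (\S+)", text, re.MULTILINE)
    pw = re.search(r"^PASS (\S+)", text, re.MULTILINE)
    if not (user and pw):
        return None
    return {"user": user.group(1), "password": pw.group(1)}


# Constructed sample: host B (10.0.0.5) logs in to FTP server A (10.0.0.9) in cleartext.
SAMPLE_FRAME = build_frame("02:00:00:00:00:0b", "02:00:00:00:00:0a",
                           "10.0.0.5", "10.0.0.9", 40001, 21,
                           b"USER alice\r\nPASS hunter2\r\n")

if __name__ == "__main__":
    info = parse_frame(SAMPLE_FRAME)
    print(f"{info['src_ip']}:{info['sport']} -> {info['dst_ip']}:{info['dport']}")
    print("credentials:", find_credentials(info["payload"]))
```

Run it directly to print the flow and the recovered credentials. The point for the defender is that nothing here required breaking anything: a protocol that carries credentials unencrypted over a shared medium gives them to whoever is listening, which is why the later slide recommends a switch over a hub and why such protocols belong inside an encrypted one (the SSH tunneling case in the last section).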


Bad guys can use fake addresses

  • IP spoofing: send packet with false source address

  • [Figure: host C sends A a packet “src:B dest:A payload” carrying B’s address as its source]

  • … lots more on security (throughout, Chapter 8)


  • Ethereal


  • Use a switch, not a hub


IP Address Spoofing

  • Changing or disguising the source IP address

  • Used by Nmap in decoy mode

  • Used by Dsniff in dnsspoof attack

    • DNS response sent by Dsniff contains source address of the DNS server

  • Used in denial-of-service attacks

  • Used in undermining Unix r-commands

  • Used with source routing attacks


Simple IP Address Spoofing

  • Pros

    • Works well in hiding source of a packet flood or other denial-of-service attack

  • Cons

    • Difficult for attacker to monitor response packets

    • Any response packet will be sent to the spoofed IP address

    • Difficult to spoof the IP address against a TCP-based service unless the machines are on the same LAN and ARP spoofing is used


Figure 8.13 The TCP three-way handshake inhibits simple spoofing
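Figure 8.13's point, that a forged source address alone is not enough to open a TCP connection, can be modelled in a few lines. This is an added example written for these notes, not code from the lecture: `Server`, `Segment`, `honest_handshake` and `spoofed_handshake` are constructed names, and the network is simulated by the fact that the SYN-ACK is returned to the real owner of the source address, so the spoofer never sees it and has to supply the server's initial sequence number (ISN) itself.

```python
import secrets
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF


@dataclass
class Segment:
    """Only the TCP fields the handshake depends on (constructed model, not real packets)."""
    src: str
    dst: str
    flags: str   # "SYN", "SYN-ACK" or "ACK"
    seq: int
    ack: int = 0


class Server:
    """A TCP listener that accepts a connection only if the final ACK carries its ISN + 1."""

    def __init__(self, addr, isn_source=lambda: secrets.randbits(32)):
        self.addr = addr
        self.isn_source = isn_source     # real stacks pick a random per-connection ISN (RFC 6528)
        self.half_open = {}              # peer address -> ISN we sent in the SYN-ACK
        self.established = set()

    def receive(self, seg):
        if seg.flags == "SYN":
            isn = self.isn_source()
            self.half_open[seg.src] = isn
            # The SYN-ACK is routed to seg.src, i.e. to whoever really owns that address.
            return Segment(self.addr, seg.src, "SYN-ACK", seq=isn, ack=(seg.seq + 1) & MASK32)
        if seg.flags == "ACK" and seg.src in self.half_open:
            expected = (self.half_open.pop(seg.src) + 1) & MASK32
            if seg.ack == expected:
                self.established.add(seg.src)
                return "ESTABLISHED"
            return "RST"                 # wrong acknowledgement number: connection refused
        return None


def honest_handshake(server, client_addr):
    """Client B really owns its address, so it receives the SYN-ACK and learns the ISN."""
    syn_ack = server.receive(Segment(client_addr, server.addr, "SYN", seq=1000))
    return server.receive(Segment(client_addr, server.addr, "ACK",
                                  seq=1001, ack=(syn_ack.seq + 1) & MASK32))


def spoofed_handshake(server, spoofed_addr, guessed_isn):
    """Attacker C forges B's address. The SYN-ACK goes to B, not to C, so C never sees the
    ISN and can only guess it (1 chance in 2**32 against a random ISN)."""
    server.receive(Segment(spoofed_addr, server.addr, "SYN", seq=5000))   # SYN-ACK never reaches C
    return server.receive(Segment(spoofed_addr, server.addr, "ACK",
                                  seq=5001, ack=(guessed_isn + 1) & MASK32))


if __name__ == "__main__":
    srv = Server("10.0.0.1")
    print("honest client:", honest_handshake(srv, "10.0.0.2"))
    print("spoofed client:", spoofed_handshake(srv, "10.0.0.3", guessed_isn=0))
```

The model also shows the flip side: pass a constant `isn_source` and the spoofed connection succeeds, so the handshake protects only as long as the ISN is unpredictable. That is why modern stacks randomize it per connection (RFC 6528), and why the trust relationships in Figures 8.14 and 8.15 matter: a service that authenticates on the source address alone stands or falls with that one number.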


Figure 8.14 Bob trusts Alice


Figure 8.15 Everyone trusts Alice, the administrator’s main management system


Session Hijacking

  • Session hijacking: a combination of sniffing and spoofing

  • What a session is

  • Sniff for a session

  • Record it

  • Use it to get in

  • By stealing someone else’s session, you can get in without needing to log in


  • Denial of Service (DoS): attackers make resources (server, bandwidth) unavailable to legitimate traffic by overwhelming the resource with bogus traffic

  • [Figure: many compromised hosts sending traffic to one target]

  • Bad guys: attack server, network infrastructure

    1. select target

    2. break into hosts around the network (see botnet)

    3. send packets to target from compromised hosts


SYN Flood

  • Attacker sends a continuous stream of SYN packets to the target

  • Target allocates memory on its connection queue to keep track of half-open connections

  • Attacker does not complete the 3-way handshake, filling up all slots on the connection queue of the target machine

  • If the target machine has a very large connection queue, the attacker can alternatively send enough SYN packets to consume the target machine’s entire network bandwidth
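The queue-exhaustion mechanism on this slide, and the SYN-cookie defence most stacks now use against it, can be compared in a small simulation. This is an added example for these notes, not from the lecture: `BacklogServer` keeps the fixed-size half-open queue the slide describes; `SynCookieServer` stores nothing until the third packet arrives, because its ISN is a MAC over the peer's address and a time slot (simplified from real SYN cookies, which also fold in the ports, the client's sequence number and MSS bits); `syn_flood` and `legitimate_connect` use constructed addresses.

```python
import hashlib
import hmac
import secrets

MASK32 = 0xFFFFFFFF


class BacklogServer:
    """Classic listener: every SYN costs a slot in a fixed-size half-open queue."""

    def __init__(self, backlog):
        self.backlog = backlog
        self.half_open = {}        # src address -> ISN sent in our SYN-ACK
        self.established = set()
        self.dropped = 0

    def on_syn(self, src, now=0):
        if len(self.half_open) >= self.backlog:
            self.dropped += 1      # queue full: this SYN (possibly a legitimate one) is dropped
            return None
        isn = secrets.randbits(32)
        self.half_open[src] = isn
        return isn

    def on_ack(self, src, ack, now=0):
        isn = self.half_open.pop(src, None)
        if isn is not None and ack == (isn + 1) & MASK32:
            self.established.add(src)
            return True
        return False


class SynCookieServer:
    """SYN-cookie listener: the ISN is a MAC over the peer's address and a time slot, so no
    state is kept until the handshake's third packet arrives and the cookie is recomputed.
    Simplified: real SYN cookies also fold in ports, the client's sequence number and MSS bits."""

    SLOT = 60   # seconds; a cookie is honoured for the current and the previous slot

    def __init__(self, key=None):
        self.key = key or secrets.token_bytes(16)
        self.established = set()

    def _cookie(self, src, slot):
        mac = hmac.new(self.key, f"{src}|{slot}".encode(), hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def on_syn(self, src, now):
        return self._cookie(src, int(now) // self.SLOT)   # state-free: nothing to exhaust

    def on_ack(self, src, ack, now):
        slot = int(now) // self.SLOT
        for s in (slot, slot - 1):
            if ack == (self._cookie(src, s) + 1) & MASK32:
                self.established.add(src)
                return True
        return False


def syn_flood(server, count, now=0):
    """Model a flood of SYNs from spoofed sources that never answer (constructed addresses)."""
    for i in range(count):
        server.on_syn(f"spoofed-src-{i}", now)   # no third packet ever follows


def legitimate_connect(server, src, now=0):
    """A real client completes the handshake if the server still answers its SYN."""
    isn = server.on_syn(src, now)
    if isn is None:
        return False
    return server.on_ack(src, (isn + 1) & MASK32, now)


if __name__ == "__main__":
    classic = BacklogServer(backlog=128)
    syn_flood(classic, 1000)
    print("backlog server, legitimate connect:", legitimate_connect(classic, "198.51.100.7"))
    cookies = SynCookieServer()
    syn_flood(cookies, 1000, now=1_000_000)
    print("SYN-cookie server, legitimate connect:",
          legitimate_connect(cookies, "198.51.100.7", now=1_000_000))
```

Against the backlog server, 1000 spoofed SYNs fill a 128-slot queue and every later SYN, the legitimate one included, is dropped; the cookie server absorbs the same flood without holding state and still completes the real client's handshake. Cookies do nothing against the slide's second variant, saturating the link itself, which has to be absorbed upstream of the target.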


Smurf Attacks

  • Also known as directed broadcast attacks

  • Smurf attacks rely on an ICMP directed broadcast to create a flood of traffic on a victim

  • Attacker uses a spoofed source address of victim

  • Smurf attack is a DoS that consumes the network bandwidth of the victim

  • Smurf amplifier is a network that responds to directed broadcast messages


4. Maintaining Access


Trojan Horses

  • A software program that contains a concealed malicious capability but appears to be benign, useful, or attractive to users


Backdoor

  • Software that allows an attacker to access a machine using an alternative entry method

  • Installed by attackers after a machine has been compromised

  • May permit the attacker to access a computer without needing to provide account names and passwords

  • Used in movie “War Games”

  • Can be sshd listening to a port other than 22

  • Can be set up using Netcat


Netcat as a Backdoor

  • A popular backdoor tool

  • Netcat must be compiled with the “GAPING_SECURITY_HOLE” option

  • On the victim machine, run Netcat in listener mode with the -e flag to execute a specific program such as a command shell

  • On attacker’s machine run Netcat in client mode to connect to backdoor on victim


Traditional RootKits

  • A suite of tools that allows an attacker to maintain root-level access via a backdoor and hide evidence of a system compromise

  • More powerful than application-level Trojan horse backdoors (e.g. BO2K, Netcat), since the latter run as separate programs which are easily detectable

  • A more insidious form of Trojan horse backdoor than its application-level counterparts, since existing critical system components are replaced to give the attacker backdoor access and hide the compromise


Kernel-Level RootKits

  • More sinister, devious, and nasty than traditional RootKits

  • Operating system kernel replaced by a Trojan horse kernel that appears to be well-behaved but in actuality is rotten to the core

  • Critical system files such as ls, ps, du, ifconfig left unmodified

  • Trojanized kernel can intercept system calls and run another application chosen by the attacker

    • An execution request for /bin/login is mapped to /bin/backdoorlogin

    • Tripwire checks only the system files, which remain unaltered, so the substitution goes unnoticed

  • If the kernel cannot be trusted, nothing on the system can be trusted
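The Tripwire remark on this slide is worth seeing in code. The Python below is an added example for these notes, not Tripwire's own code: `build_baseline` and `verify` implement the hash-and-compare idea of a file-integrity checker over a temporary directory holding constructed "binaries", and `resolve_exec` with its `kernel_exec_map` is a stand-in for a trojaned kernel's exec path. `demo` runs the two scenarios from these slides: a traditional rootkit that replaces `ls` and adds a backdoored login, and a kernel-level one that leaves every file intact.

```python
import hashlib
import tempfile
from pathlib import Path

# Placeholder for where a kernel-level rootkit keeps its payload: somewhere the checker
# does not look, or a file the kernel hides from directory listings (constructed label).
HIDDEN_BACKDOOR = "<hidden binary outside the monitored tree>"


def file_digest(path, chunk=1 << 16):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Record a digest for every regular file under root, keyed by relative POSIX path."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root, baseline):
    """Compare the tree against the baseline the way a file-integrity checker does."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def resolve_exec(kernel_exec_map, path):
    """Stand-in for the kernel's exec path: a trojaned kernel can hand back a different
    binary for a requested one without touching any file (model of the /bin/login case)."""
    return kernel_exec_map.get(path, path)


def demo():
    """Traditional rootkit vs kernel-level rootkit, as seen by the integrity checker."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "login").write_bytes(b"clean login binary (constructed)")
        (root / "bin" / "ls").write_bytes(b"clean ls binary (constructed)")
        baseline = build_baseline(root)

        # Traditional rootkit: replace ls on disk and drop a backdoored login next to it.
        (root / "bin" / "ls").write_bytes(b"trojaned ls that hides the attacker's files")
        (root / "bin" / "backdoorlogin").write_bytes(b"login that accepts a magic password")
        results["traditional"] = verify(root, baseline)

        # Kernel-level rootkit: every file matches the baseline byte for byte, but the
        # kernel maps an exec of bin/login to the hidden backdoor.
        (root / "bin" / "ls").write_bytes(b"clean ls binary (constructed)")
        (root / "bin" / "backdoorlogin").unlink()
        kernel_exec_map = {"bin/login": HIDDEN_BACKDOOR}
        results["kernel"] = verify(root, baseline)
        results["kernel_runs"] = resolve_exec(kernel_exec_map, "bin/login")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The traditional rootkit shows up as one modified and one added file; the kernel-level one produces an empty report while `bin/login` still resolves to the hidden backdoor, which is the slide's "if the kernel cannot be trusted, nothing on the system can be trusted" made concrete. It is also the argument for measuring the kernel from something beneath it (a measured or secure boot chain, or a TPM-backed attestation) rather than from userland tools that depend on that kernel for every file they read.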


5. Covering Tracks


Hiding Evidence by Altering Event Logs

  • Attackers like to remove evidence from logs associated with the attacker’s gaining access, elevating privileges, and installing RootKits and backdoors

    • Login records

    • Stopped and restarted services

    • File access/update times
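Since attackers scrub exactly the records this slide lists, the practical defence is to make local edits detectable. The Python below is an added example for these notes, not from the lecture: a log collector that receives lines from a host tags each one with an HMAC over the previous tag and the line, so deleting, editing or truncating the copy later breaks the chain. The key stays on the collector, never on the monitored host, which is the assumption that makes it work; the syslog-style lines in `SAMPLE_LOG` are constructed.

```python
import hashlib
import hmac

# Constructed syslog-style lines of the kind an attacker wants gone (not real logs).
SAMPLE_LOG = [
    "Oct 12 03:14:01 host sshd[812]: Failed password for root from 203.0.113.7 port 4422 ssh2",
    "Oct 12 03:14:09 host sshd[812]: Accepted password for root from 203.0.113.7 port 4422 ssh2",
    "Oct 12 03:15:30 host systemd[1]: Stopped Network Service.",
    "Oct 12 03:15:31 host systemd[1]: Started Network Service.",
    "Oct 12 03:16:02 host sudo: root : COMMAND=/usr/sbin/insmod /tmp/module.ko",
]


def chain_logs(lines, key, prev_tag=b""):
    """Collector side: tag each line with HMAC(key, previous tag || line). The key lives on
    the collector, so a compromised host cannot recompute tags after editing its own copy."""
    entries = []
    for line in lines:
        tag = hmac.new(key, prev_tag + line.encode(), hashlib.sha256).digest()
        entries.append((line, tag))
        prev_tag = tag
    return entries


def verify_chain(entries, key, head):
    """Return None if the chain is intact and ends at `head` (the last tag the collector saw),
    otherwise a short description of the first inconsistency."""
    prev_tag = b""
    for i, (line, tag) in enumerate(entries):
        expected = hmac.new(key, prev_tag + line.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return f"broken link at entry {i}: line modified or an earlier entry deleted"
        prev_tag = tag
    if not hmac.compare_digest(prev_tag, head):
        return "truncated: final tag does not match the collector's head"
    return None


def demo(key=b"collector-secret-constructed"):
    """Run the verifier over an intact copy and three tampered copies of the sample log."""
    entries = chain_logs(SAMPLE_LOG, key)
    head = entries[-1][1]                         # the collector remembers the newest tag
    deleted = entries[:1] + entries[2:]           # the "Accepted password" record removed
    edited = [(line.replace("root", "backup"), tag) if i == 1 else (line, tag)
              for i, (line, tag) in enumerate(entries)]
    truncated = entries[:-1]                      # the insmod record chopped off the end
    return {
        "intact": verify_chain(entries, key, head),
        "deleted": verify_chain(deleted, key, head),
        "edited": verify_chain(edited, key, head),
        "truncated": verify_chain(truncated, key, head),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict or 'chain intact'}")
```

`demo` returns `None` for the intact chain and a description of the first inconsistency for the deleted, edited and truncated copies. Truncation is only caught because the collector remembers the last tag (`head`); the chain alone proves order and integrity up to wherever it stops, which is why log records should leave the host as they are written rather than be collected after the fact.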


Covert Channels

  • Communication channels that disguise data while it moves across the network to avoid detection

  • Require a client and server

  • Can be used to remotely control a machine and to secretly transfer files or applications


Figure 11.5 A covert channel between a client and a server


Tunneling

  • Carrying one protocol inside another protocol

    • E.g. tunneling AppleTalk traffic over IP

  • Any communications protocol can be used to transmit another protocol

    • SSH protocol used to carry telnet, FTP, or X-Windows session

  • Used by covert channels

    • Loki

    • Reverse WWW Shell


Thank You