www.telkomuniversity.ac.id
Phases of Attack
Instructor : Team
Course : TTH3K3 - Network Security
As Taught In : 2nd semester 2017-2018
Level : Undergraduate
CLO : 1
Week : 4
Sub-Topic : Phases of Attack
Phases of Attack
The Five Phases:
1. Reconnaissance
2. Scanning
3. Gaining access
4. Maintaining access
5. Covering the tracks
Phase 1
Reconnaissance
Low Technology Reconnaissance
1. Social engineering
2. Physical break in / Piggybacking
3. Dumpster Diving
Computer-based Reconnaissance
Information gathered online through the use of tools such as “Sam Spade”. The tools available to the hacker in this program include, but are not limited to:
• Ping
• Traceroute
• Finger client
• Multiple Whois databases
• DNS lookup
• DNS zone transfer
• IP block registration
• View web site source code
• Crawl a web site
• Notepad for taking system notes
What Does the Hacker Hope to Gain at This Stage of the Attack?
• Domain name
• Contacts at the target organization
• DNS server IP addresses
• Other target system addresses
• A glimpse of technologies in use
• User names and passwords (or their format)
Basic Defenses at This Stage
• Disabling Ping on border routers
• Split DNS
• Keep Whois database records up to date
• Do not use OS type or system function in domain names
• Create, implement, and enforce a user password policy
Split DNS
Phase 2
Scanning
Typical Scanning Techniques
• War dialing using THC-Scan
• Network mapping using Cheops-ng
• Port Scanning using Nmap
• Vulnerability scanning using Nessus
What Does the Hacker Hope to Gain at This Stage of the Attack?
• List of telephone numbers with active modems
• List of open ports
• Map of the network
• List of vulnerabilities
Basic Defenses Against War Dialing
• Create, implement, and enforce a dial-up policy
• Use a call-back service on the server
• Remove the banner from the dial-up connection
Basic Defenses Against Network Mapping
• Remove Telnet and web server services from the firewall
• Implement ACLs on all border routers
• Use ACLs to block ICMP to the internal network
• Disable unused ports / services on routers
Basic Defenses Against Port Scanning
• Run a port scan against your own system to find open ports and close them
• Disable unneeded services through the services control panel
• Use software firewalls and proxy servers
Basic Defenses for Vulnerability Scanning
• Routinely update servers with latest patches and service packs
• Run multiple vulnerability scanners against your network to find the “Holes” before they do
• Ensure that all software installed on firewalls and servers is from a reputable source
Phase 3
Gaining Access
Typical Methods of Gaining System Access
• On-site hacking
• Stolen user IDs and passwords
• Running “brute force” attacks
• Trojan horses
• Cracking password files
Access Methods
• Utilization of data gathered while “sniffing”
• IP spoofing and ARP cache poisoning
• Exploiting buffer overflows in software
What Does the Hacker Hope to Gain at This Stage of the Attack?
Access!!!
Just making sure you were still awake ;)
LAN Sniffing (HUB)
LAN Sniffing (Switch)
Basic Defenses Against Sniffing
• Use Secure Shell instead of Telnet
• Use VPN tools to encrypt data between systems
• Install Switches instead of Hubs
• Create VLANs on switches
• Hard-code the ARP tables on your systems
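Hard-coding ARP entries only helps if someone checks that the live cache still agrees with them. The following audit is an added example, not part of the course slides: it parses (constructed) Linux `arp -a` output and flags the two classic symptoms of ARP cache poisoning, a pinned host whose MAC changed and one MAC answering for several IP addresses. The pinned table and addresses are made-up sample values.

```python
import re
from collections import defaultdict

# Pinned (hard-coded) ARP entries for hosts that must never change: constructed sample values.
PINNED_ARP = {
    "10.0.0.1": "00:11:22:33:44:01",  # default gateway
    "10.0.0.2": "00:11:22:33:44:02",  # file server
}

# Constructed "arp -a" output (Linux format); in real use, feed the live command output.
SAMPLE_ARP_OUTPUT = """\
? (10.0.0.1) at 00:11:22:33:44:01 [ether] on eth0
? (10.0.0.2) at aa:bb:cc:dd:ee:99 [ether] on eth0
? (10.0.0.50) at aa:bb:cc:dd:ee:99 [ether] on eth0
? (10.0.0.7) at 00:11:22:33:44:07 [ether] on eth0
"""

ARP_LINE_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\) at ([0-9a-fA-F:]{17})")


def parse_arp_cache(arp_output):
    """Return {ip: mac} parsed from arp -a output, with MACs normalised to lowercase."""
    cache = {}
    for line in arp_output.splitlines():
        m = ARP_LINE_RE.search(line)
        if m:
            cache[m.group(1)] = m.group(2).lower()
    return cache


def audit_arp_cache(arp_output, pinned=PINNED_ARP):
    """Flag a pinned host whose MAC differs from the hard-coded one, and any MAC
    that claims more than one IP address (a poisoned cache usually shows both)."""
    cache = parse_arp_cache(arp_output)
    mismatches = [
        (ip, mac.lower(), cache[ip])
        for ip, mac in pinned.items()
        if ip in cache and cache[ip] != mac.lower()
    ]
    by_mac = defaultdict(list)
    for ip, mac in cache.items():
        by_mac[mac].append(ip)
    duplicates = {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}
    return {"pinned_mismatch": mismatches, "duplicate_mac": duplicates}
```

On a real host the same check would be scheduled to run against the live cache, with any mismatch raising an alert rather than silently replacing the pinned entry.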
Buffer Overflow
Basic Defenses Against Buffer Overflows
• Implement a non-executable stack (e.g. set noexec_user_stack=1)
• On Windows 2000 use SecureStack
• Use automated code examining tools like ITS4
Basic Defenses Against Password Cracking
• Create and implement a strong password policy (at least 8 characters, alphanumeric)
• Force users to change passwords regularly by using the Windows user policy
• Install password filtering software to ensure the integrity of user-chosen passwords
• Conduct password audits with tools such as L0phtCrack or John the Ripper
Phase 4
Maintaining Access
Methods of maintaining access
• Trojan Horses
• Backdoors
Basic Defenses against Trojans and Backdoors
• Routinely scan for Trojans on your network
• Ensure definition files for Anti-virus software are up to date
• Look for changes in the system
• Install anti-virus software on both server and client machines
• Create “fingerprints” of key files and run an integrity checker against them on a regular basis
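The last bullet is what tools like AIDE automate. As an added example (not the slides' or AIDE's code), the script below records SHA-256 fingerprints of every file under a directory, then compares a later run against that baseline and reports added, removed and modified files; the demo builds a throwaway directory with constructed contents and simulates a replaced binary and a planted file.

```python
import hashlib
import os
import tempfile


def fingerprint_tree(root):
    """Return {relative_path: sha256} for every regular file under root (the 'fingerprints')."""
    fingerprints = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            fingerprints[rel] = digest.hexdigest()
    return fingerprints


def compare_fingerprints(baseline, current):
    """Report files added, removed or modified since the baseline was recorded."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
    }


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: take a baseline, then simulate a replaced binary and a planted file."""
    with tempfile.TemporaryDirectory() as root:
        _write(os.path.join(root, "bin", "login"), b"original login binary")
        _write(os.path.join(root, "etc", "passwd"), b"root:x:0:0:root:/root:/bin/sh\n")
        baseline = fingerprint_tree(root)  # in practice keep this copy off-host, read-only
        _write(os.path.join(root, "bin", "login"), b"replaced login binary")
        _write(os.path.join(root, "bin", "extra"), b"unexpected new file")
        return compare_fingerprints(baseline, fingerprint_tree(root))


if __name__ == "__main__":
    print(demo())
```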
Phase 5
Covering the Tracks
Methods of avoiding detection
• NTFS alternate data streams and hidden files
• Reverse WWW shell
• Altering, Replacing, or Moving log files
NTFS alternate data streams and hidden files
NTFS supports file streaming (each filename is like a chest of drawers):
1. Name of the file as viewed in Explorer
2. “Normal” stream (contains the expected contents of the file)
3. Alternate data streams hidden under the normal file
Why are Streams Stealthy?
• Streams don’t show up in Windows Explorer (only the “Normal” stream is displayed)
• The file length displayed in Explorer only includes the “Normal” stream
• When files are copied, all streams follow the file as long as it is copied onto an NTFS partition
Basic Defenses Against File Hiding in Windows
Most commercial anti-virus packages detect malicious code hidden in streams; LADS (Locate Alternate Data Streams) lists the alternate streams on a volume so they can be inspected.
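Because Explorer hides the extra streams, the check has to come from a tool that lists them, such as LADS or the `dir /r` switch on newer Windows versions. The following is an added example, not part of the slides or of LADS: it parses (constructed) `dir /r` output, where each alternate stream appears on its own line as `name:stream:$DATA`, and reports every stream except the benign `Zone.Identifier` marker that Windows attaches to downloaded files.

```python
import re

# Constructed "dir /r" listing (not from the slides); in real use, feed the captured output
# of "dir /r" run on the directory being checked.
SAMPLE_DIR_R = """\
 Volume in drive C has no label.
 Directory of C:\\Users\\alice\\Documents

12/01/2017  10:00 AM    <DIR>          .
12/01/2017  10:00 AM    <DIR>          ..
12/01/2017  10:02 AM             1,234 report.txt
                                 5,678 report.txt:hidden.dat:$DATA
12/01/2017  10:05 AM            22,000 setup.zip
                                    26 setup.zip:Zone.Identifier:$DATA
               2 File(s)         23,234 bytes
"""

# A stream line carries no date/time: only whitespace, a size, then "<name>:<stream>:$DATA".
STREAM_RE = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:]+):\$DATA\s*$")

# Zone.Identifier is written by browsers and Explorer for downloads and is expected.
BENIGN_STREAMS = {"Zone.Identifier"}


def find_alternate_streams(dir_output, ignore=BENIGN_STREAMS):
    """Return (filename, stream_name, size_bytes) for every non-benign ADS in dir /r output."""
    found = []
    for line in dir_output.splitlines():
        m = STREAM_RE.match(line)
        if not m:
            continue
        size = int(m.group(1).replace(",", ""))
        filename, stream = m.group(2), m.group(3)
        if stream in ignore:
            continue
        found.append((filename, stream, size))
    return found


if __name__ == "__main__":
    for filename, stream, size in find_alternate_streams(SAMPLE_DIR_R):
        print(f"{filename} carries hidden stream {stream!r} ({size} bytes)")
```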
Reverse WWW Shell
• Client / server implemented in a single program
• Carries a command shell over HTTP
• Attacker uses client to access server from off site
• The software appears to be surfing the web, but is really polling the client for commands to be executed on the server
Basic defenses against Reverse WWW Shell
• Physical security of Servers
• Utilization of intrusion detection systems
• Investigate “Strange” or unknown processes (especially those running with root privileges)
Basic Defenses against log file tampering
• Set up logs to track failed logon attempts (don’t just set them up... USE THEM!!!)
• Periodically review logs for any anomalies
• Use logs as a baseline to periodically review if new security measures need to be implemented
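What "using" the logs looks like in practice is an added example here, not material from the slides: the script parses constructed syslog-style sshd lines, counts failed logons per source address, flags a later success from a source that had already failed repeatedly, and reports timestamps that run backwards, since an edited or replaced log file often breaks the time order that an untouched one keeps.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed syslog-style sshd lines (not from the slides); in real use read /var/log/auth.log.
SAMPLE_AUTH_LOG = """\
Dec  1 10:00:01 gw sshd[4011]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
Dec  1 10:00:07 gw sshd[4012]: Failed password for root from 203.0.113.9 port 40010 ssh2
Dec  1 10:00:09 gw sshd[4013]: Failed password for root from 203.0.113.9 port 40011 ssh2
Dec  1 10:00:11 gw sshd[4014]: Failed password for admin from 203.0.113.9 port 40012 ssh2
Dec  1 10:00:12 gw sshd[4015]: Failed password for invalid user test from 203.0.113.9 port 40013 ssh2
Dec  1 10:00:14 gw sshd[4016]: Failed password for bob from 10.0.0.7 port 50110 ssh2
Dec  1 09:30:00 gw sshd[4017]: Accepted password for root from 203.0.113.9 port 40020 ssh2
"""

AUTH_RE = re.compile(
    r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Accepted|Failed) password for "
    r"(?:invalid user )?(\S+) from (\S+) port"
)


def parse_auth_line(line):
    """Return {'ts', 'result', 'user', 'src'} for a logon line, or None for anything else."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group(1), "%b %d %H:%M:%S"),  # syslog lines carry no year
        "result": m.group(2), "user": m.group(3), "src": m.group(4),
    }


def review_auth_log(log_text, threshold=3):
    """Flag sources with >= threshold failures, a success from such a source, and
    timestamps that go backwards (a common sign that lines were edited or replaced)."""
    failures = defaultdict(int)
    out_of_order, success_after_failures = [], []
    last_ts = None
    for lineno, line in enumerate(log_text.splitlines(), 1):
        ev = parse_auth_line(line)
        if ev is None:
            continue
        if last_ts is not None and ev["ts"] < last_ts:
            out_of_order.append(lineno)
        last_ts = ev["ts"] if last_ts is None else max(last_ts, ev["ts"])
        if ev["result"] == "Failed":
            failures[ev["src"]] += 1
        elif failures.get(ev["src"], 0) >= threshold:
            success_after_failures.append((lineno, ev["user"], ev["src"]))
    return {
        "brute_force": {src: n for src, n in failures.items() if n >= threshold},
        "out_of_order": out_of_order,
        "success_after_failures": success_after_failures,
    }
```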
Web Resources for Keeping Up to Date
• SANS: http://www.sans.org
• Security Focus: http://www.securityfocus.com
• Search Security: http://www.searchsecurity.com
Acquisition of Software Resources
Sam Spade: http://www.samspade.org
THC-Scan: http://www.pimmel.com/thcfiles.php3
Cheops-ng: http://cheops-ng.sourceforge.net
Nmap: http://www.insecure.org/nmap
Acquisition of Software Resources
Nessus: http://www.nessus.org
SecureStack: http://www.securewave.com/products/securestack/secure_stack.html
ITS4: http://www.cigital.com/its4
John the Ripper: http://www.Openwall.com/john
Acquisition of Software Resources
L0phtCrack: http://www.atstake.com/research/lc3
Sniffit: http://reptile.rug.ac.be/~coder/sniffit/sniffit.html
Secure Shell (Open Source): http://www.openssh.com
Netcat: http://www.atstake.com/research/tools/index.html
Acquisition of Software Resources
AIDE (Advanced Intrusion Detection Environment): http://www.cs.tut.fi/~rammer/aide.html
LADS (Locate Alternate Data Streams): http://www.heysoft.de/index.htm
Reverse WWW Shell: http://www.megasecurity.org/Sources/rwwwshell-1_6_perl.txt
Next Chapter: Intrusion