Chde-2_Ky Thuat Tan Cong (Chủ đề 2: Kỹ thuật tấn công / Topic 2: Attack Techniques)


  • 7/31/2019 Chde-2_Ky Thuat Tan Cong

    1/58

    PGS. TSKH. Hoàng Đăng Hải (Assoc. Prof., Dr. Sc.)

    Học viện Công nghệ Bưu chính Viễn thông (PTIT) - Posts and Telecommunications Institute of Technology

    Email: [email protected]

    2012

    Attack and system intrusion techniques

  • 2/58

    The evolution of network attacks

    - Trend: worms, viruses and DDoS combined; extortion; hackers
    - Attacks above 10 Gbps; botnets with 150,000+ nodes
    - Lack of intelligence in managing cloud networks makes costs rise quickly
    - Giving up bandwidth to solve the problem is too wasteful and costly

  • 3/58

    Some concepts

    - Intruder: commonly called a hacker, cracker or burglar; information thief (information theft); cybercrime; compromiser (one who causes harm)
    - Security hole, vulnerability, flaw: design errors (possibilities not foreseen); latent weaknesses (present in every system); exploitation errors (loose configuration, errors during operation)
    - Risk
    - Threat, attack: usually used together to refer to an act that harms the security of a system
    - Security measure, security mechanism: measures/mechanisms for detection, prevention, protection and repair
    - Security service: a service that strengthens the security of information processing and transmission systems by means of security measures

    risk = threat x vulnerability x asset value

  • 4/58

    Classification of network attacks

    - Joking hacker: data stealing / spy / military spy
    - Company competition: business plan/strategy; competitor destruction
    - Product advertisement
    - Avenger
    - Terrorism
    - Account hacking / bank robbery

    Attack objectives
    - Fabrication: destroys the authenticity of the source
    - Modification: destroys the integrity of information
    - Interception: of information (traffic); breaches confidentiality
    - Interruption: of service

    Attack types: examples
    - Happy Christmas 1987, in the IBM network: an e-mail was sent to everybody whose address was found in the address book, causing a network deadlock.
    - Internet Worm 1989, in the Security Center of the DoD: Unix shell attack.

  • 5/58

    Security attacks

    Passive
    - Eavesdropping: reading the content of messages
    - Traffic analysis: observing the timing and length of messages to infer information about the communication channel

    Active
    - Masquerade: Darth impersonates Bob
    - Replay: capture, forge and forward messages
    - Message modification
    - Denial of service

  • 6/58

    The 5 phases of an attack

    - Reconnaissance: the attacker surveys the victim machine and its services over a long period, using traffic that looks like the machine's normal activity; tries to establish connections and gather information about the computer and its services; probes for weaknesses in the system and its applications.
    - Exploitation: the process of abusing, altering or corrupting the operation of services on the victim machine; altering a service also changes its operating mode and access conditions.
    - Reinforcement: the phase in which the attacker gains unauthorized access, strengthens that access, runs tools to examine the victim, and hides the activity.
    - Consolidation: the attacker creates a backdoor, communicates through it, and takes complete control.
    - Pillage: the phase in which the destructive plan is carried out: stealing sensitive information, using the foothold to go deeper into the users' network, taking systems down, and so on.

  • 7/58

    Malicious software

    - Threats/weaknesses activated by a trigger (do not spread)
    - Self-replicating programs (create copies of themselves = spread)

  • 8/58

    Backdoor or trapdoor

    - A secret entry point into a program.
    - Lets a knowledgeable technician access the system without going through the usual security procedures.
    - Often used for debugging and testing software during development. Becomes a threat when it remains in the shipped software product.

    Logic bomb

    - One of the classic kinds of malicious software.
    - Code embedded in a legitimate program, activated when a specified condition is met: the presence or absence of certain files; a particular date/time; a particular user.
    - When triggered it usually damages the system: modifies/deletes files or disks, halts the machine, ...

  • 9/58

    Trojan horse

    - A useful, attractive program (a game, a utility, a software upgrade, ...)
    - Contains hidden code with intended side effects.
    - When run, it performs additional tasks: lets the attacker indirectly gain access rights that cannot be obtained directly.
    - Often used to spread viruses/worms, to install a backdoor, or simply to destroy data.

    Zombie

    - A program that secretly takes control of another computer on the Internet and uses it to carry out attacks indirectly, hiding the machine that created the zombie.
    - Usually used for distributed denial of service (DDoS) attacks; typically forms a network of hundreds of unsuspected machines that flood the target website with a barrage of requests.
    - Usually exploits vulnerabilities in networked systems.

  • 10/58

    Viruses

    - A piece of software code that can infect other software by modifying it.
    - Modifying the other software includes copying the virus code into it and infecting further programs from there.
    - Like a biological virus, a computer virus can replicate itself. It spreads and performs a specific function (for example destroying data).

    How a virus operates
    - Dormant phase: lies idle waiting for a triggering event (for example a date, a program, disk usage).
    - Propagation phase: copies itself into other programs / other parts of the system.
    - Triggering phase: the planted function is activated when the event occurs.
    - Execution phase: performs the intended action.
    - Most viruses exploit the specific characteristics and main weaknesses of the system they are running on.

  • 11/58

    Structure of a virus

    program V :=
    {goto main;
      1234567;
      subroutine infect-executable :=
        {loop:
         file := get-random-executable-file;
         if (first-line-of-file = 1234567) then goto loop
         else prepend V to file; }
      subroutine do-damage := {whatever damage is to be done}
      subroutine trigger-pulled := {return true if condition holds}
    main: main-program :=
        {infect-executable;
         if trigger-pulled then do-damage;
         goto next;}
    next:
    }

    (The line 1234567 is the marker the virus looks for to recognise files it has already infected; infection prepends the whole of V to a randomly chosen executable that lacks the marker.)

  • 12/58

    Forms of DDoS attack

    - Local chain-reaction crashes: exploiting the operating system, disrupting server operation
    - Local resource exhaustion: fork() bomb, filling disks, deep directory nesting
    - Denying service to workstations: causing crashes or stopping important services
    - Remote chain-reaction crashes: magic packets, ping of death, teardrop
    - Remote resource exhaustion: syslog, SYN, fragment flood, UDP storm

  • 13/58

    Forms of DDoS attack (2)

    Network-wide denial of service
    - Aimed at weak links or critical information infrastructure
    - Remotely shutting down the network: attacks on routers and DNS servers; route redirection; forged routing information
    - Remotely congesting the network: spoofed broadcasts (smurf, fraggle)
    - Remotely controlling harmful computers: zombie machines coordinating a flood - DDoS

    Attacks are shifting from individual machines to the network infrastructure!

  • 14/58

    Obfuscation techniques of DDoS attacks

    Distributed attacks
    - Remote control of zombie armies. Recent experiments show that an unprotected computer on the Internet can be attacked within less than 8 minutes.
    - IP reflection

    Confusing the network audit trail
    - Forged/spoofed source IP addresses
    - Varying the attack rate (on/off)
    - Decoys

    Disguising the attack signature
    - Imitating legitimate traffic (e.g. TCP ACK flood)
    - Blending in with legitimate traffic

    All these techniques aim to defeat manual tracing methods and to evade common IDS.

  • 15/58

    New trends in DoS attacks

    Network-based flooding attacks
    - As vulnerabilities get patched, vulnerable hosts are harder to find
    - Flooding local subnets
    - Ingress/egress filters are more widespread

    High-volume attacks: aimed at upstream routers & links

    Hit-and-run: pulsing / short-lived floods; cycling through several zombie armies

    Distribution techniques: widely dispersed attacks, widely dispersed zombie armies

  • 16/58

    New trends in DoS attacks (2)

    Confusing the network audit trail
    - Changing the characteristics of some application protocols
    - Re-issuing DNS queries, etc.

    Varying the attack signature: random addresses, protocols and ports

    Attacking the routing infrastructure: hijacking BGP routes to launch the attack

    Automated conscription of zombie armies: recent Internet worms and viruses (Microsoft Outlook, IE, IIS, SMB)

  • 17/58

    Sequence of a DDoS attack

    A. A large number of compromised computers
    B. The attacker identifies exploitable machines with scanners, etc.
    C. The attacker gains access to the systems with remote tools: exploits, sniffers, password cracking, worms, trojans
    D. The attacker installs the attack tools
    E. The attacker remotely commands the assembled compromised machines to attack the target

  • 18/58

    Distributed DoS attack (DDoS)

    - Coordinated attack on critical links and resources: DNS
    - Attack on the routing infrastructure

  • 19/58

    Example: smurf attack

    [Figure: the attacker (1.1.1.100) sends ICMP echo requests with SRC 3.3.3.100 (the target) and DST 2.2.2.255 (the broadcast address of the reflector network 2.2.2.*); every host 2.2.2.* sends an ICMP echo reply with SRC 2.2.2.* and DST 3.3.3.100]

    - Simple model: send spoofed ICMP echo request packets to the broadcast IP addresses of a trusted network.
    - Every host of that network sends an ICMP reply to the spoofed IP address of the victim.
    - When almost every machine in the network answers this ICMP echo request, the network is congested and paralysed.

  • 20/58

    Example: TCP SYN flood

    [Figure: TCP 3-way handshake. Client (CLOSED) sends SYN and enters SYN_SENT; Server (CLOSED) replies SYN+ACK and enters SYN_RCVD; Client sends ACK; both sides become ESTABLISHED]

    Sequence for establishing a TCP connection (3-way handshake)

  • 21/58

    Example: TCP SYN flood (cont.)

    [Figure: the attacker sends a stream of SYN packets to the server and never answers the SYN+ACK; each one leaves an entry in state SYN_RCVD in the server's listen queue]

    - If, after the server sends its SYN+ACK response, the client does not send the ACK response, the result is a half-open connection.
    - The server creates a data structure in memory that holds every open connection; entries are removed only on timeout.
    - The attacker causes a memory overflow, making the server crash or unable to accept any new connection until the table is emptied.
    - The spoofed IP positions in the attacked system are concealed, because the source addresses in the SYN packets are usually not genuine. When a packet arrives at the victim server, there is no way to determine the real sender.
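The half-open listen queue described on this slide, modelled as an added example (this is not code from the lecture). Class and event names, the queue capacity of 8 and the 30 s timeout are assumptions chosen for the illustration.

```python
# Added example: a model of a server's listen queue under a SYN flood.
# Each SYN parks a (src_ip, src_port) entry in SYN_RCVD until the client's
# ACK completes the handshake or the entry times out.  Spoofed SYNs never
# get an ACK, so they occupy the queue for the whole timeout.
from dataclasses import dataclass, field


@dataclass
class ListenQueue:
    capacity: int          # max half-open (SYN_RCVD) entries the server keeps
    timeout: float         # seconds a half-open entry lives without an ACK
    half_open: dict = field(default_factory=dict)  # (src_ip, src_port) -> arrival time
    accepted: int = 0      # handshakes completed (ESTABLISHED)
    dropped: int = 0       # SYNs refused because the queue was full

    def expire(self, now: float) -> int:
        """Remove half-open entries older than the timeout; return how many."""
        stale = [k for k, t in self.half_open.items() if now - t >= self.timeout]
        for k in stale:
            del self.half_open[k]
        return len(stale)

    def on_syn(self, src, now: float) -> bool:
        """Server receives a SYN: reply SYN+ACK and park the connection in SYN_RCVD."""
        self.expire(now)
        if src in self.half_open:
            return True                      # retransmitted SYN, already queued
        if len(self.half_open) >= self.capacity:
            self.dropped += 1                # queue full: new clients are refused
            return False
        self.half_open[src] = now
        return True

    def on_ack(self, src, now: float) -> bool:
        """The client's final ACK completes the handshake if the entry still exists."""
        self.expire(now)
        if src in self.half_open:
            del self.half_open[src]
            self.accepted += 1
            return True
        return False                         # ACK for an unknown or expired entry


def simulate(events, capacity=8, timeout=30.0) -> ListenQueue:
    """Replay (time, kind, src) events in time order; kind is 'SYN' or 'ACK'."""
    q = ListenQueue(capacity=capacity, timeout=timeout)
    for t, kind, src in sorted(events, key=lambda e: e[0]):
        if kind == "SYN":
            q.on_syn(src, t)
        elif kind == "ACK":
            q.on_ack(src, t)
    return q


def syn_flood_scenario() -> ListenQueue:
    """Constructed sample: 8 spoofed SYNs (no ACK ever comes), then a real client."""
    events = [(float(i), "SYN", (f"203.0.113.{i}", 40000 + i)) for i in range(8)]
    # The legitimate client at t=10 is refused (queue full); it retries at t=40,
    # after every spoofed entry has timed out, and completes the handshake.
    events += [(10.0, "SYN", ("198.51.100.7", 51234)),
               (40.0, "SYN", ("198.51.100.7", 51234)),
               (40.1, "ACK", ("198.51.100.7", 51234))]
    return simulate(events)


if __name__ == "__main__":
    q = syn_flood_scenario()
    print(f"accepted={q.accepted} dropped={q.dropped} half_open={len(q.half_open)}")
```

Shortening the timeout or rate-limiting SYNs per source (the measures listed on slide 22) shrinks the window in which the spoofed entries block legitimate clients.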

  • 22/58

    DDoS countermeasures

    - Ingress / egress filtering (anti-spoofing)
    - Strict / loose RPF (Reverse Path Forwarding)
    - Black lists / white lists
    - Policy-based filters
    - Rate limiting: ICMP etc.
    - Stateful defenses (e.g. tcp intercept)
    - Patch vulnerable hosts and services
    - Provisioning and capacity planning
    - Packet filtering on the provider side of WAN links

  • 23/58

    Handling and responding to a DDoS attack

    Three important steps:
    - Detection: determine the attacker's method and the affected resources; find a way to isolate the abused resources.
    - Traceback: identify the source, the path and the forwarding hops.
    - Mitigation: determine which traffic to block, and where it is best blocked.

  • 24/58

    DDoS mitigation strategies

    Unicast Reverse Path Forwarding (uRPF)
    - Use strict uRPF against IP address spoofing
    - Avoid over-using uRPF and BGP across all border routers

    Rate limiting
    - Limit the rate of attack traffic: ICMP, UDP, TCP SYN
    - Watch for abnormal protocol behaviour!
    - Enforce QoS policy through BGP (special community)

    ACL
    - Filter out traffic concentrated on a single server
    - Traps and diversions (blackhole / sinkhole / shunt)
    - Filter at each tier, set traps, query and investigate

  • 25/58

    Example of DDoS mitigation

    [Figure (step 1): Customer; Customer Portal or Operator]

  • 26/58

    Example of DDoS mitigation

    [Figure (step 2): Customer; Customer Portal or Operator]

  • 27/58

    Example of DDoS mitigation

    [Figure (step 3): Customer; Customer Portal or Operator; sinkhole (hố bẫy)]

  • 28/58

    Example of DDoS mitigation

    [Figure (step 4): Customer; Customer Portal or Operator; sinkhole; ACL / rate limiting]

  • 29/58

    Example of DDoS mitigation

    [Figure (step 5): Customer; Customer Portal or Operator; sinkhole; ACL / rate limiting; intelligent filter; DarkIP]

    Trend: combining several measures is more effective!

  • 30/58

    DarkIP

    - Use of dark address space: sending traffic to IP address ranges reserved for other purposes or not yet allocated. Dark address space gets used for several reasons: router misconfiguration; abnormal behaviour of an application; network misconfiguration; unauthorized port scanning; worm attacks on the network.
    - A rise in traffic to dark IPs can indicate a worm spreading on the network, or network scanning to recruit zombie armies.

    Applications of DarkIP
    - Data collected from dark IPs is typically used to: detect traces of new zero-day worms; identify the source of a worm; build a list of infected machines.

  • 31/58

    Expected and unexpected anomalies

    - An expected (predefined) anomaly shows a deviation from the normal traffic level. It is usually caused by an attack. It needs further examination to determine the level of harm.
    - An unexpected anomaly can occur when some machine does not follow the communication conventions. The fault may be due to an attack or to a network error, so it must be traced back to find the real cause.

    Unexpected anomalies
    - Most attackers use them to attack some server on the network. Packet types commonly used: SYN floods, ICMP floods, IP fragments.
    - The packets usually belong to the groups: IP Null, TCP Null, Private IP.

  • 32/58

    Monitoring anomalies

    [Figure: screenshot of an anomaly monitoring console, with callouts]
    - (callout, beginning truncated) anomalies are usually more likely to be malicious
    - High severity protocol anomalies for protocols other than TCP
    - High severity incoming anomalies towards a single host
    - Graph shows a spike in the traffic levels
    - Anomaly is high severity with a very high % of threshold

  • 33/58

    Botnets

    - Attackers develop automatic distribution tools (using botnets, ...) that let them send attacks to many intermediate machines at the same time, making all the intermediaries send their responses directly to one victim machine.
    - Attackers develop tools that watch for routers on the network that do not filter broadcast traffic, discovering networks in which many machines can reply simultaneously. Such networks are commonly used as intermediaries for attacks.

  • 34/58

    Dictionary attack: cracking authentication passwords

    - Authentication passwords are held in a file (on Unix / Windows), usually encoded with a one-way algorithm that resists key recovery (for example MD5).
    - The user enters a password; it is encoded and compared with the encoded copy stored on the machine.
    - Brute force attack: the attacker scans through all possibilities; a dictionary attack searches for the matching input starting from a list of words in a dictionary.
    - Users often choose common, easily broken passwords: ordinary words and letters; common phrases.

  • 35/58

    Dictionary attack (cont.)

    Dictionary attacks are usually applied in two cases:
    - In cryptanalysis, the method searches for the key that decrypts a given ciphertext phrase.
    - On a network, it is used to defeat authentication and gain unauthorized access to a computer by guessing the password.

    - An attacker who obtains a copy of the encoded password list from a remote system uses dictionary attacks to search for passwords according to the users' habits (after gathering every available piece of information about the users), comparing candidates against the copied hashes.
    - In practice users choose passwords that are easy to remember. With a large wordlist, the probability of finding a password is 4/10.
    - Dictionaries are available on the Internet for every language, easy to access and easy to use for password searching by this method.

  • 36/58

    One-way encoding of passwords

    Username         Encrypted password
    Alix.Bergeret    ADSNUYTGHLKLLL
    Matthew.Green    NJKFFDSHPTTDRD
    Ian.Coulson      VFGMNBDEQQASU
    Brendan.Riordan  VHGUIOUIYEDRDT
    Chris.Dennett    CXZAASWEWEDFD
    Andy.Sloane      MLOPIUYTRFFGHJ
    Mary.Garvey      MNJTYUUIFVCXFG
    Brian.Penfold    REDERFGGGHYTR

    One-way encoding of the password, as recorded in the password file (Alix.Bergeret -> ADSNUYTGHLKLLL)

    [Figure: Client -> Password authentication server] The password is encoded by the client with the same algorithm before it is sent over the network. If the hash values are equal, the client is authenticated!

  • 37/58

    Advantages and disadvantages of dictionary attacks

    - The attacker can encode and store a dictionary-style list of words in encoded form, sorted by the encoded key/value.
    - This method consumes a lot of memory and usually takes a long time to prepare and compute. However, it then makes an almost instantaneous attack possible.
    - The method is especially effective when a large number of passwords must be cracked at once.

  • 38/58

    The attacker usually takes a list of commonly used passwords, runs them through the algorithm, and sorts them alphabetically.

    Cracker's sorted list of hashed words
    Word         Hashed word
    cricket      ABVGTHYULPMMN
    football     ADSNUYTGHLKLLL
    england      CFTGERHTYUUUU
    sister       QRTSNDCNCNNNN
    christopher  RTSGHWEREEEDM
    charlie      STTHHHHHERERE
    louise       NMZOAOWJBHEEU

    Password list
    Username         Encrypted password
    Alix.Bergeret    ADSNUYTGHLKLLL
    Matthew.Green    NJKFFDSHPTTDRD
    Ian.Coulson      VFGMNBDEQQASU
    Brendan.Riordan  VHGUIOUIYEDRDT
    Chris.Dennett    CXZAASWEWEDFD
    Andy.Sloane      MLOPIUYTRFFGHJ
    Mary.Garvey      MNJTYUUIFVCXFG
    Brian.Penfold    REDERFGGGHYTR

    Easy to determine Alix.Bergeret's password by comparing hash values: ADSNUYTGHLKLLL appears in the cracker's list next to "football".

  • 39/58

    RIP attacks

    - Routing Information Protocol (RIP) attacks are common on routers running the standard version of RIP.
    - RIP is used to distribute routing information within a network, for example the shortest routes, and routes advertised from the internal network to the outside.
    - The standard version of RIP has no authentication.
    - The information carried in RIP messages is usually used without any check on its authenticity.

  • 40/58

    RIP attacks (cont.)

    - An attacker can forge a RIP message, for example declaring that machine X has the shortest route out of the network. Every packet leaving the network is then routed through X, and X can inspect and modify the packets.
    - An attacker can use RIP to impersonate any host, so that all traffic meant for that host goes to the attacker's machine instead.
    - RIPv2 improves on this with a simple password authentication scheme, making attacks through RIP harder.
    - IPsec VPN also provides encryption of routing information exchanged between routers that use IPsec VPN.

  • 41/58

    Packet sniffing

    - NICs normally process only the packets (MAC frames) addressed to their own machine. On a network without switches, all traffic is delivered to every machine.
    - Software/hardware for this is readily available. If the NIC is set to promiscuous mode, it can capture and process every packet on the subnet.
    - This means the contents of all packets on the network can be read (protocols such as FTP, Telnet, HTTP, SMTP and POP3 send passwords in clear text). Much other information can be extracted as well.
    - In practice switches deliver a packet only to its destination machine. However, an attacker has several ways to capture these packets anyway.

  • 42/58

    Two ways past a switch: ARP spoofing and MAC flooding

    - ARP spoofing is the "manual" method. ARP, the Address Resolution Protocol, maps IP addresses to MAC addresses. Because ARP is a stateless protocol, it is easy to fool.
    - The usual method is to impersonate the gateway, so that all traffic from machine A (the victim) to the gateway first passes through the attacker's machine B.
    - Common tools: arpspoof, dsniff

  • 43/58

    ARP spoofing

    The attacker uses a program such as arpspoof to change the identity of a host and receive all the information passing over the network.

    ARP spoofing steps
    1. Set your machine to forward packets:
       Linux: echo 1 > /proc/sys/net/ipv4/ip_forward
       BSD:   sysctl -w net.inet.ip.forwarding=1
    2. Start arpspoofing (using two terminal windows):
       arpspoof -t 149.160.x.x 149.160.y.y
       arpspoof -t 149.160.y.y 149.160.x.x
    3. Start sniffing:
       ngrep host 149.160.x.x | less
       or
       dsniff | less

    Countermeasures: 1) static ARP table; 2) ARPWatch
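The ARPWatch countermeasure named above, as an added example (not code from the lecture or from the arpwatch tool): it pins the first IP-to-MAC binding seen, or an administrator's static table, and reports replies that contradict it. The class names and the 149.160.0.x addresses and MACs are constructed for this example.

```python
# Added example: a minimal ARPWatch-style monitor for the segment.
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str
    sender_mac: str
    interface: str


class ArpWatch:
    """Pins the first IP->MAC binding seen (or an administrator's static table)
    and reports ARP replies that claim a different MAC for a known IP."""

    def __init__(self, static_table=None):
        self.static = {ip: mac.lower() for ip, mac in (static_table or {}).items()}
        self.learned = {}      # bindings pinned on first sight, like arpwatch's database
        self.alerts = []

    def observe(self, reply: ArpReply):
        """Process one ARP reply; return an alert string, or None if consistent."""
        ip, mac = reply.sender_ip, reply.sender_mac.lower()
        expected = self.static.get(ip) or self.learned.get(ip)
        if expected is None:
            self.learned[ip] = mac          # new station: record it, no alert
            return None
        if mac == expected:
            return None                     # matches the known binding
        # A different MAC answering for a known IP is what gateway impersonation
        # (the arpspoof steps above) looks like on the wire.
        kind = "static-mismatch" if ip in self.static else "changed-ethernet-address"
        alert = f"{kind} {ip} {expected} -> {mac} on {reply.interface}"
        self.alerts.append(alert)
        return alert


def watch_sample():
    """Constructed replies on a 149.160.0.x segment; gateway 149.160.0.1 is pinned statically."""
    watch = ArpWatch(static_table={"149.160.0.1": "00:11:22:33:44:55"})
    replies = [
        ArpReply("149.160.0.1", "00:11:22:33:44:55", "eth0"),   # genuine gateway
        ArpReply("149.160.0.20", "aa:bb:cc:dd:ee:01", "eth0"),  # ordinary host, learned
        ArpReply("149.160.0.1", "aa:bb:cc:dd:ee:99", "eth0"),   # someone else claims the gateway IP
        ArpReply("149.160.0.20", "aa:bb:cc:dd:ee:02", "eth0"),  # learned host now has a new MAC
    ]
    for r in replies:
        watch.observe(r)
    return watch.alerts


if __name__ == "__main__":
    for line in watch_sample():
        print(line)
```

A static entry is the stronger of the two defences on the slide: it is never overwritten by a learned binding, so the spoofed gateway reply is flagged rather than silently adopted.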

  • 44/58

    MAC flooding

    - MAC flooding is an ARP-cache poisoning technique aimed at the switches in the network.
    - When a switch is flooded, it turns into a plain hub! In hub mode the switch cannot enforce any security feature and willingly broadcasts every packet to every machine on the subnet.
    - The attacker can flood the switch's ARP table with forged ARP replies, forcing the switch into hub mode to capture all packets. Typical tools: macof, dsniff

  • 45/58

    Spoofing

    - The attacker changes identity so that other users believe they are one of them: e-mail, user ID, IP address, ...
    - The attacker exploits the authentication process between the user and the system/network in order to take over control.

    Types of spoofing:
    1. IP spoofing
    2. E-mail spoofing
    3. Web spoofing

  • 46/58

    IP spoofing: changing the source IP address

    Scanning with a sequence of spoofed addresses
    - Before attacking the victim machine, the attacker scans the system to gather as much information about the victim as possible.
    - A firewall or IDS can detect this scanning and may raise an alert about the threat of attack.
    - The attacker tries to hide the scanning by using datagrams forged from a whole range of IP addresses (not from a single fixed IP address) to deceive the firewall/IDS.

  • 47/58

    IP spoofing: flying-blind attack

    The attacker uses the IP address of another computer to acquire information or gain access.

    [Figure: Attacker (10.10.50.50) sends packets "From Address: 10.10.20.30, To Address: 10.10.5.5" to John (10.10.5.5); replies are sent back to the spoofed address 10.10.20.30]

    - The attacker changes his own IP address to the spoofed address
    - The attacker can send messages to a machine while masquerading as the spoofed machine
    - The attacker cannot receive messages from that machine

  • 48/58

    IP spoofing: source routing

    The attacker spoofs the IP address (10.10.20.30) and inserts himself between the two machines to capture the reply packets.

    [Figure: same hosts as before (Attacker 10.10.50.50, John 10.10.5.5, spoofed address 10.10.20.30); replies sent back to 10.10.20.30 are intercepted by the attacker on the way]

    The path a packet takes can change over time. To be sure of staying in the middle, the attacker uses source routing so that packets always traverse predetermined nodes on the network.

  • 49/58

    - The attacker sends broadcast packets to a trusted network.
    - All the hosts reply to the spoofed IP address of the victim.

    [Figure: Attacker -> Router: ping (broadcast address); hosts -> Victim]

  • 50/58

    E-mail spoofing

    The attacker sends mail impersonating someone and waits for the replies.

    Types of e-mail spoofing:
    1. Create an account with a similar e-mail address: [email protected], impersonating a familiar address
    2. Modify a mail client: the attacker inserts a corresponding reply address into the outgoing mail
    3. Telnet to port 25: most mail servers use port 25 for SMTP. The attacker connects to this port and then alters the message delivered to the user.
  • 51/58

    Web spoofing

    - Basic: the attacker registers a web address that closely resembles another, confusing users.
    - Man-in-the-middle attack: the attacker sets up a proxy between the web server and the client, or attacks a router or forwarding node that carries the traffic between web server and client.
    - URL rewriting: the attacker redirects web traffic to another page under his control, by prepending his own web address to the legitimate link.
    - Tracking state: when a user logs into a site, the authentication is maintained; the attacker steals the authentication information to impersonate the user.
    Cp phin (Session Hijacking)

  • 7/31/2019 Chde-2_Ky Thuat Tan Cong

    52/58

    Qu trnh chim quyn s dng phin lm vic ang tn ti.

    Phng thc:

    1. Ngi dng to kt ni vi Server thng qua xc thc

    vi user ID and password.

    2. Sau qu trnh xc thc ngi dng, h truy nhp voserver cho n khi kt thc phin lm vic.

    3. Tin tc s dng DoS lm t lit phin lm vic.

    4. Tin tc chim quyn iu khin phin ca ngi dng

    vi vai tr gi danh ngi dng.

    p p ( j g)

    Session Hijacking

  • 7/31/2019 Chde-2_Ky Thuat Tan Cong

    53/58

    Hnh vi ca tin tc: Gim st phin

    Gi lin tip lnh chn gia cc ln gi yu cu truy nhp ca user Chn tn cng passive/active vo phin

    Bob telnets to Server

    Bob authenticates to Server

    Bob

    Attacker

    Server

    Die! Hi! I am Bob

    Cc k thut chng gi mo a ch

  • 7/31/2019 Chde-2_Ky Thuat Tan Cong

    54/58

    Cc k thut chng gi mo a ch

    Cc quy tc lc gi tin ca Border routers

    Quy tc 1: Khng lt cc gi tin i ra xut pht t mt a ch IP gc khng

    thuc phm vi ISP (rfc2827) Quy tc 2: Khng lt cc gi tin i vo vi a ch IP gc thuc phm vi

    ISP.

    Quy tc 1 l quy tc cbn nht, thng c s dng chng tn cng DoS

    AS for my ISP171.85.0.0

    AS of neighbouring ISP204.12.15.0

    Buffer Overflow Attacks

    ftp://ftp.ietf.org/rfc/rfc2827.txtftp://ftp.ietf.org/rfc/rfc2827.txt
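The two border-router rules above, written out as a packet filter in an added example (not code from the lecture). The prefix lengths (/16 for 171.85.0.0, /24 for 204.12.15.0), the bogon list and the sample packets are assumptions; the slide shows only the two network addresses.

```python
# Added example: RFC 2827-style ingress/egress filtering at the ISP border.
import ipaddress
from dataclasses import dataclass

MY_ISP = ipaddress.ip_network("171.85.0.0/16")          # "AS for my ISP" on the slide
NEIGHBOUR_ISP = ipaddress.ip_network("204.12.15.0/24")  # "AS of neighbouring ISP"

# Private and loopback space must never appear as a source at the border
# (assumed extra check; it is not one of the slide's two rules).
BOGON = [ipaddress.ip_network(n) for n in
         ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str  # "out" = leaving my ISP towards the neighbour, "in" = arriving from it


def filter_packet(pkt: Packet) -> tuple:
    """Apply the slide's two rules at the border router; return (permit, reason)."""
    src = ipaddress.ip_address(pkt.src)
    if any(src in net for net in BOGON):
        return False, "drop: bogon source address"
    if pkt.direction == "out" and src not in MY_ISP:
        # Rule 1 (egress, RFC 2827): our customers may only send from our own range.
        return False, "drop: rule 1, egress source outside ISP range"
    if pkt.direction == "in" and src in MY_ISP:
        # Rule 2 (ingress): a packet from outside cannot legitimately carry our range.
        return False, "drop: rule 2, ingress source claims ISP range"
    return True, "permit"


def filter_sample():
    """Constructed packets: one legitimate in each direction, then three spoofs."""
    sample = [
        Packet("171.85.3.4", "204.12.15.9", "out"),    # our customer -> neighbour
        Packet("204.12.15.9", "171.85.3.4", "in"),     # neighbour -> our customer
        Packet("198.51.100.5", "204.12.15.9", "out"),  # spoofed source leaving us (rule 1)
        Packet("171.85.9.9", "171.85.3.4", "in"),      # outsider posing as one of ours (rule 2)
        Packet("10.10.20.30", "171.85.3.4", "in"),     # private source arriving from the Internet
    ]
    return [filter_packet(p) for p in sample]


if __name__ == "__main__":
    for pkt, (permit, reason) in zip(filter_sample.__code__.co_consts, filter_sample()):
        print(permit, reason)
```

Rule 1 is what stops the spoofed SYN-flood and smurf packets of the earlier slides at the network they originate from, before any victim sees them.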
  • 55/58

    Buffer overflow attacks

    An attack that exploits how information is written and stored: the attacker writes more data onto the stack than the allotted memory can hold.

    How does it work?

    [Figure: normal stack, from bottom of memory to top of memory: Buffer 2 / Local Variable 2, Buffer 1 / Local Variable 1, Return Pointer, Function Call Arguments; a "fill direction" arrow marks the direction in which writes proceed]

    [Figure: attacked stack: the Buffer 1 space is overwritten, the Return Pointer is overwritten with a new pointer to the exec code, and the buffer holds machine code that runs execve(/bin/sh)]

  • 56/58

    Password attacks

    Exploiting weak passwords and unmonitored network connections (via modem).

    Steps
    - The attacker finds the company's phone number and runs an automatic dialling program. Example: the phone number is 555-5532, so the program dials every number in the range 555-55xx looking for a modem. If a modem answers, the attacker records its number.
    - The attacker uses a user ID and password to enter the company network: many companies use default accounts such as temp or anonymous with no password.
    - Quite a few companies use the company name as the root account and password.
    - The attacker uses password-cracking tools to find passwords.

  • 57/58

    Password security

    - Hash the password before storing it; add a random salt to the password and store it on the machine.
    - Run password-cracking programs against the stored passwords.

    [Figure: the client sends the password to the server; the server combines it with the stored salt, runs the hash function, compares the hashed password with the stored hashed password, and allows or denies access]
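The cracker's precomputed table from the dictionary-attack slides (36-38) next to the salted storage of the password-security slide, as an added example (not code from the lecture). SHA-256 stands in for the slides' illustrative hash strings and their MD5 mention; the wordlist, user names and salts are constructed for this example.

```python
# Added example: why a precomputed dictionary table cracks an unsalted
# password file, and why per-user salts defeat the same table.
import hashlib
import os
from typing import Optional

# The cracker's dictionary, as on slide 38.
WORDLIST = ["cricket", "football", "england", "sister", "christopher", "charlie", "louise"]


def unsalted_hash(password: str) -> str:
    """One-way encoding with no salt, as in the slide's password file."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_cracker_table(words) -> dict:
    """Hash every dictionary word once; key by hash so each lookup is instant."""
    return {unsalted_hash(w): w for w in words}


def crack_unsalted(password_file: dict, table: dict) -> dict:
    """Recover every user whose stored hash appears in the precomputed table."""
    return {user: table[h] for user, h in password_file.items() if h in table}


# --- the defence on the password-security slide: hash(salt || password) -----
def store_salted(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'hexsalt$hexhash'; a fresh random salt per user defeats the table."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return f"{salt.hex()}${digest}"


def verify_salted(stored: str, candidate: str) -> bool:
    """Server side of the slide's diagram: re-hash with the stored salt and compare."""
    salt_hex, digest = stored.split("$", 1)
    recomputed = hashlib.sha256(bytes.fromhex(salt_hex) + candidate.encode()).hexdigest()
    return recomputed == digest


def demo():
    # Constructed password file in the slide's layout (username -> stored hash).
    unsalted_file = {
        "Alix.Bergeret": unsalted_hash("football"),
        "Matthew.Green": unsalted_hash("x7#Qp!2mL9"),   # not a dictionary word
        "Brian.Penfold": unsalted_hash("football"),     # same password => same hash
    }
    table = build_cracker_table(WORDLIST)
    cracked = crack_unsalted(unsalted_file, table)      # both "football" users fall

    # The same users stored with per-user salts: the table matches nothing,
    # and the two "football" users no longer share a stored value.
    salted_file = {u: store_salted(p) for u, p in
                   [("Alix.Bergeret", "football"), ("Brian.Penfold", "football")]}
    cracked_salted = {u: table.get(s.split("$", 1)[1]) for u, s in salted_file.items()}
    return cracked, cracked_salted, salted_file


if __name__ == "__main__":
    cracked, cracked_salted, _ = demo()
    print("unsalted file cracked:", cracked)
    print("salted file cracked:  ", cracked_salted)
```

Salting does not make a single weak password uncrackable (the attacker can still hash the wordlist per salt); it removes the one-table-for-everyone shortcut that the slides describe as almost instantaneous.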

  • 58/58

    Password attacks - types

    - Dictionary attack: the hacker tries all words in a dictionary to crack the password; 70% of people use dictionary words as passwords
    - Brute force attack: try all permutations of the letters & symbols in the alphabet
    - Hybrid attack: words from the dictionary and their variations are used in the attack
    - Social engineering: people write passwords down in various places; people naively disclose passwords to others
    - Shoulder surfing: hackers slyly watch over people's shoulders to steal passwords
    - Dumpster diving: people throw papers into the garbage which may contain information to crack passwords