www.telkomuniversity.ac.id

Attack Phases

Instructor : Team

Course : TTH3K3 - Network Security

As Taught In : 2nd semester 2017-2018

Level : Undergraduate

CLO : 1

Week : 4

Sub-Topic : Phases of Attack


Phases of Attack

The Five Phases :

1. Reconnaissance

2. Scanning

3. Gaining access

4. Maintaining access

5. Covering the tracks


Low Technology Reconnaissance

1. Social engineering

2. Physical break-in / piggybacking

3. Dumpster Diving


Computer-based Reconnaissance

Information gathered online through the use of tools such as “Sam Spade”. Tools available to the hacker in this program include, but are not limited to:

• Ping

• Traceroute

• Finger client

• Multiple Whois databases

• DNS lookup

• DNS zone transfer

• IP block registration

• View web site source code

• Crawl a web site

• Notepad for taking system notes


What the Hacker Hopes to Gain at This Stage of Attack?

• Domain name

• Contacts at the target organization

• DNS server IP addresses

• Other target system addresses

• A glimpse of technologies in use

• User names and passwords (or their format)


Basic Defenses at This Stage

• Disabling Ping on border routers

• Split DNS

• Keep Whois database records up to date

• Do not use OS type or system function in domain names

• Create, implement, and enforce a user password policy


Typical Scanning Techniques

• War dialing using THC-Scan

• Network mapping using Cheops-ng

• Port Scanning using Nmap

• Vulnerability scanning using Nessus


What the Hacker Hopes to Gain at This Stage of Attack?

• List of telephone numbers with active modems

• List of open ports

• Map of the network

• List of vulnerabilities


Basic Defenses Against War Dialing

• Create, implement, and enforce a dial-up policy

• Use a call-back service on the server

• Remove the banner from the dial-up connection


Basic Defenses Against Network Mapping

• Remove telnet and web server from firewall

• Implement ACLs on all border routers

• Use ACLs to block ICMP to the internal net

• Disable unused ports / services on routers


Basic Defenses Against Port Scanning

• Run a port scan against your own system to find open ports and close them

• Disable unneeded services through the services control panel

• Use software firewalls and proxy servers


Basic Defenses for Vulnerability Scanning

• Routinely update servers with latest patches and service packs

• Run multiple vulnerability scanners against your network to find the “Holes” before they do

• Ensure that all software installed on firewalls and servers is from a reputable source


Typical Methods of Gaining System Access

• On-site hacking

• Stolen user IDs and passwords

• Running “brute force attacks”

• Trojan horses

• Cracking password files


Access Methods

• Utilization of data gathered while “sniffing”

• IP spoofing and ARP cache poisoning

• Exploiting buffer overflows in software


What the Hacker Hopes to Gain at This Stage of the Attack?

Access!!!

Just making sure you were still awake ;)


Basic Defenses Against Sniffing

• Use Secure Shell instead of Telnet

• Use VPN tools to encrypt data between systems

• Install Switches instead of Hubs

• Create VLANS on switches

• Hard code the ARP tables on your systems


Basic Defenses Against Buffer Overflows

• Implement a non-executable stack (Ex: set noexec_user_stack=1)

• On Windows 2000 use SecureStack

• Use automated code examining tools like ITS4


Basic Defenses Against Password Cracking

• Create and implement a strong password policy (at least 8 characters, alphanumeric)

• Force users to change passwords regularly by using the Windows user policy

• Install password-filtering software to ensure the integrity of user-chosen passwords

• Conduct password audits with the attackers' own programs (L0phtCrack or John the Ripper)


Basic Defenses against Trojans and Backdoors

• Routinely scan for Trojans on your network

• Ensure definition files for Anti-virus software are up to date

• Look for changes in the system

• Install anti-virus software on both server and client machines

• Create “fingerprints” of key files and run an integrity checker against them on a regular basis


Methods of avoiding detection

• NTFS alternate data streams and hidden files

• Reverse WWW shell

• Altering, Replacing, or Moving log files


NTFS alternate data streams and hidden files

NTFS supports file streaming (each filename is like a chest of drawers):

1. Name of file viewed in Explorer

2. “Normal” stream (contains the expected contents of the file)

3. Alternate data streams hidden under the normal file


Why are Streams Stealthy?

• Streams don’t show up in Windows Explorer (only the “Normal” stream is displayed)

• The file length displayed in Explorer only includes the “Normal” stream

• When files are copied, all streams follow the name if copied onto an NTFS partition


Basic Defenses Against File Hiding in Windows

Most commercial anti-virus packages detect malicious code stored in alternate data streams; LADS (Locate Alternate Data Streams) can be used to find the streams themselves.


Reverse WWW Shell

• Client / server implemented in a single program

• Carries a command shell over HTTP

• Attacker uses client to access server from off site

• Software appears to be surfing the web but is really polling the client for commands to be executed on the server


Basic defenses against Reverse WWW Shell

• Physical security of Servers

• Utilization of intrusion detection systems

• Investigate “Strange” or unknown processes (especially those running with root privileges)


Basic Defenses against log file tampering

• Set up logs to track failed logon attempts (don’t just set them up, USE THEM!)

• Periodically review logs for any anomalies

• Use logs as a baseline to periodically review if new security measures need to be implemented
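As an added example (not from the slides), one concrete form of “review logs for anomalies”: scan authentication log lines for bursts of failed logons from a single source, the pattern a brute-force attempt leaves behind. The log lines are constructed in syslog/OpenSSH style; the threshold, the time window and the year used to complete the timestamps are assumptions to adjust for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: three quick failures from one source, one isolated failure from another.
SAMPLE_LOG = """\
Mar  4 10:01:02 gw sshd[2201]: Failed password for root from 203.0.113.7 port 50122 ssh2
Mar  4 10:01:05 gw sshd[2203]: Failed password for admin from 203.0.113.7 port 50123 ssh2
Mar  4 10:01:09 gw sshd[2205]: Failed password for invalid user test from 203.0.113.7 port 50124 ssh2
Mar  4 10:02:30 gw sshd[2210]: Accepted password for alice from 192.0.2.10 port 40001 ssh2
Mar  4 11:15:44 gw sshd[2290]: Failed password for alice from 192.0.2.10 port 40020 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)


def parse_failures(text, year=2018):
    """Yield (timestamp, user, source) for each failed-logon line; other lines are ignored."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["src"]


def find_bursts(text, threshold=3, window=timedelta(minutes=5)):
    """Return {source: [users tried]} for sources with >= threshold failures inside one window."""
    by_src = defaultdict(list)
    for ts, user, src in parse_failures(text):
        by_src[src].append((ts, user))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        for i in range(len(events)):
            # Sliding window: count failures from event i forward that fall inside the window.
            j = i
            while j < len(events) and events[j][0] - events[i][0] <= window:
                j += 1
            if j - i >= threshold:
                flagged[src] = sorted({u for _, u in events[i:j]})
                break
    return flagged
```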


Web Resources for Keeping Up to Date

• SANS: http://www.sans.org

• Security Focus: http://www.securityfocus.com

• Search Security: http://www.searchsecurity.com


Acquisition of Software Resources

Sam Spade: http://www.samspade.org

THC-Scan: http://www.pimmel.com/thcfiles.php3

Cheops-ng: http://cheops-ng.sourceforge.net

Nmap: http://www.insecure.org/nmap

Nessus: http://www.nessus.org

SecureStack: http://www.securewave.com/products/securestack/secure_stack.html

ITS4: http://www.cigital.com/its4

John the Ripper: http://www.Openwall.com/john

L0phtCrack: http://www.atstake.com/research/lc3

Sniffit: http://reptile.rug.ac.be/~coder/sniffit/sniffit.html

Secure Shell (Open Source): http://www.openssh.com

Netcat: http://www.atstake.com/research/tools/index.html

AIDE (Advanced Intrusion Detection Environment): http://www.cs.tut.fi/~rammer/aide.html

LADS (Locate Alternate Data Streams): http://www.heysoft.de/index.htm

Reverse WWW Shell: http://www.megasecurity.org/Sources/rwwwshell-1_6_perl.txt