Spying The Wire


Posted: 24-Jun-2015

Description: Common Techniques to Attack The Network and Spy The Wire

Transcript of Spying The Wire

1. Workshop Attack and Defense, November 2007. Attacking The LAN: Spying The Wire. Atik Pilihanto, RisTI Telkom Bandung.

2. Global Trend of Attacks in the Local Network
  • Spoofing
  • Man In The Middle
  • Sniffing (passive)
  • TCP/IP session hijacking
  • Remote code execution
  • Denial of Service (DoS)

3. Spoofing
  Spoofing is sending a packet with a forged source, with the purpose of concealing the identity of the sender.
  Spoofing examples:
  • IP address spoofing
  • ARP cache spoofing (ARP cache poisoning)
  • Email spoofing
  Spoofing in the local network: ARP cache poisoning and IP address spoofing.

4. IP Spoofing in Action (demo slide)

5. Man In The Middle (MiTM)
  Man in The Middle is an attack in which an attacker is able to read, insert and modify at will messages between two parties, without either party knowing that the link between them has been compromised.
  Man in The Middle techniques:
  • Switch port stealing
  • ARP cache poisoning
  • DNS spoofing
  • DHCP spoofing
  Man in The Middle in the local network: switch port stealing, DHCP spoofing, ARP cache poisoning.

6. Man In The Middle (MiTM) (demo slide)

7. Sniffing (Passive)
  Sniffing is the process of intercepting and reading network traffic.
  Sniffing purposes:
  • Analyze network problems
  • Monitor network traffic
  • Spy on other network users and collect sensitive information
  In a switched network, sniffing is usually combined with Man in The Middle.

8. Sniffing In Action (demo slide)

9. TCP/IP Session Hijacking
  TCP/IP session hijacking is an attack in which the attacker is able to hijack or take over an established TCP connection between two parties.
  When attacking a local network, TCP/IP hijacking can be done by combining MiTM and active sniffing, inserting RST or FIN, and predicting the Initial Sequence Number (ISN), fully compromising the established TCP connection.

10. Remote Code Execution
  Remote code execution allows an attacker to execute arbitrary code on a target vulnerable machine.
  It needs a flaw or vulnerability in the target machine, for example:
  • DCOM RPC remote buffer overrun (Windows)
  • IPv6 mbuf remote buffer overflow (OpenBSD)
  Remote code execution is usually caused by a programming flaw in the operating system, a service daemon, or an application.

11. Common Programming Mistakes
  • Buffer overflow
  • Integer overflow
  • Format string error
  • SQL injection
  • File inclusion
  • Cross-site scripting

12. Remote Buffer Overflow Exploit (demo slide)

13. Denial of Service (DoS)
  Denial of Service is an attack that makes a computer resource unavailable to its legitimate users.
  Denial of Service can be done by attacking:
  • Protocol weakness: SYN flooding, ICMP smurfing
  • Service daemon weakness: buffer overflow
  • Web application weakness: Web 2.0 XSS worm
  Denial of Service in the local network: ARP cache poisoning, flooding (SYN/UDP/ICMP).

14. DoS in Vulnerable Daemon (demo slide)

15. Defense
  Defending against spoofing attacks in a LAN is really difficult, but we can minimize the risk.
  • IP spoofing can be used for TCP SYN Denial of Service: enable SYN cookies with sysctl net.ipv4.tcp_syncookies=1
  • ARP cache spoofing can be used for MiTM: static ARP entries; passive monitoring with arpwatch; active monitoring with ettercap
  • Switch port stealing can be used for MiTM: port security on the switch

16. Defense
  Manage the risk of sniffing and TCP/IP session hijacking:
  • Use a switch rather than a hub
  • Defend against MiTM attacks
  • VLAN segmentation
  • Encrypted traffic (SSH, SSL, IPsec)
  Manage the risk of remote code execution:
  • Enable kernel Exec Shield and virtual address randomization: sysctl kernel.exec-shield=1 and sysctl kernel.randomize_va_space=1
  • Good firewall policy
  • Regular auditing and patching

17. Defense
  Manage the risk of Denial of Service:
  • Good firewall policy
  • Regular auditing and patching

18. Discussion
  Discussion? Questions? Suggestions?

19. Atik Pilihanto, RisTI Telkom 2007.
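Slide 15 recommends passive ARP monitoring (arpwatch) against the ARP cache poisoning described on slides 3 and 5. The following is an added example, not code from the workshop or from arpwatch: it parses raw Ethernet/ARP frames, keeps an IP-to-MAC table, and raises an alert when a known IP suddenly answers from a different MAC, which is the on-wire signature of a poisoned cache. The frames, addresses and the ArpWatch class are constructed for this illustration.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REPLY = 2

def parse_arp_frame(frame):
    """Parse an Ethernet II frame carrying IPv4-over-Ethernet ARP; None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": oper,
            "sender_mac": frame[22:28].hex(":"),
            "sender_ip": ".".join(str(b) for b in frame[28:32]),
            "target_mac": frame[32:38].hex(":"),
            "target_ip": ".".join(str(b) for b in frame[38:42])}

class ArpWatch:
    """Passive IP-to-MAC tracker in the spirit of arpwatch (hypothetical, not arpwatch's code)."""
    def __init__(self):
        self.table = {}    # ip -> MAC last seen answering for it
        self.alerts = []

    def observe(self, frame):
        arp = parse_arp_frame(frame)
        if arp is None or arp["op"] != ARP_REPLY:
            return  # replies are what populate neighbour caches, so replies are what we track
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        known = self.table.get(ip)
        if known is not None and known != mac:
            self.alerts.append(f"changed ethernet address: {ip} {known} -> {mac}")
        self.table[ip] = mac

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build a constructed Ethernet II + ARP reply frame so the monitor can be fed offline."""
    smac, tmac = (bytes.fromhex(m.replace(":", "")) for m in (sender_mac, target_mac))
    sip, tip = (bytes(int(o) for o in ip.split(".")) for ip in (sender_ip, target_ip))
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY) + smac + sip + tmac + tip
    return tmac + smac + struct.pack("!H", ETH_P_ARP) + arp

def run_sample():
    # Constructed traffic: the gateway answers from its real MAC, then another MAC claims its IP.
    gw, host, rogue = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", "de:ad:be:ef:00:01"
    watch = ArpWatch()
    for frame in (build_arp_reply(gw, "192.168.1.1", host, "192.168.1.10"),
                  build_arp_reply(host, "192.168.1.10", gw, "192.168.1.1"),
                  build_arp_reply(rogue, "192.168.1.1", host, "192.168.1.10")):
        watch.observe(frame)
    return watch.alerts
```

In production the frames would come from a promiscuous capture on the monitored segment, and the first-seen table should be seeded from known-good addresses so the initial learning phase cannot be poisoned.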