Presentasi sedang didownload. Silahkan tunggu

Presentasi sedang didownload. Silahkan tunggu

Network Security for Fun and Profit Presented by Dani Firman Syah EDUCATION PURPOSE ONLY.

Presentasi serupa


Presentasi berjudul: "Network Security for Fun and Profit Presented by Dani Firman Syah EDUCATION PURPOSE ONLY."— Transcript presentasi:

1 Network Security for Fun and Profit Presented by Dani Firman Syah EDUCATION PURPOSE ONLY

2 Overview TCP-IP Three Way Handshake ARP (The Address Resolution Protocol) DNS Transactions Sniffing (Passsively & Actively) Spoofing (Mechanism) ARP Spoofing Smurf Attack/SYN Flood DNS Attack Sniffing HTTPS (MITM) Session Hijacking

3 TCP-IP Three Way Handshake SYN with ISN A COMPUTER A COMPUTER B ACK ISN A with SYN ISN B ACK ISN B Connection establish (ACK, Data)

4 ARP (The Address Resolution Protocol) ARP Query: Broadcast “Who has ?” LA N IP Addr = MAC = F2:53:BC:4F IP Addr = MAC = A5:75:EF:3C IP Addr = MAC = C2:72:B7:3C ARP Response: Unicast “my MAC C2:72:B7:3C”

5 HUB (Concentrator) HUB HELLO, HELLO

6 Switch (Concentrator) SWITCH HELLO, HELLO A Destination MAC Address is C and only sent out on interface with C B C D

7 DNS Transaction Local DNS Server Root DNS Server COM DNS Server Authority DNS Server domainexample.co m Referral to COM Referral to Authority The Answer! The Answer

8 Sniffing Gathering traffic data TCP-IP di LAN melalui network devices (NIC, HUB, SWITCH). Tools: Tcpdump, Ethereal, Windump, Snort, Dsniff, Sniffit.

9 Sniffing Mechanism LA N Sniffer gathering traffic from this machine A B

10 Passive & Active Sniffing Passive Sniffing: proses sniffing di LAN yang menggunakan HUB sebagai concentrator. HUB broadcast ke seluruh NIC client, seluruh traffic connection di LAN termonitor sniffer. Active Sniffing: proses sniffing di LAN yang menggunakan Switch sebagai concentrator. Switch hanya broadcast ke NIC dari client yang di tuju sehingga sniffer hanya bisa melihat satu koneksi yang aktif.

11 Tcpdump

12 Ethereal

13 Windump

14 Snort

15 Dsniff

16 Sniffit

17 Spoofing Spoofing = Poisoning ARP message. MAC berkomunikasi dengan menggunakan routing dari ARP table. ARP table yang ter-poisoning menyebabkan traffic dapat dibelokan ke MAC attacker. Tools: arpspoof, arp-sk, arp-fillup etc.

18 Spoofing Example

19 Spoofing Mechanism SWIT CH DEFAULT ROUTER for LAN THE OUTSIDE or INTERNET Configure IP for forwarding to send packets to default router. Sniff the traffic. Packets forwarded from attacker’s machine to the actual default router for delivery to the outside. Send fake ARP response to remap default router IP address to attacker’s MAC address. Victim sends traffic destined for the outside world. Based on poisoned ARP table entry, traffic is really sent to the attackers MAC address ATTACKER hello, hello, hello VICTI M

20 Arpspoof (1)

21 Arpspoof (2)

22 Arpspoof (3)

23 TCP-IP Injection with Ettercap

24 Demo ARP Spoofing Demo TCP Injection

25 THE OUTSIDE Spoofing & DNS Attack SWITC H DEFAULT ROUTER for LAN Attacker activates dnsspoof program. Victim tries to resolve a name using DNS. ATTACKER VICTI M Victim now surfs to attacker’s site instead of desired destination. Attacker sniffs DNS request from the line. ATTACKER’S SITE Attacker quickly sends fake DNS response with any IP address the attacker wants the victim to use: = Attacker’s machine at m m IP =

26 Sniffing HTTPS with DNS Spoofing THE OUTSIDE LAN DEFAULT ROUTER for LAN Attacker activates dnsspoof and webmitm programs. Victim establishes SSL connection, not knowing attacker is proxying connection. ATTACKER VICTI M Victim now access the desired server, but all traffic is viewable by attacker using webmitm as a proxy Webmitm proxies the https connection, establishing an https connection to the server and sending the attacker’s own certificate to the client. Dnsspoof sends fake DNS response with the IP address of the machine running webmitm ( ) Website with HTTPS services at SECURE SITE

27 Webmitm’s log

28 Spoofing & DoS Computer A Computer B Attacke r SYN (A, ISN A ) ACK (A, ISN A SYN (B, ISN B ) RESET!! !

29 SYN Flood/Smurf Attack (Spoofing Act) Computer AComputer B Attacke r SYN (A, ISN A ) ACK (A, ISN A SYN (B, ISN B ) ACK (B, ISN B ) DIE!!! (SYN FLOOD)

30 Session Hijacking Take over session koneksi yang mengakibatkan teraksesnya koneksi antara dua komputer yang sedang berkomunikasi melalui TCP-IP. Menggabungkan teknik spoofing (posion ARP) dan sniffing. Possible hijack session connection untuk services telnet, ftp, rlogin dsb. Tools: Hunt, Juggernaut, IP Watcher, TTYWatcher, TTYSnoop, Sniffit.

31 Session Hijacking Scenario NETWO RK ANTO BUDI ATTACKER Anto establishing telnet connection. Using sniffing technique, attacker sees all packet going from ANTO to BUDI also monitor the TCP sequence numbers of these packets while observing the session Attacker hijack the connection with a source IP address of ANTO, using the proper TCP sequence numbers on all packets. 4 After hijack, session connection disappears, The users often just assume it’s network trouble.

32 Demo Telnet Session Hijacking

33 Sniffer Detections a.CPM (Check Promiscous Mode) b.NEPED (Promiscous Scanner) c.SniffDet, d.AntiSniff (L0pht), e.Sentinel, f.PromiscDetect, g.ProDetect,

34 Counter-measures Gunakan ARPWatch untuk memonitor ARP dan alamat di ethernet (MAC). Konfigurasikan network dengan static ARP Table ( Suitable for DMZ area ). arp -s aa c6-09 Gunakan koneksi yang terenkripsi seperti HTTPS dengan trusted CERT, IPSec/VPN, SSH, telnet dengan kerberos, S/MIME atau dengan PGP dan ftp yang terencrypt ( secure ftp ). Konfigurasikan di setiap port switch dengan menggunakan MAC address yang spesifik, bila perlu untuk DMZ area di pasang firewall dengan filtering MAC. iptables -A FORWARD -m state --state NEW \ -m mac --mac-source 00:DE:AD:BE:EF:00 -j ACCEPT

35 WinARP Watch WinARP Watch mampu mendeteksi perubahan-perubahan di ARP Table

36 Questions


Download ppt "Network Security for Fun and Profit Presented by Dani Firman Syah EDUCATION PURPOSE ONLY."

Presentasi serupa


Iklan oleh Google