Lecture III: Threat and Attack (2). Aswin Suharsono. KOM 15008 Network Security 2012/2013.
Overview • Phase 3: Gaining Access Using Network Attacks • Sniffing • IP Address Spoofing • Session Hijacking • Netcat • DoS • Phase 4: Maintaining Access • Trojans • Backdoors • Phase 5: Covering Tracks and Hiding
Sniffer • Allows an attacker to see everything sent across the network, including user IDs and passwords • The NIC is placed in promiscuous mode • Tcpdump http://www.tcpdump.org • Windump http://netgroup-serv.polito.it/windump • Snort http://www.snort.org • Ethereal http://www.ethereal.com • Sniffit http://reptile.rug.ac.be/~coder/sniffit/sniffit.html • Dsniff http://www.monkey.org/~dugsong/dsniff
Passive Sniffers • Sniffers that passively wait for traffic to be sent to them • Well suited for hub environment • Snort • Sniffit
Bad guys can sniff packets • Packet “sniffing”: on broadcast media (shared Ethernet, wireless), a promiscuous network interface reads/records all packets passing by (e.g., including passwords!) • (Figure: host C with a promiscuous interface records a packet with src:B, dest:A and its payload) • Wireshark, the software used for the end-of-chapter labs, is a (free) packet sniffer
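To make the risk on these two slides concrete from the defender's side, here is an added example (not code from the lecture or from any of the tools listed): a minimal Ethernet/IPv4/TCP frame parser run over constructed frames, reporting which ones carry a credential in the clear. Everything a promiscuous interface records is visible to this parser, which is exactly why the audit exists. The frames, addresses and credentials are made up; the port-to-protocol table assumes standard ports.

```python
import struct

ETH_P_IP = 0x0800
IPPROTO_TCP = 6
# Server ports of protocols that send credentials unencrypted
# (assumption: the audited hosts run these services on their standard ports).
CLEARTEXT_AUTH_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP", 110: "POP3", 143: "IMAP"}


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Build a constructed Ethernet II / IPv4 / TCP frame (checksums left at zero)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETH_P_IP)
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, IPPROTO_TCP, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Return (src_ip, dst_ip, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_TCP:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[data_offset:]


def find_cleartext_credentials(frames):
    """Report (protocol, src, dst, keyword) for every frame carrying a credential in
    the clear. The secret itself is deliberately neither returned nor logged."""
    findings = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, _sport, dport, payload = parsed
        proto = CLEARTEXT_AUTH_PORTS.get(dport)
        if proto is None:
            continue
        for line in payload.decode("ascii", errors="replace").splitlines():
            keyword = line.split(" ", 1)[0].rstrip(":")
            if keyword.upper() in ("USER", "PASS") or line.upper().startswith("AUTHORIZATION: BASIC "):
                findings.append((proto, src, dst, keyword))
    return findings


# Constructed capture: an FTP login, an HTTP request with Basic auth, a TLS
# ClientHello fragment (not inspected) and an ARP frame (not IPv4).
SAMPLE_FRAMES = [
    build_frame("10.0.0.7", "10.0.0.21", 51000, 21, b"USER alice\r\n"),
    build_frame("10.0.0.7", "10.0.0.21", 51000, 21, b"PASS s3cret\r\n"),
    build_frame("10.0.0.7", "10.0.0.80", 51001, 80,
                b"GET / HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic YWxpY2U6czNjcmV0\r\n\r\n"),
    build_frame("10.0.0.7", "10.0.0.44", 51002, 443, b"\x16\x03\x01"),
    bytes.fromhex("ffffffffffff" "000000000000" "0806") + bytes(28),
]

if __name__ == "__main__":
    for finding in find_cleartext_credentials(SAMPLE_FRAMES):
        print("%s credential in the clear: %s -> %s (%s)" % finding)
```

The same inspection that an attacker's sniffer performs tells the defender which services still need to move to an encrypted transport. Telnet logins are typed one character per segment, so catching them needs TCP stream reassembly, which this example leaves out.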
Bad guys can use fake addresses • IP spoofing: send a packet with a false source address • (Figure: host C sends a packet with src:B, dest:A and its payload) • … lots more on security (throughout, Chapter 8)
IP Address Spoofing • Changing or disguising the source IP address • used by Nmap in decoy mode • Used by Dsniff in dnsspoof attack • DNS response sent by Dsniff contains source address of the DNS server • Used in denial-of-service attacks • Used in undermining Unix r-commands • Used with source routing attacks
Simple IP Address Spoofing • Pros • Works well for hiding the source of a packet flood or other denial-of-service attack • Cons • Difficult for the attacker to monitor response packets • Any response packet is sent to the spoofed IP address • Difficult to spoof an IP address against any TCP-based service unless the machines are on the same LAN and ARP spoofing is used
Figure 8.13 The TCP three-way handshake inhibits simple spoofing
Figure 8.15 Everyone trusts Alice, the administrator’s main management system
Session Hijacking • Session hijacking: a combination of sniffing and spoofing • What a session is • Sniff for a session • Record it • Use it to get in • By stealing someone else's session, one can get in without needing to log in
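The slide describes the attack; the server-side controls that limit it are worth seeing in code. The following is an added example, not from the lecture: a session store that issues a fresh unpredictable id on login, expires idle sessions, and revokes a session the first time its id is presented from a different client than the one it was issued to. The timeline, addresses and user agents are constructed.

```python
import hashlib
import secrets


class SessionStore:
    """Server-side session table that binds each session to the client it was
    issued to and revokes it on the first use from a different client."""

    def __init__(self, idle_timeout=900):
        self.idle_timeout = idle_timeout   # seconds
        self.sessions = {}                 # session id -> record
        self.alerts = []                   # (reason, user, seen_from) for the SOC

    @staticmethod
    def fingerprint(client_ip, user_agent):
        return hashlib.sha256(f"{client_ip}|{user_agent}".encode()).hexdigest()

    def login(self, user, client_ip, user_agent, now):
        # Fresh, unpredictable id on every login: it cannot be guessed, and any
        # pre-login id the client carried is never promoted (no session fixation).
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user,
                              "fp": self.fingerprint(client_ip, user_agent),
                              "last_seen": now}
        return sid

    def authenticate(self, sid, client_ip, user_agent, now):
        """Return the user for a valid session, or None."""
        rec = self.sessions.get(sid)
        if rec is None:
            return None
        if now - rec["last_seen"] > self.idle_timeout:
            del self.sessions[sid]           # a stale id is useless even if recorded earlier
            return None
        if rec["fp"] != self.fingerprint(client_ip, user_agent):
            # Same id, different client: the signature of a replayed (hijacked) session.
            self.alerts.append(("session reuse from another client", rec["user"], client_ip))
            del self.sessions[sid]           # revoke so neither party can continue
            return None
        rec["last_seen"] = now
        return rec["user"]

    def logout(self, sid):
        self.sessions.pop(sid, None)


def hijack_scenario():
    """Constructed timeline: alice logs in, a recorded copy of her id is replayed
    from another host, then alice herself tries to continue."""
    store = SessionStore()
    sid = store.login("alice", "10.0.0.7", "Mozilla/5.0", now=1000)
    alice_ok = store.authenticate(sid, "10.0.0.7", "Mozilla/5.0", now=1010) == "alice"
    replay = store.authenticate(sid, "10.0.0.99", "curl/8.0", now=1020)
    alice_after = store.authenticate(sid, "10.0.0.7", "Mozilla/5.0", now=1030)
    return alice_ok, replay, alice_after, len(store.alerts)


def expiry_scenario():
    store = SessionStore(idle_timeout=900)
    sid = store.login("bob", "10.0.0.8", "Mozilla/5.0", now=0)
    return store.authenticate(sid, "10.0.0.8", "Mozilla/5.0", now=901)


if __name__ == "__main__":
    print(hijack_scenario())   # alice's first request succeeds, the replay fails and
                               # raises one alert, and alice must log in again
```

Binding to IP address and user agent is a heuristic: a client behind a changing NAT address or on a mobile network will be logged out, and an attacker on the same LAN (the ARP-spoofing case on the earlier slide) can present the same source address. The control that removes the attack is keeping the session id off the wire in the clear, i.e. TLS for the whole session with Secure and HttpOnly cookie attributes; the binding and expiry above then shrink the window for whatever is still recorded.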
Denial of Service (DoS) • Attackers make resources (server, bandwidth) unavailable to legitimate traffic by overwhelming the resource with bogus traffic • Bad guys attack servers and network infrastructure: 1. select target 2. break into hosts around the network (see botnet) 3. send packets to target from compromised hosts
SYN Flood • Attacker sends a continuous stream of SYN packets to the target • Target allocates memory on its connection queue to keep track of half-open connections • Attacker does not complete the 3-way handshake, filling up all slots on the connection queue of the target machine • If the target machine has a very large connection queue, the attacker can alternatively send a sufficient number of SYN packets to consume the target machine's entire network bandwidth
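Two points from the slides above fit one model: why the TCP three-way handshake inhibits simple spoofing (Figure 8.13 and the "Cons" list), and how a SYN flood exhausts the connection queue. The following added example (not from the lecture) is a toy listener with a bounded backlog. It shows the SYN-ACK, and with it the server's initial sequence number, going to the spoofed address, so a blind spoofer cannot produce the ACK; it then shows the backlog being filled by never-completed SYNs, and a simplified SYN-cookie mode (the server derives its ISN from a keyed hash of the client address instead of storing state) serving a legitimate client through the flood. All addresses are constructed.

```python
import hashlib
import hmac
import os
import random

MASK32 = 0xFFFFFFFF


class TcpListener:
    """Toy model of a listening TCP socket with a bounded backlog of half-open connections."""

    def __init__(self, backlog=4, syn_cookies=False):
        self.backlog = backlog
        self.syn_cookies = syn_cookies
        self.half_open = {}            # client -> server ISN (only without SYN cookies)
        self.established = set()
        self.dropped_syns = 0
        self._secret = os.urandom(16)  # per-listener secret for the cookie MAC

    def _cookie(self, client):
        # Stateless ISN derived from the client address. The server recomputes it
        # when the final ACK arrives, so no memory is spent per unanswered SYN.
        tag = hmac.new(self._secret, f"{client[0]}:{client[1]}".encode(), hashlib.sha256).digest()
        return int.from_bytes(tag[:4], "big")

    def on_syn(self, client):
        """Handle a SYN. Returns (destination of the SYN-ACK, server ISN), or None if dropped.
        The SYN-ACK is addressed to the packet's source, whether that source is real or spoofed."""
        if self.syn_cookies:
            return client, self._cookie(client)
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1
            return None
        isn = random.getrandbits(32)
        self.half_open[client] = isn
        return client, isn

    def on_ack(self, client, ack):
        """Final handshake step: the ACK must carry ISN + 1."""
        expected_isn = self._cookie(client) if self.syn_cookies else self.half_open.get(client)
        if expected_isn is None or ack != (expected_isn + 1) & MASK32:
            return False
        self.half_open.pop(client, None)
        self.established.add(client)
        return True


def spoofed_syn_scenario():
    """A SYN with a spoofed source: the SYN-ACK (and the ISN inside it) goes to the
    spoofed host, so the sender never learns the value the ACK must carry."""
    listener = TcpListener()
    spoofed = ("10.0.0.5", 40000)          # constructed address the sender pretends to be
    synack_dst, isn = listener.on_syn(spoofed)
    # Any blind guess is wrong with probability 1 - 2**-32; pick a value that is
    # certainly not the ISN so the demonstration is deterministic.
    wrong_guess = (isn + 1 + 12345) & MASK32
    completed = listener.on_ack(spoofed, wrong_guess)
    return synack_dst == spoofed, completed


def syn_flood_scenario(syn_cookies):
    """100 never-completed SYNs from constructed sources, then one legitimate client."""
    listener = TcpListener(backlog=4, syn_cookies=syn_cookies)
    for i in range(100):
        listener.on_syn((f"198.51.100.{i % 250 + 1}", 1024 + i))
    legit = ("192.0.2.10", 50000)
    reply = listener.on_syn(legit)
    if reply is None:
        return False                        # backlog exhausted: the legitimate SYN was dropped
    _, isn = reply
    return listener.on_ack(legit, (isn + 1) & MASK32)


if __name__ == "__main__":
    print("SYN-ACK went to spoofed host, handshake completed:", spoofed_syn_scenario())
    print("legit client served during flood, plain backlog:", syn_flood_scenario(False))
    print("legit client served during flood, SYN cookies:", syn_flood_scenario(True))
```

Real SYN cookies also encode the client's MSS and a coarse timestamp in the ISN and are only switched on once the backlog is under pressure; the model keeps just the stateless property that matters here. The bandwidth-exhaustion variant on the last bullet is untouched by cookies, since the packets still have to arrive.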
Smurf Attacks • Also known as directed broadcast attacks • Smurf attacks rely on an ICMP directed broadcast to create a flood of traffic at a victim • The attacker uses a spoofed source address, that of the victim • A Smurf attack is a DoS that consumes the victim's network bandwidth • A Smurf amplifier is a network that responds to directed broadcast messages
Trojan Horses • Software program containing a concealed malicious capability but appears to be benign, useful, or attractive to users
Backdoor • Software that allows an attacker to access a machine using an alternative entry method • Installed by attackers after a machine has been compromised • May permit an attacker to access a computer without needing to provide account names and passwords • Used in the movie “War Games” • Can be an sshd listening on a port other than 22 • Can be set up using Netcat
Netcat as a Backdoor • A popular backdoor tool • Netcat must be compiled with the “GAPING_SECURITY_HOLE” option • On the victim machine, run Netcat in listener mode with the -e flag to execute a specific program such as a command shell • On the attacker's machine, run Netcat in client mode to connect to the backdoor on the victim
Traditional RootKits • A suite of tools that allows an attacker to maintain root-level access via a backdoor while hiding evidence of the system compromise • More powerful than application-level Trojan horse backdoors (e.g. BO2K, Netcat), since the latter run as separate programs, which are easily detectable • A more insidious form of Trojan horse backdoor than its application-level counterparts, since existing critical system components are replaced to give the attacker backdoor access and hide it
Kernel-Level RootKits • More sinister, devious, and nasty than traditional RootKits • The operating system kernel is replaced by a Trojan horse kernel that appears to be well-behaved but in actuality is rotten to the core • Critical system files such as ls, ps, du, ifconfig are left unmodified • The Trojanized kernel can intercept system calls and run another application chosen by the attacker • An execution request for /bin/login is mapped to /bin/backdoorlogin • Tripwire checks only the system files, which are unaltered, so it detects nothing • If the kernel cannot be trusted, nothing on the system can be trusted
Hiding Evidence by Altering Event Logs • Attackers like to remove from the logs the evidence associated with gaining access, elevating privileges, and installing RootKits and backdoors • Login records • Stopped and restarted services • File access/update times
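The log-editing on this slide is only invisible when nothing records what the log used to contain. The following is an added example, not from the lecture: a hash-chained (HMAC) log as a collector would keep it, where each entry's tag commits to its sequence number, its content and the previous tag, and a verifier that reports the first entry at which a deletion, edit or reordering breaks the chain. The log lines and the key are constructed; the edge case shown at the end is truncation, which a chain alone cannot detect.

```python
import hashlib
import hmac

GENESIS = "0" * 64


def chain_append(entries, key, message):
    """Append a log line whose tag commits to its position, content and predecessor."""
    prev = entries[-1]["tag"] if entries else GENESIS
    seq = len(entries)
    tag = hmac.new(key, f"{seq}|{prev}|{message}".encode(), hashlib.sha256).hexdigest()
    entries.append({"seq": seq, "msg": message, "prev": prev, "tag": tag})
    return tag


def chain_verify(entries, key, expected_last_tag=None):
    """Return (ok, index_of_first_bad_entry). Deleting, editing or reordering an entry
    breaks the chain at that point; cutting entries off the end is only caught when
    the verifier knows the last tag it previously saw (expected_last_tag)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev:
            return False, i
        tag = hmac.new(key, f"{i}|{prev}|{e['msg']}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, e["tag"]):
            return False, i
        prev = e["tag"]
    if expected_last_tag is not None and prev != expected_last_tag:
        return False, len(entries)
    return True, None


# Constructed sample log, in the order an intrusion would leave it.
SAMPLE_LINES = [
    "sshd: Accepted password for bob from 192.0.2.10",
    "sshd: Accepted password for root from 198.51.100.23",   # the line an intruder wants gone
    "systemd: Stopped auditd",
    "systemd: Started auditd",
    "cron: job run",
]


def tamper_scenarios(key=b"constructed-collector-key"):
    """Returns the verifier's verdict for: untouched log, one entry deleted, one entry
    edited, tail cut off (chain only), tail cut off (collector remembers last tag)."""
    log = []
    last_tag = None
    for line in SAMPLE_LINES:
        last_tag = chain_append(log, key, line)
    untouched = chain_verify(log, key, last_tag)
    deleted = chain_verify(log[:1] + log[2:], key)             # root login removed
    edited = [dict(e) for e in log]
    edited[1]["msg"] = "sshd: Failed password for root from 198.51.100.23"
    edited_result = chain_verify(edited, key)
    truncated = chain_verify(log[:3], key)                     # chain alone passes
    truncated_known = chain_verify(log[:3], key, last_tag)     # collector notices
    return untouched, deleted, edited_result, truncated, truncated_known


if __name__ == "__main__":
    for name, verdict in zip(["untouched", "deleted", "edited", "truncated", "truncated+last tag"],
                             tamper_scenarios()):
        print(f"{name:20s} ok={verdict[0]} first_bad={verdict[1]}")
```

The key must live on the collector, not on the monitored host: an attacker with root on the host can re-sign anything the host can sign. In practice that means forwarding events off-host as they happen (syslog over TLS, or an agent) and chaining them at the receiving end; the host's own copy is then just a convenience, and any divergence from the collector's chain is the evidence the attacker was trying to erase.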
Covert Channels • Communication channels that disguise data while it moves across the network to avoid detection • Require a client and a server • Can be used to remotely control a machine and to secretly transfer files or applications
Tunneling • Carrying one protocol inside another protocol • E.g. tunneling AppleTalk traffic over IP • Any communications protocol can be used to transmit another protocol • The SSH protocol is used to carry telnet, FTP, or X-Windows sessions • Used by covert channels • Loki • Reverse WWW Shell
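Loki, named on the slide, carries its channel inside ICMP echo traffic, which is why a defender looks at echo requests and replies for anything that does not behave like ping. The following added example (not from the lecture and not Loki's code) parses constructed ICMP echo packets and flags three things a tunnel tends to produce: oversized requests, long high-entropy payloads (encrypted or compressed data), and replies that do not mirror the request they answer, as a genuine echo reply must. The packets, thresholds and identifiers are constructed; the payload-size limit assumes a site where pings use the default 32- or 56-byte payloads.

```python
import hashlib
import math
import struct
from collections import Counter

ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0
MAX_NORMAL_PAYLOAD = 64              # default ping payloads: 56 bytes (Linux), 32 (Windows)
ENTROPY_MIN_LEN, ENTROPY_LIMIT = 256, 7.0   # entropy is only meaningful on longer payloads


def build_icmp(icmp_type, ident, seq, payload):
    """Constructed ICMP header (code and checksum zeroed; the checksum is not verified here)."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload


def parse_icmp(packet):
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return icmp_type, ident, seq, packet[8:]


def shannon_entropy(data):
    """Bits per byte; 8.0 is the maximum, approached only by long random-looking data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def analyse_icmp(packets):
    """Return (finding, ident, seq) tuples for echo traffic that does not look like ping."""
    findings = []
    pending = {}   # (ident, seq) -> request payload, to check that the reply mirrors it
    for pkt in packets:
        icmp_type, ident, seq, payload = parse_icmp(pkt)
        if icmp_type == ICMP_ECHO_REQUEST:
            pending[(ident, seq)] = payload
            if len(payload) > MAX_NORMAL_PAYLOAD:
                findings.append(("oversized echo request", ident, seq))
            if len(payload) >= ENTROPY_MIN_LEN and shannon_entropy(payload) > ENTROPY_LIMIT:
                findings.append(("high-entropy payload", ident, seq))
        elif icmp_type == ICMP_ECHO_REPLY:
            request = pending.pop((ident, seq), None)
            if request is not None and request != payload:
                findings.append(("reply payload does not mirror request", ident, seq))
    return findings


# Constructed traffic: one normal ping exchange, then a tunnelled exchange that carries
# pseudo-random bytes in both directions, the way an ICMP tunnel smuggles data.
PING_PAYLOAD = bytes(8) + bytes(range(0x10, 0x40))   # 56 bytes: timestamp slot + byte pattern
TUNNEL_DATA = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))   # 1024 bytes

SAMPLE_PACKETS = [
    build_icmp(ICMP_ECHO_REQUEST, 0x1234, 1, PING_PAYLOAD),
    build_icmp(ICMP_ECHO_REPLY, 0x1234, 1, PING_PAYLOAD),
    build_icmp(ICMP_ECHO_REQUEST, 0x4242, 7, TUNNEL_DATA),
    build_icmp(ICMP_ECHO_REPLY, 0x4242, 7, TUNNEL_DATA[::-1]),
]

if __name__ == "__main__":
    for finding, ident, seq in analyse_icmp(SAMPLE_PACKETS):
        print(f"id=0x{ident:04x} seq={seq}: {finding}")
```

A tunnel that keeps payloads short and ping-shaped defeats the first two checks, and the mirror check only sees exchanges where both directions pass the sensor, so these heuristics belong next to rate and volume baselines per host, not in place of them. The same idea carries over to the Reverse WWW Shell case on the slide, where the questions become periodic beaconing and request bodies that do not look like the web traffic they imitate.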