Description: Common Techniques to Attack the Network and Spy on the Wire
Attacking The LAN, Spying The Wire
ATIK PILIHANTO, RISTI TELKOM BANDUNG
Workshop Attack and Defense – November 2007
Global Trend of Attacks in the Local Network
1. Spoofing
2. Man In The Middle
3. Sniffing (Passive)
4. TCP/IP Session Hijacking
5. Remote Code Execution
6. Denial of Service (DoS)
Spoofing
Spoofing is sending packets with a forged source address in order to conceal the identity of the sender.
Spoofing examples:
• IP address spoofing
• ARP cache spoofing (ARP cache poisoning)
• Email spoofing
Spoofing in the local network: ARP cache poisoning and IP address spoofing.
ATIK PILIHANTO, RISTI TELKOM 2007
IP Spoofing in Action
Man In The Middle (MiTM)
Man in The Middle is an attack in which an attacker is able to read, insert and modify at will the messages between two parties, without either party knowing that the link between them has been compromised.
Man in The Middle techniques:
• Switch port stealing
• ARP cache poisoning
• DNS spoofing
• DHCP spoofing
Man in The Middle in the local network: switch port stealing, DHCP spoofing, ARP cache poisoning.
Man In The Middle (MiTM)
Sniffing (Passive)
Sniffing is the process of intercepting and reading network traffic. Sniffing purposes:
• Analyze network problems
• Monitor network traffic
• Spy on other network users and collect sensitive information
In a switched network, sniffing is usually combined with Man in The Middle.
Sniffing In Action
TCP/IP Session Hijacking
TCP/IP Session Hijacking is an attack in which the attacker is able to hijack, or take over, an established TCP connection between two parties.
In the local network, TCP/IP hijacking can be done by combining MiTM with active sniffing, inserting RST or FIN segments, and predicting the Initial Sequence Number (ISN), fully compromising the established TCP connection.
Remote Code Execution
Remote code execution allows an attacker to execute arbitrary code on a vulnerable target machine.
It needs a flaw or vulnerability in the target machine, for example:
• DCOM RPC Remote Buffer Overrun (Windows)
• IPv6 mbuf Remote Buffer Overflow (OpenBSD)
Remote code execution is usually caused by a programming flaw in the operating system, a service daemon, or an application.
Common Programming Mistakes
1. Buffer Overflow
2. Integer Overflow
3. Format String Error
4. SQL Injection
5. File Inclusion
6. Cross Site Scripting
Remote Buffer Overflow Exploit
Denial of Service (DoS)
Denial of Service is an attack that makes a computer resource unavailable to its legitimate users.
Denial of Service can be done by attacking:
• Protocol weaknesses: SYN flooding, ICMP smurfing
• Service daemon weaknesses: buffer overflow
• Web application weaknesses: Web 2.0 XSS worm
Denial of Service in the local network: ARP cache poisoning, flooding (SYN/UDP/ICMP).
DoS in Vulnerable Daemon
Defense
Defending against spoofing attacks in the LAN is really difficult, but the risk can be minimized.
IP spoofing can be used for TCP SYN Denial of Service
• Enable SYN cookies: sysctl net.ipv4.tcp_syncookies=1
ARP cache spoofing can be used for MiTM
• Static ARP entries
• Passive monitoring: arpwatch
• Active monitoring: ettercap
Switch port stealing can be used for MiTM
• Port security on the switch
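As an added example that is not part of the slides, a minimal passive ARP monitor in the spirit of arpwatch: it learns which MAC each IP answers from, honours static entries pinned by the administrator, and alerts when an IP suddenly answers from a different MAC (the signature of ARP cache poisoning) or when one MAC answers for several IPs (the shape of a MiTM between hosts). The ArpReply structure and the sample traffic are constructed for this example.

```python
# Added example (not from the slides): passive ARP monitor in the spirit of arpwatch.
# Learns ip -> mac on first sight, enforces admin-pinned static entries, and alerts
# on a changed mac or on one mac claiming several ips. Sample traffic is constructed.
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass(frozen=True)
class ArpReply:            # only the ARP reply fields that matter for detection
    sender_ip: str
    sender_mac: str

@dataclass
class ArpMonitor:
    static: dict = field(default_factory=dict)    # ip -> mac fixed by the admin
    learned: dict = field(default_factory=dict)   # ip -> first mac observed
    ips_per_mac: dict = field(default_factory=lambda: defaultdict(set))
    alerts: list = field(default_factory=list)

    def observe(self, pkt: ArpReply) -> list:
        """Feed one ARP reply and return the alerts it triggered (may be empty)."""
        found = []
        expected = self.static.get(pkt.sender_ip) or self.learned.get(pkt.sender_ip)
        if expected is None:
            self.learned[pkt.sender_ip] = pkt.sender_mac      # first sighting: learn it
        elif expected != pkt.sender_mac:
            kind = "static entry violated" if pkt.sender_ip in self.static else "mac changed"
            found.append(f"{kind}: {pkt.sender_ip} {expected} -> {pkt.sender_mac}")
        self.ips_per_mac[pkt.sender_mac].add(pkt.sender_ip)
        if len(self.ips_per_mac[pkt.sender_mac]) > 1:      # one MAC, many IPs: MiTM shape
            found.append(f"{pkt.sender_mac} claims {sorted(self.ips_per_mac[pkt.sender_mac])}")
        self.alerts.extend(found)
        return found

def run_sample() -> list:
    """Replay a constructed capture: gateway and host, then a poisoner taking both."""
    mon = ArpMonitor(static={"192.168.1.1": "00:11:22:33:44:01"})  # gateway pinned
    traffic = [
        ArpReply("192.168.1.1", "00:11:22:33:44:01"),   # real gateway
        ArpReply("192.168.1.10", "00:11:22:33:44:10"),  # real host
        ArpReply("192.168.1.1", "de:ad:be:ef:00:01"),   # poisoner claims the gateway
        ArpReply("192.168.1.10", "de:ad:be:ef:00:01"),  # ...and the host: full MiTM
    ]
    for pkt in traffic:
        mon.observe(pkt)
    return mon.alerts
```

On a real host the replies would come from a capture library rather than the constructed list; the "claims" alert repeats for every further reply from that MAC, which is where a production tool would add deduplication.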
Defense
Manage the risk of sniffing and TCP/IP session hijacking
• Use a switch rather than a hub
• Defend against MiTM attacks
• VLAN segmentation
• Encrypted traffic (SSH, SSL, IPsec)
Manage the risk of remote code execution
• Enable kernel Exec Shield and virtual address randomization
  • sysctl kernel.exec-shield=1
  • sysctl kernel.randomize_va_space=1
• Good firewall policy
• Regular auditing and patching
Defense
Manage the risk of Denial of Service
• Good firewall policy
• Regular auditing and patching
Discussion
Discussion ?? Question ?? Suggestion ??