Instructor : Team
Course : TTH3K3 - Network Security
As Taught In : 2nd semester 2017-2018
Level : Undergraduate
CLO : 1
Week : 3
Sub-Topic : Types of Attack
www.telkomuniversity.ac.id
Social Engineering
Introduction to Social Engineering
Tactics
– Persuasion
– Intimidation
– Coercion
– Extortion/blackmailing
Introduction to Social Engineering (continued)
Studies human behavior
Types of Social Engineering
1. Phishing
2. Pretexting
3. Baiting
4. Quid Pro Quo
5. Tailgating
source: tripwire.com/state-of-security/security-awareness/5-social-engineering-attacks-to-watch-out-for/
Types of Social Engineering: Phishing
1. Phishing
Phishing scams might be the most common types of social engineering
attacks used today. Most phishing scams demonstrate the following
characteristics:
• Seek to obtain personal information, such as names, addresses and social
security numbers.
• Use link shorteners or embed links that redirect users to suspicious
websites in URLs that appear legitimate.
• Incorporate threats, fear and a sense of urgency in an attempt to
manipulate the user into acting promptly.
• Some phishing emails are more poorly crafted than others, to the extent
that their messages oftentimes exhibit spelling and grammar errors, but
these emails are no less focused on directing victims to a fake website or
form where they can steal user login credentials and other personal
information.
Types of Social Engineering: Pretexting
2. Pretexting
Pretexting is another form of social engineering where attackers focus on
creating a good pretext, or a fabricated scenario, that they can use to try and
steal their victims’ personal information. These types of attacks commonly
take the form of a scammer who pretends that they need certain bits of
information from their target in order to confirm their identity.
More advanced attacks will also try to manipulate their targets into
performing an action that enables them to exploit the structural weaknesses
of an organization or company. A good example of this would be an attacker
who impersonates an external IT services auditor and manipulates a
company’s physical security staff into letting them into the building.
Unlike phishing emails, which use fear and urgency to their advantage,
pretexting attacks rely on building a false sense of trust with the victim. This
requires the attacker to build a credible story that leaves little room for doubt
on the part of their target.
Types of Social Engineering: Baiting
3. Baiting
Baiting is in many ways similar to phishing attacks. However, what
distinguishes them from other types of social engineering is the promise of an
item or good that hackers use to entice victims. Baiters may offer users free
music or movie downloads, if they surrender their login credentials to a
certain site.
Baiting attacks are not restricted to online schemes, either. Attackers can also
focus on exploiting human curiosity via the use of physical media.
Types of Social Engineering: Quid pro Quo
5. Tailgating
Another social engineering attack type is known as tailgating or
“piggybacking.” These types of attacks involve someone who lacks the proper
authentication following an employee into a restricted area.
In a common type of tailgating attack, a person impersonates a delivery driver
and waits outside a building. When an employee gains security’s approval and
opens their door, the attacker asks that the employee hold the door, thereby
gaining access off of someone who is authorized to enter the company.
Tailgating does not work in all corporate settings, such as in larger companies
where all persons entering a building are required to swipe a card. However,
in mid-size enterprises, attackers can strike up conversations with employees
and use this show of familiarity to successfully get past the front desk.
Preventing Social Engineering
Social Engineering: Other Techniques
• Urgency
• Status quo
• Kindness
• Position
• Shoulder Surfing
• Dumpster Diving
The Art of Shoulder Surfing
• Shoulder surfer
– Reads what users enter on keyboards
• Logon names
• Passwords
• PINs
Tools for Shoulder Surfing
The Art of Shoulder Surfing (continued)
• Prevention
– Avoid typing when someone is nearby
– Avoid typing when someone nearby is talking on a cell phone
– Computer monitors should face away from the door or cubicle entryway
– Immediately change your password if you suspect someone is observing you
Dumpster Diving
The Art of Dumpster Diving (continued)
• Prevention
– Educate your users about dumpster diving
– Proper trash disposal
– Use “disk shredder” software to erase disks before discarding them
• Software writes random bits
• Done at least seven times
– Discard computer manuals offsite
– Shred documents before disposal
The Art of Piggybacking
The Art of Piggybacking (continued)
• Prevention
– Use turnstiles
– Train personnel to report the presence of strangers
– Do not hold secured doors for anyone
• Even for people you know
– All employees must use secure cards
Sample Phishing
Network Attack
Theoretical Perspective
Types of Network Attack
1. Eavesdropping
2. Data Modification
3. Identity Spoofing (IP Address Spoofing)
4. Password-Based Attacks
5. Denial-of-Service Attack
6. Man-in-the-Middle Attack
7. Compromised-Key Attack
8. Sniffer Attack
9. Application-Layer Attack
source: technet.microsoft.com/en-us/library/cc959354.aspx
Types of Network Attack: Eavesdropping
1. Eavesdropping
In general, the majority of network communications occur in an
unsecured or "cleartext" format, which allows an attacker who
has gained access to data paths in your network to "listen in" or
interpret (read) the traffic. When an attacker is eavesdropping
on your communications, it is referred to as sniffing or snooping.
The ability of an eavesdropper to monitor the network is
generally the biggest security problem that administrators face in
an enterprise. Without strong encryption services that are based
on cryptography, your data can be read by others as it traverses
the network.
Types of Network Attack: Data Modification
2. Data Modification
After an attacker has read your data, the next logical step is to
alter it. An attacker can modify the data in the packet without
the knowledge of the sender or receiver. Even if you do not
require confidentiality for all communications, you do not want
any of your messages to be modified in transit. For example, if
you are exchanging purchase requisitions, you do not want the
items, amounts, or billing information to be modified.
Types of Network Attack: Identity Spoofing
Types of Network Attack: Password-Based Attacks
4. Password-Based Attacks
A common denominator of most operating system and network
security plans is password-based access control. This means your
access rights are determined by your user name and password.
When an attacker finds a valid user account, the attacker has the
same rights as the real user, even administrator-level rights.
After gaining access to your network with a valid account, an
attacker can do any of the following:
• Obtain lists of valid user and computer names and network information.
• Modify server and network configurations, including access controls and
routing tables.
• Modify, reroute, or delete your data.
Types of Network Attack: Denial-of-Service Attack
5. Denial-of-Service Attack
Unlike a password-based attack, the denial-of-service attack
prevents normal use of your computer or network by valid users.
After gaining access to your network, the attacker can do any of
the following:
• Randomize the attention of your internal Information Systems staff so that
they do not see the intrusion immediately, which allows the attacker to
make more attacks during the diversion.
• Send invalid data to applications or network services, which causes
abnormal termination or behavior of the applications or services.
• Flood a computer or the entire network with traffic until a shutdown
occurs because of the overload.
• Block traffic, which results in a loss of access to network resources by
authorized users.
Types of Network Attack: Man-in-the-Middle Attack
6. Man-in-the-Middle Attack
As the name indicates, a man-in-the-middle attack occurs when
someone between you and the person with whom you are
communicating is actively monitoring, capturing, and controlling
your communication transparently. For example, the attacker
can re-route a data exchange.
Man-in-the-middle attacks are like someone assuming your
identity in order to read your message. The person on the other
end might believe it is you because the attacker might be actively
replying as you to keep the exchange going and gain more
information. This attack is capable of the same damage as an
application-layer attack, described later in this section.
Types of Network Attack: Compromised-Key Attack
7. Compromised-Key Attack
A key is a secret code or number necessary to interpret secured
information. Although obtaining a key is a difficult and resource-
intensive process for an attacker, it is possible. After an attacker
obtains a key, that key is referred to as a compromised key.
An attacker uses the compromised key to gain access to a
secured communication without the sender or receiver being
aware of the attack. With the compromised key, the attacker can
decrypt or modify data, and try to use the compromised key to
compute additional keys, which might allow the attacker access
to other secured communications.
Types of Network Attack: Sniffer Attack
8. Sniffer Attack
A sniffer is an application or device that can read, monitor, and
capture network data exchanges and read network packets. If
the packets are not encrypted, a sniffer provides a full view of
the data inside the packet. Even encapsulated (tunneled) packets
can be broken open and read unless they are encrypted and the
attacker does not have access to the key.
Using a sniffer, an attacker can do any of the following:
• Analyze your network and gain information to eventually cause your
network to crash or to become corrupted.
• Read your communications.
Types of Network Attack: Application-Layer Attack
9. Application-Layer Attack
An application-layer attack targets application servers by
deliberately causing a fault in a server's operating system or
applications. This results in the attacker gaining the ability to
bypass normal access controls. The attacker takes advantage of
this situation, gaining control of your application, system, or
network, and can do any of the following:
• Read, add, delete, or modify your data or operating system.
• Introduce a virus program that uses your computers and software
applications to copy viruses throughout your network.
• Introduce a sniffer program to analyze your network and gain information
that can be used to crash or to corrupt your systems and network.
• Abnormally terminate your data applications or operating systems.
• Disable other security controls to enable future attacks.
Distributed Denial of Service
Denial-of-service
Classic DoS attacks
Internet Control Message Protocol (ICMP)
Source address spoofing
Backscatter traffic
SYN spoofing
[Figure: SYN spoofing handshake diagram showing the SYN/ACK packets; y = server sequence number, x = client sequence number]
SYN spoofing attack
SYN spoofing attack: attacker’s source
Types of flooding attacks
Distributed DoS attacks
DDoS control hierarchy
Application-based bandwidth attacks
HTTP-based attacks
Reflection attacks
DNS amplification attacks
Amplification attacks
Four lines of defense against DDoS attacks
DoS attack prevention
Attack prevention
Responding to attacks
[Figure: TCP connection teardown state diagram]
– Enters the “timed wait” state: will still respond with an ACK to FINs received for the closed connection
Detection Methods (I)
SYN – FIN Behavior
• Generally every SYN has a FIN
• We can’t tell if RST is active or passive
• Consider 75% active
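The SYN–FIN observation above can be turned into a detector: count SYNs against FIN-equivalents (FINs plus 75% of RSTs, as the slide suggests) per interval and accumulate the excess. This is an added example, not from the slides; the interval data, threshold and alarm limit are constructed values.

```python
from collections import Counter

RST_ACTIVE_FRACTION = 0.75  # slide: "consider 75% active" (RST standing in for a FIN)


def syn_fin_difference(flags):
    """Normalised SYN-vs-FIN imbalance for one observation interval.

    flags: one TCP flag name per packet ('SYN', 'FIN', 'RST', 'ACK', ...).
    Returns (SYN - FIN_equiv) / max(FIN_equiv, 1), where FIN_equiv counts FINs
    plus RST_ACTIVE_FRACTION of RSTs. In benign traffic this stays near zero
    because every SYN is eventually matched by a FIN (or an active RST).
    """
    c = Counter(flags)
    fin_equiv = c["FIN"] + RST_ACTIVE_FRACTION * c["RST"]
    return (c["SYN"] - fin_equiv) / max(fin_equiv, 1.0)


def detect_syn_flood(intervals, threshold=2.0, alarm_limit=6.0):
    """CUSUM-style detector over per-interval imbalance values.

    Each interval's imbalance above `threshold` is accumulated; negative
    excess drains the sum back towards zero, so one busy interval does not
    alarm while a sustained flood does. Returns the index of the interval in
    which the accumulated excess first exceeds `alarm_limit`, or None.
    The threshold and limit are constructed tuning values, not from the slides.
    """
    cusum = 0.0
    for i, flags in enumerate(intervals):
        cusum = max(0.0, cusum + syn_fin_difference(flags) - threshold)
        if cusum > alarm_limit:
            return i
    return None


def make_interval(syn, fin, rst, ack=0):
    """Constructed sample interval: a flat list of per-packet flag names."""
    return ["SYN"] * syn + ["FIN"] * fin + ["RST"] * rst + ["ACK"] * ack


# Constructed traffic: two normal intervals, then a spoofed-source SYN flood
# in which the half-open connections are never completed or torn down.
SAMPLE_INTERVALS = [
    make_interval(syn=10, fin=9, rst=2, ack=40),
    make_interval(syn=12, fin=10, rst=3, ack=45),
    make_interval(syn=60, fin=5, rst=4, ack=20),
    make_interval(syn=80, fin=4, rst=4, ack=10),
]

if __name__ == "__main__":
    for i, flags in enumerate(SAMPLE_INTERVALS):
        print(f"interval {i}: imbalance = {syn_fin_difference(flags):.2f}")
    print("alarm raised in interval:", detect_syn_flood(SAMPLE_INTERVALS))
```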
Detection Method (II)
Password Management
Managing Passwords
Attack Strategies and Countermeasures (1)
Workstation hijacking
• The attacker waits until a logged-in workstation is unattended
• The standard countermeasure is automatically logging the workstation out
after a period of inactivity
Exploiting user mistakes
• Attackers are frequently successful in obtaining passwords by using social
engineering tactics that trick the user or an account manager into
revealing a password; a user may intentionally share a password to enable
a colleague to share files; users tend to write passwords down because it
is difficult to remember them
• Countermeasures include user training, intrusion detection, and simpler
passwords combined with another authentication mechanism
Attack Strategies and Countermeasures (2)
Attack Strategies and Countermeasures (3)
Electronic Monitoring
• Sniffing/eavesdropping
• Countermeasure: (advanced) encryption
Password guessing against a single user
• Countermeasures: user awareness, password policies
Exploiting multiple password use
• Similar passwords for a given user at different networks
• Countermeasures: user awareness, password policies
Popular password attack
• Countermeasures: user awareness, password policies
UNIX Password Scheme
Password Selection Strategies
• The goal is to eliminate guessable passwords while allowing the user to select a password
that is memorable
• Four basic techniques are in use:
– User education
• Users can be told the importance of using hard-to-guess passwords and can be
guessable passwords
– Proactive password checking
• A user is allowed to select his or her own password; however, at the time of selection,
the system checks to see if the password is allowable and, if not, rejects it
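A proactive password checker of the kind described above, written here as an added example (not from the slides or the course): the user picks the password, the system tests it at selection time and returns the reasons it is rejected. The length limits, character-class rule, leet-speak table and the tiny dictionary are constructed assumptions standing in for a real policy and wordlist.

```python
import re
import string

MIN_LENGTH = 12          # constructed policy values, not from the slides
PASSPHRASE_LENGTH = 16   # long passphrases are exempt from the character-class rule
# Constructed mini dictionary standing in for a real wordlist.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin", "telkom", "dragon"}
# Common digit/symbol substitutions that guessing wordlists already account for.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def _strip(s):
    """Drop leading/trailing non-letters, so 'telkom2018!!' compares as 'telkom'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", s)


def dictionary_candidates(pw):
    """Plausible base words hidden in the password, to be checked against the dictionary."""
    low = pw.lower()
    return {_strip(low), _strip(low.translate(LEET)), _strip(low).translate(LEET)}


def check_password(pw, username="", words=COMMON_WORDS):
    """Proactive check at selection time: return the reasons for rejection
    (an empty list means the password is allowable)."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    used = sum(any(ch in cls for ch in pw) for cls in classes)
    if len(pw) < PASSPHRASE_LENGTH and used < 3:
        reasons.append("uses fewer than three character classes")
    hit = next((c for c in sorted(dictionary_candidates(pw)) if c in words), None)
    if hit:
        reasons.append(f"based on dictionary word '{hit}'")
    if username and username.lower() in pw.lower():
        reasons.append("contains the user name")
    if len(set(pw)) <= 3:
        reasons.append("too few distinct characters")
    return reasons


def is_allowable(pw, username=""):
    """Accept the password only when no rule rejects it."""
    return not check_password(pw, username)


if __name__ == "__main__":
    for candidate in ("P@ssw0rd123!", "Telkom2018!!", "correct-horse-battery-staple"):
        print(candidate, "->", check_password(candidate) or "allowable")
```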
Passwords… New Ways
Exercise
• Use Wireshark to monitor your network traffic
• second.
Assuming no feedback to the adversary until each attempt has been completed, what
Server Certificate: SSL
Virtual Communication between Layers
[Figure: virtual communication between layers. Application data is carried as the transport payload, the transport segment as the network payload, and the network packet as the data link payload. The Application and Transport layers exist only on the two end hosts, while the Network and Data Link layers are also present on the intermediate nodes.]
TCP/IP Security Protocols
Security in what layer?
Generally…
Example: PGP vs. SSL vs. IPsec
Application Layer Security
Advantages:
• Most flexible
• Executing in the context of the user: easy access to the user’s credentials
• Complete access to data: easier to ensure non-repudiation and fine
security granularity
• Application-based security
Disadvantages:
• Most intrusive
• Implemented in end hosts
• Need for each application
• Expensive
• Greater probability of making mistakes
Providing Security
Web Security
HTTPS
HTTPS Connection Initiation
HTTPS Connection Closure
• connection closure
– have “Connection: close” in the HTTP headers
• which normally causes the TCP connection to be closed
• but the SSL/TLS protocol sits between HTTP and TCP
• thus, SSL/TLS should control connection closure at the TCP level
– the SSL/TLS level exchanges close_notify alerts
– the TCP connection can then be closed
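To make the closure sequence concrete, the following added example (not from the slides or any project) parses a TLS record stream and reports whether it ended with a close_notify alert or was simply cut off at the TCP level. Record framing and alert codes follow RFC 5246; the byte streams are constructed and shown unencrypted for illustration, since in a real TLS 1.2 capture the alert body is encrypted and in TLS 1.3 the record type itself is hidden inside application_data.

```python
import struct

# TLS record content types (RFC 5246, section 6.2.1)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
CLOSE_NOTIFY = 0  # AlertDescription value for close_notify; alert level 1 = warning


def tls_record(content_type, payload, version=b"\x03\x03"):
    """Build one TLS record: type(1) || version(2) || length(2) || fragment."""
    return bytes([content_type]) + version + struct.pack("!H", len(payload)) + payload


def parse_records(stream):
    """Split a captured byte stream into (content_type_name, fragment) tuples.

    Raises ValueError if the stream stops in the middle of a record, which is
    what a TCP FIN/RST arriving mid-record looks like at this layer.
    """
    records, offset = [], 0
    while offset < len(stream):
        if len(stream) - offset < 5:
            raise ValueError("truncated record header")
        ctype = stream[offset]
        (length,) = struct.unpack("!H", stream[offset + 3:offset + 5])
        fragment = stream[offset + 5:offset + 5 + length]
        if len(fragment) != length:
            raise ValueError("truncated record body")
        records.append((CONTENT_TYPES.get(ctype, f"unknown({ctype})"), fragment))
        offset += 5 + length
    return records


def closure_status(stream):
    """Classify how a TLS stream ended.

    'clean'       - last record is a close_notify alert (the proper closure above)
    'fatal_alert' - last record is a fatal alert
    'other_alert' - last record is a warning alert other than close_notify
    'truncated'   - stream ended with no alert at all (bare TCP FIN/RST)
    """
    records = parse_records(stream)
    if not records or records[-1][0] != "alert":
        return "truncated"
    level, description = records[-1][1][:2]
    if level == 1 and description == CLOSE_NOTIFY:
        return "clean"
    return "fatal_alert" if level == 2 else "other_alert"


# Constructed sample: an HTTP response announcing closure, then the close_notify
# alert that TLS must send before TCP is torn down (shown unencrypted).
HTTP_RESPONSE = b"HTTP/1.1 200 OK\r\nConnection: close\r\nContent-Length: 2\r\n\r\nok"
CLEAN_STREAM = tls_record(23, HTTP_RESPONSE) + tls_record(21, bytes([1, CLOSE_NOTIFY]))
TRUNCATED_STREAM = tls_record(23, HTTP_RESPONSE)  # peer simply sent a TCP FIN

if __name__ == "__main__":
    print([name for name, _ in parse_records(CLEAN_STREAM)])
    print(closure_status(CLEAN_STREAM), closure_status(TRUNCATED_STREAM))
```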
Sample HTTPS
EXPERIMENTS
Experiment 1
• Objective: sniffing passwords using Wireshark
• https://www.wireshark.org/download.html
What to do
1. Launch Wireshark
2. From the Wireshark menu bar, select Capture > Interfaces (Ctrl+I)
3. In the Wireshark Capture Interfaces dialog box, find and select the Ethernet
driver interface that is connected to the system, and then click Start.
4. Switch to the virtual machine and log in to your email.
5. You may save the captured packets from File > Save As.
6. In Find by...
QUESTION
Experiment 2
• Objective: scan, detect, protect and attack computers on LANs
What you need :
What to do
3. Click the Scan option from the toolbar menu and select Scan LAN. Then scan
the active hosts on the LAN.
4. Select a victim host (Windows Server 2008) from the displayed list. Select
Attack -> Flood. Scanning acts as another gateway or IP forwarder without
other users on the LAN noticing, while spoofing ARP tables.
5. All data sniffed by spoofing and forwarded by the WinArpAttacker
IP-forward functions are counted, as shown in the main interface. The
BanGateway option tells the gateway wrong MAC addresses for the target
computer, so the target can’t receive packets from the internet.
6. Click save to save the report
QUESTION
Experiment 3
• Install Nessus
• Then use Nessus to scan your home network (or another appropriate
network) and report the vulnerabilities discovered. You can use the
standard policy defined in Nessus 4.2 or modify the policies as you like.
Everyone should try this and may get different output from their own
machines. So I expect these group exercises will have reports from
everyone (i.e., 4 to 5 reports depending on the size of the group).
Experiment 3
John Smith
Number of vulnerabilities
Open ports: 21
High: 0
Medium: 4
Low: 44
Question
• The Internet is, slowly, transitioning from the version of the TCP/IP
protocol suite currently in use IPv4 to a new version, IPv6. Unlike
IPv4 IP addresses, which are 32 bits long (e.g., 192.168.10.1), IPv6
IP addresses are 128 bits long (e.g.,
2001:1890:1112:0001:0000:0000:0000:0020).
• a. Consider random-scanning Internet worms. These worms
spread by choosing a random IP address, connecting to any host
answering to that address, and attempting to infect it. Is the
random-scanning strategy feasible if the Internet switches from
IPv4 to IPv6? Why or why not?
• b. On the IPv6 Internet, try to give three different ways that a
worm, executing on a compromised computer, can discover IP
addresses of other hosts to try to infect.
Next Chapter: Attack Phase