7/31/2019 Chde-2_Ky Thuat Tan Cong
1/58
Assoc. Prof. Dr. Sc. Hoàng Đăng Hải
Posts and Telecommunications Institute of Technology (PTIT)
Email: [email protected]
2012

Attack and system intrusion techniques
Evolution of network attacks

Trends: combining worms, viruses and DDoS; extortion; hackers
Attacks above 10 Gbps; botnet armies with 150,000+ nodes
Lack of intelligence in managing the cloud network makes costs rise quickly
Giving up bandwidth to deal with the problem is too wasteful and expensive
Some concepts

Intruder: usually called a hacker, cracker or burglar; information thief (information theft); cybercrime; compromiser
Security hole, vulnerability, flaw:
- design errors: possibilities that were not anticipated
- latent weaknesses: present in every system
- exploitable errors: loose configuration, errors during operation
Risk: risk = threat x vulnerability x asset value
Threat, attack: usually used to refer to the same act of harming system security
Security measure, security mechanism: measures/mechanisms to detect, prevent, defend against and repair
Security service: a service that strengthens the security of information processing and transmission systems by means of security measures
Classification of network attacks

Motives:
- Joking hacker: data stealing / spying / military espionage
- Company competition: business plan/strategy; competitor destruction; product advertisement
- Avenger
- Terrorism
- Account hacking / bank robbery

Attack objectives:
- Fabrication: destroys the authenticity of the source
- Modification: destroys the integrity of information
- Interception of information (traffic): breaches confidentiality
- Interruption of service

Attack types: examples
- Happy Christmas 1987, in the IBM network: an email was sent to everybody whose address was found in the address book; the network deadlocked
- Internet Worm 1989, in the Security Center of the DoD: Unix shell attack
Security attacks

Passive:
- Eavesdropping: covertly reading the contents of messages
- Traffic analysis: monitoring the timing and length of messages and the coding on the communication channel

Active:
- Masquerade: Darth impersonates Bob
- Replay: capturing, forging and retransmitting messages
- Modification of messages
- Denial of service
The five phases of a destructive attack

Reconnaissance: the attacker surveys the victim machine and its services over a long period, using small amounts of traffic that look like the machine's normal activity; tries to set up connections and gather information about the hosts and services; looks for weaknesses in the system and its applications.
Exploitation: the process of abusing, altering and distorting the operation of services on the victim machine. Altering a service changes its mode of operation and its access conditions.
Reinforcement: the phase in which the attacker gains unauthorised access, strengthens that access, uses tools to probe the victim and hides the activity.
Consolidation: the attacker creates a backdoor, communicates through it and takes complete control.
Pillage: the phase in which the destructive plan is carried out: stealing sensitive information, creating a foothold to penetrate deeper into the user network, and so on.
Malicious software (malware)

- Threats/weaknesses that must be set off by a trigger (do not spread)
- Self-replicating programs (make copies of themselves = spread)
Backdoor or trapdoor

- A secret entry point into a program
- Lets a skilled technician get into the system without going through the normal security procedures
- Usually used for debugging and testing software during development; becomes a risk when it is still present in the shipped software product

Logic bomb
- One of the classic kinds of malicious software
- Code embedded in a legitimate program that is activated when a specified condition is met: the presence or absence of certain files; a particular date/time; a particular user
- When activated it usually damages the system: alters/deletes files or disks, halts the machine, ...
Trojan horse

- A useful or attractive program (a game, a utility, a software upgrade, ...)
- Contains hidden code with deliberate side effects
- When run it carries out extra tasks: it lets the attacker indirectly gain access to what cannot be reached directly
- Usually used to spread viruses/worms, to install a backdoor, or to destroy data indirectly

Zombie
- A program that secretly takes control of another machine on the Internet and uses it to carry out attacks indirectly, hiding the machine that created the zombie
- Usually used for distributed denial of service (DDoS): a network of hundreds of unsuspected machines floods the target website by sending bursts of traffic requests
- Usually exploits vulnerabilities in networked systems
Viruses

- A piece of software code that can infect other software by modifying it. Modifying other software includes copying the virus code into it so that it infects further programs.
- Like a biological virus, a computer virus can replicate. It spreads and performs a specific function (for example destroying data).

How a virus operates:
- Dormant phase: lies idle waiting for a triggering event (for example a date, a program, the disk capacity).
- Propagation phase: copies itself into other programs / other parts of the system.
- Triggering phase: performs the pre-planted function when the event occurs.
- Execution phase: carries out the intended action.
Most viruses exploit the characteristics and main weaknesses of the system they are able to run on.
Virus structure

program V :=
{goto main;
 1234567;
 subroutine infect-executable :=
   {loop: file := get-random-executable-file;
    if (first-line-of-file = 1234567) then goto loop
    else prepend V to file; }
 subroutine do-damage := {whatever damage is to be done}
 subroutine trigger-pulled := {return true if condition holds}
 main: main-program := {infect-executable;
    if trigger-pulled then do-damage;
    goto next;}
 next:
}
Forms of DDoS attack

- Local chain-reaction breaches: exploiting the operating system, disrupting server operation
- Local resource exhaustion: fork() bomb, filling disks, deep directory nesting
- Denying service to workstations: causing breaches or stopping critical services
- Remote chain-reaction breaches: magic packets: ping of death, teardrop
- Remote resource exhaustion: syslog, SYN, fragment flood, UDP storm
Forms of DDoS attack (2)

- Network-wide denial of service: aimed at exposed links or critical information infrastructure
- Remotely shutting the network down: attacks on routers and DNS servers; route faults: forged routing information
- Remote network congestion: forged broadcasts (smurf, fraggle); remote control of harmful machines: zombies coordinated to flood (DDoS)
Attacks are shifting from individual machines to the network infrastructure!
Disruption techniques used by DDoS attacks

Distributed attacks: remote control of an army of zombies. Recent experiments show that an unprotected machine on the Internet can be attacked within less than 8 minutes.
IP reflection
Confusing the network audit trail: forged/spoofed source IP addresses; varying the attack rate (on/off); decoys
Confusing the attack signature: mimicking legitimate traffic (e.g. TCP ACK flood); blending in with legitimate traffic
All of these techniques aim to defeat manual tracing methods and to evade common IDSs.
New trends in DoS attacks

Network-based flooding attacks: once vulnerabilities are patched it is hard to find weak hosts; local subnets are flooded; ingress/egress filters are more widespread
High-volume attacks: aimed at upstream routers and links
Hit-and-run: shock floods (pulsing / short-lived floods); using several zombie armies in rotation
Distribution techniques: widely distributed, zombie armies everywhere
New trends in DoS attacks (2)

Confusing the network audit trail: changing the characteristics of some application protocols; re-issuing DNS queries, etc.
Changing the attack signature: using random addresses, protocols and ports
Attacking the network routing infrastructure: injecting BGP routes to launch the attack
Silent, automated conscription of zombie armies: recent Internet worms and viruses: Microsoft Outlook, IE, IIS, SMB
Sequence of a DDoS attack

A. A large number of machines are compromised
B. The attacker identifies exploitable machines with scanning techniques (scanners), etc.
C. The attacker gains access to the systems with remote tools: exploits, sniffers, password cracking, worms, trojans
D. The attacker installs the attack tools
E. The attacker remotely commands the assembled compromised machines to attack the target
Distributed DoS attack (DDoS)

- Coordinated attacks on critical links and resources
- DNS
- Attacks on the routing infrastructure
Example: smurf attack

Figure: the attacker (1.1.1.100) sends an ICMP echo request with source 3.3.3.100 (the target) to 2.2.2.255, the broadcast address of the reflector network; every host 2.2.2.* sends an ICMP echo reply to 3.3.3.100.

Simple model: send ICMP echo request packets with a forged source to the IP broadcast addresses of a trusted network.
Every host in that network sends one ICMP reply to the forged IP address of the victim.
When nearly every machine in the network answers this ICMP echo request, the network becomes congested and paralysed.
Example: TCP SYN flood

Figure: sequence of establishing a TCP connection (3-way handshake). Client and server both start CLOSED; the client sends SYN and enters SYN_SENT; the server answers SYN+ACK and enters SYN_RCVD; the client sends ACK and both sides enter ESTABLISHED.
Example: TCP SYN flood (cont.)

Figure: the attacker sends the server a stream of SYNs; the server answers each with SYN+ACK and parks an entry in SYN_RCVD in its listen queue; the ACKs never arrive and the queue fills up.

If, after the server has sent the SYN+ACK response, the client does not send the ACK response, the connection is half-open.
The server creates a data structure in memory that holds every open connection (timeout).
The attacker causes a memory overflow, which makes the server crash or unable to accept any new connection until the whole table has been cleared.
The spoofed IP position in the attacked system is hidden, because the source addresses in the SYN packets are all unclear. When the packets reach the victim server there is no way to determine the real sender.
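To make the half-open connection table concrete, here is an added Python example (not from the slides) that tracks SYN_RCVD entries per client the way the listen queue above does, reaps them after a timeout, and raises an alert when the count passes the queue size. The timeout, the queue size and the packet records are constructed values.

```python
"""Half-open (SYN_RCVD) tracking and SYN-flood detection.

Added example, not from the original slides. Every SYN opens an entry in
SYN_RCVD, an ACK from the same client/port completes it, entries older
than SYN_TIMEOUT are reaped, and an alert is raised whenever the number
of half-open entries exceeds QUEUE_LIMIT. All values below are constructed.
"""
from collections import Counter

SYN_TIMEOUT = 3.0   # seconds an entry may wait in SYN_RCVD (assumed)
QUEUE_LIMIT = 5     # listen-queue size used for the demo (assumed)


class HalfOpenTable:
    def __init__(self, timeout=SYN_TIMEOUT):
        self.timeout = timeout
        self.pending = {}        # (src_ip, src_port) -> arrival time of the SYN
        self.established = 0

    def observe(self, pkt):
        """Feed one packet record: a dict with keys t, src, sport, flags."""
        key = (pkt["src"], pkt["sport"])
        if pkt["flags"] == "SYN":
            self.pending[key] = pkt["t"]     # server answered SYN+ACK, now waiting
        elif pkt["flags"] == "ACK" and key in self.pending:
            del self.pending[key]            # third leg arrived: handshake complete
            self.established += 1
        self.expire(pkt["t"])

    def expire(self, now):
        """Drop entries that waited longer than the timeout (the server's timer)."""
        for key in [k for k, t0 in self.pending.items() if now - t0 > self.timeout]:
            del self.pending[key]

    def half_open(self):
        return len(self.pending)

    def top_sources(self, n=3):
        """Sources holding the most half-open entries; useful for a report even
        though spoofed addresses will not identify the real sender."""
        return Counter(src for src, _ in self.pending).most_common(n)


def detect_syn_flood(packets, queue_limit=QUEUE_LIMIT):
    """Run the table over a packet stream; return (table, alerts) where each
    alert is (time, half_open_count, most_frequent_source)."""
    table = HalfOpenTable()
    alerts = []
    for pkt in sorted(packets, key=lambda p: p["t"]):
        table.observe(pkt)
        if table.half_open() > queue_limit:
            alerts.append((pkt["t"], table.half_open(), table.top_sources(1)[0][0]))
    return table, alerts


# Constructed sample: one legitimate client completes its handshake, then a
# burst of SYNs from (spoofed) sources that never send the final ACK.
SAMPLE = [
    {"t": 0.0, "src": "10.0.0.5", "sport": 40001, "flags": "SYN"},
    {"t": 0.1, "src": "10.0.0.5", "sport": 40001, "flags": "ACK"},
] + [
    {"t": 0.2 + i * 0.01, "src": f"198.51.100.{i}", "sport": 1000 + i, "flags": "SYN"}
    for i in range(8)
]

if __name__ == "__main__":
    table, alerts = detect_syn_flood(SAMPLE)
    print(f"established={table.established} half-open={table.half_open()}")
    for t, n, src in alerts:
        print(f"t={t:.2f}s half-open={n} top source {src}")
```

The timeout is what keeps a slow but legitimate client from being counted forever; the alert threshold is what a stateful defence such as tcp intercept acts on, typically by answering SYNs on the server's behalf until the client proves itself with the final ACK.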
DDoS countermeasures

- Ingress / egress filtering (anti-spoofing)
- Strict / loose RPF (Reverse Path Forwarding)
- Black lists / white lists
- Policy-based filtering
- Rate limiting: ICMP etc.
- Stateful defences (e.g. tcp intercept)
- Patching vulnerable hosts and services
- Provisioning and capacity planning
- Packet filtering on the provider side of WAN links
Handling and responding to a DDoS attack

Three important steps:
- Detection: determine the attacker's method and the resources affected; find a way to isolate the abused resources
- Traceback: determine the source, the path and the forwarding chain
- Damage reduction: determine which traffic to block, preferably blocking it at the head of the path
DDoS mitigation strategies

Unicast Reverse Path Forwarding (uRPF): use strict uRPF; prevents IP address spoofing; avoid misusing uRPF and BGP on all border routers
Rate limiting: limit the rate of attack traffic: ICMP, UDP, TCP SYN; watch for abnormal protocol behaviour!; enforce the QoS policy through BGP (special community)
ACL: filter out traffic concentrated on one server; traps and diversion (blackhole / sinkhole / shunt); layered filtering, traps, investigative queries
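The rate-limiting strategy above is usually implemented with a token bucket per traffic class. The following is an added Python example, not from the slides, that limits ICMP, UDP and TCP SYN packets independently and leaves other traffic alone; the policy numbers and the packet stream are constructed.

```python
"""Per-class token-bucket rate limiting for ICMP, UDP and TCP SYN traffic.

Added example, not from the slides. Each traffic class gets a bucket with
a sustained rate (tokens per second) and a burst size; a packet is
forwarded only when a token is available, otherwise it is dropped and
counted. Other traffic (TCP data segments) is never limited. The policy
values and the packet stream are constructed.
"""


class TokenBucket:
    def __init__(self, rate, burst):
        self.rate = float(rate)        # tokens added per second
        self.capacity = float(burst)   # maximum tokens the bucket can hold
        self.tokens = float(burst)     # start full so a short burst passes
        self.last = 0.0

    def allow(self, now):
        """Refill for the elapsed time, then spend one token if available."""
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def classify(pkt):
    """Map a packet record to a limiter class; 'other' is unlimited."""
    if pkt["proto"] == "icmp":
        return "icmp"
    if pkt["proto"] == "udp":
        return "udp"
    if pkt["proto"] == "tcp" and pkt.get("flags") == "SYN":
        return "tcp_syn"
    return "other"


def rate_limit(packets, policy):
    """Return (forwarded, dropped): per-class packet counts."""
    buckets = {cls: TokenBucket(rate, burst) for cls, (rate, burst) in policy.items()}
    forwarded, dropped = {}, {}
    for pkt in sorted(packets, key=lambda p: p["t"]):
        cls = classify(pkt)
        if cls not in buckets or buckets[cls].allow(pkt["t"]):
            forwarded[cls] = forwarded.get(cls, 0) + 1
        else:
            dropped[cls] = dropped.get(cls, 0) + 1
    return forwarded, dropped


# Policy: class -> (packets per second, burst). Illustrative numbers only;
# a real router would use values sized to the link and the normal baseline.
POLICY = {"icmp": (2, 2), "udp": (5, 5), "tcp_syn": (3, 3)}

# Constructed stream: ten ICMP echo requests at four per second (a small
# flood against a 2/s limit), plus one SYN and one TCP data segment.
SAMPLE = [{"t": i * 0.25, "proto": "icmp"} for i in range(10)] + [
    {"t": 0.6, "proto": "tcp", "flags": "SYN"},
    {"t": 0.7, "proto": "tcp", "flags": "ACK"},
]

if __name__ == "__main__":
    fwd, drp = rate_limit(SAMPLE, POLICY)
    print("forwarded:", fwd)
    print("dropped:", drp)
```

Because the buckets are independent, a flood in one class cannot starve the others, which is the point of limiting ICMP, UDP and SYN separately rather than the interface as a whole.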
DDoS mitigation example

Figure (five steps, each adding one measure on the path between the Customer and the Customer Portal or Operator): first the plain path; then a sinkhole (trap); then ACL/rate limiting; then an intelligent filter. The trend is to combine several measures for a better result!
DarkIP

Use of dark address space: sending information to IP address ranges that are reserved for other purposes or not yet in use. Dark address space gets used for several reasons:
- router misconfiguration
- abnormal behaviour of an application
- network misconfiguration
- unauthorised port scanning
- worm attacks on the network
Rising traffic towards dark IPs can indicate a worm spreading on the network, or scanning to recruit new zombie armies.
DarkIP applications: the data produced from dark IPs is usually used to:
- detect the traces of new zero-day worms
- determine the source of a worm
- build a list of infected machines
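An added Python example, not from the slides, of how dark-address-space data is turned into the three outputs listed above: it classifies flows whose destination lies outside the allocated prefixes as dark, counts distinct dark destinations per source so that a sweep stands out from a single misconfigured host, and records the destination ports to hint at which worm is active. The prefixes and flow records are constructed.

```python
"""Dark address space monitoring.

Added example, not from the slides. ALLOCATED lists the prefixes actually in
use inside the organisation; any flow whose destination is outside them is
'dark' traffic. A source that reaches many distinct dark destinations looks
like a scanner or a worm hunting for hosts, while a single stray destination
is more likely a misconfiguration. Prefixes and flow records are constructed.
"""
import ipaddress
from collections import defaultdict

ALLOCATED = [ipaddress.ip_network(p) for p in ("10.1.0.0/24", "10.1.1.0/24")]


def is_dark(dst):
    """True when the destination is not inside any allocated prefix."""
    addr = ipaddress.ip_address(dst)
    return not any(addr in net for net in ALLOCATED)


def dark_report(flows, scan_threshold=5):
    """Return (dark_by_src, suspects, ports).

    dark_by_src: source -> set of distinct dark destinations it touched
    suspects:    sources whose count reached scan_threshold, i.e. the
                 candidate list of infected/scanning machines
    ports:       destination ports seen in dark traffic, a hint at the worm
    """
    dark_by_src = defaultdict(set)
    ports = defaultdict(int)
    for f in flows:
        if is_dark(f["dst"]):
            dark_by_src[f["src"]].add(f["dst"])
            ports[f["dport"]] += 1
    suspects = sorted(src for src, dsts in dark_by_src.items()
                      if len(dsts) >= scan_threshold)
    return dict(dark_by_src), suspects, dict(ports)


# Constructed flow records (src, dst, dport).
FLOWS = (
    [{"src": "10.1.0.7", "dst": "10.1.1.20", "dport": 80}] * 3        # normal traffic
    + [{"src": "10.1.0.9", "dst": "10.1.5.1", "dport": 53}]           # one stray: misconfiguration?
    + [{"src": "10.1.0.42", "dst": f"10.1.2.{i}", "dport": 445}       # sweep of an unused block
       for i in range(1, 13)]
)

if __name__ == "__main__":
    by_src, suspects, ports = dark_report(FLOWS)
    for src, dsts in by_src.items():
        print(f"{src}: {len(dsts)} dark destination(s)")
    print("suspects:", suspects, "dark ports:", ports)
```

The threshold separates the two causes the slide names: a misconfigured router or application typically hits one or two wrong addresses repeatedly, whereas a worm or scanner walks across many addresses it has never seen.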
Expected and unexpected anomalous behaviour

Expected anomalous behaviour shows as a deviation from the normal traffic level. It is usually caused by an attack. This behaviour needs further examination to determine the degree of harm.
Unexpected anomalous behaviour can occur when some machine does not follow the communication conventions. The fault may be due to an attack or to a network error, so it must be investigated to find the real cause.
Unexpected anomalous behaviours: most are used by attackers against some server on the network. Packet types commonly used: SYN floods, ICMP floods, IP fragments. The packets usually belong to the groups: IP Null, TCP Null, Private IP.
Monitoring anomalous behaviour

Figure (monitoring console with callouts): anomalies of this kind are usually more likely to be malicious; high-severity protocol anomalies for protocols other than TCP; high-severity incoming anomalies towards a single host; the graph shows a spike in the traffic levels; the anomaly is high severity with a very high % of threshold.
Botnets

Attackers develop automated distribution tools (using botnets, ...) that let them send attacks to intermediary machines at the same time, making all the intermediaries send their responses directly to a single victim.
Attackers develop tools to observe which routers on the network do not use filters to filter broadcast traffic, and discover networks in which many machines are able to reply simultaneously. Such networks are usually used as intermediaries for attacks.
Dictionary attack: cracking of authentication passwords

Authentication passwords are held in a file (on Unix / Windows), usually encrypted with an algorithm that resists key recovery (for example MD5), that is, a one-way algorithm. The user enters a password; the password is encrypted and compared with the encrypted copy stored on the machine.
Brute force attack: the attacker uses the method of sweeping every possibility (dictionary attack), looking for candidate decryptions starting from a list of words in a dictionary.
Users tend to use common, easily broken passwords: ordinary words and letters, common phrases.
Dictionary attack (cont.)

Dictionary attacks are usually applied in two cases:
- In cryptanalysis, the method searches for the decryption key of a given piece of ciphertext.
- On a network, trying to defeat the authentication and gain unauthorised access to a machine by guessing the password.
The attacker is able to obtain a copy of the list of encrypted passwords from a remote system. The attacker then uses dictionary attacks to search for passwords according to the user's habits (after searching out all information about the user), comparing the candidates against the copied data.
In practice, users choose passwords that are easy to remember. With a large word list, the probability of finding the password is 4/10.
Dictionaries are available on the Internet for every language, easy to access and easy to use for finding passwords in this way.
One-way encryption of passwords

username          Encrypted password
Alix.Bergeret     ADSNUYTGHLKLLL
Matthew.Green     NJKFFDSHPTTDRD
Ian.Coulson       VFGMNBDEQQASU
Brendan.Riordan   VHGUIOUIYEDRDT
Chris.Dennett     CXZAASWEWEDFD
Andy.Sloane       MLOPIUYTRFFGHJ
Mary.Garvey       MNJTYUUIFVCXFG
Brian.Penfold     REDERFGGGHYTR

The one-way encrypted password is recorded in the password file (Alix.Bergeret: ADSNUYTGHLKLLL).
Figure: the client encrypts the password with the same algorithm before sending it over the network to the password authentication server; if the hash values are equal, the client is authenticated!
Advantages and drawbacks of dictionary attacks

The attacker can encrypt and store a dictionary-style list of encrypted words, sorted by the encrypted key/value. This method consumes a lot of memory and usually takes a lot of preparation and computation time. However, once prepared it can produce an almost instantaneous attack.
The method is particularly effective when a large number of passwords have to be recovered at once.
Advantages and drawbacks of dictionary attacks (2)

The attacker usually writes down a list of commonly used passwords, passes them through the algorithm and sorts them alphabetically.

Word           Hashed word
cricket        ABVGTHYULPMMN
football       ADSNUYTGHLKLLL
england        CFTGERHTYUUUU
sister         QRTSNDCNCNNNN
christopher    RTSGHWEREEEDM
charlie        STTHHHHHERERE
louise         NMZOAOWJBHEEU
(the cracker's sorted list of hashed words)

username          Encrypted password
Alix.Bergeret     ADSNUYTGHLKLLL
Matthew.Green     NJKFFDSHPTTDRD
Ian.Coulson       VFGMNBDEQQASU
Brendan.Riordan   VHGUIOUIYEDRDT
Chris.Dennett     CXZAASWEWEDFD
Andy.Sloane       MLOPIUYTRFFGHJ
Mary.Garvey       MNJTYUUIFVCXFG
Brian.Penfold     REDERFGGGHYTR
(the password list)

It is easy to determine Alix.Bergeret's password by comparing the hash values.
RIP attacks

Routing Information Protocol (RIP) attacks are commonly seen in routers that run the standard version of RIP. RIP is used to distribute routing information within a network, for example the shortest routes and the routes advertised from the internal network to the outside.
The standard version of RIP has no authentication.
The information carried in RIP messages is usually used without any authenticity check on the message itself.
RIP attacks (2)

The attacker can forge a RIP message, for example declaring that machine X has the shortest route out of the network.
Every packet leaving this network will then be routed through X. Machine X can inspect and modify the packets.
The attacker can use RIP to impersonate any host, so that all traffic is sent to the attacker's machine instead of to that host.
RIPv2 improves on this with a simple password authentication scheme, which makes attacks through RIP more difficult.
IPsec VPN also provides the ability to encrypt the routing information exchanged between routers that use an IPsec VPN.
Packet sniffing

NICs normally process only the packets whose MAC address is aimed at the machine holding the NIC. On a network without a switch, all traffic is delivered to every machine.
Software/hardware is readily available to do this work. If a NIC is configured in promiscuous mode, it can capture and process every packet travelling on the subnet. This means the content of all packets transmitted on the network can be viewed (some protocols such as FTP, Telnet, HTTP, SMTP and POP3 send passwords in clear text). Much other information can be extracted as well.
In practice a switch only delivers a packet to the correct destination machine. However, attackers have several ways to capture these packets.
Two ways to get past a switch: ARP spoofing and MAC flooding

ARP spoofing is the "manual" method. ARP, the Address Resolution Protocol, is used to map IP addresses to MAC addresses. Because ARP is a stateless protocol it can be fooled quite easily.
The usual method is to impersonate the gateway, so that all traffic from machine A (the victim) to the gateway first passes through the attacker's machine B.
Common tools: arpspoof, dsniff
ARP spoofing

The attacker uses programs such as arpspoof to change the identity of a host and receive all the information passing over the network.

ARP spoofing steps
1. Set your machine to forward packets:
   Linux: echo 1 > /proc/sys/net/ipv4/ip_forward
   BSD: sysctl -w net.inet.ip.forwarding=1
2. Start arpspoofing (using two terminal windows)
   arpspoof -t 149.160.x.x 149.160.y.y
   arpspoof -t 149.160.y.y 149.160.x.x
3. Start sniffing
   ngrep host 149.160.x.x | less
   OR
   dsniff | less

Countermeasures: 1) static ARP table; 2) ARPWatch
MAC flooding

MAC flooding is an ARP cache poisoning technique aimed at the switches on a network.
When a switch is flooded it turns into a plain hub! In hub mode the switch cannot enforce any security feature and readily broadcasts every packet to every machine on the subnet.
The attacker can flood the switch's ARP table with forged ARP reply packets, then force the switch into hub mode to capture all packets. Typical tools: macof, dsniff
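The two countermeasures named on the ARP spoofing slide (a static ARP table and ARPWatch) and the symptom of MAC flooding both reduce to simple bookkeeping over what is seen on the wire. The following added Python example, not from the slides or from the ARPWatch project, shows both checks: an ARPWatch-style monitor that reports any IP whose MAC changes (and refuses to update entries pinned statically), and a per-port count of distinct source MACs that exposes a flooding port. All ARP replies and frames are constructed.

```python
"""ARPWatch-style IP-to-MAC change detection plus switch MAC-table flood
detection, the defensive checks implied by the ARP spoofing and MAC
flooding slides above.

Added example, not from the slides. ArpWatch remembers the first MAC seen
for each IP (or a static entry supplied by the administrator) and reports
any reply that claims a different MAC, which is what gateway impersonation
looks like on the wire. mac_flood_ports counts distinct source MACs per
switch port, since a port that suddenly sources hundreds of addresses is
being used to exhaust the switch's table. All records are constructed.
"""
from collections import defaultdict


class ArpWatch:
    def __init__(self, static=None):
        # Static entries (the slide's countermeasure 1) are never overwritten.
        self.static = {ip: mac.lower() for ip, mac in (static or {}).items()}
        self.table = dict(self.static)
        self.alerts = []

    def observe(self, reply):
        """Process one ARP reply record {'ip': ..., 'mac': ...}."""
        ip, mac = reply["ip"], reply["mac"].lower()
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac                  # first sighting: learn it
        elif known != mac:
            self.alerts.append((ip, known, mac))  # mapping changed: report it
            if ip not in self.static:
                self.table[ip] = mac              # follow it so a flip back is also reported
        return len(self.alerts)


def mac_flood_ports(frames, limit=100):
    """Return {port: distinct_source_macs} for every port above the limit."""
    seen = defaultdict(set)
    for fr in frames:
        seen[fr["port"]].add(fr["src_mac"].lower())
    return {port: len(macs) for port, macs in seen.items() if len(macs) > limit}


# Constructed ARP replies: the gateway 192.0.2.1 is later claimed by a new MAC.
ARP_REPLIES = [
    {"ip": "192.0.2.1", "mac": "00:11:22:33:44:01"},   # real gateway
    {"ip": "192.0.2.10", "mac": "00:11:22:33:44:0a"},  # a workstation
    {"ip": "192.0.2.1", "mac": "00:11:22:33:44:01"},   # repeat, no change
    {"ip": "192.0.2.1", "mac": "DE:AD:BE:EF:00:01"},   # gateway IP now claims another MAC
]

# Constructed frames: port 1 carries one workstation; port 7 sources 300 MACs.
FRAMES = [{"port": 1, "src_mac": "00:11:22:33:44:0a"}] * 50 + [
    {"port": 7, "src_mac": f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}"} for i in range(300)
]


def run_demo():
    """Pin the gateway statically, replay the replies, then check the frames."""
    watch = ArpWatch(static={"192.0.2.1": "00:11:22:33:44:01"})
    for reply in ARP_REPLIES:
        watch.observe(reply)
    return watch.alerts, mac_flood_ports(FRAMES)


if __name__ == "__main__":
    alerts, flooded = run_demo()
    for ip, old, new in alerts:
        print(f"ARP change for {ip}: {old} -> {new}")
    print("flooded ports:", flooded)
```

With the gateway pinned, the forged reply is reported but never accepted, which is exactly what a static ARP entry buys on the hosts themselves; the per-port MAC count is the same signal that switch port-security limits act on.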
Spoofing
The attacker changes identity so that other users believe he is one of them: email, user ID, IP address, ...
The attacker exploits the authentication process between users and the system/network to seize control.
Kinds of spoofing:
1. IP spoofing
2. Email spoofing
3. Web spoofing
IP spoofing: changing the source IP address

Scanning with successively spoofed addresses
Before attacking the victim machine, the attacker tries to scan the system to extract as much information as possible about the victim.
A firewall or IDS can detect this scan and may raise an alert about the risk of attack.
The attacker tries to hide the scanning by using datagrams spoofed from a range of IP addresses (not from one fixed IP address) to blind the firewall or IDS.
IP spoofing: flying-blind attack

The attacker uses the IP address of another computer to acquire information or gain access.
Figure: the attacker (10.10.50.50) sends packets with From Address 10.10.20.30 (the spoofed address) and To Address 10.10.5.5 (John); the replies are sent back to 10.10.20.30.
- The attacker changes his own IP address to the spoofed address
- The attacker can send messages to a machine while masquerading as the spoofed machine
- The attacker cannot receive messages from that machine
IP spoofing: source routing

The attacker spoofs the IP address (10.10.20.30) and inserts himself between the two machines to capture the reply packets.
Figure: the attacker (10.10.50.50) sends packets with From Address 10.10.20.30 (the spoofed address) and To Address 10.10.5.5 (John); the attacker intercepts the replies as they go to 10.10.20.30.
The path a packet takes can change over time. To be sure of sitting in the middle throughout, the attacker uses source routing to guarantee that the packets always pass through predetermined nodes on the network.
The attacker sends broadcast packets to a trusted network

The hosts reply to the victim's spoofed IP address.
Figure: the attacker pings the broadcast address of the network behind a router; every host replies to the victim.
Email spoofing

The attacker sends mail impersonating someone and waits for the reply?
Kinds of email spoofing:
1. Create an account with a similar email address: [email protected]: impersonating familiar addresses
2. Modify a mail client: the attacker inserts an arbitrary reply address into the outgoing mail
3. Telnet to port 25: most mail servers use port 25 for SMTP. The attacker sends messages to this port and then alters the message delivered to the user.

Web spoofing
Basic: the attacker registers a web address that closely resembles another one, confusing users.
Man-in-the-middle attack: the attacker sets up a proxy between the web server and the client, or attacks the router or network node that forwards the corresponding traffic between the web server and the client.
URL rewriting: the attacker redirects web traffic to another page under his control, by writing his own web address in front of the legitimate link.
Tracking state: when a user logs in to a site, the authentication is maintained. The attacker steals the authentication information to impersonate the user.

Session hijacking
The process of taking over an existing working session.
Method:
1. The user establishes a connection to the server by authenticating with a user ID and password.
2. After the user has been authenticated, they access the server until the session ends.
3. The attacker uses DoS to paralyse the session.
4. The attacker takes control of the user's session, impersonating the user.

Session hijacking (2)
Attacker's behaviour: monitor the session; repeatedly send injected commands between the user's access requests; inject passive/active attacks into the session.
Figure: Bob telnets to the server and authenticates; the attacker sends "Die!" to Bob and "Hi! I am Bob" to the server.
Techniques against address spoofing

Packet filtering rules on border routers:
Rule 1: do not let packets leave whose source IP address is outside the ISP's range (RFC 2827).
Rule 2: do not let packets enter whose source IP address is inside the ISP's range.
Rule 1 is the most basic rule and is commonly used against DoS attacks.
Figure: AS of my ISP: 171.85.0.0; AS of the neighbouring ISP: 204.12.15.0.
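The two border-router rules above (and the "ingress / egress filtering (anti-spoofing)" item in the DDoS countermeasures list) can be checked with a few lines of address arithmetic. This is an added Python example, not from the slides: the 171.85.0.0 prefix comes from the figure, but its /16 length, the packets and the neighbouring ISP's role as peer are assumed; 10.10.20.30 is the spoofed address used in the IP spoofing slides.

```python
"""Border-router ingress/egress anti-spoofing filter (rules 1 and 2 above,
RFC 2827 / BCP 38).

Added example, not from the slides. MY_ISP is the prefix from the slide's
figure with an assumed /16 length; the packets are constructed, with
204.12.15.0/24 (the neighbouring ISP in the figure) as the peer.
"""
import ipaddress

MY_ISP = ipaddress.ip_network("171.85.0.0/16")   # my AS; prefix length assumed


def border_filter(direction, src, my_prefix=MY_ISP):
    """direction: 'out' = leaving my AS, 'in' = arriving from a neighbour.
    Returns (permit, reason)."""
    inside = ipaddress.ip_address(src) in my_prefix
    if direction == "out" and not inside:
        return False, "rule 1: outbound packet with a source outside my ISP"
    if direction == "in" and inside:
        return False, "rule 2: inbound packet claiming a source inside my ISP"
    return True, "permit"


def apply_filter(packets):
    """Split a packet list into (permitted, dropped); each entry is (packet, reason)."""
    permitted, dropped = [], []
    for pkt in packets:
        ok, reason = border_filter(pkt["dir"], pkt["src"])
        (permitted if ok else dropped).append((pkt, reason))
    return permitted, dropped


# Constructed packets. 10.10.20.30 is the spoofed address from the IP
# spoofing slides; a customer forging it must be stopped by rule 1.
PACKETS = [
    {"dir": "out", "src": "171.85.3.9",  "dst": "204.12.15.7"},   # customer to neighbour: ok
    {"dir": "out", "src": "10.10.20.30", "dst": "204.12.15.7"},   # spoofed source: must not leave
    {"dir": "in",  "src": "204.12.15.7", "dst": "171.85.3.9"},    # neighbour's reply: ok
    {"dir": "in",  "src": "171.85.3.9",  "dst": "171.85.3.10"},   # claims to be inside: drop
]

if __name__ == "__main__":
    permitted, dropped = apply_filter(PACKETS)
    for pkt, reason in dropped:
        print(f"DROP {pkt['dir']:>3} src={pkt['src']} ({reason})")
    print(f"{len(permitted)} permitted, {len(dropped)} dropped")
```

Rule 1 is the one that protects everybody else: it stops this ISP's customers from being the source of spoofed floods such as the SYN flood and smurf examples earlier, which is why the slide calls it the basic rule. Rule 2 protects the ISP's own hosts from outsiders pretending to be internal.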
Reference: ftp://ftp.ietf.org/rfc/rfc2827.txt

Buffer overflow attacks
The attack exploits the way information is written and stored: the attacker tries to write more information onto the stack than the allotted memory allows.
How does it work?
Figure, normal stack (fill direction from the bottom of memory towards the top): function call arguments, return pointer, local variable 1 / buffer 1, local variable 2 / buffer 2.
Figure, attacked stack: the buffer 1 space is overwritten, the return pointer is overwritten with a new pointer to the exec code, and local variable 2 / buffer 2 now holds machine code: execve(/bin/sh).

Password attacks
Exploiting weak passwords and uncontrolled network connections (via modem).
Steps:
- The attacker looks up the company's phone numbers and runs an automatic dialling program. For example, for the phone number 555-5532 it dials every number in the range 555-55xx to find the modem numbers. If a modem answers, the attacker records its number.
- The attacker uses a user ID and password to enter the company network: many companies use default accounts such as temp or anonymous with no password; quite a few companies use the company name as the root account and password; the attacker uses password cracking tools to find passwords.

Password security
Hash the password and store it: add a salt so that the stored password is randomised, and store it on the machine. Run password cracking programs (password crack).
Figure: the client sends the password; the server feeds it and the salt into the hash function, compares the hashed password with the stored hashed password, and allows or denies access.
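The salted scheme in the figure is the answer to the sorted hash list of the dictionary attack slides. The following added Python example, not from the slides, shows both sides: an unsalted password file that the precomputed table reverses by lookup alone, and the same two accounts stored with a random per-user salt and PBKDF2, where equal passwords no longer produce equal records and the table finds nothing. The slides' tables use a made-up cipher; here SHA-256 and PBKDF2-HMAC-SHA256 from Python's hashlib stand in for it, so the hashed values differ from the slides'. Word list, account names and passwords are constructed.

```python
"""Per-user salted password hashing versus the precomputed (sorted) hash
list of the dictionary attack slides.

Added example, not from the slides. The slides' tables use a made-up
cipher; here SHA-256 and PBKDF2-HMAC-SHA256 from Python's hashlib stand in
for the one-way function, so the hashed values differ from the slides'.
The word list, account names and passwords are constructed.
"""
import hashlib
import hmac
import os

WORDS = ["cricket", "football", "england", "sister", "christopher", "charlie", "louise"]
ITERATIONS = 100_000   # PBKDF2 work factor (assumed value)


def unsalted_hash(password):
    """The scheme in the slides' table: hash(password) with no salt."""
    return hashlib.sha256(password.encode()).hexdigest()


def precomputed_table(words):
    """The cracker's list: every dictionary word hashed once, indexed by hash."""
    return {unsalted_hash(w): w for w in words}


def crack_unsalted(accounts, table):
    """Reverse an unsalted password file by table lookup alone."""
    return {user: table[h] for user, h in accounts.items() if h in table}


def store_salted(password, salt=None):
    """Store 'salt$digest'. A fresh random salt per user means the same
    password yields different records and no shared table applies."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_salted(password, record):
    """Server-side check from the figure: hash the offered password with the
    stored salt and compare in constant time."""
    salt_hex, digest_hex = record.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


# Two constructed accounts that share the dictionary password "football".
UNSALTED_FILE = {u: unsalted_hash("football") for u in ("Alix.Bergeret", "Brian.Penfold")}
SALTED_FILE = {u: store_salted("football") for u in ("Alix.Bergeret", "Brian.Penfold")}

if __name__ == "__main__":
    table = precomputed_table(WORDS)
    print("unsalted file cracked:", crack_unsalted(UNSALTED_FILE, table))
    print("unsalted: equal passwords give equal hashes:",
          UNSALTED_FILE["Alix.Bergeret"] == UNSALTED_FILE["Brian.Penfold"])
    print("salted: equal passwords give equal records:",
          SALTED_FILE["Alix.Bergeret"] == SALTED_FILE["Brian.Penfold"])
    print("salted verify football:", verify_salted("football", SALTED_FILE["Alix.Bergeret"]))
    print("salted verify cricket :", verify_salted("cricket", SALTED_FILE["Alix.Bergeret"]))
```

The salt removes the precomputation advantage the slides describe (the table would have to be rebuilt per user), and the PBKDF2 iteration count makes each guess cost real work, which is what makes the "almost instantaneous" attack slow again even when the password itself is weak.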
Password attacks: types
- Dictionary attack: the hacker tries all words in a dictionary to crack the password; 70% of people use dictionary words as passwords
- Brute force attack: try all permutations of the letters and symbols in the alphabet
- Hybrid attack: words from the dictionary and their variations are used in the attack
- Social engineering: people write passwords in different places; people disclose passwords naively to others
- Shoulder surfing: hackers slyly watch over people's shoulders to steal passwords
- Dumpster diving: people dump their trash papers in the garbage, which may contain information to crack passwords