
Lecture: Network Attack Methods - Cao Hoàng Nam




DOCUMENT INFORMATION

Pages: 97
Size: 6.49 MB


Page 1

INFORMATION TECHNOLOGY APPLICATION AGENCY

E-GOVERNMENT CENTER

Attack Methods

Cao Hoàng Nam

Page 2

Attack Methods

• Reconnaissance, scanning and information-gathering methods

• Common attack types

• Information security assessment

• Information security vulnerability assessment

• Penetration testing

• Patch management

Page 3

High-profile cyber attacks in recent times

• Chinese hackers attack Philippine websites

• According to the news agency ABS-CBN News, on 11/5 a total of 7 Philippine websites, including 2 websites of that country's government, were taken down and defaced by hackers. The hackers replaced the websites' pages with the words "HACKED BY CHINESE".

Page 4

High-profile cyber attacks in recent times

• On 9/5, just two days after Russian President Vladimir Putin was sworn in, the well-known hacker group Anonymous announced on Twitter that it had taken down the Russian government's portal (at www.kremlin.ru), and declared that it would carry out many further similar attacks on that country's government websites.

• One day earlier, on 8/5, an anonymous hacker group used DDoS (denial of service) to attack the website of Virgin Media, one of the largest Internet service providers in the UK.

• Two Norwegian hackers were caught by the UK's Serious Organised Crime Agency (SOCA), whose role is equivalent to that of the FBI (the US Federal Bureau of Investigation), after attacking the agency's website. SOCA's website was paralysed for several hours, disrupting much of the agency's work and putting SOCA's confidential documents at high risk of being "leaked".

Page 5

High-profile cyber attacks on Vietnam's Internet in the past year

• The hacking and security forum HVA was the victim of 2 denial-of-service (DDoS) attacks in June 2011. In the early morning of 5/6/2011, many forum members reported that the site was hard to reach or completely unreachable. The same day, the HVA administrators issued an official announcement about the incident, according to which HVA had received a sudden surge in traffic (up to 2.5 Gbps), congesting the entire link to the server.

• June 2011 was also when a series of websites on gov.vn domains (websites of ministries and government agencies) were hacked. According to statistics from the Ministry of Information and Communications, 329 web pages on gov.vn domains had fallen victim to attacks as of December 2011. In addition, a series of websites on org.vn domains also became targets of similar attacks.

• The Vietnamnet website went through many incidents in the past year. At the start of the year (4/1/2011), a denial-of-service attack on Vietnamnet left the site congested for many hours, causing difficulty for millions of readers.

Page 6

High-profile cyber attacks on Vietnam's Internet in the past year

Page 7

Reconnaissance, scanning and information-gathering methods

Page 8

What is Footprinting

Page 9

Why Footprinting

Page 10

• Know Security Posture: performing footprinting on the target organization in a systematic and methodical manner gives a complete profile of the organization's security posture.

• Reduce Attack Area: by using a combination of tools and techniques, attackers can take an unknown entity (for example, the XYZ organization) and reduce it to a specific range of domain names, network blocks, and individual IP addresses of systems directly connected to the Internet, as well as many other details pertaining to its security posture.

Page 11

Why Footprinting

• Build information database: a detailed footprint provides maximum information about the target organization. Attackers can build their own information database about the security weaknesses of the target organization. This database can then be analyzed to find the easiest way to break into the organization's security perimeter.

• Draw network map: combining footprinting techniques with tools such as Tracert allows the attacker to create network diagrams of the target organization's network presence. This network map represents their understanding of the target's Internet footprint. These network diagrams can guide the attack.

Page 12

Objectives of Footprinting

Page 13

Footprinting Methodology

Page 14

Overview of Network Scanning

Page 15

Types of Scanning

• Port scanning: open ports and services

• Network scanning: IP addresses

• Vulnerability scanning: presence of known weaknesses

Page 16

Objectives of Network Scanning

Page 17

• Discovering live hosts, IP addresses, and open ports of live hosts running on the network

• Discovering open ports: open ports are the best means to break into a system or network; you can find easy ways to break into the target organization's network by discovering open ports on its network

Page 18

Objectives of Network Scanning

• Discovering the operating system and system architecture of the targeted system: this is also referred to as fingerprinting. Here the attacker will try to launch the attack based on the operating system's vulnerabilities.

• Identifying the vulnerabilities and threats: vulnerabilities and threats are the security risks present in any system. You can compromise the system or network by exploiting these vulnerabilities and threats.

• Detecting the associated network service of each port

Page 19

Scanning Methodology

Page 20

What is Enumeration

• Enumeration is defined as the process of extracting user names, machine names, network resources, shares, and services from a system

• In the enumeration phase, the attacker creates active connections to the system and performs directed queries to gain more information about the target

• The attacker uses the gathered information to identify the vulnerabilities or weak points in system security and then tries to exploit them

Page 21

What is Enumeration

Page 22

Techniques for Enumeration

Page 23

Techniques for Enumeration

• Extract user names using email IDs: every email ID contains two parts; one is the user name and the other is the domain name. For example, in abc@gmail.com, abc is the user name and gmail.com is the domain name.

• Extract information using default passwords: many online resources provide lists of the default passwords assigned by manufacturers to their products. Often users forget to change the default passwords provided by the manufacturer or developer of the product. If users don't change their passwords for a long time, then attackers can easily enumerate their data.

Page 24

Techniques for Enumeration

• Brute force Active Directory: Microsoft Active Directory is susceptible to a user name enumeration weakness at the time of user-supplied input verification. This is the consequence of a design error in the application. If the "logon hours" feature is enabled, attempts at service authentication result in varying error messages. Attackers take advantage of this and exploit the weakness to enumerate valid user names. If successful, the attackers can then conduct a brute force attack to reveal the respective passwords.

• Extract user names using SNMP: attackers can easily guess the "strings" used by the SNMP API, through which they can extract the required user names.

Page 25

Techniques for Enumeration

• Extract user groups from Windows: these extract user accounts from specified groups, store the results, and also verify whether the session accounts are in the group or not.

• Extract information using DNS Zone Transfer: a DNS zone transfer reveals a lot of valuable information about the particular zone you request. When a DNS zone transfer request is sent to the DNS server, the server transfers its DNS records for that zone. An attacker can get valuable topological information about a target's internal network using DNS zone transfer.

Page 26

Services and Ports to Enumerate

Page 27

Packet Sniffing

Page 28

Sniffing Threats

Page 29

How a Sniffer works

Page 30

Types of Sniffing Attacks

Page 31

• MAC Flooding: a sniffing attack that floods the network switch with data packets, interrupting the usual sender-to-recipient data flow that is keyed on MAC addresses. The data, instead of passing from sender to recipient, blasts out across all the ports. Thus, attackers can monitor the data across the network.

• DNS Poisoning: a process in which the user is misdirected to a fake website by providing fake data to the DNS server. The website looks similar to the genuine site but it is controlled by the attacker.

• ARP Poisoning: an attack in which the attacker tries to associate his/her own MAC address with the victim's IP address so that the traffic meant for that IP address is sent to the attacker.

Page 32

Types of Sniffing Attacks

• DHCP attacks:

– DHCP starvation: attacking a DHCP server by sending a large number of requests to it

– Rogue DHCP server attack: the attacker sets up a rogue DHCP server to impersonate a legitimate DHCP server on the LAN; the rogue server can start issuing leases to the network's DHCP clients. Information provided to the clients by this rogue server can disrupt their network access, causing DoS.

• Password Sniffing: a method used to steal passwords by monitoring the traffic that moves across the network and pulling out data, including the data containing passwords. After obtaining passwords, attackers can gain control over the network, access user accounts and sensitive material.

Page 33

Types of Sniffing Attacks

• Spoofing Attacks: the attacker successfully pretends to be someone else by falsifying data and thereby gains access to restricted resources or steals personal information. The attacker can use the victim's IP address illegally to access their accounts, to send fraudulent emails, to set up fake websites for acquiring sensitive information, or to set up fake wireless access points and lure legitimate users into connecting through the illegitimate connection.
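The ARP poisoning attack described above leaves a detectable trace: one IP suddenly advertised by a second MAC, or one MAC claiming several IPs. The following detector is an added example, not part of the original lecture; the ARP replies, the 10.0.0.0/24 addresses and the pinned gateway baseline are all constructed for illustration.

```python
"""Detecting ARP poisoning from a stream of observed ARP replies."""
from collections import defaultdict

# Constructed sample of (sender IP, sender MAC) pairs as seen in ARP replies on
# one LAN segment. 10.0.0.1 plays the gateway. The last two entries simulate a
# poisoning host at aa:bb:cc:dd:ee:ff claiming both the gateway's and a client's
# address, which is how traffic for those IPs gets redirected to it.
SAMPLE_ARP_REPLIES = [
    ("10.0.0.1", "00:11:22:33:44:01"),
    ("10.0.0.5", "00:11:22:33:44:05"),
    ("10.0.0.9", "00:11:22:33:44:09"),
    ("10.0.0.1", "aa:bb:cc:dd:ee:ff"),
    ("10.0.0.5", "aa:bb:cc:dd:ee:ff"),
]

# Constructed static baseline for hosts whose MAC must never change (the gateway).
STATIC_BASELINE = {"10.0.0.1": "00:11:22:33:44:01"}


def detect_arp_poisoning(replies, baseline=None):
    """Return alert strings for three ARP-poisoning symptoms:
    - an IP advertised by more than one MAC (its binding was overwritten),
    - a MAC advertising more than one IP (one host posing as several),
    - a baseline host advertised with a MAC other than the pinned one."""
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)
        pinned = (baseline or {}).get(ip)
        if pinned is not None and mac != pinned.lower():
            alerts.append(f"baseline violation: {ip} advertised by {mac}, expected {pinned}")
    for ip, macs in sorted(ip_to_macs.items()):
        if len(macs) > 1:
            alerts.append(f"IP {ip} claimed by multiple MACs: {sorted(macs)}")
    for mac, ips in sorted(mac_to_ips.items()):
        if len(ips) > 1:
            alerts.append(f"MAC {mac} claims multiple IPs: {sorted(ips)}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_poisoning(SAMPLE_ARP_REPLIES, STATIC_BASELINE):
        print(line)
```

On a real segment the same logic runs over replies captured by a sniffer or over periodic snapshots of the ARP cache; a pinned baseline for the gateway is what turns the gateway re-binding into an immediate alert rather than a statistic.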

Page 34

What is Social Engineering

Page 35

Behaviors vulnerable to Attack

Page 36

Factors that make companies vulnerable to attack

Page 37

Why is Social Engineering effective?

Page 38

Phases in a Social Engineering attack

Page 39

Common attack types

Page 40

What is a Denial of Service attack?

Page 41

What are Distributed Denial of Service attacks?

Page 42

How Distributed Denial of Service attacks work

Page 43

Symptoms of a Denial of Service attack

Page 44

DoS attack Techniques

Page 45

What is Session Hijacking?

Page 46

Dangers posed by Hijacking

Page 47

Why Session Hijacking is successful

Page 48

Key Session Hijacking Techniques

Page 49

Key Session Hijacking Techniques

• Brute forcing: involves making thousands of requests using all the available session IDs until the attacker succeeds. This technique is comprehensive but a time-consuming process.

• Stealing: the attacker uses various techniques to steal session IDs. The techniques may be installing trojans on client PCs, sniffing network traffic, etc.

• Calculating: with non-randomly generated IDs, the attacker tries to calculate the session IDs. The number of attempts that need to be carried out to retrieve the session ID of a user or client depends on the key space of the session IDs. Therefore, the probability of success of this type of attack can be calculated based on the size and key space of the session IDs.
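The "Calculating" technique works because the key space a generator actually uses can be far smaller than its nominal one. The following is an added example, not code from the lecture: it contrasts a constructed counter-based generator with one built on Python's secrets module, and estimates from a sample of IDs how many bits an attacker would really have to search.

```python
"""Session-ID key space: nominal versus observed, and why calculable IDs fail."""
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def predictable_session_id(counter):
    """Weak generator (constructed for the example): a zero-padded counter.
    Its nominal key space is 10**12, but consecutive IDs differ only in the
    low digits, so an attacker who has seen one can calculate the rest."""
    return f"{counter:012d}"


def secure_session_id(length=32):
    """Strong generator: symbols drawn uniformly from a CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def keyspace_bits(length, alphabet_size):
    """Nominal key space, in bits, of an ID of `length` symbols."""
    return length * math.log2(alphabet_size)


def observed_keyspace_bits(ids):
    """Estimate the key space a generator actually uses from a sample of its
    IDs: per character position, log2 of the number of distinct symbols seen
    there, summed over positions. Positions that never change contribute 0."""
    length = len(ids[0])
    bits = 0.0
    for pos in range(length):
        distinct = {sid[pos] for sid in ids}
        bits += math.log2(len(distinct))
    return bits


def expected_guesses(bits):
    """Expected number of blind attempts to hit one valid ID: half of 2**bits."""
    return 2 ** (bits - 1)


if __name__ == "__main__":
    weak = [predictable_session_id(i) for i in range(1000)]
    strong = [secure_session_id() for _ in range(2000)]
    print("counter IDs: nominal %.1f bits, observed %.1f bits"
          % (keyspace_bits(12, 10), observed_keyspace_bits(weak)))
    print("secrets IDs: nominal %.1f bits, observed %.1f bits"
          % (keyspace_bits(32, 62), observed_keyspace_bits(strong)))
```

The observed estimate is an upper bound on what the sample reveals (it ignores correlations between positions), so a generator that scores low here is weak with certainty, while a high score only says the sample shows no obvious structure.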

Page 50

Why Webservers are compromised

Page 51

Impact of Webserver attacks

Page 52

Webserver attack methodology

Page 53

• Information gathering: every attacker tries to collect as much information as possible about the target web server. Once the information is gathered, the attacker analyzes it in order to find the security lapses in the web server's current mechanisms.

• Web server footprinting: gathering more information about the security aspects of a web server with the help of tools or footprinting techniques. The main purpose is to learn about its remote access capabilities, its ports and services, and the aspects of its security.

• Mirroring a website: a method of copying a website and its content onto another server for offline browsing

Page 54

Webserver attack methodology

• Vulnerability scanning: a method of finding various vulnerabilities and misconfigurations of a web server. It is done with the help of various automated tools known as vulnerability scanners.

• Session hijacking: is possible once the current session of the client is identified. Complete control of the user session is taken over by the attacker by means of session hijacking.

• Hacking web server passwords: attackers use various password cracking methods like brute force attacks, hybrid attacks, dictionary attacks, etc. to crack web server passwords

Page 55

What is SQL Injection

Page 56

SQL Injection attacks

Page 57

Types of SQL Injection

Page 58

Types of SQL Injection

• Blind SQL injection: wherever there is a web application vulnerability, blind SQL injection can be used either to access sensitive data or to destroy the data. The attacker can steal the data by asking a series of true or false questions through SQL statements.
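The "true or false questions" only work when the application lets input change the query's logic. The following is an added example, not from the lecture: a constructed in-memory sqlite3 table, a lookup that concatenates input into SQL (the vulnerable form), the same lookup with a bound parameter (the fix), and a probe that checks whether an endpoint's yes/no answer can be steered by its input at all.

```python
"""Blind SQL injection: string-built query versus parameterized query."""
import sqlite3


def make_db():
    """Constructed sample database with a users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def user_exists_vulnerable(conn, name):
    """The 'before': user input is concatenated into the SQL text, so the
    yes/no answer reflects whatever condition the input appends. That one
    leaked bit per request is all a blind injection needs."""
    sql = f"SELECT COUNT(*) FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchone()[0] > 0


def user_exists_safe(conn, name):
    """The fix: a bound parameter is sent as data and is never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchone()[0] > 0


# Two constructed inputs that differ only in a condition that is always true
# versus always false. A lookup that answers them differently is answering
# attacker-chosen questions instead of looking up a name.
TRUE_PROBE = "x' OR 1=1 --"
FALSE_PROBE = "x' OR 1=2 --"


def answers_injected_questions(lookup, conn):
    """Return True when the lookup's result can be steered by its input."""
    return lookup(conn, TRUE_PROBE) != lookup(conn, FALSE_PROBE)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup steerable:", answers_injected_questions(user_exists_vulnerable, db))
    print("parameterized lookup steerable:", answers_injected_questions(user_exists_safe, db))
```

The same check is useful as a regression test for any lookup that takes untrusted input: it should return False for every endpoint once all queries are parameterized.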

Page 60

Buffer Overflow

Page 61

Why are programs and applications vulnerable to Buffer overflow

Page 62

An example of Buffer overflow

Page 63

An example of Buffer overflow

Page 64

Information security assessment

Page 66

Security Audits

• An IT security audit focuses on the people and processes used to design, implement and manage security on a network

• This is a baseline for the processes and policies within an organization

• IT management usually initiates IT security audits

• In computing, a security audit is a technical assessment of a system or application, done manually or automatically

Page 67

Security Audits

Page 68

• Perform a manual assessment by using the following techniques:

– Interviewing the staff

– Reviewing application and operating system access controls

– Analyzing physical access to the systems

• Perform an automatic assessment by using the following techniques:

– Generating audit reports

– Monitoring and reporting changes in files

Page 69

Vulnerability Assessment

• Vulnerability assessment is a basic type of security assessment

• Helps you find known security weaknesses by scanning a network

• Scanning tools search network segments for IP-enabled devices and enumerate systems, operating systems and applications

• Vulnerability scanners also identify common security mistakes such as accounts with weak passwords, files and folders with weak permissions, default services and applications that need to be uninstalled, and mistakes in security configuration

Page 70

Vulnerability Assessment

Page 71

Limitations of Vulnerability Assessment

Page 72

Penetration Testing

Page 74

Why Penetration Testing

Page 75

Comparing Security Audits, Vulnerability Assessment and Penetration Testing

Page 76

What should be tested

Page 77

What makes a good penetration test

Page 78

External Penetration Testing

Page 79

Internal Penetration Testing

Page 80

Automated Testing

Page 81

Manual Testing

Page 82

Penetration Testing Techniques

Page 83

Phases of Penetration Testing

Page 84

• Pre-attack Phase: focuses on gathering as much information as possible about the target organization or network to be attacked.

• Attack Phase: the information gathered in the pre-attack phase forms the basis of the attack strategy.

• Post-attack Phase: the tester needs to restore the network to its original state. This involves cleanup of testing processes and removal of the vulnerabilities created during testing (not those that existed originally).

Page 86

Patch Management

• According to statistics published by CERT/CC, the number of vulnerabilities catalogued annually has continued to rise, from 345 in 1996 to 8,064 in 2006. Put another way, identifiable software vulnerabilities have increased more than 20 times over the last decade.

• Attackers are able to take advantage of newly discovered vulnerabilities in less time than ever

• It has been shown that the amount of time between the discovery of a software vulnerability and the corresponding attacks has been steadily decreasing

• There is also an increasing trend towards attack tools that exploit newly discovered vulnerabilities appearing well before any corresponding patch is released by the software vendor to fix the problem. This situation is generally known as a "zero-day attack".

Posted: 17/10/2014, 07:10
