Attack Methods

The hacking and security forum HVA was the victim of two denial-of-service (DDoS) attacks in June 2011. In the early hours of 5/6/2011, many forum members reported that the site was hard to reach or completely unreachable. The same day, the HVA administrators issued an official announcement about the incident, according to which HVA had seen a sudden spike in traffic (up to 2.5Gbps) that saturated the entire link to the server.

June 2011 was also when a series of websites with .gov.vn domains (websites of ministries and government agencies) were hacked. According to statistics from the Ministry of Information and Communications, 329 .gov.vn websites had fallen victim to attacks as of December 2011. In addition, a series of .org.vn websites were targeted by similar attacks.

The Vietnamnet website went through many incidents over the past year. At the start of the year (4/1/2011), a denial-of-service attack aimed at Vietnamnet left the site congested for many hours, causing difficulty for millions of readers.

 

Attack Methods
Cao Hoàng Nam, 11/26/2013

Attack Methods
- Reconnaissance, scanning and information-gathering methods
- Common types of attacks
- Information security assessment
- Information security vulnerability assessment
- Penetration testing
- Patch management

Notable "high-profile" cyber attacks of recent times
Chinese hackers attack Philippine websites: according to ABS-CBN News, on 11/5 a total of 7 Philippine websites, 2 of them websites of the Philippine government, were taken down and defaced by hackers. The hackers replaced the sites' pages with the words "HACKED BY CHINESE".

Notable "high-profile" cyber attacks of recent times
On 9/5, just two days after Russian President Vladimir Putin was sworn in, the well-known hacker group Anonymous announced on Twitter that it had taken down the Russian government portal (at www.kremlin.ru), and said it would carry out many more similar attacks on the country's government websites. One day earlier, on 8/5, an anonymous hacker group used DDoS (denial of service) to attack the website of Virgin Media, one of the largest Internet service providers in the UK. Two Norwegian hackers were caught by the UK's Serious Organised Crime Agency (SOCA), whose role is equivalent to that of the FBI (the US Federal Bureau of Investigation), after attacking the agency's website. SOCA's website was paralysed for several hours, disrupting much of the agency's work and putting SOCA's confidential documents at high risk of being "leaked".

Notable cyber attacks on the Vietnamese Internet over the past year

Reconnaissance, scanning and information-gathering methods
- Footprinting
- Scanning Networks
- Enumeration
- Sniffing
- Social Engineering

What is Footprinting

Why Footprinting
- Know security posture: performing footprinting on the target organization in a systematic and methodical manner gives a complete profile of the organization's security posture.
- Reduce attack area: by using a combination of tools and techniques, attackers can take an unknown entity (for example, XYZ organization) and reduce it to a specific range of domain names, network blocks and individual IP addresses of systems directly connected to the Internet, as well as many other details pertaining to its security posture.
- Build information database: a detailed footprint provides maximum information about the target organization. Attackers can build their own information database about the security weaknesses of the target organization. This database can then be analyzed to find the easiest way to break into the organization's security perimeter.
- Draw network map: combining footprinting techniques with tools such as Tracert allows the attacker to create network diagrams of the target organization's network presence. This network map represents their understanding of the target's Internet footprint. These network diagrams can guide the attack.

Objectives of Footprinting

Footprinting Methodology

Overview of Network Scanning

Types of Scanning
- Port scanning: open ports and services
- Network scanning: IP addresses
- Vulnerability scanning: presence of known weaknesses

Objectives of Network Scanning
- Discovering live hosts, their IP addresses, and the open ports of live hosts running on the network.
- Discovering open ports: open ports are the best means to break into a system or network; you can find easy ways to break into the target organization's network by discovering the open ports on it.
- Discovering the operating system and system architecture of the targeted system: this is also referred to as fingerprinting. Here the attacker will try to launch the attack based on the operating system's vulnerabilities.
- Identifying vulnerabilities and threats: vulnerabilities and threats are the security risks present in any system. You can compromise the system or network by exploiting these vulnerabilities and threats.
- Detecting the network service associated with each port.

Scanning Methodology

What is Enumeration
Enumeration is defined as the process of extracting user names, machine names, network resources, shares and services from a system. In the enumeration phase, the attacker creates active connections to the system and performs directed queries to gain more information about the target. The attacker uses the gathered information to identify the vulnerabilities or weak points in system security and then tries to exploit them.

Techniques for Enumeration
- Extract user names using email IDs: every email ID contains two parts; one is the user name and the other is the domain name. For example, in abc@gmail.com, abc is the user name and gmail.com is the domain name.
- Extract information using default passwords: many online resources provide lists of the default passwords assigned by manufacturers to their products. Users often forget to change the default passwords provided by the manufacturer or developer of the product. If users don't change their passwords for a long time, attackers can easily enumerate their data.
- Brute force Active Directory: Microsoft Active Directory is susceptible to a user name enumeration weakness at the time of user-supplied input verification. This is the consequence of a design error in the application. If the "logon hours" feature is enabled, attempts to authenticate to the service result in varying error messages. Attackers take advantage of this and exploit the weakness to enumerate valid user names. If successful, the attackers can then conduct a brute force attack to reveal the respective passwords.
- Extract user names using SNMP: attackers can easily guess the "strings" using the SNMP API, through which they can extract the required user names.
- Extract user groups from Windows: these extract user accounts from specified groups, store the results, and also verify whether the session accounts are in the group or not.
- Extract information using DNS zone transfer: a DNS zone transfer reveals a lot of valuable information about the particular zone you request. When a DNS zone transfer request is sent to the DNS server, the server transfers the DNS records that make up that zone. An attacker can obtain valuable topological information about a target's internal network using DNS zone transfer.
Services and Ports to Enumerate

Packet Sniffing

Sniffing Threats

How a Sniffer Works

Types of Sniffing Attacks
- MAC flooding: a sniffing attack that floods the network switch with data packets, interrupting the usual sender-to-recipient data flow that is based on MAC addresses. Instead of passing from sender to recipient, the data is blasted out across all the ports. Thus, attackers can monitor the data across the network.
- DNS poisoning: a process in which the user is misdirected to a fake website by providing fake data to the DNS server. The website looks similar to the genuine site but is controlled by the attacker.
- ARP poisoning: an attack in which the attacker tries to associate his/her own MAC address with the victim's IP address so that traffic meant for that IP address is sent to the attacker.
- DHCP attacks:
  - DHCP starvation: attacking a DHCP server by sending a large number of requests to it.
  - Rogue DHCP server attack: the attacker sets up a rogue DHCP server to impersonate a legitimate DHCP server on the LAN; the rogue server can start issuing leases to the network's DHCP clients. Information provided to the clients by this rogue server can disrupt their network access, causing DoS.
- Password sniffing: a method used to steal passwords by monitoring the traffic that moves across the network and pulling out data, including the data containing passwords. After obtaining passwords, attackers can gain control over the network and access user accounts and sensitive material.
- Spoofing attacks: the attacker successfully pretends to be someone else by falsifying data and thereby gains access to restricted resources or steals personal information. The attacker can use the victim's IP address illegally to access their accounts, send fraudulent emails, set up fake websites for acquiring sensitive information, or set up fake wireless access points and get legitimate users to connect through the illegitimate connection.

What is Social Engineering

Behaviors Vulnerable to Attack

Factors that Make Companies Vulnerable to Attack

Why is Social Engineering Effective?

Phases in a Social Engineering Attack

Common types of attacks
- Denial of Service
- Session Hijacking
- Hacking Webservers
- SQL Injection
- Buffer Overflow

What is a Denial of Service Attack?

What are Distributed Denial of Service Attacks?

How Distributed Denial of Service Attacks Work

Symptoms of a Denial of Service Attack

DoS Attack Techniques

What is Session Hijacking?

Dangers Posed by Hijacking

Why Session Hijacking is Successful

Key Session Hijacking Techniques
- Brute forcing: involves making thousands of requests using all the available session IDs until the attacker succeeds. This technique is comprehensive but a time-consuming process.
- Stealing: the attacker uses various techniques to steal session IDs. The techniques may be installing trojans on client PCs, sniffing network traffic, and so on.
- Calculating: using non-randomly generated IDs, the attacker tries to calculate the session IDs. The number of attempts that need to be carried out to retrieve the session ID of the user or client depends on the key space of the session IDs. Therefore, the probability of success of this type of attack can be calculated based on the size and key space of the session IDs.

Why Webservers are Compromised

Impact of Webserver Attacks

Webserver Attack Methodology
- Information gathering: every attacker tries to collect as much information as possible about the target web server. Once the information is gathered, the attacker analyzes it in order to find the security lapses in the current mechanisms of the web server.
- Web server footprinting: gather more information about the security aspects of a web server with the help of tools or footprinting techniques. The main purpose is to learn about its remote access capabilities, its ports and services, and the aspects of its security.
- Mirroring website: a method of copying a website and its content onto another server for offline browsing.
- Vulnerability scanning: a method of finding various vulnerabilities and misconfigurations of a web server. It is done with the help of various automated tools known as vulnerability scanners.
- Session hijacking: possible once the current session of the client is identified. Complete control of the user session is taken over by the attacker by means of session hijacking.
- Hacking web server passwords: attackers use various password cracking methods such as brute force attacks, hybrid attacks, dictionary attacks, etc. to crack web server passwords.

What is SQL Injection

SQL Injection Attacks

Types of SQL Injection
- Blind SQL injection: wherever there is a web application vulnerability, blind SQL injection can be used either to access sensitive data or to destroy data. The attacker can steal the data by asking a series of true or false questions through SQL statements.
- Simple SQL injection: the script builds a SQL query by concatenating hard-coded strings together with a string entered by the user. There are two types:
  - UNION SQL injection: used when the user uses the UNION command. The attacker checks for the vulnerability by adding a tick to the end of a ".php?id=" URL.
  - Error-based SQL injection: the attacker makes use of the database-level error messages disclosed by an application. This is very useful for building a vulnerability exploit request.
Buffer Overflow

Why are Programs and Applications Vulnerable to Buffer Overflow

An Example of Buffer Overflow
In a C program:

    #include <stdio.h>
    #include <string.h>

    int main(int argc, char **argv) {
        char target[5] = "TTTT";           /* 4 characters plus the terminating NUL */
        char attacker[11] = "AAAAAAAAAA";  /* 10 characters plus the terminating NUL */
        /* 13 characters plus NUL is 14 bytes: strcpy writes past the end of the
         * 11-byte attacker buffer and into whatever sits next to it on the stack */
        strcpy(attacker, "DDDDDDDDDDDDD");
        printf("%s\n", target);            /* may now print the D's that spilled over */
        return 0;
    }

Information security assessment

Security Assessment
Security assessment categories:
- Security audits
- Vulnerability assessments
- Penetration testing

Security Audits
- An IT security audit focuses on the people and processes used to design, implement and manage security on a network.
- This is a baseline involving the processes and policies within an organization.
- IT management usually initiates IT security audits.
- On a computer, a security audit, the technical assessment of a system or application, is done manually or automatically.
- Perform a manual assessment by using the following techniques: interviewing the staff; reviewing application and operating system access controls; analyzing physical access to the systems.
- Perform an automatic assessment by using the following techniques: generating audit reports; monitoring and reporting changes in files.

Vulnerability Assessment
- Vulnerability assessment is a basic type of security assessment.
- It helps you find known security weaknesses by scanning a network.
- Scanning tools search network segments for IP-enabled devices and enumerate systems, operating systems and applications.
- Vulnerability scanners also identify common security mistakes such as accounts with weak passwords, files and folders with weak permissions, default services and applications that need to be uninstalled, and mistakes in security configuration.

Limitations of Vulnerability Assessment

Penetration Testing

Why Penetration Testing

Comparing Security Audits, Vulnerability Assessment and Penetration Testing

What Should be Tested

What Makes a Good Penetration Test

External Penetration Testing

Internal Penetration Testing

Automated Testing

Manual Testing

Penetration Testing Techniques

Phases of Penetration Testing
- Pre-attack phase: focuses on gathering as much information as possible about the target organization or network to be attacked.
- Attack phase: the information gathered in the pre-attack phase forms the basis of the attack strategy.
- Post-attack phase: the tester needs to restore the network to its original state. This involves cleanup of testing processes and removal of vulnerabilities created (not those that existed originally).

Patch Management
According to the CERT Coordination Center (Computer Emergency Response Team/CC), thousands of software vulnerabilities are discovered and reported every year. A flexible and responsive security patch management process has become a critical component in the maintenance of security on any information system. As more and more software vulnerabilities are discovered and therefore need updates and patches, it is essential that system administrators manage the patching process in a systematic and controlled way.

According to statistics published by CERT/CC, the number of vulnerabilities catalogued annually has continued to rise, from 345 in 1996 to 8,064 in 2006. Put another way, identifiable software vulnerabilities have increased more than 20 times over the last decade.

Attackers are able to take advantage of newly discovered vulnerabilities in less time than ever. It has been shown that the amount of time between the discovery of a software vulnerability and the corresponding attacks has been steadily decreasing. There is also an increasing trend towards attack tools that exploit newly discovered vulnerabilities appearing well before any corresponding patch is released by the software vendor to fix the problem. This situation is generally known as a "zero-day attack".

To avoid attacks through known issues or vulnerabilities, organisations should make sure all IT system administrators are fully up to date with the latest security patch/hot-fix releases from their software vendors. Patches and updates should be reviewed regularly and applied to the operating systems and/or applications that make up the organisation's information systems. To accomplish this, the patching process should be managed in a systematic and controlled way.

Successful patch management requires a robust and systematic process. This process, the Patch Management Lifecycle, involves a number of key steps:
- preparation
- vulnerability identification and patch acquisition
- risk assessment and prioritisation
- patch testing
- patch deployment and verification

Preparation
- Create and maintain a hardware and software inventory: system administrators should create and maintain a clear inventory record of all hardware equipment and software packages, along with the version numbers of the software packages most used within the organisation. This inventory will help system administrators better monitor and identify vulnerabilities and patches that are applicable across the organisation.
- Standardise configurations: standard configurations should be created and maintained for every major group of IT resources, such as user workstations and file servers. Standardised configurations can simplify the patch testing and application updating process, and will reduce the amount of time/labour devoted to patch management.
- Educate users: information security is everybody's business, and an effective patching process cannot be implemented without the cooperation and participation of end-users across the organisation. Users should be made aware of the importance of IT security and patch management as part of their daily work process. If sufficient training is provided to end-users, they can often perform lightweight patching on their own workstations, which will reduce the workload on system administrators around basic patch management.

Vulnerability identification and patch acquisition
There are a number of information resources available to system administrators for monitoring vulnerabilities and patches that may be applicable to their installed hardware and software systems.
- Product vendor websites and mailing lists: direct and reliable resources for system administrators on vulnerability and patch related information for specific products. Many large vendors also maintain support mailing lists that enable them to broadcast notifications of vulnerabilities, patches and updates to subscribers via email. However, vendors sometimes do not report new vulnerabilities straight away, as they may not wish to report a specific vulnerability until a patch is available.
- Third-party security advisory websites: a third-party security advisory website is one that is not affiliated with any one vendor, and may sometimes provide more detailed information about vulnerabilities that have been discovered. These websites may cover a large number of products and report new vulnerabilities ahead of the product vendors because, as mentioned, some vendors may choose to hold a vulnerability notification until a patch is available. Not all websites are reliable; system administrators should carefully choose the best ones.

Risk assessment and prioritisation
Timely response is critical to effective patch management. With limited resources, system administrators may need to prioritise the deployment of new patches, performing a risk assessment to determine which systems should be patched first. In general, this prioritisation should be based on the following criteria:
- Threat: a threat is any potential direct danger to information systems.
- Vulnerability: this could be a flawed software service running on a server, unnecessary open ports, and so on.
- Criticality: this is a measure of how important or valuable a system is to business operations.

Patch testing
Patch testing is vital to ascertain whether or not a new patch will affect the normal operation of any existing software. It is important that this testing is performed on a mirror system that has an identical or very similar configuration to the target production system. In addition to identifying any unintended problems, patches themselves should be tested to ensure that they have fully patched the vulnerability.

Patch deployment and verification
Patching vulnerabilities in a system may be as simple as modifying a configuration setting, or it may require the installation of a completely new version of the software. No single patch method applies across all software applications and operating systems. Product or application vendors may provide specific instructions for applying security patches and updating their products, and it is recommended that system administrators read all the relevant documentation provided by vendors before proceeding with patch installation.

In addition, security patches should be deployed through an established change control process. Before applying a new patch, administrators may want to conduct a full backup of the system to be patched. This enables a quick and easy restoration of the system to a previous state if the patch has an unintended or unexpected impact on the system. After the patch is deployed, system administrators and users should verify that all systems and applications are functioning normally, and that they comply with the laid-down security policies and guidelines.

Thank you for your attention
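Revisiting the buffer overflow example from the slides above: this added C example (not from the original slides) keeps the same 5-byte target and 11-byte attacker buffers but replaces strcpy with a bounded copy, bounded_copy (a hypothetical helper name), that never writes past the destination and reports truncation to the caller, so the neighbouring target buffer is left untouched.

```c
#include <stdio.h>
#include <string.h>

/* Copy src into dst (dst_size bytes), always leaving dst NUL-terminated.
 * Returns 1 when src did not fit and was truncated, 0 when it fit.
 * Unlike strcpy in the slide's example, it never writes beyond dst[dst_size - 1]. */
int bounded_copy(char *dst, size_t dst_size, const char *src) {
    if (dst_size == 0)
        return 1;                          /* nothing can be written safely */
    size_t len = strlen(src);
    if (len >= dst_size) {
        memcpy(dst, src, dst_size - 1);    /* keep only what fits ... */
        dst[dst_size - 1] = '\0';          /* ... and terminate it */
        return 1;                          /* caller must treat this as an error */
    }
    memcpy(dst, src, len + 1);             /* fits, including the terminator */
    return 0;
}

/* Same layout as the slide: a 5-byte target beside an 11-byte attacker buffer,
 * fed the same 13-character string. Returns 1 if target is still "TTTT". */
int demo_target_intact(void) {
    char target[5] = "TTTT";
    char attacker[11] = "AAAAAAAAAA";
    int truncated = bounded_copy(attacker, sizeof attacker, "DDDDDDDDDDDDD");
    printf("truncated=%d attacker=%s target=%s\n", truncated, attacker, target);
    return strcmp(target, "TTTT") == 0;
}

/* Scratch buffer of the slide's size so the copy can be exercised with other inputs. */
static char scratch[11];

int copy_into_scratch(const char *src) {
    return bounded_copy(scratch, sizeof scratch, src);
}

const char *scratch_contents(void) {
    return scratch;
}

int main(void) {
    copy_into_scratch("DDDDDDDDDDDDD");    /* 13 D's: truncated to 10, no overflow */
    printf("scratch=%s\n", scratch_contents());
    return demo_target_intact() ? 0 : 1;
}
```

The truncation flag is the point: a copy that silently drops data is only half a fix, so callers should reject over-long input rather than ignore the return value.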

Files attached to this document:

  • dao_tao_cac_phuong_thuc_tan_cong_cao_hoang_nam_7156.pptx