Often when we find vulnerabilities or misconfigurations in our own systems, we treat them as minor, because we do not react to them as security holes. The tools and techniques used by crackers are variations of many attacks that were carried out before. As a good network or system administrator, or as an end user, you should learn a great deal from the experience of attacks that happened before (even if they happened to other people) in order to avoid the attack that would come next. Knowing the types of attack is very important for keeping a system stable: you do not have to go to the trouble of installing a new system to make it more secure, you just need to apply a small patch or reconfigure your system. For some people this article may be very basic, but it does no harm for a professional to review the basics from time to time. This article is not intended to teach attacking but surviving, because I believe that to survive you must know how an attack works. It lists the attacks that crackers carry out frequently, and every attack has its own methods; IP spoofing alone, for example, has many of them, such as the man-in-the-middle attack. For these reasons I will try to sketch the attacks that crackers use often and that an administrator or end user should know about, while the more specific methods, whether of attack or of defence, I will pour into my next writing. I know the following notes are far from complete, so I hope for suggestions and criticism.
1. IP Spoofing
IP spoofing is also known as source address spoofing: forging the IP address so that the target believes the attacker's IP address is the address of a host on its own network rather than one from outside. Suppose the attacker has the class A IP address 66.25.xx.xx; when attacking the network with this type of attack, the attacker will assume an IP address that belongs to the target's network, for example the class C address 192.xx.xx.xx. IP spoofing occurs when an attacker 'outsmarts' packet routing to change the direction of the data or the transmission to a different destination. Routing packets are usually transmitted transparently and in the clear, which makes it easy for the attacker to modify the origin or destination of the data. This technique is used not only by attackers but also by security professionals to trace the identity of an attacker. The protocols that handle communication between computers are the ones most successfully spoofed. ICMP (Internet Control Message Protocol) is one of them (vulnerable), because this protocol carries information
and error messages between two nodes in the network. Internet Group Management Protocol (IGMP) can be exploited with this type of attack because IGMP reports error conditions at the user datagram level, but this protocol also contains routing information and network information. User Datagram Protocol (UDP) can also be 'asked' to reveal the identity of the target host. The solution to prevent IP spoofing is to secure the packets being transmitted and to install screening policies. Point-to-point encryption can also prevent users who do not have the right to read the data/packets. Authentication can also be used to separate legitimate sources from sources that have been spoofed by the attacker. As another prevention, an administrator can use signatures for the packets that communicate on the network, so it is certain that a packet was not modified in transit. Anti-spoofing rules (anti-spoof rules), which basically tell the server to reject packets that come from outside but appear to come from inside, will generally break any spoofing attack.
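The anti-spoof rule just described, written out as a small Python ingress/egress filter; this is an added example, not code from the original article. The interface names, the internal prefixes and the sample packets are constructed assumptions for illustration.

```python
# Added example (not from the original article): an anti-spoofing ingress
# check of the kind the article describes. It rejects any packet arriving
# on the external interface whose source address belongs to one of the
# internal networks, and also drops packets leaving the internal side
# whose source is not one of ours (so our own hosts cannot spoof others).
# Interface names, prefixes and the sample packets are constructed.
import ipaddress
from dataclasses import dataclass

INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16"),
                 ipaddress.ip_network("10.0.0.0/8")]
# Addresses that should never appear as a source on the wire at all
BOGON_NETS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("0.0.0.0/8")]


@dataclass
class Packet:
    iface: str   # "wan" (outside) or "lan" (inside)
    src: str
    dst: str


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def is_bogon(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGON_NETS)


def anti_spoof_verdict(pkt):
    """Return ('ACCEPT' | 'DROP', reason) for one packet."""
    if is_bogon(pkt.src):
        return "DROP", "bogon source"
    if pkt.iface == "wan" and is_internal(pkt.src):
        # The rule the article describes: outside packet claiming an inside source
        return "DROP", "internal source address arriving from outside"
    if pkt.iface == "lan" and not is_internal(pkt.src):
        # Egress side: stop our own hosts from spoofing someone else's address
        return "DROP", "non-internal source leaving the inside"
    return "ACCEPT", "ok"


def filter_packets(pkts):
    return [(p.src, p.iface, anti_spoof_verdict(p)[0]) for p in pkts]


# Constructed sample traffic
SAMPLE = [
    Packet("wan", "66.25.1.2", "192.168.1.10"),    # ordinary inbound
    Packet("wan", "192.168.1.5", "192.168.1.10"),  # spoofed inside address
    Packet("lan", "192.168.1.7", "66.25.1.2"),     # ordinary outbound
    Packet("lan", "203.0.113.9", "66.25.1.2"),     # inside host spoofing
    Packet("wan", "127.0.0.1", "192.168.1.10"),    # bogon source
]

if __name__ == "__main__":
    for src, iface, verdict in filter_packets(SAMPLE):
        print(f"{iface:3} {src:15} -> {verdict}")
```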
2. FTP Attack
One of the attacks carried out against the File Transfer Protocol is a buffer overflow attack caused by a malformed command. The goal of attacking an FTP server is usually to get a command shell or to carry out a Denial of Service. A Denial of Service attack can eventually let a user or attacker take resources on the network without authorization, while a command shell can let an attacker gain access to the server system and its data files, so that in the end an anonymous attacker can create root access and hold the management rights over the attacked network's systems. Never or rarely updating and patching the server version is a mistake often made by an admin, and this is what makes an FTP server vulnerable to intrusion. An example is the popular FTP server of the UNIX family, wu-ftpd, which is always being upgraded, up to twice a day, to fix the conditions that allow an FTP buffer overflow. Exploiting it is also useful for learning the passwords stored in the system, for FTP Bounce attacks (using another FTP server to carry out attacks), and for learning or sniffing information in the system.
3. Unix Finger Exploits
In the early days of the Internet, the Unix OS finger utility was an efficient way to share information among users. Because requests for finger information did not break any rules, most system administrators leave this utility (finger) with very minimal security, or even with no security at all. For an attacker this utility is very valuable for gathering footprinting information, including login names and contact information. This utility also provides excellent information about user activity within the system: how long a user has been in the system and how much the user cares about the system. The information produced by finger minimizes the effort a cracker needs to penetrate a system. The personal information about users revealed by this finger daemon is enough for an attacker to do social engineering, using social skills to take advantage of users who 'tell' passwords and access codes to the system.
4. Flooding & Broadcasting
An attacker can significantly reduce the speed of a network and of the hosts on it by continually sending requests for information to the servers. This is the classic Denial of Service (DoS) attack: sending excessive requests to a port is called flooding, and this is also sometimes called spraying. When the flood of requests is sent to all
stations on the network, the attack is called broadcasting. The objective of both attacks is the same: to make a network resource that provides information become weak and finally give up. Flooding attacks depend on two factors: size and/or volume. An attacker can cause a Denial of Service by throwing large-capacity files or a large volume of small packets at a system. In such circumstances a network server faces congestion: too much information is requested and there is not enough power to push the data out. Basically a big packet requires big processing, but abnormally small packets in a large volume will likewise use up resources in vain, and congestion results. Attackers often use these flooding attacks to gain access to systems that are then used to attack other networks in a single attack called Distributed Denial of Service (DDoS). This attack is often called smurf if it is sent via ICMP and fraggle when it is run through UDP. A node (used as a tool) that amplifies broadcast traffic is often referred to as a Smurf Amplifier; these are very effective tools for carrying out flooding attacks. By spoofing the target network's address, an attacker can send a request to the smurf amplifier, whose (amplifying) network will send a response from every one of its hosts, which means a single request made by the attacker produces the same work again and again directed at the target network; the result of this attack is a denial of service that leaves no trace. These attacks can be anticipated by refusing directed broadcasts at the router. TCP-level flooding (mostly SYN attacks) was used in February 2000 to attack Yahoo!, eBay and others using a DDoS (Distributed Denial of Service) attack. A network that does not use a firewall to check TCP packets can usually be attacked in this way.
Some filtering functions on a firewall (firewall filtering functions) will usually be able to withstand a flooding attack from one IP address, but attacks made via DDoS are difficult to prevent, because as we know they come from different IP addresses all the time. Actually, one way to stop a DDoS attack is to return the packets to the address of origin, or else to turn off the network (usually done by a system that has suffered very severely).
5. Fragmented Packet Attacks
Internet data transmitted via TCP/IP can be divided into packets, of which only the first packet carries the main part of the header (head) of the TCP information. Some firewalls will allow processing of packets that do not contain the source address information of the first packet, and this causes some types of system to crash. For example, an NT server will crash if the split packets (fragmented packets) rewrite the protocol information of the first packet. Splitting packets can also be used for flooding attacks. Because the split packets remain stored until they can be reassembled into the complete data, the server keeps the fragments in kernel memory, and finally the server will crash if too many broken-up packets are stored in memory without being reassembled. Through enumeration of the target's network topography, an attacker has many options for crashing packets, whether by testing the contents of firewalls, load balancers or content-based routers. Without such a defence system the target network is much more vulnerable to vandalism and burglary. Because a broken packet (fragmented packet) is not recorded in the log file before it is put back together into one piece of data, a split packet provides a way for hackers to enter the network without detection. There have been many Intrusion Detection Systems (IDS) and firewall filters that fix this problem, but many systems are still vulnerable in this way.
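The memory-exhaustion failure mode described above, shown with a toy fragment reassembler that applies the usual defence (a cap on buffered fragment bytes plus a timeout, evicting the oldest incomplete datagram first); this is an added example, not code from the original article. The fragment fields and the sample traffic are constructed assumptions.

```python
# Added example (not from the original article): a toy IP fragment
# reassembler. Fragments are held until the datagram completes, which is
# the condition the article says can fill kernel memory; the defence here
# is a byte cap and a timeout, with the oldest incomplete datagram evicted
# first. Fragment format and sample traffic are constructed.
from collections import OrderedDict


class FragmentReassembler:
    def __init__(self, max_buffered_bytes=4096, timeout=30.0):
        self.max_buffered = max_buffered_bytes
        self.timeout = timeout
        self.buffered = 0              # bytes currently held for incomplete datagrams
        self.queues = OrderedDict()    # (src, dst, ident) -> {"frags", "total", "first_seen"}
        self.dropped_incomplete = 0    # datagrams discarded by expiry or eviction

    def _discard(self, key):
        q = self.queues.pop(key)
        self.buffered -= sum(len(d) for d in q["frags"].values())
        self.dropped_incomplete += 1

    def _expire(self, now):
        stale = [k for k, q in self.queues.items() if now - q["first_seen"] > self.timeout]
        for k in stale:
            self._discard(k)

    def _evict_until_fits(self, need):
        # Oldest incomplete datagram goes first, so one flood cannot pin all memory
        while self.queues and self.buffered + need > self.max_buffered:
            self._discard(next(iter(self.queues)))

    def add(self, src, dst, ident, offset, more, data, now):
        """Feed one fragment; return the reassembled payload when complete, else None."""
        self._expire(now)
        self._evict_until_fits(len(data))
        key = (src, dst, ident)
        q = self.queues.setdefault(key, {"frags": {}, "total": None, "first_seen": now})
        if offset in q["frags"]:
            return None                # duplicate fragment: ignore rather than grow
        q["frags"][offset] = data
        self.buffered += len(data)
        if not more:
            q["total"] = offset + len(data)
        if q["total"] is None:
            return None
        # Complete only when every byte from 0 to total is covered contiguously
        pos = 0
        for off in sorted(q["frags"]):
            if off != pos:
                return None
            pos += len(q["frags"][off])
        if pos != q["total"]:
            return None
        payload = b"".join(q["frags"][o] for o in sorted(q["frags"]))
        self.buffered -= len(payload)
        del self.queues[key]
        return payload


def reassemble_normal():
    """Two fragments of one datagram arrive in order and are joined."""
    r = FragmentReassembler(max_buffered_bytes=64)
    r.add("10.0.0.1", "10.0.0.2", 1, 0, True, b"HELLO ", now=0.0)
    return r.add("10.0.0.1", "10.0.0.2", 1, 6, False, b"WORLD", now=0.1)


def flood_of_first_fragments():
    """Constructed flood: 100 datagrams that never complete. Memory stays at the
    cap and the older ones are evicted instead of accumulating."""
    r = FragmentReassembler(max_buffered_bytes=64, timeout=30.0)
    for ident in range(100):
        r.add("10.0.0.9", "10.0.0.2", ident, 0, True, b"X" * 16, now=float(ident))
    return r.buffered, len(r.queues), r.dropped_incomplete


if __name__ == "__main__":
    print(reassemble_normal())
    print(flood_of_first_fragments())
```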
6. E-mail Exploits
E-mail exploitation occurs in five forms: mail floods, command manipulation, transport-level attacks, inserting various kinds of malicious code, and social engineering (using physical socialising). An e-mail attack can crash a system, open, execute and even rewrite files, and also give access to an application or to command functions.
Mail flood attacks (flood = inundation) happen when so much e-mail is sent by the attacker to the target that the transfer agent is overwhelmed handling it, so communication between the different programs becomes unstable and the system can crash. Flooding is a very crude but effective means of bringing a mail server down. One interesting way of doing a mail-flood attack is to exploit the auto-responder function found in most e-mail applications: when an attacker finds active auto-responders on two different systems, the attacker can point one at the other; because both are set to respond automatically to each message, both will keep generating more e-mail in a loop (return) until finally both are exhausted and go down.
Command manipulation attacks can crash a system by bringing down the mail transfer agent with a buffer overflow caused by a defective command (function) (for example VRFY or EXPN). The difference between a mail flood and command manipulation is that command manipulation exploits the power of sendmail, allowing the attacker to access information in the system without authorization (and without the network admin knowing) and to modify the running of other programs. Enabling the disabled commands above can also let an attacker gain access to modify and rewrite files, and of course to plant trojan horses on the mail server. Transport-level attacks are carried out by exploiting the routing/mapping protocol of e-mail across the Internet: Simple Mail Transport Protocol (SMTP). An attacker
can cause a temporary error condition in the target system by overloading the SMTP buffer with more data than it can handle; this can result in the attacker being thrown out of the sendmail program into a shell with administrative power, and even root. Some attacks also commonly exploit POP and IMAP. When an SMTP vulnerability is difficult to exploit, the attacker may move to transport-level attacks if he was not able to attack by way of command manipulation or a mail flood. This attack is used more for making noise than for penetrating a system. An attacker typically uses these attacks to flood an Exchange Server and cut off e-mail traffic. This attack can also be used to damage an organization's reputation by sending spam or offensive e-mail to other organizations using the resources and address of that organization.
Mail relaying, falsifying the origin/source by routing e-mail through a machine that is lied to, is another type of transport-level attack. This technique is very useful for broadcasting spam anonymously. The content often sent by e-mail with this technique is usually damaging content. Some viruses and worms are included in e-mail as apparently legitimate file attachments, such as the Melissa variant that appears as an MS Word macro, or the loveletter worm that infects the system and e-mails itself to the users in the Outlook address book. Most antivirus scanners will pick up an attachment like this, but new viruses and worms and their variants are still dangerous. The last attack committed by an attacker, other than those above, is social engineering: sometimes the attacker sends an e-mail using a forged source address so that users send the admin password 'to upgrade the system'.
7. DNS and BIND Vulnerabilities
The recent news about the vulnerabilities of the Berkeley Internet Name Domain (BIND) application in various versions illustrates the fragility of the Domain Name System (DNS), which threatens a crisis in the basic operation of the Internet. Errors in BIND are nothing new. Since its beginning, the standard BIND has been the favourite target of attack by the cracker community because of its several vulnerabilities. Four buffer overflow vulnerabilities occurred in January, and only a few parts of them can be exploited by a cracker to gain access to the
system and execute commands with full rights (command execution privilege). Vulnerability in BIND is a very serious problem because more than 80 percent of the Internet universe's name service was built using BIND. Without such a control in the modern Internet environment, e-mail transmission would perhaps be difficult, navigating to web sites would be complex, and there may be nothing else easy about the Internet. BIND vulnerabilities do not lie only in DNS. The system address translator (number-address translator) is the subject of many exploits, including attacks at the information level, Denial of Service attacks, and takeover of control by hijacking. An attack at the information level aims to make a server answer something other than the correct answer. One way to carry out this type of attack is through cache poisoning, which fools a remote name server into storing answers for a third-party domain name by supplying various kinds of information to the domain name server that has authority. Every implementation of the attack on the controller has a great chance of succeeding if the answer to a specific question can be fooled (spoofed). DoS, or a server that cannot operate, can be achieved by attacking the DNS itself or by sending excessive flooding traffic from outside, for example using the 'Smurf' ICMP flood. If an organization's or company's authoritative name servers are installed in a segment that lies behind one link or in one physical area, this creates the possibility of Denial of Service attacks. A cracker will try to attack the system through the controller by buffer overflow, exploiting one of the pairs of potential BIND vulnerabilities. An exploit works because of weaknesses in the coding/programming of BIND which allow an attacker to take advantage of executable code to enter the system.
Some operating systems have provided patches for a non-executable stack, and compilers also do so (providing patches) that protect the stack from overflow. This protective mechanism at least makes it difficult for a cracker to use exploits. It is clear that updating the system regularly and applying patches is one of the things that
must be done to build effective security; if the vendor of your DNS software does not provide patches regularly, you had better change to DNS software that does, of course in order to maintain system security.
On a Unix system, BIND must be run as root to bind a low port (machine code). If the control software can be fooled into running malicious code or opening files that belong to root, a local user might be able to increase his own power on the machine. An organization or company that changes its authoritative server should also be aware that replacing all of their servers at the same time can result in their domain name being hijacked through cache
poisoning. Changing servers should be done as a transition process. To prevent domain name hijacking, a network admin should first add the new servers to the network infrastructure before replacing the old server.
8. Password Attacks
Passwords are a common topic when we talk about security. Sometimes a user does not take care of a PIN number they have, for example in an online transaction in an Internet café, and even transacting online at home is very dangerous if it is not protected with security software such as SSL and PGP. A password is one of the security procedures that is very difficult to attack; an attacker may have many tools (technical and social) just to open something that is protected by a password. When an attacker manages to get a password owned by a user, he has the same power as that user. Training employees/users to remain vigilant in guarding their password from social engineering can at least minimize the risk, but besides the social practices, the organization must also be wary of the technical ways. Most attacks made on passwords are guessing, brute force, cracking and sniffing.
Password guessing can be done by entering passwords one by one manually or with the help of a programmed script. Most users use common things for their passwords, including their date of birth, and usually the user does not worry about the rules that apply in the company requiring an alphanumeric combination of at least 7 characters. If a user uses his date of birth as the password then this attack will be very easy to carry out, because the cracker does not need long to break a 6-digit birth date. A few users, or even administrators, make a cracker's job easy just by forgetting to change the default password of a piece of software. In fact, password guessing is not effective and can waste time. A network admin can easily detect this attack if an attacker tries to guess a login password many times. A brute-force attack uses the same logic as password guessing, but a brute-force attack is much faster and more powerful. In this type of attack an attacker uses a script (usually a free cracking program) that will try common passwords (usually found in a dictionary). The purpose of this type of attack is to find the password faster than the network admin becomes aware of the attack. Although the brute-force attack is more efficient than password guessing, the two techniques are basically the same. An attacker generally finds it difficult to succeed with either of these methods. Furthermore, both techniques are very easy to counter by using blacklisting features, which lock a user account if a person (the attacker) enters the wrong password many times. For example, the default blacklist on a Unix system is three attempts to enter the password.
The weakness of blacklist protection is that this feature can be used by the attacker to attack the system. For example, if an attacker can identify the login name of the network admin, the attacker could use that login name and enter the wrong password repeatedly, finally locking the admin account. While the admin is trying to get access back, the attacker is able to connect to the system. Password cracking is a method of attacking the protection of the encrypted passwords that are in the system. Assuming the attacker has already entered the system, he can increase his power within the system by cracking the password file using the brute-force method or a dictionary attack (matching the words in a dictionary against the words in the encrypted password file). Success with this method depends on processor speed and
on the programs the attacker owns. The best way to avoid this type of attack is to monitor the access permissions of the file.
By watching traffic on the telnet port (23) or the HTTPD port (80), an attacker can obtain the passwords used to connect to the Internet and to machines remotely, through a process called password sniffing. This is the easiest method, because those connections do not use encryption, except for connections that use SSL (Secure Sockets Layer) for HTTPD (usually indicated by a locked padlock at the bottom of the browser, showing a secure transaction) or SSH (Secure Shell) for connecting to another machine remotely.
9. Proxy Server Attacks
One function of a proxy server is to speed up response time by unifying the processing of several hosts in a trusted network. In most cases each host has read and write power (read/write), which means what I can do on my system I can also do on your system, and vice versa. If the firewall in the trusted network is not configured optimally, particularly for blocking access from outside, and especially if authentication and encryption are not used, an attacker can
attack the proxy server and get the same access as the other trusted members of the network. If the attacker has already entered the system he can certainly do anything, and he can carry out anonymous DDoS (distributed denial of service) against other networks. A router that is not configured optimally will also act as a proxy server and lead to the same vulnerability as a proxy server.
10. Command Processing Remote Attacks
A trusted relationship between two or more hosts provides facilities for exchanging information and sharing resources. Like a proxy server, a trusted relationship gives all members of the network the same access power on one another's systems (the network). The attacker will attack a server that is a member of the trusted system. Just as with the exposure of a proxy server, once access is obtained, the attacker has the ability to execute commands and access data available to other users.
11. Remote File System Attack
The protocols that transport data from the Internet backbone are at the TCP level (TCP-level), which has a read/write mechanism between the network and the host. An attacker can easily find traces of information from this mechanism to gain access to file directories.
Depending on the OS (operating system) used, the attacker can extract information about the network, sharing privileges, names and locations of users and groups, and the specifications or banner of the application (name and version of the software). A system configured or secured to a bare minimum will easily reveal this information, even through a firewall. On UNIX systems, this information is carried by NFS (Network File System) on port 2049. Windows systems provide this data over SMB (Server Message Block) and NetBIOS on ports 135 to 139 (NT) and port 445 on Win2k.
Network administrators can minimize the risk from the use of these protocols by setting some rules. A network with Windows systems should block access to ports 139 and 445 from outside the network, if possible. On Unix systems port 2049 should be blocked, file sharing should be limited, and requests for files via showmount (a Unix command) should be recorded in the log.
12. Selective Program Insertion
A selective program insertion attack is carried out when the attacker places destructive programs, such as viruses, worms and trojans (terms you may know well), on the target system. Destructive programs are often called malware. These programs have the ability to damage the system, destroy files and steal passwords, and to open a backdoor.
Usually the antivirus products sold on the market can detect and clean up programs like this, but if there is a new virus (say, a Melissa variant) the virus scanner may not be able to deal with the new script. Some network administrators defend against malware with alternative technologies such as behaviour blockers, which stop code based on samples of suspected malware behaviour rather than by signature. Several other applications quarantine viruses and suspected code in a protected area, usually called a sandbox.
13. Port Scanning
Through port scanning an attacker can see the functions and defences of a system from a variety of ports. An attacker can get access into the system through a port that is not protected. For example, scanning can be used to determine where default SNMP strings are open to the public, which means information can be extracted for use in a remote command attack.
14. TCP/IP Sequence Stealing, Passive Port Listening and Packet Interception
TCP/IP Sequence Stealing, Passive Port Listening and Packet Interception work by collecting sensitive information for accessing a network. Unlike active attacks or brute-force attacks, these methods have a more stealth-like quality. TCP/IP Sequence Stealing is a mapping of the sequence numbers that can make the attacker's packets appear legitimate. When a system requests a session with another machine, the two systems
exchange TCP synchronization numbers. If these are not random, the attacker can recognize the algorithm used to generate them. A stolen sequence number can be used to disguise the attacker as one of the earlier systems, and finally allows him to pass the firewall. This is really effective when used together with IP spoofing.
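An audit check for the weakness just described, non-random TCP initial sequence numbers, as an added example that is not code from the original article. It assumes you have already collected a series of ISNs from one of your own hosts (one per connection) and judges whether the steps between them are predictable; the two sample series are constructed, one from a fixed-increment generator and one from the OS random source.

```python
# Added example (not from the original article): given a series of 32-bit
# TCP initial sequence numbers observed from one host, look at the
# differences between consecutive values. A constant or near-constant step
# means the generator is predictable and the host is exposed to sequence
# stealing; steps spread as widely as random 32-bit values are not.
# Sample series are constructed.
import os
import statistics


def isn_deltas(isns):
    """Differences between consecutive 32-bit ISNs, modulo 2**32."""
    return [(b - a) % (1 << 32) for a, b in zip(isns, isns[1:])]


def predictability_score(isns):
    """0.0 = every step identical (trivially predictable); 1.0 = steps vary
    as widely as uniform 32-bit values would. Spread of the deltas relative
    to the standard deviation of a uniform 32-bit variable."""
    deltas = isn_deltas(isns)
    if len(deltas) < 2:
        raise ValueError("need at least three ISN samples")
    spread = statistics.pstdev(deltas)
    uniform_sd = (1 << 32) / (12 ** 0.5)   # std-dev of uniform on [0, 2**32)
    return min(spread / uniform_sd, 1.0)


def classify_isn_generator(isns, weak_below=0.05):
    """Return ('WEAK' | 'OK', score). The threshold is a constructed cut-off:
    a small jitter around a fixed step still scores far below it."""
    score = predictability_score(isns)
    return ("WEAK" if score < weak_below else "OK"), score


def fixed_increment_isns(start=123456, step=64000, n=8):
    """Constructed sample: the classic 'add a constant per connection' scheme."""
    return [(start + i * step) % (1 << 32) for i in range(n)]


def random_isns(n=8):
    """Constructed sample: 32-bit values drawn from the OS random source."""
    return [int.from_bytes(os.urandom(4), "big") for _ in range(n)]


if __name__ == "__main__":
    for name, series in (("fixed-step", fixed_increment_isns()),
                         ("random", random_isns())):
        verdict, score = classify_isn_generator(series)
        print(f"{name:10} {verdict}  score={score:.3f}")
```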
Through passive port listening, an attacker can monitor and record (log) all messages and files sent to all accessible ports on the target system in order to find points of vulnerability. Packet Interception is a part (more exactly, a layer) of an active listener program on a target port on the system, which functions to receive or return all types of specific messages (data) sent
15. HTTPD Attacks
The vulnerabilities found in HTTPD or web servers are of five kinds: buffer overflows, HTTPD bypasses, cross-scripting, web code vulnerabilities, and URL floods.
An HTTPD buffer overflow occurs because the attacker can provoke errors on the port used for web traffic by entering characters and strings in many ways to find a suitable place to overflow. When he finds a place to overflow, the attacker inserts a string that will be an executable command. Buffer-overflow attacks can give the attacker access to the command prompt.
Some features of HTTPD can be used to create an HTTPD bypass, giving access to the server by way of the logging function. In this way a web page can be accessed and replaced without being recorded by the web server. This method is often used by crackers, cyber hacktivists and vandals to deface websites.
Vulnerabilities in web scripts can occur in any web programming language and any application extension, including VB, Visual C, ASP, TCL, Perl, PHP, XML, CGI and ColdFusion. Basically, the attacker exploits weaknesses in an application, such as CGI scripts that do not check their input, or the IIS RDS vulnerability that allows showcode.asp to run commands remotely (remote command privileges). Through cross-scripting and cross-site scripting an attacker can exploit the exchange of cookies between browser and web server. This facility can enable a script to change the web interface, and so on. Such a script can run malware, read important information and expose sensitive data such as
credit card numbers and passwords. Finally, the attacker can perform a denial of service with URL floods, which is done by repeatedly requesting port 80 past the limit of the HTTPD TTL (time to
live). Some users or managers may hate to hear about these attacks. But in fact there is no real fix that makes a network or website secure. Security is a process, not a product. If you install firewalls, IDSes (intrusion detection systems), routers and honeypots (systems set as traps) they may provide layers of defence, but once again the most sophisticated equipment in the world will not help an organization unless the organization has a process for upgrading systems, applying patches, checking the security of the system itself, and other methods.
There have been many companies that use IDSes but do not monitor the log files, or that install a firewall but do not upgrade it. The best way to protect a site or network from attack is to treat security as an ongoing challenge to security itself.
