![Page 1: TYPE OF ATTACKS - ridhanegara.staff.telkomuniversity.ac.id · A Quote from Kevin Mitnick “You could spend a fortune purchasing technology and services from every exhibitor, speaker](https://reader036.vdocuments.us/reader036/viewer/2022070617/5d56095d88c9930a078bc239/html5/thumbnails/1.jpg)
TYPES OF ATTACKS
OUTLINE
• Social Engineering
• Network Attacks
SOCIAL ENGINEERING
A Quote from Kevin Mitnick
“You could spend a fortune purchasing technology and services from every exhibitor, speaker and sponsor at the RSA Conference, and your network infrastructure could still remain vulnerable to old-fashioned manipulation.”
Types of Attacks
• Phishing
• Impersonation on help desk calls
• Physical access (such as tailgating)
• Shoulder surfing
• Dumpster diving
• Stealing important documents
Phishing
• Use of deceptive mass mailing
• Can target specific entities (“spear phishing”)
Impersonation on help desk calls
• Calling the help desk while pretending to be someone else
• Usually an employee, or someone with authority
• Prevention:
  • Assign PINs for calling the help desk
  • Don’t act on a caller’s say-so: verify identity through a defined procedure first
  • Stick to the scope of the help desk
Physical access
• Tailgating: following an authorized person through a controlled door
• Ultimately obtains unauthorized building access
• Prevention:
  • Require badges
  • Employee training
  • Security officers
  • No exceptions!
Shoulder surfing
• Someone can watch the keys you press when entering your password
• Probably less common
• Prevention:
• Be aware of who’s around when entering your password
Dumpster diving
• Looking through the trash for sensitive information
• Doesn’t have to be dumpsters: any trashcan will do
• Prevention:
  • Easy, secure document destruction (shredders where paper is discarded)
  • Lock dumpsters
  • Erase magnetic media before disposal
Stealing important documents
• An attacker can take documents off someone’s desk
• Prevention:
  • Lock your office
  • If you don’t have an office: lock your files securely
  • Don’t leave important information in the open
Attack Model
NETWORK ATTACKS
• Data link layer: ARP poisoning, MAC flooding
• Network layer: attacks against IP
• Transport layer: attacks against TCP and UDP
• Application layer: cookie protocol problems, session hijacking
DATALINK ATTACK
ARP CACHE POISONING
• There is no way to authenticate the IP-to-MAC mapping carried in an ARP reply.
• If host ‘A’ sends an ARP request and receives an ARP reply, the ARP protocol gives it no way to check whether the IP-to-MAC mapping in that reply is correct.
• Even a host that never sent an ARP request will trust an ARP reply it receives and update its ARP cache accordingly.
• An attacker can therefore craft a well-formed ARP reply mapping any IP address to any MAC address of the attacker’s choice and send it to the whole network.
How ARP Works?
Hosts on the LAN (used in the following slides):
  10.0.0.1  00:00:00:00:00:01
  10.0.0.2  00:00:00:00:00:02
  10.0.0.3  00:00:00:00:00:03
1. ARP request is broadcast to all hosts in the LAN.
   10.0.0.1 → (broadcast): “Who has IP 10.0.0.2? Tell your MAC address.”
IIT Indore © Neminath Hubballi
How ARP Works? (continued)
2. Unicast reply from the host concerned.
   10.0.0.2 → 10.0.0.1: “I have IP 10.0.0.2. My MAC is 00:00:00:00:00:02.”
ARP Cache Stores IP-MAC Pairs
3. ARP cache of 10.0.0.1 is updated:
   IP        MAC                TYPE
   10.0.0.2  00:00:00:00:00:02  dynamic
Why is ARP Vulnerable?
• ARP is a stateless protocol.
• Hosts cache ARP replies sent to them even if they had not sent an explicit ARP request for them. (Implementations differ in detail: Linux, for example, by default updates an existing cache entry on an unsolicited reply but does not create a new one unless net.ipv4.conf.*.arp_accept is enabled. Updating existing entries is all a poisoning attack needs.)
• No mechanism to authenticate the peer.
Known Attacks Against ARP
• ARP spoofing
  • Man-in-the-middle attack
  • Denial-of-service attack
• MAC flooding (on the switch)
• DoS by spurious ARP packets
ARP Spoofing Attack
Attacker sends forged ARP packets to the victim.
  Victim:   10.0.0.1  00:00:00:00:00:01
  Attacker: 10.0.0.2  00:00:00:00:00:02
  Target:   10.0.0.3  00:00:00:00:00:03
Forged ARP reply, attacker → victim: “I have IP 10.0.0.3. My MAC is 00:00:00:00:00:02.”
Victim’s ARP cache afterwards:
  IP        MAC                TYPE
  10.0.0.3  00:00:00:00:00:02  dynamic
Spoofing Results in Redirection of Traffic
Packets the victim (10.0.0.1) addresses to 10.0.0.3 are now delivered to the attacker’s MAC, 00:00:00:00:00:02, instead of to 10.0.0.3 (00:00:00:00:00:03).
Man-in-the-Middle Attack Allows Third Party to Read Private Data
Attacker 10.0.0.1 (00:00:00:00:00:01) poisons both ends of the 10.0.0.2 ↔ 10.0.0.3 conversation.
ARP cache of 10.0.0.2:
  IP        MAC                TYPE
  10.0.0.3  00:00:00:00:00:01  dynamic
ARP cache of 10.0.0.3:
  IP        MAC                TYPE
  10.0.0.2  00:00:00:00:00:01  dynamic
Both hosts now send the traffic meant for each other to the attacker, who can read it and forward it on so that neither side notices.
Denial of Service Stops Legitimate Communication
A malicious entry with a non-existent MAC address can lead to a DoS attack.
  Victim:   10.0.0.1  00:00:00:00:00:01
  Attacker: 10.0.0.2  00:00:00:00:00:02
  Target:   10.0.0.3  00:00:00:00:00:03
Forged ARP reply, attacker → victim: “I have IP 10.0.0.3. My MAC is XX:XX:XX:XX:XX:XX.”
Victim’s ARP cache afterwards:
  IP        MAC                TYPE
  10.0.0.3  XX:XX:XX:XX:XX:XX  dynamic
Denial of Service Stops Legitimate Communication (continued)
The victim is unable to reach the IP for which the attacker sent the forged packet: frames for 10.0.0.3 go to a MAC address that exists nowhere on the LAN.
  Victim 10.0.0.1 (00:00:00:00:00:01), ARP cache: 10.0.0.3  XX:XX:XX:XX:XX:XX  dynamic
  PING 10.0.0.3 → Request timed out.
MAC Flooding Degrades Network Performance
The attacker bombards the switch with numerous forged frames (e.g. ARP packets with random source MAC addresses) at an extremely rapid rate so that its CAM table overflows. Once the table is full the switch can no longer learn where hosts are and floods frames out of all ports, hub-style, which slows the network and lets the attacker sniff traffic that a switch would normally keep off its port.
Switch CAM table:
  PORT  MAC
  1     00:00:01:01:01:01
  2     00:00:02:02:02:02
  …     …
Attacker: 10.0.0.1 (00:00:00:00:00:01)
DoS by Spurious ARP Packets
The attacker (10.0.0.1, 00:00:00:00:00:01) sends numerous spurious ARP packets at the victim so that it is kept busy processing them. This keeps the victim busy and might lead to a denial of service.
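The detection side of the ARP slides above, as an added example that is not part of the lecture: a small Python monitor that parses raw Ethernet/ARP frames and flags the three symptoms the spoofing, man-in-the-middle and DoS diagrams produce: a reply nobody asked for, a frame whose Ethernet source MAC disagrees with the ARP sender MAC, and a known IP that suddenly maps to a different MAC (arpwatch’s “flip flop”). The frames are constructed inline with the slides’ addresses (10.0.0.1 to 10.0.0.3, MACs 00:00:00:00:00:01 to 03); the bogus MAC de:ad:be:ef:00:00 is an assumed stand-in for the slide’s XX:XX:XX:XX:XX:XX.

```python
"""Parse raw Ethernet/ARP frames and flag the symptoms of ARP cache poisoning."""
import struct

ETH = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_to_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))

def ip_to_bytes(ip):
    return bytes(int(x) for x in ip.split("."))

def bytes_to_mac(b):
    return ":".join(f"{x:02x}" for x in b)

def bytes_to_ip(b):
    return ".".join(str(x) for x in b)

def build_arp(oper, sha, spa, tha, tpa, eth_src=None):
    """Build an Ethernet/ARP frame (used here only to construct the sample traffic).
    An honest host sets the Ethernet source equal to the ARP sender MAC, so that is the default."""
    eth_dst = BROADCAST if oper == ARP_REQUEST else tha
    eth = ETH.pack(mac_to_bytes(eth_dst), mac_to_bytes(eth_src or sha), ETHERTYPE_ARP)
    arp = ARP.pack(1, 0x0800, 6, 4, oper,
                   mac_to_bytes(sha), ip_to_bytes(spa), mac_to_bytes(tha), ip_to_bytes(tpa))
    return eth + arp

def parse_arp(frame):
    """Return the ARP fields of a frame as a dict, or None if the frame is not ARP."""
    _, eth_src, ethertype = ETH.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    _, _, _, _, oper, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)
    return {"eth_src": bytes_to_mac(eth_src), "oper": oper,
            "sha": bytes_to_mac(sha), "spa": bytes_to_ip(spa),
            "tha": bytes_to_mac(tha), "tpa": bytes_to_ip(tpa)}

class ArpMonitor:
    """Stateful ARP watcher: learns IP->MAC pairs and raises alerts on poisoning symptoms."""
    def __init__(self):
        self.table = {}        # IP -> MAC, as learned from replies
        self.pending = set()   # (requester IP, requested IP) for requests not yet answered
        self.alerts = []

    def observe(self, frame):
        p = parse_arp(frame)
        if p is None:
            return
        if p["oper"] == ARP_REQUEST:
            self.pending.add((p["spa"], p["tpa"]))
            return
        if p["oper"] != ARP_REPLY:
            return
        ip, mac = p["spa"], p["sha"]
        # 1. A reply that no one asked for: the classic poisoning vector.
        if (p["tpa"], ip) in self.pending:
            self.pending.discard((p["tpa"], ip))
        else:
            self.alerts.append(f"unsolicited reply: {ip} is-at {mac} (to {p['tpa']})")
        # 2. Frame source MAC disagrees with the ARP sender MAC (DoS with a bogus MAC).
        if p["eth_src"] != mac:
            self.alerts.append(f"eth src {p['eth_src']} != arp sender {mac} for {ip}")
        # 3. A known IP suddenly maps to a different MAC (arpwatch's "flip flop").
        old = self.table.get(ip)
        if old is not None and old != mac:
            self.alerts.append(f"mapping changed: {ip} {old} -> {mac}")
        self.table[ip] = mac

def demo():
    """Replay the lecture scenario: legitimate exchanges, then ARP spoofing, then ARP DoS."""
    h1, h2, h3 = "00:00:00:00:00:01", "00:00:00:00:00:02", "00:00:00:00:00:03"
    m = ArpMonitor()
    frames = [
        build_arp(ARP_REQUEST, h1, "10.0.0.1", "00:00:00:00:00:00", "10.0.0.2"),
        build_arp(ARP_REPLY,   h2, "10.0.0.2", h1, "10.0.0.1"),
        build_arp(ARP_REQUEST, h1, "10.0.0.1", "00:00:00:00:00:00", "10.0.0.3"),
        build_arp(ARP_REPLY,   h3, "10.0.0.3", h1, "10.0.0.1"),
        # Spoofing: 10.0.0.2 claims 10.0.0.3 with its own MAC, and nobody asked.
        build_arp(ARP_REPLY,   h2, "10.0.0.3", h1, "10.0.0.1"),
        # DoS: 10.0.0.3 mapped to a MAC that exists nowhere on the LAN (constructed value).
        build_arp(ARP_REPLY,   "de:ad:be:ef:00:00", "10.0.0.3", h1, "10.0.0.1", eth_src=h2),
    ]
    for f in frames:
        m.observe(f)
    return m

if __name__ == "__main__":
    for alert in demo().alerts:
        print(alert)
```

A mapping change on its own is not proof of an attack (DHCP reassignments and NIC replacements cause the same flip), so in practice these alerts are investigated together with switch port-security or DHCP-snooping logs; the unsolicited-reply and MAC-mismatch signals are far more specific.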
LAB TIME
Objectives
• Scan, detect, protect and attack computers on LANs
What you need:
• PC with Windows Server 2012 as host machine
• Windows Server 2008 running on a virtual machine as target machine
• Installed WinPcap driver
• WinArpAttacker (double-click WinArpAttacker.exe)
What to do
1. Launch the Windows Server 2008 virtual machine
2. Launch WinArpAttacker on the host machine
3. Click the Scan option on the toolbar menu and select Scan LAN. This scans for the active hosts on the LAN.
4. Select a victim host (the Windows Server 2008 VM) from the list. Select Attack -> Flood. In spoofing mode the tool acts as another gateway or IP forwarder on the LAN, without other users noticing, while poisoning their ARP tables.
5. All data sniffed by spoofing and forwarded by WinArpAttacker’s IP-forward function is counted and shown in the main interface. The BanGateway option tells the gateway a wrong MAC address for the target computer, so the target can’t receive packets from the Internet.
6. Click save to save the report
QUESTION
• Analyze and document the scanned and attacked IP addresses.
NETWORK LAYER
• IP has no authentication mechanism.
• A packet simply claims to originate from a given address, and there is no way to be sure that the host that sent the packet is telling the truth.
• Authentication must be provided by a higher layer.
IP Spoofing
• One host claims to have the IP address of another.
IP Session Hijacking
• An attack in which a user’s session is taken over and comes under the control of an attacker.
TRANSPORT LAYER
• TCP attacks
  • TCP SYN or TCP ACK flood attack
  • TCP sequence number attack
  • TCP/IP hijacking
• UDP attacks
• ICMP attacks
  • Smurf attack
  • ICMP tunneling
TCP SYN
TCP Sequence Number Attack
• Every TCP segment carries a sequence number, and each side picks an initial sequence number (ISN) when a connection is set up. The attacker observes the traffic (or predicts the ISN) and then injects segments whose sequence numbers fall where the receiver expects them. Such an attack can hijack or disrupt a session: if a valid sequence number is guessed, the attacker can place himself between client and server, take over the connection and receive the data meant for the legitimate system. The attacker does not need the exact number, only one inside the receiver’s window, which is why implementations randomize ISNs and tighten the checks applied to injected segments.
TCP Hijacking
• Also called active sniffing: the attacker gains access to a host on the network and logically disconnects it from the network, then inserts another machine with the same IP address. This happens quickly and gives the attacker access to the session and to all the information on the original system.
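Why the two slides above hinge on the initial sequence number, as an added example that is not part of the lecture: a toy Python model in which a blind attacker opens one connection to learn the server’s current ISN, then forges a segment for the victim’s next connection. With a clock-driven ISN (the fixed step of 64 000 per tick is an assumed constant standing in for the historic BSD-style scheme) the guess lands inside the victim’s receive window every time; with a CSPRNG-drawn ISN it essentially never does. The in_window check is the standard RFC 793 acceptance test with 32-bit wrap-around, and guesses_needed shows why a large receive window still leaves blind in-window injection cheap enough that RFC 5961 tightened the rules.

```python
"""Toy model of TCP sequence-number guessing: predictable vs random initial sequence numbers."""
import math
import secrets

SEQ_MOD = 1 << 32

def in_window(seq, rcv_nxt, rcv_wnd):
    """TCP accepts a segment whose sequence number lies in [RCV.NXT, RCV.NXT + RCV.WND),
    computed modulo 2**32 so the comparison survives wrap-around."""
    return (seq - rcv_nxt) % SEQ_MOD < rcv_wnd

def guesses_needed(rcv_wnd):
    """Blind injection does not need the exact number: one probe per window position
    covers the whole 32-bit space (the observation behind RFC 5961's tighter checks)."""
    return math.ceil(SEQ_MOD / rcv_wnd)

class PredictableIsn:
    """Clock-driven ISN that grows by a fixed step per tick. The step is an assumed
    constant modelling the historic BSD-style scheme, not a measured value."""
    def __init__(self, step=64_000, seed=12_345):
        self.step, self.seed = step, seed

    def next_isn(self, tick):
        return (self.seed + tick * self.step) % SEQ_MOD

class RandomIsn:
    """ISN drawn from the OS CSPRNG: unpredictable to anyone not holding the generator state."""
    def next_isn(self, tick):
        return secrets.randbits(32)

def blind_attack_success_rate(gen, trials, assumed_step=64_000, rcv_wnd=65_535):
    """Per trial: the attacker connects at tick t and learns ISN_t, then forges a segment
    for the victim's connection opened at tick t+1 with the guess ISN_t + assumed_step.
    Success means the guess lands inside the victim's receive window."""
    hits = 0
    for t in range(trials):
        observed = gen.next_isn(t)
        guess = (observed + assumed_step) % SEQ_MOD
        victim_isn = gen.next_isn(t + 1)
        if in_window(guess, victim_isn, rcv_wnd):
            hits += 1
    return hits / trials

if __name__ == "__main__":
    print("predictable ISN:", blind_attack_success_rate(PredictableIsn(), 1000))
    print("random ISN:     ", blind_attack_success_rate(RandomIsn(), 1000))
    print("probes to cover 2^32 with a 64 KiB window:", guesses_needed(65_536))
```

The model leaves out the ACK number and the port guess a real blind attacker also needs; it isolates the single point the slide makes, that the secrecy of the sequence number is the only thing standing between an off-path attacker and the session.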
ICMP Attacks
• Ping, for instance, uses the ICMP protocol. sPing is a good example of this type of attack: it overloads the target with more bytes than it can handle (oversized echo packets) or with more requests than it can answer, i.e. a ping flood.
SMURF ATTACK
• This attack uses IP spoofing and broadcasting to send a ping to a group of hosts on a network. When a host is pinged it sends an ICMP echo reply back to the (apparent) originator. If an echo request carrying the victim’s spoofed source address is sent to a network’s broadcast address, every host answers the victim at once. The result is an overload of the network and of the target system. Prevention: configure routers not to forward IP directed broadcasts and hosts not to answer broadcast echo requests, and filter packets with spoofed source addresses at the network edge (ingress filtering). Dropping all ICMP at the router is a blunt substitute that also breaks legitimate uses of ICMP.
ICMP Tunneling
• ICMP messages carry data fields (timing information, routing information, the echo payload). A packet can be made to hold information other than what the protocol intended, so ICMP can serve as a covert communication channel between two systems, for example to deliver a Trojan horse or to carry command-and-control traffic past a firewall that allows ping. The blunt countermeasure is to deny ICMP traffic into your network; more selective controls (limiting echo payload size and rate, and checking that replies echo the request payload unchanged) preserve legitimate uses such as path-MTU discovery.
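One detection rule for each of the ICMP attacks in the three slides above, as an added Python example that is not part of the lecture. It runs over a handful of constructed ICMP echo records (not captured traffic): echo requests sent to a broadcast address (Smurf), replies with no matching request (what the Smurf victim sees), echo payloads larger than any legal IP datagram can carry (the ping-of-death class the sPing slide points at), replies whose payload differs from the request (tunnelling, since RFC 792 requires an echo reply to return the request’s data unchanged), and one source sending far more requests than normal (ping flood). The /24 prefix and the threshold of 100 requests per source are assumptions.

```python
"""Classify ICMP echo traffic (constructed records) into the attack patterns described above."""
from collections import Counter

ECHO_REPLY, ECHO_REQUEST = 0, 8
MAX_ECHO_PAYLOAD = 65_507   # 65535 max IP datagram - 20 IP header - 8 ICMP header

def is_broadcast(ip, prefix_len=24):
    """Limited broadcast, or the directed broadcast of the local subnet
    (prefix length is an assumption: the lecture's 10.0.0.0/24 LAN)."""
    if ip == "255.255.255.255":
        return True
    host_mask = (1 << (32 - prefix_len)) - 1
    addr = int.from_bytes(bytes(int(o) for o in ip.split(".")), "big")
    return (addr & host_mask) == host_mask

def classify_icmp(records, flood_threshold=100):
    """records: dicts with keys src, dst, type, ident, seq, payload (bytes).
    Returns (reason, record) findings for smurf, oversized echo, tunnelling and flooding."""
    findings = []
    outstanding = {}          # (requester, responder, ident, seq) -> request payload
    requests_by_src = Counter()
    for r in records:
        if r["type"] == ECHO_REQUEST:
            requests_by_src[r["src"]] += 1
            outstanding[(r["src"], r["dst"], r["ident"], r["seq"])] = r["payload"]
            if is_broadcast(r["dst"]):
                findings.append(("smurf: echo request to a broadcast address", r))
            if len(r["payload"]) > MAX_ECHO_PAYLOAD:
                findings.append(("oversized echo request (ping-of-death class)", r))
        elif r["type"] == ECHO_REPLY:
            key = (r["dst"], r["src"], r["ident"], r["seq"])   # a reply reverses the direction
            sent = outstanding.pop(key, None)
            if sent is None:
                findings.append(("reply without a matching request (reflected smurf or tunnel)", r))
            elif sent != r["payload"]:
                # RFC 792: the reply must return the request's data unchanged; a difference
                # means the two ends are using the payload as a channel.
                findings.append(("reply payload differs from request (ICMP tunnel)", r))
    for src, n in requests_by_src.items():
        if n > flood_threshold:
            findings.append((f"ping flood: {n} echo requests from one source", {"src": src}))
    return findings

def echo(src, dst, ident, seq, payload, reply=False):
    """Helper to build one constructed ICMP echo record."""
    return {"src": src, "dst": dst, "type": ECHO_REPLY if reply else ECHO_REQUEST,
            "ident": ident, "seq": seq, "payload": payload}

def demo_findings():
    """Constructed traffic: one honest ping, a smurf burst, an oversized ping, a tunnel, a flood."""
    normal = bytes(range(0x10, 0x10 + 56))          # arbitrary 56-byte echo payload
    records = [
        echo("10.0.0.1", "10.0.0.3", 1, 1, normal),
        echo("10.0.0.3", "10.0.0.1", 1, 1, normal, reply=True),
        # Smurf: the attacker spoofs victim 10.0.0.9 and pings the broadcast address;
        # the victim then receives replies it never asked for.
        echo("10.0.0.9", "10.0.0.255", 2, 1, normal),
        echo("10.0.0.2", "10.0.0.9", 2, 1, normal, reply=True),
        echo("10.0.0.3", "10.0.0.9", 2, 1, normal, reply=True),
        # Oversized echo: more data than a legal IP datagram can carry.
        echo("10.0.0.6", "10.0.0.1", 3, 1, b"\x00" * (MAX_ECHO_PAYLOAD + 1)),
        # Tunnel: the "reply" carries data the request never contained.
        echo("10.0.0.5", "10.0.0.7", 4, 1, b"cmd: ls /etc"),
        echo("10.0.0.7", "10.0.0.5", 4, 1, b"passwd group shadow", reply=True),
    ]
    # Flood: one source, 150 unanswered requests (above the assumed threshold of 100).
    records += [echo("10.0.0.8", "10.0.0.1", 5, i, normal) for i in range(150)]
    return classify_icmp(records)

if __name__ == "__main__":
    for reason, rec in demo_findings():
        print(reason, rec.get("src"), rec.get("dst"))
```

The payload-mismatch rule is the one worth keeping in a real sensor: it is protocol-grounded rather than heuristic, and it catches tunnels that keep their packets small and infrequent enough to slip under volume thresholds.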
APPLICATION LAYER
Cookie protocol problems
Server is blind:
• Does not see cookie attributes (e.g. secure, HttpOnly)
• Does not see which domain set the cookie
Server only sees: Cookie: NAME=VALUE
Example 1: login server problems
1. Alice logs in at login.site.com
   login.site.com sets a session-id cookie for .site.com
2. Alice visits evil.site.com
   evil.site.com overwrites the .site.com session-id cookie with the session-id of user “badguy”
3. Alice visits course.site.com to submit homework
   course.site.com thinks it is talking to “badguy”
Problem: course.site.com expects the session-id from login.site.com; it cannot tell that the session-id cookie was overwritten.
Example 2: “secure” cookies are not secure
Alice logs in at https://accounts.google.com
Alice visits http://www.google.com (cleartext)
• A network attacker can inject into the response: Set-Cookie: SSID=badguy; secure
  and overwrite the secure cookie
Problem: a network attacker can re-write HTTPS cookies!
• HTTPS cookie values cannot be trusted on their own. (Browsers have since added two defences: the __Secure- and __Host- cookie name prefixes, which a browser accepts only when set from a secure origin, and a rule that a non-secure origin may not overwrite a cookie carrying the Secure flag.)
Example Set-Cookie headers:
  set-cookie: SSID=A7_ESAgDpKYk5TGnf; Domain=.google.com; Path=/;
    Expires=Wed, 09-Mar-2026 18:35:11 GMT; Secure; HttpOnly
  set-cookie: SAPISID=wj1gYKLFy-RmWybP/ANtKMtPIHNambvdI4; Domain=.google.com; Path=/;
    Expires=Wed, 09-Mar-2026 18:35:11 GMT; Secure
Interaction with the DOM SOP
Cookie SOP path separation:
  x.com/A does not see cookies of x.com/B
Not a security measure: x.com/A has access to the DOM of x.com/B
  <iframe src="x.com/B"></iframe>
  alert(frames[0].document.cookie);
Path separation is done for efficiency, not security:
  x.com/A is only sent the cookies it needs
Cookies have no integrity
User can change and delete cookie values
• Edit the cookie database (FF: cookies.sqlite)
• Modify the Cookie header (FF: TamperData extension)
Silly example: shopping cart software
  Set-cookie: shopping-cart-total = 150 ($)
User edits the cookie file (cookie poisoning):
  Cookie: shopping-cart-total = 15 ($)
Similar problem with hidden fields:
  <INPUT TYPE="hidden" NAME=price VALUE="150">
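The standard fix for the shopping-cart slide, as an added Python example that is not from the lecture: the server appends an HMAC-SHA256 tag computed under a key that never leaves the server, and refuses any cookie whose tag does not verify. The cookie name is bound into the MAC so a valid tag cannot be transplanted onto a different cookie, and the comparison is constant-time. The same construction, with a strong MAC and a random 256-bit key, is what the “token = {userid, MAC_k(userid)}” token on the predictable-tokens slide needs in order not to leak k. The cookie names and the 32-byte key are assumptions of the example.

```python
"""Integrity-protected cookie values: HMAC on the server, verify on every request."""
import base64
import binascii
import hashlib
import hmac
import secrets

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _tag(name, value, key):
    # The cookie name is bound into the MAC so a valid tag cannot be moved to another cookie.
    return hmac.new(key, name.encode() + b"\0" + value.encode(), hashlib.sha256).digest()

def sign_cookie(name, value, key):
    """Return '<value>.<tag>' for a Set-Cookie header. Integrity only: the value stays readable."""
    return f"{value}.{_b64(_tag(name, value, key))}"

def verify_cookie(name, signed, key):
    """Return the value if its tag checks out, else None. Constant-time comparison."""
    value, sep, tag = signed.rpartition(".")
    if not sep:
        return None
    try:
        ok = hmac.compare_digest(_tag(name, value, key), _unb64(tag))
    except (binascii.Error, ValueError):
        return None
    return value if ok else None

def demo(key=None):
    """Shopping-cart example from the slide: the user rewrites 150 -> 15 but cannot forge the tag."""
    key = key or secrets.token_bytes(32)          # server-side secret, never sent to the client
    signed = sign_cookie("shopping-cart-total", "150", key)
    tampered = "15" + signed[signed.index("."):]  # edited value, original tag kept
    return {
        "honest": verify_cookie("shopping-cart-total", signed, key),
        "tampered": verify_cookie("shopping-cart-total", tampered, key),
        "moved": verify_cookie("discount-percent", signed, key),   # same tag under another name
    }

if __name__ == "__main__":
    print(demo())
```

Signing stops forgery, not replay or overwriting: a sibling subdomain can still plant a different user’s genuinely signed cookie (Example 1 above), so the session itself still has to be looked up and authorized on the server. The hidden-field variant on the slide is fixed the same way, or simply by re-reading the price from the server-side catalogue and ignoring what the client sends.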
Session hijacking
Attacker waits for user to login
then attacker steals user’s Session Token and “hijacks” session
⇒ attacker can issue arbitrary requests on behalf of user
Example: FireSheep [2010]
Firefox extension that hijacked Facebook session tokens over Wi-Fi. Solution: HTTPS after login (and, since the token travels with every request, for every page of the site).
Beware: Predictable tokens
Example 1: counter
  ⇒ user logs in, gets a counter value, can view the sessions of other users
Example 2: weak MAC. token = { userid, MACk(userid) }
  • A weak MAC exposes k from a few cookies.
Apache Tomcat: generateSessionId()
  • Returns a random session ID [server retrieves client state based on sess-id]
Session tokens must be unpredictable to attacker
To generate: use underlying framework (e.g. ASP, Tomcat, Rails)
Rails: token = MD5( current time, random nonce )
Beware: Session token theft
Example 1: login over HTTPS, but subsequent HTTP
• Enables cookie theft at a wireless café (e.g. Firesheep)
• Other ways a network attacker can steal the token:
  • Site has mixed HTTPS/HTTP pages ⇒ token sent over HTTP
  • Man-in-the-middle attacks on SSL
Example 2: Cross Site Scripting (XSS) exploits
Amplified by poor logout procedures:
• Logout must invalidate the token on the server
Mitigating session token theft by binding the token to the client’s computer
Client IP addr: makes it harder to use the token at another machine
• But an honest client may change IP addr during a session
  ⇒ client will be logged out for no reason.
Client user agent: weak defense against theft, but doesn’t hurt.
SSL session id: same problem as IP address (and even worse)
A common idea: embed machine-specific data in the SID
Session fixation attacks
Suppose attacker can set the user’s session token:
• For URL tokens, trick user into clicking on URL
• For cookie tokens, set using XSS exploits
Attack (say, using URL tokens):
1. Attacker gets an anonymous session token for site.com
2. Sends a URL to the user with the attacker’s session token
3. User clicks on the URL and logs into site.com
   • this elevates the attacker’s token to a logged-in token
4. Attacker uses the elevated token to hijack the user’s session.
Session fixation: lesson
When elevating a user from anonymous to logged-in: always issue a new session token.
After login, the token changes to a value unknown to the attacker ⇒ the attacker’s token is not elevated.
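The three session rules from the slides above (unpredictable tokens, a fresh token on login, server-side invalidation on logout), as an added Python example that is not part of the lecture. SessionStore.login destroys the pre-login token and issues a new one, so the fixation sequence just described leaves the attacker’s planted token worthless; vulnerable_login keeps the token and upgrades it in place, reproducing the bug, for contrast. Tokens come from secrets.token_urlsafe, i.e. 256 bits from the OS CSPRNG; the user name “alice” and the store layout are assumptions of the example.

```python
"""Server-side session store: unpredictable tokens, rotation on login, invalidation on logout."""
import secrets
import time

class SessionStore:
    TOKEN_BYTES = 32   # 256 bits from the OS CSPRNG; counters and timestamps are guessable

    def __init__(self):
        self._sessions = {}   # token -> {"user": str | None, "created": float}

    def _new_token(self):
        return secrets.token_urlsafe(self.TOKEN_BYTES)

    def create_anonymous(self):
        """Token handed to a visitor who has not logged in yet."""
        token = self._new_token()
        self._sessions[token] = {"user": None, "created": time.time()}
        return token

    def user_for(self, token):
        """Who the server believes holds this token (None if anonymous or unknown)."""
        s = self._sessions.get(token)
        return s["user"] if s else None

    def login(self, old_token, user):
        """Authenticate and ROTATE: the pre-login token, which an attacker may have planted,
        is destroyed and a fresh token is issued, so it is never elevated."""
        self._sessions.pop(old_token, None)
        new_token = self._new_token()
        self._sessions[new_token] = {"user": user, "created": time.time()}
        return new_token

    def logout(self, token):
        """Server-side invalidation: deleting the cookie in the browser is not enough."""
        return self._sessions.pop(token, None) is not None

def fixation_scenario(store):
    """1. attacker obtains an anonymous token; 2. victim is tricked into using it;
    3. victim logs in. Returns what each party's copy of the token is now worth."""
    planted = store.create_anonymous()             # attacker's token, delivered via URL or XSS
    victim_token = store.login(planted, "alice")   # victim logs in while holding the planted token
    return {"attacker_sees": store.user_for(planted),
            "victim_sees": store.user_for(victim_token),
            "planted": planted, "victim_token": victim_token}

def vulnerable_login(store, old_token, user):
    """Contrast: elevating the existing token in place, the bug the slide describes."""
    s = store._sessions.get(old_token)
    if s is not None:
        s["user"] = user
    return old_token

if __name__ == "__main__":
    print(fixation_scenario(SessionStore()))
```

Rotation also helps against the token-theft slide: a token stolen before login is useless afterwards, and explicit logout removes the window in which a stolen token stays valid on the server.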
LAB TIME
Objectives
• Sniffing passwords using Wireshark
What to do
1. Launch Wireshark
2. From the Wireshark menu bar, select Capture > Interfaces (Ctrl+I)
3. In the Wireshark Capture Interfaces dialog box, find and select the Ethernet interface that is connected to the system, then click Start.
4. Switch to the virtual machine and log in to your email. (The password is recoverable from the capture only if the login travels in cleartext, e.g. HTTP, POP3 or IMAP without TLS; a TLS-protected login shows only the handshake and encrypted records.)
5. You may save the captured packets via File > Save As.
6. In Find by...
QUESTION
1. Evaluate the protocols involved in the activity captured by Wireshark
2. Evaluate the result of the activity