fools your enemy with mikrotik

Fools your enemy with Mikrotik

BY: DIDIET KUSUMADIHARDJAMIKROTIK USER MEETING (MUM) 2016JAKARTA, INDONESIA 14 OCTOBER 2016

Didiet Kusumadihardja - [email protected]

2About Me

Didiet Kusumadihardja1. IT Security Specialist

PT. Mitra Solusi Telematika

2. Trainer & IT Consultant Arch Networks

MTCNA, MTCINE, MTCWE, MTCUME, MTCTCE, MTCRE


3PT. Mitra Solusi Telematika

Gedung TMT 2. GFJl. Cilandak KKO

Jakarta


4

GlobalIT Security

Incident


5Global IT Security Incident 2014

Entire Network Canceled



3 Tahun di Hack ( 2012 – 2015)



500 Juta Account

3 Miliar Account ???Source: Tech Times


8

IndonesiaIT Security

Incident


9

Source: Akamai

INDONESIAIS

SAFE?


10Indonesia IT Security Incident 2013

polri.go.id2013

Deface

Motive: Fame?



Teman Ahok

DDoS Attack

Motive: Politics?



Videotron

Kebayoran BaruJakarta Selatan

Motive: Curiosity?


13

Source: Carnegie Mellon University

IT SecurityTrends

Gak PerluPinter Buat

Hacking


14Hacking Tools Example

Cain & AbelKali Linux


15

Source: SCMagazine

Modern Business

Cybercrime as a Service (CaaS)


16

How Hackersdo it?


17Hacking Phase

1.Reconnaissance2.Scanning3.Gaining Access4.Maintaining Access5.Clearing Tracks

Source: Ethical Hacking by EC-Council


18Hacking Phase (Cont’d)


Information Gathering

OS Detail Open Port

Version

Device Type

Application Vulnerability

Exploit Vulnerability

Escalate PrivilegeBackdoors

Delete/overwrite Event/LogsData harvesting


19Hacking Phase Analogy



20When we fools them?



21Why at Scanning Phase?

TELNET SSH


22Scanning Tools

SoftPerfect Network Scanner

The Dude


23

How to fools them?


24Use a bait

Honey Pot

Hacker Bait


25Web Server Example

Web Server

HTTP HTTPS

=


26Confuse your enemy

HTTP HTTPS


27Server Farm Network Example

192.168.1.2 DNS Server192.168.1.5 Web Server192.168.1.10 DB Server192.168.1.15 Mail Server

SERVER X

192.168.1.0/24


28Confuse your enemy

192.168.1.1 Fake Server 1192.168.1.2 DNS Server192.168.1.3 Fake Server 2192.168.1.4 Fake Server 3192.168.1.5 Web Server192.168.1.6 Fake Server 4192.168.1.7 Fake Server 5192.168.1.8 Fake Server 6192.168.1.9 Fake Server 7192.168.1.10 DB Server192.168.1.11 Fake Server 8192.168.1.12 Fake Server 9192.168.1.13 Fake Server 10192.168.1.14 Fake Server 11192.168.1.15 Mail Server 192.168.1.0/24


29

How we do it with Mikrotik?


30

NAT(Network Address Translation)


31

Fake NAT


32Fake Ports at your Web Server

HTTP & HTTPS toLegitimate Server

Other Ports toFake Server


33Simple NAT for Web Server

INTERNET

ROUTER WEB SERVER192.168.2.3

Chain Action

NAT (Port Mapping)

10.0.0.1


34Add Additional NAT for Bait

Web Server192.168.2.3 Fake Server

(Honey Pot)192.168.2.4

Chain Action


35Fake Server at your Server Farm Network

Only one legitimateserver

Others are Fake Server


36Another Example

Web Server192.168.2.3

Fake Server(Honey Pot)192.168.2.4

Chain Action


37Combine with Honey Pot

KFSensorOthers HoneyPot: Honeyd, Kippo, Dionaea, Nepenthes


38What Hacker See (NMAP)

Before After

Nmap / Zenmap


39What Hacker See (SoftPerfect NetScan)

Before After

SoftPerfect Network Scanner


40I don’t want to use HoneyPot

Step 1: Chain

Step 2: Action


41What we see, If someone PING

SRC-MAC ADDRESSSRC-IP ADDRESS


42What we see, If someone NMAP

Mikrotik LOG:


43The Dude, Hotspot & Userman

IP Address MAC Address User ID Person


44Use Case 1

Internet Café(WARNET)

University

OfficeInsider Threat


45Use Case 2

AnalyticsFor Fun

Learn hacking methodfrom hacker / script kiddies

Research

http://public.honeynet.id

(Low Interaction Honeypot)(High Interaction Honeypot)


46

Thank you..

Question?

DIDIET KUSUMADIHARDJA

[email protected]://didiet.arch.web.id/

https://www.facebook.com/ArchNetID/