Professional Documents
Culture Documents
i. c
o b
Fools your enemy with Mikrotik
h o
a
BY: DIDIET KUSUMADIHARDJA
s
MIKROTIK USER MEETING (MUM) 2016
JAKARTA, INDONESIA
14 OCTOBER 2016
2
m
About Me
Didiet Kusumadihardja
.i c o
1. IT Security Specialist
o b
o
PT. Mitra Solusi Telematika
a h
s
Arch Networks
m
PT. Mitra Solusi Telematika
Gedung TMT 2. GF
.i co
b
Jl. Cilandak KKO
Jakarta
oo
a h
s
Didiet Kusumadihardja - didiet@arch.web.id
4
o m
.i c
Global
o b
o
IT Security
Incident
a h
s
Didiet Kusumadihardja - didiet@arch.web.id
5
m
Global IT Security Incident 2014
Entire Network
.i co
Canceled
o b
ho
s a
Didiet Kusumadihardja - didiet@arch.web.id
6
m
Global IT Security Incident 2015
.i c o
3 Tahun di Hack ( 2012 – 2015)
o b
ho
s a
Didiet Kusumadihardja - didiet@arch.web.id
7
m
Global IT Security Incident 2016
.i co
o b
ho
s a 500 Juta Account
o m
.i c
Indonesia
o b
o
IT Security
Incident
a h
s
Didiet Kusumadihardja - didiet@arch.web.id
9
o m
.i c
o b INDONESIA
o
IS
a h SAFE?
s
Didiet Kusumadihardja - didiet@arch.web.id
Source: Akamai
10
m
Indonesia IT Security Incident 2013
polri.go.id
.i co
2013
o b
ho
Deface
s a
Didiet Kusumadihardja - didiet@arch.web.id
Motive: Fame?
11
m
Indonesia IT Security Incident 2016
.i co
b
Teman Ahok
oo
a h
DDoS Attack
s
Didiet Kusumadihardja - didiet@arch.web.id
Motive: Politics?
12
m
Indonesia IT Security Incident 2016
.i co
Videotron
o b
Kebayoran Baru
ho
Jakarta Selatan
s a
Didiet Kusumadihardja - didiet@arch.web.id
Motive: Curiosity?
13
o m
.i c IT Security
o b Trends
ho Gak Perlu
s a Pinter Buat
Hacking
Didiet Kusumadihardja - didiet@arch.web.id
Source: Carnegie Mellon University
14
m
Hacking Tools Example
.i c o
o b
ho
s a Cain & Abel
Kali Linux
Didiet Kusumadihardja - didiet@arch.web.id
15
o m
.i cCybercrime as
o b a Service (CaaS)
ho
s a Modern Business
o m
.i c
How Hackers
o b
do it?
ho
s a
Didiet Kusumadihardja - didiet@arch.web.id
17
m
Hacking Phase
.i c o
b
1.Reconnaissance
2.Scanning
oo
3.Gaining Access
a h
4.Maintaining Access
5.Clearing Tracks s
Didiet Kusumadihardja - didiet@arch.web.id
Source: Ethical Hacking by EC-Council
18
m
Hacking Phase (Cont’d)
.i c o
b
1.Reconnaissance
Information Gathering Device Type
o
OS Detail Open Port
2.Scanning
o
Application Vulnerability
Version
3.Gaining Access
a h Exploit Vulnerability
Backdoors
4.Maintaining Access
5.Clearing Tracks s
Didiet Kusumadihardja - didiet@arch.web.id
Escalate Privilege
Data harvesting
Delete/overwrite Event/Logs
19
m
Hacking Phase Analogy
.i co
b
1.Reconnaissance
2.Scanning
oo
3.Gaining Access
a h
4.Maintaining Access
5.Clearing Tracks s
Didiet Kusumadihardja - didiet@arch.web.id
20
m
When we fools them?
.i co
b
1.Reconnaissance
2.Scanning
oo
3.Gaining Access
a h
4.Maintaining Access
5.Clearing Tracks s
Didiet Kusumadihardja - didiet@arch.web.id
21
m
Why at Scanning Phase?
.i co
b
TELNET SSH
oo
a h
s
Didiet Kusumadihardja - didiet@arch.web.id
22
m
Scanning Tools
.i co
o b
ho The Dude
s a
Didiet Kusumadihardja - didiet@arch.web.id
23
o m
.i c
How to fools
o b
them?
ho
s a
Didiet Kusumadihardja - didiet@arch.web.id
24
m
Use a bait
.i co
o b
ho
Hacker
s a Bait
m
Web Server Example
.i c o
= o o b
a h
s
Web Server
HTTP HTTPS
Didiet Kusumadihardja - didiet@arch.web.id
26
m
Confuse your enemy
.i co
o b
o
HTTP HTTPS
a h
s
Didiet Kusumadihardja - didiet@arch.web.id
27
m
Server Farm Network Example
.i
SERVER X c o
o b
ho
192.168.1.2 DNS Server
192.168.1.5 Web Server
192.168.1.10 DB Server
192.168.1.15 Mail Server
s a
Didiet Kusumadihardja - didiet@arch.web.id
192.168.1.0/24
28
m
Confuse your enemy
.i co
b
192.168.1.2 DNS Server
192.168.1.3 Fake Server 2
o
192.168.1.4 Fake Server 3
o
192.168.1.5 Web Server
192.168.1.6 Fake Server 4
h
192.168.1.7 Fake Server 5
a
192.168.1.8 Fake Server 6
192.168.1.9 Fake Server 7
s
192.168.1.10 DB Server
192.168.1.11 Fake Server 8
192.168.1.12 Fake Server 9
192.168.1.13 Fake Server 10
192.168.1.14 Fake Server 11
192.168.1.15 Mail Server 192.168.1.0/24
Didiet Kusumadihardja - didiet@arch.web.id
29
o m
.i c
How we do it
o b
with Mikrotik?
ho
s a
Didiet Kusumadihardja - didiet@arch.web.id
30
o m
.i c
b
NAT
o
(Network Address Translation)
o
a h
s
Didiet Kusumadihardja - didiet@arch.web.id
31
o m
.i c
b
Fake NAT
o
ho
s a
Didiet Kusumadihardja - didiet@arch.web.id
32
m
Fake Ports at your Web Server
.i c o
b
HTTP & HTTPS to
Legitimate Server
oo
a h
s
Other Ports to
Fake Server
m
Simple NAT for Web Server
.i c o
NAT (Port Mapping)
INTERNET
o b
ho
ROUTER s
WEB SERVER
192.168.2.3
a
Didiet Kusumadihardja - didiet@arch.web.id Chain Action
34
m
Add Additional NAT for Bait
Chain Action
.i co
o b
o
Web Server
h
192.168.2.3 Fake Server
a
(Honey Pot)
s
192.168.2.4
m
Fake Server at your Server Farm Network
.i co
b
Only one legitimate
server
oo
a h
s
Others are Fake Server
m
Another Example
Chain Action
.i c o
o b
ho Web Server Fake Server
a
192.168.2.3 (Honey Pot)
s
192.168.2.4
m
Combine with Honey Pot
.i c o
o b
ho
KFSensor
s a
Didiet Kusumadihardja - didiet@arch.web.id Others HoneyPot: Honeyd, Kippo, Dionaea, Nepenthes
38
m
What Hacker See (NMAP)
.i co
b
Nmap / Zenmap
oo
a h
sBefore
Didiet Kusumadihardja - didiet@arch.web.id
After
39
m
What Hacker See (SoftPerfect NetScan)
.i co
o b
ho
s
Before
a After
Didiet Kusumadihardja - didiet@arch.web.id
40
m
I don’t want to use HoneyPot
Step 1: Chain
.i co
b
Step 2: Action
oo
a h
s
Didiet Kusumadihardja - didiet@arch.web.id
41
m
What we see, If someone PING
.i co
o b
ho
s a SRC-MAC ADDRESS
SRC-IP ADDRESS
Didiet Kusumadihardja - didiet@arch.web.id
42
m
What we see, If someone NMAP
.i c o
o b Mikrotik LOG:
ho
s a
Didiet Kusumadihardja - didiet@arch.web.id
43
m
The Dude, Hotspot & Userman
.i co
o b
ho
s a
IP Address MAC Address User ID Person
Didiet Kusumadihardja - didiet@arch.web.id
44
m
Use Case 1
.i co
o b
ho University
Internet Café
(WARNET) s a Insider Threat
m
Use Case 2
http://public.honeynet.id
.i c o
o b
ho
a
Research
Analytics
(Low Interaction Honeypot)
s
Didiet Kusumadihardja - didiet@arch.web.id
For Fun
Learn hacking method
from hacker / script kiddies
(High Interaction Honeypot)
46
o m
DIDIET KUSUMADIHARDJA
Thank you
.i c
.
o b
.
ho
Question?
s a didiet@arch.web.id
http://didiet.arch.web.id/
https://www.facebook.com/ArchNetID/
Didiet Kusumadihardja - didiet@arch.web.id