
Department of Information Technology Application
E-Government Centre

Attack methods

Cao Hoàng Nam


Attack methods
• Reconnaissance, scanning and information-gathering methods
• Common types of attack
• Information security assessment
• Information security vulnerability assessment
• Penetration testing
• Patch management
High-profile cyber attacks in recent times

• Chinese hackers attack Philippine websites


• According to ABS-CBN News, on 11 May a total of 7 Philippine websites, including 2 websites of the country's government, were taken down and defaced by hackers. The hackers replaced the sites' pages with the words “HACKED BY CHINESE”.
High-profile cyber attacks in recent times
• On 9 May, just two days after Russian President Vladimir Putin was sworn in, the well-known hacker group Anonymous announced on Twitter that it had taken down the Russian government portal (at www.kremlin.ru), and stated that it would carry out further similar attacks on the country's government websites.
• One day earlier, on 8 May, an anonymous hacker group used a DDoS (denial-of-service) attack against the website of Virgin Media, one of the largest Internet service providers in the UK.
• Two Norwegian hackers were caught by the UK's serious crime agency (SOCA), a body with a role equivalent to the FBI (the US Federal Bureau of Investigation), after attacking the agency's website. SOCA's website was paralysed for several hours, disrupting much of the agency's work and putting SOCA's confidential documents at high risk of being “leaked”.
High-profile attacks on the Vietnamese Internet in the past year
• HVA, a forum specialising in hacking and security, was the victim of 2 denial-of-service (DDoS) attacks in June 2011. In the early hours of 5 June 2011, many members of the forum reported that access was difficult or entirely impossible. The same day, the HVA administrators issued an official notice about the incident, according to which HVA had experienced a sudden surge in traffic (up to 2.5 Gbps) that saturated the entire link to the server.
• June 2011 was also the time when a string of websites under the .gov.vn domain (websites of ministries and government agencies) were hacked. According to statistics from the Ministry of Information and Communications, 329 websites under .gov.vn domains had fallen victim to attacks as of December 2011. In addition, many websites under the .org.vn domain became targets of similar attacks.
• The Vietnamnet website went through many incidents during the past year. At the start of the year (4 January 2011), a denial-of-service attack aimed at Vietnamnet left the site congested for many hours, causing difficulty for millions of readers.
Reconnaissance, scanning and information-gathering methods
• Footprinting
• Scanning Networks
• Enumeration
• Sniffing
• Social Engineering
What is Footprinting
Why Footprinting
• Know Security Posture: Performing footprinting on the target
organization in a systematic and methodical manner gives the
complete profile of the organization’s security posture.
• Reduce Attack Area: by using a combination of tools and
techniques, attackers can take an unknown entity (for example
XYZ organization) and reduce it to a specific range of domain
names, network blocks, and individual IP addresses of systems
directly connected to the Internet, as well as many other
details pertaining to its security posture
Why Footprinting
• Build information database: a detailed footprint provides
maximum information about the target organization. Attackers
can build their own information database about security
weakness of the target organization. This database can then be
analyzed to find the easiest way to break into the
organization’s security perimeter.
• Draw network map: combining footprinting techniques with
tools such as Tracert allows the attacker to create network
diagrams of the target organization’s network presence. This
network map represents their understanding of the target’s
Internet footprint. These network diagrams can guide the
attack.
Objectives of Footprinting
Footprinting Methodology
Overview of Network Scanning
Types of Scanning
• Port scanning: open ports and services
• Network scanning: IP addresses
• Vulnerability scanning: presence of known weaknesses
Objectives of Network Scanning
• Discovering live hosts, IP addresses, and open ports of the live hosts running on the network
• Discovering open ports: open ports are the best means to break into a system or network; by discovering open ports on the target organisation's network you can find easy ways to break into it
Objectives of Network Scanning
• Discovering the operating system and system architecture of the targeted system: this is also referred to as fingerprinting. Here the attacker tries to launch the attack based on the operating system's vulnerabilities.
• Identifying vulnerabilities and threats: vulnerabilities and threats are the security risks present in any system. You can compromise the system or network by exploiting these vulnerabilities and threats.
• Detecting the network service associated with each port
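The scanning objectives above are what a defender sees from the other side: one source touching many ports in a short time. As an added example (not part of the slides), the Python below parses netfilter-style firewall log lines and flags sources that hit many distinct ports within a sliding window. The log format, addresses, ports and timestamps are constructed sample data, and the threshold and window are assumptions to tune per network.

```python
"""Port-scan detection over firewall log lines.

Added example, not from the slides. The lines imitate netfilter "LOG"
target output (SRC=/DST=/DPT= fields); every address, port and
timestamp is constructed sample data.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return a dict for a recognised log line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),  # year is irrelevant for windowing
        "src": m["src"],
        "dst": m["dst"],
        "dpt": int(m["dpt"]),
    }


def detect_port_scans(lines, threshold=10, window_seconds=60):
    """Flag sources that touch >= threshold distinct (dst, port) pairs inside the window.

    A normal client talks to a handful of ports; a scanner sweeps many in a short time.
    Returns {src: {"distinct_ports": n, "first": datetime, "last": datetime}}.
    """
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            events[ev["src"]].append(ev)

    alerts = {}
    for src, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        window = deque()   # events inside the sliding time window
        seen = Counter()   # (dst, port) -> occurrences inside the window
        for ev in evs:
            window.append(ev)
            seen[(ev["dst"], ev["dpt"])] += 1
            # Drop events that have fallen out of the window.
            while (ev["ts"] - window[0]["ts"]).total_seconds() > window_seconds:
                old = window.popleft()
                key = (old["dst"], old["dpt"])
                seen[key] -= 1
                if seen[key] == 0:
                    del seen[key]
            if len(seen) >= threshold:
                alert = alerts.setdefault(
                    src, {"distinct_ports": 0, "first": window[0]["ts"], "last": ev["ts"]})
                alert["distinct_ports"] = max(alert["distinct_ports"], len(seen))
                alert["last"] = ev["ts"]
    return alerts


def build_sample_log():
    """Constructed sample: one host sweeping ports 20-39, one ordinary HTTPS client."""
    lines = []
    for i, port in enumerate(range(20, 40)):
        lines.append(f"Jun 05 01:02:{i:02d} fw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 "
                     f"PROTO=TCP SPT={40000 + i} DPT={port} SYN")
    for i in range(5):
        lines.append(f"Jun 05 01:03:{i * 10:02d} fw kernel: IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 "
                     f"PROTO=TCP SPT={51000 + i} DPT=443 SYN")
    lines.append("Jun 05 01:04:00 fw kernel: IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 "
                 "PROTO=TCP SPT=51010 DPT=80 SYN")
    lines.append("Jun 05 01:04:01 fw sshd[123]: unrelated line that the parser must ignore")
    return lines


if __name__ == "__main__":
    for src, info in detect_port_scans(build_sample_log()).items():
        print(f"possible port scan from {src}: {info['distinct_ports']} ports "
              f"between {info['first'].time()} and {info['last'].time()}")
```

Counting distinct (destination, port) pairs rather than raw packets keeps a busy but legitimate client (many connections to one port) from being flagged, while a slow scan is caught by widening the window.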
Scanning Methodology
What is Enumeration
• Enumeration is defined as the process of extracting user
names, machine names, network resources, shares, and
services from a system.
• In the enumeration phase, the attacker creates active
connections to the system and performs directed queries to
gain more information about the target.
• The attacker uses the gathered information to identify the
vulnerabilities or weak points in system security and then tries
to exploit them.
Techniques for Enumeration
• Extract user names using email IDs: every email ID contains two parts; one is the user name and the other is the domain name. For example, in abc@gmail.com, abc is the user name and gmail.com is the domain name.
• Extract information using default passwords: many online resources provide lists of the default passwords assigned by manufacturers to their products. Users often forget to change the default passwords provided by the manufacturer or developer of the product. If users don't change their passwords for a long time, attackers can easily enumerate their data.
Techniques for enumeration
• Brute-force Active Directory: Microsoft Active Directory is susceptible to a user-name enumeration weakness at the time of user-supplied input verification. This is the consequence of a design error in the application. If the “logon hours” feature is enabled, attempts to authenticate to the service result in varying error messages. Attackers take advantage of this and exploit the weakness to enumerate valid user names. If successful, the attackers can then conduct a brute-force attack to reveal the respective passwords.
• Extract user names using SNMP: attackers can easily guess the community “strings” and, through the SNMP API, extract the required user names.
Techniques for enumeration
• Extract user groups from Windows: these tools extract user accounts from specified groups, store the results, and also verify whether the session accounts are in the group or not.
• Extract information using DNS zone transfer: a DNS zone transfer reveals a lot of valuable information about the particular zone you request. When a zone transfer request is sent to the DNS server, the server transfers its DNS records for that zone. An attacker can obtain valuable topological information about a target's internal network using DNS zone transfer.
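Because a zone transfer hands out the whole zone, a defender wants to know when any host other than the authorised secondaries asks for one. As an added example (not part of the slides), the Python below scans query-log lines shaped like a BIND query log for AXFR/IXFR requests and reports those from hosts outside an allow-list. The addresses, zone and the ALLOWED_SECONDARIES policy are constructed assumptions.

```python
"""Spot zone-transfer requests from hosts that are not authorised secondaries.

Added example, not from the slides. The log lines imitate the shape of a
BIND query log (client address, zone, query type); addresses and zone are
constructed sample data, and ALLOWED_SECONDARIES is a hypothetical policy.
"""
import re

QUERY_RE = re.compile(
    r"client (?:@\S+ )?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+(?: \([^)]*\))?: "
    r"query: (?P<zone>\S+) IN (?P<qtype>[A-Z]+)"
)

# Constructed policy: the only hosts that may pull a full copy of each zone.
ALLOWED_SECONDARIES = {"example.com": {"192.0.2.53"}}

# Constructed sample log: one legitimate transfer, one ordinary lookup,
# and two transfer requests from a host that is not a secondary.
SAMPLE_LOG = """\
05-Jun-2011 01:00:01.001 client 192.0.2.53#53012 (example.com): query: example.com IN AXFR -E (192.0.2.1)
05-Jun-2011 01:00:05.120 client 198.51.100.8#40211 (www.example.com): query: www.example.com IN A -E (192.0.2.1)
05-Jun-2011 01:00:09.404 client 203.0.113.7#41002 (example.com): query: example.com IN AXFR -E (192.0.2.1)
05-Jun-2011 01:00:12.900 client 203.0.113.7#41003 (example.com): query: example.com IN IXFR -E (192.0.2.1)
not a query log line at all
"""


def find_unauthorised_transfers(lines, allowed=ALLOWED_SECONDARIES):
    """Return (client_ip, zone, qtype) for AXFR/IXFR requests from hosts outside the allow-list."""
    findings = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m or m["qtype"] not in ("AXFR", "IXFR"):
            continue
        zone = m["zone"].rstrip(".").lower()   # normalise trailing dot and case
        if m["ip"] not in allowed.get(zone, set()):
            findings.append((m["ip"], zone, m["qtype"]))
    return findings


if __name__ == "__main__":
    for ip, zone, qtype in find_unauthorised_transfers(SAMPLE_LOG.splitlines()):
        print(f"{qtype} request for {zone} from unauthorised host {ip}")
```

Detection is the second line of defence; the first is restricting transfers at the server (in BIND, an allow-transfer list naming only the secondaries, ideally combined with TSIG-signed transfers), so that a request from an unexpected host is refused as well as logged.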
Services and Ports to Enumeration
Packet Sniffing
Sniffing Threats
How a Sniffer works
Types of Sniffing Attacks
• MAC flooding: a sniffing attack that floods the network switch with data packets, disrupting the usual sender-to-recipient flow that relies on MAC addresses. The data, instead of passing from sender to recipient, is blasted out across all the ports. Thus attackers can monitor the data across the network.
• DNS poisoning: a process in which the user is misdirected to a fake website by providing fake data to the DNS server. The website looks similar to the genuine site but is controlled by the attacker.
• ARP poisoning: an attack in which the attacker tries to associate his/her own MAC address with the victim's IP address so that traffic meant for that IP address is sent to the attacker.
Types of Sniffing Attacks
• DHCP attacks:
– DHCP starvation: attacking a DHCP server by sending a large number of requests to it
– Rogue DHCP server attack: the attacker sets up a rogue DHCP server to impersonate a legitimate DHCP server on the LAN; the rogue server can start issuing leases to the network's DHCP clients. Information provided to the clients by this rogue server can disrupt their network access, causing DoS.
• Password sniffing: a method used to steal passwords by monitoring the traffic that moves across the network and pulling out data, including the data containing passwords. After obtaining passwords, attackers can gain control over the network, access user accounts and sensitive material.
Types of Sniffing Attacks
• Spoofing attacks: the attacker successfully pretends to be someone else by falsifying data and thereby gains access to restricted resources or steals personal information. The attacker can use the victim's IP address illegally to access their accounts, send fraudulent emails, set up a fake website for acquiring sensitive information, or set up fake wireless access points and entice legitimate users to connect through the illegitimate connection.
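The ARP-poisoning entry above describes the attacker binding their own MAC address to a victim's IP; on the wire that shows up as an IP whose MAC suddenly changes, or as one MAC answering for many IPs. As an added example (not part of the slides), the Python below runs both checks over a list of observed ARP replies. The reply records, the KNOWN_BINDINGS table and the per-MAC limit are constructed assumptions, standing in for what a sniffer or a switch's ARP inspection feature would report.

```python
"""Detect ARP-cache poisoning symptoms from observed ARP replies.

Added example, not from the slides. The replies are constructed sample
records (timestamp, sender IP, sender MAC) as a sniffer would report them;
KNOWN_BINDINGS is a hypothetical table of addresses that must never
change, such as the default gateway.
"""
from collections import defaultdict

# Constructed static bindings the monitor trusts (e.g. from a reservation list).
KNOWN_BINDINGS = {"192.0.2.1": "aa:bb:cc:00:00:01"}   # default gateway

# Constructed ARP replies: the gateway answers normally, then a second
# host starts claiming the gateway's IP and several other addresses.
SAMPLE_REPLIES = [
    (1.0, "192.0.2.1",  "aa:bb:cc:00:00:01"),
    (1.5, "192.0.2.20", "aa:bb:cc:00:00:20"),
    (2.0, "192.0.2.1",  "aa:bb:cc:00:00:99"),   # gateway IP now claimed by another MAC
    (2.2, "192.0.2.20", "aa:bb:cc:00:00:99"),   # same MAC also claims a client IP
    (2.4, "192.0.2.21", "aa:bb:cc:00:00:99"),
    (2.6, "192.0.2.22", "aa:bb:cc:00:00:99"),
]


def detect_arp_anomalies(replies, known=KNOWN_BINDINGS, max_ips_per_mac=2):
    """Return a list of alert dicts.

    Two symptoms are checked:
      * an IP's MAC differs from a trusted static binding or from what was seen before;
      * one MAC claims more distinct IPs than a normal host should.
    """
    alerts = []
    seen_mac_for_ip = dict(known)     # start from the trusted table
    ips_per_mac = defaultdict(set)
    flagged_macs = set()
    for ts, ip, mac in replies:
        mac = mac.lower()
        previous = seen_mac_for_ip.get(ip)
        if previous is not None and previous != mac:
            alerts.append({"ts": ts, "kind": "binding_change", "ip": ip,
                           "old_mac": previous, "new_mac": mac, "trusted": ip in known})
        # Learn dynamic bindings, but never let a reply overwrite a trusted entry,
        # so repeated poisoning of the gateway keeps alerting.
        seen_mac_for_ip[ip] = known[ip] if ip in known else mac
        ips_per_mac[mac].add(ip)
        if len(ips_per_mac[mac]) > max_ips_per_mac and mac not in flagged_macs:
            flagged_macs.add(mac)
            alerts.append({"ts": ts, "kind": "mac_claims_many_ips", "mac": mac,
                           "ips": sorted(ips_per_mac[mac])})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_REPLIES):
        print(alert)
```

The same two signals are what switch features such as dynamic ARP inspection and tools like arpwatch act on; the value of a static table for the gateway is that a poisoned binding can be detected on the very first forged reply rather than after a change is noticed.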
What is Social Engineering
Behaviors vulnerable to Attack
Factors that make companies vulnerable to
attack
Why is Social Engineering effective?
Phases in Social Engineering attack
Common types of attack
• Denial of Service
• Session Hijacking
• Hacking Webservers
• SQL Injection
• Buffer Overflow
What is a Denial of Service attack?
What are Distributed Denial of Service
attacks?
How Distributed Denial of Service attacks
work
Symptoms of Denial of Service attack
DoS attack Techniques
What is Session Hijacking?
Dangers posed by Hijacking
Why Session Hijacking successful
Key Session Hijacking Techniques
• Brute forcing: involves making thousands of requests using all the available session IDs until the attacker succeeds. This technique is comprehensive but time-consuming.
• Stealing: the attacker uses various techniques to steal session IDs. The techniques may include installing trojans on client PCs, sniffing network traffic, etc.
• Calculating: where IDs are generated non-randomly, the attacker tries to calculate the session IDs. The number of attempts needed to retrieve the session ID of the user or client depends on the key space of the session IDs. Therefore, the probability of success of this type of attack can be calculated from the size and key space of the session IDs.
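The "brute forcing" and "calculating" entries both come down to the key space of the session ID, so a defender can put numbers on the risk: bits of key space, expected guesses, and whether the IDs are sequential (in which case calculation beats brute force). As an added example (not part of the slides), the Python below computes those figures for a constructed 6-digit numeric scheme and contrasts it with IDs from the OS CSPRNG; the guesses-per-second rate is a hypothetical figure used only to convert attempts into time.

```python
"""Estimate how guessable a session-ID scheme is, and generate a sound one.

Added example, not from the slides. The two ID samples are constructed; the
'guesses per second' figure is a hypothetical rate used only to turn a key
space into an expected time.
"""
import math
import secrets


def key_space_bits(alphabet_size, length):
    """Bits of key space for IDs of `length` symbols drawn from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def expected_attempts(alphabet_size, length):
    """On average a brute-force search succeeds after half the key space."""
    return alphabet_size ** length // 2


def expected_seconds(alphabet_size, length, guesses_per_second):
    """Expected time to brute-force one valid ID at the given guess rate."""
    return expected_attempts(alphabet_size, length) / guesses_per_second


def looks_sequential(ids):
    """True if numeric IDs increase by a constant step: then 'calculating' beats brute force."""
    try:
        values = [int(i) for i in ids]
    except ValueError:
        return False           # non-numeric IDs cannot be a simple counter
    if len(values) < 3:
        return False
    steps = {b - a for a, b in zip(values, values[1:])}
    return len(steps) == 1 and steps.pop() != 0


def new_session_id(nbytes=32):
    """256 bits from the OS CSPRNG, URL-safe base64: neither calculable nor brute-forceable."""
    return secrets.token_urlsafe(nbytes)


# Constructed samples of the two schemes.
WEAK_IDS = ["100245", "100246", "100247", "100248"]   # 6 decimal digits, incremented
STRONG_IDS = [new_session_id() for _ in range(4)]

if __name__ == "__main__":
    print(f"6-digit numeric IDs: {key_space_bits(10, 6):.1f} bits, "
          f"~{expected_seconds(10, 6, 1000):.0f} s at 1000 guesses/s, "
          f"sequential={looks_sequential(WEAK_IDS)}")
    print(f"token_urlsafe(32): {key_space_bits(2, 256):.0f} bits, "
          f"sequential={looks_sequential(STRONG_IDS)}")
```

The point of the numbers is the gap: a 6-digit counter has under 20 bits and is calculable outright, whereas 256 random bits make the expected attempt count astronomically large, which is why frameworks draw session IDs from a CSPRNG rather than from counters or timestamps.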
Why Webservers are compromised
Impact of Webserver attacks
Webserver attack methodology
• Information gathering: every attacker tries to collect as much information as possible about the target web server. Once the information is gathered, the attacker analyses it in order to find security lapses in the current mechanisms on the web server.
• Web server footprinting: gathering more information about the security aspects of a web server with the help of tools or footprinting techniques. The main purpose is to learn about its remote access capabilities, its ports and services, and the aspects of its security.
• Mirroring website: a method of copying a website and its content onto another server for offline browsing.
Webserver attack methodology
• Vulnerability scanning: a method of finding the various vulnerabilities and misconfigurations of a web server. It is done with the help of automated tools known as vulnerability scanners.
• Session hijacking: possible once the current session of the client is identified. The attacker takes complete control of the user session by means of session hijacking.
• Hacking web server passwords: attackers use various password-cracking methods, such as brute-force attacks, hybrid attacks, dictionary attacks, etc., to crack web server passwords.
What is SQL Injection
SQL Injection attacks
Types of SQL Injection
• Blind SQL injection: wherever there is a web application vulnerability, blind SQL injection can be used either to access sensitive data or to destroy the data. The attacker can steal the data by asking a series of true-or-false questions through SQL statements.
Types of SQL Injection
• Simple SQL injection: the script builds a SQL query by concatenating hard-coded strings together with a string entered by the user. There are two types:
• UNION SQL injection: used when the attacker makes use of the UNION command. The attacker checks for the vulnerability by adding a tick (single quote) to the end of a “.php?id=” parameter.
• Error-based SQL injection: the attacker makes use of the database-level error messages disclosed by an application. This is very useful for building a vulnerability exploit request.
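The "simple SQL injection" description above, a query built by concatenating user input, is best understood next to its fix. As an added example (not part of the slides), the Python below runs both forms against an in-memory SQLite table: the concatenated query accepts a constructed input that closes the quote and comments out the password check, while the parameterised query treats the same input as plain data. The table, credentials and injected string are all constructed.

```python
"""String-built SQL beside the parameterised form, run against SQLite.

Added example, not from the slides. The user table, credentials and the
injected input are constructed; sqlite3 from the standard library stands
in for the application's database.
"""
import hashlib
import sqlite3


def hash_pw(password):
    # Illustrative only: a real system stores a salted, slow hash (PBKDF2/bcrypt/argon2).
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", hash_pw("correct horse")))
    return conn


def vulnerable_login(conn, username, password):
    """Builds the query by concatenating user input: the 'simple SQL injection' pattern."""
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password_hash = '" + hash_pw(password) + "'")
    return conn.execute(query).fetchone() is not None


def safe_login(conn, username, password):
    """Same check with bound parameters: the input is data, never part of the SQL text."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, hash_pw(password)),
    ).fetchone()
    return row is not None


# Constructed malicious username: closes the quote, makes the WHERE clause
# always true, and comments out the password comparison.
INJECTED_USERNAME = "' OR 1=1 --"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, injected input:", vulnerable_login(conn, INJECTED_USERNAME, "wrong"))
    print("safe, injected input:      ", safe_login(conn, INJECTED_USERNAME, "wrong"))
    print("safe, real credentials:    ", safe_login(conn, "alice", "correct horse"))
```

In the concatenated form the resulting SQL text is `... WHERE username = '' OR 1=1 --' AND password_hash = '...'`, so the database returns the first user regardless of password; with placeholders the driver never lets the input alter the statement's structure, which is the fix the slides' "hacking web server passwords" and UNION/error-based variants all share.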
Buffer Overflow
Why are programs and applications
vulnerable to Buffer overflow
An example of Buffer overflow
• In a C program:
#include <stdio.h>
#include <string.h>   /* strcpy is declared here */

int main(int argc, char **argv)
{
    char target[5] = "TTTT";            /* 4 characters plus the terminating NUL */
    char attacker[11] = "AAAAAAAAAA";   /* 10 characters plus the terminating NUL */
    /* 15 bytes (14 characters plus NUL) are copied into an 11-byte buffer.
       strcpy performs no bounds check, so the excess bytes overwrite whatever
       sits next to attacker[] on the stack; on many compilers that is target[]. */
    strcpy(attacker, " DDDDDDDDDDDDD");
    printf("%s\n", target);
    return 0;
}
An example of Buffer overflow
Information security assessment
Security Assessment
Security assessment categories:
1. Security audits
2. Vulnerability assessments
3. Penetration testing
Security Audits
• IT security audits focus on the people and processes used to design, implement and manage security on a network
• This is a baseline for the processes and policies within an organisation
• IT management usually initiates IT security audits
• In computing, a security audit is a technical assessment of a system or application, done manually or automatically
Security Audits
• Perform a manual assessment by using the following techniques:
– Interviewing the staff
– Reviewing application and operating system access controls
– Analysing physical access to the systems.
• Perform an automatic assessment by using the following techniques:
– Generating audit reports
– Monitoring and reporting changes in the files
Vulnerability Assessment
• Vulnerability assessment is a basic type of security assessment.
• It helps you find known security weaknesses by scanning a network
• Scanning tools search network segments for IP-enabled devices and enumerate systems, operating systems and applications.
• Vulnerability scanners also identify common security mistakes such as accounts with weak passwords, files and folders with weak permissions, default services and applications that need to be uninstalled, and mistakes in security configuration
Vulnerability Assessment
Limitations of Vulnerability Assessment
Penetration Testing
Why Penetration Testing
Comparing Security Audits, Vulnerability
Assessment and Penetration Testing
What should be tested
What makes a good penetration testing
External Penetration Testing
Internal Penetration Testing
Automated Testing
Manual Testing
Penetration Testing Techniques
Phases of Penetration Testing
• Pre-attack Phase: focus on gathering as much information as
possible about the target organization or network to be
attacked.
• Attack Phase: information gathered in the pre-attack phase
forms the basis of the attack strategy.
• Post-attack Phase: tester needs to restore the network to its
original state. This involves cleanup of testing processes and
removal of vulnerabilities created (not those that existed
originally).
Patch Management
• According to the CERT Coordination Center (Computer
Emergency Response Team/CC), thousands of software
vulnerabilities are discovered and reported every year.
• A flexible and responsive security patch management process
has become a critical component in the maintenance of
security on any information system.
• As more and more software vulnerabilities are discovered and
therefore need updates and patches, it is essential that system
administrators manage the patching process in a systematic
and controlled way.
Patch Management
• According to statistics published by CERT/CC, the number of
annual vulnerabilities catalogued has continued to rise, from 345 in
1996, to 8,064 in 2006. Put another way, identifiable software
vulnerabilities have increased more than 20 times over the last
decade.
• Attackers are able to take advantage of newly discovered
vulnerabilities in less time than ever.
• It has been shown that the amount of time between the discovery of
a software vulnerability and corresponding attacks has been steadily
decreasing.
• There is also an increasing trend towards attack tools that exploit
newly discovered vulnerabilities appearing well before any
corresponding patch is released by the software vendor to fix a
problem. This situation is generally known as a “zero-day attack”.
Patch Management
• To avoid attacks through known issues or vulnerabilities,
organisations should make sure all IT system administrators
are fully up to date with the latest security patch/hot-fix
releases from their software vendors.
• Patches and updates should be reviewed regularly and applied
to the operating system and/or applications that make up the
organisation’s information systems.
• To accomplish this, the patching process should be managed in
a systematic and controlled way.
Patch management
• Successful patch management requires a robust and systematic process.
• This process, the Patch Management Lifecycle, involves a number of key steps:
– preparation,
– vulnerability identification and patch acquisition,
– risk assessment and prioritisation,
– patch testing,
– patch deployment and verification.
Preparation
• Create and maintain a hardware and software inventory:
– System administrators should create and maintain a clear inventory
record of all hardware equipment and software packages, along with
version numbers of those software packages most used within the
organisation.
– This inventory will help system administrators better monitor and
identify vulnerabilities and patches that are applicable across the
organisation.
• Standardise configurations:
– Standard configurations should be created and maintained for every
major group of IT resources, such as user workstations and file servers.
– Standardised configurations can simplify the patch testing and
application updating process, and will reduce the amount of
time/labour devoted to patch management.
Preparation
• Educate users:
– Information security is everybody’s business and an effective
patching process cannot be implemented without the cooperation
and participation of end-users across the organisation.
– Users should be made aware of the importance of IT security
and patch management as part of their daily work process.
– If sufficient training is provided to end-users, they can often
perform lightweight patching on their own workstations, which
will reduce the workload on system administrators around basic
patch management.
Vulnerability identification and patch
acquisition
• There are a number of information resources available to
system administrators in order to monitor vulnerabilities and
patches that may be applicable to their installed hardware and
software systems.
• Product vendor websites and mailing lists:
– Direct and reliable resources for system administrators on vulnerability
and patch related information for specific products.
– Many large vendors also maintain support mailing lists that enable
them to broadcast notifications of vulnerabilities, patches and updates
to subscribers via email.
– However, vendors sometimes do not report new vulnerabilities straight
away, as they may not wish to report a specific vulnerability until a
patch is available.
Vulnerability identification and patch
acquisition
• Third-party security advisory websites:
– A third-party security advisory website is one that is not affiliated with
any one vendor, and may sometimes provide more detailed information
about vulnerabilities that have been discovered.
– These websites may cover a large number of products and report new
vulnerabilities ahead of the product vendors because, as mentioned,
some vendors may choose to hold a vulnerability notification until a
patch is available.
– Not all websites are reliable; system administrators should carefully choose the best ones.
Risk assessment and prioritisation
• Timely response is critical to effective patch management.
With limited resources, system administrators may need to
prioritise the deployment of new patches, performing a risk
assessment to determine which systems should be patched
first. In general, this prioritisation should be based on the
following criteria:
– Threat: A threat is any potential direct danger to information systems.
– Vulnerability: It could be a flawed software service running on a
server, or unnecessary open ports, and so on.
– Criticality: This is a measure of how important or valuable a system is
to business operations.
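The three criteria above (threat, vulnerability, criticality) only help if they are turned into a repeatable ordering of the patch backlog. As an added example (not part of the slides), the Python below scores each pending patch on those three criteria, ranks the backlog, and maps the score to a response deadline. The five-point scales, the systems in the backlog and the deadline tiers are constructed assumptions rather than a published standard.

```python
"""Rank pending patches by threat, vulnerability and criticality.

Added example, not from the slides. The five-point scales, the systems and
the response-time tiers are constructed assumptions, not a published
standard; the three criteria are the ones listed on the slide.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PendingPatch:
    system: str
    patch_id: str
    threat: int         # 1-5: exploit public? being used in the wild?
    vulnerability: int  # 1-5: is the flawed component exposed (Internet-facing, open port)?
    criticality: int    # 1-5: how important the system is to business operations


def risk_score(p):
    """Multiplicative score so that a flaw on an exposed, critical system dominates."""
    for v in (p.threat, p.vulnerability, p.criticality):
        if not 1 <= v <= 5:
            raise ValueError(f"score out of range for {p.system}: {v}")
    return p.threat * p.vulnerability * p.criticality


def response_tier(score):
    """Constructed SLA tiers mapping a score (1-125) to a deadline in days."""
    if score >= 60:
        return "emergency", 2
    if score >= 27:
        return "high", 7
    if score >= 8:
        return "medium", 30
    return "low", 90


def prioritise(patches):
    """Return (patch, score, tier, days) most urgent first; ties broken by criticality, then name."""
    ranked = []
    for p in patches:
        s = risk_score(p)
        tier, days = response_tier(s)
        ranked.append((p, s, tier, days))
    ranked.sort(key=lambda r: (-r[1], -r[0].criticality, r[0].system))
    return ranked


# Constructed backlog.
BACKLOG = [
    PendingPatch("intranet-wiki", "KB-0001", threat=2, vulnerability=2, criticality=2),
    PendingPatch("public-web-01", "KB-0002", threat=5, vulnerability=5, criticality=4),
    PendingPatch("hr-db",         "KB-0003", threat=3, vulnerability=2, criticality=5),
    PendingPatch("dev-laptop-7",  "KB-0004", threat=1, vulnerability=1, criticality=1),
]

if __name__ == "__main__":
    for p, s, tier, days in prioritise(BACKLOG):
        print(f"{p.system:14} {p.patch_id} score={s:3} {tier:9} deadline={days}d")
```

A multiplicative score is deliberate: a critical system with no exposure, or an exposed system nobody is attacking, should rank below a system where all three factors coincide, which an additive score would blur. The inventory from the "Preparation" step is what supplies the system list and its criticality values.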
Patch testing
• Patch testing is vital to ascertain whether or not a new patch
will affect the normal operation of any existing software. It is
important that this testing is performed on a mirror system that
has an identical or very similar configuration to the target
production system.
• In addition to identifying any unintended problems, patches
themselves should be tested to ensure that they have fully
patched the vulnerability.
Patch deployment and verification
• Patching vulnerabilities in a system may be as simple as
modifying a configuration setting, or it may require the
installation of a completely new version of the software.
• No single patch method can apply across all software
applications and operating systems.
• Product or application vendors may provide specific
instructions for applying security patches and updating their
products, and it is recommended that system administrators
read all the relevant documentation provided by vendors
before proceeding with patch installation.
Patch deployment and verification
• In addition, security patches should be deployed through an
established change control process.
• Before applying a new patch, administrators may want to
conduct a full backup of the system to be patched. This
enables a quick and easy restoration of the system to a
previous state if the patch has an unintended or unexpected
impact on the system.
• After the patch is deployed, system administrators and users
should verify that all systems and applications are functioning
normally, and that they comply with laid down security
policies and guidelines.

Thank you for your attention
