
Often when we find a vulnerability or misconfiguration in our own system we treat it as a small thing, because we do not react to it as a security hole. The tools and techniques crackers use are variations of the many attacks that have been carried out before. As a good network or system administrator, or as an end user, you should learn as much as you can from attacks that have already happened (even when they happened to other people) in order to avoid the next one. Knowing the types of attack is very important for keeping a system stable: you do not have to go to the trouble of installing a new system to make it more secure, you often only need a little patching or a configuration change. For some readers this paper may be very basic, but it does not hurt a professional to review the basics from time to time.

This article is not intended to teach attacking but surviving, because I believe that to survive you must know how to attack. The article covers attacks that crackers carry out frequently, and every attack has its own methods; IP spoofing alone, for example, has many of them, among which is the man-in-the-middle attack. For these reasons I will try to sketch the attacks that crackers commonly perform and that every administrator or end user should know about.

  • IP Spoofing

IP spoofing is also known as source address spoofing: the attacker forges the source IP address so that it appears to be the address of a host inside the network rather than one from outside. For example, an attacker with the class A address 66.25.xx.xx who attacks a network will present an address that appears to be part of the target network, say the class C address 192.xx.xx.xx. IP spoofing also occurs when an attacker 'diverts' packet routing to change the direction of the data or transmission to a different destination. Routing packets are usually transmitted in the clear, which makes it easy for the attacker to modify the origin or destination of the data. The technique is used not only by attackers but also by security professionals when tracing an attacker's identity.
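The standard defence against the forged source addresses described above is ingress filtering at the network edge: a packet whose source address is not plausible for the interface it arrived on is dropped. The following is an added example, not code from the original article, showing that check over a constructed two-segment topology; the interface names, prefixes and sample packets are assumptions made for the example.

```python
import ipaddress

# Constructed topology (assumption): "wan" is the upstream link; the other
# interfaces are internal segments with the prefixes that legitimately live there.
INTERFACE_PREFIXES = {
    "lan0": [ipaddress.ip_network("192.168.10.0/24")],
    "lan1": [ipaddress.ip_network("192.168.20.0/24")],
}
INTERNAL = [net for nets in INTERFACE_PREFIXES.values() for net in nets]

# Source ranges that never legitimately arrive from the Internet.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]

def classify_source(iface, src):
    """Return 'ok', or a short reason why this source address is not plausible
    for the interface it arrived on (ingress filtering in the spirit of BCP 38)."""
    addr = ipaddress.ip_address(src)
    if iface == "wan":
        # A packet from outside may not claim to come from one of our own hosts ...
        if any(addr in net for net in INTERNAL):
            return "internal-source-from-wan"
        # ... nor from a range that is not routable on the Internet.
        if any(addr in net for net in BOGONS):
            return "bogon-source-from-wan"
        return "ok"
    expected = INTERFACE_PREFIXES.get(iface)
    if expected is None:
        return "unknown-interface"
    # An internal host may only send with a source inside its own segment,
    # which stops our network being used as a source of spoofed packets.
    if not any(addr in net for net in expected):
        return "foreign-source-from-internal"
    return "ok"

def audit(packets):
    """packets: iterable of (interface, source_ip). Returns the offending ones."""
    findings = []
    for iface, src in packets:
        verdict = classify_source(iface, src)
        if verdict != "ok":
            findings.append((iface, src, verdict))
    return findings

# Constructed sample traffic for a stand-alone run.
SAMPLE = [
    ("wan", "203.0.113.7"),      # ordinary external source
    ("wan", "192.168.10.5"),     # claims to be one of our hosts: spoofed
    ("wan", "127.0.0.1"),        # loopback address from the Internet: spoofed
    ("lan0", "192.168.10.5"),    # internal host on its own segment
    ("lan0", "198.51.100.9"),    # internal host emitting a foreign source
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

The outbound rule (an internal host may only use its own segment's addresses) matters as much as the inbound one: it is what keeps your network from being the place the spoofed packets come from.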

  • FTP Attack

One of the attacks carried out against the File Transfer Protocol is a buffer overflow caused by a "malformed command". The usual goal of attacking the FTP server is to obtain a command shell or to cause a denial of service. A denial-of-service attack can eventually let a user or attacker consume resources on the network without authorization, while a command shell lets the attacker access the server system and its data files, so that in the end an anonymous attacker may obtain root access, and with it the right to manage the attacked network. Never or rarely updating and patching the server version is a mistake admins often make, and it is what leaves an FTP server open to being entered. An example is the popular FTP server of the UNIX family, WU-FTPD, which has been upgraded as often as twice a day to fix the conditions that allowed buffer overflows. Exploiting FTP is also useful to an attacker for learning the passwords held on the system, for FTP bounce attacks (using someone else's FTP server to carry out the attack), and for learning information about the system.

  • Unix Finger Exploit

In the early days of the Internet, the Unix finger utility was used to share information among users efficiently. Because asking for the information finger provides did not break any rules, most system administrators left the utility with very minimal security, or even none at all. For an attacker the utility is very valuable for footprinting, since it reveals login names and contact information. It also gives excellent information about user activity on the system: how long a user has been on the system and how heavily the system is used. The information finger generates reduces the effort a cracker needs to penetrate a system. The personal information about users that the finger daemon exposes is enough for an attacker with the right social skills to use social engineering to get users to 'tell' them passwords and access codes for the system.

  • Flooding and Broadcasting

An attacker can significantly reduce the speed of a network and of the hosts on it by continuously requesting information from its servers, the classic denial-of-service (DoS) attack. Sending an excessive number of requests to a single port is called flooding, and is sometimes also called spraying. When the flood of requests is sent to every station on the network, the attack is called broadcasting. The objective of both attacks is the same: to weaken the network resource that provides the information until it finally gives up.

Attackers often use flooding attacks to gain access to systems that are then used to attack other networks in a single attack called a Distributed Denial of Service (DDoS). The attack is called a smurf attack when it is sent via ICMP and a fraggle attack when it is run over UDP. A node (used as a tool) that amplifies broadcast traffic is often referred to as a smurf amplifier, and such amplifiers are very effective tools for flooding attacks. By spoofing the target network's address, an attacker can send a request to the smurf amplifier, and the amplifying network will send a response to every host on the target network; a single request made by the attacker thus produces the same work repeated across the whole target network, and the result is a denial of service that leaves no trace of the attacker.

These attacks can be anticipated by refusing directed broadcasts at the router. TCP-level flooding (mostly SYN attacks) was used in February 2000 to attack Yahoo!, eBay and others in a DDoS (Distributed Denial of Service) attack. A network that does not use a firewall to check TCP packets can normally be attacked this way. Some filtering functions on a firewall will usually be able to hold off a flooding attack from a single IP address, but attacks made via DDoS are difficult to prevent because, as we know, they regularly come from many different IP addresses. In practice one way to stop a DDoS attack is to return the packets to their original address, or else to shut down the network (usually done by a system that has suffered very severe damage).

  • Fragmented Packet Attacks

Internet data transmitted over TCP/IP can be divided into packets in which only the first packet carries the main header information (the head) of the TCP segment. Some firewalls will allow through fragments that do not contain the source address information of the first packet, which will cause some types of system to crash. For example, an NT server would crash if a fragmented packet rewrote the header information of a protocol's first packet. Fragmented packets can also be used for flooding attacks: because fragments are kept until the complete datagram has been reassembled, the server stores the fragments in kernel memory, and it will eventually crash if too many fragments are held in memory without ever being reunited.
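The two failure modes in this section, a fragment that overlaps and rewrites data already received, and a flood of fragments that are never completed, are both handled by a reassembler that refuses overlaps and works under a fixed memory budget. The following is an added example, not code from the original article, of such a reassembler in Python; the key format, the byte budget, the timeout and the sample fragments are assumptions for the example.

```python
import time

MAX_DATAGRAM = 65535  # IPv4 total-length limit; no fragment may claim space beyond it

class FragmentReassembler:
    """Reassembles fragmented datagrams under an explicit memory budget.

    key    identifies one datagram, e.g. (src, dst, protocol, identification)
    offset byte offset of the fragment inside the datagram
    more   True if further fragments follow (the IP "more fragments" flag)
    """

    def __init__(self, max_total_bytes=64 * 1024, timeout=30.0):
        self.max_total_bytes = max_total_bytes
        self.timeout = timeout
        self.pending = {}        # key -> {"frags": {offset: bytes}, "total": int|None, "first": float}
        self.held_bytes = 0
        self.dropped = {"overlap": 0, "oversize": 0, "timeout": 0, "memory": 0}

    def _discard(self, key, reason):
        entry = self.pending.pop(key)
        self.held_bytes -= sum(len(p) for p in entry["frags"].values())
        self.dropped[reason] += 1

    def _expire(self, now):
        stale = [k for k, e in self.pending.items() if now - e["first"] > self.timeout]
        for key in stale:
            self._discard(key, "timeout")     # never wait forever for a missing piece

    def add(self, key, offset, more, payload, now=None):
        """Feed one fragment; return the reassembled datagram when complete, else None."""
        now = time.monotonic() if now is None else now
        self._expire(now)
        end = offset + len(payload)
        if end > MAX_DATAGRAM:
            if key in self.pending:
                self._discard(key, "oversize")
            else:
                self.dropped["oversize"] += 1
            return None
        entry = self.pending.setdefault(key, {"frags": {}, "total": None, "first": now})
        # A fragment that overlaps data already held (for example a rewritten first
        # fragment) is not something a well-behaved stack sends: drop the datagram.
        for off, data in entry["frags"].items():
            if offset < off + len(data) and off < end:
                self._discard(key, "overlap")
                return None
        entry["frags"][offset] = payload
        self.held_bytes += len(payload)
        if not more:
            entry["total"] = end
        # Enforce the global budget by evicting the oldest incomplete datagrams, so a
        # flood of fragments that never complete cannot grow memory without bound.
        while self.held_bytes > self.max_total_bytes:
            oldest = min(self.pending, key=lambda k: self.pending[k]["first"])
            self._discard(oldest, "memory")
            if oldest == key:
                return None
        return self._try_complete(key)

    def _try_complete(self, key):
        entry = self.pending[key]
        if entry["total"] is None:
            return None                      # last fragment not seen yet
        pos, chunks = 0, []
        for off in sorted(entry["frags"]):
            if off != pos:
                return None                  # gap: still waiting for a fragment
            chunks.append(entry["frags"][off])
            pos = off + len(entry["frags"][off])
        if pos != entry["total"]:
            return None
        del self.pending[key]
        self.held_bytes -= pos
        return b"".join(chunks)

if __name__ == "__main__":
    r = FragmentReassembler(max_total_bytes=100, timeout=10.0)
    print(r.add("dgram-1", 0, True, b"hello ", now=0.0))      # None, waiting
    print(r.add("dgram-1", 6, False, b"world", now=1.0))      # b"hello world"
    print(r.add("dgram-2", 0, True, b"AAAA", now=2.0), r.add("dgram-2", 2, True, b"BBBB", now=3.0))
    print(r.dropped)
```

Dropping the whole datagram on overlap, rather than picking one of the two copies, is the conservative choice: it avoids the situation where the firewall inspects one version of the header and the end host acts on another.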

  • Email Exploit

Email exploitation takes five forms: mail floods, command manipulation, transport-level attacks, insertion of malicious code and social engineering. An email attack can crash a system, open, execute and even rewrite files, and also reach an application or command functions. A mail flood occurs when the attacker sends so much email to the target that the transfer agent is overwhelmed, communication between the different programs becomes unstable and the system can crash. Flooding is a very crude way, but an effective one, to bring a mail server down. One interesting way of carrying out a mail-flood attack is to exploit the auto-responder function found in most email applications.
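An auto-responder turns into a flood amplifier when it answers automatic mail, because two responders then reply to each other indefinitely. The guard below is an added example, not code from the original article: it applies the RFC 3834 conventions (skip anything marked Auto-Submitted, bulk precedence, a mailing list or a null/system sender), caps replies per sender, and marks its own reply as automatic. The reply limit, the system-sender names and the sample messages are assumptions for the example.

```python
from collections import defaultdict
from email import message_from_string
from email.message import EmailMessage

class AutoResponder:
    """Decides whether an automatic reply may be sent, following the RFC 3834 rules
    that keep two responders from flooding each other, plus a per-sender cap."""

    SYSTEM_SENDERS = ("mailer-daemon", "noreply", "no-reply", "postmaster")

    def __init__(self, replies_per_sender=1):
        self.limit = replies_per_sender      # assumed policy: one reply per sender
        self.sent = defaultdict(int)

    @staticmethod
    def sender_of(msg):
        return (msg.get("Return-Path") or msg.get("From") or "").strip().lower()

    def should_reply(self, msg):
        """Return (decision, reason)."""
        if (msg.get("Auto-Submitted") or "no").strip().lower() != "no":
            return False, "auto-submitted"          # already an automatic message
        if (msg.get("Precedence") or "").strip().lower() in ("bulk", "list", "junk"):
            return False, "bulk-precedence"
        if msg.get("List-Id"):
            return False, "mailing-list"
        sender = self.sender_of(msg)
        if not sender or sender.startswith("<>") or any(s in sender for s in self.SYSTEM_SENDERS):
            return False, "null-or-system-sender"   # bounces and robots never get a reply
        if self.sent[sender] >= self.limit:
            return False, "rate-limited"
        return True, "ok"

    def build_reply(self, msg, body="I am out of the office and will reply on my return."):
        ok, _reason = self.should_reply(msg)
        if not ok:
            return None
        reply = EmailMessage()
        reply["To"] = msg["From"]
        reply["Subject"] = "Auto: " + (msg.get("Subject") or "")
        # Mark our own reply so that other responders recognise it as automatic.
        reply["Auto-Submitted"] = "auto-replied"
        reply["Precedence"] = "bulk"
        reply.set_content(body)
        self.sent[self.sender_of(msg)] += 1
        return reply

# Constructed sample messages.
HUMAN = message_from_string("From: alice@example.com\nSubject: question\n\nHi, are you there?\n")
LOOP = message_from_string("From: bob@example.com\nAuto-Submitted: auto-replied\n\nOut of office.\n")
BOUNCE = message_from_string("Return-Path: <>\nFrom: MAILER-DAEMON@example.com\n\nUndeliverable.\n")

if __name__ == "__main__":
    ar = AutoResponder()
    for m in (HUMAN, HUMAN, LOOP, BOUNCE):
        print(ar.should_reply(m))
```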

  • DNS and Bind Vulnerabilities

Recent news about vulnerabilities in various versions of the Berkeley Internet Name Domain (BIND) application illustrates the fragility of the Domain Name System (DNS), and puts the basic operation of the Internet in crisis. Errors in BIND are nothing new. Since its inception the BIND standard has been the favourite target for attack by the cracker community.

BIND vulnerabilities do not lie only in the DNS. The name-to-address translator is the subject of many exploits, including attacks at the information level, denial-of-service attacks, and takeover of control by hijacking. An attack at the information level aims to make a server answer something other than the correct answer. One way to do this is cache poisoning, which fools a remote name server into storing answers for a third-party domain by feeding assorted information to the domain name server that holds authority.
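A resolver resists the cache poisoning described above by caching only what it can justify: the reply must carry the transaction id and port it used, must echo the question it asked, and may only contribute records that fall within the bailiwick of the server that was queried. The following is an added example, not code from the original article or from BIND, of those acceptance checks over a constructed exchange; the dictionary layout, the ids, ports and record values are assumptions for the example.

```python
def in_bailiwick(name, zone):
    """True if name is zone itself or lies below it (e.g. ns1.example.com under example.com)."""
    name = name.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)

def validate_response(query, response, zone):
    """Apply the checks a cautious resolver makes before caching anything.

    query    : dict with id, src_port, qname, qtype (what we sent)
    response : dict with id, dst_port, qname, qtype, records=[(name, type, value), ...]
    zone     : the zone the queried server is authoritative for
    """
    result = {"accepted": [], "rejected": [], "error": None}
    # 1. The reply must match the transaction id and the source port we used;
    #    a forged reply that guesses either wrong is discarded outright.
    if response.get("id") != query["id"] or response.get("dst_port") != query["src_port"]:
        result["error"] = "transaction id / port mismatch"
        return result
    # 2. The question echoed back must be the one we asked.
    if (response.get("qname", "").lower(), response.get("qtype")) != (query["qname"].lower(), query["qtype"]):
        result["error"] = "question section mismatch"
        return result
    # 3. Only records inside the server's bailiwick are trusted; anything else
    #    (for example an A record for an unrelated domain) is dropped, not cached.
    for rec in response.get("records", []):
        name, _rtype, _value = rec
        if in_bailiwick(name, zone):
            result["accepted"].append(rec)
        else:
            result["rejected"].append((rec, "out of bailiwick"))
    return result

# Constructed exchange: we asked example.com's name server about www.example.com.
QUERY = {"id": 0x4A3F, "src_port": 40123, "qname": "www.example.com", "qtype": "A"}
GOOD_RESPONSE = {
    "id": 0x4A3F, "dst_port": 40123, "qname": "www.example.com", "qtype": "A",
    "records": [
        ("www.example.com", "A", "192.0.2.10"),
        ("example.com", "NS", "ns1.example.com"),
        ("ns1.example.com", "A", "192.0.2.1"),
        ("www.bank.example", "A", "203.0.113.9"),   # unrelated domain smuggled in
    ],
}
FORGED_RESPONSE = dict(GOOD_RESPONSE, id=0x0001)      # wrong transaction id

if __name__ == "__main__":
    print(validate_response(QUERY, GOOD_RESPONSE, "example.com"))
    print(validate_response(QUERY, FORGED_RESPONSE, "example.com"))
```

The bailiwick rule is what stops an authoritative server for one domain from planting records for another in your cache; the id and port checks only raise the cost of guessing, which is why a randomized source port matters as much as a randomized transaction id.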

Crackers will try to take control of the system through a buffer overflow, which is one of the most potent exploits of BIND vulnerabilities. The exploit works because of weaknesses in the coding of BIND that let an attacker plant executable code to enter the system. Some operating systems provide a patch that makes the stack non-executable, and some compilers do likewise, protecting the stack from overflow. Such protective mechanisms at least make it harder for a cracker to use the exploit.
It is clear that regularly updating the system and applying patches is one of the things that must be done to build effective security; if the vendor of the software you rely on does not provide patches regularly, you would do better to switch to DNS software whose vendor does, in order to maintain system security.

  • Password Attacks

Passwords come up whenever we talk about security. Sometimes a user does not take care of a PIN number they have, for example in an online transaction at an Internet cafe; even transacting online at home is very dangerous if it is not protected by security software such as SSL and PGP.

A password is one of the security mechanisms that is very difficult to attack; an attacker may need many tools (technical and social) just to open something that is protected by a password. When an attacker manages to obtain a user's password, he will have the same authorization as that user. Most attacks on passwords are guessing, brute force, cracking and sniffing.

Password guessing can be done by entering passwords one at a time by hand or with the help of a script programmed to do it. A brute-force attack uses the same logic as password guessing, but is much faster and more powerful. In this type of attack the attacker uses a script (usually a free cracking program) that tries common passwords (usually taken from a dictionary). The aim is to find the password quickly, before the network admin becomes aware of the attack. Password cracking is a method for defeating the protection of the encrypted passwords stored on the system. Assuming the attacker has already entered the system, he can increase his power within it by cracking the password file using the brute-force method.
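Both attacks in this section are defeated by making each guess expensive: online guessing by counting failures and imposing a growing lockout, and offline cracking of a stolen password file by storing salted, memory-hard hashes instead of reversible or fast ones. The following is an added example, not code from the original article, combining the two in Python with the standard library's scrypt; the scrypt parameters, the lockout policy, the user store and the sample credentials are assumptions for the example.

```python
import hashlib
import hmac
import os

# scrypt parameters (assumed for this example): memory-hard, so each guess costs real work.
SCRYPT = dict(n=2 ** 14, r=8, p=1, dklen=32)
SALT_LEN = 16

def hash_password(password, salt=None):
    """Return salt || scrypt(password, salt); a fresh random salt per user defeats
    precomputed dictionary tables."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    return salt + hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)

def verify_password(password, stored):
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison

# Hash of a throwaway value, so that unknown users cost the same time as known ones.
_DUMMY = hash_password("not-a-real-password")

class LoginGuard:
    """Counts failures per (user, source) and imposes a lockout that doubles with
    every further failure, so a scripted guessing run slows to a crawl."""

    def __init__(self, users, max_failures=5, base_delay=30.0):
        self.users = users                  # username -> stored hash
        self.max_failures = max_failures
        self.base_delay = base_delay
        self.failures = {}
        self.locked_until = {}

    def attempt(self, user, password, source, now):
        """Return 'ok', 'denied' or 'locked'."""
        key = (user, source)
        if self.locked_until.get(key, 0.0) > now:
            return "locked"
        stored = self.users.get(user)
        ok = verify_password(password, stored if stored is not None else _DUMMY)
        if ok and stored is not None:
            self.failures.pop(key, None)
            return "ok"
        count = self.failures.get(key, 0) + 1
        self.failures[key] = count
        if count >= self.max_failures:
            self.locked_until[key] = now + self.base_delay * 2 ** (count - self.max_failures)
        return "denied"

# Constructed user store.
USERS = {"alice": hash_password("correct horse battery")}

if __name__ == "__main__":
    guard = LoginGuard(USERS, max_failures=3, base_delay=10.0)
    for t, pw in enumerate(["a", "b", "c", "correct horse battery"]):
        print(t, guard.attempt("alice", pw, "203.0.113.5", now=float(t)))
```

Keying the lockout on (user, source) rather than on the user alone keeps a single remote source from locking legitimate users out on purpose; the dummy hash for unknown users keeps the response time from revealing which usernames exist.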

  • Proxy Server Attacks

One function of a proxy server is to speed up response time by unifying the processing of several hosts in a trusted network. In most cases each host has read and write access. If the firewall on the trusted network is not configured optimally, particularly for blocking access from outside, and especially if authentication and encryption are not used, an attacker can attack the proxy server and obtain the same access as the other trusted members of the network. Once the attacker has entered the system he can of course do anything, including launching anonymous DDoS (distributed denial of service) attacks against other networks. A router that is not configured optimally will also act as a proxy server and will expose the same vulnerability as a proxy server.

  • Remote Command Processing Attacks

A trusted relationship between two or more hosts provides facilities for exchanging information and sharing resources. Like a proxy server, a trusted relationship gives all members of the network the same access rights on one or more systems (the network). The attacker will attack a server that is a member of the trusted system; just as with the proxy server, once access is gained, the attacker is able to execute commands and access data available to other users.

  • Remote File System Attacks

The data transport protocol works at the TCP level and provides a mechanism for reading and writing between the network and a host. An attacker can easily pick up traces of information from this mechanism to gain access to file directories. Depending on the operating system in use, the attacker can learn information about the network, sharing privileges, the names and locations of users and groups, and the specifications of applications (software names and versions). A system that is configured or secured only to a bare minimum will easily reveal this information, even through a firewall. On UNIX systems this information is carried by NFS (Network File System) on port 2049. Windows systems provide this data over SMB (server message block) and NetBIOS on ports 135 to 139 (NT) and port 445 on Windows 2000. Network administrators can minimize the risk of using these protocols by applying some rules. On networks with Windows systems, access to ports 139 and 445 from outside the network should be blocked if possible. On UNIX systems port 2049 should be blocked, file sharing should be limited, and requests for files via showmount (a UNIX command) should be recorded in the log.

  • Selective Program Insertions

A selective program insertion attack is carried out when the attacker places destructive programs such as viruses, worms and trojans. Destructive programs are often called malware. These programs have the ability to damage the system, destroy files and steal passwords, or to open a backdoor. The antivirus products sold on the market will usually be able to detect and clean up programs like this, but if there is a new virus (say a Melissa variant) the virus scanner may not be able to deal with the new script. Some network administrators defend against malware with alternative technologies such as behavior blockers, which stop code based on samples of suspected malware behavior rather than on signatures. Several other applications will quarantine viruses and suspected code in a protected area, usually called a sandbox.

  • Port Scanning

Through port scanning an attacker can see how a system is exposed and defended on its various ports. An attacker can gain access to the system through a port that is not protected. For example, scanning can be used to determine where default SNMP community strings are open to the public, which means information can be extracted for use in remote command attacks.
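Both a port scan and the flooding attack of the earlier section leave a characteristic pattern in connection logs: a scan is one source touching many different ports in a short window, a SYN flood is one source hitting a single port at a very high rate. The following is an added example, not code from the original article, of a detector for both patterns run over a constructed log; the log line format, the window size and the thresholds are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed log format (constructed for the example):
#   2024-03-01T10:00:03 SYN 198.51.100.7 -> 192.0.2.10:1003
LINE = re.compile(r"^(\S+) SYN (\d+\.\d+\.\d+\.\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$")

def parse(lines):
    """Yield (timestamp, src, dst, dst_port) for every well-formed line."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1)).timestamp()
        events.append((ts, m.group(2), m.group(3), int(m.group(4))))
    return events

def analyze(lines, window=30, scan_ports=20, flood_syns=100):
    """Return {source: [finding, ...]} for sources whose SYNs in one time window
    either span many distinct ports (scan) or hammer one port (flood)."""
    buckets = defaultdict(list)
    for ts, src, dst, port in parse(lines):
        buckets[(src, int(ts // window))].append((dst, port))
    findings = defaultdict(set)
    for (src, _bucket), targets in buckets.items():
        distinct_ports = {port for _dst, port in targets}
        if len(distinct_ports) >= scan_ports:
            findings[src].add("portscan")
        per_port = defaultdict(int)
        for _dst, port in targets:
            per_port[port] += 1
        for port, count in per_port.items():
            if count >= flood_syns:
                findings[src].add(f"synflood:{port}")
    return {src: sorted(f) for src, f in findings.items()}

def constructed_log():
    """Build a sample log: one scanner, one flooder and one ordinary client."""
    base = "2024-03-01T10:00:"
    lines = [f"{base}{i:02d} SYN 198.51.100.7 -> 192.0.2.10:{1000 + i}" for i in range(25)]
    lines += [f"{base}{i % 5:02d} SYN 203.0.113.9 -> 192.0.2.10:80" for i in range(150)]
    lines += [f"{base}{i:02d} SYN 192.0.2.50 -> 192.0.2.10:443" for i in range(3)]
    return lines

if __name__ == "__main__":
    for src, what in analyze(constructed_log()).items():
        print(src, what)
```

Per-source counting is exactly what the flooding section warns breaks down under DDoS, where the sources are many and often spoofed; for that case the same per-port counter should be run across all sources together, and the response has to be rate limiting at the edge rather than blocking individual addresses.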

  • TCP/IP Sequence Stealing, Passive Port Listening and Packet Interception

TCP/IP sequence stealing, passive port listening and packet interception are ways of collecting sensitive information in order to access the network. Unlike active attacks or brute-force attacks, these methods have a more stealthy quality. TCP/IP sequence stealing is a mapping of sequence numbers that can make the attacker's packets appear legitimate. When a system asks for a session with another machine, the two systems exchange TCP synchronization numbers. If these are not random, an attacker can recognize the algorithm used to generate them. A stolen sequence number can be used to disguise the attacker as one of the systems in the earlier exchange, and finally allows the attacker to pass the firewall. This is really effective when used together with IP spoofing.
Through passive port listening, an attacker can monitor and log all messages and files sent to every accessible port on the target system in order to find points of vulnerability. Packet interception is part (more precisely the lining) of an active listener program on the target system's ports that receives or returns all types of specific messages (data) sent to it. Such messages can be returned to an unauthorized system, read and then returned to the end point either unchanged or with changes made by the attacker, or not returned at all.

  • HTTPD Attacks

Vulnerabilities in HTTPD, the web server, come in five kinds: buffer overflows, HTTPD bypasses, cross-scripting, web code vulnerabilities and URL floods.
An HTTPD buffer overflow occurs when the attacker induces errors on the port used for web traffic by entering characters and strings in many ways until a suitable place to overflow is found. Once that place is found, the attacker inserts a string that will become an executable command. Buffer-overflow attacks can give the attacker access to the command prompt.

Some features of HTTPD can be used to create an HTTPD bypass that gives access to the server by way of the logging function. In this way a web page can be accessed and replaced without being recorded by the web server. This method is often used by crackers, cyber hacktivists and vandals to deface websites.
Through cross-scripting and cross-site scripting an attacker can exploit the exchange of cookies between the browser and the web server. This facility can enable a script to change the web interface. Such a script can run malware, read important information and expose data such as credit card numbers and passwords. Finally, an attacker can perform denial of service with URL floods, done by requesting port 80 over and over again beyond the limit of the HTTPD TTL (time to live).

Source reference: ilmukomputer.com, www.brainbench.com/transcript.jsp?pid=4351894
