Ethical Hacking4

Ethical Hacking ILKOM 2009 / 2010

Transcript of Ethical Hacking4

Page 1: Ethical Hacking4

Ethical Hacking

ILKOM

2009 / 2010

Page 2: Ethical Hacking4

Trojan

• A trojan is a small program that runs hidden on an infected computer.

• An unauthorized program or piece of code that attaches itself to a legitimate program. The unauthorized program carries out activity that the user neither knows about nor wants.

• The attacker can reach a trojaned system whenever that system goes online.

Page 3: Ethical Hacking4

Trojan

• With the help of a trojan an attacker gets access to stored passwords in the trojaned computer and would be able to read personal documents, delete files, display pictures, and/or show messages on the screen.

• Transmitting to the intruder any files that can be read, and installing other programs that provide unauthorized network access.

Page 4: Ethical Hacking4

Trojan

• The trojan also tries to exploit vulnerabilities to raise its access level above that of the user whose system it has infected. If this succeeds, the trojan's privileges are elevated.

• If the user runs the OS with administrator-level access, the trojan can do anything an administrator can do; it needs no exploit at all, because it inherits every privilege the user already has.

Page 5: Ethical Hacking4

Trojan types

• Remote Access Trojans
• Password-sending Trojans
• Keylogger
• Destructive Trojans
• Denial of service (DoS) attack Trojans
• Proxy Trojans
• FTP Trojans
• Security software disablers

Page 6: Ethical Hacking4

• Remote Access Trojans
– These are the trojans most often covered in the media, and they give the attacker a high degree of authority, because they let the attacker do more on the machine than the victim sitting in front of it can do.
– Usually a combination of several trojan types.

• Password-sending Trojans
– This trojan collects every cached password, captures passwords as they arrive at the victim, and emails them to the attacker without the victim noticing.

Page 7: Ethical Hacking4

• Keylogger
– The trojan records the victim's keystrokes and lets the attacker search the log file for passwords or other sensitive data from the machine.

• Destructive Trojans
– This trojan exists only to destroy or delete core files such as .dll, .ini and .exe files.

• Denial of service (DoS) attack Trojans
– The attacker uses this trojan to carry out DoS. One variant is the mail-bomb trojan, whose main goal is to infect as many machines as possible and then hit a specific email address with a stream of messages with random subjects and content that cannot be filtered.

Page 8: Ethical Hacking4

• FTP Trojans
– This trojan opens port 21 and lets anyone, or only the attacker, into the machine.

• Proxy Trojans
– This trojan turns the victim into a proxy for the whole world or for the attacker alone. It is used for anonymous telnet, ICQ, IRC and so on.

• Security software disablers
– One function of a trojan is to disable the security software on the target, so the attacker can exploit the machine more freely for other illegal purposes.

Page 9: Ethical Hacking4

What trojan authors are after

• Credit card information, e-mail addresses.
• Accounting data (passwords, user names, etc.)
• Confidential documents
• Financial data (bank account numbers, Social Security numbers, insurance information, etc.)
• Using the victim's computer for illegal purposes, such as to hack, scan, flood, or infiltrate other machines on the network or Internet.

Page 10: Ethical Hacking4

Indications of a trojan infection

• CD-ROM drawer opens and closes by itself.
• Computer screen flips upside down or inverts.
• Wallpaper or background settings change by themselves.
• Documents or messages print from the printer by themselves.
• Computer browser goes to a strange or unknown web page by itself.
• Windows color settings change by themselves.
• Screen saver settings change by themselves.

Page 11: Ethical Hacking4

Indications of a trojan infection

• Right and left mouse buttons reverse their functions.
• Mouse pointer disappears.
• Mouse moves by itself.
• Windows Start button disappears.
• Strange chat boxes appear on the victim's computer and the victim is forced to chat with a stranger.
• The ISP complains to the victim that their computer is IP scanning.

Page 12: Ethical Hacking4

Indications of a trojan infection

• Computer shuts down and powers off by itself.
• Task bar disappears.
• The account passwords are changed or unauthorized persons can access legitimate accounts.
• Strange purchase statements in credit card bills.
• The computer monitor turns itself off and on.
• Modem dials, and connects, to the Internet by itself.
• Ctrl + Alt + Del stops working.
• While rebooting the computer a message flashes that there are other users still connected.

Page 13: Ethical Hacking4

Trojan launchers

• PhatBot
– This Trojan allows the attacker to control computers and link them into P2P networks that can then be used to send large amounts of spam e-mail messages, or flood Web sites with data, in an attempt to knock them offline.
– It can steal Windows Product Keys, AOL login names and passwords, as well as the CD keys of some famous games. It tries to disable antivirus and firewall software.

• Amitis
– The server copies itself to the Windows directory, so even if the main file is deleted the victim is still infected.
– The server automatically sends the requested notification as soon as the victim goes online.

Page 14: Ethical Hacking4

Trojan launchers

• Senna Spy
– Senna Spy Generator 2.0 is a trojan generator. It creates Visual Basic source code for a trojan based on the selection of a few options. Because the trojan is compiled from generated source code, anything in it can be changed.
– Server features include changing the wallpaper, executing DOS commands, a find filter, an FTP server, hanging up the Internet connection, and harvesting license keys.

• Back Orifice
– Back Orifice (BO) is a remote administration system which allows a user to control a computer across a TCP/IP connection using a simple console or GUI application. On a local LAN or across the Internet, BO gives its user more control of the remote Windows machine than the person at the keyboard of the remote machine.

• NetBus
– NetBus is a Win32-based Trojan program. Like Back Orifice, NetBus allows a remote user to access and control the victim's machine by way of its Internet link.

Page 15: Ethical Hacking4

Trojan launchers

• SubSeven
– Its symptoms include a slowing down of the computer and a constant stream of error messages. SubSeven is a trojan most commonly spread through file attachments in e-mail messages and through the ICQ program.

• Netcat (a general-purpose networking utility rather than a trojan in itself, but often dropped on a victim as a backdoor listener)
– Outbound or inbound connections, TCP or UDP, to or from any port.
– Ability to use any local source port.
– Ability to use any locally-configured network source address.
– Built-in port-scanning capabilities, with randomizer.
– Built-in loose source-routing capability.

• Subroot Telnet Trojan
– It is a telnet remote administration tool.

• Donald Dick
– Donald Dick is a tool that enables a user to control another computer over a network. It uses a client-server architecture with the server residing on the victim's computer. The attacker uses the client to send commands through TCP or SPX to the victim, which listens on a pre-defined port. Donald Dick uses default port 23476 or 23477.

Page 16: Ethical Hacking4

Avoiding trojans

• Do not download blindly from people or sites unless it is 100% safe.

• Even if the file comes from a friend, be sure what the file is before opening it.

• Do not use features in programs that automatically get, or preview, files.

• Do not blindly type commands when told to type them, or go to web addresses mentioned by strangers, or run pre-fabricated programs or scripts

Page 17: Ethical Hacking4

Avoiding trojans

• Do not be lulled into a false sense of security just because an antivirus program is running in the system.

• Ensure that the corporate perimeter defenses are kept continuously up-to-date.

• Filter and scan all content that could contain malicious content at the perimeter defenses.

• Run local versions of antivirus, firewall, and intrusion detection software at the desktop.

Page 18: Ethical Hacking4

Avoiding trojans

• Rigorously control user permissions within the desktop environment to prevent the installation of malicious applications.

• Manage local workstation file integrity through checksums, auditing and port scanning.

• Monitor internal network traffic for unusual open ports or encrypted traffic.

• Use multiple virus scanners.
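The "checksums" control above is easy to state and rarely shown. The following is an added example, not code from the slides: a minimal file-integrity baseline that hashes every file under a directory, stores the digests, and later reports which files were added, removed or modified, which is exactly how a dropped trojan server or a patched .dll shows up. The hash algorithm (SHA-256) and the sample file tree are assumptions chosen for the demo.

```python
# Added example (not from the slides): a file-integrity baseline of the
# kind the "checksums" control above refers to. Hash algorithm (SHA-256)
# and the sample file tree are assumptions chosen for illustration.
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its digest."""
    digests = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            digests[p.relative_to(root).as_posix()] = sha256_file(p)
    return digests


def compare(old: dict, new: dict) -> dict:
    """Classify differences between two baselines.

    A trojan that drops its server binary shows up under 'added'; one that
    patches a hook into an existing .dll/.exe shows up under 'modified'.
    """
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then simulate a trojan
    patching core.dll and dropping server.exe, and report what changed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app" / "app.exe").write_bytes(b"legitimate program")
        (root / "app" / "core.dll").write_bytes(b"legitimate library v1")
        before = baseline(root)

        # Simulated infection: existing library patched, new binary dropped.
        (root / "app" / "core.dll").write_bytes(b"legitimate library v1 + injected hook")
        (root / "app" / "server.exe").write_bytes(b"trojan server")
        after = baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline only helps if the trojan cannot rewrite it: keep the digest file on read-only or offline media, signed or at least not writable by the workstation itself. As the earlier slide on privilege levels notes, a trojan running with administrator rights can alter both the binaries and any baseline stored locally, so the comparison should be run from a trusted host or boot medium.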

Page 19: Ethical Hacking4

Sniffing

• A sniffer is a piece of software that captures vital information from specific traffic on a given network.

• A "data interception" technology (capturing/intercepting).

• The objective of sniffing is to grab:
– Passwords (e-mail, web, SMB, ftp, SQL, telnet)
– Email text
– Files in transfer (e-mail, ftp, SMB)

Page 20: Ethical Hacking4

Sniffing

• The usual setting is Ethernet / a wired network. On a shared Ethernet segment every frame reaches every host, with the frame header carrying the destination MAC address, and each NIC normally discards frames addressed to other hosts. A sniffer exploits this by putting the NIC into promiscuous mode, so it accepts every frame regardless of the destination address.
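To make the mechanics concrete, here is an added example (not from the slides) of the parsing side of a passive sniffer: it walks the Ethernet, IPv4 and TCP headers of raw frames and pulls FTP USER/PASS pairs out of port-21 traffic, one of the cleartext credentials the slide lists as a sniffing objective. The sample frames are constructed inline; the MAC addresses, IP addresses, ports and credentials are assumptions for the demo. The `live_frames` helper shows how the same parser would be fed from a promiscuous interface on Linux, but it is not run here.

```python
# Added example (not from the slides): a minimal passive sniffer parser that
# pulls FTP USER/PASS pairs out of raw Ethernet frames. Frames below are
# constructed inline for the demo; addresses and ports are assumptions.
import struct

ETH_P_IP = 0x0800
PROTO_TCP = 6


def _mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def _ip(text: str) -> bytes:
    return bytes(int(o) for o in text.split("."))


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame (checksums left zero; the parser ignores them)."""
    eth = _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ETH_P_IP)
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, PROTO_TCP, 0,
                     _ip(src_ip), _ip(dst_ip))
    # data offset 5 (20-byte header) in the high nibble, PSH|ACK flags
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(raw: bytes):
    """Return (src_ip, dst_ip, sport, dport, payload) for TCP/IPv4 frames, else None."""
    if len(raw) < 14 or struct.unpack("!H", raw[12:14])[0] != ETH_P_IP:
        return None
    ip = raw[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != PROTO_TCP:
        return None
    ihl = (ip[0] & 0x0F) * 4
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4
    return src_ip, dst_ip, sport, dport, tcp[data_offset:]


def harvest_ftp_credentials(frames) -> list:
    """Pair USER and PASS commands per client->server flow on port 21."""
    pending = {}   # (client_ip, client_port, server_ip) -> username
    creds = []
    for raw in frames:
        parsed = parse_frame(raw)
        if parsed is None:
            continue
        src_ip, dst_ip, sport, dport, payload = parsed
        if dport != 21:
            continue
        flow = (src_ip, sport, dst_ip)
        for line in payload.decode("ascii", "replace").splitlines():
            cmd, _, arg = line.partition(" ")
            if cmd.upper() == "USER":
                pending[flow] = arg.strip()
            elif cmd.upper() == "PASS" and flow in pending:
                creds.append((dst_ip, pending.pop(flow), arg.strip()))
    return creds


def live_frames(iface: str):
    """Linux-only, needs root: read raw frames from an interface that has been
    put into promiscuous mode (e.g. `ip link set <iface> promisc on`).
    Not exercised by the demo."""
    import socket
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0003))
    sock.bind((iface, 0))
    while True:
        yield sock.recv(65535)


# Constructed sample capture: one FTP login plus an unrelated HTTP request.
CLIENT, SERVER = "192.168.1.10", "192.168.1.20"
SAMPLE_FRAMES = [
    build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", CLIENT, SERVER, 40000, 21, b"USER alice\r\n"),
    build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", CLIENT, SERVER, 40000, 21, b"PASS s3cret\r\n"),
    build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", CLIENT, SERVER, 40001, 80, b"GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for server, user, password in harvest_ftp_credentials(SAMPLE_FRAMES):
        print(f"{server}: {user} / {password}")
```

Nothing here breaks any protection; the credentials are recoverable only because FTP sends them in cleartext, which is why the later slides put encryption (and SSH in place of telnet and ftp) first among the countermeasures. On a switched network the parser alone sees only traffic addressed to the sniffing host, which is where the active techniques on the following slides come in.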

Page 21: Ethical Hacking4

Types of sniffing

• Passive sniffing: capturing packets as they travel across the network while they are delivered to every host (a hub or shared medium); the sniffer only listens.

• Active sniffing: capturing packets addressed to another destination on a switched network; the sniffer poisons the Ethernet segment with fake addresses (for example, forged ARP entries) so that traffic is redirected through it.

Page 22: Ethical Hacking4

Sniffing

• Sniffers are not only used by intruders to capture valuable information. A NIDS (network intrusion detection system) uses the same capture to spot foreign packets and raise an alarm for the system, and the captures also serve for metrics and analysis.

Page 23: Ethical Hacking4

• Etherflood: floods a switch with frames from random addresses until its address table is full and it starts sending traffic out of all its ports, so the attacker can sniff the whole network from any port of that switch.

• ARP poisoning: sends forged ARP packets from the attacker's NIC so that the victim's NIC is forced to send its data to the attacker (posing as the gateway). If the forcing is done with MAC flooding against the switch, the switch starts behaving like a "hub".

Page 24: Ethical Hacking4

Preventing spoofing

• Small networks
– Use static IP addresses and static ARP tables, which prevent hackers from adding spoofed ARP entries for machines in the network.

• Large networks
– Network switch "Port Security" features should be enabled.
– Use Arpwatch to monitor Ethernet activity.
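The two attacks on the previous slide and the two defences on this one fit in a single small monitor. The following is an added example, not code from the slides or from Arpwatch: it parses ARP replies, learns IP-to-MAC bindings, refuses to overwrite a pinned (static) entry for the gateway and alerts when a binding changes, and keeps a count of distinct source MACs as a crude detector for MAC flooding. All frames are constructed inline; the gateway address, the attacker's MAC and the flood threshold are assumptions for the demo.

```python
# Added example (not from the slides): an Arpwatch-style monitor that learns
# IP-to-MAC bindings from ARP traffic and alerts when a binding changes, with
# a pinned (static) entry for the gateway, plus a crude macof/Etherflood check
# based on the number of distinct source MACs seen. All frames are constructed
# inline; addresses and thresholds are assumptions for the demo.
import struct

ETH_P_ARP = 0x0806
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa


def _mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def _ip(text: str) -> bytes:
    return bytes(int(o) for o in text.split("."))


def _fmt_mac(raw: bytes) -> str:
    return ":".join(f"{x:02x}" for x in raw)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Constructed ARP reply: 'sender_ip is at sender_mac', unicast to the target."""
    eth = _mac(target_mac) + _mac(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, 2,
                      _mac(sender_mac), _ip(sender_ip), _mac(target_mac), _ip(target_ip))
    return eth + arp


def parse_arp(raw: bytes):
    """Return the sender binding of an Ethernet/IPv4 ARP frame, or None."""
    if len(raw) < 42 or struct.unpack("!H", raw[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, _tpa = struct.unpack(ARP_FMT, raw[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "oper": oper,                      # 1 = request, 2 = reply
        "sender_mac": _fmt_mac(sha),
        "sender_ip": ".".join(str(x) for x in spa),
        "frame_src": _fmt_mac(raw[6:12]),  # Ethernet source, for cross-checking
    }


class ArpWatch:
    def __init__(self, static=None):
        self.table = dict(static or {})    # ip -> mac
        self.pinned = set(self.table)      # static entries are never overwritten
        self.src_macs = set()              # distinct frame sources (flood indicator)

    def observe(self, raw: bytes) -> list:
        """Feed one frame; return a list of alert strings (empty if benign)."""
        alerts = []
        if len(raw) >= 14:
            self.src_macs.add(_fmt_mac(raw[6:12]))
        arp = parse_arp(raw)
        if arp is None:
            return alerts
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if arp["frame_src"] != mac:
            alerts.append(f"{ip}: ARP sender {mac} does not match frame source {arp['frame_src']}")
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac                       # first sighting: learn it
        elif known != mac:
            kind = "pinned" if ip in self.pinned else "learned"
            alerts.append(f"{ip} changed from {known} ({kind}) to {mac}: possible ARP poisoning")
            if ip not in self.pinned:
                self.table[ip] = mac                   # track the flip, like arpwatch
        return alerts

    def flood_suspected(self, threshold: int) -> bool:
        """Too many distinct source MACs is the signature of macof/Etherflood
        (a real tool would count per time window)."""
        return len(self.src_macs) >= threshold


def demo_poisoning() -> list:
    """Genuine gateway reply, then a forged one claiming the gateway's IP."""
    gateway, gw_mac, victim_mac = "192.168.1.1", "00:aa:bb:cc:dd:01", "00:aa:bb:cc:dd:10"
    watch = ArpWatch(static={gateway: gw_mac})
    frames = [
        build_arp_reply(gw_mac, gateway, victim_mac, "192.168.1.10"),
        build_arp_reply("de:ad:be:ef:00:01", gateway, victim_mac, "192.168.1.10"),
    ]
    return [watch.observe(f) for f in frames]


def demo_flood(count: int = 300) -> bool:
    """Replies from `count` distinct fake MACs/IPs, as a MAC flooder would send."""
    watch = ArpWatch()
    for i in range(count):
        mac = f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}"
        watch.observe(build_arp_reply(mac, f"10.0.{i >> 8}.{i & 0xff}", "ff:ff:ff:ff:ff:ff", "10.0.0.1"))
    return watch.flood_suspected(256)


if __name__ == "__main__":
    for alerts in demo_poisoning():
        print(alerts or "ok")
    print("flood suspected:", demo_flood())
```

The pinned entry is the monitoring-side counterpart of the static ARP table recommended for small networks: the gateway's MAC is fixed in advance, so a forged reply claiming that IP is reported instead of learned. The distinct-MAC count corresponds to what a switch sees during an Etherflood; on real hardware, switch "Port Security" limits the number of MACs a port may present and shuts the port down before the table fills.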

Page 25: Ethical Hacking4

• Ethereal
– Ethereal is a network protocol analyzer for UNIX and Windows (the project was renamed Wireshark in 2006).
– It allows the user to examine data from a live network or from a capture file on disk.
– The user can interactively browse the captured data, viewing summary and detailed information for each packet captured.

• Dsniff
– Dsniff is a collection of tools for network auditing and penetration testing.
– ARPSPOOF, DNSSPOOF, and MACOF facilitate the interception of network traffic that is normally unavailable to an attacker.

Page 26: Ethical Hacking4

• Sniffit
– Sniffit is a packet sniffer for TCP/UDP/ICMP packets.
– It provides detailed technical information about the packets and packet contents in different formats.

• Aldebaran
– Aldebaran is an advanced Linux sniffer/network analyzer.
– It supports sending data to another host, dump file encryption, real-time mode, and packet content scanning.

Page 27: Ethical Hacking4

• Ntop
– Ntop is a network traffic probe that shows network usage.
– In web mode, it acts as a web server, creating an HTML dump of the network status.

• IPTraf
– IPTraf is a network monitoring utility for IP networks. It intercepts packets on the network and gives out various pieces of information about the currently monitored IP traffic.
– It can monitor the load on an IP network and the types of network services that are most in use.

Page 28: Ethical Hacking4

• Network Probe
– This network monitor and protocol analyzer gives the user an instant picture of the traffic situation on the target network; the view can be sorted, searched, and filtered by protocols, hosts, conversations, and network interfaces.

• Snort
– Sniffer mode simply reads the packets off the network and displays them in a continuous stream on the console.
– Packet logger mode logs the packets to disk.
– Network intrusion detection mode is the most complex and configurable mode, allowing Snort to analyze network traffic for matches against a user-defined rule set.

Page 29: Ethical Hacking4

Preventing sniffing

• Ensure that a packet sniffer cannot be installed.

• The best way to be secured against sniffing is to use encryption.

• ARP spoofing is used to sniff a switched network, so the attacker will try to ARP-spoof the gateway. This can be prevented by permanently adding the MAC address of the gateway to the ARP cache (a static ARP entry).

Page 30: Ethical Hacking4

Preventing sniffing

• Change the network to SSH (replace cleartext protocols such as telnet and ftp, whose passwords a sniffer reads directly, with SSH).
• There are various tools to detect a sniffer in a network. They are as follows:
– ARP Watch
– Promiscan
– Antisniff
– Prodetect