
ATHENA CEH v7 module 16

Document scanned with OCR; content may be inaccurate.

DOCUMENT INFORMATION

Basic information

Title: ATHENA CEH v7 Module 16
School: Athena University
Major: CAH (Cybersecurity and Network Security)
Type: Module
Year published: 2023
City: Unknown
Pages: 96
Size: 11.07 MB


Contents


Page 1

Module 16

Engineered by Hackers. Presented by Professionals.

C|EH Certified Ethical Hacker

Page 2

SECURITY NEWS

Wikileaks works on a model that allows whistleblowers to submit leaked documents through the internet or postal mail, ensuring that the sender's identity is concealed and trails cleared.

The network used by Wikileaks is similar to a technology called The Onion Router, or Tor. Tor is open-source software and its website states that it is currently used by a branch of the U.S. Navy for gathering intelligence.

It is a system used to outflank filtering and censors, enabling users to evade blockers while keeping their identity anonymous. To evade online traffic analysis, Tor "distributes transactions over several places on the Internet, so no single point can link you to your destination. The idea is similar to using a twisty, hard-to-follow route in order to throw off somebody who is tailing you - and then periodically erasing your footprints. Instead of taking a direct route from source to destination, data packets on the Tor network take a random pathway through several relays that cover your tracks so no observer at any single point can tell where the data came from or where it's going."

Source: http://uk.ibtimes.com

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Page 3

Module Objectives
- Intrusion Detection Systems (IDS)
- Ways to Detect an Intrusion
- Types of Intrusion Detection Systems
- Firewall
- Types of Firewall
- Firewall Identification Techniques
- Honeypot
- Types of Honeypot
- How to Set Up a Honeypot?
- IDS, Firewall and Honeypot System
- Countermeasures
- Firewall and IDS Penetration Testing

Page 5

Intrusion Detection Systems (IDS)
- An intrusion detection system (IDS) gathers and analyzes information from within a computer or a network to identify possible violations of security policy, including unauthorized access as well as misuse.
- A network IDS is built on a packet sniffer: it intercepts packets traveling along various communication media and protocols, usually TCP/IP, and analyzes them after they are captured.
- An IDS is a detective control: it evaluates a suspected intrusion once it has taken place and signals an alarm, rather than blocking the traffic itself.

Page 6

How IDS Works?

[Figure: IDS workflow; legible caption fragment: "Alarm notifies admin and packet ..."]

Page 7

Signature recognition (also known as misuse detection): signature recognition tries to identify events ... [rest of slide illegible in the scan]

Page 8

Types of Intrusion Detection Systems

Network-based Intrusion Detection:
- These mechanisms typically consist of a black box that is placed on the network in promiscuous mode, listening for patterns indicative of an intrusion.

Host-based Intrusion Detection:
- These mechanisms usually include auditing for events that occur on a specific host.
- These are not as common, due to the overhead they incur by having to monitor each system.

Log File Monitoring:
- These mechanisms are typically programs that parse log files after an event has already occurred, such as failed login attempts.

File Integrity Checking:
- These mechanisms check for Trojan horses, or files that have otherwise been modified, indicating an intruder has already been there; for example, Tripwire.

NETWORK SECURITY & NETWORK ADMINISTRATION TRAINING CENTER
WWW.ATHENA.EDU.VN

Page 9

System Integrity Verifiers (SIV)

Page 10

General Indications of Intrusions
- Unexplained changes in a file's size
- Rogue files on the system that do not correspond to your master list of signed files
- Unfamiliar file names in directories
- Repeated probes of the available services on your machines
- Connections from unusual locations
- Repeated login attempts from remote hosts
- Arbitrary data in log files, indicating an attempt at creating either a Denial of Service or a crashed service
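The file-system indications above (unexplained size changes, rogue files, unfamiliar names) are exactly what a system integrity verifier such as Tripwire is built to catch. The following is an added example written for this page, not Tripwire's code and not material from the CEH module: it records a size-plus-SHA-256 baseline for a directory tree and later reports modified, rogue and missing files. The directory contents, the file names and the intruder's changes are all constructed inside a temporary directory so the example runs offline.

```python
"""Minimal system integrity verifier (SIV): baseline a tree, then re-verify.

Added example (not Tripwire, not code from the CEH module). Hashing the
whole file matters: an attacker who patches a binary in place can keep its
size unchanged, so a size check alone would miss it.
"""
import hashlib
import json
import os
import tempfile


def fingerprint(path):
    """Size plus SHA-256 of one file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"size": os.path.getsize(path), "sha256": h.hexdigest()}


def build_baseline(root):
    """Map each regular file (path relative to root) to its fingerprint."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline


def verify(root, baseline):
    """Re-hash the tree and classify every deviation from the baseline."""
    current = build_baseline(root)
    report = {"modified": [], "missing": [],
              "rogue": sorted(set(current) - set(baseline))}
    for rel, fp in baseline.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != fp:
            report["modified"].append(rel)
    report["modified"].sort()
    report["missing"].sort()
    return report


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: baseline a fake root, then simulate an intruder."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/login", b"#!/bin/sh\nexec /sbin/real-login \"$@\"\n")
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        _write(root, "var/log/auth.log", b"Accepted publickey for alice\n")
        baseline = build_baseline(root)
        # A real deployment keeps the baseline offline or read-only; the
        # JSON round-trip shows it survives serialisation unchanged.
        baseline = json.loads(json.dumps(baseline))

        # Intruder: same-size patch of a binary (size alone misses it),
        # an extra uid-0 account, a dropped tool, and a wiped log.
        _write(root, "bin/login", b"#!/bin/sh\nexec /sbin/evil-login \"$@\"\n")
        _write(root, "etc/passwd",
               b"root:x:0:0:root:/root:/bin/sh\nhacker:x:0:0::/:/bin/sh\n")
        _write(root, "bin/.rootkit", b"\x7fELF")
        os.remove(os.path.join(root, "var/log/auth.log"))
        return verify(root, baseline)
```

The baseline must be taken from a known-clean system and stored where the intruder cannot rewrite it; a verifier that trusts a baseline stored on the same disk can be silenced by simply re-baselining after the tampering.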

Page 11

General Indications of System Intrusions
- Modifications to system software and configuration files
- Gaps in the system accounting
- Unusually slow system performance
- System crashes or reboots
- Short or incomplete logs
- Missing logs, or logs with incorrect permissions or ownership
- Unfamiliar processes
- Unusual graphic displays or text messages

Page 12

Firewall
- A firewall is hardware, software, or a combination of both, designed to prevent unauthorized access to or from a private network.
- It is placed at the junction point, or gateway, between two networks, which is usually a private network and a public network such as the Internet.
- A firewall examines all messages entering or leaving the intranet and blocks those that do not meet the specified security criteria.
- Firewalls may be concerned with the type of traffic or with the source or destination addresses and ports.

[Figure: secure private local area network, firewall, public network; specified traffic allowed, restricted unknown traffic blocked]

Page 13

Firewall Architecture

Bastion host:
- ... the firewall; it has two interfaces: a public interface directly connected to the Internet, and a private interface connected to the intranet.
- Configured to protect network resources from attack.

Screened subnet:
- The screened subnet or DMZ (additional zone) contains hosts that offer public services.
- The public zone is directly connected to the Internet and has no hosts controlled by the organization.

Multi-homed firewall:
- In this case, more than three interfaces are present, which allows further subdividing the systems based upon the specific security objectives of the organization.

[Figure: bastion host between the Internet and the intranet; screened subnet with a DMZ; multi-homed firewall with Internet, DMZ and intranet segments]

Page 14

Demilitarized Zone (DMZ)
- A DMZ is a network that serves as a buffer between the internal secure network and the insecure Internet.
- It is created using a firewall with three or more network interfaces assigned specific roles, such as the internal trusted network, the DMZ network, and the external untrusted network (Internet).

Page 15

[Figure: firewall and gateway types arranged by inspection level]

Page 16

Packet Filtering Firewall
- Packet filtering firewalls work at the network level of the OSI model (or the IP layer of TCP/IP); they are usually part of a router.
- In a packet filtering firewall, each packet is compared to a set of criteria before it is forwarded.
- Rules can include the source and destination IP address, the source and destination port number, and the protocol used.
- Depending on the packet and the criteria, the firewall can: drop the packet; forward it; or send a message to the originator.

Page 17

Circuit-Level Gateway Firewall
- Circuit-level gateways work at the session layer of the OSI model, or the TCP layer of TCP/IP.
- They monitor TCP handshaking between packets to determine whether a requested session is legitimate.
- Circuit-level gateways hide information about the private network they protect, but they do not filter individual packets.

Page 18

Application-Level Firewall
- Application-level gateways (proxies) can filter packets at the application layer of the OSI model.
- Incoming or outgoing packets cannot access services for which there is no proxy.
- An application-level gateway that is configured to be a web proxy will not allow any FTP, gopher, telnet, or other traffic.
- As an application-level gateway examines packets at the application layer, it can filter application-specific commands such as HTTP POST and GET.

Page 19

Stateful Multilayer Inspection Firewall
- Stateful multilayer inspection firewalls combine aspects of the other three types of firewalls: they filter packets at the network layer, determine whether session packets are legitimate, and evaluate the contents of packets at the application layer.
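The firewall types above differ mainly in how much context they keep per packet. The following added example (written for this page, not code from the CEH module or from any firewall product) runs a stateless packet filter and a stateful one over the same constructed traffic: both admit an inside client's web session, but the stateless filter, which needs a standing "anything from source port 80 inbound" rule for return traffic, also lets an outside host's bare ACK reach an internal SMB port, while the stateful filter rejects it for lack of a tracked session. The Packet and Rule classes, the rule syntax and all addresses are assumptions made for the example.

```python
"""Stateless packet filtering versus stateful inspection (added example).

Not code from the CEH module or from any firewall. Packets are constructed
objects; there is no real network I/O.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""     # TCP flags as letters: "S" SYN, "A" ACK, "SA" SYN/ACK


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str = "any"
    src: str = "any"             # "any" or a CIDR block
    sport: Optional[int] = None  # None means any port
    dst: str = "any"
    dport: Optional[int] = None


def _net_ok(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def matches(rule, pkt):
    return (rule.proto in ("any", pkt.proto)
            and _net_ok(rule.src, pkt.src) and _net_ok(rule.dst, pkt.dst)
            and rule.sport in (None, pkt.sport)
            and rule.dport in (None, pkt.dport))


def packet_filter(rules, pkt):
    """Stateless: each packet judged alone, first matching rule wins, default deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


class StatefulFilter:
    """Rules decide only who may open a session; replies are admitted from state."""

    def __init__(self, rules):
        self.rules = rules
        self.table = {}  # (src, sport, dst, dport) -> SYN_SENT | SYN_RECV | ESTABLISHED

    def decide(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.table:                       # initiator -> responder
            if self.table[fwd] == "SYN_RECV" and "A" in pkt.flags:
                self.table[fwd] = "ESTABLISHED"      # third step of the handshake
            return "allow"
        if rev in self.table:                       # responder -> initiator
            if self.table[rev] == "SYN_SENT":
                if pkt.flags != "SA":
                    return "deny"                   # only SYN/ACK may answer a SYN
                self.table[rev] = "SYN_RECV"
            return "allow"
        # No state yet: only a fresh SYN (or a non-TCP datagram) may open a
        # flow, and only when the rule set allows that initiator.
        if pkt.proto == "tcp" and pkt.flags != "S":
            return "deny"
        if packet_filter(self.rules, pkt) != "allow":
            return "deny"
        self.table[fwd] = "SYN_SENT" if pkt.proto == "tcp" else "ESTABLISHED"
        return "allow"


def demo():
    """Constructed traffic: an inside client browses out; an outsider then
    sends a bare ACK to an internal SMB port, as an ACK scan or firewalking
    probe would."""
    outbound_web = [Rule("allow", "tcp", "10.0.0.0/8", None, "any", 80)]
    # The stateless filter needs a standing hole for return traffic
    # (anything from source port 80 inward); the stateful one does not.
    stateless_rules = outbound_web + [Rule("allow", "tcp", "any", 80, "10.0.0.0/8", None)]
    stateful = StatefulFilter(outbound_web)
    traffic = [
        ("client SYN",     Packet("tcp", "10.0.0.5", 40000, "93.184.216.34", 80, "S")),
        ("server SYN/ACK", Packet("tcp", "93.184.216.34", 80, "10.0.0.5", 40000, "SA")),
        ("client ACK",     Packet("tcp", "10.0.0.5", 40000, "93.184.216.34", 80, "A")),
        ("bare ACK probe", Packet("tcp", "198.51.100.7", 80, "10.0.0.5", 445, "A")),
    ]
    return [(label, packet_filter(stateless_rules, p), stateful.decide(p))
            for label, p in traffic]
```

The last row of demo() is the practical difference: a stateless filter's "established" hole is a standing invitation to ACK scans and firewalking, whereas the stateful filter admits a packet only if it belongs to a session the inside opened.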

Page 20

Firewall Identification: Port Scanning
- A port scan helps the attacker find out which ports are available (i.e., whether a port is listening); it consists of sending a message to each port, one at a time.
- The kind of response received indicates what service might be in use, and that service can therefore be probed further for weakness.
- Some firewalls uniquely identify themselves using simple port scans. For example, Check Point's FireWall-1 listens on TCP ports 256, 257, 258, and 259, and Microsoft's Proxy Server usually listens on ... [port numbers illegible in the scan].
- Treat such port-based identification as a hint rather than proof: any host can be configured to listen on those ports, so confirm the guess with banner grabbing or a service-version scan.

Page 21

Firewall Identification: Firewalking
- Firewalking is similar to tracerouting and works by sending TCP or UDP packets into the firewall that have a TTL set at one hop greater than the targeted firewall.
- If the firewall forwards the packet, the next hop beyond it returns an ICMP "TTL exceeded" message, revealing that the port is allowed through; if no reply comes back, the firewall filtered that port. This lets an attacker map the firewall's access list without ever completing a connection to the hosts behind it.

Page 23

Honeypot
- A honeypot is a system resource that is expressly set up to attract and trap people who attempt to ... [text illegible in the scan] ... keystrokes. This could send early warnings of a more concerted attack.

Page 24

Low-interaction honeypot
- They work by emulating services and programs that would be found on an individual's system.
- If the attacker does something that the emulation does not expect, the honeypot will simply generate an error.
- Captures limited amounts of information, mainly transactional data and some limited interaction.
- Examples: Specter, Honeyd, and KFSensor.

High-interaction honeypot (only a fragment survives in the scan): ... including new tools, communications, ...
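To show what "emulating a service" and "generating an error on the unexpected" look like in practice, here is an added example written for this page (not Specter, Honeyd or KFSensor code): a fake FTP service that sends a banner, answers USER/PASS, SYST and QUIT, refuses every login while recording the credentials tried, and replies 500 to anything outside its emulation. The banner string, the IP addresses, the attacker transcript and the listening port 2121 are all constructed assumptions; the socketserver wrapper at the end only listens when the file is run directly.

```python
"""Low-interaction FTP honeypot (added example; not Specter/Honeyd/KFSensor).

The emulation is deliberately shallow: enough protocol to keep a scanner or
brute-forcer talking, every interaction logged, anything unimplemented
answered with a generic error.
"""
import socketserver
import time
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Session:
    peer: str
    user: Optional[str] = None
    log: List[Tuple[float, str, str]] = field(default_factory=list)  # (ts, cmd, reply)
    credentials: List[Tuple[Optional[str], str]] = field(default_factory=list)


class FakeFtp:
    # Constructed banner: an old-looking version string invites probing.
    BANNER = "220 (vsFTPd 2.3.4)\r\n"

    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = []

    def connect(self, peer):
        session = Session(peer)
        self.sessions.append(session)
        return session, self.BANNER

    def handle(self, session, line):
        """Return (reply, close_connection) for one command line."""
        cmd, _, arg = line.strip().partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            session.user = arg
            reply = "331 Please specify the password.\r\n"
        elif cmd == "PASS":
            session.credentials.append((session.user, arg))   # harvest, never accept
            reply = "530 Login incorrect.\r\n"
        elif cmd == "SYST":
            reply = "215 UNIX Type: L8\r\n"
        elif cmd == "QUIT":
            reply = "221 Goodbye.\r\n"
        else:
            reply = "500 Unknown command.\r\n"   # edge of the emulation: generic error
        session.log.append((self.clock(), line.strip(), reply.strip()))
        return reply, cmd == "QUIT"

    def alerts(self, max_failures=2):
        """Early-warning summary from the transactional data we keep: peers
        brute-forcing logins or probing beyond the emulated surface."""
        out = []
        for s in self.sessions:
            if len(s.credentials) > max_failures:
                out.append((s.peer, "login brute force", len(s.credentials)))
            unknown = [c for _, c, r in s.log if r.startswith("500")]
            if unknown:
                out.append((s.peer, "unemulated command", unknown))
        return out


class _Handler(socketserver.StreamRequestHandler):
    def handle(self):
        hp = self.server.honeypot
        session, banner = hp.connect(self.client_address[0])
        self.wfile.write(banner.encode())
        for raw in self.rfile:
            reply, done = hp.handle(session, raw.decode("latin-1"))
            self.wfile.write(reply.encode())
            if done:
                break


def serve(host="127.0.0.1", port=2121):
    """Listen for real connections; try `nc 127.0.0.1 2121` from another shell."""
    server = socketserver.ThreadingTCPServer((host, port), _Handler)
    server.honeypot = FakeFtp()
    server.serve_forever()


def demo():
    """Constructed attacker transcript driven straight through the emulator."""
    hp = FakeFtp(clock=lambda: 0.0)
    session, banner = hp.connect("203.0.113.9")
    script = ["USER anonymous", "PASS guest@", "USER root", "PASS toor",
              "USER admin", "PASS admin", "SITE EXEC id", "QUIT"]
    replies = [hp.handle(session, line)[0].strip() for line in script]
    return {"banner": banner.strip(), "replies": replies,
            "credentials": session.credentials, "alerts": hp.alerts()}


if __name__ == "__main__":
    serve()
```

The "500 Unknown command" reply to SITE EXEC is the limitation the slide describes: a low-interaction honeypot cannot follow the attacker past what it emulates, which is also what makes it safe to run, since there is no real service to compromise.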

Page 25

How to Set Up a Honeypot?
1. Download or purchase honeypot software. Tiny Honeypot, LaBrea, and ... are programs available for Linux systems; KFSensor is one program that works with Windows.
2. Log in as an administrator on the computer to install programs.
3. Install the software on your computer; make sure every feature of the program is installed.

Page 26

How to Set Up a Honeypot? (continued)
4. Once you have chosen the software in the "Program" folder, click "OK" and the program will install.
5. Check the items that you want the honeypot to work for, including services, applications, and Trojans, and name your domain.

Page 27

Module Flow
- IDS, Firewall and Honeypot System
- Evading IDS
- Evading Firewalls
[remaining flow items illegible in the scan]

Page 28

Intrusion Detection Tool: Snort
- Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
- It can perform protocol analysis and content searching/matching, and is used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and OS fingerprinting attempts.
- It uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plug-in architecture.
- Uses of Snort: a straight packet sniffer like tcpdump; a packet logger (useful for network traffic debugging); a network intrusion detection system.

Starting Snort on Windows, as shown in the screenshot (-c selects the configuration file, -l the log directory, -i the interface index):

    c:\Snort\bin>snort -c c:\Snort\etc\snort.conf -l c:\Snort\log -i 2

[Screenshot: Snort 2.9.0.2 (Build 92) console, "By Martin Roesch & The Snort Team", Copyright (C) 1998-2010 Sourcefire, Inc.: "Initialization Complete", rules engine SF_SNORT_DETECTION_ENGINE 1.12, preprocessors SF_SSLPP and SF_SSH loaded, "Commencing packet processing", stream5 "Session exceeded configured max bytes to queue" warnings for 192.168.168.7:11616 -> 92.46.53.163:80, run time 1 hour 39 minutes 45 seconds, packet I/O totals: received 147490, analyzed 11774]

Page 29

How Snort Works

[Figure: Snort engine components; legible labels only]
- Packet decoder: saves the packets captured from the NIC (in sniffing mode), identifies the link-level protocols, and decodes IP.
- Dynamically loaded libraries: plug-ins loaded into the engine.
- Base detection engine: matches decoded packets against the rules previously loaded from the rule set.
- Rules files: plain text files which contain a list of rules with a known syntax.
- Output plugins: report alerts in various ways (console, external files, databases, etc.).

Page 30

Snort Rules
- Snort's rule engine enables one to write one's own rules to meet the needs of the network.
- Snort rules help in differentiating between normal Internet activities and malicious activities.
- Snort rules must be contained on a single line; the Snort rule parser doesn't handle rules on multiple lines. (This was strict only before Snort 1.8; current Snort 2.x releases accept a trailing backslash as a line-continuation character.)
- Snort rules come with two logical parts:
  - Rule header: identifies the rule's action (alert, log, pass, activate, dynamic, etc.), the protocol, the source and destination addresses and ports, and the direction.
  - Rule options: identifies the rule's alert message (msg) and the extra conditions a packet must meet, such as content.

Page 31

Snort Rules: Rule Actions and IP Protocols
- Rule actions: the actions listed on the previous slide (alert, log, pass, activate, dynamic).
- IP protocols: three available IP protocols that Snort supports for suspicious ... [rest illegible in the scan]. (Snort 2.x rule headers actually accept four protocol keywords: tcp, udp, icmp, and ip.)

Page 32

Snort Rules: IP Addresses
- This part of the header deals with the IP addresses for any particular rule.
- Use the keyword "any" to define any IP address.
- Snort accepts addresses that are formed by a straight numeric IP address and a CIDR block; the CIDR block applies a netmask to the rule's address and to incoming packets that are verified against the rule.
- Example IP address negation rule (the "!" excludes the local network as a source, so only external hosts trigger it):

    alert tcp !192.168.1.0/24 any -> 192.168.1.0/24 111 (content: "|00 01 86 a5|"; msg: "external mountd access";)

Page 33

Snort Rules: Port Numbers
- Port numbers can be listed in different ways, including "any" ports, static port definitions, ranges, and by negation. Port ranges are indicated with the range operator ":".
- Example of port negation:

    log tcp any any -> 192.168.1.0/24 !6000:6010

- Further examples:

    log udp any any -> 192.168.1.0/24 1:1024
    Log UDP traffic coming from any port to destination ports ranging from 1 to 1024.

    log tcp any any -> 192.168.1.0/24 :5000
    Log TCP traffic from any port going to ports less than or equal to 5000.

    log tcp any :1024 -> 192.168.1.0/24 400:
    Log TCP traffic from privileged ports less than or equal to 1024 going to ports greater than or equal to 400.
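To make the header syntax of the last two slides concrete, here is an added example written for this page (not Snort's own parser): it reads the five rules shown above, applies the address negation, CIDR and port-range logic, and checks the content option with Snort's |hex| byte notation against constructed packets. The rules are the ones on the slides; the packet dictionaries, addresses and the RPC payload are assumptions made for the demo.

```python
"""Match Snort-style rule headers against packets (added example, not Snort).

Implements what the slides show: action, protocol, address with optional
"!" negation and CIDR, port specs ("any", "111", "1:1024", ":5000", "400:",
"!6000:6010"), the "->" and "<>" direction operators, and the "content"
option with |hex| byte notation plus "msg".
"""
import ipaddress
import re

# Rules copied from the slides; the packets in demo() are constructed.
RULES = [
    'alert tcp !192.168.1.0/24 any -> 192.168.1.0/24 111 '
    '(content: "|00 01 86 a5|"; msg: "external mountd access";)',
    'log tcp any any -> 192.168.1.0/24 !6000:6010',
    'log udp any any -> 192.168.1.0/24 1:1024',
    'log tcp any any -> 192.168.1.0/24 :5000',
    'log tcp any :1024 -> 192.168.1.0/24 400:',
]

_HEADER = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*(?:\((.*)\))?\s*$")


def _addr_ok(spec, ip):
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    hit = spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != negate


def _port_ok(spec, port):
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        hit = True
    elif ":" in spec:                      # lo:hi, :hi or lo:
        lo, hi = spec.split(":")
        hit = (lo == "" or int(lo) <= port) and (hi == "" or port <= int(hi))
    else:
        hit = port == int(spec)
    return hit != negate


def content_bytes(text):
    """Snort content 'ab|00 01|cd' -> b'ab\\x00\\x01cd'."""
    out = b""
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return out


def parse_rule(line):
    m = _HEADER.match(line.strip())
    if not m:
        raise ValueError("unparsable rule: " + line)
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    rule = {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "msg": None, "content": []}
    for opt in (o.strip() for o in (opts or "").split(";")):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip().strip('"')
        if key == "msg":
            rule["msg"] = val
        elif key == "content":
            rule["content"].append(content_bytes(val))
    return rule


def _header_hit(rule, pkt, s, sp, d, dp):
    return (_addr_ok(rule[s], pkt["src"]) and _port_ok(rule[sp], pkt["sport"])
            and _addr_ok(rule[d], pkt["dst"]) and _port_ok(rule[dp], pkt["dport"]))


def rule_matches(rule, pkt):
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    hit = _header_hit(rule, pkt, "src", "sport", "dst", "dport")
    if not hit and rule["dir"] == "<>":            # bidirectional: try swapped
        hit = _header_hit(rule, pkt, "dst", "dport", "src", "sport")
    return hit and all(c in pkt.get("payload", b"") for c in rule["content"])


def demo():
    """Which slide rules fire for each constructed packet (rule indices)."""
    rules = [parse_rule(r) for r in RULES]
    mountd = b"\x80\x00\x00\x28\x00\x00\x00\x01\x00\x01\x86\xa5"  # RPC program 100005
    pkts = {
        "external mountd": dict(proto="tcp", src="10.9.8.7", sport=33000,
                                dst="192.168.1.10", dport=111, payload=mountd),
        "internal mountd": dict(proto="tcp", src="192.168.1.5", sport=33000,
                                dst="192.168.1.10", dport=111, payload=mountd),
        "x11":             dict(proto="tcp", src="10.9.8.7", sport=5000,
                                dst="192.168.1.10", dport=6001),
        "dns":             dict(proto="udp", src="10.9.8.7", sport=5353,
                                dst="192.168.1.10", dport=53),
        "priv src":        dict(proto="tcp", src="10.9.8.7", sport=1023,
                                dst="192.168.1.10", dport=8080),
    }
    return {name: [i for i, r in enumerate(rules) if rule_matches(r, p)]
            for name, p in pkts.items()}
```

Note how the negated source network keeps the mountd alert quiet for the internal host while the port-negation rule still logs both: header negation applies per field, so a rule fires only when every address and port test passes.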

Page 34

Intrusion Detection System: TippingPoint
- TippingPoint IPS is inserted seamlessly and transparently into the network; it is an in-line device.
- Each packet is thoroughly inspected to determine whether it is malicious or legitimate.
- It provides performance, application, and infrastructure protection at gigabit speeds through total packet inspection.
- Because it sits in-line, a false-positive signature blocks legitimate traffic outright, unlike a passive IDS that only alerts; stage new signatures in alert-only mode before enabling blocking.

[Screenshot: TippingPoint traffic graphs. Permitted: last 27.39 k, avg 13.79 k, max 40.38 k; Blocked: 0; Discarded Invalid: last 69.38, avg 66.91, max 81.33. "Attacks Per Protocol": ICMP last 3.67 k, avg 3.90 k, max 6.06 k; UDP last 886.08, avg 1.04 k, max 6.61 k; TCP last 22.90 k, avg 8.94 k, max 35.85 k; IP-Other 0. Graph last updated Tue 22 Sep 12:20:02 CEST 2009. Source: http://h10163.www1.hp.com]

Page 35

Intrusion Detection Tools
- Security Network Intrusion Prevention System

Page 36

Intrusion Detection Tools
- eXpert-BSM (http://www.csl.sri.com)
- SNARE (System iNtrusion Analysis and Reporting Environment)

Page 37

Firewall: Sunbelt Personal Firewall

[Screenshot: Sunbelt Personal Firewall application rules table. Each application (Internet Explorer, LSA Shell (Export Version), Windows NT Logon Application, Userinit Logon Application, Generic Host Process, Microsoft File and Printer Sharing, and "Any other application") has a deny/permit/ask setting for incoming and outgoing connections in the trusted and Internet zones]

Page 38

Page 39

[Screenshot of a personal firewall's event log (product name illegible in the scan): an "Event Details" text viewer showing the alert "RBOT worm propagation", with request data containing an "Authorization: Negotiate" header and a hex dump. Listed features: ... networking protocols, export logs in multiple formats, Denial of Service (DoS) attack protection]

Page 40

Honeypot Tool: SPECTER
- SPECTER is a smart honeypot-based intrusion detection system that offers common Internet services such as SMTP, FTP, POP3, HTTP and TELNET which appear perfectly normal to the attackers but in fact are traps.
- SPECTER provides massive amounts of ... [text cut in the scan] ... password files, documents and all kinds of ...

[Screenshot: SPECTER configuration dialog: host name, system name, mail server IP address, web service configuration, "use custom warning message", remote management port, "expect friendly connections", "use custom mail message for POP3", and the trap banner "Your actions are logged, intrusion alert was activated"]

Posted: 03/04/2014, 22:58