Fool your enemy with Mikrotik
BY: DIDIET KUSUMADIHARDJA
MIKROTIK USER MEETING (MUM) 2016 JAKARTA, INDONESIA 14 OCTOBER 2016
About Me: Didiet Kusumadihardja
1. IT Security Specialist, PT. Mitra Solusi Telematika
2. Trainer & IT Consultant, Arch Networks
Didiet Kusumadihardja - [email protected]
MTCNA, MTCINE, MTCWE, MTCUME, MTCTCE, MTCRE
PT. Mitra Solusi Telematika, Gedung TMT 2, GF, Jl. Cilandak KKO, Jakarta
Global IT Security Incident
Global IT Security Incident 2014
Entire Network
Canceled
Global IT Security Incident 2015
Hacked for 3 years (2012 – 2015)
Global IT Security Incident 2016
500 million accounts, 3 billion accounts ??? Source: Tech Times
Indonesia IT Security Incident
INDONESIA IS SAFE?
Source: Akamai
Indonesia IT Security Incident 2013
polri.go.id 2013: Deface
Motive: Fame?
Indonesia IT Security Incident 2016
Teman Ahok: DDoS Attack
Motive: Politics?
Indonesia IT Security Incident 2016
Videotron, Kebayoran Baru, Jakarta Selatan
Motive: Curiosity?
IT Security Trends
You don't need to be smart to hack. Source: Carnegie Mellon University
Hacking Tools Example
Cain & Abel
Kali Linux
Cybercrime as a Service (CaaS)
Modern Business. Source: SCMagazine
How do hackers do it?
Hacking Phase
1. Reconnaissance
2. Scanning
3. Gaining Access
4. Maintaining Access
5. Clearing Tracks
Source: Ethical Hacking by EC-Council
Hacking Phase (Cont'd)
1. Reconnaissance: Information Gathering
2. Scanning: OS Detail, Application, Open Port, Version, Device Type, Vulnerability
3. Gaining Access: Exploit Vulnerability, Escalate Privilege
4. Maintaining Access: Backdoors, Data harvesting
5. Clearing Tracks: Delete/overwrite Event/Logs
Hacking Phase Analogy
1. Reconnaissance
2. Scanning
3. Gaining Access
4. Maintaining Access
5. Clearing Tracks
When do we fool them?
1. Reconnaissance
2. Scanning
3. Gaining Access
4. Maintaining Access
5. Clearing Tracks
Why at the Scanning Phase?
TELNET
SSH
Scanning Tools
SoftPerfect Network Scanner
The Dude
How to fool them?
Use a bait
Hacker
Bait: Honey Pot
Web Server Example
Web Server: HTTP, HTTPS
Confuse your enemy
HTTP
HTTPS
Server Farm Network Example (192.168.1.0/24)
SERVER X
192.168.1.2 DNS Server
192.168.1.5 Web Server
192.168.1.10 DB Server
192.168.1.15 Mail Server
Confuse your enemy (192.168.1.0/24)
192.168.1.1 Fake Server 1
192.168.1.2 DNS Server
192.168.1.3 Fake Server 2
192.168.1.4 Fake Server 3
192.168.1.5 Web Server
192.168.1.6 Fake Server 4
192.168.1.7 Fake Server 5
192.168.1.8 Fake Server 6
192.168.1.9 Fake Server 7
192.168.1.10 DB Server
192.168.1.11 Fake Server 8
192.168.1.12 Fake Server 9
192.168.1.13 Fake Server 10
192.168.1.14 Fake Server 11
192.168.1.15 Mail Server
How do we do it with Mikrotik?
NAT (Network Address Translation)
Fake NAT
Fake Ports at your Web Server
HTTP & HTTPS to Legitimate Server
Other Ports to Fake Server
Simple NAT for Web Server
NAT (Port Mapping): INTERNET -> ROUTER -> WEB SERVER 192.168.2.3
NAT rule fields shown: Chain, Action
Add Additional NAT for Bait
NAT rule fields shown: Chain, Action
Web Server 192.168.2.3
Fake Server (Honey Pot) 192.168.2.4
Fake Server at your Server Farm Network
Only one legitimate server
Others are fake servers
Another Example
NAT rule fields shown: Chain, Action
Web Server 192.168.2.3
Fake Server (Honey Pot) 192.168.2.4
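The two NAT slides above ("Add Additional NAT for Bait" and "Fake Server at your Server Farm Network") as RouterOS CLI, written here as an added example and not the presenter's own configuration. ether1 as the WAN interface, the address-list name and the farm honeypot address 192.168.1.250 are assumptions; the other addresses are the slides' own.

```routeros
# Added example, not from the slides. Assumptions: WAN interface is ether1,
# the web server is 192.168.2.3 and the honeypot is 192.168.2.4 (both as on
# the slides); the server-farm honeypot address 192.168.1.250 is assumed.

/ip firewall nat
# Web server bait. Only HTTP/HTTPS reach the real server; every other TCP
# port on the public side is forwarded to the honeypot instead.
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=80,443 \
    action=dst-nat to-addresses=192.168.2.3 comment="Legitimate web server"
add chain=dstnat in-interface=ether1 protocol=tcp \
    action=dst-nat to-addresses=192.168.2.4 comment="Bait: all other TCP ports"
# Rules run top to bottom: the narrow rule must stay above the catch-all,
# and any port the router itself serves from the WAN (a VPN, for example)
# needs its own accept rule above the catch-all or the bait swallows it.

# Server-farm bait. The unused addresses of 192.168.1.0/24 become "fake
# servers" by sending all of them to the one honeypot.
/ip firewall address-list
add list=fake-servers address=192.168.1.1 comment="Fake Server 1"
add list=fake-servers address=192.168.1.3-192.168.1.4 comment="Fake Server 2-3"
add list=fake-servers address=192.168.1.6-192.168.1.9 comment="Fake Server 4-7"
add list=fake-servers address=192.168.1.11-192.168.1.14 comment="Fake Server 8-11"
/ip firewall nat
add chain=dstnat dst-address-list=fake-servers \
    action=dst-nat to-addresses=192.168.1.250 comment="Bait: fake farm servers"
# Only traffic that crosses the router is caught: a scanner sitting on the
# same L2 segment as the farm ARPs directly and never enters the dstnat chain.
```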
Combine with Honey Pot
KFSensor
Other HoneyPots: Honeyd, Kippo, Dionaea, Nepenthes
What the Hacker Sees (Nmap)
Nmap / Zenmap
Before
After
What the Hacker Sees (SoftPerfect NetScan)
SoftPerfect Network Scanner
Before
After
I don't want to use a HoneyPot
Step 1: Chain
Step 2: Action
What we see if someone PINGs
SRC-MAC ADDRESS, SRC-IP ADDRESS
What we see if someone runs NMAP
Mikrotik LOG:
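The honeypot-free variant (Step 1: Chain, Step 2: Action) together with the log entries the last two slides describe, as an added RouterOS example that is not the presenter's configuration. The address-list name, the log prefixes and the forward-chain placement are assumptions; the web server address is the slides' own.

```routeros
# Added example, not from the slides. Assumptions: probes reach the web
# server 192.168.2.3 (address from the slides) through this router's
# forward chain; the list name "port-scanners" and the prefixes are made up.

/ip firewall filter
# Step 1: chain. Outside traffic to the server passes the forward chain,
# so the rules go there, above any general accept rule.
# Step 2: action. Log first, so the entry shows src-mac and the source IP,
# then remember the source and drop, so no real service is ever exposed.
add chain=forward src-address-list=port-scanners action=drop \
    comment="Already flagged as a scanner"
add chain=forward protocol=icmp icmp-options=8:0 dst-address=192.168.2.3 \
    action=log log-prefix="PING-PROBE" comment="Echo request to web server"
add chain=forward protocol=tcp dst-address=192.168.2.3 dst-port=80,443 \
    action=accept comment="Legitimate HTTP/HTTPS"
add chain=forward protocol=tcp dst-address=192.168.2.3 connection-state=new \
    action=add-src-to-address-list address-list=port-scanners \
    address-list-timeout=1d log=yes log-prefix="NMAP-PROBE" \
    comment="Any other port on the web server is a probe"
add chain=forward protocol=tcp dst-address=192.168.2.3 action=drop \
    comment="No reply to the probe, so nmap reports it as filtered"
# Each firewall log line carries in/out interface, src-mac (only when the
# packet arrived on an Ethernet-type interface), protocol and src->dst;
# review them with: /log print where message~"PROBE"
```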
The Dude, Hotspot & Userman
IP Address, MAC Address, User ID, Person
Use Case 1
Internet Café (WARNET), University, Office
Insider Threat
Use Case 2: http://public.honeynet.id
Analytics (Low Interaction Honeypot)
Research
For Fun: Learn hacking methods from hackers / script kiddies (High Interaction Honeypot)
DIDIET KUSUMADIHARDJA
Thank you. Questions?
[email protected] http://didiet.arch.web.id/ https://www.facebook.com/ArchNetID/