2. ROFIQ FAUZI
ID-NETWORKERS | WWW.IDN.ID
CONSULTANT
CERTIFIED TRAINER
http://www.mikrotik.com/consultants/asia/indonesia
• 2005, Network Engineer at WISP.
• 2007, Network & Wireless Engineer at INDOSAT Central Java Area
• 2008, IT Network & Telco Procurement at INDOSAT HQ
• 2012-Now, MikroTik Consultant & Certified Trainer at ID-
Networkers (PT Integrasi Data Nusantara).
• 2013-Now, Network Manager at WISP Indomedianet, Indonesia
• 2013-Now, Network Consulting Engineer at Connexin Limited, Hull,
UK
http://www.mikrotik.com/training/partners/asia/indonesia
2
3. ID NETWORKERS
ID-NETWORKERS | WWW.IDN.ID
In the Most Prestigious Networking Certification
EXPERT LEVEL TRAINERS & CONSULTANS
OVERVIEW
We are young entrepreneurs, we are only one training
partner & consultant who has expert level trainers in the
most prestigious networking certification, CCIE Guru ,
JNCIE Guru and MTCINE guru, which very limited
number in Indonesia even Asia. Proven that hundred of
our students pass the certification exam every year. We
are the biggest certification factory in Indonesia.
WEBSITE
www.idn.id | www.trainingmikrotik.com
3
5. INTERNET SECURITY THREATS
ID-NETWORKERS | WWW.IDN.ID
o Information gathering
o Sniffing and eavesdropping
o Spoofing
o Session hijacking and man-in-
the-middle attacks 0 SQL
injection
o ARP Poisoning
o Password-based attacks
o Denial of service attack
o Compromised-key attack
o Malware attacks
o Target Footprinting
o Password attacks
o Denial of service attacks
o Arbitrary code execution
o Unauthorized access Privilege
escalation
o Back door Attacks
o Physical security threats
o Data/Input validation
o Authentication andAuthorization
attacks
o Configuration management
o Information disclosure
o Session management issues
o Cryptography attacks
o Parameter manipulation
o Improper error handling and
exception management
Host Threats Application ThreatsNetwork Threats
5
7. INTERNET CRIME REPORT
ID-NETWORKERS | WWW.IDN.ID
230,000
240,000
250,000
260,000
270,000
280,000
290,000
300,000
310,000
320,000
2010 2011 2012 2013 2014
Internet Crime Compliant
• Victims are encouraged by law
enforcement to file a complaint
online at www.ic3.gov
• Total Complaints Received in 2014
is amount 269,422
• Complaints Reporting a Loss is
123,684
• Total Losses Reported was
$800,492,073
Overall Statistic
The following is the crime report data from IC3; the Internet Crime ComplaintCenter (IC3) is a partnership among the
Federal Bureau of Investigation (FBI)
$800M
LOSS
YEAR
REPORT
7
9. HACKING EFFECTS IN BUSINESS
ID-NETWORKERS | WWW.IDN.ID
Every business must provide strong security for its customers. Attackers use hacking techniques to steal, pilfer, and
redistribute intellectual property ofbusinesses and in turn to make financial gain
Reputation
Business Loss
Revenue Loss
Compromise Information
According to the Symantec 2012 State of Information survey,
information costs businesses worldwide $1.1 trillion annually.
Theft of customers' personal information may risk
the business's reputation and invite lawsuits
Hacking can be used to steal, pilfer, and redistribute
intellectual property leading to business loss
Botnets can be usedto launchvarious types of DoS andother web-based attacks,
which may lead to business down-time and significant loss of revenues
Attackers may steal corporate secrets and sell them to competitors,
compromise critical financial I information, and leak informationto rivals
9
10. KNOW THE ATTACK
ID-NETWORKERS | WWW.IDN.ID
If you know both of yourself
and your enemies, you will not
be lose in a hundred battles.
If you do not know yourself
nor your enemies, you will be
lose in every single battle.
(The Art of War - Sun Tzu).
10
11. WHO IS HACKER?
ID-NETWORKERS | WWW.IDN.ID
Multitude of Reasons
• Intelligent individuals with excellent computer
skills
• Hacking is a hobby to see how many
computers or networks they can compromise
• Their intention can either be to gain knowledge
or to poke around doing illegal things
• Some hack with malicious intent, such as
stealing business data, credit card information,
social security numbers, email passwords, etc.
A hacker is a person who illegally breaks into a system or network withoutany authorization to destroy, steal sensitive
data, or perform malicious attacks.
11
13. GATHER INFORMATION
gathers as much information as possible about the target prior to launching the attack.
ID-NETWORKERS | WWW.IDN.ID
SOCIAL ENGINEERING ATTACK
because there is no patch for human stupidity.
13
14. GOOGLE SCAM
How to bypass the two-factor google authentication systems using fake SMS
ID-NETWORKERS | WWW.IDN.ID
14
15. PORT SCANNING
ID-NETWORKERS | WWW.IDN.ID
Port scanners can be used to detect listening ports to find information about the nature of services
running on the target machine
15
16. PORTS
ID-NETWORKERS | WWW.IDN.ID
The primary defense technique in this regard is to shut down services thatare not required.Appropriate filtering may also
be adopted as a defense mechanism.However,attackers can still use tools to determine the rules implemented for filtering.
• Port is an specific application or specific process on the computer /
host running that running service.
• In a host, total number of port is 65535, with numbering classification
as follows:
1. From 0 to 1023 (well-known ports),
2. From 1024 to 49151 (registered port),
3. From 49152 to 65535 (unregistered / dynamic, private or
ephemeral ports)
16
18. GAINING ACCESS
ID-NETWORKERS | WWW.IDN.ID
Software applications
come with large number
of functionalities and
features
Most administrators don't
have the necessary skills
to maintain or fix issues,
which may lead to
configuration errors
some scripts have
various vulnerabilities,
which can lead to shrink
wrap code attacks
Attackers search for OS
vulnerabilities and exploit
them to gain access to a
network system
OPERATING SYSTEM APPLICATION LEVEL MISCONFIGURATION SRINK WRAP CODE
18
19. INTRUSION DETECTION SYSTEM
ID-NETWORKERS | WWW.IDN.ID
• Intrusion: activities that can detected as
anomalies, incorrect, inappropriate occurring on
the network or host, usually done by hacker
• IDS (Intrusion Detecting System): system that
can detect intrusion, it is like the alarm system
19
20. BACKGROUND
ID-NETWORKERS | WWW.IDN.ID
• Admin can not always monitor the servers directly or
always login in to check the servers for intruder.
• We need firewall not just to blocking intruder, but also
log and report them to admin immediately.
• In wide network with many MikroTik router, we don’t
know which is under attack.
• We can report the to the IP owner of the intruders as
abuse.
20
21. HOW IDS WORK
ID-NETWORKERS | WWW.IDN.ID
• Passive System
ü sensor detects a potential security breach
ü logs the information
ü alert on the console
• Reactive System
ü Like Passive System, but plus:
ü auto-responds (resetting the connection or drop the
traffic) from intruders
ü Send the report to admin
21
28. TOOLS
ID-NETWORKERS | WWW.IDN.ID
We want simulation with the following tools:
• MikroTik (I am using RB 751)
as IDS machine
• Attacker (my laptop)
it will attack the MikroTik with different method
• Email Account (gmail account)
there are 1 email for smtp relay and some mail as mail
of administrator.
28
29. MIKROTIK CONFIGURATION
ID-NETWORKERS | WWW.IDN.ID
Router Identity
In menu /system identity, set the router name, ex : customer identity
Why we must set the router id?
– If we have many routers, which one is being attacked.
– Because router identity will be informed in email as subject.
29
30. MIKROTIK CONFIGURATION
ID-NETWORKERS | WWW.IDN.ID
Configure Mikrotik to Send e-mail
Create mail account for the smtp relay, In this lab we using Gmail.
In /tool e-mail , set the smtp server, your username & password of gmail
/tool email
set address=74.125.141.108 user=yourgmailuser
password=yourpassword port=587
Lets try to send some email to make sure its work
30
31. MIKROTIK FIREWALL
ID-NETWORKERS | WWW.IDN.ID
• To protect the router from unauthorized access,
both originating from the WAN (Internet) or from
the LAN (local).
• To protect the network that through the router.
• In MikroTik, firewall has many features that are
all included in the IP Firewall menu.
• Basic Firewall in MikroTik configure at
IP>Firewall>Filter Rule.
31
32. MIKROTIK FIREWALL
ID-NETWORKERS | WWW.IDN.ID
• Each firewall filter rules are organized in a chain and read
sequentially.
• Each chain will be read by the router from top to bottom.
• In Firewall Filter Rule there 3 default chain
• input – processes packets sentto the router
• output – processes packets sent by the router
• forward – processes packets sentthrough the router
• In addition to the 3 default chain, We can make chain by our self as
needed.
• Every user-defined chain should subordinate to at least one of the
default chains
32
33. MIKROTIK FIREWALL
ID-NETWORKERS | WWW.IDN.ID
Rules can be placed in three default chains
• input (to router)
• output (from router)
• forward (trough the router)
Input
Winbox
Forward
WWW E-Mail
Output
Ping from Router
33
34. MIKROTIK FIREWALL
ID-NETWORKERS | WWW.IDN.ID
• Rule IF….THEN….
• IF packet match with our define criteria.
• THEN what will we do for that packet?
• In IP firewall IF condition define in tab General,
Advanced and Extra, and THEN condition define
in Action tab
34
37. MIKROTIK FIREWALL
ID-NETWORKERS | WWW.IDN.ID
accept - acceptthe packet. Packet is not passed to next firewall rule.
add-dst-to-address-list - add destination address to address list
specified by address-listparameter
add-src-to-address-list - add source address to address list
specified by address-listparameter
drop - silently drop the packet
jump - jump to the user defined chain specified by the value of jump-
target parameter
log - add a message to the system log containing following data: in-
interface, out-interface, src-mac, protocol, src-ip:port->dst-ip:port and
length of the packet. After packet is matched it is passed to next rule
in the list, similar as passthrough
passthrough - ignore this rule and go to next one (useful for
statistics).
reject - drop the packet and send an ICMP rejectmessage
return - passes control back to the chain from where the jump took
place
tarpit - captures and holds TCP connections (replies with SYN/ACK
to the inbound TCP SYN packet)
IP>Firewall>Filter Rules>Action
37
38. IP Firewall Filter Rule (Extra) - PSD
ID-NETWORKERS | WWW.IDN.ID
PSD (Port Scan Detection)
Filter or and identify port scanning (TCP)
low port : 0 – 1023
high port : 1024 - 65535
38
40. MIKROTIK CONFIGURATION
ID-NETWORKERS | WWW.IDN.ID
Configure MikroTik to Run the Script
Scripts can be written directly to console or can be stored in Script
repository
• Example script that directly run in console:
[admin@MikroTik]>:put (45+23+1)
• Script repository ( /system script) can be run by running other
script, on event scheduler or netwatch
40
41. MIKROTIK CONFIGURATION
ID-NETWORKERS | WWW.IDN.ID
Configure in Script Repository (/system script)
:foreach a in=[/ip firewall address-list find list=port_scaners] do={:global
ip [/ip firewall address-list get $a address];
:log warning ("Scan Attack from:" .$ip);
:local sysname [/system identity get name];
:local date [/system clock get date];
:local time [/system clock get time];
/tool e-mail send from="Router $sysname<mikrotik.ids@gmail.com>"
to="indomedia.monitoring@yahoo.com" start-tls=yes server=74.125.127.108
port=587 user=mikrotik.ids password=t3ddyb3ar subject="Scan Attack!" body="
Dear Admin, n nWe have note that on $date at $time. There is scanning attack
to $sysname from IP $ip, and has been blocked by firewall. nSee
http://whois.sc/$ip for detail IP attacker information. n n Thanks & Regard
nIDS Machine":log warning "IP intruder telah diblock dan Email report telah
dikirim."}
Find match address list
Get the IP address
Log it on machine
Get router id, date & time
send the report
41
43. MIKROTIK CONFIGURATION
ID-NETWORKERS | WWW.IDN.ID
Configure in System Scheduler
In /system schedule add schedule in order to run the scripts within a certain period
Interval set to 5m, because the ip address list time out set to 5m 10s,
its to ensure that the IP in address-list sent once.
43
44. MIKROTIK CONFIGURATION
ID-NETWORKERS | WWW.IDN.ID
In /system log, add logging for mail topics, Its make us easy to get the log if there are
troubleshoot in send mail
44
45. ATACKER DEMO
ID-NETWORKERS | WWW.IDN.ID
– Today most of the attackers who attacked
continuously usually is a machine or boot
– In this demonstration, we will use Software for
testing/simulation
– For demo, We will using Nmap for scanning and
Brute Force for involves systematically checking
all possible code, combination, or password until
the correct one is found
45
48. CONCLUTIONS
ID-NETWORKERS | WWW.IDN.ID
ü We can change our mikrotik box to become a
smart machine that inform us if it’s attacked by
intruders.
ü We can improve this method to any malicious
connection
48
49. “If you cannot survive in the tired of learning, then you will be suffering by the pain of stupidity” (Imam
Syafi’i)
THANK YOU
FOR YOUR TIME
If you have any other questions or would like me
to clarify anything else, please, let me know. I am
always glad to help in any way I can
Jakarta & Semarang,Indonesia
www.trainingmikrotik.com
rrofiq@idn.id
+62 8156583545
@mymikrotik
www.facebook.com/ropix
ADDRESS:
WEBSITE:
EMAIL:
TELEPHONE:
id.linkedin.com/in/ropix/
rofiq.fauzi
CONTACT
ID-NETWORKERS | WWW.IDN.ID
49