Dokumen ini membahas tentang teknik-teknik untuk mendapatkan akses ke sistem target setelah melakukan footprinting dan scanning. Beberapa teknik yang disebutkan antara lain cracking password, social engineering, dan mengeksekusi aplikasi untuk mendapatkan akses ke sistem target. Dokumen ini juga membahas berbagai cara untuk memperkuat keamanan password agar sulit diretas.
Experts Live 2022 - Attack Surface Reduction rules...your best ally against r...PimJacobs3
“Your files have been encrypted! To decrypt the files, follow the following instructions…” Behind this dreaded message is much more than the cybercriminal sending it. The deployment of ransomware is often the most visible (and painful) step in a much larger process, in which many criminal actors and activities together form a complex whole. It often drives organizations to desperation. Each stage of the ransomware kill chain offers opportunities to intervene, both offensive as well as defensive. In this session we’ll focus on the defensive side and learn about reducing attack surfaces by detecting and preventing kill-chain attacks at an early stage with the use of Attack Surface Reduction rules.
After this session you’re on par with the latest updates on ASR rules, guidance on how to use them effectively (we don’t accept audit mode) and to gain insights with the help of advanced hunting. This is a must visit session for IT pro’s who wants to break the ransomware kill chain!
USER AUTHENTICATION
MEANS OF USER AUTHENTICATION
PASSWORD AUTHENTICATION
PASSWORD VULNERABILITIES
USE OF HASHED PASSWORDS – IN UNIX
PASSWORD CRACKING TECHNIQUES
USING BETTER PASSWORDS
TOKEN AUTHENTICATION
BIO-METRIC AUTHENTICATION
Introduction of Ethical Hacking, Life cycle of Hacking, Introduction of Penetration testing, Steps in Penetration Testing, Foot printing Module, Scanning Module, Live Demos on Finding Vulnerabilities a) Bypass Authentication b) Sql Injection c) Cross site Scripting d) File upload Vulnerability (Web Server Hacking) Countermeasures of Securing Web applications
Experts Live 2022 - Attack Surface Reduction rules...your best ally against r...PimJacobs3
“Your files have been encrypted! To decrypt the files, follow the following instructions…” Behind this dreaded message is much more than the cybercriminal sending it. The deployment of ransomware is often the most visible (and painful) step in a much larger process, in which many criminal actors and activities together form a complex whole. It often drives organizations to desperation. Each stage of the ransomware kill chain offers opportunities to intervene, both offensive as well as defensive. In this session we’ll focus on the defensive side and learn about reducing attack surfaces by detecting and preventing kill-chain attacks at an early stage with the use of Attack Surface Reduction rules.
After this session you’re on par with the latest updates on ASR rules, guidance on how to use them effectively (we don’t accept audit mode) and to gain insights with the help of advanced hunting. This is a must visit session for IT pro’s who wants to break the ransomware kill chain!
USER AUTHENTICATION
MEANS OF USER AUTHENTICATION
PASSWORD AUTHENTICATION
PASSWORD VULNERABILITIES
USE OF HASHED PASSWORDS – IN UNIX
PASSWORD CRACKING TECHNIQUES
USING BETTER PASSWORDS
TOKEN AUTHENTICATION
BIO-METRIC AUTHENTICATION
Introduction of Ethical Hacking, Life cycle of Hacking, Introduction of Penetration testing, Steps in Penetration Testing, Foot printing Module, Scanning Module, Live Demos on Finding Vulnerabilities a) Bypass Authentication b) Sql Injection c) Cross site Scripting d) File upload Vulnerability (Web Server Hacking) Countermeasures of Securing Web applications
Nota Subjek Sains Komputer Tingkatan 5 lengkap - SUBJEK MPEIMadrasah Idrisiah
Nota ini merupakan hasil perkongsian guru Sains Komputer kebangsaan. Ia merupakan sebuah rujukan grafik dan ringkasan bagi buku teks subjek sains komputer subjek MPEI dan STEM
UNTUK DOSEN Materi Sosialisasi Pengelolaan Kinerja Akademik DosenAdrianAgoes9
sosialisasi untuk dosen dalam mengisi dan memadankan sister akunnya, sehingga bisa memutakhirkan data di dalam sister tersebut. ini adalah untuk kepentingan jabatan akademik dan jabatan fungsional dosen. penting untuk karir dan jabatan dosen juga untuk kepentingan akademik perguruan tinggi terkait.
3. 3
3
Informasi yang telah dikumpulkan sampai tahapan ini
• Alamat IP
• Sistem Operasi
• Hardware, Software
• Port dan service
• Username
• Alamat Email
D3 Teknologi Komputer - Telkom University
Footprinting & Scanning
9. 9
Menebak password dari informasi yang diketahui tentang user
• Tanggal lahir
• Acara TV favorit
• Nomer telefon
9
Menebak Password
10. 10
• Penyerang mengaku sebagai teknisi perlu melakukan
konfigurasi/update pada aplikasi yang digunakan di perusahaan
tersebut.
• Karena harus melakukan update di jaringan, kemudian meminta
user untuk memberitahu password yang digunakan untuk login di
komputer
10
Social Engineering
11. 11
• Keylogger : aplikasi untuk mencatat aktifitas keyboard
• Eh nebeng ngeprint dong à pasang keylogger
• Kirim email, ini foto gw liburan à fotonya sudah ditempel
keylogger
• Keylogger mencuri password
11
Social Engineering + Keylogger
16. 16
• Dictionary Attack dilakukan dengan cara membandingkan password
dengan suatu dictionary
• Dictionary = Kamus à wordlist
• Daftar kata atau kemungkinan password
• Dijalankan menggunakan aplikasi password cracking
16
Dictionary Attack
20. 20
• =Dictionary
• =Bikin sendiri wordlist
• File text
• Isi dengan daftar kemungkinan password dari korban
• Informasi berasal dari proses footprinting
20
Wordlist
21. 21
Wordlist
• Googling: password wordlist
• https://github.com/danielmiessler/SecLists/tree/master/Password
s
• https://github.com/danielmiessler/SecLists/blob/master/Password
s/Common-Credentials/10-million-password-list-top-1000000.txt
• Kali Linux default wordlist
21
25. 25
Keamanan Jaringan
19. Brute Force
Setia Juli Irzal Ismail
D3 Teknologi Komputer – Fakultas Ilmu Terapan
Telkom University.
26. 26
• Brute Force Attack dilakukan dengan cara mencoba semua
kombinasi karakter yang mungkin
• Misal untuk 3 karakter
26
Brute Force Attack
aaa
aab
aac
aad
.....
ZZZ
Login :
Password:
29. 29
• abcdefg - 7 karakter - 0,29 detik
• abcdefgh - 8 karakter - 5 jam
• abcdefghi - 9 karakter - 5 hari
• abcdefghij - 10 karakter - 4 bulan
• abcdefghijk - 11 karakter - 10 tahun
29
Estimasi waktu yang dibutuhkan
30. 30
Keamanan Jaringan
20. Teknik Cracking Lainnya
Setia Juli Irzal Ismail
D3 Teknologi Komputer – Fakultas Ilmu Terapan
Telkom University.
31. 31
Hash Cracking
• Password disimpan dalam bentuk Hash
• Hash : teknik kriptografi
• MD5, SHA1, SHA 256 dll
• Penyerang mencari file hash password
• Mencari database password hash – rainbow table
• Tools: Winrtgen
31
Teknik Cracking Password Lainnya
32. 32
• Menangkap password di trafik jaringan
• Penyadapan
• Tools: Cain & Abel
• Pertemuan berikutnya
32
Sniffing
33. 33
• Perangkat jaringan dikonfigurasi dengan default password
• Diset dari Pabriknya
• Harusnya diganti
• Tools:
• Cirt.net
33
Default Password
35. 35
• Man-in-the-middle attack
• SSL Strip, Burp Suite, BEEF (Browser Exploitation Tools)
• Hash Injection
• Masuk dulu ke sistem
• Mencuri Hash Password;
• Session Hijacking
• Cookies pada jaringan
• USB Drive à Passview
35
Teknik Lainnya
37. 37
• Dictionary attack
• Brute-Force Attack
• Teknik Lainnya
• Ternyata ada banyak sekali cari untuk meretas password
• Bagaimana untuk mengamankan password?
37
Cracking Password
39. 39
• Makin Panjang makin bagus: minimum 12 karakter
• Kombinasi Karakter:
• huruf kecil, huruf besar, angka, simbol
• Kombinasi beberapa kata atau kalimat
• Tools random password generator
39
Tips
40. 40
• Ganti Password anda secara rutin
• Jangan gunakan password yang sama pada setiap layanan yang
berbeda
• Jangan simpan password di browser / aplikasi
40
Tips Password
42. 42
Buku Bacaan Wajib (BW)
Engebretson, P. (2011). The Basic of Hacking and Penetration Testing:
Ethical Hacking and Penetration Testing Made Easy. Syngress.
Stallings, W. (2010). Network Security Essentials:Applications and
Standards 4th Edition. Prentice Hall.
Buku Bacaan Anjuran (BA)
Harris, S. (2010). CISSP All in One Exam Guide, 5th Edition. McGraw Hill.
Walker, M. (2010). CEH Certified Ethical Hacker All-in-One. McGraw Hill.
42
Referensi