
Fools your enemy with MikroTik


With the security threats emerging today, we should know how to detect and analyze every possible threat to our network.

With a simple configuration we can turn a MikroTik router into a powerful tool for fooling the attacker: ports and hosts that do not really exist are redirected to a honeypot (or simply logged), so a scanner sees a network full of bait.

MikroTik as a Low Interaction Honeypot.

Published in: Internet


  1. Fools your enemy with Mikrotik. By: Didiet Kusumadihardja. MikroTik User Meeting (MUM) 2016, Jakarta, Indonesia, 14 October 2016
  2. About Me. Didiet Kusumadihardja: (1) IT Security Specialist, PT. Mitra Solusi Telematika; (2) Trainer & IT Consultant, Arch Networks. Certifications: MTCNA, MTCINE, MTCWE, MTCUME, MTCTCE, MTCRE. Didiet Kusumadihardja - didiet@arch.web.id
  3. PT. Mitra Solusi Telematika. Gedung TMT 2, GF, Jl. Cilandak KKO, Jakarta
  4. Global IT Security Incidents
  5. Global IT Security Incident 2014: entire network canceled
  6. Global IT Security Incident 2015: hacked for 3 years (2012 – 2015)
  7. Global IT Security Incident 2016: 500 million accounts, 3 billion accounts??? Source: Tech Times
  8. Indonesia IT Security Incidents
  9. Is Indonesia safe? Source: Akamai
  10. Indonesia IT Security Incident 2013: polri.go.id defaced in 2013. Motive: fame?
  11. Indonesia IT Security Incident 2016: Teman Ahok DDoS attack. Motive: politics?
  12. Indonesia IT Security Incident 2016: Videotron, Kebayoran Baru, Jakarta Selatan. Motive: curiosity?
  13. IT Security Trends: you no longer need to be clever to hack. Source: Carnegie Mellon University
  14. Hacking Tools Example: Cain & Abel, Kali Linux
  15. Modern Business: Cybercrime as a Service (CaaS). Source: SC Magazine
  16. How do hackers do it?
  17. Hacking Phases: 1. Reconnaissance, 2. Scanning, 3. Gaining Access, 4. Maintaining Access, 5. Clearing Tracks. Source: Ethical Hacking by EC-Council
  18. Hacking Phases (cont'd). Reconnaissance: information gathering. Scanning: OS details, open ports, versions, device type, application vulnerabilities. Gaining Access: exploit a vulnerability, escalate privileges. Maintaining Access: backdoors. Clearing Tracks: delete/overwrite events and logs, data harvesting.
  19. Hacking Phase Analogy: 1. Reconnaissance, 2. Scanning, 3. Gaining Access, 4. Maintaining Access, 5. Clearing Tracks
  20. When do we fool them? 1. Reconnaissance, 2. Scanning, 3. Gaining Access, 4. Maintaining Access, 5. Clearing Tracks
  21. Why at the Scanning Phase? TELNET, SSH
  22. Scanning Tools: SoftPerfect Network Scanner, The Dude
  23. How do we fool them?
  24. Use a bait: Honey Pot, Hacker, Bait
  25. Web Server Example: Web Server = HTTP, HTTPS
  26. Confuse your enemy: HTTP, HTTPS
  27. Server Farm Network Example (192.168.1.0/24): 192.168.1.2 → DNS Server; 192.168.1.5 → Web Server; 192.168.1.10 → DB Server; 192.168.1.15 → Mail Server; Server X
  28. Confuse your enemy (192.168.1.0/24): 192.168.1.1 → Fake Server 1; 192.168.1.2 → DNS Server; 192.168.1.3 → Fake Server 2; 192.168.1.4 → Fake Server 3; 192.168.1.5 → Web Server; 192.168.1.6 → Fake Server 4; 192.168.1.7 → Fake Server 5; 192.168.1.8 → Fake Server 6; 192.168.1.9 → Fake Server 7; 192.168.1.10 → DB Server; 192.168.1.11 → Fake Server 8; 192.168.1.12 → Fake Server 9; 192.168.1.13 → Fake Server 10; 192.168.1.14 → Fake Server 11; 192.168.1.15 → Mail Server
  29. How do we do it with Mikrotik?
  30. NAT (Network Address Translation)
  31. Fake NAT
  32. Fake Ports at your Web Server: HTTP & HTTPS to the legitimate server, all other ports to the fake server
  33. Simple NAT for a Web Server: Internet → Router → Web Server 192.168.2.3. Chain, Action: NAT (port mapping)
  34. Add an Additional NAT rule for the Bait: Web Server 192.168.2.3, Fake Server (Honey Pot) 192.168.2.4. Chain, Action
  35. Fake Servers in your Server Farm Network: only one legitimate server, the others are fake servers
  36. Another Example: Web Server 192.168.2.3, Fake Server (Honey Pot) 192.168.2.4. Chain, Action
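Slides 32 to 36 show the NAT rules only as screenshots of "chain" and "action". The configuration below is an added example written for this page, not the presenter's own rules, in RouterOS v6 syntax. It assumes (constructed for the example) a WAN interface `ether1` with public address 203.0.113.10, the real web server 192.168.2.3 and the honeypot 192.168.2.4 of slides 33 to 36, and the server-farm subnet 192.168.1.0/24 of slides 27 and 28 reachable only through this router; it covers both the fake-port case (slides 32 to 36) and the fake-host case (slides 28 and 35).

```routeros
# Added example for this page, not the presenter's configuration (RouterOS v6 syntax).
# Constructed assumptions: WAN interface ether1 with public address 203.0.113.10,
# real web server 192.168.2.3 and honeypot 192.168.2.4 (slides 33-36), and the
# server farm 192.168.1.0/24 of slides 27-28 reachable only through this router.
# Both the web server and the honeypot must use this router as default gateway,
# otherwise connection tracking cannot un-NAT their replies.

/ip firewall nat
# Part 1, slides 32-36: only HTTP/HTTPS on the public address reach the real server.
add chain=dstnat in-interface=ether1 dst-address=203.0.113.10 protocol=tcp dst-port=80,443 action=dst-nat to-addresses=192.168.2.3 comment="real web server"
# dst-nat is a terminating action, so the rule below only sees TCP ports the rule
# above did not match: every other port on the public address is answered by the
# honeypot. Caveat: that includes SSH/WinBox/API from the WAN, so manage the
# router from the LAN or a VPN, or add an exception for your admin addresses
# above this rule.
add chain=dstnat in-interface=ether1 dst-address=203.0.113.10 protocol=tcp action=dst-nat to-addresses=192.168.2.4 comment="bait: all other TCP ports to honeypot"
add chain=dstnat in-interface=ether1 dst-address=203.0.113.10 protocol=udp action=dst-nat to-addresses=192.168.2.4 comment="bait: UDP probes (nmap -sU) to honeypot"

# Part 2, slides 28 and 35: every unused address in the farm becomes a decoy.
# List the real servers (and the router's own address in this subnet, if it has
# one); anything else in 192.168.1.0/24 is rewritten to the honeypot. This works
# for scanners on the Internet or on another VLAN (the insider case of slide 44),
# but not for a scanner on the same L2 segment as the servers, because that
# traffic never passes through the router.
/ip firewall address-list
add list=real-servers address=192.168.1.2 comment="DNS server"
add list=real-servers address=192.168.1.5 comment="web server"
add list=real-servers address=192.168.1.10 comment="DB server"
add list=real-servers address=192.168.1.15 comment="mail server"
/ip firewall nat
add chain=dstnat dst-address=192.168.1.0/24 dst-address-list=!real-servers action=dst-nat to-addresses=192.168.2.4 comment="decoy hosts answered by honeypot"

# Checks: rule hit counters, and the translated connections while a scan runs.
/ip firewall nat print stats
/ip firewall connection print where dst-address~"192.168.2.4"
```

With these rules an nmap run from the far side of the router reports the same open ports on every decoy address as on the honeypot, which is the "after" picture of slides 38 and 39. Service detection (`nmap -sV`) then shows the honeypot's banners on those ports, so the honeypot should emulate services that are plausible for the farm (KFSensor, Honeyd, Kippo and Dionaea from slide 37 all let you choose which services to present).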
  37. Combine with a Honey Pot: KFSensor. Other honeypots: Honeyd, Kippo, Dionaea, Nepenthes
  38. What the Hacker Sees (Nmap / Zenmap): before, after
  39. What the Hacker Sees (SoftPerfect Network Scanner): before, after
  40. I don't want to use a HoneyPot. Step 1: Chain; Step 2: Action
  41. What we see if someone PINGs: SRC-MAC address, SRC-IP address
  42. What we see if someone runs NMAP: Mikrotik log
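Slides 40 to 42 drop the honeypot and let the router's own firewall do the work: probes aimed at the decoy addresses are logged (with the source MAC and IP that slide 41 shows) and then discarded. The rules below are an added example for this page, not the presenter's; they assume the same constructed server farm 192.168.1.0/24 with real servers .2, .5, .10 and .15 behind the router, and the log prefixes `BAIT-PING` / `BAIT-SCAN`, the address list `scanners` and the syslog host 192.168.2.10 are invented for the example.

```routeros
# Added example for this page, not the presenter's configuration (RouterOS v6 syntax).
# Constructed assumptions: server farm 192.168.1.0/24 behind the router with real
# servers .2, .5, .10 and .15 (slides 27-28); log prefixes, list names and the
# syslog host 192.168.2.10 are invented here.

/ip firewall address-list
add list=real-servers address=192.168.1.2 comment="DNS server"
add list=real-servers address=192.168.1.5 comment="web server"
add list=real-servers address=192.168.1.10 comment="DB server"
add list=real-servers address=192.168.1.15 comment="mail server"

/ip firewall filter
# Step 1, chain: the decoy addresses are routed through the router, so probes show
# up in chain=forward (use chain=input for a decoy port on the router itself).
# Step 2, action: log, remember the source, then drop.

# A ping to a decoy (slide 41). The firewall log line records in-interface,
# src-mac and src-ip, which is what slide 43 later maps to a user via The Dude,
# Hotspot and User Manager.
add chain=forward dst-address=192.168.1.0/24 dst-address-list=!real-servers protocol=icmp icmp-options=8:0 limit=5/1s,10:packet action=log log-prefix="BAIT-PING" comment="echo request to a decoy"

# A TCP SYN to a decoy (slide 42). One nmap run hits every decoy on hundreds of
# ports, so the log rule is rate-limited; every probe still tags the source for 24h.
add chain=forward dst-address=192.168.1.0/24 dst-address-list=!real-servers protocol=tcp tcp-flags=syn,!ack limit=5/1s,10:packet action=log log-prefix="BAIT-SCAN" comment="port scan of a decoy"
add chain=forward dst-address=192.168.1.0/24 dst-address-list=!real-servers protocol=tcp tcp-flags=syn,!ack action=add-src-to-address-list address-list=scanners address-list-timeout=1d comment="tag the scanner"

# log and add-src-to-address-list do not terminate, so the probe falls through to
# this drop: no RST and no ICMP unreachable, the decoy simply looks filtered.
add chain=forward dst-address=192.168.1.0/24 dst-address-list=!real-servers action=drop comment="nothing real lives here"

# A source tagged on the decoys is also cut off from the real servers, while its
# later probes of the decoys are still logged by the rules above.
add chain=forward src-address-list=scanners dst-address-list=real-servers action=drop comment="tagged scanner: block real servers too"

# Ship the firewall log off-box, so an intruder who later reaches the router
# cannot clear the evidence (phase 5, clearing tracks).
/system logging action
add name=remote-syslog target=remote remote=192.168.2.10 remote-port=514
/system logging
add topics=firewall action=remote-syslog

# Checks
/log print where message~"BAIT"
/ip firewall address-list print where list=scanners
```

Because the decoys are dropped rather than answered, nmap reports their ports as filtered, not open; replacing the final drop with `action=reject reject-with=tcp-reset` makes them look closed instead. Only the NAT-to-honeypot variant produces the "open" ports of slide 38, which is the trade-off slide 40 accepts in exchange for needing no extra host.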
  43. The Dude, Hotspot & Userman: IP Address → MAC Address → User ID → Person
  44. Use Case 1: Internet Café (WARNET), University, Office. Insider threat
  45. Use Case 2: Analytics, for fun, learning hacking methods from hackers / script kiddies, research. http://public.honeynet.id (Low Interaction Honeypot) (High Interaction Honeypot)
  46. Thank you. Questions? Didiet Kusumadihardja, didiet@arch.web.id, http://didiet.arch.web.id/, https://www.facebook.com/ArchNetID/
