Fools your enemy with Mikrotik

BY: DIDIET KUSUMADIHARDJA

MIKROTIK USER MEETING (MUM) 2016

JAKARTA, INDONESIA

14 OCTOBER 2016

About Me

Didiet Kusumadihardja

1. IT Security Specialist

PT. Mitra Solusi Telematika

2. Trainer & IT Consultant

Arch Networks

MTCNA, MTCINE, MTCWE, MTCUME, MTCTCE, MTCRE

Didiet Kusumadihardja - didiet@arch.web.id

2

PT. Mitra Solusi Telematika

Didiet Kusumadihardja - didiet@arch.web.id

3

Gedung TMT 2. GF

Jl. Cilandak KKO

Jakarta

Global

IT Security

Incident

Didiet Kusumadihardja - didiet@arch.web.id

4

Global IT Security Incident 2014

Didiet Kusumadihardja - didiet@arch.web.id

5

Entire Network Canceled

Global IT Security Incident 2015

Didiet Kusumadihardja - didiet@arch.web.id

6

3 Tahun di Hack ( 2012 – 2015)

Global IT Security Incident 2016

Didiet Kusumadihardja - didiet@arch.web.id

7

500 Juta Account

3 Miliar Account ???

Source: Tech Times

Indonesia

IT Security

Incident

Didiet Kusumadihardja - didiet@arch.web.id

8

Didiet Kusumadihardja - didiet@arch.web.id

9

Source: Akamai

INDONESIA

IS

SAFE?

Indonesia IT Security Incident 2013

Didiet Kusumadihardja - didiet@arch.web.id

10

polri.go.id

2013

Deface

Motive: Fame?

Indonesia IT Security Incident 2016

Didiet Kusumadihardja - didiet@arch.web.id

11

Teman Ahok

DDoS Attack

Motive: Politics?

Indonesia IT Security Incident 2016

Didiet Kusumadihardja - didiet@arch.web.id

12

Videotron

Kebayoran Baru

Jakarta Selatan

Motive: Curiosity?

Source: Carnegie Mellon UniversityDidiet Kusumadihardja - didiet@arch.web.id

13

IT Security

Trends

Gak Perlu

Pinter Buat

Hacking

Hacking Tools Example

Didiet Kusumadihardja - didiet@arch.web.id

14

Cain & Abel

Kali Linux

Didiet Kusumadihardja - didiet@arch.web.id

15

Source: SCMagazine

Modern Business

Cybercrime as

a Service (CaaS)

How Hackers

do it?

Didiet Kusumadihardja - didiet@arch.web.id

16

Hacking Phase

1.Reconnaissance

2.Scanning

3.Gaining Access

4.Maintaining Access

5.Clearing Tracks

Source: Ethical Hacking by EC-CouncilDidiet Kusumadihardja - didiet@arch.web.id

17

Hacking Phase (Cont’d)

1.Reconnaissance

2.Scanning

3.Gaining Access

4.Maintaining Access

5.Clearing Tracks

Information Gathering

OS Detail Open Port

Version

Device Type

Application Vulnerability

Exploit Vulnerability

Escalate Privilege

Backdoors

Delete/overwrite Event/Logs

Data harvesting

Didiet Kusumadihardja - didiet@arch.web.id

18

Hacking Phase Analogy

1.Reconnaissance

2.Scanning

3.Gaining Access

4.Maintaining Access

5.Clearing TracksDidiet Kusumadihardja - didiet@arch.web.id

19

When we fools them?

1.Reconnaissance

2.Scanning

3.Gaining Access

4.Maintaining Access

5.Clearing TracksDidiet Kusumadihardja - didiet@arch.web.id

20

Why at Scanning Phase?

Didiet Kusumadihardja - didiet@arch.web.id

21

TELNET SSH

Scanning Tools

SoftPerfect Network Scanner

The Dude

Didiet Kusumadihardja - didiet@arch.web.id

22

How to fools

them?

Didiet Kusumadihardja - didiet@arch.web.id

23

Use a bait

Didiet Kusumadihardja - didiet@arch.web.id

24

Honey Pot

HackerBait

Web Server Example

Web Server

HTTP HTTPS

=

Didiet Kusumadihardja - didiet@arch.web.id

25

Confuse your enemy

Didiet Kusumadihardja - didiet@arch.web.id

26

HTTP HTTPS

Server Farm Network Example

192.168.1.2 DNS Server

192.168.1.5 Web Server

192.168.1.10 DB Server

192.168.1.15 Mail Server

SERVER X

Didiet Kusumadihardja - didiet@arch.web.id

27

192.168.1.0/24

Confuse your enemy

192.168.1.1 Fake Server 1

192.168.1.2 DNS Server

192.168.1.3 Fake Server 2

192.168.1.4 Fake Server 3

192.168.1.5 Web Server

192.168.1.6 Fake Server 4

192.168.1.7 Fake Server 5

192.168.1.8 Fake Server 6

192.168.1.9 Fake Server 7

192.168.1.10 DB Server

192.168.1.11 Fake Server 8

192.168.1.12 Fake Server 9

192.168.1.13 Fake Server 10

192.168.1.14 Fake Server 11

192.168.1.15 Mail ServerDidiet Kusumadihardja - didiet@arch.web.id

28

192.168.1.0/24

How we do it

with Mikrotik?

Didiet Kusumadihardja - didiet@arch.web.id

29

NAT

(Network Address Translation)

Didiet Kusumadihardja - didiet@arch.web.id

30

Fake NAT

Didiet Kusumadihardja - didiet@arch.web.id

31

Fake Ports at your Web Server

HTTP & HTTPS to

Legitimate Server

Other Ports to

Fake Server

Didiet Kusumadihardja - didiet@arch.web.id

32

Simple NAT for Web Server

INTERNET

ROUTER WEB SERVER

192.168.2.3

Chain Action

NAT (Port Mapping)

Didiet Kusumadihardja - didiet@arch.web.id

33

Add Additional NAT for Bait

Web Server

192.168.2.3 Fake Server

(Honey Pot)

192.168.2.4

Didiet Kusumadihardja - didiet@arch.web.id

34

Chain Action

Fake Server at your Server Farm Network

Only one legitimate

server

Others are Fake Server

Didiet Kusumadihardja - didiet@arch.web.id

35

Another Example

Web Server

192.168.2.3Fake Server

(Honey Pot)

192.168.2.4

Didiet Kusumadihardja - didiet@arch.web.id

36

Chain Action

Combine with Honey Pot

Didiet Kusumadihardja - didiet@arch.web.id

37

KFSensor

Others HoneyPot: Honeyd, Kippo, Dionaea, Nepenthes

What Hacker See (NMAP)

Before AfterDidiet Kusumadihardja - didiet@arch.web.id

38

Nmap / Zenmap

What Hacker See (SoftPerfect NetScan)

Before After

Didiet Kusumadihardja - didiet@arch.web.id

39

SoftPerfect Network Scanner

I don’t want to use HoneyPot

Didiet Kusumadihardja - didiet@arch.web.id

40

Step 1: Chain

Step 2: Action

What we see, If someone PING

Didiet Kusumadihardja - didiet@arch.web.id

41

SRC-MAC ADDRESS

SRC-IP ADDRESS

What we see, If someone NMAP

Didiet Kusumadihardja - didiet@arch.web.id

42

Mikrotik LOG:

The Dude, Hotspot & Userman

Didiet Kusumadihardja - didiet@arch.web.id

43

IP Address MAC Address User ID Person

Use Case 1

Didiet Kusumadihardja - didiet@arch.web.id

44

Internet Café

(WARNET)

University

Office

Insider Threat

Use Case 2

Didiet Kusumadihardja - didiet@arch.web.id

45

AnalyticsFor Fun

Learn hacking method

from hacker / script kiddies

Research

http://public.honeynet.id

(Low Interaction Honeypot)

(High Interaction Honeypot)

Thank you

.

.

Question?

DIDIET KUSUMADIHARDJA

didiet@arch.web.id

http://didiet.arch.web.id/

https://www.facebook.com/ArchNetID/Didiet Kusumadihardja - didiet@arch.web.id

46