just text it: keamanan

Showing posts with label keamanan. Show all posts

Wednesday, November 9, 2011

Security Evaluation

Evaluation of Information Systems SecurityTask Information System Security
Coursestudents STMIK ELRAHMA
(Dian Didik Purwanto)

Although an information system has been designed to have a security device, the operation of security issues should always be monitored. This is caused by several things, among others:A. Source of Security HolesSecurity holes (security holes) may occur due to several things: one design (design flaw), one of the implementation, configuration wrong, and wrong usage.

1. One Design.Security holes caused by incorrect design generally rare. But if it happens very difficult to repair. For example:
a. Design sequence number (sequence numbering) of the TCP / IP packets can be exploited causing a problem known as "IP spoofing", ie a host falsifying themselves as if into another host by creating fake packets after observing a sequence of packets from hosts who want to be attacked .
b. ROT13 encryption algorithm in which the character is shifted only 13 letters, although very carefully programmed, anyone who knows the algorithm can easily break the encryption.Solution:To address security holes because of design, required accurate flow planning / design of the system to be created.

2. Implementation errors.Security holes caused by implementation errors often occur because the program is implemented in a hurry so that less careful in coding. As a result, checks or testing to be done be done. Examples of implementation errors:
a. Often the limit ("bound") from an "array" is not checked, so there is called out of bound which can be exploited (eg overwrite to the next variable).
b. Programmers forget to filter anehaneh characters are included as inputs of a program so the program can access files or information that should not be accessed.Solution:
To overcome the mistakes of implementation, a programmer must learn from the mistakes of existing errors, programmers should be careful and always put the safety factor, do not forget programmers must update the information continuously to find bugs bugs in the application used.

3. Configuration errors.Although the program has been implemented properly, can still occur due to incorrect configuration of security holes.
Examples of problems caused by incorrect configuration is
a. Files that should not be changed by the user could inadvertently be "writable". If the file is an important file, such as files that are used to store the password, then the effect becomes a security hole.
b. Sometimes a computer / server configurations sold with very weak.
c. Sometimes workstations distributed with the file / etc / aliases (useful for direct e-mail), / etc / utmp (useful to record anyone's use of the system) that can be changed by anyone.d. The existence of programs that inadvertently set to "setuid root" so that users have access when run as super user (root) who can do anything.Solution:To solve the configuration error, then a system requires a policy / standard policy (SOP) Standard Operating Procedure governing the centralized network configuration, setting user permissions, setting what programs are allowed to install and use, based on the user level.4. One use of the programErrors in using the program can also result in security holes. Error using programs that run using the root account (super user) can be fatal. It often happens horror stories from the system administrator who was careless in running a new command "rm-rf" (which delete files or directories and sub directories in it). As a result, all files in the system is lost.Solution:a. Required knowledge in running a program, be careful in running the program, especially if done using the administrator account as the root.b. Perform system backups and data regularly and thoroughly.B. System security testersDue to the many things that must be monitored, the administrator of the information system requires "automated tools", the device auto attendants, which can help test or evaluate the safety of the system being managed. Here is a sample program based on the security testers Operating System used:1. COPSCOPS was written by Dan Farmer. COPS analyzes the system to search for common configuration issues, and state conditions that still exist on UNIX systems, including:a. file, directory and device permissions that are invalid or errorneous.b. weak passwords.c. poor security on the password and group files.d. bits SUID / SGID inappropriate on those files.e. suspicious changes in the checksum file.2. TripwireTripwire is a file or application programs can check and compare with the previous database. This application works by creating an information database of all the system files and store them in a file. Every time Tripwire is run to check file system examination results will be compared with the database ever created.Tripwire application installed on a partition that is protected and has a Read Only Media policy.Components of the Tripwire configuration file consists of1) Configuration File2) File Policy3) File Database4) File Report3. SATAN and SAINTSATAN (Security Administrator's Tool for Analyzing Networks created by Dan Farmer and Venema Wetse th 1995. Satan is a program to detect common network vulnerabilities with a web browser interface.SATAN was designed to help system administrators to automate the process of testing their systems for known vulnerabilities that can be exploited over a network. This is especially useful for network system with multiple hosts. Such as network software, this tool can function properly, but can also be misused, for example, useful to prospective intruders look for systems with security holes.

As the successor of SATAN, the 1998 World Wide Digital Security developed the SAINT (Security Administrator's Integrated Network Tool) as a free and updated version of SATAN.Saint works by scanning each TCP and UDP services. At every service that runs Saint will perform probes designed to detect each passing package that allows an attacker gains unauthorized access, and make the denial.SAINT Scan Step Four:1) Saint scanning every living system on the network for TCP and UDP services.2) For each service that is found running, launched a set of probes designed to detect anything that could allow an attacker to gain unauthorized access, create a denial-of-service, or obtain sensitive information about the network.3) Check Scanner for possible weaknesses of the system.4) When a weakness is detected, the results are categorized in several ways, allowing customers to target the data they find most useful.In addition to these programs, there are many programs created by hackers to conduct "trial and error". Programs like these, who are quick bermunculuan, usually can be obtained (downloaded) from the Internet through the places associated with security, such as "rootshell". (See "Sources of information and organizations related to information system security" on page 54.) Cobacoba Examples of programs include:· Crack: a program to guess or crack passwords using a dictionary (dictionary).· Land: a program that can make the system Windows 95 / NT become stuck (hang, lock up). This program sends a packet that has been "spoofed" so as if the package is coming from the same machine by using an open port (eg port 113 or 139).· Ping-o-death: a program (ping) which can either crash the Windows 95/NT and some versions of Unix.· Winuke: a program to tie up a Windows-based systemsRecommended to install the Program Administrator Security Examiners in accordance with the design of network systems and their role.C. Probing ServicesProbing the service is an action to determine what services are available in a server. Services performed by a server using TCP or UDP protocol specific. Each service is run by using a different port, for example:• SMTP, to send and receive e-mails, using protocol TCP, port 25• POP3 to retrieve e-mail, using the TCP protocol, port 110• HTTP webserver for the service using TCP port 80• TELNET for remote access using TCP port 23On UNIX systems, see the file / etc / services and / etc / inetd.conf to see what services are executed by the server or the computer in question. There are also services that run through the inetd.conf but does not run as a daemon that runs behind the scenes.Selection of any service depends on the needs and the desired security level. Unfortunately often the system is purchased or assembled to run several major services as a "default". Sometimes some of the services to be shut down because there is a possibility can be exploited by crackers. For that there are some programs that can be used to perform a "probe" (feeling) what services are available. This program can also be used by criminals to see what services are available in the system to be attacked and based on data obtained can launch an attack:1. Manual probeTo check a service is active or not on a server, can do the manual steps in the following way:a. For example to see if there is an e-mail service using the SMTP used telnet to port 25.unix% telnet target.host.com 25Trying 127.0.0.1 ...Connected to target.host.com.Escape character is'^]'.The new 220-dma ESMTP Sendmail 8.9.0/8.8.5; Mon, June 22, 199810:18:54 +0700b. For other services, such as POP or POP3 can be done in the same manner by using a number of "ports" in accordance with the service were observed.unix% telnet localhost 110Trying 127.0.0.1 ...Connected to localhost. Escape character is'^]'.+ OK QPOP (version 2.2) at dma-baru.paume.itb.ac.id starting.+ <20651.898485542 @ dma-baru.paume.itb.ac.id>quit+ OK Pop server at dma-baru.paume.itb.ac.id signing off.Connection closed by foreign host.2. Automatic ProbeProbe process can be done automatically with the help of an application program, with our application does not need to do an entry port manually. Here is an example of probe application for:a. UNIX systems§ nmap# Nmap 172.16.100.100Starting Nmap 4:11 (http://www.insecure.org/nmap/) at 2011-11-07 23:48 CDTInteresting ports on 172.16.100.100:Not shown: 1675 closed portsPORT STATE SERVICE22/tcp open ssh53/tcp open domain111/tcp open rpcbind732/tcp open unknown3128/tcp open squid-httpNmap finished: 1 IP address (1 host up) scanned in 0346 seconds#b. Probe for Windows 95/98/NT system§ SuperscanIs an application designed to conduct probes on the network / server is the destination3. Detecting probeTo detect whether the presence or absence of a probe activity on the system, system administrators can install programs to the system being managed. Probing usually leave traces in the system log files. By examining the entries in the log file, can be known whether there is activity probes.root # tail / var / log / syslogMay 16 15:40:42 epson tcplogd: "Syn probe"notebook [192.168.1.4]: [8422] -> epson [192.168.1.2]: [635]May 16 15:40:42 epson tcplogd: "Syn probe"notebook [192.168.1.4]: [8423] -> epson [192.168.1.2]: ssl-ldapMay 16 15:40:42 epson tcplogd: "Syn probe"notebook [192.168.1.4]: [8426] -> epson [192.168.1.2]: [637]May 16 15:40:42 epson tcplogd: "Syn probe"notebook [192.168.1.4]: [8429] -> epson [192.168.1.2]: [638]May 16 15:40:43 epson tcplogd: "Syn probe"notebook [192.168.1.4]: [8430] -> epson [192.168.1.2]: [639]May 16 15:40:43 epson tcplogd: "Syn probe"notebook [192.168.1.4]: [8437] -> epson [192.168.1.2]: [640]May 16 15:40:43 epson tcplogd: "Syn probe"notebook [192.168.1.4]: [8441] -> epson [192.168.1.2]: [641]May 16 15:40:43 epson tcplogd: "Syn probe"notebook [192.168.1.4]: [8445] -> epson [192.168.1.2]: [642]May 16 15:40:43 epson tcplogd: "Syn probe"notebook [192.168.1.4]: [8454] -> epson [192.168.1.2]: [643]4. OS FingerprintingKnowing the operating system (OS) from the target to be attacked is one of the work performed by a cracker. After knowing the OS to go, he can see the target database system weaknesses. Fingerprinting is a term commonly used to analyze the target system OS. Fingerprinting can be done in various ways.The most conventional way is to telnet to the server in question. If the server happens to provide the telnet service, there is often a banner that shows the name of the OS and its version.unix% telnet 192.168.1.4Trying 192.168.1.4 ...Connected to 192.168.1.4.Escape character is'^]'.Linux 2.0.33 (rock.pau-mikro.org) (ttyp0)login:If the system does not provide services but telnet will provide FTP service, then the information is often available. FTP service is available on port 21. By doing a telnet to that port and give the command "syst" you can find out what version of OS used as the example below.unix% telnet ftp.netscape.com 21Trying 207.200.74.26 ...Connected to ftp.netscape.com.Escape character is'^]'.Ftp29 220 FTP server (UNIX (r) System V Release 4.0) ready.Syst215 UNIX Type: L8 Version: SunOSIf the server does not have an FTP server running the Web server will however, still no way to tell the OS that is used by using the program netcat (nc) like the example below (which looks the OS in use is Debian GNU):$ Echo-e "GET / HTTP/1.0 \ n \ n" | nc localhost 80 | \grep "^ Server:"Server: Apache/1.3.3 (Unix) Debian / GNUA more sophisticated way of fingerprinting is to analyze the system response to the request (request) specific. For example, by analyzing the packet sequence number of TCP / IP is issued by the server can be narrowed space type of OS used.There are several tools to perform OS detection, among others:• nmapHere is an example of using the program nmap to detect the OS of the system using the IP number 192.168.1.1.# Nmap-O 192.168.1.1Starting Nmap 4:11 (http://www.insecure.org/nmap/) at 2011-11-08 22:57 CDTInteresting ports on 192.168.1.1:Not shown: 1675 closed portsPORT STATE SERVICE22/tcp open ssh53/tcp open domain111/tcp open rpcbind732/tcp open unknown3128/tcp open squid-httpDevice type: general purposeRunning: Linux 2.4.x | 2.5.X | 2.6.xOS details: Linux 2.4.7 - 2.6.11Uptime of 7296 days (since Wed Nov 1 15:51:41 2011)Nmap finished: 1 IP address (1 host up) scanned in 2302 seconds#• QuesoHere is an example of using Queso program to detect the OS of the system using the IP number 192.168.1.1. Incidentally this system is a Windows 95 system.Queso unix # 192.168.1.1* Not Listen 192.168.1.1:80, windoze 95/98/NTD. Use of the program attackerOne way to find out the weaknesses of the information system is to attack yourself with the program packages attacker (attack) which can be obtained on the Internet.1. Striker program.By using this program can be known whether the system is vulnerable and can be exploited by others. Keep in mind that these programs do not use it to attack other systems (systems that you do not manage). It is unethical and can be dragged to court.Examples of programs attackera. Ping of DeathPing (sometimes referred to as the acronym for Packet Internet Gopher) is a utility program that can be used to check Induktivitas network of technology-based Transmission Control Protocol / Internet Protocol (TCP / IP).By using this utility, can be tested whether a computer is connected to other computers. This is done by sending a packet to an IP address that was about to be tested connectivity and wait for a response from him.PING example:C: \> ping www.google.comPinging www.l.google.com [64,233,183,103] with 32 bytes of data:Reply from 64,233,183,103: bytes = 32 time = 25ms TTL = 245Reply from 64,233,183,103: bytes = 32 time = 22ms TTL = 245Reply from 64,233,183,103: bytes = 32 time = 25ms TTL = 246Reply from 64,233,183,103: bytes = 32 time = 22ms TTL = 246Ping statistics for 64,233,183,103:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),Approximate round trip times in milli-seconds:

Minimum = 22ms, Maximum = 25ms, Average = 23msPing of Death is one form of attack "ping attack". On the internet, this form of attack is a form of DoS attack (denial of service attack) caused by an attacker who deliberately sending an IP packet whose size is greater than that allowed by the IP protocol that is 65,536 bytes. One feature of the TCP / IP is fragmentation, which allows a single IP packet is broken down into smaller sections. In 1996, the attackers began to take advantage of this feature, that is when they discovered that a package that is broken down into small parts can be increased to greater than that permitted is 65,536 bytes. Many operating systems do not know what to do when receiving packets with excessive size, so that eventually the operating system stops working, crashed, or rebooted.Ping of death attack is very unpleasant because of the signs or the identity of the attacker sending packets with excessive size can be easily disguised, and because the attacker does not need to know anything about the machine they are going to attack unless the IP Addressnya. At the end of 1997, operating system vendors have made a patch which allows to avoid this attack.b. land, latierra, winnuke, JOLT & variationsc. mail server attack: MS Exchange, Netscaped. mail bombinge. mail attachment attack: rockme.cf. Distributed DoS attack: trinoo, TFN2. Program Data bugs (Snifing)In addition to programs that are aggressive attackers cripple a target system, there are also programs that are doing attacker theft or interception of data. For tapping the data, usually known as "sniffer". Although data is not physically stolen (in the sense of being lost), sniffer is very dangerous because it can be used for intercepting passwords and sensitive information. This is an attack on privacy aspects.Examples of program bugs (sniffer), among others:a. pcapture (Unix)b. Sniffit (Unix)c. tcpdump (Unix)d. WebXRay (Windows)E. The use of network monitoring systemsNetwork monitoring systems can be used to determine the existence keamaman hole. For example, a server should only be accessible from within the internal network, but from the monitoring network can be seen that there are trying to access from outside the network. In addition to the monitoring network can also be seen in efforts to cripple the system by means of Denial of Dervice attack (DoS).1. Network Monitoring Applications using the SNMP protocol (Simple Network Management Protocol)Examples of programs network monitoring / management include:a. Etherboy (Windows), Etherman (Unix)Etherboy features are:1) Shows the traffic on the network2) Identify all the devices on the LAN, including the potential threat3) focuses on the appearance of a particular protocol4) Generate a report in the form of text, html, and rtf5) menampilakan realtime traffic statistics and classification based onb. Packetboy (Windows), Packetman (Unix)Program of amsoft.com which works by scanning passing packets in a network, the program can decode TCP / IP, IPX (Novell Netware), Appletalk, Banyan, DECnet.c. SNMP Collector (Windows)SNMP Collector program will collect data via the SNMP agent or proxy SNMP. SNMP Collector to help collect data on system performance of the system being tested.d. Webboy (Windows)Webboy is an application monitoring internet / intranet. Webboy collect standard web access statistics including urls accessed, cache hit ratios, Internet protocols are used and the protocol created by users. To help administrators, Webboy can also be used as a mechanism to monitor alarms when unusual network activity.2. Examples of programs that do not pemanatu network using SNMP, among others:a. iplog, icmplog, updlog, which is part of the package iplog to monitor TCP, UDP, and ICMP, easy to adding support for other protocols.b. iptraf, already included in the Debian Linux packageiptraf is a network utility for linux console-based statistics. Iptraf collect and count the bytes of the TCP packet, and packet byte count and the number of stations in the LAN.# Iptrafc. netdiag, NetWatchNetdiag is the software used to analyze network traffic and configuration of the remote host. This application is very useful to help analyze the systems used are not suspected of carrying out normal activities. Netdiag consists of a collection of software tcpblast, netload, trafshow, NetWatch, strobe, statnet, and tcpspray.d. ntop, a network monitoring applications such as the top program that monitors the Unix disisteme. trafshow, is an ncurses-based utility that shows in detail the network traffic. This application shows the source address, source port, destination address, destination port, IP proto, byte counter and CPSConclusion:After evaluation of the managed system, then system administrators can know which parts of the system which has a vulnerability, so that System Administrators can increase securityBibliography1. Information System Security ... - Budi.insan.co.id - PT Insan Infonesihttp:// www.budi.insan.co.id / books / handbook.pdf2. http://budi.insan.co.id/courses/el695/secure-eval-2000.pdf3. http://www.tripwire.org4. http://en.wikipedia.org/wiki/SAINT_ 28software% 29%5. http://en.wikipedia.org/wiki/Security_Administrator_Tool_for_Analyzing_Networks6. http://www.amtsoft.com/netboy7. http://openstorage.gunadarma.ac.id/research/Modul/PacketBoy.pdf8. http://ojnk.sourceforge.net/stuff/iplog.readme9. http://iptraf.seul.org/about.html10. http://packages.debian.org/lenny/netdiag11. http://linux.maruhn.com/sec/trafshow.htmlThis paper can be downloaded athttp://www.ziddu.com/download/17236075/makalahevaluasikeamanansisteminformasi.pdf.html

Makalah Evaluasi Keamanan Sistem

Evaluasi Keamanan Sistem Informasi

Tugas Mata Kuliah Keamanan Sistem Informasi

mahasiswa STMIK ELRAHMA ( Dian Didik Purwanto )

Meski sebuah sistem informasi sudah dirancang memiliki perangkat pengamanan, dalam operasi masalah keamanan harus selalu dimonitor. Hal ini disebabkan oleh beberapa hal, antara lain:
A.Sumber Lubang Keamanan

Lubang keamanan (security hole) dapat terjadi karena beberapa hal; salah disain (design flaw), salah implementasi, salah konfigurasi, dan salah penggunaan.

1. Salah Desain.

Lubang keamanan yang ditimbulkan oleh salah desain umumnya jarang terjadi. Akan tetapi apabila terjadi sangat sulit untuk diperbaiki. Misalnya:

a. Desain urutan nomor (sequence numbering) dari paket TCP/IP dapat dieksploitasi sehingga timbul masalah yang dikenal dengan nama “IP spoofing”, yaitu sebuah host memalsukan diri seolah-olah menjadi host lain dengan membuat paket palsu setelah mengamati urutan paket dari host yang hendak diserang.

b. Algoritma enkripsi ROT13 dimana karakter hanya digeser 13 huruf, meskipun diprogram dengan sangat teliti, siapapun yang mengetahui algoritmanya dapat dengan mudah memecahkan enkripsi tersebut.

Cara mengatasi:

Untuk mengatasi lubang keamanan karena salah desain, diperlukan perencanaan akurat tentang alur / desain sistem yang akan dibuat.

2. Kesalahan implementasi.

Lubang keamanan yang disebabkan oleh kesalahan implementasi sering terjadi karena program diimplementasikan secara terburu-buru sehingga kurang cermat dalam pengkodean. Akibatnya cek atau testing yang harus dilakukan menjadi tidak dilakukan. Contoh kesalahan implementasi :

a. Seringkali batas (“bound”) dari sebuah “array” tidak dicek sehingga terjadi yang disebut out of bound yang dapat dieksploitasi (misalnya overwrite ke variable berikutnya).

b. Programer lupa untuk memfilter karakter-karakter yang anehaneh yang dimasukkan sebagai input dari sebuah program sehingga sang program dapat mengakses berkas atau informasi yang semestinya tidak boleh diakses.

Cara mengatasi :

Untuk mengatasi kesalahan implementasi, seorang programer harus belajar dari kesalahan kesalahan yang sudah ada, programer harus cermat dan selalu mengutamakan faktor keamanan, tidak lupa programer juga harus mengupdate informasi secara terus menerus untuk mengetahui bugs bugs pada aplikasi yang digunakan.

3. Kesalahan konfigurasi.

Meskipun program sudah diimplementasikan dengan baik, masih dapat terjadi lubang keamanan karena salah konfigurasi. Contoh masalah yang disebabkan oleh salah konfigurasi adalah

a. Berkas yang semestinya tidak dapat diubah oleh pemakai secara tidak sengaja menjadi “writeable”. Apabila berkas tersebut merupakan berkas yang penting, seperti berkas yang digunakan untuk menyimpan password, maka efeknya menjadi lubang keamanan.

b. Kadangkala sebuah computer/server dijual dengan konfigurasi yang sangat lemah.

c. Kadangkala workstation didistribusikan dengan berkas /etc/aliases (berguna untuk mengarahkan e-mail), /etc/utmp (berguna untuk mencatat siapa saja yang sedang menggunakan sistem) yang dapat diubah oleh siapa saja.

d. Adanya program yang secara tidak sengaja diset menjadi “setuid root” sehingga ketika dijalankan pemakai memiliki akses seperti super user (root) yang dapat melakukan apa saja.

Cara mengatasi :

Untuk mengatasi kesalahan konfigurasi, maka suatu sistem memerlukan kebijakan/policy standar ( SOP ) Standar Operating Procedur yang mengatur tentang konfigurasi jaringan secara tersentral, pengaturan hak akses user, pengaturan program apa saja yang boleh diinstall dan digunakan berdasar pada tingkatan user.

4. Salah penggunaan program

Kesalahan dalam menggunakan program dapat juga mengakibatkan terjadinya lubang keamanan. Kesalahan menggunakan program yang dijalankan dengan menggunakan account root (super user) dapat berakibat fatal. Sering terjadi cerita horor dari sistem administrator baru yang teledor dalam menjalankan perintah “rm -rf” (yang menghapus berkas atau direktori beserta sub direktori di dalamnya). Akibatnya seluruh berkas di sistem menjadi hilang.

Cara mengatasi :

a. Diperlukan pengetahuan dalam menjalankan suatu program, berhati-hati dalam menjalan program, terutama apabila dilakukan dengan menggunakan account administrator seperti root tersebut.

b. Melakukan backup sistem dan data secara berkala dan menyeluruh.

B. Penguji keamanan sistem

Dikarenakan banyaknya hal yang harus dimonitor, administrator dari sistem informasi membutuhkan “automated tools”, perangkat pembantu otomatis, yang dapat membantu menguji atau mengevaluasi keamanan sistem yang dikelola. Berikut adalah contoh program penguji keamanan berdasarkan Sistem Operasi yang digunakan:

1. COPS

COPS ditulis oleh Dan Farmer. COPS menganalisis sistem untuk mencari permasalahan konfigurasi umum, dan kondisi kondisi yang masih ada pada sistem UNIX, termasuk :

a. file, direktori dan permisi device yang tidak valid atau errorneous.

b. password yang lemah.

c. keamanan yang buruk pada file password dan kelompok.

d. bit-bit SUID/SGID yang tidak tepat pada file-file.

e. perubahan-perubahan yang mencurigakan dalam checksum file.

2. Tripwire

Tripwire adalah aplikasi mampu mengecek file atau program dan membandingkannya dengan database sebelumnya. Aplikasi ini bekerja dengan membuat sebuah database informasi semua file sistem dan menyimpannya pada suatu file. Setiap kali tripwire dijalankan untuk melakukan pengecekan file sistem hasil pemeriksaan akan dibandingkan dengan database yang pernah dibuat.

Aplikasi tripwire diinstall pada partisi yang terlindung dan memiliki policy Media Read Only.

Komponen file konfigurasi pada tripwire terdiri dari

1) File Konfigurasi

2) File Policy

3) File Database

4) File Report

3. SATAN dan SAINT

SATAN ( Security Administrator’s Tool for Analyzing Networks dibuat oleh Dan Farmer dan Wetse Venema th 1995. Satan adalah program untuk mendeteksi kerentanan jaringan yang umum dengan interface web browser.

SATAN dirancang untuk membantu sistem administrator mengotomatisasi proses pengujian sistem mereka untuk kerentanan diketahui yang dapat dieksploitasi melalui jaringan. Hal ini sangat berguna untuk sistem jaringan dengan beberapa host. Seperti software jaringan, alat ini dapat berfungsi baik, namun dapat juga disalahgunakan,misalnya berguna untuk calon penyusup mencari sistem dengan lubang keamanan.

Sebagai penerus dari SATAN, tahun 1998 World Wide Digital Security mengembangkan SAINT (Security Administrator's Integrated Network Tool) sebagai versi gratis dan update dari SATAN.

Saint bekerja dengan memindai setiap servis TCP dan UDP. Pada setiap servis yang berjalan Saint akan melakukan probe yang dirancang untuk mendeteksi setiap paket yang lewat yang memungkinan penyerang mendapatkan akses secara tidak sah, dan membuat penolakan.

Empat Langkah Scan SAINT:

1) Saint memindai setiap sistem hidup pada jaringan untuk layanan TCP dan UDP.

2) Untuk setiap layanan yang ditemukan berjalan, meluncurkan satu set probe yang dirancang untuk mendeteksi apa pun yang dapat memungkinkan penyerang untuk mendapatkan akses tidak sah, membuat penolakan-of-service, atau mendapatkan informasi sensitif tentang jaringan.

3) Cek Pemindai untuk kemungkinan kelemahan sistem.

4) Ketika kelemahan terdeteksi, hasil dikategorikan dalam beberapa cara, memungkinkan pelanggan untuk target data yang mereka menemukan yang paling bermanfaat.

Selain program tersebut, ada banyak program yang dibuat oleh hackers untuk melakukan “coba-coba”. Program-program seperti ini, yang cepat sekali bermunculuan, biasanya dapat diperoleh (download) dari Internet melalui tempat-tempat yang berhubungan dengan keamanan, seperti misalnya “Rootshell”. (Lihat “Sumber informasi dan organisasi yang berhubungan dengan keamanan sistem informasi” on page 54.) Contoh program cobacoba ini antara lain:

· crack: program untuk menduga atau memecahkan password dengan menggunakan sebuah kamus (dictionary).

· land: sebuah program yang dapat membuat sistem Windows 95/ NT menjadi macet (hang, lock up). Program ini mengirimkan sebuah paket yang sudah di”spoofed” sehingga seolah-olah paket tersebut berasal dari mesin yang sama dengan menggunakan port yang terbuka (misalnya port 113 atau 139).

· ping-o-death: sebuah program (ping) yang dapat meng-crash-kan Windows 95/NT dan beberapa versi Unix.

· winuke: program untuk memacetkan sistem berbasis Windows

Administrator direkomendasikan untuk menginstal Program Penguji Keamanan sistem sesuai dengan desain jaringan dan kegunaanya.

C. Probing Services

Probing servis adalah suatu tindakan untuk mengetahui servis apa yang tersedia dalam sebuah server. Servis sebuah server dilakukan dengan menggunakan protokol TCP atau UDP tertentu. Setiap servis dijalankan dengan menggunakan port yang berbeda, misalnya:

• SMTP, untuk mengirim dan menerima e-mail, menggunakan protokol TCP, port 25

• POP3, untuk mengambil e-mail, menggunakan protokol TCP, port 110

• HTTP untuk layanan webserver menggunakan protokol TCP port 80

• TELNET untuk melakukan akses remote menggunakan protokol TCP port 23

Pada sistem UNIX, lihat berkas /etc/services dan /etc/inetd.conf untuk melihat servis apa saja yang dijalankan oleh server atau komputer yang bersangkutan. Selain itu ada juga servis yang dijalankan tidak melalui inetd.conf melainkan dijalankan sebagai daemon yang berjalan dibelakang layar.

Pemilihan servis apa saja tergantung kepada kebutuhan dan tingkat keamanan yang diinginkan. Sayangnya seringkali sistem yang dibeli atau dirakit menjalankan beberapa servis utama sebagai “default”. Kadang-kadang beberapa servis harus dimatikan karena ada kemungkinan dapat dieksploitasi oleh cracker. Untuk itu ada beberapa program yang dapat digunakan untuk melakukan “probe” (meraba) servis apa saja yang tersedia. Program ini juga dapat digunakan oleh kriminal untuk melihat servis apa saja yang tersedia di sistem yang akan diserang dan berdasarkan data-data yang diperoleh dapat melancarkan serangan :

1. Probe manual

Untuk mengecek sebuah servis aktif atau tidak pada sebuah server, dapat dilakukan langkah manual dengan cara sebagai berikut :

a. Misalnya untuk melihat apakah ada servis e-mail dengan menggunakan SMTP digunakan telnet ke port 25.

unix% telnet target.host.com 25

Trying 127.0.0.1...

Connected to target.host.com.

Escape character is '^]'.

220 dma-baru ESMTP Sendmail 8.9.0/8.8.5; Mon, 22 Jun 1998

10:18:54 +0700

b. Untuk servis lain, seperti POP atau POP3 dapat dilakukan dengan cara yang sama dengan menggunakan nomor “port” yang sesuai dengan servis yang diamati.

unix% telnet localhost 110

Trying 127.0.0.1...

Connected to localhost. Escape character is '^]'.

+OK QPOP (version 2.2) at dma-baru.paume.itb.ac.id starting.

+<20651.898485542@dma-baru.paume.itb.ac.id>

quit

+OK Pop server at dma-baru.paume.itb.ac.id signing off.

Connection closed by foreign host.

2. Probe Otomatis

Proses probe dapat dilakukan secara otomatis dengan program bantuan aplikasi, dengan aplikasi kita tidak perlu melakukan entri port secara manual. Berikut adalah contoh aplikasi probe untuk :

a. sistem UNIX

§ nmap

#nmap 172.16.100.100

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2011-11-07 23:48 WIT

Interesting ports on 172.16.100.100:

Not shown: 1675 closed ports

PORT STATE SERVICE

22/tcp open ssh

53/tcp open domain

111/tcp open rpcbind

732/tcp open unknown

3128/tcp open squid-http

Nmap finished: 1 IP address (1 host up) scanned in 0.346 seconds

b. Probe untuk sistem Window 95/98/NT

§ Superscan

Adalah aplikasi yang dirancang untuk melakukan probe pada jaringan / server yang dituju

3. Mendeteksi probe

Untuk mendeteksi apakah ada tidaknya sebuah kegiatan probe pada sistem, Sistem Administrator dapat menginstall program ke sistem yang dikelola. Probing biasanya meninggalkan jejak berkas log di sistem. Dengan mengamati entri di dalam berkas log, dapat diketahui ada tidaknya kegiatan probe.

root# tail /var/log/syslog

May 16 15:40:42 epson tcplogd: "Syn probe"

notebook[192.168.1.4]:[8422]->epson[192.168.1.2]:[635]

May 16 15:40:42 epson tcplogd: "Syn probe"

notebook[192.168.1.4]:[8423]->epson[192.168.1.2]:ssl-ldap

May 16 15:40:42 epson tcplogd: "Syn probe"

notebook[192.168.1.4]:[8426]->epson[192.168.1.2]:[637]

May 16 15:40:42 epson tcplogd: "Syn probe"

notebook[192.168.1.4]:[8429]->epson[192.168.1.2]:[638]