ACCESS ROUTEROS USING MULTI-FACTOR AUTHENTICATION
MikroTik User Meeting 2018, Yogyakarta, Indonesia, 20 October 2018
About Me
Didiet Kusumadihardja
12 years of experience in IT: RT/RW Net, startup (e-commerce), managed service, IT consulting, IT auditor, penetration tester and training service
UKK TKJ examiner
MikroTik Certified Trainer
MikroTik Certified Consultant
https://about.me/didiet
Services Offered
1. Network Assessment/Design Service
2. IT General Control Audit Service
3. Vulnerability Assessment & Penetration Testing Service
4. IT Due Diligence Service
5. Training Service
Related regulations and standards: UU ITE No 11 Tahun 2008, POJK 38/POJK.03/2016, SEOJK 21/SEOJK.03/2017, PBI 16/8/PBI/2014, PCI DSS, ISO 27001
[Figure: penetration testing phases: Planning, Discovery (with Additional Discovery), Attack, Reporting]
Background
Data Breaches News 2016
Data Breaches News 2017
Data Breaches News 2018
MikroTik Security Fixes
6.38.5 (9 March 2017): www - fixed http server vulnerability
6.41.3 (8 March 2018): smb - fixed buffer overflow vulnerability, everyone using this feature is urged to upgrade
6.42.1 (23 April 2018): winbox - fixed vulnerability that allowed to gain access to an unsecured router
6.42.7 (17 August 2018): security - fixed vulnerabilities CVE-2018-1156, CVE-2018-1157, CVE-2018-1158, CVE-2018-1159
Exploits
Amount of Time to Crack Passwords
Processing Power vs Passwords
Reality
[Diagram: bad guys armed with password dictionaries and exploits: dictionary attack, brute force attack]
Humans and Passwords
Password Tips
Indonesian Regulation
How do we do it with RouterOS?
Multi-Factor Authentication on RouterOS
Something you know: password
Something you have: SSH keys
Somewhere you are from: IP address
Create SSH Public & Private Key
1. Generate
2. Save the private key
3. Copy the public key and save it to a file
OS X and Linux users can use ssh-keygen instead.
RouterOS Configuration
1. Upload Public Key
2. Create New User
3. Import SSH Key
Login using SSH Keys (PuTTY: Connection > SSH > Auth)
Only permit access from a specific IP address
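The three slides above (generate the key pair, upload and import it for a new user, restrict that user to one source address) done from an OS X/Linux workstation, as an added example that is not part of the original presentation. The router address, user name, management network and key path are assumptions; the RouterOS commands are built in a function so they can be reviewed before anything is sent to the router.

```shell
#!/bin/sh
# Added example, not from the original slides: generate the key pair on OS X/Linux
# with ssh-keygen and build the RouterOS commands that bind the new user to that
# key (something you have) and to one source network (somewhere you are from).
# ROUTER, NEW_USER, ALLOWED_NET and the key path are assumptions, not values
# from the presentation.

ROUTER="${ROUTER:-192.0.2.1}"                       # placeholder router address
NEW_USER="${NEW_USER:-ops}"                          # assumed user name
ALLOWED_NET="${ALLOWED_NET:-192.168.88.0/24}"        # assumed management network
KEY_FILE="${KEY_FILE:-$HOME/.ssh/routeros_$NEW_USER}"

# RouterOS 6 imports RSA (and DSA) public keys only; ed25519 support arrived with
# RouterOS 7. Check the file before uploading so the import does not fail later.
pubkey_ok_for_routeros() {
    # $1 = public key file in OpenSSH one-line format
    [ -f "$1" ] || return 1
    [ "$(grep -c '' "$1")" -le 1 ] || return 1           # exactly one line
    case "$(cut -d' ' -f1 "$1")" in
        ssh-rsa) return 0 ;;
        *)       return 1 ;;
    esac
}

# RouterOS commands for the three slides: user with source restriction, key
# import, and the SSH service itself limited to the same network. The password
# is the "something you know" factor for Winbox and must be replaced.
routeros_commands() {
    # $1 = user, $2 = allowed network (CIDR), $3 = public key file name on the router
    printf '%s\n' \
        "/user add name=$1 group=full address=$2 password=CHANGE-ME" \
        "/user ssh-keys import user=$1 public-key-file=$3" \
        "/ip service set ssh address=$2" \
        "/ip service disable telnet,ftp,www" \
        "/ip ssh set strong-crypto=yes"
}

# Run with "apply" to do it for real: 1. generate, 2. check, 3. upload, 4. configure.
if [ "${1:-}" = "apply" ]; then
    ssh-keygen -t rsa -b 4096 -f "$KEY_FILE" -C "$NEW_USER@routeros"   # prompts for a passphrase
    pubkey_ok_for_routeros "$KEY_FILE.pub" || { echo "$KEY_FILE.pub is not an RSA key" >&2; exit 1; }
    scp "$KEY_FILE.pub" "admin@$ROUTER:$NEW_USER.pub"                     # 1. upload public key
    routeros_commands "$NEW_USER" "$ALLOWED_NET" "$NEW_USER.pub" |        # 2. create user, 3. import key
        while IFS= read -r cmd; do ssh "admin@$ROUTER" "$cmd"; done
    echo "log in with: ssh -i $KEY_FILE $NEW_USER@$ROUTER"
fi
```

After the import, log in once with `ssh -i` to confirm the key works before closing the existing session. Winbox still authenticates with the password, so the `address=` restriction on the user is what covers that path; for SSH itself, leave `/ip ssh always-allow-password-login` at its default of `no` once the key is in place, otherwise the key adds nothing over the password.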
Other Methods (1/3): Port Knocking
https://wiki.mikrotik.com/wiki/port_knocking
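Port knocking on RouterOS is built from chained dynamic address lists: each knock port only counts if the source already completed the previous step, and the last list is what the SSH accept rule matches on. The generator and client below are an added example, not from the slides or the wiki page linked above; the knock sequence, timeouts and host are assumptions.

```shell
#!/bin/sh
# Added example, not from the slides or the MikroTik wiki page: emit the RouterOS
# firewall rules for a knock sequence, and a client-side knock to drive it.
# Sequence, ports, timeouts and addresses are assumptions.

# Print the input-chain filter rules for a knock sequence given as "p1 p2 p3".
# A hit on step N is only honoured if the source is already on the list that
# step N-1 filled; the last list unlocks the service for open_timeout, and a
# final rule drops every other attempt to reach it.
knock_rules() {
    seq_ports="$1"      # knock ports, space separated, in order
    service_port="$2"   # port being protected (22 for SSH)
    step_timeout="$3"   # how long a partial sequence stays valid, e.g. 15s
    open_timeout="$4"   # how long the final list keeps the port open, e.g. 5m
    n=$(echo "$seq_ports" | wc -w | tr -d ' ')
    i=0; prev=""
    echo "/ip firewall filter"
    for p in $seq_ports; do
        i=$((i + 1))
        list="knock$i"
        if [ "$i" -eq "$n" ]; then timeout="$open_timeout"; else timeout="$step_timeout"; fi
        if [ -n "$prev" ]; then src=" src-address-list=$prev"; else src=""; fi
        echo "add chain=input protocol=tcp dst-port=$p$src action=add-src-to-address-list address-list=$list address-list-timeout=$timeout comment=\"knock step $i\""
        prev="$list"
    done
    echo "add chain=input protocol=tcp dst-port=$service_port src-address-list=$prev action=accept comment=\"ssh after knock\""
    echo "add chain=input protocol=tcp dst-port=$service_port action=drop comment=\"ssh without knock\""
}

# Client side: hit each port in order. Only the connection attempt matters; the
# firewall sees the SYN and updates the address list, so a refused connect is fine.
knock() {
    host="$1"; shift
    for p in "$@"; do
        nc -z -w 1 "$host" "$p" 2>/dev/null
        sleep 1
    done
}

# Stand-alone run: print the rules for an assumed sequence, then show the knock.
knock_rules "1234 4321 2468" 22 15s 5m
echo "# client: knock 192.0.2.1 1234 4321 2468 && ssh ops@192.0.2.1"
```

Paste the printed rules above any general `input` drop rule, or they never match. Pick a sequence that is not monotonically increasing: a plain sequential port scan would otherwise walk through an ascending sequence within the step timeout and open the port for the scanner. Knocking narrows who can even reach the SSH service; it does not replace the key and address restrictions from the earlier slides.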
Other Methods (2/3): VPN then remote access
1. VPN (PPTP/SSTP/OpenVPN)
2. Remote Access (Winbox/SSH)
[Diagram: VPN network address]
Other Methods (3/3): Out of Band Network
[Diagram: management network]
Audit Trail / Log as Evidence
Audit Trail / Log using The Dude
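A log is only evidence if someone reads it, so the following added example (not from the slides) shows the two questions worth asking of RouterOS login events once they reach a syslog collector such as The Dude: which sources keep failing, and which successful logins came from outside the permitted management network. The log lines are constructed in the shape of RouterOS login messages, the addresses are documentation ranges, and the threshold and network prefix are assumptions.

```shell
#!/bin/sh
# Added example, not from the original slides: triage RouterOS login events
# collected over syslog. SAMPLE_LOG is constructed in the shape of the RouterOS
# "user X logged in from A via B" / "login failure for user X from A via B"
# messages; the permitted network and threshold are assumptions.
#
# Router side (placeholder collector address), so the lines arrive at all:
#   /system logging action set remote remote=<COLLECTOR-IP> remote-port=514
#   /system logging add topics=account action=remote
#   /system logging add topics=error action=remote

ALLOWED_NET_PREFIX="${ALLOWED_NET_PREFIX:-192.168.88.}"   # assumed management net (string prefix, not CIDR)
FAIL_THRESHOLD="${FAIL_THRESHOLD:-3}"                     # failures per source before it is reported

SAMPLE_LOG='Oct 20 09:12:01 router1 system,info,account user admin logged in from 192.168.88.10 via winbox
Oct 20 09:13:44 router1 system,error,critical login failure for user admin from 203.0.113.7 via ssh
Oct 20 09:13:46 router1 system,error,critical login failure for user admin from 203.0.113.7 via ssh
Oct 20 09:13:49 router1 system,error,critical login failure for user root from 203.0.113.7 via ssh
Oct 20 09:14:02 router1 system,error,critical login failure for user admin from 198.51.100.9 via winbox
Oct 20 09:20:15 router1 system,info,account user ops logged in from 198.51.100.9 via ssh
Oct 20 09:25:00 router1 system,info,account user ops logged out from 198.51.100.9 via ssh'

# Sources with at least FAIL_THRESHOLD failed logins, one "count ip" per line,
# most failures first. $1 = log text.
failed_login_sources() {
    echo "$1" | awk -v t="$FAIL_THRESHOLD" '
        /login failure for user/ {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
        }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }' | sort -rn
}

# Successful logins whose source is outside the permitted management network.
# These are the lines to follow up even when the password was correct. $1 = log text.
logins_from_outside() {
    echo "$1" | awk -v net="$ALLOWED_NET_PREFIX" '
        / logged in from / {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i+1)
            if (index(ip, net) != 1) print $0
        }'
}

echo "== sources with >= $FAIL_THRESHOLD failed logins =="
failed_login_sources "$SAMPLE_LOG"
echo "== successful logins from outside $ALLOWED_NET_PREFIX =="
logins_from_outside "$SAMPLE_LOG"
```

With the sample data the first report names 203.0.113.7 (three failures) and the second flags the `ops` login from 198.51.100.9. The prefix match is deliberately simple; for a network that is not a clean /24 replace it with a real CIDR check. Keep the collector's copy of the log separate from the router: a log that only lives on the device can be cleared by whoever got in.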
Summary: Defense in Depth Layers
1. Policies, Procedure, and Awareness
2. Physical
3. Perimeter
4. Internal Network
5. Host
6. Application
7. Data
Reference
ArsTechnica. 2012. 25-GPU cluster cracks every standard Windows password in <6 hours. https://arstechnica.com/information-technology/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/
BetterBuys. Estimating Password-Cracking Times. https://www.betterbuys.com/estimating-password-cracking-times/
C# Corner. 2015. Passphrase vs Password For Security. https://www.c-sharpcorner.com/uploadfile/66489a/passphrase-vs-password-for-the-security/
Information is beautiful. 2018. World's Biggest Data Breaches. http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
MikroTik. 2015. Port Knocking. https://wiki.mikrotik.com/wiki/port_knocking
MikroTik. 2016. Manual: The Dude v6/syslog. https://wiki.mikrotik.com/wiki/manual:the_dude_v6/syslog
NIST. 2017. Easy Ways to Build a Better P@$5w0rd. https://www.nist.gov/blogs/taking-measure/easy-ways-build-better-p5w0rd
Records Management Center. 2017. Identity Theft: Is It All Digital? https://rmcmaine.com/identity-theft-report/
Reuters. 2017. Yahoo says all three billion accounts hacked in 2013 data theft. https://www.reuters.com/article/us-yahoo-cyber/yahoo-says-all-three-billion-accounts-hacked-in-2013-data-theft-iduskcn1c82o1
ScienceDirect. 2017. Towards port-knocking authentication methods for mobile cloud computing. https://www.sciencedirect.com/science/article/pii/s1084804517302813 (Accessed 2018-09-04)
The Hacker News. 2018. Hackers Infect Over 200,000 MikroTik Routers With Crypto Mining Malware. https://thehackernews.com/2018/08/mikrotik-router-hacking.html
The New York Times. 2016. Yahoo Says 1 Billion User Accounts Were Hacked. https://www.nytimes.com/2016/12/14/technology/yahoo-hack.html
Didiet Kusumadihardja
Mobile: +62 813 1115 0054
e-mail: didiet@arch.web.id
Permission is granted to use part or all of the material in this module, whether ideas, photos, text, configurations or diagrams, for teaching purposes, provided that credit is given to the author together with a link to www.arch.web.id