1! Network forensics

Transcription

1 Network Forensics COMP 2555: Principles of Computer Forensics Autumn ! Network forensics Network Forensics Overview! Systematic tracking of incoming and outgoing traffic! To ascertain how an attack was carried out or how an event occurred on a network! Intruders leave a trail behind! Knowing your network s typical traffic patterns is important! Determine the cause of the abnormal traffic! Internal bug! Attackers 2! Layered network defense strategy Securing a Network! Sets up layers of protection to hide the most valuable data at the innermost part of the network! Deeper resources are difficult to get to! More safeguards in place! Defense in depth (DiD)! Similar layered approach developed by the NSA! Modes of protection! People! Technology! Operations 3 Securing a Network (contd.)! Testing networks is as important as testing servers! You need to be up to date on the latest methods intruders use to infiltrate networks! As well as methods internal employees use to sabotage networks! You should be proactive in this game! Ensuring that network activities are normal! Having enough data to analyze a compromised network

2 4 Procedures for Network Forensics! Computer forensics! Work from the image to find what has changed! Network forensics! Restore drives to understand attack! Work on an isolated system! Prevents malware from affecting other systems 5! Record incoming and outgoing traffic! Network servers! Routers! Firewalls! Tcpdump tool for examining network traffic! Can generate top 10 lists! Can identify patterns Network Logs 6 Sample Record in a Network Log 12:22: IP (tos 0x0, ttl 64, id 15979, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 0 (->f0fd)!) > : Flags [F.], cksum 0x0b82 (incorrect -> 0xa091), seq , ack , win 65535, options [nop,nop,ts val ecr ], length 0 0x0000: e6b fd be7a E..4>k@.@...z 0x0010: 4a7d 7f66 eab e8e3 3be6 1ab1 e690 J}.f...P..;... 0x0020: 8011 ffff 0b a 2861 dc14...(a.. 0x0030: d33 8.}3 7! Sysinternals Using Network Tools! A collection of free tools for examining Windows products! Examples of the Sysinternals tools:! RegMon shows Registry data in real time! Process Explorer shows what is loaded! Handle shows open files and processes using them! Filemon shows file system activity

3 8 Using Network Tools (contd.)! Tools from PsTools suite created by Sysinternals! PsExec runs processes remotely! PsGetSid displays security identifier (SID)! PsKill kills process by name or ID! PsList lists details about a process! PsLoggedOn shows who s logged locally! PsPasswd changes account passwords! PsService controls and views services! PsShutdown shuts down and restarts PCs! PsSuspend suspends processes 9 Using UNIX/Linux Tools! Knoppix Security Tools Distribution (STD)! Bootable Linux CD intended for computer and network forensics! Knoppix-STD tools! dcfldd - the U.S. DoD dd version! memfetch - forces a memory dump! photorec - grabs files from a digital camera! snort - an intrusion detection system! oinkmaster - helps manage your snort rules! john - a passwork cracker! chntpw - resets passwords on a Windows PC! tcpdump and ethereal - packet sniffers 10 Networking in a Nutshell 11 TCP/IP Model Application Layer Handles application level communications how does a FTP client talk to another? Transport Layer Packages data so that they can be sent in chunks, application addressing, etc. TCP/IP Model TCP/IP Model Internet Layer Handles route discovery how to reach the destination machine? Link Layer Move packets between two hosts over a physical medium packets

4 12 A Packet 13 Transport Layer Header A Packet Source Port Destination port Sequence Number Link Layer Header Link Layer Payload Internet Layer Header Internet Layer Payload Transport Layer Header Transport Layer Payload Application Layer Header Application Data Data Offset Acknowledgement Number Reserved Flags Window Size Checksum Urgent Pointer Options a TCP header 14 Internet Layer Header 15 Link Layer Header Version Header Length Type of Service Total Length Identification Flags Fragment Offset Time To Live Protocol Header Checksum Source IP Address header Preamble Start-of-Frame-Delimiter MAC Destination MAC Source 802.1Q Header Destination IP Address EthernetType Options Link Layer Payload CRC-32 an IP header a Frame

5 16! Starts at offset 0x0D (14) in the TCP header CWR ECE URG ACK PSH RST SYN FIN! SYN packet has the corresponding bit set! Flag = 0b = 0x02! SYN/ACK packet! Flag = 0b = 0x12! ACK packet! Flag = 0b = 0x10 8 bits TCP/IP Flags 17 TCP/IP Handshake! Three step process to establish a connection! Client sends a SYN packet to the server! Server responds with a SYN/ACK packet! Client acknowledges receipt of the packet with a ACK packet! Connection is established! Connection stays open until! Client sends a FIN packet or a RST packet! Connection times out! Either side has been silent for a long time 18! SYN flood attack! A simple denial-of-service attack SYN Flood Attack! Attacker initiates the handshake but does not complete it! Legitimate clients may have to wait if resources are allocated during the handshaking phase 19 timestamp Understanding a TCP/IP Packet source IP.Port destination IP.Port 14:49: IP (tos 0x0, ttl 64, id 57300, offset 0, flags [DF], proto TCP (6), length 64, bad cksum 0 (->4fdb)!) > : Flags [S], cksum 0x7d4a (correct), seq , win 65535, options [mss 1460,nop,wscale 3,nop,nop,TS val ecr 0,sackOK,eol], length 0 0x0000: dfd fd be7a E..@..@.@...z 0x0010: 4a7d 7f13 db9f be J}...P8..E... 0x0020: b002 ffff 7d4a b }J... 0x0030: a 20fe bae

6 Understanding a TCP/IP Packet (contd.) 20 IP header size (in number of 32-bit words) Size = 5 x 32 = 160 bits = 20 bytes 14:49: IP (tos 0x0, ttl 64, id 57300, offset 0, flags [DF], proto TCP (6), length 64, bad cksum 0 (->4fdb)!) > : Flags [S], cksum 0x7d4a (correct), seq , win 65535, options [mss 1460,nop,wscale 3,nop,nop,TS val ecr 0,sackOK,eol], IP header IP version length 0 0x0000: dfd fd be7a E..@..@.@...z 0x0010: 4a7d 7f13 db9f be J}...P8..E... 0x0020: b002 ffff 7d4a b }J... 0x0030: a 20fe bae TCP header size (in number of 32-bit words) Size = 11 x 4 = 44 bytes TCP header Understanding a TCP/IP Packet (contd.) 21 First step of handshake sequence number: randomly generated initially 14:49: IP (tos 0x0, ttl 64, id 57300, offset 0, flags [DF], proto TCP (6), length 64, bad cksum 0 (->4fdb)!) > : Flags [S], cksum 0x7d4a (correct), seq , win 65535, options [mss 1460,nop,wscale 3,nop,nop,TS val ecr 0,sackOK,eol], length 0 0x0000: dfd fd be7a E..@..@.@...z 0x0010: 4a7d 7f13 db9f be J}...P8..E... 0x0020: b002 ffff 7d4a b }J... 0x0030: a 20fe bae7 Offset 00000x0D: 0000 Flags x02 = This is a SYN packet sent from to Google while opening gmail.com Understanding a TCP/IP Packet (contd.) 22 Second step of handshake Understanding a TCP/IP Packet (contd.) 23 Third step of handshake acknowledgment number: seq. no. in SYN packet :49: IP (tos 0x0, ttl 51, id 43889, offset 0, flags [none], proto TCP (6), length 60) > : Flags [S.], cksum 0x363e (correct), seq , ack , win 5672, options [mss 1380,sackOK,TS val ecr ,nop,wscale 6], length 0 0x0000: c ab d142 4a7d 7f13 E..<.q..3..BJ}.. 0x0010: 82fd be7a 0050 db9f bcce 6fe be46...z.p...o.8..f 0x0020: a e Offset 05640x0E: 0402 Flags 080a...(6>...d... 0x0030: 46f3 ce7b 20fe bae x = F..{... SYN/ACK from Google in response to the SYN packet acknowledgment number: seq. no. in SYN/ACK packet :49: IP (tos 0x0, ttl 64, id 32705, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 0 (->affa)!) > : Flags [.], cksum 0x7ae1 (correct), seq , ack , win 65535, options [nop,nop,ts val ecr ], length 0 0x0000: fc fd be7a E..4..@.@...z 0x0010: 4a7d 7f13 db9f be46 bcce 6fe8 J}...P8..F..o. 0x0020: 8010 ffff 7ae Offset 080a 0x0E: 20fe Flags bae7...z... 0x0030: 46f3 ce7b 0x10 = F..{ ACK from to Google

7 24! Open coursesite.pcap (download from the course website) in Wireshark! Exercise! This is a capture of a session where a browser was used to open our course website! Understand the communication going between the client and the web server! Use Statistics > Flow Graph! Choose TCP flow! What is going on with the Seq./Ackw. numbers? 25 Using Port Scanners! A port is an endpoint of communication in a network! Much like an electrical socket! Appliances are plugged into it! One machine connects to another through an open port! Port scanners allow an investigator to determine which ports are open on a remote system (or the local system)! Unusual open ports may be indicative of suspicious activity! A rootkit allowing remote access to the system! Tools! Netcat! Portqry! Nmap 26! Port scanning involves Using Port Scanners (contd.)! Sending a SYN packet to a system at a port number! If port is open (a server is waiting for connections on the port), the server will respond with a SYN/ACK packet! Send the ACK packet, followed by a FIN packet to terminate the connection! All discovered open ports must be accounted for! Which software is listening on which port 27! Stealth scanning Using Port Scanners (contd.)! Follows steps as in a regular port scanning, but instead of sending an ACK packet, the scanner sends a RST packet! Server immediately terminates the TCP connection upon receipt of an RST packet! Stealthy because most systems log incoming connection requests only when all three steps of the handshaking completes! Banner grabbing! Send a legitimate request at the identified port after successful handshaking! Elicits a response having information about the kind of service running at that port

8 28 Using Nmap! Network mapper utility for network exploration or security auditing! Includes! Port scanning! OS detection! Service detection! Version detection! Available for almost all popular operating systems! 29! Some options! -st : a regular SYN scan! -ss : a stealth scan! -sv : attempt to identify service! -O : attempt to identify OS Using Nmap (contd.)! -p <range> : scan ports specified in range! E.g. p ,1078, 1090! -v : verbose mode! -P0 : do not ping hosts before scanning! -sf, -sn, -sx : FIN scan, null scan, Christmas scan! -sa : ACK scan! And many more: see 30! -sf, -sx, -sn Using Nmap (contd.)! Scanning using SYN packets may not work if an IDS is in place! Closed ports will send a RST back! Open ports will drop these packets since they are waiting for SYN packets! MS Windows will drop even if port is closed! Combined with a regular scan, you can know there is likely a Windows machine on the other side! -sa! Is the firewall stateless (just blocking incoming SYN packets) or stateful (tracks the connections)! A RST packet in reply points at a stateless firewall 31! Packet sniffers Using Packet Sniffers! Devices or software that monitor network traffic! Log (capture) incoming and outgoing packets! See what various systems are saying to each other! Most tools follow the PCAP format to store the data! Tools! Tcpdump! Windump! Netcap! Wireshark (previously known as Ethereal)

9 32 Using Packet Sniffers (contd.)! Captured packets can reveal who has connected to an identified Trojan in a system! Including the commands and data exchanged through the Trojan! Useful, in general, to see who is making connections to your system! Captured packets can reveal the entire communication sequence between two systems! Too many initiated connections without any data exchange! Perhaps someone is trying a port scan!! SYN flood attack 33 Analyzing Packet Traces! Packet sniffers will log packets; analyzing them to obtain useful information is your task! FTP traffic capture! What is the name and version of the FTP server?! What password was used during an anonymous login?! What files were transferred?! What are the contents of those files?! Netcat traffic capture! Netcat is a flexible utility that facilitates reading/writing data using TCP/UDP network connections! What port is the netcat listener running?! What commands were issued? 34! IIS traffic capture Analyzing Packet Traces (contd.)! Microsoft Internet Information Services web server! What version of IIS is running?! What browser and OS is a client using?! What commands were sent by the browser?! Is there any known vulnerability that is being exploited?! Nmap traffic capture! What type of nmap scan was run?! Which system(s) is(are) being scanned?! Lets look at some examples using Wireshark! 35 The Honeynet Project! Attempt to thwart Internet and network hackers! Provides information about attacks methods! Objectives! Awareness: threats do exist out there! Information: how do attackers operate and how to protect against their tactics! Tools: methods to protect resources

10 36 The Honeynet Project (contd.)! Distributed denial-of-service (DDoS) attacks! A recent major threat! Hundreds or even thousands of machines (zombies) can be used! Zero day attacks! Another major threat! Attackers look for holes in networks and OSs and exploit these weaknesses before patches are available! Honeypot! Normal looking computer that lures attackers to it! Honeywalls! Monitor what s happening to honeypots on your network and record what attackers are doing 37 References! Ch 11: B. Nelson, A. Phillips and C. Steuart, Guide to Computer Forensics and Investigations. ISBN: