1! Network forensics
|
|
- August Hunt
- 8 years ago
- Views:
Transcription
1 Network Forensics COMP 2555: Principles of Computer Forensics Autumn ! Network forensics Network Forensics Overview! Systematic tracking of incoming and outgoing traffic! To ascertain how an attack was carried out or how an event occurred on a network! Intruders leave a trail behind! Knowing your network s typical traffic patterns is important! Determine the cause of the abnormal traffic! Internal bug! Attackers 2! Layered network defense strategy Securing a Network! Sets up layers of protection to hide the most valuable data at the innermost part of the network! Deeper resources are difficult to get to! More safeguards in place! Defense in depth (DiD)! Similar layered approach developed by the NSA! Modes of protection! People! Technology! Operations 3 Securing a Network (contd.)! Testing networks is as important as testing servers! You need to be up to date on the latest methods intruders use to infiltrate networks! As well as methods internal employees use to sabotage networks! You should be proactive in this game! Ensuring that network activities are normal! Having enough data to analyze a compromised network
2 4 Procedures for Network Forensics! Computer forensics! Work from the image to find what has changed! Network forensics! Restore drives to understand attack! Work on an isolated system! Prevents malware from affecting other systems 5! Record incoming and outgoing traffic! Network servers! Routers! Firewalls! Tcpdump tool for examining network traffic! Can generate top 10 lists! Can identify patterns Network Logs 6 Sample Record in a Network Log 12:22: IP (tos 0x0, ttl 64, id 15979, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 0 (->f0fd)!) > : Flags [F.], cksum 0x0b82 (incorrect -> 0xa091), seq , ack , win 65535, options [nop,nop,ts val ecr ], length 0 0x0000: e6b fd be7a E..4>k@.@...z 0x0010: 4a7d 7f66 eab e8e3 3be6 1ab1 e690 J}.f...P..;... 0x0020: 8011 ffff 0b a 2861 dc14...(a.. 0x0030: d33 8.}3 7! Sysinternals Using Network Tools! A collection of free tools for examining Windows products! Examples of the Sysinternals tools:! RegMon shows Registry data in real time! Process Explorer shows what is loaded! Handle shows open files and processes using them! Filemon shows file system activity
3 8 Using Network Tools (contd.)! Tools from PsTools suite created by Sysinternals! PsExec runs processes remotely! PsGetSid displays security identifier (SID)! PsKill kills process by name or ID! PsList lists details about a process! PsLoggedOn shows who s logged locally! PsPasswd changes account passwords! PsService controls and views services! PsShutdown shuts down and restarts PCs! PsSuspend suspends processes 9 Using UNIX/Linux Tools! Knoppix Security Tools Distribution (STD)! Bootable Linux CD intended for computer and network forensics! Knoppix-STD tools! dcfldd - the U.S. DoD dd version! memfetch - forces a memory dump! photorec - grabs files from a digital camera! snort - an intrusion detection system! oinkmaster - helps manage your snort rules! john - a passwork cracker! chntpw - resets passwords on a Windows PC! tcpdump and ethereal - packet sniffers 10 Networking in a Nutshell 11 TCP/IP Model Application Layer Handles application level communications how does a FTP client talk to another? Transport Layer Packages data so that they can be sent in chunks, application addressing, etc. TCP/IP Model TCP/IP Model Internet Layer Handles route discovery how to reach the destination machine? Link Layer Move packets between two hosts over a physical medium packets
4 12 A Packet 13 Transport Layer Header A Packet Source Port Destination port Sequence Number Link Layer Header Link Layer Payload Internet Layer Header Internet Layer Payload Transport Layer Header Transport Layer Payload Application Layer Header Application Data Data Offset Acknowledgement Number Reserved Flags Window Size Checksum Urgent Pointer Options a TCP header 14 Internet Layer Header 15 Link Layer Header Version Header Length Type of Service Total Length Identification Flags Fragment Offset Time To Live Protocol Header Checksum Source IP Address header Preamble Start-of-Frame-Delimiter MAC Destination MAC Source 802.1Q Header Destination IP Address EthernetType Options Link Layer Payload CRC-32 an IP header a Frame
5 16! Starts at offset 0x0D (14) in the TCP header CWR ECE URG ACK PSH RST SYN FIN! SYN packet has the corresponding bit set! Flag = 0b = 0x02! SYN/ACK packet! Flag = 0b = 0x12! ACK packet! Flag = 0b = 0x10 8 bits TCP/IP Flags 17 TCP/IP Handshake! Three step process to establish a connection! Client sends a SYN packet to the server! Server responds with a SYN/ACK packet! Client acknowledges receipt of the packet with a ACK packet! Connection is established! Connection stays open until! Client sends a FIN packet or a RST packet! Connection times out! Either side has been silent for a long time 18! SYN flood attack! A simple denial-of-service attack SYN Flood Attack! Attacker initiates the handshake but does not complete it! Legitimate clients may have to wait if resources are allocated during the handshaking phase 19 timestamp Understanding a TCP/IP Packet source IP.Port destination IP.Port 14:49: IP (tos 0x0, ttl 64, id 57300, offset 0, flags [DF], proto TCP (6), length 64, bad cksum 0 (->4fdb)!) > : Flags [S], cksum 0x7d4a (correct), seq , win 65535, options [mss 1460,nop,wscale 3,nop,nop,TS val ecr 0,sackOK,eol], length 0 0x0000: dfd fd be7a E..@..@.@...z 0x0010: 4a7d 7f13 db9f be J}...P8..E... 0x0020: b002 ffff 7d4a b }J... 0x0030: a 20fe bae
6 Understanding a TCP/IP Packet (contd.) 20 IP header size (in number of 32-bit words) Size = 5 x 32 = 160 bits = 20 bytes 14:49: IP (tos 0x0, ttl 64, id 57300, offset 0, flags [DF], proto TCP (6), length 64, bad cksum 0 (->4fdb)!) > : Flags [S], cksum 0x7d4a (correct), seq , win 65535, options [mss 1460,nop,wscale 3,nop,nop,TS val ecr 0,sackOK,eol], IP header IP version length 0 0x0000: dfd fd be7a E..@..@.@...z 0x0010: 4a7d 7f13 db9f be J}...P8..E... 0x0020: b002 ffff 7d4a b }J... 0x0030: a 20fe bae TCP header size (in number of 32-bit words) Size = 11 x 4 = 44 bytes TCP header Understanding a TCP/IP Packet (contd.) 21 First step of handshake sequence number: randomly generated initially 14:49: IP (tos 0x0, ttl 64, id 57300, offset 0, flags [DF], proto TCP (6), length 64, bad cksum 0 (->4fdb)!) > : Flags [S], cksum 0x7d4a (correct), seq , win 65535, options [mss 1460,nop,wscale 3,nop,nop,TS val ecr 0,sackOK,eol], length 0 0x0000: dfd fd be7a E..@..@.@...z 0x0010: 4a7d 7f13 db9f be J}...P8..E... 0x0020: b002 ffff 7d4a b }J... 0x0030: a 20fe bae7 Offset 00000x0D: 0000 Flags x02 = This is a SYN packet sent from to Google while opening gmail.com Understanding a TCP/IP Packet (contd.) 22 Second step of handshake Understanding a TCP/IP Packet (contd.) 23 Third step of handshake acknowledgment number: seq. no. in SYN packet :49: IP (tos 0x0, ttl 51, id 43889, offset 0, flags [none], proto TCP (6), length 60) > : Flags [S.], cksum 0x363e (correct), seq , ack , win 5672, options [mss 1380,sackOK,TS val ecr ,nop,wscale 6], length 0 0x0000: c ab d142 4a7d 7f13 E..<.q..3..BJ}.. 0x0010: 82fd be7a 0050 db9f bcce 6fe be46...z.p...o.8..f 0x0020: a e Offset 05640x0E: 0402 Flags 080a...(6>...d... 0x0030: 46f3 ce7b 20fe bae x = F..{... SYN/ACK from Google in response to the SYN packet acknowledgment number: seq. no. in SYN/ACK packet :49: IP (tos 0x0, ttl 64, id 32705, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 0 (->affa)!) > : Flags [.], cksum 0x7ae1 (correct), seq , ack , win 65535, options [nop,nop,ts val ecr ], length 0 0x0000: fc fd be7a E..4..@.@...z 0x0010: 4a7d 7f13 db9f be46 bcce 6fe8 J}...P8..F..o. 0x0020: 8010 ffff 7ae Offset 080a 0x0E: 20fe Flags bae7...z... 0x0030: 46f3 ce7b 0x10 = F..{ ACK from to Google
7 24! Open coursesite.pcap (download from the course website) in Wireshark! Exercise! This is a capture of a session where a browser was used to open our course website! Understand the communication going between the client and the web server! Use Statistics > Flow Graph! Choose TCP flow! What is going on with the Seq./Ackw. numbers? 25 Using Port Scanners! A port is an endpoint of communication in a network! Much like an electrical socket! Appliances are plugged into it! One machine connects to another through an open port! Port scanners allow an investigator to determine which ports are open on a remote system (or the local system)! Unusual open ports may be indicative of suspicious activity! A rootkit allowing remote access to the system! Tools! Netcat! Portqry! Nmap 26! Port scanning involves Using Port Scanners (contd.)! Sending a SYN packet to a system at a port number! If port is open (a server is waiting for connections on the port), the server will respond with a SYN/ACK packet! Send the ACK packet, followed by a FIN packet to terminate the connection! All discovered open ports must be accounted for! Which software is listening on which port 27! Stealth scanning Using Port Scanners (contd.)! Follows steps as in a regular port scanning, but instead of sending an ACK packet, the scanner sends a RST packet! Server immediately terminates the TCP connection upon receipt of an RST packet! Stealthy because most systems log incoming connection requests only when all three steps of the handshaking completes! Banner grabbing! Send a legitimate request at the identified port after successful handshaking! Elicits a response having information about the kind of service running at that port
8 28 Using Nmap! Network mapper utility for network exploration or security auditing! Includes! Port scanning! OS detection! Service detection! Version detection! Available for almost all popular operating systems! 29! Some options! -st : a regular SYN scan! -ss : a stealth scan! -sv : attempt to identify service! -O : attempt to identify OS Using Nmap (contd.)! -p <range> : scan ports specified in range! E.g. p ,1078, 1090! -v : verbose mode! -P0 : do not ping hosts before scanning! -sf, -sn, -sx : FIN scan, null scan, Christmas scan! -sa : ACK scan! And many more: see 30! -sf, -sx, -sn Using Nmap (contd.)! Scanning using SYN packets may not work if an IDS is in place! Closed ports will send a RST back! Open ports will drop these packets since they are waiting for SYN packets! MS Windows will drop even if port is closed! Combined with a regular scan, you can know there is likely a Windows machine on the other side! -sa! Is the firewall stateless (just blocking incoming SYN packets) or stateful (tracks the connections)! A RST packet in reply points at a stateless firewall 31! Packet sniffers Using Packet Sniffers! Devices or software that monitor network traffic! Log (capture) incoming and outgoing packets! See what various systems are saying to each other! Most tools follow the PCAP format to store the data! Tools! Tcpdump! Windump! Netcap! Wireshark (previously known as Ethereal)
9 32 Using Packet Sniffers (contd.)! Captured packets can reveal who has connected to an identified Trojan in a system! Including the commands and data exchanged through the Trojan! Useful, in general, to see who is making connections to your system! Captured packets can reveal the entire communication sequence between two systems! Too many initiated connections without any data exchange! Perhaps someone is trying a port scan!! SYN flood attack 33 Analyzing Packet Traces! Packet sniffers will log packets; analyzing them to obtain useful information is your task! FTP traffic capture! What is the name and version of the FTP server?! What password was used during an anonymous login?! What files were transferred?! What are the contents of those files?! Netcat traffic capture! Netcat is a flexible utility that facilitates reading/writing data using TCP/UDP network connections! What port is the netcat listener running?! What commands were issued? 34! IIS traffic capture Analyzing Packet Traces (contd.)! Microsoft Internet Information Services web server! What version of IIS is running?! What browser and OS is a client using?! What commands were sent by the browser?! Is there any known vulnerability that is being exploited?! Nmap traffic capture! What type of nmap scan was run?! Which system(s) is(are) being scanned?! Lets look at some examples using Wireshark! 35 The Honeynet Project! Attempt to thwart Internet and network hackers! Provides information about attacks methods! Objectives! Awareness: threats do exist out there! Information: how do attackers operate and how to protect against their tactics! Tools: methods to protect resources
10 36 The Honeynet Project (contd.)! Distributed denial-of-service (DDoS) attacks! A recent major threat! Hundreds or even thousands of machines (zombies) can be used! Zero day attacks! Another major threat! Attackers look for holes in networks and OSs and exploit these weaknesses before patches are available! Honeypot! Normal looking computer that lures attackers to it! Honeywalls! Monitor what s happening to honeypots on your network and record what attackers are doing 37 References! Ch 11: B. Nelson, A. Phillips and C. Steuart, Guide to Computer Forensics and Investigations. ISBN:
Guide to Computer Forensics and Investigations, Second Edition
Guide to Computer Forensics and Investigations, Second Edition Chapter 12 Network Forensics Objectives Understand Internet fundamentals Understand network basics Acquire data on a Linux computer Guide
More informationPort Scanning. Objectives. Introduction: Port Scanning. 1. Introduce the techniques of port scanning. 2. Use port scanning audit tools such as Nmap.
Port Scanning Objectives 1. Introduce the techniques of port scanning. 2. Use port scanning audit tools such as Nmap. Introduction: All machines connected to a LAN or connected to Internet via a modem
More informationPresented By: Holes in the Fence. Agenda. IPCCTV Attack. DDos Attack. Why Network Security is Important
Presented By: Holes in the Fence Dave Engebretson, Contributing Technology writer, SDM Magazine Industry Instructor in Fiber and Networking Prevention of Security System breaches of networked Edge Devices
More informationOverview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs
Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Why Network Security? Keep the bad guys out. (1) Closed networks
More informationNetwork Scanning. What is a Network scanner? Why are scanners needed? How do scanners do? Which scanner does the market provide?
Network Scanning What is a Network scanner? Why are scanners needed? How do scanners do? Which scanner does the market provide? Where will our research go? Page : 1 Function - attacker view What hosts
More informationCS5008: Internet Computing
CS5008: Internet Computing Lecture 22: Internet Security A. O Riordan, 2009, latest revision 2015 Internet Security When a computer connects to the Internet and begins communicating with others, it is
More informationSY0-201. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.
system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users. From a high-level standpoint, attacks on computer systems and networks can be grouped
More informationPort Scanning and Vulnerability Assessment. ECE4893 Internetwork Security Georgia Institute of Technology
Port Scanning and Vulnerability Assessment ECE4893 Internetwork Security Georgia Institute of Technology Agenda Reconnaissance Scanning Network Mapping OS detection Vulnerability assessment Reconnaissance
More informationScanning Tools. Scan Types. Network sweeping - Basic technique used to determine which of a range of IP addresses map to live hosts.
Scanning Tools The goal of the scanning phase is to learn more information about the target environment and discover openings by interacting with that target environment. This paper will look at some of
More informationProject 4: (E)DoS Attacks
Project4 EDoS Instructions 1 Project 4: (E)DoS Attacks Secure Systems and Applications 2009 Ben Smeets (C) Dept. of Electrical and Information Technology, Lund University, Sweden Introduction A particular
More informationSolution of Exercise Sheet 5
Foundations of Cybersecurity (Winter 15/16) Prof. Dr. Michael Backes CISPA / Saarland University saarland university computer science Protocols = {????} Client Server IP Address =???? IP Address =????
More informationWhat is a DoS attack?
CprE 592-YG Computer and Network Forensics Log-based Signature Analysis Denial of Service Attacks - from analyst s point of view Yong Guan 3216 Coover Tel: (515) 294-8378 Email: guan@ee.iastate.edu October
More informationCYBER ATTACKS EXPLAINED: PACKET CRAFTING
CYBER ATTACKS EXPLAINED: PACKET CRAFTING Protect your FOSS-based IT infrastructure from packet crafting by learning more about it. In the previous articles in this series, we explored common infrastructure
More informationChapter 8 Security Pt 2
Chapter 8 Security Pt 2 IC322 Fall 2014 Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 All material copyright 1996-2012 J.F Kurose and K.W. Ross,
More informationHost Fingerprinting and Firewalking With hping
Host Fingerprinting and Firewalking With hping Naveed Afzal National University Of Computer and Emerging Sciences, Lahore, Pakistan Email: 1608@nu.edu.pk Naveedafzal gmail.com Abstract: The purpose
More informationFirewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)
s (March 4, 2015) Abdou Illia Spring 2015 Test your knowledge Which of the following is true about firewalls? a) A firewall is a hardware device b) A firewall is a software program c) s could be hardware
More informationCIT 380: Securing Computer Systems
CIT 380: Securing Computer Systems Scanning CIT 380: Securing Computer Systems Slide #1 Topics 1. Port Scanning 2. Stealth Scanning 3. Version Identification 4. OS Fingerprinting 5. Vulnerability Scanning
More informationSecure Network Access System (SNAS) Indigenous Next Generation Network Security Solutions
Secure Network Access System (SNAS) Indigenous Next Generation Network Security Solutions Gigi Joseph, Computer Division,BARC. Gigi@barc.gov.in Intranet Security Components Network Admission Control (NAC)
More informationNETWORK SECURITY WITH OPENSOURCE FIREWALL
NETWORK SECURITY WITH OPENSOURCE FIREWALL Vivek Kathayat,Dr Laxmi Ahuja AIIT Amity University,Noida vivekkathayat@gmail.com lahuja@amity.edu ATTACKER SYSTEM: Backtrack 5r3( 192.168.75.10 ) HOST: Backtrack
More informationHands-on Network Traffic Analysis. 2015 Cyber Defense Boot Camp
Hands-on Network Traffic Analysis 2015 Cyber Defense Boot Camp What is this about? Prerequisite: network packet & packet analyzer: (header, data) Enveloped letters inside another envelope Exercises Basic
More informationIntroduction to Network Security Lab 2 - NMap
Introduction to Network Security Lab 2 - NMap 1 Introduction: Nmap as an Offensive Network Security Tool Nmap, short for Network Mapper, is a very versatile security tool that should be included in every
More informationFirewalls, Tunnels, and Network Intrusion Detection
Firewalls, Tunnels, and Network Intrusion Detection 1 Part 1: Firewall as a Technique to create a virtual security wall separating your organization from the wild west of the public internet 2 1 Firewalls
More informationAn Introduction to Nmap with a Focus on Information Gathering. Ionuț Ambrosie
An Introduction to Nmap with a Focus on Information Gathering Ionuț Ambrosie January 12, 2015 During the information gathering phase of a penetration test, tools such as Nmap can be helpful in allowing
More informationWorkshop on Network Traffic Capturing and Analysis IITG, DIT, CERT-In, C-DAC. Host based Analysis. {Himanshu Pareek, himanshup@cdac.
Workshop on Network Traffic Capturing and Analysis IITG, DIT, CERT-In, C-DAC Host based Analysis {Himanshu Pareek, himanshup@cdac.in} {C-DAC Hyderabad, www.cdachyd.in} 1 Reference to previous lecture Bots
More informationUnverified Fields - A Problem with Firewalls & Firewall Technology Today
Unverified Fields - A Problem with Firewalls & Firewall Technology Today Ofir Arkin The Sys-Security Group ofir.arkin@sys-security.com October 2000 1 Introduction The following problem (as discussed in
More informationWHITE PAPER. FortiGate DoS Protection Block Malicious Traffic Before It Affects Critical Applications and Systems
WHITE PAPER FortiGate DoS Protection Block Malicious Traffic Before It Affects Critical Applications and Systems Abstract: Denial of Service (DoS) attacks have been a part of the internet landscape for
More informationRemote Network Analysis
Remote Network Analysis Torsten Hoefler htor@cs.tu-chemnitz.de (DMZ), mostly between two packet filters and application gateways. The different possibilities to connect DMZ-hosts are also shown in Figure
More informationSecurity: Attack and Defense
Security: Attack and Defense Aaron Hertz Carnegie Mellon University Outline! Breaking into hosts! DOS Attacks! Firewalls and other tools 15-441 Computer Networks Spring 2003 Breaking Into Hosts! Guessing
More informationNetwork Forensics: Detection and Analysis of Stealth Port Scanning Attack
International Journal of Computer Networks and Communications Security VOL. 3, NO. 2, FEBRUARY 2015, 33 42 Available online at: www.ijcncs.org E-ISSN 2308-9830 (Online) / ISSN 2410-0595 (Print) Network
More informationFirewalls, Tunnels, and Network Intrusion Detection. Firewalls
Firewalls, Tunnels, and Network Intrusion Detection 1 Firewalls A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system.
More informationLinux Network Security
Linux Network Security Course ID SEC220 Course Description This extremely popular class focuses on network security, and makes an excellent companion class to the GL550: Host Security course. Protocols
More information20-CS-6053-00X Network Security Spring, 2014. An Introduction To. Network Security. Week 1. January 7
20-CS-6053-00X Network Security Spring, 2014 An Introduction To Network Security Week 1 January 7 Attacks Criminal: fraud, scams, destruction; IP, ID, brand theft Privacy: surveillance, databases, traffic
More informationCSCE 465 Computer & Network Security
CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Vulnerability Analysis 1 Roadmap Why vulnerability analysis? Example: TCP/IP related vulnerabilities
More informationP Principles of Network Forensics P Terms & Log-based Tracing P Application Layer Log Analysis P Lower Layer Log Analysis
Agenda Richard Baskerville P Principles of P Terms & -based Tracing P Application Layer Analysis P Lower Layer Analysis Georgia State University 1 2 Principles Kim, et al (2004) A fuzzy expert system for
More informationSecure Software Programming and Vulnerability Analysis
Secure Software Programming and Vulnerability Analysis Christopher Kruegel chris@auto.tuwien.ac.at http://www.auto.tuwien.ac.at/~chris Operations and Denial of Service Secure Software Programming 2 Overview
More informationPractical Network Forensics
BCS-ISSG Practical Network Forensics Day BCS, London Practical Network Forensics Alan Woodroffe issg@securesystemssupport.co.uk www.securesystemssupport.co.uk Copyright Secure Systems Support Limited.
More informationOverview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP
Overview Securing TCP/IP Chapter 6 TCP/IP Open Systems Interconnection Model Anatomy of a Packet Internet Protocol Security (IPSec) Web Security (HTTP over TLS, Secure-HTTP) Lecturer: Pei-yih Ting 1 2
More informationChapter 6 Phase 2: Scanning
Chapter 6 Phase 2: Scanning War Dialer Tool used to automate dialing of large pools of telephone numbers in an effort to find unprotected THC-Scan 2.0 Full-featured, free war dialing tool Runs on Win9x,
More informationFirewall Testing. Cameron Kerr Telecommunications Programme University of Otago. May 16, 2005
Firewall Testing Cameron Kerr Telecommunications Programme University of Otago May 16, 2005 Abstract Writing a custom firewall is a complex task, and is something that requires a significant amount of
More informationNetwork Traffic Evolution. Prof. Anja Feldmann, Ph.D. Dr. Steve Uhlig
Network Traffic Evolution Prof. Anja Feldmann, Ph.D. Dr. Steve Uhlig 1 Example trace Name port % bytes % packets bytes per packet world-wide-web 80???????????? netnews 119???????????? pop-3 mail 110????????????...
More informationMake a folder named Lab3. We will be using Unix redirection commands to create several output files in that folder.
CMSC 355 Lab 3 : Penetration Testing Tools Due: September 31, 2010 In the previous lab, we used some basic system administration tools to figure out which programs where running on a system and which files
More informationAbstract. Introduction. Section I. What is Denial of Service Attack?
Abstract In this report, I am describing the main types of DoS attacks and their effect on computer and network environment. This report will form the basis of my forthcoming report which will discuss
More informationPenetration Testing. What Is a Penetration Testing?
Penetration Testing 1 What Is a Penetration Testing? Testing the security of systems and architectures from the point of view of an attacker (hacker, cracker ) A simulated attack with a predetermined goal
More informationSecurity Threat Kill Chain What log data would you need to identify an APT and perform forensic analysis?
Security Threat Kill Chain What log data would you need to identify an APT and perform forensic analysis? This paper presents a scenario in which an attacker attempts to hack into the internal network
More informationFirewalls. Chapter 3
Firewalls Chapter 3 1 Border Firewall Passed Packet (Ingress) Passed Packet (Egress) Attack Packet Hardened Client PC Internet (Not Trusted) Hardened Server Dropped Packet (Ingress) Log File Internet Border
More informationIntroduction. Nmap from an Ethical Hacker's View Part 1. By Kirby Tucker
Nmap from an Ethical Hacker's View Part 1 By Kirby Tucker Editor's Note: Kirby is a long time contributor and supporter of EH-Net. So when he came to me with the idea to do a more approachable tutorial
More informationChapter 14 Analyzing Network Traffic. Ed Crowley
Chapter 14 Analyzing Network Traffic Ed Crowley 10 Topics Finding Network Based Evidence Network Analysis Tools Ethereal Reassembling Sessions Using Wireshark Network Monitoring Intro Once full content
More informationNetwork and Services Discovery
A quick theorical introduction to network scanning January 8, 2016 Disclaimer/Intro Disclaimer/Intro Network scanning is not exact science When an information system is able to interact over the network
More informationStop that Big Hack Attack Protecting Your Network from Hackers. www.lauraknapp.com
Stop that Big Hack Attack Protecting Your Network from Hackers Laura Jeanne Knapp Technical Evangelist 1-919-224-2205 laura@lauraknapp.com www.lauraknapp.com NetSec_ 010 Agenda Components of security threats
More informationMONITORING OF TRAFFIC OVER THE VICTIM UNDER TCP SYN FLOOD IN A LAN
MONITORING OF TRAFFIC OVER THE VICTIM UNDER TCP SYN FLOOD IN A LAN Kanika 1, Renuka Goyal 2, Gurmeet Kaur 3 1 M.Tech Scholar, Computer Science and Technology, Central University of Punjab, Punjab, India
More informationDateless and DNS Desperate! Stateless. Geoff Huston APNIC
Dateless and DNS Desperate! Stateless Geoff Huston APNIC Can I do both at once? This is definitely a Bad Idea with that intriguing possibility that it just might be made to work making it a Useless Tool
More informationNetwork Forensics: Log Analysis
Network Forensics: Analysis Richard Baskerville Agenda P Terms & -based Tracing P Application Layer Analysis P Lower Layer Analysis Georgia State University 1 2 Two Important Terms PPromiscuous Mode
More informationFirewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.
Firewalls 1 Firewalls Idea: separate local network from the Internet Trusted hosts and networks Firewall Intranet Router DMZ Demilitarized Zone: publicly accessible servers and networks 2 1 Castle and
More informationCS155: Computer and Network Security
CS155: Computer and Network Security Programming Project 3 Spring 2005 Shayan Guha sguha05@stanford.edu (with many slides borrowed from Matt Rubens) Project Overview 1) Use standard network monitoring
More informationComputer forensics 2015-12-01
Computer forensics Evidence acquisition Protocol analysis Packet analysis Flow analysis Network Logs Network devices Network intrusion detection/prevention systems Common network attacks Web browser forensics
More informationPassive Network Traffic Analysis: Understanding a Network Through Passive Monitoring Kevin Timm,
Passive Network Traffic Analysis: Understanding a Network Through Passive Monitoring Kevin Timm, Network IDS devices use passive network monitoring extensively to detect possible threats. Through passive
More informationNetwork Traffic Analysis
2013 Network Traffic Analysis Gerben Kleijn and Terence Nicholls 6/21/2013 Contents Introduction... 3 Lab 1 - Installing the Operating System (OS)... 3 Lab 2 Working with TCPDump... 4 Lab 3 - Installing
More informationTCP Performance Management for Dummies
TCP Performance Management for Dummies Nalini Elkins Inside Products, Inc. Monday, August 8, 2011 Session Number 9285 Our SHARE Sessions Orlando 9285: TCP/IP Performance Management for Dummies Monday,
More informationCSCI 4250/6250 Fall 2015 Computer and Networks Security
CSCI 4250/6250 Fall 2015 Computer and Networks Security Network Security Goodrich, Chapter 5-6 Tunnels } The contents of TCP packets are not normally encrypted, so if someone is eavesdropping on a TCP
More informationFirewalls, IDS and IPS
Session 9 Firewalls, IDS and IPS Prepared By: Dr. Mohamed Abd-Eldayem Ref.: Corporate Computer and Network Security By: Raymond Panko Basic Firewall Operation 2. Internet Border Firewall 1. Internet (Not
More informationOutline. CSc 466/566. Computer Security. 18 : Network Security Introduction. Network Topology. Network Topology. Christian Collberg
Outline Network Topology CSc 466/566 Computer Security 18 : Network Security Introduction Version: 2012/05/03 13:59:29 Department of Computer Science University of Arizona collberg@gmail.com Copyright
More informationIntrusion Detection System Based Network Using SNORT Signatures And WINPCAP
Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP Aakanksha Vijay M.tech, Department of Computer Science Suresh Gyan Vihar University Jaipur, India Mrs Savita Shiwani Head Of
More informationAttacks and Defense. Phase 1: Reconnaissance
Attacks and Defense Phase 1: Reconnaissance Phase 2: Port Scanning Phase 3: Gaining Access Using Application and Operating System Using Networks Phase 1: Reconnaissance Known as information gathering.
More informationFirewalls. Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49. Firewall Design Principles
Firewalls Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49 1 Firewall Design Principles Firewall Characteristics Types of Firewalls Firewall Configurations
More informationLecture 5: Network Attacks I. Course Admin
Lecture 5: Network Attacks I CS 336/536: Computer Network Security Fall 2013 Nitesh Saxena Adopted from previous lectures by Keith Ross Course Admin HW/Lab 1 Due Coming Monday 11am Lab sessions are active
More informationHow To Classify A Dnet Attack
Analysis of Computer Network Attacks Nenad Stojanovski 1, Marjan Gusev 2 1 Bul. AVNOJ 88-1/6, 1000 Skopje, Macedonia Nenad.stojanovski@gmail.com 2 Faculty of Natural Sciences and Mathematics, Ss. Cyril
More information[ X OR DDoS T h r e a t A d v i sory] akamai.com
[ X OR DDoS T h r e a t A d v i sory] akamai.com What is the XOR DDoS threat The XOR DDoS botnet has produced DDoS attacks from a few Gbps to 150+ Gbps The gaming sector has been the primary target, followed
More information1 hours, 30 minutes, 38 seconds Heavy scan. All scanned network resources. Copyright 2001, FTP access obtained
home Network Vulnerabilities Detail Report Grouped by Vulnerability Report Generated by: Symantec NetRecon 3.5 Licensed to: X Serial Number: 0182037567 Machine Scanned from: ZEUS (192.168.1.100) Scan Date:
More informationSession Hijacking Exploiting TCP, UDP and HTTP Sessions
Session Hijacking Exploiting TCP, UDP and HTTP Sessions Shray Kapoor shray.kapoor@gmail.com Preface With the emerging fields in e-commerce, financial and identity information are at a higher risk of being
More information1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding?
Page 1 of 5 1. Introduction The present document explains about common attack scenarios to computer networks and describes with some examples the following features of the MilsGates: Protection against
More informationNetwork/Internet Forensic and Intrusion Log Analysis
Course Introduction Enterprises all over the globe are compromised remotely by malicious hackers each day. Credit card numbers, proprietary information, account usernames and passwords, and a wealth of
More informationWe will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall
Chapter 10 Firewall Firewalls are devices used to protect a local network from network based security threats while at the same time affording access to the wide area network and the internet. Basically,
More informationNetwork Incident Report
To submit copies of this form via facsimile, please FAX to 202-406-9233. Network Incident Report United States Secret Service Financial Crimes Division Electronic Crimes Branch Telephone: 202-406-5850
More informationExercise 7 Network Forensics
Exercise 7 Network Forensics What Will You Learn? The network forensics exercise is aimed at introducing you to the post-mortem analysis of pcap file dumps and Cisco netflow logs. In particular you will:
More informationIntroduction to Firewalls Open Source Security Tools for Information Technology Professionals
Introduction to Firewalls Open Source Security Tools for Information Technology Professionals School of Professional Studies (SPS) The City University of New York (CUNY) Aron Trauring Adjunct Professor
More informationAlgorithms and Techniques Used for Auto-discovery of Network Topology, Assets and Services
Algorithms and Techniques Used for Auto-discovery of Network Topology, Assets and Services CS4983 Senior Technical Report Brian Chown 0254624 Faculty of Computer Science University of New Brunswick Canada
More informationGuide to Network Defense and Countermeasures Third Edition. Chapter 2 TCP/IP
Guide to Network Defense and Countermeasures Third Edition Chapter 2 TCP/IP Objectives Explain the fundamentals of TCP/IP networking Describe IPv4 packet structure and explain packet fragmentation Describe
More informationLooking for Trouble: ICMP and IP Statistics to Watch
Looking for Trouble: ICMP and IP Statistics to Watch Laura Chappell, Senior Protocol Analyst Protocol Analysis Institute [lchappell@packet-level.com] www.packet-level.com www.podbooks.com HTCIA Member,
More informationAn Analysis of Network Attacks and their Countermeasures
An Analysis of Network Attacks and their Countermeasures Ahmed Obied Department of Computer Science University of Calgary April 15, 2005 Abstract Malicious attacks are getting smarter, more widespread
More informationFirewalls and Intrusion Detection
Firewalls and Intrusion Detection What is a Firewall? A computer system between the internal network and the rest of the Internet A single computer or a set of computers that cooperate to perform the firewall
More information60467 Project 1. Net Vulnerabilities scans and attacks. Chun Li
60467 Project 1 Net Vulnerabilities scans and attacks Chun Li Hardware used: Desktop PC: Windows Vista service pack Service Pack 2 v113 Intel Core 2 Duo 3GHz CPU, 4GB Ram, D-Link DWA-552 XtremeN Desktop
More informationLab 7: Introduction to Pen Testing (NMAP)
Lab 7: Introduction to Pen Testing (NMAP) Aim: To provide a foundation in understanding of email with a focus on NMAP. Time to complete: Up to 60 minutes. Activities: Complete Lab 7: NMAP. Complete Test
More informationUsing SYN Flood Protection in SonicOS Enhanced
SonicOS Using SYN Flood Protection in SonicOS Enhanced Introduction This TechNote will describe SYN Flood protection can be activated on SonicWALL security appliance to protect internal networks. It will
More informationSecurity Mgt. Tools and Subsystems
Security Mgt. Tools and Subsystems some attack and defense security tools at work Reconaissance Passive Active Penetration Classes of tools (network-bound) Passive Reconaissance Passively listen and analyze
More informationFILE TRANSFER PROTOCOL INTRODUCTION TO FTP, THE INTERNET'S STANDARD FILE TRANSFER PROTOCOL
FTP FILE TRANSFER PROTOCOL INTRODUCTION TO FTP, THE INTERNET'S STANDARD FILE TRANSFER PROTOCOL Peter R. Egli INDIGOO.COM 1/22 Contents 1. FTP versus TFTP 2. FTP principle of operation 3. FTP trace analysis
More informationFirewalls and Software Updates
Firewalls and Software Updates License This work by Z. Cliffe Schreuders at Leeds Metropolitan University is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License. Contents General
More information[state of the internet] / DDoS Reflection Vectors. Threat Advisory: NetBIOS name server, RPC portmap and Sentinel reflection DDoS
TLP: GREEN Issue Date: 2015.10.28 Risk Factor- Medium Threat Advisory: NetBIOS name server, RPC portmap and Sentinel reflection DDoS 1.0 / OVERVIEW / In the third quarter of 2015, Akamai mitigated and
More informationDigital Forensic Tool for Decision Making in Computer Security Domain
Digital Forensic Tool for Decision Making in Computer Security Domain S. K. Khode 1,V. N. Pahune 2 and M. R. Sayankar 3 1, 2, 3 Computer Engineering Department of Bapurao Deshmukh College of Engineering,
More informationFirewalls. Basic Firewall Concept. Why firewalls? Firewall goals. Two Separable Topics. Firewall Design & Architecture Issues
CS 155 May 20, 2004 Firewalls Basic Firewall Concept Separate local area net from internet Firewall John Mitchell Credit: some text, illustrations from Simon Cooper Router All packets between LAN and internet
More informationAC 2012-3856: TEACHING NETWORK SECURITY THROUGH SIGNA- TURE ANALYSIS OF COMPUTER NETWORK ATTACKS
AC 2012-3856: TEACHING NETWORK SECURITY THROUGH SIGNA- TURE ANALYSIS OF COMPUTER NETWORK ATTACKS Dr. Te-Shun Chou, East Carolina University Te-Shun Chou received his bachelor s degree in electronics engineering
More informationNetwork Monitoring Tool to Identify Malware Infected Computers
Network Monitoring Tool to Identify Malware Infected Computers Navpreet Singh Principal Computer Engineer Computer Centre, Indian Institute of Technology Kanpur, India navi@iitk.ac.in Megha Jain, Payas
More informationPROFESSIONAL SECURITY SYSTEMS
PROFESSIONAL SECURITY SYSTEMS Security policy, active protection against network attacks and management of IDP Introduction Intrusion Detection and Prevention (IDP ) is a new generation of network security
More informationTCP SYN Flood - Denial of Service Seung Jae Won University of Windsor wons@uwindsor.ca
TCP SYN Flood - Denial of Service Seung Jae Won University of Windsor wons@uwindsor.ca Abstract TCP SYN flooding attack is a kind of denial-of-service attack. This SYN flooding attack is using the weakness
More informationCMPT 471 Networking II
CMPT 471 Networking II Firewalls Janice Regan, 2006-2013 1 Security When is a computer secure When the data and software on the computer are available on demand only to those people who should have access
More informationNetwork Intrusion Detection Systems. Beyond packet filtering
Network Intrusion Detection Systems Beyond packet filtering Goal of NIDS Detect attacks as they happen: Real-time monitoring of networks Provide information about attacks that have succeeded: Forensic
More informationOutline. Outline. Outline
Network Forensics: Network Prefix Scott Hand September 30 th, 2011 1 What is network forensics? 2 What areas will we focus on today? Basics Some Techniques What is it? OS fingerprinting aims to gather
More informationHONEYPOT SECURITY. February 2008. The Government of the Hong Kong Special Administrative Region
HONEYPOT SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without
More informationDos & DDoS Attack Signatures (note supplied by Steve Tonkovich of CAPTUS NETWORKS)
Dos & DDoS Attack Signatures (note supplied by Steve Tonkovich of CAPTUS NETWORKS) Signature based IDS systems use these fingerprints to verify that an attack is taking place. The problem with this method
More informationFirewalls Netasq. Security Management by NETASQ
Firewalls Netasq Security Management by NETASQ 1. 0 M a n a g e m e n t o f t h e s e c u r i t y b y N E T A S Q 1 pyright NETASQ 2002 Security Management is handled by the ASQ, a Technology developed
More informationSafeguards Against Denial of Service Attacks for IP Phones
W H I T E P A P E R Denial of Service (DoS) attacks on computers and infrastructure communications systems have been reported for a number of years, but the accelerated deployment of Voice over IP (VoIP)
More information