Practical Network Forensics

Transcription

1 BCS-ISSG Practical Network Forensics Day BCS, London Practical Network Forensics Alan Woodroffe Copyright Secure Systems Support Limited.

2 Practical Network Forensics Open Source Tools Preparation Passive Discovery (and some Active) Background Information Tool Usage Practical Network Topology Practical

3 Open Source Tools Tools Passive Network Analysis Wireshark (Linux and Windows) packet sniffer GUI excellent filtering and re-construction facilities tcpdump, tcpreplay, tcpxtract (Linux) packet sniffer command line excellent filtering and re-construction facilities etherape (Linux) packet sniffer graphical traffic summary

4 Preparation - Reconnaissance Discover Network infrastructure types copper / fibre / radio / satellite Type, number and location of: Network / Server hardware / Printers Workstations Network services including: DHCP / DNS / WNS Web Servers / Internet Gateway Servers Print / File Shares / Network Storage

5 Preparation - Equipment Configure and update software / drivers Network interfaces Ethernet / Token Ring / copper / fibre Before connecting Date / Time synchronisation or use ntp? After connecting ifconfig eth0 up dhclient eth0 or not? tcpdump / wireshark

6 Passive Discovery Network address ranges Discover the corporate address ranges Search for any outside that range: tcpdump -nvtttts 0 not net /8 Look for /16 (DHCP failure) Look for /24 (domestic) Look for /24

7 Passive Discovery Discover Noisy operating systems Windows NetBIOS network traffic tcpdump -nvxtttts 0 udp port 138 General network traffic etherape

8 etherape Passive Discovery

9 Passive Discovery tcpdump (Linux) Command line packet sniffer / analyser Remember options: -n No DNS lookup (stay passive) -v Verbose, can use -vv -tttt Use YYYY-MM-DD HH:MM:SS.dec -s 0 Snaplen (capture packet size) 0 -e Show link layer (MAC) addresses -X Show hex and ASCII data

10 Active Discovery Connecting to Local Area Networks network-manager automated network interface management software attempts to connect to networks whenever it can ifconfig manually configure network interface ifconfig eth ifconfig eth0 up dhclient automatically configure network interface dhclient eth0 route manually network routing route add default gw

11 Active Discovery Ping (ICMP echo request / reply) ping single host ping -b broadcast Arp (Address Resolution Protocol) arp -an (Linux / Windows) Internet Address Physical Address Type b-cd-c1-e5-c4 dynamic d4-5b-f8 dynamic c c1-32 dynamic

12 Active Discovery OUI information: standards.org.ieee/regauth/oui/oui.txt Discover hardware vendors: Physical Address Vendor 00-0b-cd-c1-e5-c4 Hewlett Packard d4-5b-f8 OKI Electric Industry 00-0c c1-32 VMWare

13 Active Discovery Log ARP data or arp -n >>arp.log arp -n >>arp.log mv arp.log arp.log.old sort -u arp.log.old >arp.log

14 Background Information - Cheat Sheets Google: tcpdump cheat sheet Security Wizardry (Andy Cuff) lysis-crib-sheets/rawpackets.html PacketLife (unknown) Secure Systems Support (Alan Woodroffe) headers.pdf

15 Background Information - ISO 7 Layer Model ISO Model Layer Computing Use Perceived Direct Link Computing Use ISO Model Layer Application Web Browser, FTP, Telnet Browser Server, Telnet client telnetd Web Browser, FTP, Telnet Application Presentation Presentation Session Session Transport TCP, UDP TCP protocol TCP, UDP Transport Network IP, ICMP IP protocol IP, ICMP Network Link Device driver, NIC, ARP Ethernet protocol Device driver, NIC, ARP Link Physical Ethernet cable Electrical voltage Ethernet cable Physical

16 Background Information - IP protocol TCP three way handshake: SYN SYN-ACK ACK TCP FLAGS: --UAPRSF URG - Urgent (use Urgent pointer) ACK - Acknowledgement PSH - Push (flush data to receiver) RST - Reset (abort) SYN - Synchronise (start) FIN - Finish (end gracefully) SIN or FIN flag are set tcp[13] & 0x03 > 0'

17 tcpdump - filtering tcpdump (Linux) Command line packet sniffer / analyser Remember options: -n No DNS lookup (stay passive) -v Verbose, can use -vv -tttt Use YYYY-MM-DD HH:MM:SS.dec -s 0 Snaplen (capture packet size) 0 -e Show link layer (MAC) addresses -X Show hex and ASCII data

18 tcpdump - filtering Alien protocols IPX / IPv6 / Jumbo frames / AppleTalk tcpdump -nr <kismet-dumpfile> not ip and not arp Client devices unauthorised equipment using corporate network identify by MAC address? bridging your network to other networks e.g. 3G identify by abnormal data traffic patterns? identify by routed IP packet?

19 tcpdump - filtering Network address ranges Discover the corporate address ranges Search for any outside that range: tcpdump -nvtttts 0 not net /8 Look for /16 (DHCP failure) Look for /24 (domestic) Look for /24

20 tcpdump - filtering in IP address range net /8 outside IP address range not net /8 Link Local activity net /16 Windows NetBIOS traffic udp port 138 Unusual protocols not ip and not arp Save traffic from NIC eth2 i eth2 w dumpfile VLAN 12 on NIC eth1 i eth tcp SIN or FIN flag are set tcp[13] & 0x03 > 0'

21 Practical Network Topology Connecting to the Network Automatic (DHCP) dhclient eth0 Manual ifconfig eth Passive (no output) ifconfig eth0 up Disable ifconfig eth ifconfig eth0 down Specify Gateway route add default gw

22 /22 XP3 DHCP XP1 DHCP XP2 DHCP Practical Network Topology / Mbps Hub 100Mbps Hub

23 Practical Tasks Running tcpdump Launch a terminal window Run tcpdump: tcpdump ni eth0 (Ctrl-C to stop) Run tcpdump: tcpdump ni eth0 w dump1.tcpd (Ctrl-C to stop)

24 Practical Tasks Generating data to capture Launch Firefox Browse to Close Firefox

25 Practical Tasks Examining captured data ls ltr tcpdump nr dump1.tcpd tcpdump nr dump1.tcpd tcp

26 Practical Tasks Examining captured data ls ltr tcpxtract f dump1.tcpd ls ltr cat <file>.html display <file>.gif

27 Practical Tasks Full packet capture Log all packets on NIC eth1, writing to files named e.g tcpd2, starting a new file after every 100MB of logged packets tcpdump ni eth1 C 100 w `date +%Y%m%d%H%M%S `.tcpd

28 Practical Tasks IP Time to Live (hop count) Analyse pre-recorded tcpdump file and examine the TTL values for web browsing packets tcpdump nvr 3s.web.tcpd

29 Practical Tasks Typical TTL initial values Linux 64 Windows 128 Cisco Router 255

30 Practical Tasks Web site traffic (HTTP) Analyse pre-recorded tcpdump file and examine web browsing packets tcpdump nr bbc.web.tcpd tcp port 80

31 Practical Tasks Secure web site traffic (HTTPS) Analyse pre-recorded tcpdump file and examine web browsing packets tcpdump nr https.web.tcpd tcp port 443

32 Practical Tasks Other investigations?

33 /22 XP3 DHCP XP1 DHCP XP2 DHCP Practical Network Topology / Mbps Hub 100Mbps Hub

34 BCS-ISSG Practical Network Forensics Day BCS, London Questions?. Alan Woodroffe Copyright Secure Systems Support Limited.