Networks & Security Course. Web of Trust and Network Forensics

Transcription

1 Networks & Security Course Web of Trust and Network Forensics

2 Virtual Machine Virtual Machine Internet connection You need to connect the VM to the Internet for some of the Web of Trust exercises. Make sure the Firewall does not restrict connections coming from Virtualbox / VMware. Ensure time in VM is set (approximately) correctly (see next slide) Needed for some services Some exercises require sharing files can use the TU/e FTP server (see below) or USB sticks or...

3 Virtual Machine Enable Network Time [1] If date/time is off in your virtual machine: [2] [3] 1. Right click the date in the bar, select Adjust Date and Time 2. Click Unlock in the Date and Time screen You will be prompted for password when trying to change the settings ( secnet by default). 3. Turn on Network Time

4 TU/e FTP Server An unsafe and public medium where files are visible to everyone. Can use Debian s own file browser to connect. Places > Connect to Server Server: ftp.tue.nl Folder: /upload/2ic60_2015

5 Lab session overview Web of trust PGP & OpenPGP GnuPG Seahorse Introduction to Network Forensics Wireshark basics Recognizing attacks

6 OpenPGP and GnuPG OpenPGP (PGP=`Pretty Good Privacy ) is a common asymmetric encryption standard and GnuPG is an implementation of OpenPGP used for encryption and signing of messages. Web of trust: Decentralized method of establishing authenticity of public keys (as opposed to using a certificate authority). Participants issue certificates; they digitally sign (public key, user name) pairs for user s they known to verify the connection. This can happen e.g. at a `key signing party ; people meet physically to check and sign each others keys (like the one in this lab). Tool required: GPG, command-line tool Seahorse, graphical front-end for GPG

7 OpenPGP and GnuPG source: xkcd.com Background information: Section 8.5 of the textbook

8 Seahorse a GUI for GnuPG Can be used to create keys and view the keys available in your keyring. Is helpful, but you still need to use the command line tool, gpg to interact with the key server, and encryption/decrypting files. 03-Jun-15

9 Exercise 1.1 Generate a public key. File > New > PGP key Enter your details and click Create.

10 Exercise 1.1 Your key should appear in the GnuPG keys list. You can use View menu to filter the public keys (those created by you / those you signed etc.) The RSA public key is long. There will be a key ID and a fingerprint to identify it more easily. Right click and select Properties for details. 03-Jun-15

11 Exercise 1.2 Share your public key with others. You can use a key server to do it. Alternatively you can upload it somewhere, share via USB stick, etc. Use the command-line tool gpg to upload your key to the server (don t use the graphic front-end it does not play nice with key servers) gpg --send-keys <Your key ID>

12 Exercise 1.3 Import some keys to your keyring and sign them (after verifying the identity of the owner). This builds the web of trust. Try to create a connected web rather than isolated clusters. If your classmates shared their keyring via the key server: gpg --recv-keys <peer key id> to import them

13 Exercise 1.3 The keys you imported will show up in the front-end. By default the front-end only shows the keys you created, so make sure to select View > Show any to display all keys. You can sign the keys via command-line or the graphical interface. Command line: gpg -u <your key ID> --sign-key <imported key ID> After signing your peer s key, update the key server: gpg --send-keys <peer signed key ID> (might take a minute or two for the key server to reflect the update) Update your keyring by adding some keys that are signed by other classmates: gpg --recv-keys <peer key id>

14 Exercise 1.4 Create a text file and sign it with your public key. Transfer it to a public medium (e.g. TU/e FTP server). Verify the signatures of your peers. Sign a file: gpg -u <key ID> --sign <filename> Decrypt file & verify sender: gpg -u <key ID> --decrypt <filename> Verify sender only: gpg -u <key ID> --verify <filename>

15 Exercise 1.5 Create a text file and encrypt it with a recipient s public key. Transfer it to a public medium (e.g. TU/e FTP server). Decrypt a message sent to you and attempt to decrypt a message intended for someone else. Signing: gpg -u <key ID> --sign <filename> You ll be prompted for the recipient s key ID Decrypting: gpg -u <key ID> --decrypt <filename>

16 Conclusions Web of Trust You ve established a web of trust for the class The stronger the connection between you and some key the greater the level of trust. full trust in directly checked keys can also place trust in keys signed by keys you trust You ve used the trusted keys to securely share files where secure = confidentiality/integrity/authenticity of file can also use to send secure s 03-Jun-15

17 Network Forensics Forensics: Analysis of logs or network trace files after the attack has happened. Tools needed: Wireshark and your favorite search engine

18 PCAP Files Network traffic data captured during the attacks. Relatively small and filtered, contains information relevant to the attacker and victim only. A PCAP from an actual personal computer will have much more variety in traffic. In some of the PCAPs, the attacker uses exploits and malware to break into the victim s system. If you choose to use your own PC instead of the virtual machine, the malware binaries in the files could trigger your anti-virus, but you are safe as long as you don t convert them into.exe files and run them on a Windows XP machine.

19 Wireshark Analyzes network traffic and decodes a variety of protocols. Can be used for real-time monitoring as well. We use it for offline forensics in the current lab. Decoding does not work perfectly: Wireshark can miss if the packet capture started in the middle of a transaction, or if the parser has a problem. Commands particularly useful for this exercise: Statistics (Summary, Conversations, Endpoint List, etc.), Analyze (Decode As, Follow TCP Stream) Filtering, with expressions such as tcp.port==4445

20 Wireshark - Filtering Allows to focus on relevant parts of the traffic. Packets can be filtered according to host, protocol, time, TCP flags, session id, etc. More about filters: d/chworkbuilddisplayfiltersection.html Filter reference (per protocol):

21 Wireshark Filter examples All packets from the IP : ip.src eq All TCP packets: tcp All TCP packets with the source 443: tcp.srcport eq 443 All HTTP traffic: http

22 Wireshark Filter examples All TCP packets except HTTP traffic: tcp and (not http) All HTTP communication between and : (ip.addr eq ) and (ip.addr eq ) and http TCP packets with SYN flag set to 1 tcp.flags.syn eq 1

23 Wireshark Statistics Statistics menu is useful for getting an overview of the traffic. Statistics>Conversations to list TCP sessions Statistics>Protocol hierarchy to find out the protocols commonly used in the conversation. Statistics >Endpoints to list the hosts.

24 Wireshark - Stream Right click on a packet and click Follow TCP/UDP/.. Stream to view the conversation in a specific session. Particularly helpful with the text-based protocols.

25 Exercise 2: Classify the attacks Four PCAP files are given in the folder: ~/PCAP. Each containing traffic capture from an attack. Identify the attack in each file as one of the following: 1. Spear phishing (by user clicking on a malicious link) 2. TCP port scan 3. Buffer overflow over a Windows service 4. Malicious PHP query against a Web server