
Network Forensics
COMP 2555: Principles of Computer Forensics, Autumn 2014
http://www.cs.du.edu/2555

Slide 1: Network Forensics Overview
- Systematic tracking of incoming and outgoing traffic
  - To ascertain how an attack was carried out or how an event occurred on a network
- Intruders leave a trail behind
- Knowing your network's typical traffic patterns is important
  - Determine the cause of the abnormal traffic
    - Internal bug
    - Attackers

Slide 2: Securing a Network
- Layered network defense strategy
  - Sets up layers of protection to hide the most valuable data at the innermost part of the network
  - Deeper resources are difficult to get to
    - More safeguards in place
- Defense in depth (DiD)
  - Similar layered approach developed by the NSA
  - Modes of protection
    - People
    - Technology
    - Operations

Slide 3: Securing a Network (contd.)
- Testing networks is as important as testing servers
  - You need to be up to date on the latest methods intruders use to infiltrate networks
  - As well as methods internal employees use to sabotage networks
- You should be proactive in this game
  - Ensuring that network activities are normal
  - Having enough data to analyze a compromised network

Slide 4: Procedures for Network Forensics
- Computer forensics
  - Work from the image to find what has changed
- Network forensics
  - Restore drives to understand the attack
  - Work on an isolated system
    - Prevents malware from affecting other systems

Slide 5: Network Logs
- Record incoming and outgoing traffic
  - Network servers
  - Routers
  - Firewalls
- Tcpdump: tool for examining network traffic
  - Can generate top 10 lists
  - Can identify patterns

Slide 6: Sample Record in a Network Log
12:22:41.019630 IP (tos 0x0, ttl 64, id 15979, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 0 (->f0fd)!)
    130.253.190.122.60086 > 74.125.127.102.80: Flags [F.], cksum 0x0b82 (incorrect -> 0xa091), seq 3907206118, ack 447866512, win 65535, options [nop,nop,ts val 677501972 ecr 940801331], length 0
    0x0000: 4500 0034 3e6b 4000 4006 0000 82fd be7a E..4>k@.@...z
    0x0010: 4a7d 7f66 eab6 0050 e8e3 3be6 1ab1 e690 J}.f...P..;...
    0x0020: 8011 ffff 0b82 0000 0101 080a 2861 dc14 ...(a..
    0x0030: 3813 7d33 8.}3

Slide 7: Using Network Tools
- Sysinternals
  - A collection of free tools for examining Windows products
- Examples of the Sysinternals tools:
  - RegMon shows Registry data in real time
  - Process Explorer shows what is loaded
  - Handle shows open files and processes using them
  - Filemon shows file system activity

Slide 8: Using Network Tools (contd.)
- Tools from the PsTools suite created by Sysinternals
  - PsExec runs processes remotely
  - PsGetSid displays the security identifier (SID)
  - PsKill kills a process by name or ID
  - PsList lists details about a process
  - PsLoggedOn shows who's logged on locally
  - PsPasswd changes account passwords
  - PsService controls and views services
  - PsShutdown shuts down and restarts PCs
  - PsSuspend suspends processes

Slide 9: Using UNIX/Linux Tools
- Knoppix Security Tools Distribution (STD)
  - Bootable Linux CD intended for computer and network forensics
- Knoppix-STD tools
  - dcfldd - the U.S. DoD dd version
  - memfetch - forces a memory dump
  - photorec - grabs files from a digital camera
  - snort - an intrusion detection system
  - oinkmaster - helps manage your snort rules
  - john - a password cracker
  - chntpw - resets passwords on a Windows PC
  - tcpdump and ethereal - packet sniffers

Slide 10: Networking in a Nutshell

Slide 11: TCP/IP Model
- Application Layer: handles application-level communications (how does an FTP client talk to a server?)
- Transport Layer: packages data so that they can be sent in chunks, application addressing, etc.
- Internet Layer: handles route discovery (how to reach the destination machine?)
- Link Layer: moves packets between two hosts over a physical medium

Slide 12: A Packet
Each layer's payload carries the next layer's header and payload:
- Link Layer Header | Link Layer Payload
  - Internet Layer Header | Internet Layer Payload
    - Transport Layer Header | Transport Layer Payload
      - Application Layer Header | Application Data

Slide 13: Transport Layer Header (a TCP header)
- Source Port, Destination Port
- Sequence Number
- Acknowledgement Number
- Data Offset, Reserved, Flags, Window Size
- Checksum, Urgent Pointer
- Options

Slide 14: Internet Layer Header (an IP header)
- Version, Header Length, Type of Service, Total Length
- Identification, Flags, Fragment Offset
- Time To Live, Protocol, Header Checksum
- Source IP Address
- Destination IP Address
- Options

Slide 15: Link Layer Header (an 802.3 frame)
- Preamble, Start-of-Frame-Delimiter
- MAC Destination, MAC Source
- 802.1Q Header, EtherType
- Link Layer Payload
- CRC-32

Slide 16: TCP/IP Flags
- Starts at offset 0x0D (the 14th byte) in the TCP header; 8 bits:
  CWR ECE URG ACK PSH RST SYN FIN
- SYN packet has the corresponding bit set
  - Flag = 0b00000010 = 0x02
- SYN/ACK packet
  - Flag = 0b00010010 = 0x12
- ACK packet
  - Flag = 0b00010000 = 0x10

Slide 17: TCP/IP Handshake
- Three-step process to establish a connection
  - Client sends a SYN packet to the server
  - Server responds with a SYN/ACK packet
  - Client acknowledges receipt of the packet with an ACK packet
  - Connection is established
- Connection stays open until
  - Client sends a FIN packet or a RST packet
  - Connection times out
    - Either side has been silent for a long time

Slide 18: SYN Flood Attack
- SYN flood attack
  - A simple denial-of-service attack
  - Attacker initiates the handshake but does not complete it
  - Legitimate clients may have to wait if resources are allocated during the handshaking phase

Slide 19: Understanding a TCP/IP Packet
Annotated fields: timestamp (14:49:54.675225), source IP.Port (130.253.190.122.56223), destination IP.Port (74.125.127.19.80)
14:49:54.675225 IP (tos 0x0, ttl 64, id 57300, offset 0, flags [DF], proto TCP (6), length 64, bad cksum 0 (->4fdb)!)
    130.253.190.122.56223 > 74.125.127.19.80: Flags [S], cksum 0x7d4a (correct), seq 949075525, win 65535, options [mss 1460,nop,wscale 3,nop,nop,TS val 553564903 ecr 0,sackOK,eol], length 0
    0x0000: 4500 0040 dfd4 4000 4006 0000 82fd be7a E..@..@.@...z
    0x0010: 4a7d 7f13 db9f 0050 3891 be45 0000 0000 J}...P8..E...
    0x0020: b002 ffff 7d4a 0000 0204 05b4 0103 0303 ...}J...
    0x0030: 0101 080a 20fe bae7 0000 0000 0402 0000 ...

Slide 20: Understanding a TCP/IP Packet (contd.)
Annotations on the SYN packet of slide 19 (first byte of the dump, 0x45):
- IP version: 4
- IP header size (in number of 32-bit words): 5; size = 5 x 32 = 160 bits = 20 bytes
- IP header: bytes 0x0000-0x0013 of the dump
- TCP header size (in number of 32-bit words): 11; size = 11 x 4 = 44 bytes
- TCP header: the remaining 44 bytes of the dump

Slide 21: Understanding a TCP/IP Packet (contd.)
First step of handshake (the SYN packet of slide 19):
- Sequence number (949075525): randomly generated initially
- Offset 0x0D: Flags 0x02 = 00000010
- This is a SYN packet sent from 130.253.190.122 to Google while opening gmail.com

Slide 22: Understanding a TCP/IP Packet (contd.)
Second step of handshake: SYN/ACK from Google in response to the SYN packet
- Acknowledgment number: seq. no. in SYN packet + 1
- Offset 0x0E: Flags 0x12 = 00010010
14:49:54.713335 IP (tos 0x0, ttl 51, id 43889, offset 0, flags [none], proto TCP (6), length 60)
    74.125.127.19.80 > 130.253.190.122.56223: Flags [S.], cksum 0x363e (correct), seq 3167645671, ack 949075526, win 5672, options [mss 1380,sackOK,TS val 1190383227 ecr 553564903,nop,wscale 6], length 0
    0x0000: 4500 003c ab71 0000 3306 d142 4a7d 7f13 E..<.q..3..BJ}..
    0x0010: 82fd be7a 0050 db9f bcce 6fe7 3891 be46 ...z.p...o.8..f
    0x0020: a012 1628 363e 0000 0204 0564 0402 080a ...(6>...d...
    0x0030: 46f3 ce7b 20fe bae7 0103 0306 F..{...

Slide 23: Understanding a TCP/IP Packet (contd.)
Third step of handshake: ACK from 130.253.190.122 to Google
- Acknowledgment number: seq. no. in SYN/ACK packet + 1
- Offset 0x0E: Flags 0x10 = 00010000
14:49:54.713699 IP (tos 0x0, ttl 64, id 32705, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 0 (->affa)!)
    130.253.190.122.56223 > 74.125.127.19.80: Flags [.], cksum 0x7ae1 (correct), seq 949075526, ack 3167645672, win 65535, options [nop,nop,ts val 553564903 ecr 1190383227], length 0
    0x0000: 4500 0034 7fc1 4000 4006 0000 82fd be7a E..4..@.@...z
    0x0010: 4a7d 7f13 db9f 0050 3891 be46 bcce 6fe8 J}...P8..F..o.
    0x0020: 8010 ffff 7ae1 0000 0101 080a 20fe bae7 ...z...
    0x0030: 46f3 ce7b F..{
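The field reading done by hand on slides 19 to 23 can be reproduced in code. The following Python is an added worked example, not part of the lecture: it takes the hex columns of the three tcpdump dumps exactly as printed on the slides, decodes the IP and TCP header fields discussed on slides 16 and 20 to 23 (version, header lengths, ports, sequence and acknowledgment numbers, flag byte), recomputes the IP header checksum that tcpdump flagged as "bad cksum 0 (->4fdb)", and checks the seq/ack relations that tie the three packets into one handshake. The function and variable names are the example's own.

```python
"""Decode the tcpdump hex dumps from slides 19-23 and verify the handshake.

Added example: the byte dumps are the lecture's own captures (ASCII columns
dropped); the decoding code is not from the slides.
"""
import ipaddress

# tcpdump -xx style dumps copied from the slides, hex columns only.
SYN_DUMP = """
0x0000: 4500 0040 dfd4 4000 4006 0000 82fd be7a
0x0010: 4a7d 7f13 db9f 0050 3891 be45 0000 0000
0x0020: b002 ffff 7d4a 0000 0204 05b4 0103 0303
0x0030: 0101 080a 20fe bae7 0000 0000 0402 0000
"""
SYNACK_DUMP = """
0x0000: 4500 003c ab71 0000 3306 d142 4a7d 7f13
0x0010: 82fd be7a 0050 db9f bcce 6fe7 3891 be46
0x0020: a012 1628 363e 0000 0204 0564 0402 080a
0x0030: 46f3 ce7b 20fe bae7 0103 0306
"""
ACK_DUMP = """
0x0000: 4500 0034 7fc1 4000 4006 0000 82fd be7a
0x0010: 4a7d 7f13 db9f 0050 3891 be46 bcce 6fe8
0x0020: 8010 ffff 7ae1 0000 0101 080a 20fe bae7
0x0030: 46f3 ce7b
"""

# Bits of the TCP flag byte (offset 13 of the TCP header), in slide 16's order.
FLAG_BITS = [("CWR", 0x80), ("ECE", 0x40), ("URG", 0x20), ("ACK", 0x10),
             ("PSH", 0x08), ("RST", 0x04), ("SYN", 0x02), ("FIN", 0x01)]


def hexdump_to_bytes(dump):
    """Turn 'offset: hhhh hhhh ...' lines into raw bytes, ignoring the offsets."""
    words = []
    for line in dump.strip().splitlines():
        _offset, _, rest = line.partition(":")
        words.extend(rest.split())
    return bytes.fromhex("".join(words))


def ip_checksum(header):
    """RFC 1071 one's-complement sum over the IP header with its checksum field zeroed."""
    data = header[:10] + b"\x00\x00" + header[12:]
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:                     # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_packet(raw):
    """Decode the IPv4 and TCP headers of one packet (no link-layer header present)."""
    version, ihl = raw[0] >> 4, (raw[0] & 0x0F) * 4   # slide 20: 0x45 -> v4, 5 words = 20 bytes
    if version != 4 or raw[9] != 6:
        raise ValueError("expected an IPv4/TCP packet")
    tcp = raw[ihl:]
    data_offset = (tcp[12] >> 4) * 4                  # slide 20: 0xb -> 11 words = 44 bytes
    return {
        "src": str(ipaddress.IPv4Address(raw[12:16])),
        "dst": str(ipaddress.IPv4Address(raw[16:20])),
        "ttl": raw[8],
        "ip_hdr_len": ihl,
        "ip_cksum_stored": int.from_bytes(raw[10:12], "big"),
        "ip_cksum_computed": ip_checksum(raw[:ihl]),
        "sport": int.from_bytes(tcp[0:2], "big"),
        "dport": int.from_bytes(tcp[2:4], "big"),
        "seq": int.from_bytes(tcp[4:8], "big"),
        "ack": int.from_bytes(tcp[8:12], "big"),
        "tcp_hdr_len": data_offset,
        "flags": tcp[13],
        "flag_names": [name for name, bit in FLAG_BITS if tcp[13] & bit],
        "window": int.from_bytes(tcp[14:16], "big"),
        "payload_len": len(tcp) - data_offset,
    }


def verify_handshake(syn, synack, ack):
    """Check the three-way handshake relations from slides 17 and 21-23."""
    same_flow = (syn["src"], syn["sport"], syn["dst"], syn["dport"]) == \
                (synack["dst"], synack["dport"], synack["src"], synack["sport"]) == \
                (ack["src"], ack["sport"], ack["dst"], ack["dport"])
    return (same_flow
            and syn["flags"] == 0x02 and synack["flags"] == 0x12 and ack["flags"] == 0x10
            and synack["ack"] == (syn["seq"] + 1) % 2**32      # server acks client ISN + 1
            and ack["seq"] == (syn["seq"] + 1) % 2**32         # client continues at ISN + 1
            and ack["ack"] == (synack["seq"] + 1) % 2**32)     # client acks server ISN + 1


if __name__ == "__main__":
    pkts = [parse_packet(hexdump_to_bytes(d)) for d in (SYN_DUMP, SYNACK_DUMP, ACK_DUMP)]
    for p in pkts:
        print(f'{p["src"]}.{p["sport"]} > {p["dst"]}.{p["dport"]} {p["flag_names"]} '
              f'seq={p["seq"]} ack={p["ack"]} ip_hdr={p["ip_hdr_len"]}B tcp_hdr={p["tcp_hdr_len"]}B '
              f'ip cksum stored=0x{p["ip_cksum_stored"]:04x} computed=0x{p["ip_cksum_computed"]:04x}')
    print("handshake consistent:", verify_handshake(*pkts))
```

The recomputed checksums match what tcpdump printed in parentheses (0x4fdb and 0xaffa for the two outbound packets, 0xd142 stored and valid for the inbound SYN/ACK). A stored value of 0 on packets leaving the capturing host is the usual sign of checksum offloading: the capture is taken before the network card fills the field in, so "bad cksum" on your own outbound traffic is normally a capture artifact rather than corruption, while a mismatch on inbound traffic deserves a closer look.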

Slide 24: Exercise
- Open coursesite.pcap (download from the course website) in Wireshark
  - https://www.wireshark.org/download.html
- This is a capture of a session where a browser was used to open our course website
- Understand the communication going between the client and the web server
  - Use Statistics > Flow Graph
  - Choose TCP flow
  - What is going on with the Seq./Ack. numbers?

Slide 25: Using Port Scanners
- A port is an endpoint of communication in a network
  - Much like an electrical socket
    - Appliances are plugged into it
  - One machine connects to another through an open port
- Port scanners allow an investigator to determine which ports are open on a remote system (or the local system)
  - Unusual open ports may be indicative of suspicious activity
    - A rootkit allowing remote access to the system
- Tools
  - Netcat
  - Portqry
  - Nmap

Slide 26: Using Port Scanners (contd.)
- Port scanning involves
  - Sending a SYN packet to a system at a port number
  - If the port is open (a server is waiting for connections on the port), the server will respond with a SYN/ACK packet
  - Sending the ACK packet, followed by a FIN packet to terminate the connection
- All discovered open ports must be accounted for
  - Which software is listening on which port

Slide 27: Using Port Scanners (contd.)
- Stealth scanning
  - Follows the same steps as a regular port scan, but instead of sending an ACK packet, the scanner sends a RST packet
  - Server immediately terminates the TCP connection upon receipt of an RST packet
  - Stealthy because most systems log incoming connection requests only when all three steps of the handshake complete
- Banner grabbing
  - Send a legitimate request at the identified port after a successful handshake
  - Elicits a response having information about the kind of service running at that port

Slide 28: Using Nmap
- Network mapper utility for network exploration or security auditing
- Includes
  - Port scanning
  - OS detection
  - Service detection
  - Version detection
- Available for almost all popular operating systems
- www.nmap.org

Slide 29: Using Nmap (contd.)
- Some options (Nmap options are case-sensitive)
  - -sT : a regular SYN scan
  - -sS : a stealth scan
  - -sV : attempt to identify service
  - -O : attempt to identify OS
  - -p <range> : scan ports specified in range
    - E.g. -p 1-1024,1078,1090
  - -v : verbose mode
  - -P0 : do not ping hosts before scanning
  - -sF, -sN, -sX : FIN scan, null scan, Christmas (Xmas) scan
  - -sA : ACK scan
  - And many more: see http://nmap.org/bennieston-tutorial/

Slide 30: Using Nmap (contd.)
- -sF, -sX, -sN
  - Scanning using SYN packets may not work if an IDS is in place
  - Closed ports will send a RST back
  - Open ports will drop these packets since they are waiting for SYN packets
  - MS Windows will drop them even if the port is closed
    - Combined with a regular scan, you can know there is likely a Windows machine on the other side
- -sA
  - Is the firewall stateless (just blocking incoming SYN packets) or stateful (tracks the connections)?
  - A RST packet in reply points at a stateless firewall

Slide 31: Using Packet Sniffers
- Packet sniffers
  - Devices or software that monitor network traffic
  - Log (capture) incoming and outgoing packets
  - See what various systems are saying to each other
- Most tools follow the PCAP format to store the data
- Tools
  - Tcpdump
  - Windump
  - Netcap
  - Wireshark (previously known as Ethereal)

Slide 32: Using Packet Sniffers (contd.)
- Captured packets can reveal who has connected to an identified Trojan in a system
  - Including the commands and data exchanged through the Trojan
  - Useful, in general, to see who is making connections to your system
- Captured packets can reveal the entire communication sequence between two systems
  - Too many initiated connections without any data exchange
    - Perhaps someone is trying a port scan!
    - SYN flood attack

Slide 33: Analyzing Packet Traces
- Packet sniffers will log packets; analyzing them to obtain useful information is your task
- FTP traffic capture
  - What is the name and version of the FTP server?
  - What password was used during an anonymous login?
  - What files were transferred?
  - What are the contents of those files?
- Netcat traffic capture
  - Netcat is a flexible utility that facilitates reading/writing data using TCP/UDP network connections
  - What port is the netcat listener running on?
  - What commands were issued?

Slide 34: Analyzing Packet Traces (contd.)
- IIS traffic capture
  - Microsoft Internet Information Services web server
  - What version of IIS is running?
  - What browser and OS is a client using?
  - What commands were sent by the browser?
  - Is there any known vulnerability that is being exploited?
- Nmap traffic capture
  - What type of nmap scan was run?
  - Which system(s) is (are) being scanned?
- Let's look at some examples using Wireshark!

Slide 35: The Honeynet Project
- Attempt to thwart Internet and network hackers
- Provides information about attack methods
- Objectives
  - Awareness: threats do exist out there
  - Information: how do attackers operate and how to protect against their tactics
  - Tools: methods to protect resources
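Slide 32's two warning signs, many initiated connections with no data exchange (a port scan) and many half-open handshakes against one service (a SYN flood), are the kind of pattern an analyst looks for in a trace (slides 33 and 34). The following Python is an added example, not part of the lecture: it reads tcpdump one-line summaries (the `-n` style shown in the slides' first line of each record), tracks each connection opened by a SYN through the rest of its handshake, and reports sources whose connections never completed or carried data. The log lines are constructed for the example and reuse the slide's Google handshake as the one benign flow; the thresholds and function names are the example's own.

```python
"""Flag half-open connection patterns (port scan / SYN flood) in tcpdump summary lines.

Added example, not from the lecture. The log lines are constructed and the
thresholds are illustrative; tune them to the network being analyzed.
"""
import re
from collections import defaultdict

# Constructed tcpdump -n one-line summaries: one benign handshake (from the
# slides), one source probing six ports, one source flooding a single service.
SAMPLE_LOG = """\
14:49:54.675225 IP 130.253.190.122.56223 > 74.125.127.19.80: Flags [S], seq 949075525, win 65535, length 0
14:49:54.713335 IP 74.125.127.19.80 > 130.253.190.122.56223: Flags [S.], seq 3167645671, ack 949075526, win 5672, length 0
14:49:54.713699 IP 130.253.190.122.56223 > 74.125.127.19.80: Flags [.], ack 3167645672, win 65535, length 0
14:49:54.714002 IP 130.253.190.122.56223 > 74.125.127.19.80: Flags [P.], seq 949075526:949075880, ack 3167645672, win 65535, length 354
14:50:01.000001 IP 198.51.100.7.40001 > 192.0.2.10.21: Flags [S], seq 1, win 1024, length 0
14:50:01.000002 IP 198.51.100.7.40002 > 192.0.2.10.22: Flags [S], seq 2, win 1024, length 0
14:50:01.000003 IP 198.51.100.7.40003 > 192.0.2.10.23: Flags [S], seq 3, win 1024, length 0
14:50:01.000004 IP 198.51.100.7.40004 > 192.0.2.10.25: Flags [S], seq 4, win 1024, length 0
14:50:01.000005 IP 198.51.100.7.40005 > 192.0.2.10.80: Flags [S], seq 5, win 1024, length 0
14:50:01.000006 IP 192.0.2.10.80 > 198.51.100.7.40005: Flags [S.], seq 7, ack 6, win 29200, length 0
14:50:01.000007 IP 198.51.100.7.40005 > 192.0.2.10.80: Flags [R], seq 6, win 0, length 0
14:50:01.000008 IP 198.51.100.7.40006 > 192.0.2.10.443: Flags [S], seq 8, win 1024, length 0
14:50:05.000001 IP 203.0.113.5.1001 > 192.0.2.10.80: Flags [S], seq 11, win 512, length 0
14:50:05.000002 IP 203.0.113.5.1002 > 192.0.2.10.80: Flags [S], seq 12, win 512, length 0
14:50:05.000003 IP 203.0.113.5.1003 > 192.0.2.10.80: Flags [S], seq 13, win 512, length 0
14:50:05.000004 IP 203.0.113.5.1004 > 192.0.2.10.80: Flags [S], seq 14, win 512, length 0
14:50:05.000005 IP 203.0.113.5.1005 > 192.0.2.10.80: Flags [S], seq 15, win 512, length 0
14:50:05.000006 IP 203.0.113.5.1006 > 192.0.2.10.80: Flags [S], seq 16, win 512, length 0
"""

# timestamp, src.port > dst.port, the flag letters in brackets, trailing length.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*?length (?P<length>\d+)$")


def parse_line(line):
    """Return the fields of one tcpdump summary line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "length"):
        rec[key] = int(rec[key])
    return rec


def summarize_flows(lines):
    """Track each client-initiated flow: did a SYN/ACK come back, did the client
    complete the handshake with a bare ACK, and how many payload bytes did it send."""
    flows = {}
    for rec in filter(None, map(parse_line, lines)):
        fwd = (rec["src"], rec["sport"], rec["dst"], rec["dport"])
        rev = (rec["dst"], rec["dport"], rec["src"], rec["sport"])
        if rec["flags"] == "S":                           # bare SYN opens a flow record
            flows.setdefault(fwd, {"synack": False, "completed": False, "data": 0})
        elif fwd in flows:                                # later client-side packets
            if rec["flags"] == ".":
                flows[fwd]["completed"] = True
            flows[fwd]["data"] += rec["length"]
        elif rev in flows and "S" in rec["flags"] and "." in rec["flags"]:
            flows[rev]["synack"] = True                   # server answered with SYN/ACK
    return flows


def detect(flows, scan_ports=5, flood_syns=5):
    """Per source: distinct services probed without a completed, data-carrying
    connection (scan pattern) and half-open SYNs piled on one service (flood pattern)."""
    half_open_targets = defaultdict(set)
    half_open_per_service = defaultdict(int)
    for (src, _sport, dst, dport), state in flows.items():
        if not state["completed"] and state["data"] == 0:
            half_open_targets[src].add((dst, dport))
            half_open_per_service[(src, dst, dport)] += 1
    findings = []
    for src, targets in half_open_targets.items():
        if len(targets) >= scan_ports:
            findings.append(("possible port scan", src, len(targets)))
    for (src, dst, dport), n in half_open_per_service.items():
        if n >= flood_syns:
            findings.append(("possible SYN flood", src, f"{dst}:{dport} x{n}"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in detect(summarize_flows(SAMPLE_LOG.splitlines())):
        print(*finding)
```

The benign flow completes its handshake and carries 354 bytes, so it is never counted. The probing source reaches one open port (80 answers with SYN/ACK) but tears it down with RST instead of an ACK, which is exactly the stealth-scan behaviour described on slide 27, and it still shows up as half-open. Running the same logic over a real capture means feeding it the output of tcpdump's summary mode rather than the embedded sample; the rest of the code is unchanged.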

Slide 36: The Honeynet Project (contd.)
- Distributed denial-of-service (DDoS) attacks
  - A recent major threat
  - Hundreds or even thousands of machines (zombies) can be used
- Zero day attacks
  - Another major threat
  - Attackers look for holes in networks and OSs and exploit these weaknesses before patches are available
- Honeypot
  - Normal-looking computer that lures attackers to it
- Honeywalls
  - Monitor what's happening to honeypots on your network and record what attackers are doing

Slide 37: References
- Ch 11: B. Nelson, A. Phillips and C. Steuart, Guide to Computer Forensics and Investigations. ISBN: 978-1-435-49883-9