BCS-ISSG Practical Network Forensics Day BCS, London Practical Network Forensics Alan Woodroffe issg@securesystemssupport.co.uk www.securesystemssupport.co.uk Copyright Secure Systems Support Limited.
Practical Network Forensics - Agenda
  Open Source Tools
  Preparation
  Passive Discovery (and some Active)
  Background Information
  Tool Usage
  Practical Network Topology
  Practical
Open Source Tools - Passive Network Analysis
  Wireshark (Linux and Windows): packet sniffer, GUI, excellent filtering and re-construction facilities
  tcpdump (Linux): packet sniffer, command line, excellent filtering; tcpreplay replays a saved capture onto the wire; tcpxtract carves files (HTML, images, ...) out of a capture
  etherape (Linux): packet sniffer, graphical traffic summary
Preparation - Reconnaissance
  Discover network infrastructure types: copper / fibre / radio / satellite
  Type, number and location of: network / server hardware, printers, workstations
  Network services including: DHCP / DNS / WINS; web servers / Internet gateway servers; print / file shares / network storage
Preparation - Equipment
  Configure and update software / drivers
  Network interfaces: Ethernet / Token Ring / copper / fibre
  Before connecting: date / time synchronisation (set the clock by hand, or use ntp? ntp itself generates traffic once you are connected)
  After connecting: ifconfig eth0 up (no address, stays quiet); dhclient eth0 or not? (DHCP is active and announces your presence)
  tcpdump / wireshark
Passive Discovery - Network address ranges
  Discover the corporate address ranges
  Search for any outside that range: tcpdump -nvtttt -s 0 not net 10.0.0.0/8
  Look for 169.254.0.0/16 (link-local: DHCP failure)
  Look for 192.168.0.0/24 (domestic router defaults)
  Look for 192.168.1.0/24
Passive Discovery - Noisy operating systems
  Windows NetBIOS network traffic (datagram service: host and browser announcements): tcpdump -nvxtttt -s 0 udp port 138
  General network traffic: etherape
Passive Discovery - etherape (screenshot of the graphical traffic summary)
Passive Discovery - tcpdump (Linux)
  Command line packet sniffer / analyser
  Remember options:
    -n      No DNS lookup (stay passive: a reverse lookup is traffic you send)
    -v      Verbose (IP ttl, id, checksums), can use -vv
    -tttt   Use YYYY-MM-DD HH:MM:SS.dec timestamps
    -s 0    Snaplen 0 = capture whole packets (the default since tcpdump 4.0)
    -e      Show link layer (MAC) addresses
    -X      Show hex and ASCII data
Active Discovery - Connecting to Local Area Networks
  network-manager: automated network interface management software; attempts to connect to (and send DHCP on) any network it sees, so stop it before plugging in if you intend to stay passive
  ifconfig: manually configure a network interface
    ifconfig eth0 192.168.55.123
    ifconfig eth0 up
  dhclient: automatically configure a network interface (DHCP)
    dhclient eth0
  route: manual network routing
    route add default gw 192.168.55.254
Active Discovery
  Ping (ICMP echo request / reply)
    ping 192.168.55.123      single host
    ping -b 192.168.55.255   broadcast (Windows and modern Linux hosts ignore broadcast pings by default, so expect an incomplete answer)
  Arp (Address Resolution Protocol): the ARP cache filled by the pings, shown as arp -an (Linux) / arp -a (Windows)
    Internet Address   Physical Address    Type
    192.168.55.131     00-0b-cd-c1-e5-c4   dynamic
    192.168.55.138     00-80-87-d4-5b-f8   dynamic
    192.168.55.231     00-0c-29-87-c1-32   dynamic
Active Discovery - OUI information
  The first three octets of a MAC address are the vendor's OUI: http://standards.ieee.org/regauth/oui/oui.txt
  Discover hardware vendors:
    Physical Address    Vendor
    00-0b-cd-c1-e5-c4   Hewlett Packard
    00-80-87-d4-5b-f8   OKI Electric Industry
    00-0c-29-87-c1-32   VMware
Active Discovery - Log ARP data
    arp -n >>arp.log              (append a snapshot each time you look)
    arp -n >>arp.log
    mv arp.log arp.log.old
    sort -u arp.log.old >arp.log  (de-duplicate; compare snapshots to spot new hosts or an IP whose MAC has changed)
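The comparison the arp.log / arp.log.old pair is kept for, written out as an added example (this is not code from the slides): two `arp -n` snapshots are parsed, new hosts and changed IP-to-MAC bindings are reported with the vendor from the OUI table above, and any MAC answering for several IPs is listed. It assumes the Linux `arp -n` output format; both snapshots and the 00:50:56 / 00:1b:d4 / 00:1e:c2 addresses are constructed for the example, not real logs.

```python
# Added example (not from the slides): compare two `arp -n` snapshots the way the
# arp.log / arp.log.old pair above allows, and flag new hosts, changed IP->MAC
# bindings and one MAC answering for several IPs.
# Assumptions: Linux `arp -n` output format ("Address HWtype HWaddress Flags Mask Iface");
# both snapshots are constructed for this example and are not real logs.
from __future__ import annotations

# The three OUI prefixes from the vendor table above; anything else reads as unknown.
OUI = {
    "00:0b:cd": "Hewlett Packard",
    "00:80:87": "OKI Electric Industry",
    "00:0c:29": "VMware",
}

ARP_OLD = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.55.131           ether   00:0b:cd:c1:e5:c4   C                     eth0
192.168.55.138           ether   00:80:87:d4:5b:f8   C                     eth0
192.168.55.231           ether   00:0c:29:87:c1:32   C                     eth0
192.168.55.254           ether   00:1b:d4:11:22:33   C                     eth0
"""

ARP_NEW = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.55.131           ether   00:0b:cd:c1:e5:c4   C                     eth0
192.168.55.138           ether   00:80:87:d4:5b:f8   C                     eth0
192.168.55.231           ether   00:50:56:aa:bb:cc   C                     eth0
192.168.55.254           ether   00:50:56:aa:bb:cc   C                     eth0
192.168.55.77            ether   00:1e:c2:12:34:56   C                     eth0
192.168.55.99                    (incomplete)                              eth0
"""


def parse_arp(text: str) -> dict[str, str]:
    """Return {ip: mac} from `arp -n` output; the header line and
    '(incomplete)' entries (no MAC learned yet) are skipped."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[1] != "ether":
            continue
        table[fields[0]] = fields[2].lower()
    return table


def vendor(mac: str) -> str:
    return OUI.get(mac[:8], "unknown OUI")


def _ip_key(ip: str):
    return tuple(int(octet) for octet in ip.split("."))


def arp_diff(old: dict[str, str], new: dict[str, str]) -> list[str]:
    """NEW hosts, CHANGED bindings and GONE hosts between two snapshots.
    A CHANGED binding on the gateway address is the classic ARP-poisoning symptom."""
    findings = []
    for ip in sorted(new, key=_ip_key):
        mac = new[ip]
        if ip not in old:
            findings.append(f"NEW      {ip} -> {mac} ({vendor(mac)})")
        elif old[ip] != mac:
            findings.append(f"CHANGED  {ip}: {old[ip]} -> {mac} ({vendor(mac)})")
    for ip in sorted(set(old) - set(new), key=_ip_key):
        findings.append(f"GONE     {ip} ({old[ip]})")
    return findings


def shared_macs(table: dict[str, str]) -> dict[str, list[str]]:
    """MACs that answer for more than one IP: a router doing proxy ARP, a host
    bridging to another network (e.g. 3G), or a host spoofing its neighbours."""
    by_mac: dict[str, list[str]] = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    return {m: sorted(ips, key=_ip_key) for m, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    old, new = parse_arp(ARP_OLD), parse_arp(ARP_NEW)
    for line in arp_diff(old, new):
        print(line)
    for mac, ips in shared_macs(new).items():
        print(f"SHARED   {mac} answers for {', '.join(ips)}")
```

On the constructed snapshots the gateway .254 and host .231 both move to the same unknown MAC, which is exactly what a machine poisoning the segment looks like; `sort -u` alone would show both old and new lines but not tell you which is current.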
Background Information - Cheat Sheets
  Google: tcpdump cheat sheet
  Security Wizardry (Andy Cuff): http://www.securitywizardry.com/index.php/tools/analysis-crib-sheets/rawpackets.html
  PacketLife (unknown): http://packetlife.net/library/cheat-sheets/
  Secure Systems Support (Alan Woodroffe): headers.pdf
Background Information - ISO 7 Layer Model
(each layer on one host appears to talk directly to its peer layer on the other host; the "Perceived Direct Link" column is that peer protocol)

  ISO Model Layer   Computing Use              Perceived Direct Link                         Computing Use              ISO Model Layer
  Application       Web Browser, FTP, Telnet   Browser <-> Server, Telnet client <-> telnetd  Web Browser, FTP, Telnet   Application
  Presentation      -                          -                                             -                          Presentation
  Session           -                          -                                             -                          Session
  Transport         TCP, UDP                   TCP protocol                                  TCP, UDP                   Transport
  Network           IP, ICMP                   IP protocol                                   IP, ICMP                   Network
  Link              Device driver, NIC, ARP    Ethernet protocol                             Device driver, NIC, ARP    Link
  Physical          Ethernet cable             Electrical voltage                            Ethernet cable             Physical
Background Information - TCP protocol
  TCP three way handshake: SYN, SYN-ACK, ACK
  TCP flags (byte 13 of the TCP header, tcpdump's tcp[13]; the low six bits are --UAPRSF):
    URG - Urgent (use Urgent pointer)
    ACK - Acknowledgement
    PSH - Push (flush data to receiver)
    RST - Reset (abort)
    SYN - Synchronise (start)
    FIN - Finish (end gracefully)
  SYN or FIN flag set (SYN = 0x02, FIN = 0x01): tcpdump filter 'tcp[13] & 0x03 != 0'
tcpdump - filtering
  Alien protocols: IPX / IPv6 / Jumbo frames / AppleTalk
    tcpdump -nr <kismet-dumpfile> not ip and not arp
  Client devices
    unauthorised equipment using the corporate network: identify by MAC address (OUI)?
    bridging your network to other networks, e.g. 3G: identify by abnormal data traffic patterns? identify by routed IP packets (foreign source addresses, a TTL already decremented)?
tcpdump - filtering
  in IP address range:         net 10.0.0.0/8
  outside IP address range:    not net 10.0.0.0/8
  Link Local activity:         net 169.254.0.0/16
  Windows NetBIOS traffic:     udp port 138
  Unusual protocols:           not ip and not arp   ('ip' matches IPv4 only, so IPv6 is kept)
  Save traffic from NIC eth2:  -i eth2 -w dumpfile
  VLAN 12 on NIC eth1:         -i eth1.0012 tcp      (or capture on eth1 with the filter 'vlan 12')
  SYN or FIN flag set:         'tcp[13] & 0x03 != 0'
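The flags byte that the 'tcp[13] & 0x03 != 0' filter tests, decoded in code as an added example (not from the slides): it builds TCP headers with struct.pack, prints flags in tcpdump's [S] / [S.] / [F.] notation, applies the filter, and tracks a connection through SYN, SYN-ACK and ACK so that a half-open scan (SYN-ACK answered with RST) shows up. All segments are constructed for the example; port 50000 and the sequence numbers are arbitrary.

```python
# Added example (not from the slides): decode the TCP flags byte that the
# filter 'tcp[13] & 0x03 != 0' above tests, print flags the way tcpdump does,
# and walk a connection through the three-way handshake.  Every segment
# below is constructed with struct.pack for this example; nothing is captured.
from __future__ import annotations
import struct

# Bit values in TCP header byte 13 (tcpdump's tcp[13]).  The slide's
# "--UAPRSF" mnemonic is the low six bits; CWR and ECE occupy the top two.
FLAG_BITS = {
    "CWR": 0x80, "ECE": 0x40, "URG": 0x20, "ACK": 0x10,
    "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01,
}
SYN_OR_FIN = FLAG_BITS["SYN"] | FLAG_BITS["FIN"]   # 0x03, the mask in the filter
# tcpdump prints flags in this order: F S R P . U E W ('.' stands for ACK)
TCPDUMP_ORDER = (("FIN", "F"), ("SYN", "S"), ("RST", "R"), ("PSH", "P"),
                 ("ACK", "."), ("URG", "U"), ("ECE", "E"), ("CWR", "W"))


def tcp_segment(sport: int, dport: int, seq: int, ack: int, flags: int) -> bytes:
    """Bare 20-byte TCP header: no options, checksum and urgent pointer zero."""
    data_offset = 5 << 4                     # 5 x 32-bit words, upper nibble of byte 12
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset, flags, 65535, 0, 0)


def decode_flags(tcp_header: bytes) -> list[str]:
    """Names of the flags set in tcp[13]."""
    return [name for name, bit in FLAG_BITS.items() if tcp_header[13] & bit]


def tcpdump_style(tcp_header: bytes) -> str:
    """The compact notation tcpdump prints, e.g. [S], [S.], [P.], [F.]."""
    return "[" + "".join(ch for name, ch in TCPDUMP_ORDER
                         if tcp_header[13] & FLAG_BITS[name]) + "]"


def is_syn_or_fin(tcp_header: bytes) -> bool:
    """Python equivalent of the tcpdump filter 'tcp[13] & 0x03 != 0'."""
    return (tcp_header[13] & SYN_OR_FIN) != 0


def handshake_state(segments: list[bytes]) -> list[str]:
    """State reached after each segment of one connection.  A trail that ends
    in RESET straight after SYN_RECEIVED is a half-open (SYN) scan, not a session."""
    syn, ack, fin, rst = (FLAG_BITS[n] for n in ("SYN", "ACK", "FIN", "RST"))
    state, trail = "CLOSED", []
    for seg in segments:
        f = seg[13]
        if f & rst:
            state = "RESET"
        elif state == "CLOSED" and f & syn and not f & ack:
            state = "SYN_SENT"
        elif state == "SYN_SENT" and f & syn and f & ack:
            state = "SYN_RECEIVED"
        elif state == "SYN_RECEIVED" and f & ack and not f & syn:
            state = "ESTABLISHED"
        elif state == "ESTABLISHED" and f & fin:
            state = "FIN_WAIT"
        trail.append(state)
    return trail


CLIENT, SERVER = 50000, 80
# Normal session: SYN, SYN-ACK, ACK, data, FIN (constructed)
HANDSHAKE = [
    tcp_segment(CLIENT, SERVER, 1000, 0, FLAG_BITS["SYN"]),
    tcp_segment(SERVER, CLIENT, 5000, 1001, FLAG_BITS["SYN"] | FLAG_BITS["ACK"]),
    tcp_segment(CLIENT, SERVER, 1001, 5001, FLAG_BITS["ACK"]),
    tcp_segment(CLIENT, SERVER, 1001, 5001, FLAG_BITS["PSH"] | FLAG_BITS["ACK"]),
    tcp_segment(SERVER, CLIENT, 5001, 1001, FLAG_BITS["FIN"] | FLAG_BITS["ACK"]),
]
# Half-open scan: the scanner answers the SYN-ACK with RST instead of ACK
HALF_OPEN = HANDSHAKE[:2] + [tcp_segment(CLIENT, SERVER, 1001, 0, FLAG_BITS["RST"])]


def filter_syn_fin(segments: list[bytes]) -> list[str]:
    """What 'tcpdump ... tcp[13] & 0x03 != 0' would keep, in tcpdump notation."""
    return [tcpdump_style(s) for s in segments if is_syn_or_fin(s)]


if __name__ == "__main__":
    for seg, state in zip(HANDSHAKE, handshake_state(HANDSHAKE)):
        print(f"{tcpdump_style(seg):6} {','.join(decode_flags(seg)):8} -> {state}")
    print("SYN/FIN filter keeps:", filter_syn_fin(HANDSHAKE))
    print("half-open scan trail:", handshake_state(HALF_OPEN))
```

The filter keeps only the session's first two and last segments, which is why it is a cheap way to count connection attempts on a busy capture; the state trail is what you need to tell a completed session from a scan, since both produce a SYN and a SYN-ACK.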
Practical Network Topology - Connecting to the Network
  Automatic (DHCP):    dhclient eth0
  Manual:              ifconfig eth0 192.168.1.123
  Passive (no output): ifconfig eth0 up   (no IPv4 address; note that an interface that is up will still send IPv6 neighbour discovery and router solicitations unless IPv6 autoconfiguration is disabled)
  Disable:             ifconfig eth0 0.0.0.0; ifconfig eth0 down
  Specify gateway:     route add default gw 192.168.1.234
Practical Network Topology (diagram, as recoverable from the slide)
  172.30.68.0/22 segment on a 100Mbps hub: XP1, XP2, XP3 (DHCP clients) and hosts .69.30, .71.50, .71.70
  192.168.1.0/24 segment on a 100Mbps hub: hosts .1, .101, .102, .103, .201, .202
Practical Tasks - Running tcpdump
  Launch a terminal window
  Run tcpdump:                     tcpdump -ni eth0                 (Ctrl-C to stop)
  Run tcpdump, saving the packets: tcpdump -ni eth0 -w dump1.tcpd   (Ctrl-C to stop; -w writes raw packets to the file, nothing is printed)
Practical Tasks Generating data to capture Launch Firefox Browse to http://192.168.1.1 Close Firefox
Practical Tasks - Examining captured data
  ls -ltr
  tcpdump -nr dump1.tcpd
  tcpdump -nr dump1.tcpd tcp
Practical Tasks - Examining captured data (file carving)
  ls -ltr
  tcpxtract -f dump1.tcpd     (carves files it recognises by signature out of the capture into the current directory)
  ls -ltr
  cat <file>.html
  display <file>.gif
Practical Tasks - Full packet capture
  Log all packets on NIC eth1, writing to files named e.g. 20120516103456.tcpd2, starting a new file after every 100MB of logged packets:
    tcpdump -ni eth1 -C 100 -w `date +%Y%m%d%H%M%S`.tcpd
  -C counts file size in units of 1,000,000 bytes; the first file keeps the name given and later ones get 1, 2, 3 ... appended (so ...tcpd2 is the third file). Add -W <n> to keep at most n files, and remember the filter you use here decides what is missing from the evidence later.
Practical Tasks - IP Time to Live (hop count)
  Analyse a pre-recorded tcpdump file and examine the TTL values for web browsing packets (-v prints the IP header's ttl field):
    tcpdump -nvr 3s.web.tcpd
Practical Tasks - Typical TTL initial values
  Linux          64
  Windows        128
  Cisco router   255
  Every router decrements the TTL by one, so (initial - observed) is the number of hops from the sender; a TTL that does not fit the operating system a host claims to be hints at NAT, a bridge or a spoofed address.
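The address-range and TTL checks from the filtering slides and the TTL task, carried out on a capture file as an added example (not from the slides): a small classic-pcap reader pulls the IP source, destination and ttl out of each Ethernet frame, classifies addresses against the ranges the slides say to look for, and infers the sender's initial TTL and hop count from the table above. The pcap bytes are constructed inline rather than read from 3s.web.tcpd, 10.0.0.0/8 as the corporate range is an assumption, and 203.0.113.10 is a documentation (TEST-NET-3) address.

```python
# Added example (not from the slides): read a classic pcap file, classify each
# packet's addresses against the corporate range the way the filters above do
# (net 10.0.0.0/8, 169.254.0.0/16, 192.168.0.0/24, 192.168.1.0/24) and infer the
# sender's initial TTL and hop count from the IP ttl field.  The pcap bytes are
# constructed here for the example; 10.0.0.0/8 as "corporate" is an assumption.
from __future__ import annotations
import ipaddress
import struct

CORPORATE = ipaddress.ip_network("10.0.0.0/8")
WATCH = {                                    # ranges the slides say to look for
    "169.254.0.0/16": "link-local (DHCP failure)",
    "192.168.0.0/24": "domestic (192.168.0.0/24)",
    "192.168.1.0/24": "domestic (192.168.1.0/24)",
}
INITIAL_TTLS = (64, 128, 255)                # Linux, Windows, Cisco (from the slide)
PCAP_MAGIC = 0xA1B2C3D4                      # classic pcap, microsecond timestamps


def ipv4_frame(src: str, dst: str, ttl: int, proto: int = 6) -> bytes:
    """Ethernet II frame carrying a minimal IPv4 header (checksum left zero)."""
    eth = bytes.fromhex("000bcdc1e5c4") + bytes.fromhex("000c2987c132") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return eth + ip


ARP_FRAME = b"\xff" * 6 + bytes.fromhex("000c2987c132") + b"\x08\x06" + b"\x00" * 28


def pcap_bytes(frames: list[bytes]) -> bytes:
    """Serialise frames as a little-endian pcap file, link type 1 (Ethernet)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1337000000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def read_pcap(data: bytes):
    """Yield each captured frame; the magic number tells us the file's byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic == PCAP_MAGIC else ">" if magic == 0xD4C3B2A1 else None
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("expected Ethernet link type")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl]
        off += incl


def ttl_guess(ttl: int) -> tuple[int | None, int | None]:
    """Smallest typical initial TTL >= observed, and the router hops that implies."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial, initial - ttl
    return None, None


def classify(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    if addr in CORPORATE:
        return "corporate"
    for net, label in WATCH.items():
        if addr in ipaddress.ip_network(net):
            return label
    return "outside corporate range"


def analyse(data: bytes) -> list[dict]:
    rows = []
    for frame in read_pcap(data):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                          # not IPv4: ARP, IPv6, IPX ... ('not ip and not arp')
        src = str(ipaddress.ip_address(frame[26:30]))
        dst = str(ipaddress.ip_address(frame[30:34]))
        initial, hops = ttl_guess(frame[22])  # ttl is byte 8 of the IP header, byte 22 of the frame
        rows.append({"src": src, "dst": dst, "ttl": frame[22], "initial_ttl": initial,
                     "hops": hops, "src_class": classify(src), "dst_class": classify(dst)})
    return rows


def suspects(rows: list[dict]) -> list[tuple[str, str]]:
    """Sources that 'not net 10.0.0.0/8' would surface, with the slide's label."""
    return [(r["src"], r["src_class"]) for r in rows if r["src_class"] != "corporate"]


SAMPLE = pcap_bytes([                        # constructed capture, not real traffic
    ipv4_frame("10.1.2.3", "10.0.0.5", 64),            # Linux host on the local LAN
    ARP_FRAME,                                         # skipped: not IPv4
    ipv4_frame("169.254.17.4", "10.255.255.255", 128), # Windows host whose DHCP failed
    ipv4_frame("192.168.1.7", "10.0.0.5", 128),        # domestic default range inside the LAN
    ipv4_frame("203.0.113.10", "10.1.2.3", 50),        # TEST-NET address, 14 hops away
    ipv4_frame("10.0.0.1", "10.1.2.3", 255, proto=1),  # router ICMP, TTL 255
])

if __name__ == "__main__":
    for r in analyse(SAMPLE):
        print(f"{r['src']:>15} ({r['src_class']}) -> {r['dst']:>15}  "
              f"ttl {r['ttl']:3} initial {r['initial_ttl']} hops {r['hops']}")
```

Pointing `analyse` at the bytes of a real file (`open("3s.web.tcpd", "rb").read()`) gives the same rows for that capture, provided it was written by tcpdump in classic pcap format on an Ethernet interface; pcapng or a non-Ethernet link type is rejected rather than mis-parsed.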
Practical Tasks - Web site traffic (HTTP)
  Analyse a pre-recorded tcpdump file and examine the web browsing packets:
    tcpdump -nr bbc.web.tcpd tcp port 80
Practical Tasks - Secure web site traffic (HTTPS)
  Analyse a pre-recorded tcpdump file and examine the web browsing packets:
    tcpdump -nr https.web.tcpd tcp port 443
  Compare with the HTTP capture: the TCP handshake, the TLS handshake (server name, certificate) and packet sizes and timing are still visible, but the request and page content are encrypted.
Practical Tasks Other investigations?
Questions?