Workshop on Network Traffic Capturing and Analysis IITG, DIT, CERT-In, C-DAC. Host based Analysis. {Himanshu Pareek, himanshup@cdac.

Similar documents
Overview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP

TCP Performance Management for Dummies

Chapter 8 Security Pt 2

International Journal of Enterprise Computing and Business Systems ISSN (Online) :

Covert Channel Analysis and Detection using Reverse Proxy Servers

Presented By: Holes in the Fence. Agenda. IPCCTV Attack. DDos Attack. Why Network Security is Important

CS5008: Internet Computing

Secure Network Access System (SNAS) Indigenous Next Generation Network Security Solutions

Host Event Based Network Monitoring

Solution of Exercise Sheet 5

Windows Filtering Platform, engine for local security

Guide to Network Defense and Countermeasures Third Edition. Chapter 2 TCP/IP

Defeating Windows Personal Firewalls: Filtering Methodologies, Attacks, and Defenses

CIT 380: Securing Computer Systems

How do I get to

CYBER ATTACKS EXPLAINED: PACKET CRAFTING

First Workshop on Open Source and Internet Technology for Scientific Environment: with case studies from Environmental Monitoring

Objectives of Lecture. Network Architecture. Protocols. Contents

Introduction to Network Security Lab 1 - Wireshark

Stateful Firewalls. Hank and Foo

Network Programming TDC 561

Covert Channel Analysis and Detection with Reverse Proxy Servers using Microsoft Windows

Computer Networks/DV2 Lab

Course Overview: Learn the essential skills needed to set up, configure, support, and troubleshoot your TCP/IP-based network.

Linux Network Security

Dinan Gunawardena Microsoft Research Cambridge MONITORING USING A WINDOWS BOX & HANDLING A DELUGE OF NETWORK DATA

Outline. CSc 466/566. Computer Security. 18 : Network Security Introduction. Network Topology. Network Topology. Christian Collberg

Port Scanning and Vulnerability Assessment. ECE4893 Internetwork Security Georgia Institute of Technology

Session Hijacking Exploiting TCP, UDP and HTTP Sessions

Agenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka

Network Traffic Analysis

IPv6 Security Best Practices. Eric Vyncke Distinguished System Engineer

Firewall Implementation

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

Networks: IP and TCP. Internet Protocol

Computer Networks/DV2 Lab

HoneyBOT User Guide A Windows based honeypot solution

Hands-on Network Traffic Analysis Cyber Defense Boot Camp

Scanning Tools. Scan Types. Network sweeping - Basic technique used to determine which of a range of IP addresses map to live hosts.

Lab VI Capturing and monitoring the network traffic

CSCE 465 Computer & Network Security

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

Lecture 2-ter. 2. A communication example Managing a HTTP v1.0 connection. G.Bianchi, G.Neglia, V.Mancuso

Intrusion Detection, Packet Sniffing

Seminar Computer Security

Network Security in Practice

Ethernet. Ethernet. Network Devices

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

OLD VULNERABILITIES IN NEW PROTOCOLS? HEADACHES ABOUT IPV6 FRAGMENTS

Algorithms and Techniques Used for Auto-discovery of Network Topology, Assets and Services

Firewalls. Basic Firewall Concept. Why firewalls? Firewall goals. Two Separable Topics. Firewall Design & Architecture Issues

Network Security Monitoring and Behavior Analysis Pavel Čeleda, Petr Velan, Tomáš Jirsík

Introduction to Analyzer and the ARP protocol

Network Scanning. What is a Network scanner? Why are scanners needed? How do scanners do? Which scanner does the market provide?

Port Scanning. Objectives. Introduction: Port Scanning. 1. Introduce the techniques of port scanning. 2. Use port scanning audit tools such as Nmap.

Malicious Network Traffic Analysis

Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP

1! Network forensics

Post-Class Quiz: Telecommunication & Network Security Domain

General Network Security

ACHILLES CERTIFICATION. SIS Module SLS 1508

Presentation_ID. 2001, Cisco Systems, Inc. All rights reserved.

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

SOUTHERN POLYTECHNIC STATE UNIVERSITY. Snort and Wireshark. IT-6873 Lab Manual Exercises. Lucas Varner and Trevor Lewis Fall 2013

Security Technology White Paper

BASIC ANALYSIS OF TCP/IP NETWORKS

IP Network Layer. Datagram ID FLAG Fragment Offset. IP Datagrams. IP Addresses. IP Addresses. CSCE 515: Computer Network Programming TCP/IP

1 hours, 30 minutes, 38 seconds Heavy scan. All scanned network resources. Copyright 2001, FTP access obtained

Network Intrusion Analysis (Hands-on)

Host Fingerprinting and Firewalking With hping

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

TCP SYN Flood - Denial of Service Seung Jae Won University of Windsor wons@uwindsor.ca

Surviving DNS DDoS Attacks. Introducing self-protecting servers

A Very Incomplete Diagram of Network Attacks

A Protocol Based Packet Sniffer

Lecture 16: TCP/IP Vulnerabilities: IP Spoofing and Denial-of-Service Attacks. Lecture Notes on Computer and Network Security

CS2107 Introduction to Information and System Security (Slid. (Slide set 8)

INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM

Multifaceted Approach to Understanding the Botnet Phenomenon

Introduction to IP networking

Lecture Computer Networks

Networks and Security Lab. Network Forensics

JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA

Network Security. Internet Firewalls. Chapter 13. Network Security (WS 2002): 13 Internet Firewalls 1 Dr.-Ing G. Schäfer

Networking Test 4 Study Guide

Network sniffing packet capture and analysis

Firewalls. configuring a sophisticated GNU/Linux firewall involves understanding

Network Security TCP/IP Refresher

Network sniffing packet capture and analysis

CS155 - Firewalls. Simon Cooper <sc@sgi.com> CS155 Firewalls 22 May 2003

Networking for Caribbean Development

Denial Of Service. Types of attacks

Network Traffic Analysis and Intrusion Detection using Packet Sniffer

Course Content Summary ITN 261 Network Attacks, Computer Crime and Hacking (4 Credits)

Introduction to Firewalls Open Source Security Tools for Information Technology Professionals

IxLoad-Attack: Network Security Testing

Network forensics 101 Network monitoring with Netflow, nfsen + nfdump

Transcription:

Workshop on Network Traffic Capturing and Analysis IITG, DIT, CERT-In, C-DAC Host based Analysis {Himanshu Pareek, himanshup@cdac.in} {C-DAC Hyderabad, www.cdachyd.in} 1

Reference to previous lecture Bots use ICMP for passing commands Covert channel hacking SYN flooding attacks Key logger attacks Current Patch Process Autorun.INF Runs as a DLL attached to svchost.exe 2

Outline Introduction Network monitoring tools Analysis for malicious activities Application level analysis Developer s Call Implementing software packet capture 3

Prerequisites What is a socket Socket is the interface between the application layer and transport layer within a host Three way TCP handshake ARP HTTP Headers for Request and Response TCP Segment and UDP Datagram 4

HTTP : Request 5

HTTP : Response 6

Three way TCP Handshake 7

States for a TCP Client CLOSED Send SYN Receive FIN, send ACK TIME_WAIT SYN_SENT Receive SYN & ACK, Send SYN FIN_WAIT_2 ESTABLISHED Receive ACK, send nothing FIN_WAIT_1 Send FIN 8

States for a TCP Server Receive ACK, Send nothing CLOSED LAST_ACK LISTENING Send FIN Receive SYN, Send SYN and ACK CLOSE_WAIT SYN_RECVD Receive FIN, Send ACK ESTABLISHED Receive ACK, Send nothing 9

TCP Segment 0 15 31 SRC PORT DST PORT SEQUENCE NUMBER ACKNOWLEDGEMENT NUMBER FLAGS RECV WINDOW CHECKSUM URGENT DATA PTR OPTIONS DATA 10

IPv4 Datagram 0 15 31 Version Header Length Identification Type of Service FLAGS Total Length Fragment Offset TTL Protocol Header Checksum 32 BIT SOURCE IP ADDRESS 32 BIT DST IP ADDRESS OPTIONS DATA 11

Ethernet Frame Preamble SRC MAC Address DST MAC Address Type Data ARP IP IPv6 IPX 0x806 0x800 0x86DD 0x8137 Trailer/CRC 12

Analysis of mal-activities Automated Analysis for detecting attacks Using HIDS / HIPS / Network Security Solution OSSEC, OSIRIS, EnSAFE, Sana, Server IPS Manual analysis Why it is important A simple case Cost of ownership should be compared. Ability to handle encryption Useful in reversing the malware No single point of failure as in case of NIDS/NIPS 13

LAN Antivirus updated IDS Infected node 1. makes a silent scan of network 2. Detects a Vista system 3. Trying to connect at 137 14

Do it regular Checked ARP entries with command arp a Found a suspicious entry x.x.x.12 Started WIRESHARK It was sending ARPs to all the hosts in a small intervals of time Allowed to scan my system Sent SYNs to 137 Use TCP View to check concerned process (to ports) on both the victim system You can carry out the manual malware cleaning then. 15

Continued Network packet monitoring WIRESHARK (wireshark.org) Network Miner (networkminer.wiki.sourceforge.net) MS Network Monitor (Microsoft) Application level Want to monitor application behavior Anomaly detection at system call level System call interception Is it feasible with growing security requirements? 16

Traffic analysis of mal-activities IP Scanner 17

Traffic analysis of mal-activities A scan of a particular system 18

Traffic analysis of mal-activities Ms04-011 vulnerability getting exploited through a system Stack overflow in LSASS service http://www.microsoft.com/technet/security/ Bulletin/MS04-011.mspx 19

20

Other Tools For Analysis PacketMon IP Sniffer Network Probe Sniff_hit UfaSoft Sniff for capturing packets at Wi-Fi links CaptureBAT (Honeynet Project) 22

Tip: help in reversing malware binary Run malware binary using virtualized OS MS Virtual PC Sun xvm VirtualBox Use any tool to monitor its network activity Use snort to monitor the activity http request packet analysis 23

Windows networking architecture Microsoft Windows sockets application (32 bit) Winsock 2.0 API Winsock 2.0 SPI Ws2_32.dll Layered Service Provider Mswsock.dll Msafd.dll User Mode 24

Contd. TDI Layer Afd.sys TDI Clients Kernel Mode NDIS exported Interface TCPIP.SYS Network protocol drivers NDIS Intermediate Driver Miniport Driver NDIS.SYS 25

Application level analysis System call interception Not supported Rootkits Documented interfaces LSP WSP APIs in the SDKs, direct mapping for network related calls. WFP Provides APIs in user mode to filter the packets Doesn t support MAC based filtering Callout Drivers Write kernel mode drivers to develop firewalls, IDS, application based filtering 26

Application level analysis Windows application (32 bit) 1. Uses IOCTL to talk TDI Client 2. Bypasses Winsock TDI Layer TDI Clients Kernel Mode 1. Use TDIMON Network stack 27

Modeling approaches Behavior based approaches Knowing the bad behavior and protecting against them Knowing the good behavior of the application FSM Artificial Neural Networks N-gram Probability Suffix Trees Anomaly Detection Issues with system call hooking Discouraged by OS vendors Used by rootkits not supported on 64 bit windows (carry patch guard) 28

Implementing packet capture NDIS IM Filter Driver Miniport Driver Protocol Driver 29

Relationships Between NDIS, Miniport Drivers, and Protocol Drivers TCP / IP Other Protocols NDIS Miniport Driver NDIS.SYS NIC Device 30

Intermediate Driver in the NDIS Driver Stack. TCP / IP Other Protocols NDIS Intermediate Driver Miniport Driver NDIS.SYS NIC Device 31

Intermediate Driver Layered Between Miniport Driver and Transport Driver Transport Driver Protocol Xxx Media X Miniport Xxx Media X Intermediate Driver Protocol Xxx Media Y Miniport Xxx Media Y Miniport Driver NDIS.SYS NIC Device 32

Simple NDIS_PACKET Illustration NDIS_PACKET ( Descriptor (Packet Private.Head NDIS Buffer ( Descriptor (Buffer Next StartVa NULL ( Bytes Packet Data ( 74 33

A More Complex NDIS_PACKET Representation NDIS_PACKET ( Descriptor (Packet Private.Head NDIS Buffer ( Descriptor (Buffer Next StartVa NDIS Buffer ( Descriptor (Buffer Next StartVa NULL ( Bytes Packet Data ( 0-13 ( Bytes Packet Data ( 14-73 34

Research opportunities Secure development practices. Apple Mac, Windows Azure. Malware with Virtualization. Type 3 Malware. 35

References Further Reading Wireshark documentation www.ietf.org Computer Networking: A Top Down Approach (Kurose/Ross) MS-Windows Platform SDK Microsoft Windows Driver Kit www.openrce.org Fighting malicious code (James, Malin) 36

References Further Reading http://www.winpcap.org/docs/docs_41b5/html/group NPF. html Windows, WFP, Callouts are trademarks and products of Microsoft, US. Reference is given to these. Information presented in the presentation is taken from freely available resources. Microsoft holds the copyright. Procexp, procmon, tcpview are freely downloadable tools from technet. NDIS was jointly developed by 3com and Microsoft. More on NDIS: DDK Documentation, www.ndis.com and www.pcausa.com 37

Thank you && Discussions queries 38

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information