COEN 252 Computer Forensics Network Protocols

  • Slide 1
  • COEN 252 Computer Forensics Network Protocols
  • Slide 2
  • Network Protocols: Layering TCP/IP stack has four levels. OSI has seven.
  • Slide 3
  • Network Protocols: Layering
  • Slide 4
  • Each layer adds its own header: application data is wrapped by the TCP header, then the IP header, then the link-layer header.
  • Slide 5
  • Link Layer. Network Interface Cards (NIC) carry a unique Medium Access Control (MAC) address: 48 bits, written as 6 bytes in hex (e.g. 00:01:02:03:04:05). A NIC normally accepts only frames addressed to its own MAC (plus broadcast); in promiscuous mode it captures every frame on the segment.
  • Slide 6
  • Link Layer: Address Resolution Protocol (ARP). Resolves IP addresses to MAC addresses. RFC 826.
  • Slide 7
  • Link Layer: ARP Resolution. Assume node A with IP address 10.10.10.100 and MAC 00:01:02:03:04:05 wants to talk to IP address 10.10.10.101. A sends out a broadcast who-has request:
    00:01:02:03:04:05 > ff:ff:ff:ff:ff:ff, arp 42: who-has 10.10.10.101
    All devices on the link receive the broadcast frame and hand it to their ARP handler. Only the owner of 10.10.10.101 answers, unicast to A:
    a0:a0:a0:a0:a0:a0 > 00:01:02:03:04:05, arp 64: arp reply 10.10.10.101 is-at a0:a0:a0:a0:a0:a0
    A caches the mapping in its ARP cache.
  • Slide 8
  • IP uses the IP addresses of source and destination. IP datagrams are forwarded hop by hop. Best-effort service: no delivery guarantee. A datagram whose header checksum fails is detected and dropped.
  • Slide 9
  • IP Addresses. IPv4 addresses are 32 bits long; IPv6 addresses are 128 bits. A transport endpoint (socket) is identified by an IP address plus a port number; the port lives in the TCP/UDP header, not in the IP address.
  • Slide 10
  • IP: ICMP. Internet Control Message Protocol. Created to report problems that are not transient, e.g.:
    Fragmentation is necessary, but the Don't Fragment (DF) flag is set.
    A UDP datagram was sent to a port nobody listens on (port unreachable).
    Also carries diagnostics such as ping (echo request / echo reply).
  • Slide 11
  • IP: ICMP. ICMP error messages should not be sent in response to any fragment other than the first, nor to a datagram whose source address is a broadcast or loopback address. Such datagrams are probably malicious anyway.
  • Slide 12
  • IP: ICMP. ICMP errors are never sent in response to another ICMP error message; otherwise an attacker could craft a message with invalid UDP source and destination ports and watch two hosts ping-pong ICMP errors at each other. Nor is destination unreachable sent in response to a datagram addressed to a broadcast address; otherwise a single broadcast would make it trivial to map a network.
  • Slide 13
  • Transport Layer: TCP and UDP. Transmission Control Protocol (TCP): reliable, connection-oriented, slower. User Datagram Protocol (UDP): unreliable, connectionless, fast.
  • Slide 14
  • TCP supports only unicast. Full-duplex connection. Sequence numbers let lost or reordered segments be detected and retransmitted.
  • Slide 15
  • TCP: Three-Way Handshake. Initiator to responder: SYN, seq s. Responder to initiator: SYN, seq t, ACK s+1. Initiator to responder: ACK t+1. This sets up the two byte streams (one per direction) with initial sequence numbers s and t.
  • Slide 16
  • TCP: Three-Way Handshake (tcpdump)
    20:13:34.972069 IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: S 2882650416:2882650416(0) win 16384 (DF)
    20:13:34.972487 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1316: S 1012352000:1012352000(0) ack 2882650417 win 32768 (DF)
    20:13:34.972500 IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: . ack 1 win 17520 (DF)
    After the SYN segments tcpdump prints sequence and ack numbers relative to the initial sequence numbers: "ack 1" means 1012352001.
  • Slide 17
  • TCP: Terminating Connections. Graceful shutdown: Party 1 to Party 2: FIN. Party 2 to Party 1: ACK. Party 2 to Party 1: FIN. Party 1 to Party 2: ACK. Abrupt shutdown: Party 1 to Party 2: RST.
  • Slide 18
  • TCP: Shutting down a connection (tcpdump)
    20:48:45.221851 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: P 4:5(1) ack 5 win 16958 (DF)
    20:48:45.226300 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 5:7(2) ack 5 win 32768 (DF)
    20:48:45.231650 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 7:23(16) ack 5 win 32768 (DF)
    20:48:45.231666 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 23 win 16940 (DF)
    20:48:45.235303 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: F 23:23(0) ack 5 win 32768 (DF)
    20:48:45.235331 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 24 win 16940 (DF)
    20:48:45.235494 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: F 5:5(0) ack 24 win 16940 (DF)
    20:48:45.236027 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: . ack 6 win 32767 (DF)
  • Slide 19
  • TCP: Exchanging Data. Each segment carries a sequence number (one sequence space per direction). The initial sequence numbers are chosen during the three-way handshake. Nmap samples how a host generates its initial sequence numbers as one of its OS fingerprinting tests. Modern operating systems do much better, with hard-to-predict initial sequence numbers.
  • Slide 20
  • TCP: Exchanging Data. The receiver of a segment sends an acknowledgement: the ACK flag is set and the acknowledgement number is the sequence number of the next byte it expects.
  • Slide 21
  • TCP: Exchanging Data. If a segment is lost, the acknowledgement number stops advancing: the receiver sends duplicate acknowledgements. Depending on settings, the sender retransmits after three duplicate ACKs (fast retransmit). The sender also retransmits after a timeout.
  • Slide 22
  • TCP: Exchanging Data (tcpdump)
    20:48:45.087563 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 4 win 16959 (DF)
    20:48:45.087583 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: P 3:4(1) ack 4 win 16959 (DF)
    20:48:45.096443 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 4:5(1) ack 4 win 32768 (DF)
    20:48:45.221851 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: P 4:5(1) ack 5 win 16958 (DF)
    20:48:45.226300 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 5:7(2) ack 5 win 32768 (DF)
    20:48:45.231650 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 7:23(16) ack 5 win 32768 (DF)
    20:48:45.231666 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 23 win 16940 (DF)
  • Slide 23
  • TCP flags (part of the TCP header; the letter is what tcpdump prints)
    F : FIN - Finish; end of session
    S : SYN - Synchronize; request to start a session
    R : RST - Reset; drop a connection
    P : PSH - Push; deliver the data to the application immediately
    A : ACK - Acknowledgement (tcpdump prints "ack n" instead of a letter; "." means no other flag)
    U : URG - Urgent
    E : ECE - Explicit Congestion Notification Echo
    W : CWR - Congestion Window Reduced
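The two tcpdump traces above (handshake and graceful shutdown) can be checked mechanically, which is what a forensic examiner does when reconstructing a session from a capture. The following is an added example, not code from the slides; the parser, the `check_handshake` and `check_close` functions and their return shapes are my own. The sample traces are the ones printed on the slides, embedded as strings; the parser understands the classic tcpdump format they use (absolute sequence numbers on SYN segments, relative numbers afterwards).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Classic tcpdump TCP line, e.g.
#   20:13:34.972069 IP a.b.c.1316 > x.y.z.23: S 2882650416:2882650416(0) win 16384 (DF)
#   20:13:34.972500 IP a.b.c.1316 > x.y.z.23: . ack 1 win 17520 (DF)
LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+):\s*"
    r"(?P<flags>[SFRP.]+)(?: (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))? win (?P<win>\d+)"
)

Endpoint = Tuple[str, int]          # (host, port)

@dataclass
class Segment:
    ts: str
    src: Endpoint
    dst: Endpoint
    flags: str                      # tcpdump letters S, F, R, P or "." for none
    seq: Optional[int]              # first sequence number (absolute on SYNs, relative later)
    end: Optional[int]              # seq + length; a FIN occupies this number
    length: int
    ack: Optional[int]

# Traces copied from the slides (handshake, then graceful shutdown).
HANDSHAKE = """\
20:13:34.972069 IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: S 2882650416:2882650416(0) win 16384 (DF)
20:13:34.972487 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1316: S 1012352000:1012352000(0) ack 2882650417 win 32768 (DF)
20:13:34.972500 IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: . ack 1 win 17520 (DF)
"""
CLOSE = """\
20:48:45.221851 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: P 4:5(1) ack 5 win 16958 (DF)
20:48:45.226300 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 5:7(2) ack 5 win 32768 (DF)
20:48:45.231650 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 7:23(16) ack 5 win 32768 (DF)
20:48:45.231666 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 23 win 16940 (DF)
20:48:45.235303 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: F 23:23(0) ack 5 win 32768 (DF)
20:48:45.235331 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 24 win 16940 (DF)
20:48:45.235494 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: F 5:5(0) ack 24 win 16940 (DF)
20:48:45.236027 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: . ack 6 win 32767 (DF)
"""

def parse_trace(text: str) -> List[Segment]:
    """Parse tcpdump lines; lines that are not TCP in this format are skipped."""
    segs = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        g = m.groupdict()
        segs.append(Segment(
            ts=g["ts"], src=(g["src"], int(g["sport"])), dst=(g["dst"], int(g["dport"])),
            flags=g["flags"], seq=int(g["seq"]) if g["seq"] else None,
            end=int(g["end"]) if g["end"] else None, length=int(g["len"]) if g["len"] else 0,
            ack=int(g["ack"]) if g["ack"] else None))
    return segs

def check_handshake(segs: List[Segment]):
    """Walk the three-way handshake. Returns (client, server, client_isn, server_isn, complete);
    raises ValueError if an acknowledgement is not ISN + 1."""
    client = server = client_isn = server_isn = None
    for s in segs:
        if "S" in s.flags and s.ack is None and client is None:            # SYN
            client, server, client_isn = s.src, s.dst, s.seq
        elif "S" in s.flags and s.ack is not None and s.src == server:     # SYN/ACK
            if s.ack != client_isn + 1:
                raise ValueError(f"SYN/ACK acks {s.ack}, expected {client_isn + 1}")
            server_isn = s.seq
        elif server_isn is not None and s.src == client and "S" not in s.flags and s.ack is not None:
            if s.ack not in (1, server_isn + 1):       # tcpdump prints "ack 1" relative to server ISN
                raise ValueError(f"final ACK acks {s.ack}, expected {server_isn + 1}")
            return client, server, client_isn, server_isn, True
    return client, server, client_isn, server_isn, False

def check_close(segs: List[Segment]) -> str:
    """'graceful' if both sides sent a FIN that the peer acknowledged, 'reset' if an
    RST was seen, otherwise 'open'."""
    fin_seq = {}                      # (src, dst) -> sequence number the FIN occupies
    acked = set()
    for s in segs:
        if "R" in s.flags:
            return "reset"
        if "F" in s.flags:
            fin_seq[(s.src, s.dst)] = s.end
        reverse = (s.dst, s.src)
        if s.ack is not None and reverse in fin_seq and s.ack >= fin_seq[reverse] + 1:
            acked.add(reverse)
    return "graceful" if len(fin_seq) == 2 and acked == set(fin_seq) else "open"

def bytes_per_direction(segs: List[Segment]) -> Dict[Tuple[Endpoint, Endpoint], int]:
    """Payload bytes carried in each direction, from the (len) field."""
    totals: Dict[Tuple[Endpoint, Endpoint], int] = {}
    for s in segs:
        totals[(s.src, s.dst)] = totals.get((s.src, s.dst), 0) + s.length
    return totals
```

On the shutdown trace the server's FIN occupies relative sequence number 23 and is acknowledged by the client's "ack 24"; the client's FIN at 5 is acknowledged by "ack 6", so the session is classified as a graceful close. A capture that ends with an RST, or with a FIN that is never acknowledged, is classified differently, which is the first question to ask about a suspicious session.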
  • Slide 24
  • UDP: send and pray. No connection. The Protocol field in the IP header is 0x11 (17). UDP has its own 8-byte header following the IP header: source port, destination port, length, checksum. It has no sequence numbers, acknowledgements or flags like TCP.
  • Slide 25
  • Fragmentation. An IP datagram may meet a link whose maximum transmission unit (MTU) is smaller than the datagram. The sender, or a router on the path, chops the IP datagram into several smaller IP datagrams, the fragments.
  • Slide 26
  • Fragmentation. Fragments are reassembled only at the destination. Each fragment carries: the fragment identifier (the original datagram's Identification field); the offset of its data within the original data portion, in units of 8 bytes; the length of the data payload in the fragment (from the total length field); the More Fragments (MF) flag, cleared only on the final fragment.
  • Slide 27
  • Fragmentation Example. Large echo request: ping -l 1480 129.218.19.198. Assume the MTU is 1500. 1480 bytes of ping data plus the 8-byte ICMP header are 1488 bytes of IP payload, more than the 1480 bytes that fit next to a 20-byte IP header.
  • Slide 28
  • Fragmentation
  • Slide 29
  • Fragmentation: First Fragment
  • Slide 30
  • Fragmentation: Second Fragment
  • Slide 31
  • Fragmentation: Last Fragment
  • Slide 32
  • Fragmentation: ping -l 65500 129.218.19.198. tcpdump shows each fragment as (frag id:len@off+), where len is the fragment's data length, off its offset into the original data portion, and + means more fragments follow.
    12:02:18.256066 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp 1472: echo request seq 6400 (frag 10712:len@off+)
    12:02:18.257282 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:len@off+)
    12:02:18.258498 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:len@off+)
    12:02:18.258502 IP dhcp-19-115.engr.scu.edu.137 > 129.210.19.255.137: udp 50
    12:02:18.259714 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:len@off+)
    12:02:18.261177 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:len@off+)
    12:02:18.262389 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:len@off+)
    12:02:18.263604 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:len@off+)
    12:02:18.264820 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:len@off+)
    12:02:18.266037 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:len@off+)
    12:02:18.267495 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:len@off+)
    12:02:18.268712 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:len@off+)
    Only the first fragment carries the ICMP header, so only it is printed as "echo request"; the later fragments show just "icmp". The unrelated NetBIOS broadcast (udp 50) from another host is interleaved in the capture.
  • Slide 33
  • Fragmentation: DF (Don't Fragment) flag. If a forwarding node finds that the datagram must be fragmented but DF is set, it drops the datagram and responds with ICMP destination unreachable, code "fragmentation needed and DF set". Useful to find the smallest MTU on a path (path MTU discovery).
  • Slide 34
  • Fragmentation. Stateless firewalls look only at individual packets. The transport (TCP/UDP) header is only in the first fragment. Stealth attacks and scans put the evil payload only in the second and following fragments, which carry no port numbers to filter on.
  • Slide 35
  • Fragments: Teardrop and Friends. Teardrop (1997): fragments with overlapping offset fields; many operating systems of the time crashed, hung or rebooted. Jolt2: a single fragment with a non-zero offset; the receiving system allocates resources to reconstruct a datagram that never completes.
  • Slide 36
  • Fragments: Teardrop and Friends. Create fragments whose offset and length claim a datagram far larger than the 65535-byte IPv4 maximum; a trusting OS tries to allocate memory for it and dies. Ping of Death: Windows 95 allowed sending a ping that was just a tad too long, so the reassembled datagram exceeded the maximum; the receiving host would crash. Unnamed attacks: missing fragments keep reassembly buffers allocated until they time out.
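The fragmentation mechanics and the malformed cases from the last few slides (overlap, oversize claim, missing fragments) can be exercised on real bytes. This is an added example, not code from the slides: it builds the ICMP echo request that ping sends, fragments it for a given MTU the way a sender or router does, prints tcpdump's frag notation, and reassembles defensively. The function names, the 1500-byte MTU, and the identifier 10712 (borrowed from the trace above) are my assumptions.

```python
import struct
from typing import List, Tuple

IP_HEADER_LEN = 20
MAX_IP_PAYLOAD = 65535 - IP_HEADER_LEN      # largest data portion an IPv4 datagram can carry

def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum as used by IP, ICMP, UDP and TCP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def icmp_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP type 8, code 0, with a correct checksum: the IP payload that ping sends."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload

Fragment = Tuple[int, bool, bytes]          # (byte offset, more-fragments flag, data)

def fragment(ip_payload: bytes, mtu: int) -> List[Fragment]:
    """Split an IP payload into fragments that fit the MTU. Every fragment but the last
    carries a multiple of 8 bytes because the 13-bit offset field counts 8-byte units."""
    per_frag = (mtu - IP_HEADER_LEN) // 8 * 8
    frags, pos = [], 0
    while pos < len(ip_payload):
        data = ip_payload[pos:pos + per_frag]
        pos += len(data)
        frags.append((pos - len(data), pos < len(ip_payload), data))
    return frags

def tcpdump_notation(ident: int, frags: List[Fragment]) -> List[str]:
    """tcpdump prints a fragment as 'frag id:len@offset', plus '+' when MF is set."""
    return [f"frag {ident}:{len(d)}@{off}{'+' if more else ''}" for off, more, d in frags]

class ReassemblyError(Exception):
    pass

def reassemble(frags: List[Fragment]) -> bytes:
    """Reassemble one datagram's fragments, refusing the classic malformed cases instead
    of trusting the offsets: overlap (Teardrop), claims beyond the IPv4 maximum
    (Ping of Death), and holes or a missing last fragment (resource exhaustion)."""
    buf = bytearray()
    saw_last = False
    for off, more, data in sorted(frags, key=lambda f: f[0]):
        if off % 8:
            raise ReassemblyError(f"offset {off} is not a multiple of 8")
        if off + len(data) > MAX_IP_PAYLOAD:
            raise ReassemblyError(f"fragment claims {off + len(data)} bytes, above the IPv4 limit")
        if off < len(buf):
            raise ReassemblyError(f"fragment at {off} overlaps data already received")
        if off > len(buf):
            raise ReassemblyError(f"hole between {len(buf)} and {off}: fragment missing")
        buf += data
        if not more:
            saw_last = True
    if not saw_last:
        raise ReassemblyError("last fragment (MF=0) never arrived")
    return bytes(buf)

def rejected(frags: List[Fragment]) -> bool:
    """True when reassemble() refuses the fragment set."""
    try:
        reassemble(frags)
        return False
    except ReassemblyError:
        return True
```

With a 1500-byte MTU, ping -l 1480 yields two fragments (1480 data bytes, then the remaining 8) and ping -l 65500 yields 45, the last one 388 bytes long; a real reassembler additionally keys fragments by (source, destination, protocol, identifier) and times the buffer out, which is the defence against the "missing fragment" attacks.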
  • Slide 37
  • ICMP has no port numbers. No acks, no delivery guarantee. Types and codes: http://www.iana.org/assignments/icmp-parameters. First byte of the ICMP header: Type. Second byte: Code.
  • Slide 38
  • ICMP Mapping Techniques. Detect which hosts are up. Detect the OS through differences in the responses.
  • Slide 39
  • ICMP Tireless Mapper: sends ICMP echo requests to all possible IP addresses. Many IDS will not flag this scan if the number of packets per hour is kept small. Firewalls should filter incoming echo requests.
  • Slide 40
  • ICMP Efficient Mapper: send an ICMP echo request to a broadcast address, e.g. ping 129.210.19.255; every live host that answers reveals itself.
  • Slide 41
  • ICMP Clever Mapper: use a different ICMP message such as an ICMP address mask request, which is less often filtered than echo. The reply reveals the subnet mask, i.e. the class of the network.
  • Slide 42
  • ICMP: normal messages. Host unreachable. Port unreachable. Administratively prohibited. Need to fragment. Time exceeded in transit.
  • Slide 43
  • Malicious ICMP: Smurf Attack on victim 129.219.19.198. Step 1: Send an ICMP echo request to a broadcast address with the source IP spoofed as 129.219.19.198. Step 2: The router lets the echo request to the broadcast address into its network. Step 3: All live hosts respond with an ICMP echo reply to the spoofed source IP, i.e. to the victim.
  • Slide 44
  • Malicious ICMP: Smurf Attack. Denial of Service attack with amplification: one packet of attacker effort produces one echo reply per live host on the amplifier network.
  • Malicious TCP Use: Mitnick Attack (obsolete). Attacker sends another TCP packet with payload: rsh victim "echo + + >> .rhosts". (Figure: Victim trusts B; Attacker, posing as B, sends the bad stuff.)
  • Slide 62
  • Malicious TCP Use: Mitnick Attack (obsolete). Now the victim trusts everyone: "+ +" in .rhosts grants rsh/rlogin access to any user from any host. (Figure: Victim trusts everyone; B; Attacker.)
  • Slide 63
  • Malicious TCP Use: Mitnick Attack (obsolete). Attacker terminates the connection with a FIN exchange. (Figure: Victim trusts everyone; B; Attacker; FIN, ACK.)
  • Slide 64
  • Malicious TCP Use: Mitnick Attack (obsolete). To wake up B, attacker sends it a bunch of RSTs to free B from the SYN flood. (Figure: Victim trusts everyone; B; Attacker; RST.)
  • Slide 65
  • Malicious TCP Use: Mitnick Attack (obsolete). Attacker now starts a new connection with the victim, which trusts everyone. (Figure: Victim trusts everyone; B; Attacker; yak yak yak.)
  • Slide 66
  • Malicious TCP Use: Mitnick Attack Detection. Network-based intrusion detection (NID) can find the original site mapping. NID can find the reconnaissance by spotting the finger, showmount etc. probes; showmount talks to the portmapper on port 111, a dangerous and frequently attacked port.
  • Slide 67
  • Malicious TCP Use: Mitnick Attack Detection. Host scans: log instances where a single system accesses multiple hosts at the same time. Host-based Intrusion Detection (HID) can find access to a single port. HID / Tripwire could find changes to .rhosts.
  • Slide 68
  • Malicious TCP Use: Mitnick Attack Detection. Computer forensics can detect the attack by logging network traffic and by examining the MAC times (modified, accessed, changed) of important files such as .rhosts.
  • Slide 69
  • Malicious TCP Use: Mitnick Attack Prevention. Router-based firewall blocks certain types of traffic: network mapping, SYN flooding, access to dangerous ports. Host-based firewall blocks access to dangerous ports. Security policy disallows reconnaissance tools and enforces better authentication than trust by source address.
  • Slide 70
  • Domain Name Servers provide the mapping from host names to IP addresses. DNS resolution process: the client (resolver library, e.g. via gethostbyname()) sends a query to the local domain name server; the local name server sends back the IP address. Uses UDP, port 53 (almost exclusively; TCP is used for zone transfers and large answers).
  • Slide 71
  • DNS: Resolution protocol. 1. Client to local DNS server: query (gethostbyname). 2. Local DNS server forwards the request to a root server. 3. Root server returns a referral: the name of the remote DNS server responsible for the domain. 4. Local DNS server queries the remote DNS server. 5. Remote DNS server answers with the IP address. 6. Local DNS server gives the data to the client.
  • Slide 72
  • DNS uses caching to prevent overloading the root servers. DNS records have a TTL: the responding DNS server sets it, and the receiving DNS server caches the record for TTL seconds.
  • Slide 73
  • DNS: Reverse Lookup, IP address to host name. A query for 1.2.3.4 is sent as a PTR query for 4.3.2.1.in-addr.arpa.
  • Slide 74
  • DNS: Master - Slave Name Servers. Each domain has a single master DNS server; slaves are added for redundancy. A slave periodically contacts the master to see whether there are changes. Older BIND versions download all data for the domain even if only one record has changed.
  • Slide 75
  • DNS Zone Transfer. The slave requests a zone transfer from the master. Uses TCP, port 53. Attackers like zone transfers: one transfer gives all names and IP addresses in the zone. Newer versions of BIND limit transfers based on the requester's IP address.
  • Slide 76
  • DNS: Abuse for Reconnaissance. nslookup: get the name servers for a domain.
  • Slide 77
  • DNS: Abuse for Reconnaissance. HINFO records: host information (hardware and operating system).
  • Slide 78
  • DNS: Abuse for Reconnaissance. List the zone map information with a zone transfer: > ls -d engr.scu.edu in nslookup.
  • Slide 79
  • DNS: Abuses and Problems. DNS cache poisoning affects BIND versions before 8.1.1. Based on lack of authentication: some BIND versions cached every piece of DNS data they saw.
  • Slide 80
  • DNS Cache Poisoning attack on Hillary Clinton's run for Senate website: traffic to www.hillary2000.org (IP address 206.245.150.74) was redirected to www.hillaryno.com (IP address 206.245.150.74).
  • Slide 81
  • DNS Cache Poisoning. Step 1: Evil sends a bogus query to the victim's name server that contains the data "www.hillary2000.org at 206.245.150.74".
  • Slide 82
  • DNS Cache Poisoning. Step 2: The name server accepts the bogus information (even though it is contained in a query). Step 3: A victim requests the IP address of hillary2000.org and is directed to hillaryno.com. The vulnerability arises from the lack of authentication and from using data in queries to update entries at the queried server.
  • Slide 83
  • DNS Cache Poisoning: Birthday Attack. The attacker sends a large number of queries to a vulnerable name server asking for hillary2000. The name server generates one outgoing request per query, each with its own transaction ID. The attacker sends an equal number of phony replies with the poisoned data and guessed transaction IDs. With high probability, one of the phony answers carries the same transaction ID as one of the name server's outstanding requests.
  • Slide 84
  • DNS: The Bind Birthday Attack
  • Slide 85
  • DNS Cache Poisoning. Uses: redirect traffic to a fake PayPal or other e-commerce site; set up man-in-the-middle attacks. Defenses: the domain owner has to rely on the DNS system. The ISP name server admin needs to protect by updating BIND or replacing it with djbdns, and by running two name servers, one serving the public domain information to the outside and another for internal use. The end user has to rely on the DNS system.
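To make the poisoning slides concrete, here is an added example (my own code, not from the slides or from BIND) that builds a DNS query and an A-record response on the wire, applies the minimal acceptance checks a resolver must make before caching (transaction ID, QR bit, unchanged question section), and computes the success probability of a single forged reply versus the birthday attack. The function names, the 0x1234 transaction ID, and the independence approximation in `p_birthday` are my assumptions; the names and address are the ones from the Hillary2000 slides.

```python
import struct
from typing import List

DNS_ID_SPACE = 1 << 16                    # 16-bit transaction ID

def encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def skip_name(msg: bytes, off: int) -> int:
    """Offset just past the name at `off`; a compression pointer (2 bytes) ends a name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def question_section(msg: bytes) -> bytes:
    return msg[12:skip_name(msg, 12) + 4]          # name + qtype + qclass

def build_query(name: str, txid: int, qtype: int = 1) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)     # RD set, one question
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def build_response(query: bytes, ip: str, txid: int = -1, ttl: int = 3600) -> bytes:
    """Answer `query` with one A record. A forger calls this with a guessed txid."""
    if txid < 0:
        txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)     # QR, RD, RA; 1 question, 1 answer
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata   # name: pointer to the question
    return header + question_section(query) + answer

def response_matches(query: bytes, response: bytes) -> bool:
    """Checks a resolver must make before caching: same transaction ID, QR bit set,
    question echoed back unchanged. Real resolvers also match the UDP ports and
    only cache records inside the bailiwick of the server that answered."""
    if len(response) < 12 or response[:2] != query[:2]:
        return False
    if not struct.unpack("!H", response[2:4])[0] & 0x8000:
        return False
    return question_section(response) == question_section(query)

def a_records(response: bytes) -> List[str]:
    """IPv4 addresses in the answer section."""
    qdcount, ancount = struct.unpack("!HH", response[4:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(response, off) + 4
    ips = []
    for _ in range(ancount):
        off = skip_name(response, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in response[off:off + 4]))
        off += rdlen
    return ips

def p_guess(replies: int, space: int = DNS_ID_SPACE) -> float:
    """One outstanding query, `replies` forged replies with distinct guessed IDs."""
    return min(replies, space) / space

def p_birthday(queries: int, replies: int, space: int = DNS_ID_SPACE) -> float:
    """`queries` outstanding queries with distinct IDs and `replies` forged replies with
    independently random IDs: probability that at least one reply hits (approximation)."""
    return 1 - (1 - min(queries, space) / space) ** replies
```

With 700 outstanding queries and 700 forged replies the hit probability is above 99%, against about 1% for 700 guesses at a single query; the same arithmetic with the identifier space enlarged to 2^32 (random source port in addition to the transaction ID) brings it back below 0.1%, which is why port randomization became a standard resolver defence alongside the BIND upgrade mentioned on the slide. A forged reply whose transaction ID happens to match still passes `response_matches`, so the check limits the attacker's odds rather than removing them.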
  • Slide 86
  • Routing Local Routing Table: netstat -r
  • Slide 87
  • Static Routing. The IP layer searches the routing table in the following order: a matching destination host address; a matching destination network address; a default entry.
  • Slide 88
  • Routing. Static routes are typically added during the boot process and changed administratively with a route command. ICMP router discovery messages can also change the table.
  • Slide 89
  • Routing Changes. A host might have inefficient entries in its routing table. Two mechanisms update it: ICMP redirect messages, and the ICMP Router Discovery Protocol (IRDP), which needs to be enabled on the host.
  • Slide 90
  • Routing Changes: ICMP Redirect Message. A sends a message to D. A's routing table says to send it to B first.
  • Slide 91
  • Routing Changes: ICMP Redirect Message. B forwards to C, and B informs A with an ICMP redirect message that there is a direct route via C.
  • Slide 92
  • Routing Changes: ICMP Redirect Message. C forwards the packet to the target. A updates its routing table with a host route to D via C.
  • Slide 93
  • IRDP DoS Exploit. Attacker (E) sends a spoofed IRDP router advertisement to A. A updates its routing table with the bogus default gateway. A loses connectivity.
  • Slide 94
  • IRDP Windows Exploit. Windows (95, 98, 2000) and some Solaris systems were vulnerable. If a Windows host runs a Dynamic Host Configuration Protocol (DHCP) client, it obtains its default route from the DHCP server. ICMP router advertisements can be spoofed: the first router advertisement is checked for a correct IP address; the second is erroneously not.
  • Slide 95
  • IRDP Windows Exploit. Attacker sends two ICMP router advertisements to the victim. The victim updates its default gateway to an IP chosen by the attacker. Usable for man-in-the-middle attacks or DoS.
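The routing-table lookup order and the two ways the table gets changed (ICMP redirect, IRDP router advertisement) are small enough to model. This is an added example, not from the slides: a host routing table with longest-prefix lookup, an `apply_redirect` that performs the RFC 1122 sanity checks (the redirect must come from the current first hop for that destination, and the new gateway must be on a directly connected network), and an `apply_router_advertisement` that is ignored unless IRDP is enabled. The class and method names and the 10.0.0.0/24 topology are my assumptions.

```python
import ipaddress

class HostRoutingTable:
    """Host routing table with the lookup order from the slides: host route, then
    network route, then default entry (i.e. longest prefix match)."""

    def __init__(self, own_addr: str, prefix_len: int, default_gateway: str, irdp_enabled: bool = False):
        self.iface = ipaddress.ip_interface(f"{own_addr}/{prefix_len}")
        self.irdp_enabled = irdp_enabled             # off unless the admin turns it on
        self.routes = {
            self.iface.network: None,                # directly connected, no gateway
            ipaddress.ip_network("0.0.0.0/0"): ipaddress.ip_address(default_gateway),  # e.g. from DHCP
        }

    def lookup(self, dst: str):
        """Next-hop gateway for dst, or None when dst is on the local link."""
        dst = ipaddress.ip_address(dst)
        candidates = [net for net in self.routes if dst in net]
        return self.routes[max(candidates, key=lambda net: net.prefixlen)]

    def on_link(self, addr) -> bool:
        return ipaddress.ip_address(addr) in self.iface.network

    def apply_redirect(self, sender: str, dst: str, new_gateway: str, validate: bool = True) -> bool:
        """ICMP redirect from `sender`: 'reach dst via new_gateway'. RFC 1122 requires that
        the sender is our current first hop for dst and that new_gateway is directly
        reachable; validate=False reproduces the naive host in the slides."""
        sender_ip, gw = ipaddress.ip_address(sender), ipaddress.ip_address(new_gateway)
        if validate and (self.lookup(dst) != sender_ip or not self.on_link(gw)):
            return False
        self.routes[ipaddress.ip_network(f"{dst}/32")] = gw        # install a host route
        return True

    def apply_router_advertisement(self, sender: str, advertised: str) -> bool:
        """IRDP router advertisement replaces the default route. Ignored unless IRDP is
        enabled; even then only an on-link router advertising its own address is accepted,
        which does not stop an attacker on the same link, hence the advice to disable IRDP."""
        if not self.irdp_enabled:
            return False
        if sender != advertised or not self.on_link(advertised):
            return False
        self.routes[ipaddress.ip_network("0.0.0.0/0")] = ipaddress.ip_address(advertised)
        return True
```

In the scenario below, host A (10.0.0.10) has default gateway B (10.0.0.1); a redirect from B pointing at router C (10.0.0.2) is installed, a redirect from attacker E (10.0.0.66) is refused because E is not A's first hop, and a spoofed router advertisement from E is only effective once IRDP is enabled, after which all off-link traffic flows through E.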
  • Slide 96
  • ARP Poisoning. The Address Resolution Protocol associates MAC addresses with IP addresses. Four messages: ARP request: who has this IP? ARP reply: I have this IP, my MAC is ... Reverse ARP request: who has that MAC? Reverse ARP reply: I have that MAC, my IP is ...
  • Slide 97
  • ARP Poisoning. ARP is very efficient but does no authentication. Many OSes still accept ARP replies even without having sent an ARP request. ARP poisoning: spoofing an ARP packet with false ARP data.
  • Slide 98
  • ARP Poisoning, Denial of Service: a spoofed ARP message can associate the default gateway's IP address with a non-existent MAC. Traffic to the outside is then sent to a MAC nobody listens on and is lost.
  • Slide 99
  • ARP Poisoning, Man in the Middle: intercept traffic between devices A and B. A has IP I_A and MAC M_A. B has IP I_B and MAC M_B. The attacker has machine C with MAC M_C. Attacker sends an ARP reply to B: I_A is at M_C; B updates its ARP cache entry: I_A is at M_C. Attacker sends an ARP reply to A: I_B is at M_C; A updates its ARP cache entry: I_B is at M_C. A sends traffic for I_B in a link-layer frame addressed to M_C. C intercepts the packet and forwards it to M_B. Traffic from A to B (and vice versa) now flows through C.
  • Slide 100
  • ARP Poisoning: MAC flooding. Switches maintain a MAC-to-port table, so traffic only flows to the port of the destination. The attacker sends lots of frames with bogus ARP data, i.e. made-up source MACs; the switch's MAC table fills up. Switches either stop functioning (DoS attack) or fall back to hub mode. A switch in hub mode forwards every frame to all ports, which allows traffic to be sniffed.
  • Slide 101
  • ARP Poisoning. Small networks could use a static ARP table, which disables ARP learning: all ARP entries need to be entered and maintained by hand. Does not work with DHCP, and maintenance quickly becomes impossible as the network grows. Some Windows versions still accept and use dynamic ARP updates even if all entries are statically configured.
  • Slide 102
  • ARP Poisoning. Large networks: use port security features on higher-end switches, allowing only one MAC address per port; this prevents attackers from registering their MAC on more than one port. All networks: monitor ARP traffic with an ARP monitoring tool and alert when an IP-to-MAC binding changes or a reply arrives that nobody asked for.
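The ARP exchange from the "Link Layer: ARP Resolution" slide and the poisoning sequence from the man-in-the-middle slide can be replayed against the kind of ARP monitor the last slide recommends. This is an added example, not code from the slides or from any ARP monitoring product: it builds and parses RFC 826 ARP frames (42 bytes: 14-byte Ethernet header plus 28-byte ARP body, before padding) and feeds them to a passive monitor that learns IP-to-MAC bindings and flags unsolicited replies and binding changes. The function and class names, and the attacker MAC 0c:0c:0c:0c:0c:0c, are my assumptions; the addresses of A and 10.10.10.101 are taken from the slide.

```python
import struct
from typing import Dict, List, Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"
ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))

def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet frame carrying an ARP packet. Requests go to the broadcast MAC,
    replies unicast to the target (this is what tcpdump shows as 'arp 42')."""
    dst_mac = BROADCAST if op == ARP_REQUEST else target_mac
    eth = mac_bytes(dst_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)          # Ethernet, IPv4, hlen 6, plen 4, op
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp

def parse_arp(frame: bytes) -> Optional[Dict[str, object]]:
    """Decode an ARP-over-Ethernet frame; returns None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "eth_dst": mac_str(frame[:6]), "eth_src": mac_str(frame[6:12]),
            "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
            "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42])}

class ArpMonitor:
    """Passive ARP monitor: learns IP -> MAC bindings from replies that answer a seen
    request, and alerts on the symptoms of poisoning: a reply nobody asked for, a reply
    whose Ethernet source disagrees with its ARP sender, or a changed binding."""

    def __init__(self, static: Optional[Dict[str, str]] = None):
        self.table: Dict[str, str] = dict(static or {})
        self.pending = set()                 # IPs for which a request was seen
        self.alerts: List[str] = []

    def observe(self, frame: bytes) -> Optional[str]:
        p = parse_arp(frame)
        if p is None:
            return None
        alert = None
        if p["op"] == ARP_REQUEST:
            self.pending.add(p["target_ip"])
        elif p["op"] == ARP_REPLY:
            ip, mac = p["sender_ip"], p["sender_mac"]
            if p["eth_src"] != mac:
                alert = f"reply for {ip}: Ethernet source {p['eth_src']} != ARP sender {mac}"
            elif ip not in self.pending:
                alert = f"unsolicited reply: {ip} is-at {mac}"
            elif ip in self.table and self.table[ip] != mac:
                alert = f"binding change: {ip} was {self.table[ip]}, now {mac}"
            self.pending.discard(ip)
            if alert is None:
                self.table[ip] = mac          # learn only from answers that pass the checks
        if alert:
            self.alerts.append(alert)
        return alert
```

Against the slide's scenario, the monitor learns 10.10.10.101 is-at a0:a0:a0:a0:a0:a0 from the legitimate reply, flags the attacker's gratuitous reply as unsolicited, and, if the attacker instead races a real request, flags the binding change. A monitor of this kind sees only its own segment, so on a switched network it has to run on a mirror port or on the hosts themselves.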
  • Slide 103
  • IP Options enhance the IP protocol: Security, Stream Identification, Internet Timestamp, Loose Source Routing, Strict Source Routing, Record Route. The routing options are security risks.
  • Slide 104
  • IP Route Options. Loose Source Routing specifies a list of nodes the datagram must pass through, in order, with any route in between. Strict Source Routing specifies the beginning of the route (up to 9 nodes) completely, hop by hop. Record Route does not alter the routing but requires that every forwarding node record its address.
  • Slide 105
  • Detecting IP Source Routing. The IP header is larger than 20 bytes (IHL > 5), and the first option byte has hex value 0x83 (loose source routing) or 0x89 (strict source routing). tcpdump/BPF filter: ip[0] & 0x0f > 5 and (ip[20] = 0x83 or ip[20] = 0x89)
  • Slide 106
  • Source Route Exploit. A spoofing host uses source routing through a host trusted by the victim, so that traffic with the trusted host's address is routed via the attacker. The victim decides that the traffic comes from the trusted host. Therefore firewalls need to drop source-routed packets, or the network admin needs to disable trust relationships based on source address.
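The BPF filter on the detection slide inspects only the first option byte (ip[20]); a No-Operation option placed in front of the source route option would slip past it. As an added example (my own code, not from the slides or from tcpdump), the following builds an IPv4 header with a source route option and walks the whole options area, so that loose (0x83) and strict (0x89) source routing are found wherever they sit. The helper names and the sample addresses are my assumptions; the option type values are the ones on the slide.

```python
import struct
from typing import List, Optional, Tuple

IPOPT_EOL, IPOPT_NOP = 0, 1
IPOPT_RR, IPOPT_LSRR, IPOPT_SSRR = 0x07, 0x83, 0x89
SOURCE_ROUTE_OPTS = {IPOPT_LSRR: "loose", IPOPT_SSRR: "strict"}

def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))

def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def source_route_option(hops: List[str], kind: int = IPOPT_LSRR) -> bytes:
    """Source route option: type, length, pointer (4 = first address), then 4-byte hops."""
    data = b"".join(ip_bytes(h) for h in hops)
    return bytes([kind, 3 + len(data), 4]) + data

def build_ipv4(src: str, dst: str, payload: bytes = b"", proto: int = 6, options: bytes = b"") -> bytes:
    """Minimal IPv4 header (checksum left zero) with options padded to a 4-byte boundary."""
    options = options + b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    total = ihl * 4 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, 64, proto, 0,
                         ip_bytes(src), ip_bytes(dst))
    return header + options + payload

def ip_options(packet: bytes) -> List[Tuple[int, bytes]]:
    """Walk the options area between byte 20 and IHL*4; returns (type, option data)."""
    ihl = packet[0] & 0x0F
    end = ihl * 4
    opts, off = [], 20
    while off < end:
        kind = packet[off]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            off += 1
            continue
        length = packet[off + 1]
        if length < 2 or off + length > end:
            raise ValueError("malformed IP option")
        opts.append((kind, packet[off + 2:off + length]))
        off += length
    return opts

def source_route(packet: bytes) -> Optional[Tuple[str, List[str]]]:
    """('loose' | 'strict', [hop addresses]) if the packet is source routed, else None.
    Same intent as the slide's filter ip[0] & 0x0f > 5 and (ip[20] = 0x83 or ip[20] = 0x89),
    but it looks past NOPs and other options instead of only at byte 20."""
    for kind, data in ip_options(packet):
        if kind in SOURCE_ROUTE_OPTS:
            hops = [ip_str(data[i:i + 4]) for i in range(1, len(data) - 3, 4)]  # data[0] is the pointer
            return SOURCE_ROUTE_OPTS[kind], hops
    return None

def bpf_first_byte_match(packet: bytes) -> bool:
    """Literal equivalent of the slide's filter, for comparison."""
    return (packet[0] & 0x0F) > 5 and packet[20] in (IPOPT_LSRR, IPOPT_SSRR)
```

The test below shows the difference: a packet whose options begin with a NOP followed by a strict source route is missed by the byte-20 check but found by the option walk. In a real capture the same walk should be applied to every packet with IHL > 5.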
  • Slide 107
  • Internet Group Management Protocol (IGMP), defined by RFC 1112. IGMP messages use IP protocol 2. IGMP messages are used to join and leave multicast groups.