Embed Size (px)
Citation preview
Network Forensics
Networking BasicsCollecting Network-Based Evidence (NBE)Collection of Packets using ToolsWindows IntrusionUNIX Intrusion
OSI Layers
Taken from Forouzan: TCP/IP Protocol Suite
Source to Destination Delivery
Taken from Forouzan: TCP/IP Protocol Suite
Physical Addresses
A node with physical address 10 sends a frame to a node with physical address 87. The two nodes are connected by a link. At the data link level this frame contains physical (link) addresses in the header. These are the only addresses needed. The rest of the header contains other information needed at this level. The trailer usually contains bits needed for error detection.
Taken from Forouzan: TCP/IP Protocol Suite
Physical AddressesAlso called mac addresses...
Most local area networks use a 48-bit (6 bytes) physical address written as 12 hexadecimal digits, with every byte separated by a colon as shown below:
7B : 05 : 4C : A9 : 62 : 83
IP Addresses
As the message moves through the Internet, notice how the IP addresses stay the same, but the physical addresses change.
Why are physical addressesnot sufficient?
Taken from Forouzan: TCP/IP Protocol Suite
IP AddressesAlso called network address, logical address
An Internet address (network address, logical address) is 32 bits in length, normally written as four decimal numbers, with each number representing 1 byte. The numbers are separated by a dot, thus the notation is often called dotted decimal notation.
179. 84. 31. 8
Port Addresses
A port address uniquely identifies a network application such as http, email, ftp, etc. and is a 16-bit decimal number such as 176.Taken from Forouzan: TCP/IP Protocol Suite
Collecting Network-Based Evidence Types of NBE
Full content data Every packet is captured Excellent for analysis, but requires much work
Session data Summaries of data transfer, including time and
duration of transfer, and parties involved Alert data
Responding to occurrence of a keyword (shipment)
Statistical data Examining which services or protocols are being
used more and for longer periods of time
Evidence Collection
NBE collected: Before a compromise: proactive network
security monitoring (NSM) During a compromise: reactive NSM
Standard Intrusion Attack Intrusion Phases
1. Reconnaissance: intruder (1st IP address) checks connectivity and vulnerabilities of Web server (victim)
2. Exploitation: launch attack from 2nd IP address against Web server
3. Reinforcement: store tools at 3rd IP address, connect to Web server (backdoor)
4. Consolidation: intruder communicates with backdoor using 4th IP address
5. Pillage: sensitive information is stolen, or base built for further attacks
Taken from Jones, et al Real Digital Forensics
Attack Phases
IP Address 5?
IP Address 4
IP Address 3
IP Address 2IP Address 1
Victim
Phase 1:Reconnaissance
Phase 5:Pillage
Phase 4:Consolidation
Phase 3:Reinforcement
Phase 2:Exploitation
Gaining access to network traffic Hubs
A hub forwards a packet to all ports other than the one that received it, thus, all traffic passing by can be seen and collected
Taps Test Access Ports are placed between a firewall
and router or between switches; cost is ~ 4 or 5 times that of hubs
Inline device – homemade tap; computer that supports bridging
Switched Port Analyzer (SPAN port) – copy to a mirror port on the switch
Tools
Full Content: Tcpdump, Ethereal, Flowgrep, hexdump
Session: Argus can also run in live mode, Tcptrace
Alert: Snort, Bro
Statistical: Tcpdstat, Tcpstat
Windows Intrusion Situation
BankTwo collected network-based evidence while troubleshooting a network problem. The bank did not have a full suite of security monitoring tools, but it was collecting full content data to learn about the network’s performance.
Tcpdump was running on a Linux monitoring platform sitting on a hub with visibility to the victim system 103.98.91.41.
Using Tcpdump
The command used:tcpdump –n –i eth0 –s 1515 –w
capture_file.lpc-n disables translation of IP addresses to host
names and port numbers to service names-i eth0 specifies running against the promiscuous
interface (receives all packets on the network segment)
-w capture_file.lps writes the output to a file on the monitoring station’s hard drive
Statistical Data using Tcpdstat
The command:tcpdstat s2a.lpc > s2a.tcpdstat.txt
Generates: number of packets, average rate, # of source and destination pairs and protocols used
DumpFile: s2a.lpcFileSize: 8.21MBId: 200309231852StartTime: Tue Apr 08 12:03:29 2009EndTime: Tue Apr 08 12:03:29 2009TotalTime:# of packets: 26084 (7.81MB)AvgRate: 1.10Mbps stddev:0.56M
### IP address information #### of IPv4 addresses: 4
File size
Rate
Statistical Data using Tcpdstat### Protocol Breakdown ###protocol packets bytes bytes/pkt
-----------------------------------[0] total 26084 (100%) 8187014 (100%) 313.87[1] ip 26084 (100%) 8187014 (100%) 313.87[2] tcp 26077 (99.97%) 8186206 (99.9%) 313.92[3] http(s) 11344 (43.49%) 6914617 (84.46%) 609.54[3] http(c) 11491 (44.05%) 1076775 (13.15%) 93.71[3] squid 4 (0.02%) 240 (0.00%) 60.00[3] smtp 3 (0.01%) 180 (0.00%) 60.00[3] ftp 2 (0.01%) 120 (0.00%) 60.00[3] telnet 2 (0.01%) 120 (0.00%) 60.09...[3] other 3213 (12.32%) 193074 (2.36%) 60.00[3] udp 4 (0.02%) 618 (0.01%) 154.50...Notice web servers sending 43.49% of packets, web clients sending 44.05%, and “other” sending
12.32%.
Alert data using Snort[**] [1:1668:5] WEB-CGI /cgi/bin/ access [**][Classification: Web Application Attack] [Priority:1]04/08-12:03:29 322441 95.16.3.79:51767 -> 103.98.91.41:80TCP TTL:63 TOS:0x0 ID:13538 IpLen:20 DgmLen:181 DF***AP*** Seq: 0xA50D689C Ack: 0x1EDB04F1 Win: 0x8218 TcpLen:32TCP Options (3) => NOP NOP TS: 1462497415 0
[**] [1:1201:6] ATTACK RESPONSES 403 FORBIDDEN [**][Classification: Attempted Information Leak] [Priority:2]04/08-12:03:29 421027 103.98.91.41:80 -> 95.16.3.79:51773 -> 103.98.91.41:80TCP TTL:128 TOS:0x0 ID:516 IpLen:20 DgmLen:386 DF***AP*** Seq: 0x1EDFB033 Ack: 0x7E945F39 Win: 0x43EF TcpLen:32TCP Options (3) => NOP NOP TS: 120360 1462497415
Source IP @ is 95.16.3.79 and destination is 103.98.91.41 – the victim Web server. This looks like pre-attack reconnaissance against the Web server.
Session data using Argus Transform the data into session data:
argus –d -r s2a.lpc –w s2a.argus // -d run in background// -r read from filename//-w write Argus results to file
Next, run Argus’ ra client to view it in text-based form:ra –a –c –n –r s2a.argus | grep –v drops > s2a.argus.all.txt // -a give summary statistics
// -c count bytes in packets
// grep –v remove status rpt
Date Time Proto SourceIP.Port DestIP.Port SrcPkts DstPkts SrcBytes DestBytes Session Close
08 Apr 09 12:03:29 tcp 95.16.3.23.1044 -> 103.98.91.41.80 6 7 906 4909 EST08 Apr 09 12:04:41 tcp 95.16.3.70.53236 -> 103.98.91.41.80 6 6 545 3791 FIN
...scanning for web vulnerabilities
Session data using Argus...later
Date Time Proto SourceIP.Port DestIP.Port SrcPkts DstPkts SrcBytes DestBytes Session Close
08 Apr 09 12:04:41 tcp 95.16.3.23.47990 -> 103.98.91.41.1359 1 1 54 54 RST08 Apr 09 12:04:41 tcp 95.16.3.70.47990 -> 103.98.91.41.305 1 1 54 54 RST08 Apr 09 12:04:41 tcp 95.16.3.23.47990 -> 103.98.91.41.698 1 1 54 54 RST08 Apr 09 12:04:41 tcp 95.16.3.70.47990 -> 103.98.91.41.155 1 1 54 54 RST
... Notice that only the port number differs in each transmission. This pattern indicates port scanning, searching for open ports. If one is found open, the sender could try to make a connection...
