Networks & Security Course. Web of Trust and Network Forensics

Academic year: 2021

(1)

Networks & Security Course

Web of Trust and Network Forensics

(2)

Virtual Machine

• Virtual Machine – Internet connection

• You need to connect the VM to the Internet for some of the ‘Web of Trust’ exercises.

• Make sure the firewall does not block connections coming from VirtualBox / VMware.

• Ensure the time in the VM is set (approximately) correctly (see next slide)

− needed for some services

• Some exercises require sharing files

• can use the TU/e FTP server (see below)

• or USB sticks

(3)

Virtual Machine – Enable Network Time

If date/time is off in your virtual machine:

1. Right click the date in the bar, select ‘Adjust Date and Time’

2. Click ‘Unlock’ in the Date and Time screen

• You will be prompted for a password when trying to change the settings (‘secnet’ by default).

3. Turn on ‘Network Time’

(4)

TU/e FTP Server

• An unsafe and public medium: plain FTP is unencrypted and the files are visible to everyone, so only upload material that is meant to be public (your public key, signed or encrypted files).

• You can use Debian’s own file browser to connect.

• Places > Connect to Server

• Server: ftp.tue.nl

(5)

Web of trust

PGP & OpenPGP

GnuPG

Seahorse

Introduction to Network Forensics

Wireshark basics

Recognizing attacks

(6)

OpenPGP and GnuPG

OpenPGP (PGP = ‘Pretty Good Privacy’) is the widely used standard (RFC 4880) for public-key encryption and digital signing of messages and files; GnuPG (gpg) is a free implementation of OpenPGP.

Web of trust: a decentralized method of establishing that a public key really belongs to the named person, as opposed to relying on a certificate authority. The participants issue the certificates themselves: each one digitally signs (public key, user ID) pairs of people whose identity they have verified, and publishes those signatures. This typically happens at a ‘key signing party’, where people meet physically, check each other’s identity documents and key fingerprints, and then sign each other’s keys (like the one in this lab).

• Tool required:

• GPG, command-line tool

(7)

OpenPGP and GnuPG

Background information:

• Section 8.5 of the textbook

• http://cryptnet.net/fdp/crypto/keysigning_party/en/keysigning_party.html

(8)

Seahorse – a GUI for GnuPG

03-Jun-15

• Can be used to create keys and view the keys available in your ‘keyring’.

• Is helpful, but you still need the command-line tool ‘gpg’ to interact with the key server and to encrypt/decrypt files.

(9)

Exercise 1.1

• Generate a public key.

• File > New > PGP key

• Enter your details and click ‘Create’.

(10)

Exercise 1.1

• Your key should appear in the GnuPG keys list.

• You can use the ‘View’ menu to filter the public keys (those created by you / those you signed etc.)

• The RSA public key is long. There is a key ID and a fingerprint to identify it more easily. Right click and select ‘Properties’ for the details. Note that the short key ID is not unique; when in doubt, compare the full fingerprint.

(11)

Exercise 1.2

• Share your public key with others. You can use a key server to do it. Alternatively you can upload it somewhere, share it via USB stick, etc.

• Use the command-line tool ‘gpg’ to upload your key to the server (don’t use the graphic front-end; it does not play nicely with key servers). Only the public key leaves your machine; the private key stays in your keyring.

(12)

Exercise 1.3

• Import some keys into your keyring and sign them, but only after verifying the identity of the owner: compare the full key fingerprint with the one the owner reads out in person, and check their ID.

• This builds the web of trust. Try to create a connected web rather than isolated clusters.

• If your classmates shared their keyring via the key server:

(13)

Exercise 1.3

• The keys you imported will show up in the front-end. By default the front-end only shows the keys you created, so make sure to select View > Show any to display all keys.

• You can sign the keys via command-line or the graphical interface. Command line:

• gpg -u <your key ID> --sign-key <imported key ID>

• After signing your peer’s key, update the key server:

gpg --send-keys <peer signed key ID>

(might take a minute or two for the key server to reflect the update)

• Update your keyring by adding some keys that are signed by other classmates:

(14)

Exercise 1.4

• Create a text file and sign it with your private key; your peers verify the signature with your public key. Transfer it to a public medium (e.g. TU/e FTP server). Verify the signatures of your peers.

Sign a file: gpg -u <key ID> --sign <filename>

(-u selects which of your keys signs; the output <filename>.gpg contains the file together with the signature)

Decrypt file & verify sender: gpg -u <key ID> --decrypt <filename>

(outputs the original content and reports which key made the signature)

Verify sender only: gpg -u <key ID> --verify <filename>

Note that a signature only proves origin and integrity: the signed file is not encrypted and anyone who downloads it can read it.

(15)

Exercise 1.5

• Create a text file and encrypt it with a recipient’s public key. Transfer it to a public medium (e.g. TU/e FTP server). Decrypt a message sent to you and attempt to decrypt a message intended for someone else.

Encrypting: gpg --encrypt <filename>

You’ll be prompted for the recipient’s key ID; the result, <filename>.gpg, can only be decrypted (gpg --decrypt) by whoever holds the matching private key. Add -u <key ID> --sign to sign the file as well, so the recipient also learns who sent it. Decrypting a file meant for someone else fails with ‘decryption failed: No secret key’.

(16)

Conclusions Web of Trust

• You’ve established a web of trust for the class.

• The stronger the connection between you and some key, the greater the level of trust you can place in it.

− full trust in keys you checked directly (fingerprint compared with the owner in person)

− you can also trust keys signed by keys you trust; with GnuPG’s defaults a key becomes valid when it is signed by one fully trusted key or by three marginally trusted keys, at most five certification steps away from your own key

• You’ve used the trusted keys to securely share files

• where secure = confidentiality (encryption), integrity and authenticity (signature) of the file

• the same keys can be used to send secure e-mails
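The rule described above (and the web-of-trust definition on the OpenPGP slide) is what GnuPG computes when it decides whether an imported key is ‘valid’. The following Python script is an added example, not part of the lab material or of GnuPG itself: it re-implements the classic trust model’s validity calculation over a keyring described as (signer, signee) pairs plus the owner trust you assign. The key names, signatures and trust values are constructed; the thresholds are gpg’s documented defaults (--completes-needed 1, --marginals-needed 3, --max-cert-depth 5).

```python
# Added example (not from the lab slides, not GnuPG code): how GnuPG's classic
# trust model derives key *validity* from the certifications in your keyring
# plus the *owner trust* you assigned. Keys, signatures and trust values below
# are constructed for illustration; thresholds are gpg's defaults.
from collections import defaultdict

COMPLETES_NEEDED = 1   # one fully trusted signer is enough (--completes-needed)
MARGINALS_NEEDED = 3   # or three marginally trusted signers (--marginals-needed)
MAX_CERT_DEPTH = 5     # longest certification chain from your key (--max-cert-depth)


def compute_validity(signatures, owner_trust,
                     completes_needed=COMPLETES_NEEDED,
                     marginals_needed=MARGINALS_NEEDED,
                     max_depth=MAX_CERT_DEPTH):
    """Return {key: 'full' | 'marginal' | 'unknown'}.

    signatures : iterable of (signer, signee) pairs, i.e. a certification on signee's key
    owner_trust: {key: 'ultimate' | 'full' | 'marginal' | 'unknown'}, how much you trust
                 that key's owner to verify *other* people's identities
    """
    signers_of = defaultdict(set)
    keys = set(owner_trust)
    for signer, signee in signatures:
        if signer != signee:              # self-signatures never confer validity
            signers_of[signee].add(signer)
        keys.update((signer, signee))

    # Depth 0: your own (ultimately trusted) keys are valid by definition.
    validity = {k: "unknown" for k in keys}
    for k, t in owner_trust.items():
        if t == "ultimate":
            validity[k] = "full"

    # Each round adds one certification step. A signer only counts if its key is
    # already fully valid (you know the key is genuine) AND you trust its owner.
    for _depth in range(1, max_depth + 1):
        newly_valid = []
        for k in keys:
            if validity[k] == "full":
                continue
            fulls = marginals = 0
            for s in signers_of[k]:
                if validity[s] != "full":
                    continue
                t = owner_trust.get(s, "unknown")
                if t in ("ultimate", "full"):
                    fulls += 1
                elif t == "marginal":
                    marginals += 1
            if fulls >= completes_needed or marginals >= marginals_needed:
                newly_valid.append(k)
            elif fulls or marginals:
                validity[k] = "marginal"   # some trusted signers, but not enough
        if not newly_valid:
            break
        for k in newly_valid:               # applied after the pass: one step per round
            validity[k] = "full"
    return validity


# Constructed class keyring; 'me' is the user's own key.
SIGNATURES = [
    ("me", "bob"), ("me", "carol"), ("me", "dave"), ("me", "erin"),  # checked in person
    ("bob", "frank"),                                                # bob vouches for frank
    ("carol", "grace"), ("dave", "grace"), ("erin", "grace"),        # three marginal signers
    ("carol", "heidi"), ("dave", "heidi"),                           # only two marginal signers
    ("frank", "ivan"),                                               # frank has no owner trust
]
OWNER_TRUST = {"me": "ultimate", "bob": "full",
               "carol": "marginal", "dave": "marginal", "erin": "marginal"}

if __name__ == "__main__":
    for key, v in sorted(compute_validity(SIGNATURES, OWNER_TRUST).items()):
        print(f"{key:6} {v}")
```

Run it and ‘grace’ comes out fully valid although you never checked her key yourself, because three classmates you trust marginally did; ‘heidi’, with only two such signatures, is marginal, and ‘ivan’ stays unknown because ‘frank’ is valid but you assigned him no owner trust. Signing a key (--sign-key) and trusting its owner (trust in gpg --edit-key) are separate decisions, and only the second lets that key vouch for others.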

(17)

Network Forensics

Forensics:

• Analysis of logs or network trace files after the attack has happened.

Tools needed:

• Wireshark and your favorite search engine

(18)

PCAP Files

• Network traffic data captured during the attacks.

• Relatively small and filtered: they contain only the traffic between attacker and victim. A PCAP from an actual personal computer will show much more variety in traffic.

• In some of the PCAPs the attacker uses exploits and malware to break into the victim’s system, so the captures contain live malicious payloads.

• If you choose to use your own PC instead of the virtual machine, the malware binaries in the files may trigger your anti-virus. The bytes are inert while they sit inside the capture; the risk starts when you export them (e.g. File > Export Objects) and run them on a vulnerable Windows host, so never execute extracted files outside the isolated VM.

(19)

Wireshark

• Analyzes network traffic and decodes (dissects) a wide variety of protocols.

• Can be used for live capture as well; in this lab we use it for offline forensics on saved PCAP files.

• Dissection is not perfect: Wireshark may mis-decode or miss data if the capture started in the middle of a connection, if a service runs on a non-standard port (use Analyze > Decode As to tell it which dissector to apply), or if a dissector has a bug.

• Features particularly useful for this exercise:

• Statistics (Summary, Conversations, Endpoints, Protocol Hierarchy), Analyze (Decode As, Follow TCP Stream)

(20)

Wireshark - Filtering

• Display filters let you focus on the relevant part of the traffic. Packets can be filtered by host, protocol, time, TCP flags, stream index, etc.

• More about filters:

• https://www.wireshark.org/docs/wsug_html_chunked/ChWorkBuildDisplayFilterSection.html

• Filter reference (per protocol):

(21)

Wireshark – Filter examples

• All packets from the IP 10.10.0.1:

• ip.src eq 10.10.0.1

• All TCP packets:

• tcp

• All TCP packets with the source 443:

• tcp.srcport eq 443

• All HTTP traffic:

• http

(22)

Wireshark – Filter examples

• All TCP packets except HTTP traffic:

• tcp and (not http)

• All HTTP communication between 10.10.10.10 and 10.10.0.1:

• (ip.addr eq 10.10.10.10) and (ip.addr eq 10.10.0.1) and http

• TCP packets with the SYN flag set to 1 (connection attempts, the signature of a port scan):

• tcp.flags.syn == 1

(23)

Wireshark – Statistics

• The Statistics menu is useful for getting an overview of the traffic.

• Statistics > Conversations to list the TCP sessions (and how much data each pair of hosts exchanged).

• Statistics > Protocol Hierarchy to find out which protocols are used in the capture.

• Statistics > Endpoints to list the hosts.

(24)

Wireshark - Stream

• Right click on a packet and choose ‘Follow TCP Stream’ (or UDP Stream) to view the whole conversation of a specific session, reassembled in order.

• Particularly helpful with text-based protocols such as HTTP, SMTP and FTP.

(25)

Exercise 2: Classify the attacks

• Four PCAP files are given in the folder: ~/PCAP.

• Each contains a traffic capture from one attack. Identify the attack in each file as one of the following:

1. Spear phishing (by user clicking on a malicious link)

2. TCP port scan

3. Buffer overflow over a Windows service

4. Malicious PHP query against a Web server
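Before opening each file in Wireshark it helps to know what the ‘TCP port scan’ case looks like at the packet level, and to pull out the request lines that ‘Follow TCP Stream’ would show for the web-server case. The script below is an added example, not one of the lab’s PCAPs or tools: a minimal pure-Python pcap reader (classic pcap, Ethernet/IPv4/TCP only) with two triage helpers. It builds its own constructed captures so it runs offline; the attacker/victim addresses, ports, the HTTP request and the min_ports threshold are assumptions for illustration.

```python
# Added example (not one of the lab's PCAPs or tools): a minimal pcap reader in
# pure Python plus two triage helpers: flag TCP port scans (many bare SYNs from
# one source) and list HTTP request lines, the text 'Follow TCP Stream' shows.
# Ethernet/IPv4/TCP only. Captures, addresses, ports and the min_ports
# threshold are constructed assumptions for illustration.
import socket
import struct
from collections import defaultdict

SYN, ACK, PSH = 0x02, 0x10, 0x08


def _tcp_frame(src, dst, sport, dport, flags, payload=b""):
    """Build an Ethernet/IPv4/TCP frame (checksums left zero; it is never sent)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip          # zero MACs, EtherType IPv4


def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap (magic 0xa1b2c3d4, linktype 1)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", i, 0, len(f), len(f)) + f)   # ts_sec, ts_usec, lens
    return b"".join(out)


def parse_pcap(data):
    """Yield (src, dst, sport, dport, flags, payload) for every IPv4/TCP frame."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng or nanosecond pcap?)")
    off = 24                                          # skip the global header
    while off + 16 <= len(data):
        _sec, _usec, incl, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                  # not IPv4 over Ethernet, or not TCP
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]     # skip the IP header incl. options
        if len(tcp) < 20:
            continue                                  # cut off by the snaplen
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield (socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]),
               sport, dport, tcp[13], tcp[(tcp[12] >> 4) * 4:])


def port_scan_sources(packets, min_ports=10):
    """Sources that sent SYN-without-ACK to at least min_ports distinct (host, port) targets."""
    probed = defaultdict(set)
    for src, dst, _sp, dport, flags, _payload in packets:
        if flags & SYN and not flags & ACK:
            probed[src].add((dst, dport))
    return {src: len(t) for src, t in probed.items() if len(t) >= min_ports}


def http_request_lines(packets):
    """(src, dst, dport, request line) for every segment that starts an HTTP request."""
    found = []
    for src, dst, _sp, dport, _flags, payload in packets:
        if payload[:4] in (b"GET ", b"POST") and b"\r\n" in payload:
            found.append((src, dst, dport, payload.split(b"\r\n", 1)[0].decode("ascii", "replace")))
    return found


def classify(pcap_bytes):
    """Coarse first pass; anything it cannot name still needs a look in Wireshark."""
    packets = list(parse_pcap(pcap_bytes))
    scanners = port_scan_sources(packets)
    if scanners:
        return "TCP port scan", scanners
    requests = http_request_lines(packets)
    if requests:
        return "HTTP traffic, inspect request lines", requests
    return "unclassified", len(packets)


# Constructed sample captures (attacker 10.10.0.1, victim 10.10.10.10).
ATTACKER, VICTIM = "10.10.0.1", "10.10.10.10"
SCAN_PCAP = build_pcap(
    [_tcp_frame(ATTACKER, VICTIM, 40000 + i, p, SYN)
     for i, p in enumerate((21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389))]
    + [_tcp_frame(VICTIM, ATTACKER, 80, 40005, SYN | ACK)])   # only port 80 answers
WEB_PCAP = build_pcap([
    _tcp_frame(ATTACKER, VICTIM, 51000, 80, SYN),
    _tcp_frame(VICTIM, ATTACKER, 80, 51000, SYN | ACK),
    _tcp_frame(ATTACKER, VICTIM, 51000, 80, ACK | PSH,
               b"GET /index.php?page=../../../../etc/passwd HTTP/1.1\r\nHost: 10.10.10.10\r\n\r\n"),
])

if __name__ == "__main__":
    print(classify(SCAN_PCAP))
    print(classify(WEB_PCAP))
```

The port-scan heuristic counts bare SYNs per source, the same signal you get in Wireshark from the filter tcp.flags.syn == 1 and tcp.flags.ack == 0 grouped by source address; the victim’s answers (RST/ACK for closed ports, SYN/ACK for open ones) are not counted. Tune min_ports to the capture: a busy client legitimately opens many connections to one port, but rarely to dozens of different ports within seconds.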
