
COMP 2555: Principles of Computer Forensics

Autumn 2014 http://www.cs.du.edu/2555

Network Forensics

1

Network Forensics Overview

- Network forensics
  - Systematic tracking of incoming and outgoing traffic
  - To ascertain how an attack was carried out or how an event occurred on a network
- Intruders leave a trail behind
  - Knowing your network's typical traffic patterns is important
- Determine the cause of the abnormal traffic
  - Internal bug
  - Attackers

L15: Network Forensics

2

Securing a Network

- Layered network defense strategy
  - Sets up layers of protection to hide the most valuable data at the innermost part of the network
  - Deeper resources are difficult to get to
  - More safeguards in place
- Defense in depth (DiD)
  - Similar layered approach developed by the NSA
  - Modes of protection: people, technology, operations

3

Securing a Network (contd.)

- Testing networks is as important as testing servers
- You need to be up to date on the latest methods intruders use to infiltrate networks
  - As well as methods internal employees use to sabotage networks
- You should be proactive in this game
  - Ensuring that network activities are normal
  - Having enough data to analyze a compromised network

4

Procedures for Network Forensics

- Computer forensics
  - Work from a disk image to find what has changed
- Network forensics
  - Restore drives from their images to understand how the attack unfolded
- Work on an isolated system
  - Prevents malware on the restored system from affecting other systems

5

Network Logs

- Record incoming and outgoing traffic
  - Network servers
  - Routers
  - Firewalls
- tcpdump: tool for capturing and examining network traffic
  - Its output (or a capture saved with -w) can be post-processed into top 10 lists (hosts, ports, protocols)
  - Helps identify patterns

6

Sample Record in a Network Log

12:22:41.019630 IP (tos 0x0, ttl 64, id 15979, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 0 (->f0fd)!)
    130.253.190.122.60086 > 74.125.127.102.80: Flags [F.], cksum 0x0b82 (incorrect -> 0xa091), seq 3907206118, ack 447866512, win 65535, options [nop,nop,TS val 677501972 ecr 940801331], length 0
    0x0000:  4500 0034 3e6b 4000 4006 0000 82fd be7a  E..4>k@.@......z
    0x0010:  4a7d 7f66 eab6 0050 e8e3 3be6 1ab1 e690  J}.f...P..;.....
    0x0020:  8011 ffff 0b82 0000 0101 080a 2861 dc14  ............(a..
    0x0030:  3813 7d33                                8.}3

(Output of tcpdump -v -X. The IP and TCP checksums are flagged as bad because the capturing host offloads checksum computation to the NIC: outgoing packets are captured before the checksum fields are filled in. The value after "->" is the correct one.)

7

Using Network Tools

- Sysinternals
  - A collection of free tools for examining Windows systems
- Examples of the Sysinternals tools:
  - RegMon shows Registry activity in real time
  - Process Explorer shows what is loaded (processes, DLLs, handles)
  - Handle shows open files and the processes using them
  - Filemon shows file system activity
  - RegMon and Filemon have since been merged into Process Monitor

8

Using Network Tools (contd.)

- Tools from the PsTools suite created by Sysinternals
  - PsExec runs processes remotely
  - PsGetSid displays a security identifier (SID)
  - PsKill kills a process by name or ID
  - PsList lists details about processes
  - PsLoggedOn shows who's logged on locally
  - PsPasswd changes account passwords
  - PsService controls and views services
  - PsShutdown shuts down and restarts PCs
  - PsSuspend suspends processes

9

Using UNIX/Linux Tools

- Knoppix Security Tools Distribution (STD)
  - Bootable Linux CD intended for computer and network forensics
- Knoppix-STD tools
  - dcfldd: enhanced version of dd from the U.S. DoD Computer Forensics Lab (hashing and status output)
  - memfetch: forces a memory dump of a running process
  - photorec: carves lost files (originally photos from camera media) from a disk or card
  - snort: an intrusion detection system
  - oinkmaster: helps manage your snort rules
  - john: a password cracker
  - chntpw: resets passwords on a Windows PC
  - tcpdump and ethereal (now Wireshark): packet sniffers

10

Networking in a Nutshell

[Figure: the TCP/IP model, and how a packet is built up from the model's layers]

11

TCP/IP Model

- Application Layer: handles application-level communication, e.g. how an FTP client talks to an FTP server
- Transport Layer: packages data so it can be sent in chunks; addresses the application on the host (port numbers), etc.
- Internet Layer: handles route discovery, i.e. how to reach the destination machine
- Link Layer: moves frames between two hosts over a physical medium

12

A Packet

Encapsulation (each layer's payload carries the next layer's header and payload):

    | Link Layer Header | Internet Layer Header | Transport Layer Header | Application Layer Header | Application Data |
                        |<------------------------------ Link Layer Payload ---------------------------------------->|
                                                |<------------------ Internet Layer Payload ---------------------->|
                                                                         |<------ Transport Layer Payload -------->|

13

Transport Layer Header

A TCP header (byte offsets within the TCP header):

    0x00  Source Port (16 bits)                 Destination Port (16 bits)
    0x04  Sequence Number (32 bits)
    0x08  Acknowledgement Number (32 bits)
    0x0C  Data Offset (4 bits, in 32-bit words), Reserved (4 bits), Flags (8 bits, byte 0x0D: CWR ECE URG ACK PSH RST SYN FIN)
    0x0E  Window Size (16 bits)
    0x10  Checksum (16 bits)                    Urgent Pointer (16 bits)
    0x14  Options (variable; present when Data Offset > 5)

14

Internet Layer Header

An IP (IPv4) header (byte offsets within the IP header):

    0x00  Version (4 bits), Header Length (4 bits, in 32-bit words), Type of Service (8 bits), Total Length (16 bits)
    0x04  Identification (16 bits), Flags (3 bits), Fragment Offset (13 bits)
    0x08  Time To Live (8 bits), Protocol (8 bits; 6 = TCP), Header Checksum (16 bits)
    0x0C  Source IP Address (32 bits)
    0x10  Destination IP Address (32 bits)
    0x14  Options (variable; present when Header Length > 5)

15

Link Layer Header

An 802.3 (Ethernet) frame:

    Preamble (7 bytes) | Start-of-Frame Delimiter (1) | MAC Destination (6) | MAC Source (6) | 802.1Q tag (4, optional) | EtherType (2) | Link Layer Payload (46-1500) | CRC-32 (4)

(Captures normally begin at the destination MAC: the preamble and SFD are consumed by the NIC, and the CRC is usually stripped too.)

16

TCP/IP Flags

- The flags byte is at offset 0x0D (13) in the TCP header; its bits, from most to least significant, are

      CWR ECE URG ACK PSH RST SYN FIN   (8 bits)

- SYN packet has the corresponding bit set
  - Flags = 0b00000010 = 0x02
- SYN/ACK packet
  - Flags = 0b00010010 = 0x12
- ACK packet
  - Flags = 0b00010000 = 0x10

17

TCP/IP Handshake

- Three step process to establish a connection
  - Client sends a SYN packet to the server
  - Server responds with a SYN/ACK packet
  - Client acknowledges receipt of the packet with an ACK packet
  - Connection is established
- Connection stays open until
  - Either side sends a FIN packet (orderly close; the other side answers with its own FIN) or a RST packet (abort)
  - Connection times out
  - Either side has been silent for a long time

18

SYN Flood Attack

- SYN flood attack
  - A simple denial-of-service attack
  - Attacker initiates the handshake (often from spoofed source addresses) but never completes it
  - Legitimate clients may have to wait if resources are allocated during the handshaking phase: each half-open connection occupies a slot in the listener's backlog until it times out
  - Mitigations such as SYN cookies defer that allocation until the handshake completes

19

Understanding a TCP/IP Packet

14:49:54.675225 IP (tos 0x0, ttl 64, id 57300, offset 0, flags [DF], proto TCP (6), length 64, bad cksum 0 (->4fdb)!)
    130.253.190.122.56223 > 74.125.127.19.80: Flags [S], cksum 0x7d4a (correct), seq 949075525, win 65535, options [mss 1460,nop,wscale 3,nop,nop,TS val 553564903 ecr 0,sackOK,eol], length 0
    0x0000:  4500 0040 dfd4 4000 4006 0000 82fd be7a  E..@..@.@......z
    0x0010:  4a7d 7f13 db9f 0050 3891 be45 0000 0000  J}.....P8..E....
    0x0020:  b002 ffff 7d4a 0000 0204 05b4 0103 0303  ....}J..........
    0x0030:  0101 080a 20fe bae7 0000 0000 0402 0000  ................

Annotated on the slide: timestamp (14:49:54.675225), source IP.port (130.253.190.122.56223), destination IP.port (74.125.127.19.80)

20

Understanding a TCP/IP Packet (contd.)

Same SYN packet as on the previous slide; reading its first hex line, 4500 0040 dfd4 4000 ...:

- IP version: the first nibble, 4
- IP header size: the second nibble, in number of 32-bit words: 5 x 32 = 160 bits = 20 bytes, so the IP header occupies 0x0000-0x0013
- The TCP header therefore starts at 0x0014 (4a7d 7f13 is the destination IP, db9f 0050 the ports 56223 and 80)
- TCP header size: the high nibble of the data offset byte at TCP offset 0x0C (0xb0, at absolute 0x0020), in number of 32-bit words: 11 x 4 = 44 bytes
- Check: 20 + 44 = 64 bytes, matching "length 64"

21

Understanding a TCP/IP Packet (contd.)

Same SYN packet; the TCP flags and sequence number:

- The flags byte is at TCP offset 0x0D, i.e. absolute offset 0x0014 + 0x0D = 0x0021 in the dump: 0x02 = 00000010, only SYN set
- Sequence number (TCP offset 0x04, 3891 be45 = 949075525): randomly generated initial value
- First step of the handshake: this is a SYN packet sent from 130.253.190.122 to Google while opening gmail.com

22

Understanding a TCP/IP Packet (contd.)

14:49:54.713335 IP (tos 0x0, ttl 51, id 43889, offset 0, flags [none], proto TCP (6), length 60)
    74.125.127.19.80 > 130.253.190.122.56223: Flags [S.], cksum 0x363e (correct), seq 3167645671, ack 949075526, win 5672, options [mss 1380,sackOK,TS val 1190383227 ecr 553564903,nop,wscale 6], length 0
    0x0000:  4500 003c ab71 0000 3306 d142 4a7d 7f13  E..<.q..3..BJ}..
    0x0010:  82fd be7a 0050 db9f bcce 6fe7 3891 be46  ...z.P....o.8..F
    0x0020:  a012 1628 363e 0000 0204 0564 0402 080a  ...(6>.....d....
    0x0030:  46f3 ce7b 20fe bae7 0103 0306            F..{........

- Flags byte at TCP offset 0x0D (absolute 0x0021): 0x12 = 00010010, SYN and ACK set
- SYN/ACK from Google in response to the SYN packet
- Acknowledgment number (3891 be46 = 949075526): sequence number in the SYN packet + 1
- Google's own initial sequence number: bcce 6fe7 = 3167645671
- Second step of the handshake
- The IP checksum (d142) is reported without complaint: this packet arrived from the network, so the checksum-offload artifact seen on the outgoing packets does not apply

23

Understanding a TCP/IP Packet (contd.)

14:49:54.713699 IP (tos 0x0, ttl 64, id 32705, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 0 (->affa)!)
    130.253.190.122.56223 > 74.125.127.19.80: Flags [.], cksum 0x7ae1 (correct), seq 949075526, ack 3167645672, win 65535, options [nop,nop,TS val 553564903 ecr 1190383227], length 0
    0x0000:  4500 0034 7fc1 4000 4006 0000 82fd be7a  E..4..@.@......z
    0x0010:  4a7d 7f13 db9f 0050 3891 be46 bcce 6fe8  J}.....P8..F..o.
    0x0020:  8010 ffff 7ae1 0000 0101 080a 20fe bae7  ....z...........
    0x0030:  46f3 ce7b                                F..{

- Flags byte at TCP offset 0x0D (absolute 0x0021): 0x10 = 00010000, only ACK set
- ACK from 130.253.190.122 to Google
- Acknowledgment number (bcce 6fe8 = 3167645672): sequence number in the SYN/ACK packet + 1
- Third step of the handshake; the client's own sequence number is now 3891 be46, its SYN + 1
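Putting the header-layout, flags and handshake slides together, as an added example that is not part of the course slides: a Python decoder that takes the hex dumps of the SYN, SYN/ACK and ACK packets exactly as printed above, parses the IPv4 and TCP headers, reads the flags byte at TCP offset 0x0D, recomputes the IP and TCP checksums (so the "->4fdb" and "->affa" values tcpdump suggests can be checked against the bytes), and verifies the seq/ack arithmetic of the three-way handshake. The hex strings are the slides' own bytes; the function names and the dict layout are this example's choices.

```python
"""Decode the slide's handshake packets: IPv4 + TCP headers, the flags byte at
TCP offset 0x0D, checksum verification, and the seq/ack relationships."""
import socket
import struct

# Hex dumps copied from the tcpdump -X output on the slides (ASCII column omitted).
SYN_HEX = ("4500 0040 dfd4 4000 4006 0000 82fd be7a 4a7d 7f13 db9f 0050 3891 be45 "
           "0000 0000 b002 ffff 7d4a 0000 0204 05b4 0103 0303 0101 080a 20fe bae7 "
           "0000 0000 0402 0000")
SYNACK_HEX = ("4500 003c ab71 0000 3306 d142 4a7d 7f13 82fd be7a 0050 db9f bcce 6fe7 "
              "3891 be46 a012 1628 363e 0000 0204 0564 0402 080a 46f3 ce7b 20fe bae7 "
              "0103 0306")
ACK_HEX = ("4500 0034 7fc1 4000 4006 0000 82fd be7a 4a7d 7f13 db9f 0050 3891 be46 "
           "bcce 6fe8 8010 ffff 7ae1 0000 0101 080a 20fe bae7 46f3 ce7b")

# Bit 7 .. bit 0 of the flags byte (TCP header offset 0x0D).
FLAG_NAMES = ("CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN")


def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_flags(byte: int) -> list:
    """Names of the flag bits set in the TCP flags byte, most significant first."""
    return [name for i, name in enumerate(FLAG_NAMES) if byte & (0x80 >> i)]


def parse_packet(hexdump: str) -> dict:
    """Parse one IPv4/TCP packet given as a tcpdump-style hex dump."""
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    (ver_ihl, tos, total_len, ident, frag, ttl, proto,
     ip_cksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4              # IP header length, bytes
    ip_hdr = raw[:ihl]
    seg = raw[ihl:total_len]                # the TCP segment (header + payload)
    (sport, dport, seq, ack, off_res, flags,
     win, tcp_cksum, urg) = struct.unpack("!HHIIBBHHH", seg[:20])
    # The IP checksum covers the header with its own field zeroed; the TCP
    # checksum also covers a pseudo-header (src, dst, 0, proto, TCP length).
    ip_zeroed = ip_hdr[:10] + b"\x00\x00" + ip_hdr[12:]
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, proto, len(seg))
    seg_zeroed = seg[:16] + b"\x00\x00" + seg[18:]
    return {
        "version": ver_ihl >> 4, "ihl": ihl, "total_len": total_len,
        "id": ident, "df": bool(frag & 0x4000), "ttl": ttl, "proto": proto,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "ip_cksum": ip_cksum, "ip_cksum_expected": inet_checksum(ip_zeroed),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_off": (off_res >> 4) * 4,     # TCP header length, bytes
        "flags": flags, "flag_names": decode_flags(flags), "window": win,
        "tcp_cksum": tcp_cksum, "tcp_cksum_expected": inet_checksum(pseudo + seg_zeroed),
    }


def is_handshake(syn: dict, synack: dict, ack: dict) -> bool:
    """True if the three packets form one three-way handshake on one 4-tuple."""
    wrap = 0xFFFFFFFF
    return (
        syn["flag_names"] == ["SYN"]
        and synack["flag_names"] == ["ACK", "SYN"]
        and ack["flag_names"] == ["ACK"]
        and (synack["src"], synack["sport"], synack["dst"], synack["dport"])
            == (syn["dst"], syn["dport"], syn["src"], syn["sport"])
        and (ack["src"], ack["sport"], ack["dst"], ack["dport"])
            == (syn["src"], syn["sport"], syn["dst"], syn["dport"])
        and synack["ack"] == (syn["seq"] + 1) & wrap
        and ack["seq"] == (syn["seq"] + 1) & wrap
        and ack["ack"] == (synack["seq"] + 1) & wrap
    )


if __name__ == "__main__":
    for name, hx in (("SYN", SYN_HEX), ("SYN/ACK", SYNACK_HEX), ("ACK", ACK_HEX)):
        p = parse_packet(hx)
        print(f"{name:8} {p['src']}:{p['sport']} > {p['dst']}:{p['dport']} "
              f"flags=0x{p['flags']:02x} {p['flag_names']} seq={p['seq']} ack={p['ack']} "
              f"ip cksum 0x{p['ip_cksum']:04x} (expected 0x{p['ip_cksum_expected']:04x}) "
              f"tcp cksum 0x{p['tcp_cksum']:04x} (expected 0x{p['tcp_cksum_expected']:04x})")
    print("valid handshake:", is_handshake(*map(parse_packet, (SYN_HEX, SYNACK_HEX, ACK_HEX))))
```

Run as-is it prints one line per packet. The two outgoing packets carry an IP checksum of 0 (the offload artifact) and the recomputed values come out as 0x4fdb and 0xaffa, exactly what tcpdump printed after "->"; the incoming SYN/ACK's 0xd142 verifies unchanged, and all three TCP checksums match tcpdump's "(correct)". If a checksum fails on a packet that was received rather than sent, the capture (or the packet) was altered in transit.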

24

Exercise

- Open coursesite.pcap (download from the course website) in Wireshark
  - https://www.wireshark.org/download.html
  - This is a capture of a session where a browser was used to open our course website
- Understand the communication going between the client and the web server
  - Use Statistics > Flow Graph
  - Choose TCP flow
  - What is going on with the Seq./Ack. numbers?

25

Using Port Scanners

- A port is an endpoint of communication in a network
  - Much like an electrical socket
  - Appliances are plugged into it
  - One machine connects to another through an open port
- Port scanners allow an investigator to determine which ports are open on a remote system (or the local system)
- Unusual open ports may be indicative of suspicious activity
  - E.g. a backdoor or rootkit allowing remote access to the system
- Tools
  - Netcat
  - Portqry
  - Nmap

26

Using Port Scanners (contd.)

- Port scanning involves
  - Sending a SYN packet to a system at a port number
  - If the port is open (a server is waiting for connections on the port), the server will respond with a SYN/ACK packet; a closed port answers with RST, and no answer at all usually means a firewall dropped the probe
  - Send the ACK packet, followed by a FIN packet to terminate the connection (a scanner built on the OS's connect() call gets this behaviour for free)
- All discovered open ports must be accounted for
  - Which software is listening on which port

27

Using Port Scanners (contd.)

- Stealth scanning (SYN or half-open scan)
  - Follows the steps of a regular port scan, but instead of sending an ACK packet, the scanner sends a RST packet
    - Server immediately discards the half-open connection upon receipt of the RST packet
  - Stealthy because most applications log an incoming connection only when all three steps of the handshake complete; a firewall or IDS watching the wire still sees every SYN
- Banner grabbing
  - Send a legitimate request at the identified port after a successful handshake
  - Elicits a response carrying information about the kind (and often the version) of service running at that port

28

Using Nmap

- Network mapper utility for network exploration or security auditing
- Includes
  - Port scanning
  - OS detection
  - Service detection
  - Version detection
- Available for almost all popular operating systems
  - www.nmap.org

29

Using Nmap (contd.)

- Some options
  - -sT : TCP connect() scan, completes the full handshake (the "regular" scan)
  - -sS : SYN scan, half-open, the "stealth" scan (the default when run as root)
  - -sV : attempt to identify service and version
  - -O : attempt to identify OS
  - -p <range> : scan ports specified in range
    - E.g. -p 1-1024,1078,1090
  - -v : verbose mode
  - -Pn : do not ping hosts before scanning (older versions spelled this -P0)
  - -sF, -sN, -sX : FIN scan, null scan, Xmas ("Christmas tree") scan
  - -sA : ACK scan
  - And many more: see http://nmap.org/bennieston-tutorial/

30

Using Nmap (contd.)

- -sF, -sX, -sN
  - Scanning using SYN packets may not work if an IDS or firewall is in place
  - These probes carry no SYN; per RFC 793, closed ports send a RST back
  - Open ports silently drop these packets since they are waiting for SYN packets
  - MS Windows (and some other stacks) reply with RST whether the port is open or closed, so every port appears closed
  - Combined with a regular scan (which does show open ports), you can infer there is likely a Windows machine on the other side
- -sA
  - Is the firewall stateless (just blocking incoming SYN packets) or stateful (tracks the connections)?
  - A RST packet in reply (from open and closed ports alike) points at no filtering or a stateless firewall; no reply, or an ICMP unreachable, means the unsolicited ACK was filtered, i.e. a stateful firewall

31

Using Packet Sniffers

- Packet sniffers
  - Devices or software that monitor network traffic
  - Log (capture) incoming and outgoing packets
  - See what various systems are "saying" to each other
- Most tools follow the PCAP format to store the data
- Tools
  - Tcpdump
  - Windump
  - Netcap
  - Wireshark (previously known as Ethereal)

32

Using Packet Sniffers (contd.)

- Captured packets can reveal who has connected to an identified Trojan in a system
  - Including the commands and data exchanged through the Trojan
  - Useful, in general, to see who is making connections to your system
- Captured packets can reveal the entire communication sequence between two systems
  - Too many initiated connections without any data exchange
    - Perhaps someone is trying a port scan!
    - SYN flood attack
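The port-scanning, stealth-scanning and SYN-flood slides, and the "too many initiated connections without any data exchange" point just above, all describe patterns an analyst looks for in a packet log. As an added example that is not part of the course slides, the Python script below builds a constructed tcpdump-style log (fake 10.0.0.x addresses, not a real capture), produces the "top 10" source list mentioned on the Network Logs slide, and classifies each source by how its SYNs were followed up: RST after the SYN/ACK (half-open scan), ACK then FIN (connect() scan), FIN/Xmas/NULL probes, or many SYNs that are never acknowledged (SYN flood). The thresholds, the state tracking and the sample traffic are this example's own choices; it reads tcpdump's default one-line format, not the -v/-X layout shown on the slides.

```python
"""Triage a tcpdump text log: top talkers and, per source, whether its SYNs
look like a half-open scan, a connect() scan, FIN/NULL/Xmas probes or a SYN flood."""
import re
from collections import Counter, defaultdict

# tcpdump's default one-line summary (no -v):
#   "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)
# Twenty ports for the scanners to probe; 22 and 80 are "open" on the target.
PORTS = (20, 21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445, 993, 995,
         3306, 3389, 5900, 8080, 8443)


def _line(n: int, src, sport, dst, dport, flags) -> str:
    """One constructed log line in tcpdump's default format; n fakes the microseconds."""
    return f"12:00:00.{n:06d} IP {src}.{sport} > {dst}.{dport}: Flags [{flags}], length 0"


def build_sample_log(open_ports=(22, 80)) -> str:
    """Constructed traffic against 10.0.0.10 (not a real capture): five sources, five behaviours."""
    lines = []

    def add(*args):
        lines.append(_line(len(lines) + 1, *args))

    for i, port in enumerate(PORTS):
        # 10.0.0.5: half-open scan, answers each SYN/ACK with RST (nmap -sS style)
        add("10.0.0.5", 40000 + i, "10.0.0.10", port, "S")
        if port in open_ports:
            add("10.0.0.10", port, "10.0.0.5", 40000 + i, "S.")
            add("10.0.0.5", 40000 + i, "10.0.0.10", port, "R")
        else:
            add("10.0.0.10", port, "10.0.0.5", 40000 + i, "R.")
        # 10.0.0.6: connect() scan, completes the handshake then closes (nmap -sT style)
        add("10.0.0.6", 50000 + i, "10.0.0.10", port, "S")
        if port in open_ports:
            add("10.0.0.10", port, "10.0.0.6", 50000 + i, "S.")
            add("10.0.0.6", 50000 + i, "10.0.0.10", port, ".")
            add("10.0.0.6", 50000 + i, "10.0.0.10", port, "F.")
        else:
            add("10.0.0.10", port, "10.0.0.6", 50000 + i, "R.")
        # 10.0.0.9: Xmas probes; closed ports answer RST, open ports stay silent (nmap -sX)
        add("10.0.0.9", 60000 + i, "10.0.0.10", port, "FPU")
        if port not in open_ports:
            add("10.0.0.10", port, "10.0.0.9", 60000 + i, "R.")
    for i in range(50):                 # 10.0.0.7: SYN flood on port 80, never ACKs the SYN/ACK
        add("10.0.0.7", 1024 + i, "10.0.0.10", 80, "S")
        add("10.0.0.10", 80, "10.0.0.7", 1024 + i, "S.")
    add("10.0.0.8", 33000, "10.0.0.10", 80, "S")     # 10.0.0.8: one ordinary client session
    add("10.0.0.10", 80, "10.0.0.8", 33000, "S.")
    add("10.0.0.8", 33000, "10.0.0.10", 80, ".")
    add("10.0.0.8", 33000, "10.0.0.10", 80, "P.")
    return "\n".join(lines)


def top_talkers(log: str, n: int = 10) -> list:
    """Top-n source addresses by packets sent: the classic 'top 10 list'."""
    return Counter(m["src"] for m in map(LINE_RE.match, log.splitlines()) if m).most_common(n)


def profile_sources(log: str) -> dict:
    """Per source: SYNs sent, distinct ports probed, SYN/ACKs received, and how they were answered."""
    prof = defaultdict(lambda: {"syn": 0, "ports": set(), "synack": 0, "ack": 0, "rst": 0, "probe": 0})
    state = {}                                  # client 4-tuple -> handshake state
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, flags = m["src"], m["dst"], m["flags"]
        key = (src, int(m["sport"]), dst, int(m["dport"]))
        reverse = (dst, int(m["dport"]), src, int(m["sport"]))
        if flags == "S":                                        # client SYN
            prof[src]["syn"] += 1
            prof[src]["ports"].add(key[3])
            state[key] = "syn"
        elif flags == "S." and state.get(reverse) == "syn":     # server SYN/ACK
            prof[dst]["synack"] += 1
            state[reverse] = "synack"
        elif flags == "." and state.get(key) == "synack":       # client ACK: handshake done
            prof[src]["ack"] += 1
            state[key] = "established"
        elif "R" in flags and state.get(key) == "synack":       # client tears down half-open
            prof[src]["rst"] += 1
            state[key] = "reset"
        elif flags in ("F", "FPU", "none"):                     # FIN / Xmas / NULL probes
            prof[src]["probe"] += 1
            prof[src]["ports"].add(key[3])
    return prof


def classify(p: dict, scan_ports: int = 10, flood_syns: int = 20) -> str:
    """Verdict for one source profile; thresholds are this example's guesses."""
    if p["probe"] >= scan_ports:
        return "FIN/NULL/Xmas scan"
    if len(p["ports"]) >= scan_ports:
        if p["synack"] and p["rst"] == p["synack"] and p["ack"] == 0:
            return "SYN (half-open) scan"
        if p["ack"]:
            return "connect() scan"
        return "port scan (type unclear)"
    if p["syn"] >= flood_syns and p["ack"] == 0:
        return "SYN flood"
    return "normal"


def verdicts(log: str) -> dict:
    return {src: classify(p) for src, p in profile_sources(log).items()}


if __name__ == "__main__":
    log = build_sample_log()
    print(top_talkers(log))
    for src, v in sorted(verdicts(log).items()):
        print(f"{src:10} {v}")
```

The half-open and connect() scans are told apart purely by what the scanner does with the SYN/ACK (RST versus ACK), which is also why the former never reaches application logs while the latter does; a real log would need the timestamps to throttle false positives from busy but legitimate clients.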

33

Analyzing Packet Traces

- Packet sniffers will log packets; analyzing them to obtain useful information is your task
- FTP traffic capture
  - What is the name and version of the FTP server?
  - What password was used during an anonymous login?
  - What files were transferred?
  - What are the contents of those files?
- Netcat traffic capture
  - Netcat is a flexible utility that facilitates reading/writing data using TCP/UDP network connections
  - What port is the netcat listener running on?
  - What commands were issued?

34

Analyzing Packet Traces (contd.)

- IIS traffic capture
  - Microsoft Internet Information Services web server
  - What version of IIS is running?
  - What browser and OS is a client using?
  - What commands were sent by the browser?
  - Is there any known vulnerability that is being exploited?
- Nmap traffic capture
  - What type of nmap scan was run?
  - Which system(s) is (are) being scanned?
- Let's look at some examples using Wireshark!

35

The Honeynet Project

- Attempt to thwart Internet and network hackers
  - Provides information about attack methods
- Objectives
  - Awareness: threats do exist out there
  - Information: how do attackers operate and how to protect against their tactics
  - Tools: methods to protect resources

36

The Honeynet Project (contd.)

- Distributed denial-of-service (DDoS) attacks
  - A major threat
  - Hundreds or even thousands of compromised machines (zombies) can be used
- Zero day attacks
  - Another major threat
  - Attackers look for holes in networks and OSs and exploit these weaknesses before patches are available
- Honeypot
  - Normal-looking computer that lures attackers to it
- Honeywalls
  - Monitor what's happening to honeypots on your network and record what attackers are doing

37

References

- Ch. 11: B. Nelson, A. Phillips and C. Steuart, Guide to Computer Forensics and Investigations. ISBN 978-1-435-49883-9
