BCS-ISSG Practical Network Forensics Day
BCS, London
Practical Network Forensics
Alan Woodroffe
Practical Network Forensics
Open Source Tools
Preparation
Passive Discovery (and some Active)
Background Information
Tool Usage
Open Source Tools
Tools – Passive Network Analysis
Wireshark (Linux and Windows)
  packet sniffer – GUI
  excellent filtering and re-construction facilities
tcpdump, tcpreplay, tcpxtract (Linux)
  packet sniffer – command line
  excellent filtering and re-construction facilities
etherape (Linux)
  graphical network traffic monitor
Preparation - Reconnaissance
Discover:
  Network infrastructure types: copper / fibre / radio / satellite
  Type, number and location of: network / server hardware / printers / workstations
  Network services including: DHCP / DNS / WINS
Preparation - Equipment
Configure and update software / drivers
Network interfaces: Ethernet / Token Ring / copper / fibre
Before connecting: date / time synchronisation (or use ntp? Note that NTP is itself active traffic once you are plugged in, so set the clock beforehand if you intend to stay passive.)
After connecting: ifconfig eth0 up (interface up with no IP address assigned, so the host captures without talking)
Passive Discovery
Network address ranges
Discover the corporate address ranges, then search for anything outside that range:
tcpdump -n -v -tttt -s 0 not net 10.0.0.0/8
Look for 169.254.0.0/16 (DHCP failure: link-local addresses a host assigns itself when no DHCP answer arrives)
Look for 192.168.0.0/24 (domestic: the default range of home routers)
Passive Discovery
Discover noisy operating systems, e.g. Windows NetBIOS datagram traffic on UDP port 138:
tcpdump -n -v -X -tttt -s 0 udp port 138
(-X prints each packet in hex and ASCII, so NetBIOS names are readable in the dump)
Passive Discovery
tcpdump (Linux)
Command line packet sniffer / analyser. Remember options:
  -n      no DNS lookup (stay passive)
  -v      verbose; can use -vv
  -tttt   timestamps as "YYYY-MM-DD HH:MM:SS.dec"
  -s 0    snaplen (captured packet size) 0, i.e. whole packets
Active Discovery
Connecting to Local Area Networks
network-manager – automated network interface management software; attempts to connect to networks whenever it can, so stop it before plugging in if you intend to stay passive (it will send DHCP requests on your behalf)
ifconfig – manually configure a network interface:
  ifconfig eth0 192.168.55.123
  ifconfig eth0 up
dhclient – automatically configure a network interface via DHCP:
  dhclient eth0
route – manually configure network routing (e.g. the default gateway)
Active Discovery
Ping (ICMP echo request / reply)
  ping 192.168.55.123    - single host
  ping -b 192.168.55.255 - broadcast (Linux hosts ignore broadcast echo requests by default, net.ipv4.icmp_echo_ignore_broadcasts, so expect an incomplete picture)
Arp (Address Resolution Protocol) – show the local ARP cache, i.e. the hosts this machine has exchanged frames with:
  arp -an (Linux)  /  arp -a (Windows)
Windows output columns: Internet Address  Physical Address  Type
Active Discovery
OUI information (IEEE-registered vendor prefixes, the first three bytes of a MAC address):
http://standards.ieee.org/regauth/oui/oui.txt
Discover hardware vendors:
  Physical Address     Vendor
  00-0b-cd-c1-e5-c4    Hewlett Packard
Active Discovery
Log ARP data
  arp -n >>arp.log                 (append each snapshot to a running log)
or
  arp -n >>arp.log
  mv arp.log arp.log.old           (rotate after writing, keeping the previous snapshot to compare against)
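Comparing ARP snapshots by eye gets tedious; the following script is an added example (not from the original slides) that parses two snapshots in the Linux `arp -an` output format, reports hosts that appeared between them, and flags an IP whose MAC address changed, which is what ARP spoofing or a swapped device looks like from the cache. The sample snapshots and the tiny OUI table are constructed for the demo (00:0b:cd is the HP prefix shown on the slide; the VMware prefixes are well known); in practice load the full oui.txt.

```python
"""Added example: diff ARP-cache snapshots and flag new hosts / MAC changes.
Input lines are in Linux `arp -an` format; samples are constructed."""
import re

# Linux `arp -an` line, e.g.: ? (192.168.1.1) at 00:0b:cd:c1:e5:c4 [ether] on eth0
ARP_LINE = re.compile(
    r"\? \((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17}|<incomplete>)"
)

# Constructed OUI subset: 00:0b:cd is the HP prefix from the slide; 00:0c:29 and
# 00:50:56 are VMware.  Replace with a lookup against the IEEE oui.txt file.
OUI = {
    "00:0b:cd": "Hewlett Packard",
    "00:0c:29": "VMware",
    "00:50:56": "VMware",
}


def parse_arp(text):
    """Return {ip: mac} for resolved entries; <incomplete> entries are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m and m.group("mac") != "<incomplete>":
            table[m.group("ip")] = m.group("mac").lower()
    return table


def vendor(mac):
    """Vendor for the first three octets of a colon-separated MAC."""
    return OUI.get(mac[:8], "unknown")


def diff_snapshots(old, new):
    """Compare two {ip: mac} tables; returns (new_hosts, mac_changes)."""
    new_hosts = {ip: mac for ip, mac in new.items() if ip not in old}
    mac_changes = {ip: (old[ip], mac) for ip, mac in new.items()
                   if ip in old and old[ip] != mac}
    return new_hosts, mac_changes


# Constructed snapshots, as if taken from arp.log.old and arp.log.
SNAP1 = """\
? (192.168.1.1) at 00:0b:cd:c1:e5:c4 [ether] on eth0
? (192.168.1.101) at 00:0c:29:12:34:56 [ether] on eth0
? (192.168.1.250) at <incomplete> on eth0
"""
SNAP2 = """\
? (192.168.1.1) at 00:50:56:aa:bb:cc [ether] on eth0
? (192.168.1.101) at 00:0c:29:12:34:56 [ether] on eth0
? (192.168.1.102) at 00:0b:cd:de:ad:01 [ether] on eth0
"""


def report(snap_old, snap_new):
    """Human-readable lines: NEW hosts first, then CHANGED (ip kept, MAC differs)."""
    new_hosts, changes = diff_snapshots(parse_arp(snap_old), parse_arp(snap_new))
    lines = []
    for ip, mac in sorted(new_hosts.items()):
        lines.append(f"NEW     {ip} {mac} ({vendor(mac)})")
    for ip, (before, after) in sorted(changes.items()):
        lines.append(f"CHANGED {ip} {before} ({vendor(before)}) -> {after} ({vendor(after)})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SNAP1, SNAP2)))
```

A gateway (.1 here) whose MAC flips from a hardware vendor to a virtualisation vendor between two snapshots is exactly the case worth a closer look; run the report after each `arp -n >>arp.log` rotation rather than reading the raw log.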
Background Information - “Cheat Sheets”
Google: tcpdump cheat sheet
Security Wizardry (Andy Cuff)
http://www.securitywizardry.com/index.php/tools/analysis-crib-sheets/rawpackets.html
PacketLife (author unknown)
http://packetlife.net/library/cheat-sheets/
Background Information - ISO 7 Layer Model

ISO Model Layer | Computing Use             | Perceived Direct Link                     | Computing Use             | ISO Model Layer
Physical        | Ethernet cable            | Electrical voltage                        | Ethernet cable            | Physical
Link            | Device driver, NIC, ARP   | Ethernet protocol                         | Device driver, NIC, ARP   | Link
Network         | IP, ICMP                  | IP protocol                               | IP, ICMP                  | Network
Transport       | TCP, UDP                  | TCP protocol                              | TCP, UDP                  | Transport
Session         |                           |                                           |                           | Session
Presentation    |                           |                                           |                           | Presentation
Application     | Web Browser, FTP, Telnet  | Browser – Server, Telnet client – telnetd | Web Browser, FTP, Telnet  | Application
TCP three way handshake: SYN, SYN-ACK, ACK
TCP flags (the byte at offset 13 of the TCP header, tcp[13], shown high bit to low bit; the two leading positions are the CWR and ECE congestion bits): --UAPRSF
  URG - Urgent (use Urgent pointer)
  ACK - Acknowledgement
  PSH - Push (flush data to receiver)
  RST - Reset (abort)
  SYN - Synchronise (start)
  FIN - Finish (end gracefully)
SYN or FIN flag set (SYN = 0x02, FIN = 0x01, so mask with 0x03): 'tcp[13] & 0x03 > 0'
tcpdump - filtering
Alien protocols
IPX / IPv6 / Jumbo frames / AppleTalk
tcpdump -nr <kismet-dumpfile> not ip and not arp
(-r reads a saved capture file instead of a live interface. In tcpdump's filter language 'ip' means IPv4 only, so IPv6 traffic passes this filter and shows up with the other alien protocols, which is what you want here.)
Client devices
unauthorised equipment using the corporate network – identify by MAC address?
bridging your network to other networks, e.g. 3G – identify by abnormal data traffic patterns? identify by routed IP packets?
Network address ranges
Discover the corporate address ranges, then search for anything outside that range:
tcpdump -n -v -tttt -s 0 not net 10.0.0.0/8
Look for 169.254.0.0/16 (DHCP failure)
Look for 192.168.0.0/24 and 192.168.1.0/24 (domestic)

tcpdump filter expressions:
  in IP address range          net 10.0.0.0/8
  outside IP address range     not net 10.0.0.0/8
  'Link Local' activity        net 169.254.0.0/16
  Windows NetBIOS traffic      udp port 138
  Unusual protocols            not ip and not arp
  Save traffic from NIC eth2   -i eth2 -w dumpfile
  VLAN 12 on NIC eth1          -i eth1.0012 tcp   (or capture on eth1 itself and filter with 'vlan 12')
  SYN or FIN flag set          'tcp[13] & 0x03 > 0'
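Once the capture is running, the "outside the corporate range" question is usually answered faster by post-processing tcpdump's text output than by eyeballing it. The script below is an added example, not from the original slides: it reads lines in `tcpdump -n -tttt` format, skips non-IPv4 lines (ARP, IPv6, and so on, which the 'not ip and not arp' filter above is for), and counts how often each non-corporate address appears, labelled with the category the slides call out (link-local from DHCP failure, domestic 192.168.x.x, or plainly outside the range). The corporate range 10.0.0.0/8 is the slides' assumption, and the sample lines are constructed (203.0.113.5 is a documentation address).

```python
"""Added example: classify addresses in tcpdump -n text output against the
corporate range and the suspect ranges from the slides.  Samples constructed."""
import ipaddress
import re

CORPORATE = ipaddress.ip_network("10.0.0.0/8")      # assumed corporate range (from the slides)
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # self-assigned when DHCP fails
DOMESTIC = ipaddress.ip_network("192.168.0.0/16")    # home-router defaults

# Matches "<timestamp> IP src[.port] > dst[.port]:" as printed by tcpdump -n,
# with either the default one-token timestamp or the -tttt date+time form.
IPV4_LINE = re.compile(
    r"^(?P<ts>\S+(?: \S+)?) IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:"
)


def classify(addr):
    """Label one dotted-quad address; 'corporate' means nothing to report."""
    ip = ipaddress.ip_address(addr)
    if ip in CORPORATE:
        return "corporate"
    if ip in LINK_LOCAL:
        return "link-local (DHCP failure?)"
    if ip in DOMESTIC:
        return "domestic range"
    if ip.is_multicast or addr == "255.255.255.255":
        return "multicast/broadcast"
    return "outside corporate range"


def triage(text):
    """Return {address: (classification, packet_count)} for every non-corporate address seen."""
    seen = {}
    for line in text.splitlines():
        m = IPV4_LINE.match(line)
        if not m:
            continue  # ARP / IPv6 / other non-IPv4 lines: handled by a separate filter
        for addr in (m.group("src"), m.group("dst")):
            cls = classify(addr)
            if cls == "corporate":
                continue
            _, n = seen.get(addr, (cls, 0))
            seen[addr] = (cls, n + 1)
    return seen


# Constructed sample of `tcpdump -n -tttt` output.
SAMPLE = """\
2012-05-16 10:34:56.000001 IP 10.1.2.3.54321 > 10.9.8.7.80: Flags [S], seq 1, win 8192, length 0
2012-05-16 10:34:56.000002 IP 169.254.33.7.4000 > 239.255.255.250.1900: UDP, length 50
2012-05-16 10:34:56.000003 IP 192.168.1.23.49152 > 10.9.8.7.80: Flags [S], seq 2, win 8192, length 0
2012-05-16 10:34:56.000004 IP 10.1.2.3.54322 > 203.0.113.5.443: Flags [S], seq 3, win 8192, length 0
2012-05-16 10:34:56.000005 ARP, Request who-has 10.1.2.1 tell 10.1.2.3, length 28
2012-05-16 10:34:56.000006 IP 192.168.1.23.49153 > 10.9.8.7.80: Flags [.], ack 1, win 8192, length 0
"""

if __name__ == "__main__":
    for addr, (cls, count) in sorted(triage(SAMPLE).items(), key=lambda kv: -kv[1][1]):
        print(f"{count:5d}  {addr:15s}  {cls}")
```

Feed it a live stream with `tcpdump -n -tttt -i eth0 | python3 triage.py` style plumbing, or a saved file via `tcpdump -n -tttt -r dumpfile`; the 192.168.x.x host talking to a corporate web server is the "domestic" device the slides want found, and the 169.254.x.x one is a host whose DHCP lease never arrived.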
Practical Network Topology
Connecting to the Network
  Automatic (DHCP):     dhclient eth0
  Manual:               ifconfig eth0 192.168.1.123
  Passive (no output):  ifconfig eth0 up   (no address assigned, so the host sends no IPv4 traffic of its own; stop network-manager first or it will start DHCP, and note that a kernel with IPv6 enabled may still emit neighbour/router solicitations when the link comes up)
  Disable:              ifconfig eth0 0.0.0.0 ; ifconfig eth0 down
  Specify gateway:      route
[Topology diagram: two 100Mbps hubs. Subnet 192.168.1.0/24 with hosts .1, .101, .102, .103, XP1 (DHCP, .201) and .202; subnet 172.30.68.0/22 with hosts 172.30.69.30, 172.30.71.50 and 172.30.71.70; XP2 and XP3 obtain addresses by DHCP.]
Practical Tasks
Running tcpdump
Launch a terminal window
Run tcpdump: tcpdump -ni eth0
(Ctrl-C to stop)
Run tcpdump, writing the packets to a file: tcpdump -ni eth0 -w dump1.tcpd
Practical Tasks
Generating data to capture
Launch Firefox
Practical Tasks
Examining captured data
ls -ltr
tcpdump -nr dump1.tcpd
tcpxtract -f dump1.tcpd    (carves files, e.g. images, out of the captured streams by file signature)
ls -ltr
Practical Tasks
Full packet capture
Log all packets on NIC eth1, writing to files
named e.g. 20120516103456.tcpd2, starting a new file after every 100MB of logged packets
Practical Tasks
IP “Time to Live” (hop count)
Analyse pre-recorded tcpdump file and examine the TTL values for web browsing packets …
Typical TTL initial values (each router decrements the TTL by one, so initial value minus observed value is roughly the number of hops from the sender):
Linux 64
Windows 128
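To do the TTL exercise and the TCP-flags reading from the Background Information section without tcpdump, here is an added example, not from the original slides: a minimal reader for the classic little-endian pcap format with Ethernet link type (the format `tcpdump -w` produces) that pulls the IP TTL and the TCP flags byte, tcp[13], out of each IPv4/TCP packet, renders the flags in the slide's --UAPRSF layout, applies the 'tcp[13] & 0x03 > 0' test, and estimates hop count from the nearest common initial TTL. The capture is built in code (a SYN, SYN-ACK, ACK handshake plus a FIN between the practical-network addresses 192.168.1.101 and 172.30.69.30), so no real file is needed; the assumed initial TTLs are Linux 64, Windows 128 and 255 for most network devices.

```python
"""Added example: parse a pcap, extract TTL and TCP flags, estimate hops.
Classic little-endian pcap, Ethernet link type; capture constructed below."""
import struct

FLAG_TEMPLATE = "--UAPRSF"      # bit 7 .. bit 0 of tcp[13]: CWR, ECE, URG, ACK, PSH, RST, SYN, FIN
INITIAL_TTLS = (64, 128, 255)   # assumed OS defaults: Linux 64, Windows 128, most network devices 255


def flag_string(flags):
    """Render tcp[13] positionally, e.g. SYN-ACK (0x12) -> '---A--S-'."""
    return "".join(ch if flags & (1 << (7 - i)) else "-" for i, ch in enumerate(FLAG_TEMPLATE))


def syn_or_fin(flags):
    """The slide's filter 'tcp[13] & 0x03 > 0': SYN (0x02) or FIN (0x01) set."""
    return (flags & 0x03) > 0


def guess_initial_ttl(ttl):
    """Smallest common initial TTL >= observed TTL, and the implied hop count."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial, initial - ttl
    raise ValueError("TTL out of range")


def build_frame(src, dst, sport, dport, flags, ttl):
    """Ethernet + IPv4 + TCP header, no payload; checksums left zero (the parser never verifies them)."""
    eth = bytes(6) + bytes(6) + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, ttl, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp


def build_pcap(frames):
    """Classic pcap: 24-byte global header, then a 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1337000000, i, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Return one dict per IPv4/TCP packet; other frames are skipped."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xa1b2c3d4:
        raise ValueError("only little-endian classic pcap is handled here")
    off, packets = 24, []
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                  # not IPv4
        ihl = (frame[14] & 0x0f) * 4
        ttl, proto = frame[14 + 8], frame[14 + 9]     # IP header offsets 8 and 9
        if proto != 6:
            continue                                  # not TCP
        src = ".".join(map(str, frame[14 + 12: 14 + 16]))
        dst = ".".join(map(str, frame[14 + 16: 14 + 20]))
        tcp = 14 + ihl
        sport, dport = struct.unpack_from("!HH", frame, tcp)
        flags = frame[tcp + 13]                       # the byte tcpdump calls tcp[13]
        packets.append({"src": src, "dst": dst, "sport": sport, "dport": dport,
                        "ttl": ttl, "flags": flags, "flag_str": flag_string(flags)})
    return packets


# Constructed capture: a Linux-like client (TTL 64, three hops away) talking to a
# Windows-like server (TTL 128, one hop away), then the client closes with FIN-ACK.
SYN, ACK, FIN = 0x02, 0x10, 0x01
CAPTURE = build_pcap([
    build_frame("192.168.1.101", "172.30.69.30", 49152, 80, SYN, 61),
    build_frame("172.30.69.30", "192.168.1.101", 80, 49152, SYN | ACK, 127),
    build_frame("192.168.1.101", "172.30.69.30", 49152, 80, ACK, 61),
    build_frame("192.168.1.101", "172.30.69.30", 49152, 80, FIN | ACK, 61),
])


def summarise(data):
    """One line per packet: endpoints, flags in --UAPRSF form, TTL, guessed initial TTL and hops."""
    lines = []
    for p in parse_pcap(data):
        initial, hops = guess_initial_ttl(p["ttl"])
        mark = " SYN/FIN" if syn_or_fin(p["flags"]) else ""
        lines.append(f'{p["src"]}:{p["sport"]} > {p["dst"]}:{p["dport"]} {p["flag_str"]} '
                     f'ttl={p["ttl"]} (initial {initial}, ~{hops} hops){mark}')
    return lines


if __name__ == "__main__":
    print("\n".join(summarise(CAPTURE)))
```

Read a real file with `parse_pcap(open("dump1.tcpd", "rb").read())`. The hop estimate is only as good as the initial-TTL guess: an observed TTL of 61 could be a Linux host three hops away or a device starting at 128 sixty-seven hops away, which is why the exercise pairs TTL with other evidence such as the flags and the port in use.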
Practical Tasks
Web site traffic (HTTP)
Analyse pre-recorded tcpdump file and examine web browsing packets …
Practical Tasks
Secure web site traffic (HTTPS)
Analyse pre-recorded tcpdump file and examine web browsing packets …