COEN 252 Computer Forensics Using TCPDump / Windump for package analysis.

Slides:

Advertisements

Similar presentations

COEN 252 Computer Forensics Tools for Package Analysis.

Advertisements

Overview The TCP/IP Stack. The Link Layer (L2). The Network Layer (L3). The Transport Layer (L4). Port scanning & OS/App detection techniques. Evasion.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

TCP/IP Christopher Zacky. lolwut Decimal Numbers.

Interconnecting Networks with TCP/IP

Department of Computer Science, The University of Houston 4. TCP/IP & Software Tools 1 Intrusion Detection Module Stephen Huang Department of Computer.

COEN 252 Computer Forensics Tools for Package Analysis.

Introduction1-1 message segment datagram frame source application transport network link physical HtHt HnHn HlHl M HtHt HnHn M HtHt M M destination application.

CSE551: Computer Network Review r Network Layers r TCP/UDP r IP.

Table of Contents 3 - IDS types 8 - Ethernet Frame 9 - IP frame 10 - TCP frame 11 - UDP frame 12 - ICMP Frame way handshake 15 - TCP flags 16 -

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.

TCPDUMP Network-Based Intrusion Detection. Description  Packet sniffing is the heart of intrusion detection and of understanding what is actually occurring.

Instructor: Sam Nanavaty TCP/IP protocol. Instructor: Sam Nanavaty Version – Allows for the evolution of the protocol IHL (Internet header length) – Length.

CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Scanning.

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last updated

Lecture 5: TCP/IP OSI layers 3 (IP) and 4 (TCP/UDP) IPv4 – addresses and routing, “best-effort” service Ethernet, Appletalk, etc wrap IP packets with their.

Transport Layer – TCP (Part1) Dr. Sanjay P. Ahuja, Ph.D. Fidelity National Financial Distinguished Professor of CIS School of Computing, UNF.

TRANSPORT LAYER  Session multiplexing  Segmentation  Flow control (TCP)  Connection-oriented (TCP)  Reliability (TCP)

The Network Layer Chapter 5. The IP Protocol The IPv4 (Internet Protocol) header.

TCP/IP Network and Firewall. IP Packet Protocol  1 ICMP packet  6 TCP packet  17 UDP packet.

Source Port # (16)Destination Port # (16) Sequence Number (32 bits) Acknowledgement Number (32 bits) Hdr Len (4) Flags (6)Window Size (16) Options (if.

ECE Prof. John A. Copeland fax Office: Klaus 3362.

Packet Analysis with Wireshark

Midterm Review These slides contain 90% recycled content.

COEN 252 Computer Forensics Collecting Network-based Evidence.

Chapter 4 TCP/IP Overview Connecting People To Information.

TCP/IP Basic Theory V1.2. Course Outline OSI model and layer function TCP/IP protocol suite Transfer Control Protocol Internet Protocol Address Resolution.

Fall 2005Computer Networks20-1 Chapter 20. Network Layer Protocols: ARP, IPv4, ICMPv4, IPv6, and ICMPv ARP 20.2 IP 20.3 ICMP 20.4 IPv6.

Snort & Nmap Mike O’Connor Eric Tallman Matt Yasiejko.

MonNet – a project for network and traffic monitoring Detection of malicious Traffic on Backbone Links via Packet Header Analysis Wolfgang John and Tomas.

Review the key networking concepts –TCP/IP reference model –Ethernet –Switched Ethernet –IP, ARP –TCP –DNS.

 network appliances to filter network traffic  filter on header (largely based on layers 3-5) Internet Intranet.

Internet 1) Internet basic concepts 2) The IP protocol stack 3) The IP datagram header (IPv4 and IPv6) 4) Addressing and routing 5) Example: downloading.

Snort Intrusion Detection. What is Snort Packet Analysis Tool Most widely deployed NIDS Initial release by Marty Roesch in 1998 Current version

Network Security: Lab#5 Port Scanners and Intrusion Detection System

Networked Graphics Building Networked Virtual Environments and Networked Games Chapter 3: Overview of the Internet.

Internet Protocol Formats. IP (V4) Packet byte 0 byte1 byte 2 byte 3 data... – up to 65 K including heading info Version IHL Serv. Type Total Length Identifcation.

Decoding an IP Header (1)

1 Introduction to TCP/IP. 2 OSI and Protocol Stack OSI: Open Systems Interconnect OSI ModelTCP/IP HierarchyProtocols 7 th Application Layer 6 th Presentation.

COEN 252: Computer Forensics Network Analysis and Intrusion Detection with Snort.

Sniffer, tcpdump, Ethereal, ntop

Slide #1 CIT 380: Securing Computer Systems TCP/IP.

Hands-On Ethical Hacking and Network Defense

1 CSE 5346 Spring Network Simulator Project.

1 Figure 3-5: IP Packet Total Length (16 bits) Identification (16 bits) Header Checksum (16 bits) Time to Live (8 bits) Flags Protocol (8 bits) 1=ICMP,

or call for office visit,

WIRESHARK Lab#3. Computer Network Monitoring  Port Scanning  Keystroke Monitoring  Packet sniffers  takes advantage of “friendly” nature of net. 

IP Fragmentation. Network layer transport segment from sending to receiving host on sending side encapsulates segments into datagrams on rcving side,

Victoria Manfredi September 13, 2016.

Port Scanning James Tate II

Dr. Richard Spillman Fall 2006

COMP2322 Lab 6 TCP Steven Lee Mar 29, 2017.

CITA 352 Chapter 5 Port Scanning.

Introduction to TCP/IP

or call for office visit, or call Kathy Cheek,

or call for office visit,

Internet Protocol Formats

Process-to-Process Delivery

© 2003, Cisco Systems, Inc. All rights reserved.

Wireshark Lab#3.

Module 18 (More Network Discovery)

Overview of Networking & Operating System Security

What does this packet do?

Internet Protocol Formats

COEN 252 Computer Forensics

46 to 1500 bytes TYPE CODE CHECKSUM IDENTIFIER SEQUENCE NUMBER OPTIONAL DATA ICMP Echo message.

IPv4 Addressing By, Ishivinder Singh( ) Sharan Patil ( )

ITIS 6167/8167: Network and Information Security

Transport Layer 9/22/2019.

Presentation transcript:

COEN 252 Computer Forensics Using TCPDump / Windump for package analysis.

TCPDump / Windump Low level package sniffer. Good, if you see a new type of attack or try to diagnose a problem Bad, since you have to look at all these packages and learn how to interpret them.

TCPDump / Windump: The Good Provides an audit trail of network activity. Provides absolute fidelity. Universally available and cheap.

TCPDump / Windump: The Bad Does not collect the payload by default. Does not scale well. State / connections are hidden. Very Limited analysis of packages.

Versions Unix Version 3.4. ftp.ee.lbl.gov/tcpdump.tar.Z ftp.ee.lbl.gov/tcpdump.tar.Z Windump

Shadow Collects tcpdump data in hourly files. Analyzes for anomalies Formates anomalous data in HTML Comes with Scripts Download it for free for UNIX

Running TCPDump tcpdump –x looks at packages in hex format

Running tcpdump IP Header ICMP Header 20:20: IP dhcp engr.scu.edu > Bobadilla.scu.edu: icmp 108: echo request seq d0f 81d2 13d3 81d2 13c d5ee a 6b6c 6d6e 6f a6b 6c6d 6e6f

tcpdump Use reference card to identify fields IP Version 4 Header Length (Nr * 4B) 20:20: IP dhcp engr.scu.edu > Bobadilla.scu.edu: icmp 108: echo request seq d0f 81d2 13d3 81d2 13c d5ee a 6b6c 6d6e 6f a6b 6c6d 6e6f

tcpdump 20B header Type of Service Total Length: 0x80 = 128 decimal 20:20: IP dhcp engr.scu.edu > Bobadilla.scu.edu: icmp 108: echo request seq d0f 81d2 13d3 81d2 13c d5ee a 6b6c 6d6e 6f a6b 6c6d 6e6f

tcpdump Length of capture: tcpdump –s 68 Default is 68B We see only 54B, because the ethernet header is 14B long.

tcpdump tcpdump –e host bobadilla Shows Source MAC Destination MAC Protocol 20:37: :8:74:3f:2:46 0:d:56:8:e4:db ip 142: IP dhcp engr.scu.edu > Bobadilla.scu.edu: icmp 108: echo request seq 5376

Tcpdump Fragmentation Total Length Total Length: Number of Bytes in Packet 20:42: IP Bobadilla.scu.edu.137 > : udp e 892b aae1 81d2 13c6 efff fffa a adb9 8ce b

Tcpdump Fragmentation Offset Header Length 0x33c = 828 Offset: 1ce8  = 7400 Multiply by 8: Offset = :53: IP Bobadilla.scu.edu > dhcp engr.scu.edu: icmp (frag c ce d2 13c6 81d2 13d3 6e6f a 6b6c 6d6e 6f a6b 6c6d 6e6f

TCPDump Filters Capture only packages that are useful. Specify in the filter what items are interesting. Filters use common fields such as host or port. Filters also for individual bytes and bits in the datagram

TCPDump Filters Format 1: macro and value “tcpdump port 23” Only displays packages going to or from port 23.

TCPDump Filters Format 2: [offset:length] “ip[9] = 1” Selects any record with the IP protocol of 1. “icmp[0] = 8” Selects any record that is an ICMP echo requests.

TCPDump Filters Reference single bits through bit masking. An example is TCP flag bits Byte 13 in a TCP header has the 8 flag fields. CWR,ECE,URG,ACK,PSH,RST,SYN,FIN

TCPDump Filters Assume we want to mask out the PSH field. Translate the mask into binary. 0x04

TCPDump Filters Set filter to tcp[13] & 0x40 != 0. Your turn: Filter for packets that have the Syn or the Ack flag set.

TCPDump Filters Your turn: Filter for packets that have the Syn or the Ack flag set. tcp[13] & 0x12 != 0

TCPDump Filters We can of course use exact values for filtering. tcp[13] = 0x20 looks only for tcp-packets that have the urg flag set.

TCPDump Filters Can combine filters with the and, or, not operators (tcp and tcp[13]&0x0f != 0 and not port 25) or port 20 Filter can be written in file, specified with the –F flag.

NMap Available in Windows and Unix version. Scans host with many different connections. Uses responses to determine OS. Target Acquisition. Network mapping.

TCPDump Use Filters to check for NMap activity. For example, send a TCP packet with SYN|FIN|URG|PSH options set. Use packages with the first two TCP flags set of OS-mapping