COEN 252: Computer Forensics Router Investigation

Significance of Routers Targets of attacks, esp. DoS. Stepping stones for attacks. Routers store Passwords Routing tables Network block information. Tools for investigation.

Characteristics of Routers Have little storage. Most information comes from logs or is volatile. Use Non-Volatile RAM (NVRAM) Saves configuration files Use normal RAM Current routing tables Listening services Current Passwords Forensics exam needs to get the volatile data!

Gather Volatile Router Data Connect to console port. Need cable and laptop with terminal emulation software. Gather Volatile Data Record System Time Determine who is logged on

Gather Volatile Router Data Gather Volatile Data Determine the uptime and other data on the router since last boot-up Determine listening sockets Routers run a few services such as telnet that are vulnerabilities. Determining listening sockets lists all current services that might be vulnerable. For example, port 80 (http) is often used for router administration, but port 80 is not normally protected by a firewall.

Gather Volatile Router Data Gather Volatile Data Save the router configuration. Review the routing table. This detects malicious static routes. Modified by attacker at the router. Modified with Routing Information Protocol (RIP) spoofing. Check the interface configuration Lots of easy to read data.

Gather Volatile Router Data Gather Volatile Data View the ARP cache Evidence for IP or MAC spoofing

Incidence Investigation Direct Compromise Routing Table Manipulation Theft of Information Denial of Service

Incidence Investigation: Direct Compromise Many ways to access a router. Telnet, SSH, SMTP, … Physical Access. Modem Access. Investigate via listening services. Listening Services. Provide potential attack points. Password Guessing

Incidence Investigation: Direct Compromise Passwords Password cracking stealing from configuration files sniffing from net snmp, telnet, HTTP, TFTP Console Access Reboot to get access

Incidence Investigation: Direct Compromise Modem Last user did not log off. TFTP Used to store and reload configuration files. UDP, no security Attacker scans network for router and TFTP server, then guesses configuration file name, and receives it via TFTP. This gives all passwords needed to access a router. Alternatively, router uploads a changed configuration file to the TFTP server and waits for a network reload.

Incidence Investigation: Routing Table Manipulations Routers use a variety of protocols to update their routing tables. RIP Open Shortest Path First Enhanced Interior Gateway Routing Protocol (EIGRP) Interior Gateway Routing Protocol (IGRP) Some have no authentication!

Incidence Investigation: Routing Table Manipulations Review routing table with “show ip route” For recovery: Remove static routing entries. Reboot router. Switch to authenticating router updates. (Easier said than done.)

Incident Investigation Theft of Information Routers contain network topology and access control. For recovery: change all passwords avoid password reuse

Incident Investigation DoS Destruction of router’s capability to function. Resource consumption reduces functionality of router. Bandwidth consumption overwhelms the network bandwidth.

Incident Investigation DoS Recovery: Elimination of listening services Upgrade of software Access restriction Authentication

Router Authentication Routers use Access Control Lists (ACL) Restrict traffic based on packet attributes Protocol Source / Destination IP address Port TCP flag ICMP message type Time of day

Routers as Monitors Can log traffic based on ACL Logs stored at a remote site.