Network Forensics: Networking Basics; Collecting Network-Based Evidence (NBE); Collection of Packets using Tools; Windows Intrusion; UNIX Intrusion.

OSI Layers (figure taken from Forouzan: TCP/IP Protocol Suite)

Source to Destination Delivery (figure taken from Forouzan: TCP/IP Protocol Suite)

Physical Addresses
A node with physical address 10 sends a frame to a node with physical address 87. The two nodes are connected by a link. At the data link level this frame contains physical (link) addresses in the header. These are the only addresses needed. The rest of the header contains other information needed at this level. The trailer usually contains bits needed for error detection. (Figure taken from Forouzan: TCP/IP Protocol Suite.)

Physical Addresses
Also called MAC addresses. Most local area networks use a 48-bit (6-byte) physical address written as 12 hexadecimal digits, with every byte separated by a colon, as shown below:
7B:05:4C:A9:62:83

IP Addresses
As the message moves through the Internet, notice how the IP addresses stay the same, but the physical addresses change. Why are physical addresses not sufficient? (Figure taken from Forouzan: TCP/IP Protocol Suite.)

IP Addresses
Also called a network address or logical address. An Internet address (network address, logical address) is 32 bits in length, normally written as four decimal numbers, with each number representing 1 byte. The numbers are separated by dots, so the notation is often called dotted decimal notation.

Port Addresses
A port address uniquely identifies a network application such as HTTP, FTP, etc., and is a 16-bit number written in decimal, such as 176. (Figure taken from Forouzan: TCP/IP Protocol Suite.)

Collecting Network-Based Evidence
Types of NBE:
- Full content data: every packet is captured. Excellent for analysis, but requires much work.
- Session data: summaries of data transfer, including the time and duration of the transfer and the parties involved.
- Alert data: responding to the occurrence of a keyword (shipment).
- Statistical data: examining which services or protocols are being used more and for longer periods of time.

Evidence Collection
NBE is collected:
- Before a compromise: proactive network security monitoring (NSM)
- During a compromise: reactive NSM

Standard Intrusion Attack
Intrusion phases:
1. Reconnaissance: the intruder (1st IP address) checks connectivity and vulnerabilities of the Web server (victim)
2. Exploitation: launch the attack from a 2nd IP address against the Web server
3. Reinforcement: store tools at a 3rd IP address, connect to the Web server (backdoor)
4. Consolidation: the intruder communicates with the backdoor using a 4th IP address
5. Pillage: sensitive information is stolen, or a base is built for further attacks
(Taken from Jones et al., Real Digital Forensics)

Attack Phases (figure: the five phases, Reconnaissance through Pillage, each launched against the Victim from a different IP address, 1 through 5, with the fifth address marked with a question mark)

Gaining access to network traffic
- Hubs: a hub forwards a packet to all ports other than the one that received it; thus all traffic passing by can be seen and collected.
- Taps: Test Access Ports are placed between a firewall and a router, or between switches; cost is roughly 4 or 5 times that of hubs.
- Inline device: a homemade tap; a computer that supports bridging.
- Switched Port Analyzer (SPAN port): the switch copies traffic to a mirror port.

Tools
- Full content: Tcpdump, Ethereal, Flowgrep, hexdump
- Session: Argus (can also run in live mode), Tcptrace
- Alert: Snort, Bro
- Statistical: Tcpdstat, Tcpstat

Windows Intrusion
Situation: BankTwo collected network-based evidence while troubleshooting a network problem. The bank did not have a full suite of security monitoring tools, but it was collecting full content data to learn about the network's performance. Tcpdump was running on a Linux monitoring platform sitting on a hub with visibility to the victim system.

Using Tcpdump
The command used:
tcpdump -n -i eth0 -s 1515 -w capture_file.lpc
-n disables translation of IP addresses to host names and of port numbers to service names
-i eth0 specifies running against the promiscuous interface (receives all packets on the network segment)
-s 1515 sets the snapshot length (bytes kept per packet) so that whole Ethernet frames are captured rather than a truncated prefix
-w capture_file.lpc writes the output to a file on the monitoring station's hard drive
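The file that `tcpdump -w` produces is the full content data of the earlier slide: a pcap file header followed by one record per frame, each holding the raw bytes of every layer, so the 48-bit MAC addresses, 32-bit IP addresses and 16-bit ports can all be recovered from it later. The Python below is an added example, not code from the slides, from Forouzan or from tcpdump itself: it writes a minimal pcap in memory, reads it back and decodes the three address layers, verifying the IPv4 header checksum on the way. The two sample frames are constructed: the same TCP SYN as seen on the client's LAN and again past a router, so the IP addresses and ports match while the MAC pairs differ, which is the point of the "why are physical addresses not sufficient" slide. Addresses come from the RFC 5737 documentation ranges, the MACs and timestamps are made up (the source MAC is the slide's own example address), and the TCP checksum is left at zero.

```python
import io
import struct

# libpcap file layout: magic number, version 2.4, link type 1 = Ethernet
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def ipv4_checksum(header):
    """One's-complement sum over the 16-bit words of an IPv4 header (RFC 791).
    Over a header whose checksum field is already filled in, a valid header yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport):
    """Construct an Ethernet II / IPv4 / TCP SYN frame (test data, not a real capture)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(o) for o in s.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                         ip(src_ip), ip(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", 0x0800) + ip_hdr + tcp


def write_pcap(frames, snaplen=1515):
    """Serialize (timestamp, frame) pairs into pcap bytes, the layout `tcpdump -w` writes.
    Frames longer than snaplen are cut, exactly as `-s` cuts them at capture time."""
    out = io.BytesIO()
    out.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for ts, frame in frames:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        captured = frame[:snaplen]
        out.write(struct.pack("<IIII", sec, usec, len(captured), len(frame)))
        out.write(captured)
    return out.getvalue()


def read_pcap(data):
    """Yield (timestamp, captured_bytes) from pcap bytes, honouring the file's byte order."""
    endian = "<" if data[:4] == struct.pack("<I", PCAP_MAGIC) else ">"
    if struct.unpack(endian + "I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a pcap file")
    pos = 24
    while pos + 16 <= len(data):
        sec, usec, caplen, _origlen = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        yield sec + usec / 1_000_000, data[pos:pos + caplen]
        pos += caplen


def decode(frame):
    """Peel off the three address layers: 48-bit MAC (link), 32-bit IP (network), 16-bit port (transport)."""
    if len(frame) < 34:
        raise ValueError("record truncated below the IPv4 header")
    dst_mac, src_mac = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None  # only IPv4 is decoded in this example
    ihl = (frame[14] & 0x0F) * 4
    ip_hdr = frame[14:14 + ihl]
    if len(ip_hdr) < 20 or ipv4_checksum(ip_hdr) != 0:
        raise ValueError("IPv4 header truncated or checksum mismatch")
    rec = {
        "src_mac": ":".join(f"{b:02x}" for b in src_mac),
        "dst_mac": ":".join(f"{b:02x}" for b in dst_mac),
        "src_ip": ".".join(str(b) for b in ip_hdr[12:16]),
        "dst_ip": ".".join(str(b) for b in ip_hdr[16:20]),
        "proto": ip_hdr[9],
    }
    # TCP and UDP headers both begin with the source and destination port
    if rec["proto"] in (6, 17) and len(frame) >= 14 + ihl + 4:
        rec["sport"], rec["dport"] = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    return rec


def decode_capture(data):
    """Decode every IPv4 record of a pcap byte string into an address dictionary."""
    records = []
    for ts, frame in read_pcap(data):
        fields = decode(frame)
        if fields is not None:
            records.append(dict(ts=ts, **fields))
    return records


def sample_frames():
    """Constructed data: one TCP SYN to a web server, seen on the client's LAN and again past a router.
    IPs and ports are identical on both links; only the MAC pair changes per hop (RFC 5737 addresses)."""
    on_client_lan = build_frame("7b:05:4c:a9:62:83", "00:00:5e:00:53:01",
                                "192.0.2.10", "198.51.100.80", 40001, 80)
    past_router = build_frame("00:00:5e:00:53:02", "02:42:c0:a8:00:02",
                              "192.0.2.10", "198.51.100.80", 40001, 80)
    return [(1049803409.000000, on_client_lan), (1049803409.000412, past_router)]


if __name__ == "__main__":
    for rec in decode_capture(write_pcap(sample_frames())):
        print(f"{rec['src_mac']} -> {rec['dst_mac']}   "
              f"{rec['src_ip']}:{rec['sport']} -> {rec['dst_ip']}:{rec['dport']}")
```

Run directly, it prints one line per record with the MAC pair changing and the IP and port pair constant. A snaplen too small to hold the headers produces records that `decode` refuses, which is why the slide's capture used `-s 1515` rather than the default prefix.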

Statistical Data using Tcpdstat
The command:
tcpdstat s2a.lpc > s2a.tcpdstat.txt
Generates: number of packets, average rate, number of source and destination pairs, and protocols used.

DumpFile: s2a.lpc
FileSize: 8.21MB
Id:
StartTime: Tue Apr 08 12:03:
EndTime: Tue Apr 08 12:03:
TotalTime:
# of packets: (7.81MB)
AvgRate: 1.10Mbps stddev:0.56M
### IP address information ###
# of IPv4 addresses: 4

Statistical Data using Tcpdstat
### Protocol Breakdown ###
    protocol      packets          bytes      bytes/pkt
[0] total      26084 (100%)       (100%)
[1] ip         26084 (100%)       (100%)
[2] tcp        26077 (99.97%)     (99.9%)
[3] http(s)    11344 (43.49%)     (84.46%)
[3] http(c)    11491 (44.05%)     (13.15%)
[3] squid          4 (0.02%)   240 (0.00%)
[3] smtp           3 (0.01%)   180 (0.00%)
[3] ftp            2 (0.01%)   120 (0.00%)
[3] telnet         2 (0.01%)   120 (0.00%)
[3] other       3213 (12.32%)     (2.36%)
[3] udp            4 (0.02%)   618 (0.01%)
Notice web servers sending 43.49% of packets, web clients sending 44.05%, and "other" sending 12.32%.
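Tcpdstat's breakdown is a tally of packets and bytes per protocol and per well-known port, with the (s)/(c) suffix recording which side of the connection sent the packet. The Python below is an added example, not tcpdstat's code, that computes the same kind of table from a list of per-packet summaries. The packet list is constructed, and the port-to-service table is an assumption (80 and 443 grouped as http, plus the ports the slide's output names); the bytes/pkt column it adds shows why, in the slide's figures, web servers send 43% of the packets but 84% of the bytes.

```python
# Well-known TCP ports used to name the [3] rows (assumed mapping, in the spirit of tcpdstat).
TCP_SERVICES = {80: "http", 443: "http", 21: "ftp", 23: "telnet", 25: "smtp", 3128: "squid"}


def classify_tcp(sport, dport):
    """Name a TCP packet by the well-known port it touches, with tcpdstat's suffix:
    (s) when it leaves the server port, (c) when it is headed to the server port."""
    if sport in TCP_SERVICES:
        return TCP_SERVICES[sport] + "(s)"
    if dport in TCP_SERVICES:
        return TCP_SERVICES[dport] + "(c)"
    return "other"


def protocol_breakdown(packets):
    """packets: list of (proto, sport, dport, length_in_bytes), one per captured packet.
    Returns rows in tcpdstat order: [0] total, [1] ip, [2] tcp with its [3] services, other transports."""
    counts = {}

    def tally(level, name, length):
        row = counts.setdefault((level, name), [0, 0])
        row[0] += 1
        row[1] += length

    for proto, sport, dport, length in packets:
        tally(0, "total", length)
        tally(1, "ip", length)
        if proto == "tcp":
            tally(2, "tcp", length)
            tally(3, classify_tcp(sport, dport), length)
    for proto, sport, dport, length in packets:  # second pass keeps udp/icmp rows after tcp's children
        if proto != "tcp":
            tally(2, proto, length)

    if not counts:
        return []
    total_pkts, total_bytes = counts[(0, "total")]
    rows = []
    for (level, name), (pkts, nbytes) in counts.items():
        rows.append({
            "level": level, "protocol": name,
            "packets": pkts, "pct_packets": round(100.0 * pkts / total_pkts, 2),
            "bytes": nbytes, "pct_bytes": round(100.0 * nbytes / max(total_bytes, 1), 2),
            "bytes_per_pkt": round(nbytes / pkts, 2),
        })
    return rows


def row(rows, protocol):
    """Pick one row of the breakdown by protocol name."""
    return next(r for r in rows if r["protocol"] == protocol)


def format_breakdown(rows):
    """Render rows the way tcpdstat prints its Protocol Breakdown section."""
    lines = ["### Protocol Breakdown ###",
             f"{'protocol':<14}{'packets':>18}{'bytes':>20}{'bytes/pkt':>12}"]
    for r in rows:
        lines.append(f"[{r['level']}] {r['protocol']:<10}"
                     f"{r['packets']:>8} ({r['pct_packets']:6.2f}%)"
                     f"{r['bytes']:>10} ({r['pct_bytes']:6.2f}%)"
                     f"{r['bytes_per_pkt']:>12.2f}")
    return "\n".join(lines)


def sample_packets():
    """Constructed packet summaries, not a real capture: four large HTTP responses,
    five small HTTP client packets (requests and ACKs), one SMTP client packet, one UDP datagram."""
    web_server_to_client = [("tcp", 80, 40001, 1400)] * 4
    client_to_web_server = [("tcp", 40001, 80, 60)] * 5
    return web_server_to_client + client_to_web_server + [("tcp", 40002, 25, 60), ("udp", 40003, 53, 154)]


if __name__ == "__main__":
    print(format_breakdown(protocol_breakdown(sample_packets())))
```

The two-pass tally is only there to reproduce tcpdstat's row order; the counting itself is a single dictionary keyed by (level, name).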

Alert data using Snort
[**] [1:1668:5] WEB-CGI /cgi/bin/ access [**]
[Classification: Web Application Attack] [Priority: 1]
04/08-12:03: : > :80 TCP TTL:63 TOS:0x0 ID:13538 IpLen:20 DgmLen:181 DF
***AP*** Seq: 0xA50D689C Ack: 0x1EDB04F1 Win: 0x8218 TcpLen: 32
TCP Options (3) => NOP NOP TS:

[**] [1:1201:6] ATTACK RESPONSES 403 FORBIDDEN [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/08-12:03: :80 -> : > :80 TCP TTL:128 TOS:0x0 ID:516 IpLen:20 DgmLen:386 DF
***AP*** Seq: 0x1EDFB033 Ack: 0x7E945F39 Win: 0x43EF TcpLen: 32
TCP Options (3) => NOP NOP TS:

Source is  and destination is  (the victim Web server). This looks like pre-attack reconnaissance against the Web server.
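Snort's full alert format, as shown above, is a small multi-line record: rule ids and message, classification and priority, a timestamp with the source and destination endpoints, then the IP and TCP fields. The Python below is an added example, not Snort's code: it parses such records and pairs each attack alert with a later "ATTACK RESPONSES" alert flowing back over the same socket pair, which is how the request/403 pair on the slide is recognised as a probe the server refused. The alert text is constructed from the slide's two alerts; the IP addresses (RFC 5737 ranges), sub-second timestamps and TCP timestamp option values are made up because the transcript dropped them, while the rule ids, messages, classifications, TTLs and sequence numbers are the slide's own.

```python
import re

# Constructed alert text in Snort's full alert layout, built from the slide's two alerts.
# Addresses, sub-second timestamps and TS option values are made up; the rest is the slide's.
SAMPLE_ALERTS = """\
[**] [1:1668:5] WEB-CGI /cgi/bin/ access [**]
[Classification: Web Application Attack] [Priority: 1]
04/08-12:03:31.412567 192.0.2.10:40001 -> 198.51.100.80:80
TCP TTL:63 TOS:0x0 ID:13538 IpLen:20 DgmLen:181 DF
***AP*** Seq: 0xA50D689C  Ack: 0x1EDB04F1  Win: 0x8218  TcpLen: 32
TCP Options (3) => NOP NOP TS: 3981522 2010403

[**] [1:1201:6] ATTACK RESPONSES 403 FORBIDDEN [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/08-12:03:31.418902 198.51.100.80:80 -> 192.0.2.10:40001
TCP TTL:128 TOS:0x0 ID:516 IpLen:20 DgmLen:386 DF
***AP*** Seq: 0x1EDFB033  Ack: 0x7E945F39  Win: 0x43EF  TcpLen: 32
TCP Options (3) => NOP NOP TS: 2010404 3981522
"""

HEADER_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]")
CLASS_RE = re.compile(r"\[Classification: (.+?)\] \[Priority: (\d+)\]")
ENDPOINTS_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d(?:\.\d+)?) (\S+):(\d+) -> (\S+):(\d+)", re.M)
IPHDR_RE = re.compile(r"^(TCP|UDP|ICMP) TTL:(\d+) .*?ID:(\d+)", re.M)
FLAGS_RE = re.compile(r"^([*A-Z12]{8}) Seq: (0x[0-9A-Fa-f]+)", re.M)


def parse_alerts(text):
    """Split a full-format alert file into records and pull out the fields an analyst triages on."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        head, ends = HEADER_RE.search(block), ENDPOINTS_RE.search(block)
        if not head or not ends:
            continue  # incomplete record; skip rather than guess at its fields
        cls, iphdr, flags = CLASS_RE.search(block), IPHDR_RE.search(block), FLAGS_RE.search(block)
        alerts.append({
            "gid": int(head.group(1)), "sid": int(head.group(2)), "rev": int(head.group(3)),
            "msg": head.group(4),
            "classification": cls.group(1) if cls else None,
            "priority": int(cls.group(2)) if cls else None,
            "time": ends.group(1),
            "src_ip": ends.group(2), "src_port": int(ends.group(3)),
            "dst_ip": ends.group(4), "dst_port": int(ends.group(5)),
            "proto": iphdr.group(1) if iphdr else None,
            "ttl": int(iphdr.group(2)) if iphdr else None,
            "ip_id": int(iphdr.group(3)) if iphdr else None,
            "flags": flags.group(1) if flags else None,
        })
    return alerts


def pair_with_responses(alerts):
    """Match each attack alert with a later ATTACK RESPONSES alert flowing back over the same
    socket pair; a matched pair shows the probe reached the server and what the server answered."""
    pairs = []
    for i, req in enumerate(alerts):
        if req["msg"].startswith("ATTACK RESPONSES"):
            continue
        for resp in alerts[i + 1:]:
            if (resp["msg"].startswith("ATTACK RESPONSES")
                    and resp["src_ip"] == req["dst_ip"] and resp["src_port"] == req["dst_port"]
                    and resp["dst_ip"] == req["src_ip"] and resp["dst_port"] == req["src_port"]):
                pairs.append((req, resp))
                break
    return pairs


def sources_by_priority(alerts):
    """Count alerts per source address, keyed by Snort priority (1 is the most severe)."""
    summary = {}
    for a in alerts:
        per_source = summary.setdefault(a["src_ip"], {})
        per_source[a["priority"]] = per_source.get(a["priority"], 0) + 1
    return summary


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for req, resp in pair_with_responses(parsed):
        print(f"{req['time']} {req['src_ip']}:{req['src_port']} -> {req['dst_ip']}:{req['dst_port']}"
              f"  {req['msg']!r} answered by {resp['msg']!r}")
```

The TTL values the parser keeps (63 toward the server, 128 back) are worth a look on their own: a Windows host typically starts at 128 and a Linux host at 64, so a TTL of 63 on arrival suggests the probe crossed one router, consistent with the slide's mixed Windows victim and Linux monitor.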

Session data using Argus
Transform the full content data into session data:
argus -d -r s2a.lpc -w s2a.argus
  -d run in the background (as a daemon)
  -r read from the named file
  -w write the Argus results to a file
Next, run Argus's ra client to view it in text-based form:
ra -a -c -n -r s2a.argus | grep -v drops > s2a.argus.all.txt
  -a give summary statistics
  -c count bytes in packets
  -n do not translate numbers to names
  grep -v removes the status report lines
Date Time Proto SourceIP.Port DestIP.Port SrcPkts DstPkts SrcBytes DestBytes Session Close
08 Apr 09 12:03:29 tcp  >  EST
08 Apr 09 12:04:41 tcp  >  FIN
... scanning for web vulnerabilities

Session data using Argus, later:
Date Time Proto SourceIP.Port DestIP.Port SrcPkts DstPkts SrcBytes DestBytes Session Close
08 Apr 09 12:04:41 tcp  >  RST
08 Apr 09 12:04:41 tcp  >  RST
08 Apr 09 12:04:41 tcp  >  RST
08 Apr 09 12:04:41 tcp  >  RST
...
Notice that only the port number differs in each transmission. This pattern indicates port scanning, searching for open ports. If one is found open, the sender could try to make a connection.
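The ra listing above is session data: one line per flow with its endpoints, packet and byte counts and how the session closed. The pattern the slide points out (same source, same destination, only the destination port changing, each session reset without any data) can be checked mechanically over the whole listing instead of by eye. The Python below is an added example, not Argus or ra code: it parses session lines in the slide's column order and flags any source/destination pair that probes at least five distinct ports inside a 60-second window with RST-closed, data-free sessions. The records are constructed (RFC 5737 addresses; the field layout approximates the slide's listing rather than ra's exact output) and include the scanner's earlier normal web session and two normal sessions from another client, to show that those are not flagged.

```python
from collections import defaultdict
from datetime import datetime

# Constructed session records in the column order of the slide's ra listing:
# date, time, proto, src.port, dst.port, src pkts, dst pkts, src bytes, dst bytes, close state.
# Addresses are from the RFC 5737 documentation ranges; this approximates ra's layout, not its output.
SAMPLE_SESSIONS = """\
08 Apr 03 12:03:29 tcp 192.0.2.10.40001 198.51.100.80.80 12 10 1840 7211 EST
08 Apr 03 12:04:41 tcp 192.0.2.10.40010 198.51.100.80.21 1 1 60 60 RST
08 Apr 03 12:04:41 tcp 192.0.2.10.40011 198.51.100.80.22 1 1 60 60 RST
08 Apr 03 12:04:41 tcp 192.0.2.10.40012 198.51.100.80.23 1 1 60 60 RST
08 Apr 03 12:04:41 tcp 192.0.2.10.40013 198.51.100.80.25 1 1 60 60 RST
08 Apr 03 12:04:42 tcp 192.0.2.10.40014 198.51.100.80.110 1 1 60 60 RST
08 Apr 03 12:04:42 tcp 192.0.2.10.40015 198.51.100.80.143 1 1 60 60 RST
08 Apr 03 12:04:42 tcp 192.0.2.10.40016 198.51.100.80.443 1 1 60 60 RST
08 Apr 03 12:05:10 tcp 203.0.113.5.51000 198.51.100.80.80 8 6 900 4100 FIN
08 Apr 03 12:05:12 tcp 203.0.113.5.51001 198.51.100.80.443 9 7 1000 5200 FIN
"""


def parse_sessions(text):
    """Parse one session per line; 'ip.port' endpoints are split on the last dot."""
    sessions = []
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) != 12:
            continue  # header or status line, not a session record
        src_ip, src_port = f[5].rsplit(".", 1)
        dst_ip, dst_port = f[6].rsplit(".", 1)
        sessions.append({
            "time": datetime.strptime(" ".join(f[:4]), "%d %b %y %H:%M:%S"),
            "proto": f[4],
            "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port),
            "src_pkts": int(f[7]), "dst_pkts": int(f[8]),
            "src_bytes": int(f[9]), "dst_bytes": int(f[10]),
            "state": f[11],
        })
    return sessions


def is_probe(s):
    """A probe: reset before any application data flowed (at most header-sized packets back)."""
    return s["state"] == "RST" and s["dst_bytes"] <= 60 * s["dst_pkts"]


def detect_port_scans(sessions, window_seconds=60, min_ports=5):
    """Flag a (source, destination) pair that probes at least min_ports distinct destination
    ports inside any window_seconds window. Established or data-bearing sessions are ignored."""
    by_pair = defaultdict(list)
    for s in sessions:
        by_pair[(s["src_ip"], s["dst_ip"])].append(s)
    findings = []
    for (src, dst), group in by_pair.items():
        probes = sorted((s for s in group if is_probe(s)), key=lambda s: s["time"])
        best, start = None, 0
        for end in range(len(probes)):  # sliding window over probes ordered by start time
            while (probes[end]["time"] - probes[start]["time"]).total_seconds() > window_seconds:
                start += 1
            window = probes[start:end + 1]
            ports = sorted({s["dst_port"] for s in window})
            if len(ports) >= min_ports and (best is None or len(ports) > len(best["ports"])):
                best = {"src_ip": src, "dst_ip": dst, "ports": ports,
                        "first": window[0]["time"], "last": window[-1]["time"]}
        if best:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for hit in detect_port_scans(parse_sessions(SAMPLE_SESSIONS)):
        print(f"{hit['src_ip']} -> {hit['dst_ip']}: {len(hit['ports'])} ports probed "
              f"{hit['first']:%H:%M:%S}-{hit['last']:%H:%M:%S}: {hit['ports']}")
```

Session data is enough for this check because the question is about connection shape, not payload; the full content capture is only needed afterwards, to see what was sent to any port the scanner found open.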