Published by Lorena Barber. Modified over 9 years ago.
Slide 1: COMP 4027 Network Forensics
This module draws on Network Intrusion Management and Profiling [electronic resource] / Steven Schlarman, and on Josh Broadway's Honours thesis and development of the Columbo tool.
Slide 2: Network Forensics
Common Intrusion Scenarios
Intrusion Profiling
Intrusion Investigation Management
Each stage will give some forensic evidence which can be gathered up. Most evidence, as we have seen, is in logs.
Slide 3: Common Intrusion Scenarios
Information Gathering
Network and System Reconnaissance
System Vulnerability Exploitation
Slide 4: What motivates hackers
Release Information
– Some hackers see a need for freedom of information and thus attack in order to "liberate" the information
Release Software
– Some make copies of software that can be installed on multiple computers; they crack the licensing code for "ethical" or financial reasons
Consume Unused Resources
– Try to access any resource (telephone line, bandwidth, disk space) which is not being used
Slide 5: What do hackers do
Find Vulnerabilities
– Find and exploit vulnerabilities ("security researchers")
Find fame
– Just another way of seeking attention
Slide 6: How do hackers do this? Produce malicious code
Logic Bomb
– Dormant until activated
Parasite
– Code added to an existing program that draws information the hacker does not have privileges to access. Covert and non-destructive
Trojan horse
– Useful program with an alternative agenda
Virus
– Infects another program by replicating itself into the host
– Mostly destructive, perhaps with a logic bomb
Worm
– Transport mechanism for another program, utilising the network
Slide 7: How do hackers do this? Modify source code
E.g. in Linux
So remove all compilers from non-development machines
Dynamically loadable modules and libraries
Slide 8: How do hackers do this? Exploit network protocols
Use the internet daemon, inetd, which listens on each port and passes control of it to the associated program
– The hacker can then get control of root
E-mail Spoofing
– The hacker can telnet to the system's SMTP port and input ASCII commands to it, identifying someone else in the To: or From: commands
IP Spoofing
– Remedy: border routers should drop all packets from the internal network with a source address which is not part of the internal network
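The IP spoofing remedy on this slide, written out as a border-router filtering decision. This is an added example, not code from the lecture or from Schlarman's text; the internal prefixes, interface names and packet records are constructed, and the inbound rule (drop outside packets that claim an internal source) is the mirror image of the slide's egress rule, added here because it follows directly from the same reasoning.

```python
import ipaddress

# Constructed address plan (assumption, not from the slides): two RFC 1918 ranges
# are "inside"; eth1 faces the internal network and eth0 faces the Internet.
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("10.0.0.0/8")]
INSIDE_IF, OUTSIDE_IF = "eth1", "eth0"


def is_internal(addr):
    """True if addr belongs to one of the internal prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def border_verdict(ingress_if, src, dst):
    """Return 'accept' or 'drop' for a packet arriving at the border router.

    Egress rule (the slide's remedy): a packet leaving the internal network must
    carry an internal source address. Ingress rule (mirror image): a packet
    arriving from outside must not claim an internal source address.
    """
    src_internal = is_internal(src)
    if ingress_if == INSIDE_IF and not src_internal:
        return "drop"   # outbound spoofing: our site would appear to be the attacker
    if ingress_if == OUTSIDE_IF and src_internal:
        return "drop"   # inbound spoofing: outsider pretending to be a local host
    return "accept"


# Constructed sample packets: (ingress interface, source, destination).
PACKETS = [
    (INSIDE_IF, "192.168.1.10", "203.0.113.9"),    # normal outbound traffic
    (INSIDE_IF, "198.51.100.77", "203.0.113.9"),   # spoofed source leaving our network
    (OUTSIDE_IF, "203.0.113.9", "192.168.1.10"),   # normal inbound traffic
    (OUTSIDE_IF, "10.1.2.3", "192.168.1.10"),      # outsider claiming an internal address
]


def filter_packets(packets):
    """Apply border_verdict to each packet; returns [(source, verdict), ...]."""
    return [(src, border_verdict(iface, src, dst)) for iface, src, dst in packets]


if __name__ == "__main__":
    for src, verdict in filter_packets(PACKETS):
        print(f"{src:>15}  {verdict}")
```

Dropped outbound packets are worth logging as well as dropping: a burst of them from one internal host is evidence that the host is being used to launch spoofed traffic.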
Slide 9: How do hackers do this?
Source routing
– Should be disabled, since it is never used by legitimate applications; use dynamic protocols instead
Network flooding and SYN flooding
– Use patches
Smurfing
– Disable IP-directed broadcasts at the router
Slide 10: How do hackers do this? Exploit vulnerabilities
Scanners and Profilers
– Preliminary evaluation of software
– Determine hardware
– Identify versions and patches
Sniffers and snoopers
– Might watch network or disk traffic, or be planted inside to watch the print spooler or logins
– Must monitor your own system (SNORT)
Security Tools
– If a hacker finds them on your system he can use your tools to identify your security flaws
Buffer Overflows
File permissions
Password Crackers
Slide 11: How do they start
Target selection: information gathering from web resources
Whois
– http://www.networksolutions.com/cgi-bin/whois/whois – Network Solutions whois query tool (.com, .net, .org)
– http://www.ripe.net/db/whois.html – European IP address allocations
– http://whois.apnic.net – Asia Pacific IP address allocation
– http://www.nic.mil/cgi-bin/whois – US Military
– http://www.nic.gov/cgi-bin/whois – US Government
– http://www.arin.net/whois – ARIN IP address ownership query
Slide 13: Target selection - Passive methods
Dejanews.com
– Search for postings
– Discover infrastructure
– Build a profile of the user for later social engineering
Search engines
– link:www.yoursite.com
Slide 14: DEJA Search
Slide 16: Where is evidence of this activity?
In HTTP logs and firewall logs
What about social engineering (spying)?
– No evidence, because it is non-technological
Slide 17: Target acquisition - scanning
Network scanning
– Automated scripts that identify active hosts
– OS fingerprinting
– Port scanning
– Vulnerability scanning
Telco scanning
Slide 19: Nmap - The scanner of choice
Quiet
Decoys
Very accurate OS fingerprinting
UDP, stealth, full connect
IP fragmentation
...and more
Slide 21: IP scanning
Solarwinds.net
For a few hundred $ you get:
– Cisco tools, DNS tools, TFTP, network discovery tools, ping tools
Vulnerable ports = RFC 1700
Slide 23: Scanners of all types
Free
– nessus www.nessus.org
– nmap www.insecure.org
– satan ftp.win.tue.nl (/pub/security)
– Cheops www.rsh.kiev.ua ($25.00)
– Sam Spade (Win 9x/NT/2K) www.samspade.org
Slide 24: War dialers
Shareware
– ToneLoc
– THC scan (2.0)
Commercial
– Phone Sweep
– SecureLogix (a.k.a. Wheelgroup)
New and improved for the Palm
– www.l0pht.com, now at stake.com
Review PBX records!!!
Slide 27: TCP stack fingerprinting
Different OSs respond in different ways to non-standard packets
Programs use databases of these responses to determine the OS and version of the target machine
QueSO and nmap
Slide 30: Where is evidence of Network and System Reconnaissance?
In router logs, if logging is turned on at the appropriate level
Ping sweeps will appear as ICMP packets to a large range of destination addresses with the same source address
Evidence needs piecing together from
– System logs
– Temporary or hidden directories
– User home directories
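The ping-sweep signature described on this slide (one source, many destinations, ICMP echo requests) turned into detection logic over router or firewall log lines. This is an added example, not part of the lecture; the log lines are constructed and modelled on Linux netfilter LOG output, and the threshold of eight distinct targets is an assumption to tune for the network being monitored.

```python
import re
from collections import defaultdict

# Constructed sample log lines (assumption: netfilter-style fields SRC=, DST=, PROTO=, TYPE=).
# 203.0.113.7 probes twelve consecutive hosts; 198.51.100.5 only pings one host twice.
SWEEP_SRC = "203.0.113.7"
SAMPLE_LOG = [
    f"Mar 03 10:01:{i:02d} fw1 kernel: IN=eth0 OUT= SRC={SWEEP_SRC} DST=192.168.1.{i} "
    f"LEN=84 PROTO=ICMP TYPE=8 CODE=0"
    for i in range(1, 13)
] + [
    "Mar 03 10:02:00 fw1 kernel: IN=eth0 OUT= SRC=198.51.100.5 DST=192.168.1.10 LEN=84 PROTO=ICMP TYPE=8 CODE=0",
    "Mar 03 10:02:05 fw1 kernel: IN=eth0 OUT= SRC=198.51.100.5 DST=192.168.1.10 LEN=84 PROTO=ICMP TYPE=8 CODE=0",
    "Mar 03 10:02:09 fw1 kernel: IN=eth0 OUT= SRC=198.51.100.5 DST=192.168.1.20 LEN=60 PROTO=TCP SPT=40000 DPT=80",
]

# ICMP type 8 is echo request, i.e. the probe half of a ping.
ECHO_REQ = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*PROTO=ICMP TYPE=8\b")


def echo_requests_by_source(lines):
    """Map each source address to the set of destinations it sent echo requests to."""
    targets = defaultdict(set)
    for line in lines:
        m = ECHO_REQ.search(line)
        if m:
            targets[m["src"]].add(m["dst"])
    return targets


def detect_ping_sweeps(lines, min_targets=8):
    """Return {source: sorted destinations} for sources probing >= min_targets distinct hosts.

    Repeated pings to the same host do not count: the sweep signature is breadth
    of destinations, not volume of packets.
    """
    return {
        src: sorted(dsts, key=lambda ip: tuple(int(o) for o in ip.split(".")))
        for src, dsts in echo_requests_by_source(lines).items()
        if len(dsts) >= min_targets
    }


if __name__ == "__main__":
    for src, dsts in detect_ping_sweeps(SAMPLE_LOG).items():
        print(f"possible ping sweep from {src}: {len(dsts)} hosts, {dsts[0]} .. {dsts[-1]}")
```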
Slide 31: What do we do?
Document every interaction with the host:
– Who, when, which commands
– Make a forensic copy of the system log for evidence
– Collect as much system evidence as possible
Slide 32: Denial of Service - crashing the host
Winnuke
– OOB (Out of Band) attack on any unpatched 95/98 or NT box
– Blue-screens the box and forces a reboot
Ping of Death
– ICMP attack using large packets
Teardrop
– Locks up the target
Xcrush, Targa - DoS compilations
New DoS attacks target routers
Slide 34: Distributed attacks
Tribe Flood
– ICMP Echo, UDP, SYN and Smurf
– Uses ICMP_ECHOREPLY packets to communicate between master and zombie
– Need to get root on master and agents
– http://packetstormsecurity.org/distributed/tfn3k.txt
Trin00
– UDP flood
– Uses the UDP protocol to communicate
Slide 35: E-mail bombing applications
– Unabomber
– Kaboom 3.0
– Avalanche
– Ghost Mail
Slide 36: Packet sniffers
What is it?
– Application that collects all TCP/IP (UDP, etc.) packets off the wire
What is it used for?
– Diagnose network problems
– Reading email
  Email security = postcard
  We continue to use this for business critical/personnel data transfers
– Logging web usage
– Usernames/passwords
Slide 38: Packet sniffers
Commercial
– Sniffer Pro – www.nai.com
– Iris – www.eeye.com/html/index.html
Spynet
TCPDUMP / WINDUMP
– http://netgroup-serv.polito.it/windump/
Included in several other programs
– L0phtcrack
– Aggressor
Wireless
Slide 39: Sub 7: What is it?
Remote Administration trojan
Client/Server architecture
Server/Trojan runs on:
– Windows '98
– 2K / NT (v2.2)
Client runs on:
– Windows 2000
– Windows NT
– Windows '98
Port 27374
Slide 40: What can it do?
Full remote administration of the server system:
– Strip out passwords
– Key-logging
– Remote camera viewing
– Full file and registry manipulation
– Email upon discovery
– Message communications (chat, IRC, popups)
Slide 45: Password crackers
NT
– l0phtcrack
Unix
– Crack ftp://ftp.cerias.purdue.edu/pub/tools/unix/pwdutils/crack/
– john the ripper
98/95
– cain
– showpass
Service specific
– shares - legion
– mail/ftp - unsecure
Slide 48: Intrusion Profiling
Based on other kinds of criminal profiling
– Time
– Source
– Method
– List of files accessed
– List of files created
Slide 49: Some conclusions from profiling
When
– Daytime might mean a time zone 8-12 away
– Night time might mean local
Where
– Local address: internal
– Dial-in: "internal" or war dialling
– Wireless
– Targeted host: has inside information
How
– Simple: inside info
– Has password: may be an insider
– Very technical: advanced and may be targeted
Slide 50: Other work
Shanmugasundaram et al., Integrating Digital Forensics into a Network Infrastructure
Slide 51: Integrating Digital Forensics into a Network Infrastructure
Prototype system to integrate wide area network forensics
Purpose
– Forensics
– Network Management
– Compliance
What to collect
– Network dynamics
– Traffic dynamics
Slide 52: Integrating Digital Forensics into a Network Infrastructure
How to retrieve
What to store
Privacy and Security
ForNet – large forensic server