COEN 252 Computer Forensics Network Protocols
Network Protocols: Layering • TCP/IP stack has four levels. • OSI has seven.
Network Protocols: Layering • Each layer adds a header. • Application • TCP • IP • Link
Link Layer • Network Interface Cards (NIC) • Each NIC has a unique Media Access Control (MAC) address. • Format: 48 bits, written as 6 bytes in hex (e.g. 00:01:02:03:04:05). • A NIC normally accepts only frames addressed to its own MAC (plus broadcast and multicast); in promiscuous mode it captures every frame on the segment, which is what a sniffer relies on.
Link Layer • Address Resolution Protocol (ARP) • Resolves IP addresses to MAC addresses • RFC 826
Link Layer: ARP Resolution • Assume node A with IP address 10.10.10.100 and MAC 00:01:02:03:04:05 wants to talk to IP address 10.10.10.101. • A sends a broadcast who-has request: 00:01:02:03:04:05; ff:ff:ff:ff:ff:ff; arp 42 who-has 10.10.10.101 • Every device on the link receives the broadcast and hands it to its ARP module. • 10.10.10.101 is the only one that answers: a0:a0:a0:a0:a0:a0; 00:01:02:03:04:05; arp 64; arp reply 10.10.10.101 is-at a0:a0:a0:a0:a0:a0 • A caches the binding in its ARP cache. • ARP has no authentication: any host on the link can send a reply, solicited or not, and poison A's cache, so an IP whose MAC changes in a capture deserves a closer look.
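The exchange above, built and parsed from raw frames, as an added example that is not part of the lecture slides: it constructs the who-has and is-at frames with the slide's addresses, parses them per RFC 826, and keeps a table of IP-to-MAC bindings so that a later reply rebinding 10.10.10.101 to another MAC is flagged, which is the basic check for ARP cache poisoning. The third frame and its attacker MAC de:ad:be:ef:00:01 are constructed for the example; the monitor also flags a sender MAC inside ARP that differs from the Ethernet source.

```python
"""ARP frame builder/parser and a cache-poisoning check (added example, not from the slides)."""
import struct
from ipaddress import IPv4Address

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_arp(eth_src, eth_dst, op, sha, spa, tha, tpa) -> bytes:
    """Ethernet II frame carrying an RFC 826 ARP packet for Ethernet (htype 1) / IPv4 (ptype 0x0800)."""
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sha) + IPv4Address(spa).packed + mac_bytes(tha) + IPv4Address(tpa).packed
    return eth + arp


def parse_arp(frame: bytes):
    """Return the ARP fields of a frame, or None if it is not a well-formed Ethernet/IPv4 ARP packet."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or op not in (ARP_REQUEST, ARP_REPLY):
        return None
    body = frame[22:42]
    return {
        "eth_dst": mac_str(frame[0:6]), "eth_src": mac_str(frame[6:12]), "op": op,
        "sha": mac_str(body[0:6]), "spa": str(IPv4Address(body[6:10])),
        "tha": mac_str(body[10:16]), "tpa": str(IPv4Address(body[16:20])),
    }


class ArpMonitor:
    """Learns IP -> MAC bindings from ARP replies and flags the signs of cache poisoning."""

    def __init__(self):
        self.table = {}   # IP address -> MAC address last announced for it
        self.alerts = []

    def observe(self, frame: bytes):
        pkt = parse_arp(frame)
        if pkt is None:
            return None
        if pkt["sha"] != pkt["eth_src"]:   # the ARP sender MAC should match the frame's source MAC
            self.alerts.append(f"{pkt['spa']}: ARP sender {pkt['sha']} differs from frame source {pkt['eth_src']}")
        if pkt["op"] == ARP_REPLY:
            known = self.table.get(pkt["spa"])
            if known is not None and known != pkt["sha"]:
                self.alerts.append(f"{pkt['spa']} moved from {known} to {pkt['sha']}: possible ARP cache poisoning")
            self.table[pkt["spa"]] = pkt["sha"]
        return pkt


def demo():
    """The slide's exchange followed by a constructed poisoning reply; returns the monitor's alerts."""
    a_mac, a_ip, b_mac, b_ip = "00:01:02:03:04:05", "10.10.10.100", "a0:a0:a0:a0:a0:a0", "10.10.10.101"
    frames = [
        build_arp(a_mac, BROADCAST, ARP_REQUEST, a_mac, a_ip, "00:00:00:00:00:00", b_ip),  # who-has 10.10.10.101
        build_arp(b_mac, a_mac, ARP_REPLY, b_mac, b_ip, a_mac, a_ip),                     # is-at a0:a0:a0:a0:a0:a0
        build_arp("de:ad:be:ef:00:01", a_mac, ARP_REPLY, "de:ad:be:ef:00:01", b_ip, a_mac, a_ip),  # attacker (constructed)
    ]
    mon = ArpMonitor()
    for f in frames:
        mon.observe(f)
    return mon.alerts


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The table only learns from replies, so a forged request (which also updates caches on many stacks) would need the same treatment in a production monitor; that is left out here to keep the check focused on the exchange shown.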
IP • Uses the IP addresses of source and destination. • IP datagrams are forwarded hop by hop. • "Best effort" service: no delivery guarantee. • A datagram whose header fails the checksum is dropped; the IP checksum covers only the header, so payload corruption is left for TCP or UDP to catch.
IP • A communication endpoint is identified by an IP address together with a port number; the IP header carries only the addresses, the port numbers sit in the TCP or UDP header. • IPv4 addresses are 32 bits long. • IPv6 addresses are 128 bits long.
IP: ICMP • Internet Control Message Protocol • Created so that routers and hosts can report problems the sender cannot see on its own. Examples: • Fragmentation is necessary, but the Don't Fragment (DF) flag is set. • A UDP datagram is sent to a port nobody is listening on. • Ping (echo request and echo reply).
IP: ICMP • ICMP error messages should not be sent: • for any but the first fragment, • for a datagram whose source address is a broadcast or loopback address. • Such packets are probably malicious anyway.
IP: ICMP • ICMP error messages are not sent: • in response to an ICMP error message; otherwise one could craft a message with invalid UDP source and destination ports and watch the errors ping-pong between the two hosts forever. • in response to a datagram sent to a broadcast address; answering a broadcast with destination unreachable would make it trivial to map a network.
Transport Layer: TCP and UDP • Transmission Control Protocol (TCP) • Reliable • Connection-Oriented. • Slow • User Datagram Protocol (UDP) • Unreliable • Connectionless. • Fast.
TCP • Only supports unicasting. • Full-duplex connection. • Sequence numbers detect lost and reordered segments.
TCP: Three-Way Handshake • Initiator to responder: SYN, sequence number s • Responder to initiator: SYN, sequence number t, ACK s+1 • Initiator to responder: ACK t+1 • Establishes both directions of the connection, with initial sequence numbers s and t.
TCP: Three-Way Handshake • 20:13:34.972069 IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: S 2882650416:2882650416(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) • 20:13:34.972487 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1316: S 1012352000:1012352000(0) ack 2882650417 win 32768 <mss 1460> (DF) • 20:13:34.972500 IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: . ack 1 win 17520 (DF)
TCP: Terminating Connections • Graceful shutdown • Party 1 to Party 2: FIN • Party 2 to Party 1: ACK • Party 2 to Party 1: FIN • Party 1 to Party 2: ACK • Abrupt shutdown • Party 1 to Party 2: RST
TCP: Shutting down a connection • 20:48:45.221851 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: P 4:5(1) ack 5 win 16958 (DF) • 20:48:45.226300 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 5:7(2) ack 5 win 32768 (DF) • 20:48:45.231650 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 7:23(16) ack 5 win 32768 (DF) • 20:48:45.231666 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 23 win 16940 (DF) • 20:48:45.235303 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: F 23:23(0) ack 5 win 32768 (DF) • 20:48:45.235331 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 24 win 16940 (DF) • 20:48:45.235494 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: F 5:5(0) ack 24 win 16940 (DF) • 20:48:45.236027 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: . ack 6 win 32767 (DF)
TCP: Exchanging Data • Each segment carries a sequence number (one sequence space per direction). • The initial sequence numbers (ISNs) are chosen during the three-way handshake. • Nmap's OS detection probes how a host generates its ISNs and matches the pattern against a fingerprint database. • Modern operating systems generate unpredictable ISNs (RFC 6528), which also defeats blind connection spoofing.
TCP: Exchanging Data • The party that receives a segment sends an acknowledgement. • The acknowledgement consists of: • the ACK flag, • the sequence number of the next byte it expects.
TCP: Exchanging Data • If a segment is lost, the receiver keeps acknowledging the same byte: a "duplicate acknowledgement". • After three duplicate ACKs (four acknowledgements of the same number in a row) the sender retransmits without waiting for the timer ("fast retransmit"). • A segment is also retransmitted when its retransmission timeout expires.
TCP Exchanging Data • 20:48:45.087563 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 4 win 16959 (DF) • 20:48:45.087583 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: P 3:4(1) ack 4 win 16959 (DF) • 20:48:45.096443 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 4:5(1) ack 4 win 32768 (DF) • 20:48:45.221851 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: P 4:5(1) ack 5 win 16958 (DF) • 20:48:45.226300 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 5:7(2) ack 5 win 32768 (DF) • 20:48:45.231650 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 7:23(16) ack 5 win 32768 (DF) • 20:48:45.231666 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 23 win 16940 (DF)
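The handshake, data and shutdown traces on these slides, checked mechanically, as an added example that is not part of the lecture: a parser for tcpdump lines in the layout shown above and a small state tracker that verifies the SYN/ACK acknowledges s+1, that each side's data is contiguous, that nobody acknowledges bytes the other side has not sent, that a FIN consumes one sequence number, and that repeated pure ACKs are counted as duplicate ACKs. The regular expression assumes this old tcpdump format (absolute sequence numbers on SYN segments, relative ones afterwards); the trace lines are the slides' own.

```python
"""Reconstructs TCP connection state from tcpdump-style lines (added example; the traces are the slides')."""
import re
from dataclasses import dataclass, field

LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+?)\.(?P<sport>\d+) > (?P<dst>\S+?)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRP.]+)(?: (?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\))?(?: ack (?P<ack>\d+))? win (?P<win>\d+)"
)


@dataclass
class Conn:
    state: str = "CLOSED"
    isn: dict = field(default_factory=dict)       # endpoint -> absolute initial sequence number
    next_seq: dict = field(default_factory=dict)  # endpoint -> next relative sequence number expected from it
    dup_ack: dict = field(default_factory=dict)   # endpoint -> (last pure-ACK value, times seen in a row)
    fins: set = field(default_factory=set)
    events: list = field(default_factory=list)    # anomalies worth a forensic second look


def parse_line(line: str):
    m = LINE.match(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("seq", "end", "len", "ack", "win"):
        d[k] = int(d[k]) if d[k] is not None else None
    d["from"], d["to"] = f"{d['src']}.{d['sport']}", f"{d['dst']}.{d['dport']}"
    return d


class Tracker:
    def __init__(self):
        self.conns = {}   # frozenset({endpoint, endpoint}) -> Conn

    def feed(self, line: str):
        p = parse_line(line)
        if p is None:
            return None
        c = self.conns.setdefault(frozenset((p["from"], p["to"])), Conn())
        src, dst, flags, ts = p["from"], p["to"], p["flags"], p["ts"]
        if "R" in flags:                                    # abrupt shutdown
            c.state = "CLOSED"
            c.events.append(f"{ts} RST from {src}")
            return c
        if "S" in flags and p["ack"] is None:               # handshake 1: SYN with ISN s
            c.isn[src], c.next_seq[src], c.state = p["seq"], 1, "SYN_SENT"
            return c
        if "S" in flags:                                    # handshake 2: SYN/ACK must carry ack s+1
            if dst in c.isn and p["ack"] != c.isn[dst] + 1:
                c.events.append(f"{ts} SYN/ACK acks {p['ack']}, expected {c.isn[dst] + 1}")
            c.isn[src], c.next_seq[src], c.state = p["seq"], 1, "SYN_RECEIVED"
            return c
        # tcpdump prints relative sequence numbers from here on
        if p["ack"] is not None and dst in c.next_seq and p["ack"] > c.next_seq[dst]:
            c.events.append(f"{ts} {src} acks byte {p['ack']} but only {c.next_seq[dst]} seen from {dst}")
        if c.state == "SYN_RECEIVED" and p["ack"] == 1:     # handshake 3: ACK t+1
            c.state = "ESTABLISHED"
        if p["len"]:                                        # data segment: sequence numbers must be contiguous
            if src in c.next_seq and p["seq"] != c.next_seq[src]:
                c.events.append(f"{ts} {src} sent seq {p['seq']}, expected {c.next_seq[src]} (loss or retransmit)")
            c.next_seq[src] = p["end"]
        elif p["ack"] is not None and "F" not in flags:     # pure ACK: a repeated value is a duplicate ACK
            last, n = c.dup_ack.get(src, (None, 0))
            n = n + 1 if last == p["ack"] else 1
            c.dup_ack[src] = (p["ack"], n)
            if n == 4:                                      # original plus three duplicates: fast retransmit due
                c.events.append(f"{ts} three duplicate ACKs of {p['ack']} from {src}")
        if "F" in flags:                                    # graceful shutdown: FIN consumes one sequence number
            c.fins.add(src)
            c.next_seq[src] = (p["end"] if p["end"] is not None else c.next_seq.get(src, 0)) + 1
            c.state = "CLOSED" if len(c.fins) == 2 else "FIN_WAIT"
        return c


def track(lines):
    """Feed lines in order and return each connection's final state and anomaly list."""
    t = Tracker()
    for line in lines:
        t.feed(line)
    return {" <-> ".join(sorted(k)): (c.state, c.events) for k, c in t.conns.items()}


HANDSHAKE = [
    "20:13:34.972069 IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: S 2882650416:2882650416(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)",
    "20:13:34.972487 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1316: S 1012352000:1012352000(0) ack 2882650417 win 32768 <mss 1460> (DF)",
    "20:13:34.972500 IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: . ack 1 win 17520 (DF)",
]
DATA_AND_CLOSE = [
    "20:48:45.087563 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 4 win 16959 (DF)",
    "20:48:45.087583 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: P 3:4(1) ack 4 win 16959 (DF)",
    "20:48:45.096443 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 4:5(1) ack 4 win 32768 (DF)",
    "20:48:45.221851 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: P 4:5(1) ack 5 win 16958 (DF)",
    "20:48:45.226300 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 5:7(2) ack 5 win 32768 (DF)",
    "20:48:45.231650 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 7:23(16) ack 5 win 32768 (DF)",
    "20:48:45.231666 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 23 win 16940 (DF)",
    "20:48:45.235303 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: F 23:23(0) ack 5 win 32768 (DF)",
    "20:48:45.235331 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 24 win 16940 (DF)",
    "20:48:45.235494 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: F 5:5(0) ack 24 win 16940 (DF)",
    "20:48:45.236027 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: . ack 6 win 32767 (DF)",
]
```

Both traces come out clean (ESTABLISHED with no events for the handshake, CLOSED with no events for the data exchange and shutdown); the tracker only reports something when a line contradicts what the previous lines promised, which is exactly the kind of inconsistency that points at injected or spoofed segments in a capture.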
TCP flags • Part of the TCP header • F : FIN - Finish; no more data from the sender, end of session • S : SYN - Synchronize; request to start a session • R : RST - Reset; abort the connection • P : PSH - Push; deliver the buffered data to the application immediately • A : ACK - the acknowledgement field is valid • U : URG - the urgent pointer field is valid • E : ECE - Explicit Congestion Notification Echo • W : CWR - Congestion Window Reduced
UDP • "Send and pray" • No connection. • Only an 8-byte header: source port, destination port, length and checksum (optional in IPv4); nothing like TCP's sequence and acknowledgement numbers. • The Protocol field in the IP header is 17 (0x11) for UDP; the ports live in the UDP header, not in the IP header.
Fragmentation • An IP datagram may meet a link whose maximum transmission unit (MTU) is smaller than the datagram. • The sending host or a forwarding router chops the IP datagram into several smaller IP datagrams, the fragments.
Fragmentation • Fragments are reassembled only at the destination. • Each fragment carries: • the Identification field of the original datagram, • the offset of its data within the original payload (in units of 8 bytes), • the length of the data it carries (in the Total Length field), • the More Fragments (MF) flag, cleared only on the final fragment.
Fragmentation Example • Large echo request: ping -l 1480 129.218.19.198 • Assume the MTU is 1500. • 1480 bytes of data plus the 8-byte ICMP header make a 1488-byte IP payload; with a 20-byte IP header only 1480 payload bytes fit in one packet, so the datagram leaves as two fragments carrying 1480 and 8 data bytes.
Fragmentation • ping -l 65500 129.218.19.198 • 12:02:18.256066 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp 1472: echo request seq 6400 (frag 10712:1472@0+) • 12:02:18.257282 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@1472+) • 12:02:18.258498 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@2944+) • 12:02:18.258502 IP dhcp-19-115.engr.scu.edu.137 > 129.210.19.255.137: udp 50 • 12:02:18.259714 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@4416+) • 12:02:18.261177 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@5888+) • 12:02:18.262389 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@7360+) • 12:02:18.263604 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@8832+) • 12:02:18.264820 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@10304+) • 12:02:18.266037 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@11776+) • 12:02:18.267495 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@13248+) • 12:02:18.268712 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@14720+)
Fragmentation • DF (Don't Fragment) flag • If a forwarding node finds that the datagram needs to be fragmented but DF is set, it drops the datagram and should respond with ICMP destination unreachable, code "fragmentation needed and DF set". • This is how path MTU discovery finds the smallest MTU along a path.
Fragmentation • Stateless firewalls look only at individual packets. • The transport header (TCP/UDP ports and flags) is present only in the first fragment. • "Stealth attacks / scans" put the evil payload only in the second and following fragments, which carry no ports to filter on.
Fragments: Teardrop and Friends • Teardrop (1997) • Fragments with overlapping offset fields. • Many operating systems of the time crashed, hung or rebooted. • Jolt2 • A stream of fragments with a non-zero offset and no first fragment. • The receiving system allocates resources to reconstruct a datagram that never completes.
Fragments: Teardrop and Friends • Oversized datagrams • Create fragments whose offset plus length claims a datagram far larger than anything legitimate. • A trusting OS tries to allocate the memory and dies. • Ping of Death • Windows 95 allowed sending a ping whose reassembled size exceeded the 65,535-byte IPv4 maximum; receiving hosts crashed. • Unnamed attacks • Missing fragments leave reassembly buffers allocated until they time out.
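The fragmentation arithmetic of the two ping examples and the malformed-fragment patterns named on these slides, as an added example that is not part of the lecture: a splitter that produces fragments the way a sender or router does, and a reassembly check that rejects overlapping fragments (Teardrop), fragments that reach past the 65,535-byte limit (Ping of Death), streams with no first fragment (Jolt2-style) and incomplete datagrams instead of trusting them. The 1472-byte fragments in the trace above imply a 1492-byte MTU on that path (1472 + 20-byte header), which is what the first call assumes; the attack fragments are constructed for the example.

```python
"""IPv4 fragmentation and a defensive reassembly check (added example, not from the slides)."""
from dataclasses import dataclass

IP_HDR = 20           # header length without options
MAX_DATAGRAM = 65535  # largest total length an IPv4 datagram may have


@dataclass(frozen=True)
class Frag:
    ident: int    # Identification field shared by all fragments of one datagram
    offset: int   # byte offset of this fragment's data (the header stores offset // 8)
    length: int   # payload bytes carried by this fragment
    more: bool    # MF flag: more fragments follow


def fragment(ident: int, payload_len: int, mtu: int) -> list:
    """Split a payload the way a sender or router does: every fragment but the last carries a multiple of 8 bytes."""
    chunk = (mtu - IP_HDR) // 8 * 8
    frags, off = [], 0
    while off < payload_len:
        n = min(chunk, payload_len - off)
        frags.append(Frag(ident, off, n, off + n < payload_len))
        off += n
    return frags


def check_reassembly(frags) -> list:
    """Return the problems a reassembler should reject instead of trusting; an empty list means a clean datagram."""
    problems, by_id = [], {}
    for f in frags:
        by_id.setdefault(f.ident, []).append(f)
    for ident, fs in by_id.items():
        fs.sort(key=lambda f: f.offset)
        end = 0   # bytes of contiguous payload assembled so far
        for f in fs:
            if f.offset % 8 or (f.more and f.length % 8):
                problems.append(f"id {ident}: fragment @{f.offset} not 8-byte aligned")
            if f.offset + f.length > MAX_DATAGRAM - IP_HDR:
                problems.append(f"id {ident}: data ends at {f.offset + f.length}, past the 65535-byte limit (Ping of Death)")
            if f.offset < end:
                problems.append(f"id {ident}: fragment @{f.offset} overlaps data already assembled to {end} (Teardrop)")
            elif f.offset > end:
                problems.append(f"id {ident}: gap between {end} and {f.offset}; buffer held until timeout")
            end = max(end, f.offset + f.length)
        if fs[0].offset != 0:
            problems.append(f"id {ident}: no first fragment, so no transport header to inspect (Jolt2-style)")
        if fs[-1].more:
            problems.append(f"id {ident}: final fragment (MF=0) never arrived")
    return problems


def tcpdump_style(f: Frag) -> str:
    """Render a fragment the way the trace above does: (frag id:len@offset+)."""
    return f"(frag {f.ident}:{f.length}@{f.offset}{'+' if f.more else ''})"


if __name__ == "__main__":
    for f in fragment(10712, 65500 + 8, 1492)[:3]:   # ping -l 65500: 8-byte ICMP header plus data
        print(tcpdump_style(f))
    print(check_reassembly([Frag(7, 0, 32, True), Frag(7, 24, 24, False)]))   # constructed Teardrop pair
```

A stateless firewall sees ports only in the fragment at offset 0, which is why the gap and missing-first-fragment findings matter to a filter as much as to the reassembling host.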
ICMP • ICMP has no port numbers. • No acks, no message delivery guarantee • http://www.iana.org/assignments/icmp-parameters • First Byte Type • Second Byte Code
ICMP • Mapping Techniques. • Detect up host. • Detect OS through responses.
ICMP Tireless Mapper • Sends ICMP echo requests to every possible IP address in the target range. • Many IDS will not notice the scan if the number of packets per hour is kept small. • Firewalls should filter incoming ping requests.
ICMP Efficient Mapper • Use the ICMP echo request with a broadcast address. • Ping 129.210.19.255
ICMP Clever Mapper • Uses a different ICMP message, such as an ICMP address mask request. • The reply reveals the subnet mask and therefore the size of the network.
ICMP Normal messages • Host unreachable • Port unreachable • Admin prohibited • Need to fragment • Time exceeded in transit
Malicious ICMP: Smurf Attack • Smurf attack on victim 129.219.19.198 • Step 1: The attacker sends an ICMP echo request to a network's broadcast address with the source IP spoofed to 129.219.19.198. • Step 2: The border router forwards the echo request to the broadcast address (directed broadcast). • Step 3: All live hosts respond with an ICMP echo reply to the spoofed source, the victim.
Malicious ICMP: Smurf Attack • Denial of Service Attack. • Effort of Attacker << Effort of Victim. • Uses ICMP replies from network as an amplifier. • Works well if victim has a slow connection.
Malicious ICMP: Tribal Flood Network • Distributed flooding in the spirit of Smurf. • Turns compromised machines into zombies. • The zombies wait for a trigger from the attacker, then bombard the victim with requests. • Many variations on this theme.
Malicious ICMP: Winfreeze (obsolete) • Uses the ICMP redirect message. • Its legitimate use is to update a host's routing information. • A flood of redirect messages makes the victim (Win95 / Win98) route traffic to itself via random hosts. • The victim spends all its time updating its routing table.
Malicious ICMP: Loki • Uses ICMP packets as a covert channel. • A compromised host running a Loki server responds to requests from a Loki client. • Requests travel as ping messages with the data embedded in the ICMP echo payload. • Originally used bytes 6 and 7.
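The mapping and abuse patterns from the ICMP slides (ping sweep, echo request to a directed broadcast, address mask request, data tunnelled in echo payloads), run as detection logic over constructed traffic, as an added example that is not part of the lecture: an ICMP builder and parser with RFC 1071 checksums and a monitor that raises one alert per pattern. The local network 129.210.19.0/24, the source addresses, the sweep threshold of four hosts and the "standard ping payload" heuristic (Windows repeats abcdefghijklmnopqrstuvw; Linux sends a timestamp followed by consecutively increasing bytes) are assumptions of the example.

```python
"""ICMP builder/parser and a monitor for mapping, Smurf and covert-channel patterns (added example, not from the slides)."""
import struct
from collections import defaultdict
from ipaddress import IPv4Address, IPv4Network

ECHO_REQUEST, ADDR_MASK_REQUEST = 8, 17
WINDOWS_PATTERN = b"abcdefghijklmnopqrstuvw"   # default payload of the Windows ping tool (assumed here)


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, used by both the IP header and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def build_icmp(src, dst, typ, code=0, ident=1, seq=1, payload=b"") -> bytes:
    """IPv4 datagram (protocol 1) carrying one ICMP message, both checksums filled in."""
    icmp = struct.pack("!BBHHH", typ, code, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + icmp


def parse_icmp(pkt: bytes):
    """Return the ICMP fields of an IPv4 datagram, or None if lengths or checksums do not add up."""
    if len(pkt) < 28 or pkt[0] != 0x45:
        return None
    total, proto = struct.unpack("!H", pkt[2:4])[0], pkt[9]
    if proto != 1 or total != len(pkt) or checksum(pkt[:20]) != 0 or checksum(pkt[20:]) != 0:
        return None
    typ, code, _, ident, seq = struct.unpack("!BBHHH", pkt[20:28])
    return {"src": str(IPv4Address(pkt[12:16])), "dst": str(IPv4Address(pkt[16:20])),
            "type": typ, "code": code, "id": ident, "seq": seq, "payload": pkt[28:]}


def standard_ping_payload(p: bytes) -> bool:
    """Heuristic (an assumption of this example): Windows pattern, or Linux timestamp + increasing bytes."""
    if p == (WINDOWS_PATTERN * (len(p) // len(WINDOWS_PATTERN) + 1))[:len(p)]:
        return True
    tail = p[16:]
    return len(tail) > 1 and all(tail[i + 1] == (tail[i] + 1) & 0xFF for i in range(len(tail) - 1))


class IcmpMonitor:
    """Flags directed-broadcast echo requests (Smurf / mapping), ping sweeps, mask requests and odd echo payloads."""

    def __init__(self, local_nets, sweep_threshold=4):
        self.broadcasts = {str(IPv4Network(n).broadcast_address) for n in local_nets}
        self.sweep_threshold = sweep_threshold
        self.targets = defaultdict(set)   # source -> distinct hosts it has pinged
        self.alerts = []

    def observe(self, pkt: bytes):
        m = parse_icmp(pkt)
        if m is None:
            self.alerts.append("malformed ICMP datagram (length or checksum)")
            return None
        if m["type"] == ECHO_REQUEST:
            if m["dst"] in self.broadcasts:
                self.alerts.append(f"echo request to directed broadcast {m['dst']} from {m['src']}: Smurf amplification or mapping")
            self.targets[m["src"]].add(m["dst"])
            if len(self.targets[m["src"]]) == self.sweep_threshold:
                self.alerts.append(f"{m['src']} has pinged {self.sweep_threshold} distinct hosts: ping sweep")
            if not standard_ping_payload(m["payload"]):
                self.alerts.append(f"echo request from {m['src']} with {len(m['payload'])}-byte non-standard payload: possible Loki-style covert channel")
        elif m["type"] == ADDR_MASK_REQUEST:
            self.alerts.append(f"address mask request from {m['src']}: subnet mapping")
        return m


def demo():
    """Constructed traffic: a normal ping, a Smurf trigger, a four-host sweep, a tunnelled command and a mask request."""
    win32 = (WINDOWS_PATTERN * 2)[:32]
    linux56 = bytes(16) + bytes(range(0x10, 0x38))
    mon = IcmpMonitor(["129.210.19.0/24"])
    stream = [build_icmp("129.210.19.10", "129.210.19.20", ECHO_REQUEST, payload=win32),
              build_icmp("129.219.19.198", "129.210.19.255", ECHO_REQUEST, payload=win32)]
    stream += [build_icmp("10.0.0.5", f"129.210.19.{h}", ECHO_REQUEST, seq=h, payload=linux56) for h in range(1, 5)]
    stream += [build_icmp("129.210.19.50", "129.210.19.20", ECHO_REQUEST, payload=b"cat /etc/shadow"),
               build_icmp("10.0.0.5", "129.210.19.1", ADDR_MASK_REQUEST, payload=bytes(4))]
    for pkt in stream:
        mon.observe(pkt)
    return mon.alerts


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The payload heuristic is deliberately strict: a short echo payload that matches neither pattern is reported, which is the right default for a forensic pass over a capture and can be relaxed for a live IDS that sees many ping implementations.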
Malicious ICMP: Conclusions • Limit ICMP messages at the firewall. • This causes inefficiencies, such as attempting a TCP connection to a host that is down instead of learning immediately that it is unreachable. • "Fragmentation needed" messages must still be admitted, or path MTU discovery breaks. • Log those that are let through.
FTP • Uses TCP. • Active / Passive FTP • Both use port 21 for the control connection that carries FTP commands. • Active FTP: • The server opens the data connection from its port 20 to the client address and port named in the client's PORT command. • Passive FTP: • The client opens the data connection to a server port announced in the 227 reply to PASV.
FTP: Active FTP Example • Command channel between server8.engr.scu.edu.21 and dhcp-19-211.engr.scu.edu.3268 • A dir command makes the server open a new connection from server8.engr.scu.edu.20 to dhcp-19-211.engr.scu.edu.5003, the port the client announced with PORT.
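The PORT and 227 encodings behind the example above, with the checks an FTP-aware firewall or proxy applies to them, as an added example that is not part of the lecture: port 5003 is carried as 19,139 (19 * 256 + 139), the server must only be asked to connect back to the client that owns the control connection (anything else is the FTP bounce trick), and a 227 reply must name the server itself. The client address 129.210.19.211, the server address 129.210.19.8 and the bounce target 10.0.0.7 are assumptions; the slide gives only host names.

```python
"""Decodes FTP PORT commands and 227 (PASV) replies and applies firewall-style checks (added example, not from the slides)."""
import re
from ipaddress import IPv4Address

PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\b.*?\((\d{1,3}(?:,\d{1,3}){5})\)")


def decode_hostport(six: str):
    """'h1,h2,h3,h4,p1,p2' -> ('h1.h2.h3.h4', p1 * 256 + p2)."""
    n = [int(x) for x in six.split(",")]
    if any(v > 255 for v in n):
        raise ValueError(f"octet out of range in {six!r}")
    return str(IPv4Address(".".join(map(str, n[:4])))), n[4] * 256 + n[5]


def encode_hostport(ip: str, port: int) -> str:
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def check_port_command(client_ip: str, line: str):
    """Active mode: the server connects from port 20 to the PORT address, so it must be the control client's."""
    m = PORT_RE.match(line)
    if not m:
        return None
    ip, port = decode_hostport(m.group(1))
    findings = []
    if ip != client_ip:
        findings.append(f"PORT names {ip} but the control connection comes from {client_ip}: FTP bounce attempt")
    if port < 1024:
        findings.append(f"PORT asks the server to connect to privileged port {port}")
    return {"connect_to": (ip, port), "findings": findings}


def check_pasv_reply(server_ip: str, line: str):
    """Passive mode: the client connects to the 227 address, so it must be the control server's."""
    m = PASV_RE.match(line)
    if not m:
        return None
    ip, port = decode_hostport(m.group(1))
    findings = [] if ip == server_ip else [f"227 reply names {ip}, not the control server {server_ip}: client would be redirected"]
    return {"connect_to": (ip, port), "findings": findings}


if __name__ == "__main__":
    print(check_port_command("129.210.19.211", "PORT 129,210,19,211,19,139"))   # the slide's 5003
    print(check_port_command("129.210.19.211", "PORT 10,0,0,7,0,25"))           # constructed bounce to SMTP
```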