1 / 165

Computer Forensics

Computer Forensics. Network Protocols Overview for Network Forensics. Focus of this presentation. Protocols With a few anecdotes, how-to-dos and previews thrown in. Network Protocols: Layering. Complexity of networking leads to layered architectures. TCP/IP stack has four levels.

stephaniestewart
Download Presentation

Computer Forensics

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Computer Forensics Network Protocols Overview for Network Forensics

  2. Focus of this presentation Protocols With a few anecdotes, how-to-dos and previews thrown in.

  3. Network Protocols: Layering • Complexity of networking leads to layered architectures. • TCP/IP stack has four levels. • OSI has seven.

  4. Network Protocols: Layering

  5. Network Protocols: Layering • Each layer adds a header. • Application • TCP • IP • Link

  6. Repetition:Capturing Data on a Network • Develop a threat model before deploying Network Security Monitoring • Internal / External Attacker • Wireless / Wired / … • Develop Monitoring zoning • Demilitarized zone • Wireless zone • Intranet zones

  7. Repetition: Capturing Data on a Network • Wired monitoring • Hubs • SPAN ports • Taps • Inline devices

  8. Repetition: Capturing Data on a Network • Hubs • Broadcasts incoming data on all interfaces. • Be careful about NIC capacity (10/100/1000 Mb/sec) • Be careful about hub quality • Are inexpensive, but can introduce collisions on the links where the hub sits.

  9. Repetition: Capturing Data on a Network • Switched Port Analyzer (SPAN) • A.k.a. Port mirroring, Port monitoring. • SPAN port located on enterprise class switches. • Copy traffic between certain ports to SPAN port. • Configurable • Easy access to traffic. • Can make mistakes with configuration. • Under heavy load, SPAN port might not get all traffic. • SPAN only allows monitoring of a single switch.

  10. Repetition: Capturing Data on a Network • Test Access Port (TAP) • Networking device specifically designed for monitoring applications. • Typically four ports: • Router • Firewall • Monitor traffic on remaining ports. • One port sees incoming, the other outgoing traffic. • Moderately high costs.

  11. Repetition: Capturing Data on a Network • Specialized inline devices: • Server or hardware device • Filtering bridges • Server with OpenBSD and two NICs

  12. Link Layer • Network Interface Cards (NIC) • Unique Medium Access Control (MAC) number • Format 48b written as twelve hex bytes. • First 6 identify vendor. • Last 6 serial number. • NICs either select based on MAC address or are in promiscuous mode (capture every packet).

  13. Link Layer • Address Resolution Protocol (ARP) • Resolves IP addresses to MAC addresses • RFC 826

  14. Link Layer: ARP Resolution Protocol • Assume node A with IP address 10.10.10.100 and MAC 00:01:02:03:04:05 wants to talk to IP address 10.10.10.101. • Sends out a broadcast who-has request: 00:01:02:03:04:05; ff:ff:ff:ff:ff:ff; arp 42 who-has 10.10.10.101 • All devices on the link capture the packet and pass it to the IP layer. • 10.10.10.101 is the only one to answer: a0:a0:a0:a0:a0:a0; 00:01:02:03:04:05; arp 64; arp reply 10.10.10.101 is-at a0:a0:a0:a0:a0:a0 • A caches the value in its arp cache.

  15. Link Layer: ARP Resolution Protocol ARP requests:

  16. Link Layer: ARP Resolution Protocol

  17. Link Layer Forensics Network monitoring tools such as Argus or Ethereal log MAC addresses.

  18. Link Layer Forensics Example: Spike in network traffic comes from a computer with a certain IP address. However, Argus logs reveal that the traffic comes from a computer with a different MAC then the computer assigned that IP. (Spoofing) Finally, intrusion response finds the computer with that MAC, a Linux laptop that has been compromised and is used for a Denial of Service attack.

  19. Link Layer Forensics • ARP cache can be viewed on Windows NT/2000/XP with arp –a command.

  20. ATM • ATM • uses fiber optic cables and ATM switches. • encapsulates data into ATM cells. • number identifies the circuit that ATM has established between two computers. • ATMARP allows machines to discover MAC addresses. • ATMARP has a central server that responds to ARP requests. • ATM forensics is similar.

  21. Link Layer Evidence • Sniffers in promiscuous mode. • Intruders also use sniffers. • Typically monitor traffic to / from compromised system. • Sometimes they monitor themselves coming back to look at the sniffer logs. • Intruders sometimes encrypt their traffic. • But the sniffers still see the packets, they just cannot read them. • Installing sniffers can violate the wire-tapping and other laws and is resource-intensive. • FreeBSD / OpenBSD seem to be the best platforms.

  22. Link Layer Evidence • Sniffer location: • On compromised machine. • Evidence not trustworthy. • Nearby host. • Switched Port Analyzer (SPAN) • Copies network traffic from one switch port to another • Only copy valid ethernet packets. • Do not duplicate all error information. • Copying process has lower priority and some packets might not be mirrored. • Misses out on traffic on the local link.

  23. Link Layer Evidence • Sniffer configuration • Can capture entire frames. • Or only first part. • Tcpdump default setting.

  24. Link Layer Evidence • Some organizations log ARP information. • Routers keep ARP tables. • show ip arp • All hosts keep ARP tables. • DHCP often assigns addresses only to computers with known MAC.

  25. Link Layer Evidence An employee received harassing e-mail from a host on the employer’s network with IP address 192.168.1.65. DHCP server database showed that this IP was assigned to a computer with MAC address 00:00:48:5c:3a:6c. This MAC belonged to a network printer. The router’s ARP table showed that the IP address 192.168.1.65. was used by a computer with MAC 00:30:65:4b:2a:5c. (IP-spoofing) Although this MAC was not on the organization’s list, there were only a few Apple computers on the network and the culprit was soon found.

  26. Link Layer Evidence • Analyze and filter log files: • Keyword searches • E.g. for USER, PASS, login • Nicknames, channel names • Filters • Reconstruction • E.g. contents of web-mail inbox.

  27. Link Layer Evidence NetIntercept Screenshot An example for a Network Forensics / Network Intrusion Detection commercial tool that reveals link layer evidence

  28. ARP Package • RFC 826 • ARP package : • 0-1: Hardware type (0x0001 – Ethernet) • 2-3: Protocol type (0x0800 – IP) • 4: Number of bytes in hardware address (6 for MAC) • 5: Number of bytes in protocol address (4 for IP) • 6-7: Opcode: 1 for ARP request, 2 for an ARP reply • 8-13: Source MAC • 14-17: Source IP • 18-23: Target MAC • 24-27: Target IP

  29. ARP Package Ethereal deassembly of ARP package

  30. Monitoring Tools • Arpwatch • monitors ethernet activity and keeps a database of ethernet/ip address pairings.

  31. Attacks on ARP • Package Generators for various OS. • Allow an attacker to subvert a chosen protocol • hping2 for Windows. • *NIX, XWindows: • packit • http://sourceforge.net/projects/packitgui/ • IP Sorcery • and many, many more. • Use to create arbitrary packages

  32. Attacks on ARP • Switch Flooding • Switches contain a switch address table. • Switch address table associates ports with MAC addresses. • Switch flooding creates many false entries. • Switches fail in two different modes: • Fail open: • Switch converts into a hub. • This allows to monitor traffic through the switch from any port. • Fail closed: • Switch stops functioning. • Denial of Service (DoS) attack

  33. Attacks on ARP • ARP Poisoning: attacker switch victim Outside world router

  34. Attacks on ARP • ARP Poisoning: Attacker configures IP forwarding to send packets to the default router for the LAN attacker switch victim Outside world router

  35. Attacks on ARP • ARP Poisoning: Attacker sends fake ARP to remap default router IP address to his MAC address attacker switch victim Outside world router

  36. Attacks on ARP • ARP Poisoning: Switch now takes packet from victim and forwards it to attacker. attacker switch victim Outside world router

  37. Attacks on ARP • ARP Poisoning: Attackers machine intercepts message for sniffing and sends it back to the switch with the MAC address of router. attacker switch victim Outside world router

  38. Attacks on ARP http://www.watchguard.com/

  39. RARP • RARP (Reverse Address Resolution Protocol) • Used to allow diskless systems to obtain a static IP address. • System requests an IP address from another machine (with its MAC-address). • Responder either uses DNS with name-to-Ethernet address or looks up a MAC to IP ARP table. • Administrator needs to place table in a gateway. • RARP-daemon (RARP-d) responds to RARP requests.

  40. RARP • RARP vulnerability • Use RARP together with ARP spoofing to request an IP address and take part in communications over the network.

  41. RARP Package • Package Format as in ARP: • 0-1: Hardware type (0x0001 – Ethernet) • 2-3: Protocol type (0x0800 – IP) • 4: Number of bytes in hardware address (6 for MAC) • 5: Number of bytes in protocol address (4 for IP) • 6-7: Opcode: 1 for ARP request, 2 for an ARP reply • 8-13: Source MAC • 14-17: Source IP • 18-23: Target MAC • 24-27: Target IP

  42. IP • Uses IP addresses of source and destination. • IP datagrams are moved from hop to hop. • “Best Effort” service. • Corrupted datagrams are detected and dropped.

  43. IP • Addresses contain IP address and port number. • IPv4 addresses are 32 bit longs • IPv6 addresses are 8*16 bits long.

  44. IP: ICMP • Internet Control Message Protocol • Created to deal with non-transient problems. For example • Fragmentation is necessary, but the No Frag flag is set. • UPD datagram sent to a non-listening port. • Ping. • Used to detect network connectivity before it became too useful for attack reconnaissance. • Does not use ports. • Allows broadcasting. • More on ICMP later

  45. IP: ICMP • ICMP error messages should not be sent: • For any but the first fragment. • A source address of broadcast or loopback address. • Are probably malicious, anyway. • Otherwise: ICMP messages could proliferate and throttle a network

  46. IP: ICMP • ICMP errors are not sent: • In response to an ICMP error message. • Otherwise, craft a message with invalid UDP source and destination port. Then watch ICMP ping-pong. • A destination broadcast address. • Don’t answer with destination unreachable for a broadcast. Otherwise, this makes it trivial to scan a network.

  47. Transport Layer: TCP and UDP • Transmission Control Protocol (TCP) • Reliable • Connection-Oriented. • Slow • User Datagram Protocol (UDP) • Unreliable • Connectionless. • Fast.

  48. TCP • Only supports unicasting. • Full duplex connection. • Message numbers to prevent loss of messages.

  49. TCP:Three Way Handshake • Initiator to responder: Syns • Responder to initator: Acks, Synt • Initiator to responder: Ackt • Sets up two connections with initial message numbers s and t.

  50. TCP:Three Way Handshake • 20:13:34.972069 IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: S 2882650416:2882650416(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) • 20:13:34.972487 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1316: S 1012352000:1012352000(0) ack 2882650417 win 32768 <mss 1460> (DF) • 20:13:34.972500 IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: . ack 1 win 17520 (DF) Sequence number Flag Window: number of bytes accepted

More Related