
Network Forensics
COMP 2555: Principles of Computer Forensics
Autumn 2014
http://www.cs.du.edu/2555
L15: Network Forensics

1 Network Forensics Overview

- Network forensics
  - Systematic tracking of incoming and outgoing traffic
  - To ascertain how an attack was carried out or how an event occurred on a network
- Intruders leave a trail behind
- Knowing your network's typical traffic patterns is important
  - Determine the cause of the abnormal traffic
    - Internal bug
    - Attackers

2 Securing a Network

- Layered network defense strategy
  - Sets up layers of protection to hide the most valuable data at the innermost part of the network
  - Deeper resources are difficult to get to
  - More safeguards in place
- Defense in depth (DiD)
  - Similar layered approach developed by the NSA
  - Modes of protection
    - People
    - Technology
    - Operations

3 Securing a Network (contd.)

- Testing networks is as important as testing servers
- You need to be up to date on the latest methods intruders use to infiltrate networks
  - As well as methods internal employees use to sabotage networks
- You should be proactive in this game
  - Ensuring that network activities are normal
  - Having enough data to analyze a compromised network

4 Procedures for Network Forensics

- Computer forensics
  - Work from the image to find what has changed
- Network forensics
  - Restore drives to understand the attack
  - Work on an isolated system
    - Prevents malware from affecting other systems

5 Network Logs

- Record incoming and outgoing traffic
  - Network servers
  - Routers
  - Firewalls
- Tcpdump tool for examining network traffic
  - Can generate top 10 lists
  - Can identify patterns

6 Sample Record in a Network Log

    12:22:41.019630 IP (tos 0x0, ttl 64, id 15979, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 0 (->f0fd)!)
        130.253.190.122.60086 > 74.125.127.102.80: Flags [F.], cksum 0x0b82 (incorrect -> 0xa091), seq 3907206118, ack 447866512, win 65535, options [nop,nop,TS val 677501972 ecr 940801331], length 0
        0x0000:  4500 0034 3e6b 4000 4006 0000 82fd be7a  E..4>k@.@......z
        0x0010:  4a7d 7f66 eab6 0050 e8e3 3be6 1ab1 e690  J}.f...P..;.....
        0x0020:  8011 ffff 0b82 0000 0101 080a 2861 dc14  ............(a..
        0x0030:  3813 7d33                                8.}3

7 Using Network Tools

- Sysinternals
  - A collection of free tools for examining Windows products
  - Examples of the Sysinternals tools:
    - RegMon shows Registry data in real time
    - Process Explorer shows what is loaded
    - Handle shows open files and processes using them
    - Filemon shows file system activity

8 Using Network Tools (contd.)

- Tools from the PsTools suite created by Sysinternals
  - PsExec runs processes remotely
  - PsGetSid displays security identifier (SID)
  - PsKill kills process by name or ID
  - PsList lists details about a process
  - PsLoggedOn shows who's logged on locally
  - PsPasswd changes account passwords
  - PsService controls and views services
  - PsShutdown shuts down and restarts PCs
  - PsSuspend suspends processes

9 Using UNIX/Linux Tools

- Knoppix Security Tools Distribution (STD)
  - Bootable Linux CD intended for computer and network forensics
- Knoppix-STD tools
  - dcfldd - the U.S. DoD dd version
  - memfetch - forces a memory dump
  - photorec - grabs files from a digital camera
  - snort - an intrusion detection system
  - oinkmaster - helps manage your snort rules
  - john - a password cracker
  - chntpw - resets passwords on a Windows PC
  - tcpdump and ethereal - packet sniffers

10 Networking in a Nutshell

[Diagram: two hosts, each running the TCP/IP model stack, exchanging packets]

11 TCP/IP Model

- Application Layer: handles application level communications – how does a FTP client talk to another?
- Transport Layer: packages data so that they can be sent in chunks, application addressing, etc.
- Internet Layer: handles route discovery – how to reach the destination machine?
- Link Layer: moves packets between two hosts over a physical medium

12 A Packet

[Diagram: a packet as nested headers and payloads]

    Link Layer Header | Internet Layer Header | Transport Layer Header | Application Layer Header | Application Data
    - Link Layer Payload: everything after the Link Layer Header
    - Internet Layer Payload: everything after the Internet Layer Header
    - Transport Layer Payload: the Application Layer Header and Application Data

13 Transport Layer Header

[Diagram: a TCP header, one 32-bit word per row]

    Source Port | Destination Port
    Sequence Number
    Acknowledgement Number
    Offset | Reserved | Flags | Window Size
    Checksum | Urgent Pointer
    Options
    Data

14 Internet Layer Header

[Diagram: an IP header, one 32-bit word per row]

    Version | Header Length | Type of Service | Total Length
    Identification | Flags | Fragment Offset
    Time To Live | Protocol | Header Checksum
    Source IP Address
    Destination IP Address
    Options

15 Link Layer Header

[Diagram: an 802.3 frame]

    Preamble | Start-of-Frame-Delimiter | MAC Destination | MAC Source | 802.1Q Header | EthernetType | Link Layer Payload | CRC-32

16 TCP/IP Flags

- Starts at offset 0x0D (14) in the TCP header
- 8 bits: CWR ECE URG ACK PSH RST SYN FIN
- SYN packet has the corresponding bit set
  - Flag = 0b00000010 = 0x02
- SYN/ACK packet
  - Flag = 0b00010010 = 0x12
- ACK packet
  - Flag = 0b00010000 = 0x10

17 TCP/IP Handshake

- Three step process to establish a connection
  - Client sends a SYN packet to the server
  - Server responds with a SYN/ACK packet
  - Client acknowledges receipt of the packet with an ACK packet
  - Connection is established
- Connection stays open until
  - Client sends a FIN packet or a RST packet
  - Connection times out
    - Either side has been silent for a long time

18 SYN Flood Attack

- SYN flood attack
  - A simple denial-of-service attack
  - Attacker initiates the handshake but does not complete it
  - Legitimate clients may have to wait if resources are allocated during the handshaking phase

19 Understanding a TCP/IP Packet

The first line carries the timestamp, the source IP.Port and the destination IP.Port:

    14:49:54.675225 IP (tos 0x0, ttl 64, id 57300, offset 0, flags [DF], proto TCP (6), length 64, bad cksum 0 (->4fdb)!)
        130.253.190.122.56223 > 74.125.127.19.80: Flags [S], cksum 0x7d4a (correct), seq 949075525, win 65535, options [mss 1460,nop,wscale 3,nop,nop,TS val 553564903 ecr 0,sackOK,eol], length 0
        0x0000:  4500 0040 dfd4 4000 4006 0000 82fd be7a  E..@..@.@......z
        0x0010:  4a7d 7f13 db9f 0050 3891 be45 0000 0000  J}.....P8..E....
        0x0020:  b002 ffff 7d4a 0000 0204 05b4 0103 0303  ....}J..........
        0x0030:  0101 080a 20fe bae7 0000 0000 0402 0000  ................

20 Understanding a TCP/IP Packet (contd.)

Annotations on the packet from slide 19 (the dump is the same):

- IP version: the first hex digit of the dump (4)
- IP header length: the second hex digit (5), in number of 32-bit words
  - Size = 5 x 32 = 160 bits = 20 bytes
- TCP header size (in number of 32-bit words): the first hex digit at 0x0020 (b = 11)
  - Size = 11 x 4 = 44 bytes

21 Understanding a TCP/IP Packet (contd.)

First step of the handshake (same packet as on slide 19):

- Sequence number: randomly generated initially (seq 949075525)
- TCP header
  - Offset 0x0D: Flags 0x02 = 00000010
- This is a SYN packet sent from 130.253.190.122 to Google while opening gmail.com

22 Understanding a TCP/IP Packet (contd.)

Second step of the handshake: SYN/ACK from Google in response to the SYN packet

- Acknowledgment number: seq. no. in the SYN packet + 1
- TCP header
  - Offset 0x0E: Flags 0x12 = 00010010

    14:49:54.713335 IP (tos 0x0, ttl 51, id 43889, offset 0, flags [none], proto TCP (6), length 60)
        74.125.127.19.80 > 130.253.190.122.56223: Flags [S.], cksum 0x363e (correct), seq 3167645671, ack 949075526, win 5672, options [mss 1380,sackOK,TS val 1190383227 ecr 553564903,nop,wscale 6], length 0
        0x0000:  4500 003c ab71 0000 3306 d142 4a7d 7f13  E..<.q..3..BJ}..
        0x0010:  82fd be7a 0050 db9f bcce 6fe7 3891 be46  ...z.P....o.8..F
        0x0020:  a012 1628 363e 0000 0204 0564 0402 080a  ...(6>.....d....
        0x0030:  46f3 ce7b 20fe bae7 0103 0306            F..{........

23 Understanding a TCP/IP Packet (contd.)

Third step of the handshake: ACK from 130.253.190.122 to Google

- Acknowledgment number: seq. no. in the SYN/ACK packet + 1
- TCP header
  - Offset 0x0E: Flags 0x10 = 00010000

    14:49:54.713699 IP (tos 0x0, ttl 64, id 32705, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 0 (->affa)!)
        130.253.190.122.56223 > 74.125.127.19.80: Flags [.], cksum 0x7ae1 (correct), seq 949075526, ack 3167645672, win 65535, options [nop,nop,TS val 553564903 ecr 1190383227], length 0
        0x0000:  4500 0034 7fc1 4000 4006 0000 82fd be7a  E..4..@.@......z
        0x0010:  4a7d 7f13 db9f 0050 3891 be46 bcce 6fe8  J}.....P8..F..o.
        0x0020:  8010 ffff 7ae1 0000 0101 080a 20fe bae7  ....z...........
        0x0030:  46f3 ce7b                                F..{
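
Added example, not part of the lecture: a Python parser that rebuilds the three handshake packets above from their tcpdump hex-dump lines (copied from the slides) and pulls out the fields the annotations point at: IP version and header length, TCP data offset, the flags byte, and the sequence and acknowledgment numbers. It also recomputes the IP header checksum, which is the value tcpdump prints after "bad cksum 0 (->" for the two outbound packets; a zero checksum on a packet captured on the sending host usually means the NIC fills it in later (checksum offloading). The function names are this example's own.

```python
import re
# Constructed input: the three handshake packets from the lecture's tcpdump -X
# output, concatenated; a packet starts at each 0x0000 line, ASCII column ignored.
HANDSHAKE_DUMP = """
0x0000: 4500 0040 dfd4 4000 4006 0000 82fd be7a E..@..@.@......z
0x0010: 4a7d 7f13 db9f 0050 3891 be45 0000 0000 J}.....P8..E....
0x0020: b002 ffff 7d4a 0000 0204 05b4 0103 0303 ....}J..........
0x0030: 0101 080a 20fe bae7 0000 0000 0402 0000 ................
0x0000: 4500 003c ab71 0000 3306 d142 4a7d 7f13 E..<.q..3..BJ}..
0x0010: 82fd be7a 0050 db9f bcce 6fe7 3891 be46 ...z.P....o.8..F
0x0020: a012 1628 363e 0000 0204 0564 0402 080a ...(6>.....d....
0x0030: 46f3 ce7b 20fe bae7 0103 0306 F..{........
0x0000: 4500 0034 7fc1 4000 4006 0000 82fd be7a E..4..@.@......z
0x0010: 4a7d 7f13 db9f 0050 3891 be46 bcce 6fe8 J}.....P8..F..o.
0x0020: 8010 ffff 7ae1 0000 0101 080a 20fe bae7 ....z...........
0x0030: 46f3 ce7b F..{
"""
HEX = re.compile(r"^\s*(0x[0-9a-f]{4}):((?:\s+[0-9a-f]{4}(?=\s|$)){1,8})", re.I)

def split_dump(dump):
    """One bytes object per packet from concatenated tcpdump -X lines."""
    packets, words = [], []
    for m in filter(None, map(HEX.match, dump.strip().splitlines())):
        if m.group(1) == "0x0000" and words:      # next packet begins
            packets.append(bytes.fromhex("".join(words)))
            words = []
        words.extend(m.group(2).split())
    return packets + [bytes.fromhex("".join(words))]

def ip_checksum(header):
    """RFC 1071 one's-complement sum of the IP header with its checksum field zeroed."""
    words = [int.from_bytes(header[i:i + 2], "big") for i in range(0, len(header), 2)]
    total = sum(words) - words[5]                # word 5 holds the stored checksum
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse(raw):
    """Fields the slides annotate: IP version/IHL, total length, TCP offset, flags, seq/ack."""
    ihl = (raw[0] & 0x0F) * 4
    tcp = raw[ihl:]
    return {"ip_version": raw[0] >> 4, "ip_header_len": ihl,
            "ip_total_len": int.from_bytes(raw[2:4], "big"),
            "ip_checksum": ip_checksum(raw[:ihl]),   # tcpdump's "bad cksum 0 (->xxxx)" value
            "tcp_header_len": (tcp[12] >> 4) * 4, "flags": tcp[13],  # flags: offset 0x0D
            "seq": int.from_bytes(tcp[4:8], "big"), "ack": int.from_bytes(tcp[8:12], "big")}

def is_valid_handshake(syn, synack, ack):
    """SYN, SYN/ACK, ACK flag bytes plus the seq/ack arithmetic the slides walk through."""
    return (syn["flags"] == 0x02 and synack["flags"] == 0x12 and ack["flags"] == 0x10
            and synack["ack"] == syn["seq"] + 1 == ack["seq"] and ack["ack"] == synack["seq"] + 1)
```

Running `is_valid_handshake(*[parse(p) for p in split_dump(HANDSHAKE_DUMP)])` on the slide's three packets returns True; the recomputed checksums 0x4fdb and 0xaffa match the values tcpdump suggested for the two outbound packets.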


24 Exercise

- Open coursesite.pcap (download from the course website) in Wireshark
  - https://www.wireshark.org/download.html
- This is a capture of a session where a browser was used to open our course website
- Understand the communication going between the client and the web server
  - Use Statistics > Flow Graph
  - Choose TCP flow
  - What is going on with the Seq./Ack. numbers?

25 Using Port Scanners

- A port is an endpoint of communication in a network
  - Much like an electrical socket
    - Appliances are plugged into it
  - One machine connects to another through an open port
- Port scanners allow an investigator to determine which ports are open on a remote system (or the local system)
- Unusual open ports may be indicative of suspicious activity
  - A rootkit allowing remote access to the system
- Tools
  - Netcat
  - Portqry
  - Nmap

26 Using Port Scanners (contd.)

- Port scanning involves
  - Sending a SYN packet to a system at a port number
  - If the port is open (a server is waiting for connections on the port), the server will respond with a SYN/ACK packet
  - Send the ACK packet, followed by a FIN packet to terminate the connection
- All discovered open ports must be accounted for
  - Which software is listening on which port
- Banner grabbing
  - Send a legitimate request at the identified port after successful handshaking
  - Elicits a response having information about the kind of service running at that port

27 Using Port Scanners (contd.)

- Stealth scanning
  - Follows the steps of a regular port scan, but instead of sending an ACK packet, the scanner sends a RST packet
    - Server immediately terminates the TCP connection upon receipt of an RST packet
  - Stealthy because most systems log incoming connection requests only when all three steps of the handshake complete

28 Using Nmap

- Network mapper utility for network exploration or security auditing
- Includes
  - Port scanning
  - OS detection
  - Service detection
  - Version detection
- Available for almost all popular operating systems
- www.nmap.org

29 Using Nmap (contd.)

- Some options
  - -sT : a regular SYN scan
  - -sS : a stealth scan
  - -sV : attempt to identify service
  - -O : attempt to identify OS
  - -p <range> : scan ports specified in range
    - E.g. -p 1-1024,1078,1090
  - -v : verbose mode
  - -P0 : do not ping hosts before scanning
  - -sF, -sN, -sX : FIN scan, null scan, Christmas scan
  - -sA : ACK scan
  - And many more: see http://nmap.org/bennieston-tutorial/

30 Using Nmap (contd.)

- -sF, -sX, -sN
  - Scanning using SYN packets may not work if an IDS is in place
  - Closed ports will send a RST back
  - Open ports will drop these packets since they are waiting for SYN packets
  - MS Windows will drop even if the port is closed
    - Combined with a regular scan, you can know there is likely a Windows machine on the other side
- -sA
  - Is the firewall stateless (just blocking incoming SYN packets) or stateful (tracks the connections)?
  - A RST packet in reply points at a stateless firewall

31 Using Packet Sniffers

- Packet sniffers
  - Devices or software that monitor network traffic
  - Log (capture) incoming and outgoing packets
  - See what various systems are "saying" to each other
  - Most tools follow the PCAP format to store the data
- Tools
  - Tcpdump
  - Windump
  - Netcap
  - Wireshark (previously known as Ethereal)

32 Using Packet Sniffers (contd.)

- Captured packets can reveal who has connected to an identified Trojan in a system
  - Including the commands and data exchanged through the Trojan
  - Useful, in general, to see who is making connections to your system
- Captured packets can reveal the entire communication sequence between two systems
- Too many initiated connections without any data exchange
  - Perhaps someone is trying a port scan!
  - SYN flood attack

33 Analyzing Packet Traces

- Packet sniffers will log packets; analyzing them to obtain useful information is your task
- FTP traffic capture
  - What is the name and version of the FTP server?
  - What password was used during an anonymous login?
  - What files were transferred?
  - What are the contents of those files?
- Netcat traffic capture
  - Netcat is a flexible utility that facilitates reading/writing data using TCP/UDP network connections
  - What port is the netcat listener running on?
  - What commands were issued?
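
Added example, not from the lecture: detection logic in Python for the pattern slides 27 and 32 describe, a source that sends SYNs to many ports on one host but never completes a handshake or sends payload. The tcpdump-style lines, hosts and function names are constructed for this example; a real capture would be fed in as the same one-line summaries.

```python
import re
from collections import defaultdict

# Constructed sample in "tcpdump -n" one-line form (hosts are hypothetical).
# 10.0.0.5 probes five ports on 10.0.0.9 the stealth way (SYN, SYN/ACK, then RST);
# 10.0.0.7 makes one real connection (SYN, SYN/ACK, ACK, then a data segment).
SAMPLE_LOG = """
12:00:01.000100 IP 10.0.0.5.40001 > 10.0.0.9.22: Flags [S], seq 1, win 1024, length 0
12:00:01.000200 IP 10.0.0.9.22 > 10.0.0.5.40001: Flags [S.], seq 500, ack 2, win 5840, length 0
12:00:01.000300 IP 10.0.0.5.40001 > 10.0.0.9.22: Flags [R], seq 2, win 0, length 0
12:00:01.000400 IP 10.0.0.5.40002 > 10.0.0.9.25: Flags [S], seq 1, win 1024, length 0
12:00:01.000500 IP 10.0.0.9.25 > 10.0.0.5.40002: Flags [R.], seq 0, ack 2, win 0, length 0
12:00:01.000600 IP 10.0.0.5.40003 > 10.0.0.9.80: Flags [S], seq 1, win 1024, length 0
12:00:01.000700 IP 10.0.0.9.80 > 10.0.0.5.40003: Flags [S.], seq 700, ack 2, win 5840, length 0
12:00:01.000800 IP 10.0.0.5.40003 > 10.0.0.9.80: Flags [R], seq 2, win 0, length 0
12:00:01.000900 IP 10.0.0.5.40004 > 10.0.0.9.139: Flags [S], seq 1, win 1024, length 0
12:00:01.001000 IP 10.0.0.5.40005 > 10.0.0.9.443: Flags [S], seq 1, win 1024, length 0
12:00:02.000100 IP 10.0.0.7.51000 > 10.0.0.9.80: Flags [S], seq 10, win 65535, length 0
12:00:02.000200 IP 10.0.0.9.80 > 10.0.0.7.51000: Flags [S.], seq 900, ack 11, win 5840, length 0
12:00:02.000300 IP 10.0.0.7.51000 > 10.0.0.9.80: Flags [.], seq 11, ack 901, win 65535, length 0
12:00:02.000400 IP 10.0.0.7.51000 > 10.0.0.9.80: Flags [P.], seq 11:131, ack 901, win 65535, length 120
"""
LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\].*length (\d+)")

def connection_summary(log):
    """Per (client, server, server port): did the client finish the handshake, and how much payload did it send?"""
    conns = {}
    for m in filter(None, map(LINE.search, log.strip().splitlines())):
        src, sport, dst, dport, flags, length = m.groups()
        key = (src, dst, int(dport))
        if "S" in flags and "." not in flags:          # SYN without ACK: a client opening a connection
            conns[key] = {"completed": False, "bytes": 0}
        elif key in conns:                             # later client -> server segments
            if flags == ".":                           # bare ACK: third step of the handshake
                conns[key]["completed"] = True
            conns[key]["bytes"] += int(length)
    return conns

def find_scanners(log, min_ports=5):
    """Clients that sent SYNs to many ports on one host but never completed a handshake
    or sent payload: slide 32's "too many initiated connections without any data exchange"."""
    probes = defaultdict(set)
    for (src, dst, dport), c in connection_summary(log).items():
        if not c["completed"] and c["bytes"] == 0:
            probes[(src, dst)].add(dport)
    return {pair: sorted(ports) for pair, ports in probes.items() if len(ports) >= min_ports}
```

A SYN flood against a single port shows up in the same summary as many incomplete entries with the same server port rather than many distinct ports, so the threshold would be on entry count instead.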

34 Analyzing Packet Traces (contd.)

- IIS traffic capture
  - Microsoft Internet Information Services web server
  - What version of IIS is running?
  - What browser and OS is a client using?
  - What commands were sent by the browser?
  - Is there any known vulnerability that is being exploited?
- Nmap traffic capture
  - What type of nmap scan was run?
  - Which system(s) is (are) being scanned?
- Let's look at some examples using Wireshark!

35 The Honeynet Project

- Attempt to thwart Internet and network hackers
- Provides information about attack methods
- Objectives
  - Awareness: threats do exist out there
  - Information: how do attackers operate and how to protect against their tactics
  - Tools: methods to protect resources

36 The Honeynet Project (contd.)

- Distributed denial-of-service (DDoS) attacks
  - A recent major threat
  - Hundreds or even thousands of machines (zombies) can be used
- Zero day attacks
  - Another major threat
  - Attackers look for holes in networks and OSs and exploit these weaknesses before patches are available
- Honeypot
  - Normal looking computer that lures attackers to it
- Honeywalls
  - Monitor what's happening to honeypots on your network and record what attackers are doing

37 References

- Ch 11: B. Nelson, A. Phillips and C. Steuart, Guide to Computer Forensics and Investigations. ISBN: 978-1-435-49883-9