Network Forensics 15
Network Forensics
COMP 2555: Principles of Computer Forensics
Autumn 2014
http://www.cs.du.edu/2555

Network forensics
! Network forensics
  ! Systematic tracking of incoming and outgoing traffic
  ! To ascertain how an attack was carried out or how an event occurred on a network
  ! Intruders leave a trail behind
! Knowing your network's typical traffic patterns is important
  ! Determine the cause of the abnormal traffic
    ! Internal bug
    ! Attackers

Sysinternals
! A collection of free tools for examining Windows products
! Examples of the Sysinternals tools:
  ! RegMon shows Registry data in real time
  ! Process Explorer shows what is loaded
  ! Handle shows open files and processes using them
  ! Filemon shows file system activity

Example packet as printed by tcpdump (verbose, with hex dump):
12:22:41.019630 IP (tos 0x0, ttl 64, id 15979, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 0 (->f0fd)!)
    130.253.190.122.60086 > 74.125.127.102.80: Flags [F.], cksum 0x0b82 (incorrect -> 0xa091), seq 3907206118, ack 447866512, win 65535, options [nop,nop,TS val 677501972 ecr 940801331], length 0
    0x0000:  4500 0034 3e6b 4000 4006 0000 82fd be7a  E..4>k@.@......z
    0x0010:  4a7d 7f66 eab6 0050 e8e3 3be6 1ab1 e690  J}.f...P..;.....
    0x0020:  8011 ffff 0b82 0000 0101 080a 2861 dc14  ............(a..
    0x0030:  3813 7d33                                8.}3
L15: Network Forensics
PsTools
! Tools from PsTools suite created by Sysinternals
  ! PsExec runs processes remotely
  ! PsGetSid displays security identifier (SID)
  ! PsKill kills process by name or ID
  ! PsList lists details about a process
  ! PsLoggedOn shows who's logged locally
  ! PsPasswd changes account passwords
  ! PsService controls and views services
  ! PsShutdown shuts down and restarts PCs
  ! PsSuspend suspends processes

Knoppix STD
! Knoppix Security Tools Distribution (STD)
  ! Bootable Linux CD intended for computer and network forensics
! Knoppix-STD tools
  ! dcfldd - the U.S. DoD dd version
  ! memfetch - forces a memory dump
  ! photorec - grabs files from a digital camera
  ! snort - an intrusion detection system
  ! oinkmaster - helps manage your snort rules
  ! john - a password cracker
  ! chntpw - resets passwords on a Windows PC

Networking in a Nutshell

TCP/IP Model
[Figure: TCP/IP model and header layouts]
! Layers, outermost first: Link Layer, Internet Layer, Transport Layer, Application Layer; each layer's header is followed by the payload of the layer above it (Link Layer Payload = Internet Layer header + Internet Layer Payload, and so on down to Application Data)
! Internet Layer: handles route discovery – how to reach the destination machine?
! TCP header fields shown: Sequence Number, Acknowledgement Number, Offset, Reserved, Flags, Window Size, Checksum, Urgent Pointer, Options
! IP header fields shown: Version, Header Length, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time To Live, Protocol, Header Checksum, Source IP Address, Destination IP Address, Options
! Ethernet frame fields shown: Preamble, Start-of-Frame-Delimiter, MAC Destination, MAC Source, 802.1Q Header, EthernetType, Link Layer Payload, CRC-32
TCP flags
! Starts at offset 0x0D (14) in the TCP header
! 8 bits: CWR ECE URG ACK PSH RST SYN FIN
! SYN packet has the corresponding bit set
  ! Flag = 0b00000010 = 0x02
! SYN/ACK packet
  ! Flag = 0b00010010 = 0x12
! ACK packet
  ! Flag = 0b00010000 = 0x10

TCP connections
! Three step process to establish a connection
  ! Client sends a SYN packet to the server
  ! Server responds with a SYN/ACK packet
  ! Client acknowledges receipt of the packet with an ACK packet
  ! Connection is established
! Connection stays open until
  ! Client sends a FIN packet or a RST packet
  ! Connection times out
    ! Either side has been silent for a long time
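As an added worked example (not from the course slides), the following Python decodes the packet from the tcpdump hex dump above: it pulls out the sequence and acknowledgement numbers, names the bits set in the flags byte at TCP offset 13 (0x11 here, ACK+FIN, which tcpdump prints as [F.]), and recomputes the IP and TCP checksums that tcpdump reported as 0xf0fd and 0xa091. The packet bytes are copied from the slide; the function names and the dictionary layout are my own.

```python
import struct

# Constructed from the tcpdump hex dump on the slide: the 52-byte IPv4/TCP packet.
PACKET = bytes.fromhex(
    "4500 0034 3e6b 4000 4006 0000 82fd be7a "
    "4a7d 7f66 eab6 0050 e8e3 3be6 1ab1 e690 "
    "8011 ffff 0b82 0000 0101 080a 2861 dc14 "
    "3813 7d33"
)
# TCP flags byte, most significant bit first: CWR ECE URG ACK PSH RST SYN FIN
FLAG_NAMES = ["CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"]


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"  # pad an odd trailing byte to a full 16-bit word
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_packet(pkt: bytes) -> dict:
    """Decode IPv4 + TCP headers and recompute the checksums tcpdump flagged."""
    ihl = (pkt[0] & 0x0F) * 4                      # IPv4 header length in bytes
    total_len = struct.unpack("!H", pkt[2:4])[0]
    src_ip, dst_ip = pkt[12:16], pkt[16:20]
    tcp = pkt[ihl:total_len]
    src_port, dst_port, seq, ack = struct.unpack("!HHII", tcp[:12])
    flags = tcp[13]                                 # flags byte at TCP offset 13
    # IP checksum: header with its checksum field (bytes 10-11) zeroed.
    ip_hdr = pkt[:10] + b"\x00\x00" + pkt[12:ihl]
    # TCP checksum: pseudo-header (addresses, zero, protocol, TCP length)
    # followed by the segment with its checksum field (bytes 16-17) zeroed.
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, pkt[9], len(tcp))
    tcp_zeroed = tcp[:16] + b"\x00\x00" + tcp[18:]
    return {
        "src": ".".join(map(str, src_ip)) + f".{src_port}",
        "dst": ".".join(map(str, dst_ip)) + f".{dst_port}",
        "seq": seq,
        "ack": ack,
        "flags": [n for i, n in enumerate(FLAG_NAMES) if flags & (0x80 >> i)],
        "ip_cksum_in_packet": struct.unpack("!H", pkt[10:12])[0],
        "ip_cksum_expected": internet_checksum(ip_hdr),
        "tcp_cksum_in_packet": struct.unpack("!H", tcp[16:18])[0],
        "tcp_cksum_expected": internet_checksum(pseudo + tcp_zeroed),
    }
```

A zero IP checksum and an "incorrect" TCP checksum on an outbound packet captured on the sending host are the usual signature of checksum offloading to the NIC rather than tampering, so recompute before reading anything into them.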
Exercise: coursesite.pcap
! Open coursesite.pcap (download from the course website) in Wireshark
  ! https://www.wireshark.org/download.html
! This is a capture of a session where a browser was used to open our course website
! Understand the communication going between the client and the web server
  ! Use Statistics > Flow Graph
  ! Choose TCP flow
! What is going on with the Seq./Ack. numbers?

Ports
! A port is an endpoint of communication in a network
  ! Much like an electrical socket
    ! Appliances are plugged into it
  ! One machine connects to another through an open port
! Port scanners allow an investigator to determine which ports are open on a remote system (or the local system)
! Unusual open ports may be indicative of suspicious activity
  ! A rootkit allowing remote access to the system
! Tools
  ! Netcat
What captured packets reveal
! Captured packets can reveal who has connected to an identified Trojan in a system
  ! Including the commands and data exchanged through the Trojan
  ! Useful, in general, to see who is making connections to your system
! Captured packets can reveal the entire communication sequence between two systems
! Too many initiated connections without any data exchange
  ! Perhaps someone is trying a port scan!
  ! SYN flood attack

Exercises: packet sniffer captures
! Packet sniffers will log packets; analyzing them to obtain useful information is your task
! FTP traffic capture
  ! What is the name and version of the FTP server?
  ! What password was used during an anonymous login?
  ! What files were transferred?
  ! What are the contents of those files?
! Netcat traffic capture
  ! Netcat is a flexible utility that facilitates reading/writing data using TCP/UDP network connections
  ! What port is the netcat listener running on?
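An added example (not from the slides) of the "too many initiated connections without any data exchange" heuristic: it walks constructed tcpdump-style records, counts per source host how many SYNs never led to a flow that carried data, and labels a source hitting many distinct ports as a port scan candidate and one hammering a single port as a SYN flood candidate. The sample records, thresholds and function names are my assumptions.

```python
from collections import defaultdict

# Constructed sample of TCP activity in tcpdump style: (time, src, dst, flags)
# with "S" = SYN, "S." = SYN/ACK, "." = ACK, "P." = PSH/ACK.
SAMPLE = [
    ("12:22:40.001", "10.0.0.5.40001", "10.0.0.9.80", "S"),   # normal session
    ("12:22:40.002", "10.0.0.9.80", "10.0.0.5.40001", "S."),
    ("12:22:40.003", "10.0.0.5.40001", "10.0.0.9.80", "."),
    ("12:22:40.004", "10.0.0.5.40001", "10.0.0.9.80", "P."),  # data exchanged
    ("12:22:41.100", "10.0.0.7.51000", "10.0.0.9.21", "S"),   # SYNs to many ports,
    ("12:22:41.101", "10.0.0.7.51001", "10.0.0.9.22", "S"),   # never any data
    ("12:22:41.102", "10.0.0.7.51002", "10.0.0.9.23", "S"),
    ("12:22:41.103", "10.0.0.7.51003", "10.0.0.9.25", "S"),
    ("12:22:41.104", "10.0.0.7.51004", "10.0.0.9.80", "S"),
]


def split_endpoint(ep):
    """'a.b.c.d.port' -> ('a.b.c.d', port), as tcpdump prints endpoints."""
    host, _, port = ep.rpartition(".")
    return host, int(port)


def connection_summary(records):
    """Per source host: SYNs sent, flows that later carried data, ports targeted."""
    syn_flows = defaultdict(set)   # src host -> {(src endpoint, dst endpoint)}
    data_flows = set()             # client-side flows that pushed data
    for _, src, dst, flags in records:
        if flags == "S":
            syn_flows[split_endpoint(src)[0]].add((src, dst))
        elif "P" in flags:
            data_flows.add((src, dst))
    return {
        host: {
            "syns": len(flows),
            "with_data": len(flows & data_flows),
            "distinct_ports": len({split_endpoint(dst)[1] for _, dst in flows}),
        }
        for host, flows in syn_flows.items()
    }


def suspicious_sources(records, min_syns=5, ratio=0.8):
    """Hosts whose SYNs mostly led nowhere: many ports -> scan, one port -> flood."""
    out = {}
    for host, s in connection_summary(records).items():
        idle = (s["syns"] - s["with_data"]) / s["syns"]
        if s["syns"] >= min_syns and idle >= ratio:
            out[host] = "port scan" if s["distinct_ports"] > 1 else "SYN flood"
    return out
```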
Other threats
! Distributed denial-of-service (DDoS) attacks
  ! A recent major threat
  ! Hundreds or even thousands of machines (zombies) can be used
! Zero day attacks
  ! Another major threat
  ! Attackers look for holes in networks and OSs and exploit these weaknesses before patches are available
! Honeypot
  ! Normal looking computer that lures attackers to it
  ! Honeywalls

Reading
! Ch 11: B. Nelson, A. Phillips and C. Steuart, Guide to Computer Forensics and Investigations. ISBN: 978-1-435-49883-9