Transcript: Router Investigation

COEN 252: Computer Forensics
Router Investigation
Significance of Routers

Targets of attacks, esp. DoS.
Stepping stones for attacks.
Routers store:
  Passwords
  Routing tables
  Network block information
Tools for investigation.
Characteristics of Routers

Have little storage.
Use Non-Volatile RAM (NVRAM)
  Saves configuration files
Use normal RAM
  Most information comes from logs or is volatile:
    Current routing tables
    Listening services
    Current passwords
Forensic exam needs to get the volatile data!
Gather Volatile Router Data

Connect to console port.
  Need cable and laptop with terminal emulation software.
Gather Volatile Data:
  Record system time.
  Determine who is logged on.
  Determine the uptime and other data on the router since last boot-up.
  Determine listening sockets.
    Routers run a few services, such as telnet, that are potential vulnerabilities.
    Listing the listening sockets shows all current services that might be vulnerable.
    For example, port 80 (http) is often used for router administration, but port 80 is not normally protected by a firewall.
  Save the router configuration.
  Review the routing table.
    This detects malicious static routes:
      Modified by attacker at the router.
      Modified with Routing Information Protocol (RIP) spoofing.
  Check the interface configuration.
    Lots of easy to read data.
  View the ARP cache.
    Evidence for IP or MAC spoofing.
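As an added example, not part of the lecture, the Python script below triages the volatile data that the checklist above collects over the console. It works on constructed captures (sample values, not from a real device, with simplified layouts) modelled on the Cisco IOS commands `show ip route`, `show startup-config`, `show ip arp` and `show control-plane host open-ports`, which are the assumed sources. It stamps the collection time, reports static routes that are present in the live routing table but absent from the saved NVRAM configuration, hardware addresses that answer for more than one IP address in the ARP cache, and listening sockets that belong to the cleartext or unauthenticated services the lecture names.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed sample captures, modelled on Cisco IOS output; not from a real device.
SHOW_IP_ROUTE = """\
Codes: C - connected, S - static, R - RIP, * - candidate default
Gateway of last resort is 10.0.0.1 to network 0.0.0.0

S*   0.0.0.0/0 [1/0] via 10.0.0.1
C    10.0.0.0/24 is directly connected, FastEthernet0/0
S    192.168.50.0/24 [1/0] via 10.0.0.99
R    172.16.0.0/16 [120/1] via 10.0.0.2, 00:00:12, FastEthernet0/0
"""
# Static routes recorded in the saved (NVRAM) configuration.
STARTUP_CONFIG = """\
ip route 0.0.0.0 0.0.0.0 10.0.0.1
"""
SHOW_IP_ARP = """\
Protocol  Address     Age (min)  Hardware Addr   Type  Interface
Internet  10.0.0.1            -  0011.2233.4455  ARPA  FastEthernet0/0
Internet  10.0.0.2           12  0011.2233.4466  ARPA  FastEthernet0/0
Internet  10.0.0.99           3  0011.2233.4466  ARPA  FastEthernet0/0
"""
OPEN_PORTS = """\
Prot  Local Address  Foreign Address  Service     State
tcp   *:22           *:0              SSH-Server  LISTEN
tcp   *:23           *:0              Telnet      LISTEN
tcp   *:80           *:0              HTTP CORE   LISTEN
udp   *:161          *:0              IP SNMP     LISTEN
"""

# Services the lecture names as cleartext or unauthenticated attack points.
RISKY_PORTS = {("tcp", 23): "telnet", ("tcp", 80): "http",
               ("udp", 69): "tftp", ("udp", 161): "snmp"}

ROUTE_RE = re.compile(r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+/\d+)\s+(.*)$")
STATIC_CFG_RE = re.compile(r"^ip route (\S+) (\S+) (\S+)")
ARP_RE = re.compile(r"^Internet\s+(\S+)\s+\S+\s+([0-9a-f.]+)\s+\S+\s+(\S+)")
PORT_RE = re.compile(r"^\s*(tcp|udp)\s+\S+:(\d+)\s+\S+\s+(.*?)\s+LISTEN\s*$")

def parse_routes(text):
    """Return (code, prefix, next_hop) for each route line of 'show ip route'."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            code, prefix, rest = m.groups()
            via = re.search(r"via (\d+\.\d+\.\d+\.\d+)", rest)
            routes.append((code, prefix, via.group(1) if via else None))
    return routes

def configured_static_routes(config):
    """Static routes saved in NVRAM, normalised from dotted mask to prefix length."""
    saved = set()
    for line in config.splitlines():
        m = STATIC_CFG_RE.match(line)
        if m:
            net, mask, _next_hop = m.groups()
            saved.add(ipaddress.ip_network(f"{net}/{mask}").with_prefixlen)
    return saved

def unsaved_static_routes(route_text, config):
    """Static routes in the live table that the saved configuration does not contain."""
    saved = configured_static_routes(config)
    return [r for r in parse_routes(route_text)
            if r[0].startswith("S") and r[1] not in saved]

def shared_mac_entries(arp_text):
    """Hardware addresses that answer for more than one IP: a lead for spoofing."""
    by_mac = {}
    for line in arp_text.splitlines():
        m = ARP_RE.match(line)
        if m:
            ip, mac, iface = m.groups()
            by_mac.setdefault(mac, []).append((ip, iface))
    return {mac: hosts for mac, hosts in by_mac.items() if len(hosts) > 1}

def risky_listeners(ports_text):
    """Listening sockets that belong to cleartext or unauthenticated services."""
    found = []
    for line in ports_text.splitlines():
        m = PORT_RE.match(line)
        if m and (m.group(1), int(m.group(2))) in RISKY_PORTS:
            found.append((m.group(1), int(m.group(2)), m.group(3)))
    return found

def triage(route_text, config, arp_text, ports_text):
    """Bundle the checks, stamped with the time the examiner collected the data."""
    return {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "unsaved_static_routes": unsaved_static_routes(route_text, config),
        "shared_mac_entries": shared_mac_entries(arp_text),
        "risky_listeners": risky_listeners(ports_text),
    }

if __name__ == "__main__":
    for key, value in triage(SHOW_IP_ROUTE, STARTUP_CONFIG, SHOW_IP_ARP, OPEN_PORTS).items():
        print(f"{key}: {value}")
```

A shared hardware address is a lead, not proof: a host with several addresses on one interface legitimately shows the same MAC, so compare the finding against the interface configuration before concluding spoofing. Static routes entered at the console live only in RAM, which is why the running table is compared with the saved configuration and why the collection time is recorded before anything else is touched.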
Incident Investigation

Direct Compromise
Routing Table Manipulation
Theft of Information
Denial of Service
Incident Investigation: Direct Compromise

Many ways to access a router.
  Telnet, SSH, SMTP, …
  Physical access.
  Modem access.
Listening services.
  Investigate via listening services.
  Provide potential attack points.
Password guessing.
Passwords:
  Password cracking.
  Stealing from configuration files.
  Sniffing from the net (snmp, telnet, HTTP, TFTP).
Console access:
  Reboot to get access.
Modem:
  Last user did not log off.
TFTP:
  Used to store and reload configuration files.
  UDP, no security.
  Attacker scans the network for a router and TFTP server, then guesses the configuration file name and receives it via TFTP. This gives all passwords needed to access the router.
  Alternatively, a changed configuration file is placed on the TFTP server and takes effect at the next network reload.
Incident Investigation: Routing Table Manipulations

Routers use a variety of protocols to update their routing tables:
  RIP
  Open Shortest Path First (OSPF)
  Enhanced Interior Gateway Routing Protocol (EIGRP)
  Interior Gateway Routing Protocol (IGRP)
Some have no authentication!
Review routing table with “show ip route”.
For recovery:
  Remove static routing entries.
  Reboot router.
  Switch to authenticating router updates. (Easier said than done.)
Incident Investigation: Theft of Information

Routers contain network topology and access control.
For recovery:
  Change all passwords.
  Avoid password reuse.
Incident Investigation: DoS

Destruction of router’s capability to function.
Resource consumption reduces functionality of router.
Bandwidth consumption overwhelms the network bandwidth.
Recovery:
  Elimination of listening services.
  Upgrade of software.
  Access restriction.
  Authentication.
Router Authentication

Routers use Access Control Lists (ACL).
Restrict traffic based on packet attributes:
  Protocol
  Source / Destination IP address
  Port
  TCP flag
  ICMP message type
  Time of day

Routers as Monitors

Can log traffic based on ACL.
Logs stored at a remote site.
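An added example, not from the lecture, for the two slides above: a small Python model of ACL evaluation that matches on every attribute the list names (protocol, source and destination address, port, TCP flag through an "established" check on the ACK bit, ICMP message type, time of day) and produces the log lines a router would forward to a remote collector when a logged rule fires. The rule set, addresses and probe packets are constructed for illustration; first-match-wins order with an implicit trailing deny and ten-step sequence numbers follow the common router ACL model and are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from datetime import time
from typing import FrozenSet, Optional, Tuple

@dataclass
class Packet:
    proto: str                             # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    flags: FrozenSet[str] = frozenset()    # TCP flags, e.g. {"SYN"} or {"ACK"}
    icmp_type: Optional[int] = None
    at: time = time(12, 0)                 # time of day the packet arrived

@dataclass
class Rule:
    action: str                            # "permit" or "deny"
    proto: str = "ip"                      # "ip" matches every protocol
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    established: bool = False              # only TCP packets with ACK set (replies)
    icmp_type: Optional[int] = None
    window: Optional[Tuple[time, time]] = None  # rule active only between these times
    log: bool = False                      # emit a log line when this rule fires

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.established and not (p.proto == "tcp" and "ACK" in p.flags):
            return False
        if self.icmp_type is not None and p.icmp_type != self.icmp_type:
            return False
        if self.window and not (self.window[0] <= p.at <= self.window[1]):
            return False
        return True

def evaluate(acl, packet, logbook):
    """First matching rule wins; no match falls through to the implicit deny."""
    for i, rule in enumerate(acl):
        seq = 10 * (i + 1)
        if rule.matches(packet):
            if rule.log:
                logbook.append(f"ACL seq {seq} {rule.action} {packet.proto} "
                               f"{packet.src} -> {packet.dst}:{packet.dport}")
            return rule.action
    logbook.append(f"ACL implicit deny {packet.proto} {packet.src} -> {packet.dst}")
    return "deny"

# Constructed inbound ACL for a 10.0.0.0/24 site (illustrative, not a production policy).
INBOUND_ACL = [
    Rule("permit", "tcp", dst="10.0.0.0/24", dport=22),
    Rule("permit", "tcp", dst="10.0.0.0/24", dport=80, window=(time(8, 0), time(18, 0))),
    Rule("permit", "tcp", dst="10.0.0.0/24", established=True),
    Rule("permit", "icmp", dst="10.0.0.0/24", icmp_type=0),      # echo-reply only
    Rule("deny", "tcp", dst="10.0.0.0/24", dport=23, log=True),  # record telnet attempts
]

# Constructed probe packets (all addresses illustrative).
PROBES = {
    "ssh_syn": Packet("tcp", "198.51.100.7", "10.0.0.5", 22, frozenset({"SYN"})),
    "telnet_syn": Packet("tcp", "198.51.100.7", "10.0.0.5", 23, frozenset({"SYN"})),
    "http_after_hours": Packet("tcp", "198.51.100.7", "10.0.0.5", 80, frozenset({"SYN"}), at=time(20, 0)),
    "http_office_hours": Packet("tcp", "198.51.100.7", "10.0.0.5", 80, frozenset({"SYN"}), at=time(10, 0)),
    "reply_ack": Packet("tcp", "198.51.100.7", "10.0.0.5", 4444, frozenset({"ACK"})),
    "echo_reply": Packet("icmp", "198.51.100.7", "10.0.0.5", icmp_type=0),
    "echo_request": Packet("icmp", "198.51.100.7", "10.0.0.5", icmp_type=8),
    "other_subnet": Packet("tcp", "198.51.100.7", "192.0.2.9", 22, frozenset({"SYN"})),
}

def decide(name, logbook=None):
    """Evaluate one named probe against INBOUND_ACL."""
    return evaluate(INBOUND_ACL, PROBES[name], [] if logbook is None else logbook)

if __name__ == "__main__":
    log = []
    for name in PROBES:
        print(f"{name}: {decide(name, log)}")
    print("\n".join(log))   # in practice these lines go to a remote syslog host
```

The log lines are what makes the router a monitor: only rules marked `log` and the implicit deny produce entries, so the list stays small enough to ship off-box, and because they leave the router they survive a later compromise or reboot of the device itself.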