Week 13: Intrusion Detection Systems
- Introduction
• When a computer network is involved in a crime, the evidence is often distributed across many computers.
• It is difficult to isolate the crime scene, since the criminal can be in several places on the network at any given time.
• Extra effort is required to collect the evidence and document it thoroughly, so that the collection methods withstand every criticism.
Week 13-1
Tools:
• Netstat – on both Unix and Windows, shows listening services and the state of connections.
• Whois – command-line or Web versions, used to research the domain that an IP address belongs to.
• Traceroute – Unix and Windows utility that shows the network path between the local and a remote host.
• Visual Route – commercial tool that shows the path between the local and a remote host graphically.
Week 13-2
• TCP services started by the master network daemon inetd (Unix) can be wrapped with a program called tcpd (open source, available from CERT). It may be used as a limited host intrusion detection system (IDS). (show inetd.conf)
• UDP is another story: it is not connection oriented. A firewall is the best defense for UDP.
• ICMP has the same problem; again, the firewall is the best defense for ICMP.
Week 13-3
• TCP services wrapped with tcpd give fine-grained host security control and logging through “hosts.allow” and “hosts.deny”.
• Log files should be compressed and archived for 30 days or longer.
• On Linux, all TCP services started by the master xinetd daemon, and those started by boot-up scripts, have the tcpd library compiled in. (show xinetd.d)
• A host IDS and/or firewall should be used for those services that can’t be wrapped.
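The order in which tcpd consults hosts.allow and hosts.deny is what makes the "deny everything, then allow" pattern work, and it is easy to get wrong. The following is an added example (not code from the lecture or from the tcp_wrappers project) that evaluates an access decision the way hosts_access(5) describes it: hosts.allow first, then hosts.deny, first match wins, and a client matching neither file is granted access. The two files are constructed samples, and the matcher supports only the common pattern forms (ALL, LOCAL, net/mask, leading-dot domain suffix, trailing-dot address prefix, exact host or address, and EXCEPT lists).

```python
"""tcpd-style access decision: hosts.allow, then hosts.deny, first match wins,
no match means access is granted.  Added example; the two files are constructed."""
import ipaddress

# Constructed sample /etc/hosts.allow and /etc/hosts.deny
HOSTS_ALLOW = """
# ssh from the department network and from the admin workstation
sshd: 130.86.0.0/255.255.0.0
sshd: admin.example.edu
# telnet and ftp only from hosts in the local domain (names without dots)
in.telnetd, in.ftpd: LOCAL EXCEPT guest
"""
HOSTS_DENY = """
# everything not explicitly allowed above is refused
ALL: ALL
"""


def parse_rules(text):
    """Return (daemon_list, client_list) pairs; comments and the optional
    third shell-command field are ignored."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        fields = line.split(":")
        rules.append((fields[0].strip(), fields[1].strip()))
    return rules


def _token_match(pattern, name, addr):
    """Match one pattern token against a client name and address."""
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                      # a host name without dots
        return "." not in name
    if pattern.startswith("."):                 # domain suffix, e.g. .example.edu
        return name.endswith(pattern)
    if "/" in pattern:                          # net/mask, e.g. 130.86.0.0/255.255.0.0
        net, mask = pattern.split("/", 1)
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        return ipaddress.ip_address(addr) in network
    if pattern.endswith("."):                   # address prefix, e.g. 130.86.
        return addr.startswith(pattern)
    return pattern in (name, addr)              # exact host name or address


def _list_match(spec, name, addr):
    """Comma-separated list, optionally written as 'list1 EXCEPT list2'."""
    if " EXCEPT " in spec:
        included, excluded = spec.split(" EXCEPT ", 1)
        return _list_match(included, name, addr) and not _list_match(excluded, name, addr)
    return any(_token_match(t, name, addr) for t in spec.split(",") if t.strip())


def access_allowed(daemon, client_name, client_addr,
                   allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """True if tcpd would let `daemon` serve this client."""
    for daemons, clients in parse_rules(allow_text):
        if _list_match(daemons, daemon, daemon) and _list_match(clients, client_name, client_addr):
            return True
    for daemons, clients in parse_rules(deny_text):
        if _list_match(daemons, daemon, daemon) and _list_match(clients, client_name, client_addr):
            return False
    return True                                  # matched neither file: access granted


if __name__ == "__main__":
    print(access_allowed("sshd", "lab1.ecs.example.edu", "130.86.12.5"))   # True
    print(access_allowed("sshd", "remote.example.net", "198.51.100.7"))    # False
```

The last return statement is the point worth remembering: with an empty hosts.deny, every client that is not explicitly listed in hosts.allow still gets in, which is why the constructed hosts.deny ends with ALL: ALL.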
Week 13-4
• Three types of IDS
– Application-based (AIDS)
– Host Intrusion Detection (HIDS)
– Network Intrusion Detection (NIDS)
Q. Do you need all three?
A. Yes; it is not possible to install an IDS on embedded devices (print servers, cameras, wireless APs).
IPS – Intrusion Prevention Systems (more about this later)
Week 13-5
• AIDS – Honeypot (Honeyd)
– Web applications (mod_security)
• HIDS – many security companies offer an IDS (Tripwire, NetIQ, Juniper, Cisco, etc.)
• Open source – AIDE (open version of Tripwire), Honeynet, sXid, chkrootkit, Prelude
– Ref: www.devx.com/security/Article/22442/0
Week 13-6
• NIDS are divided into three categories
– Port scan detectors (PSD)
– Sniffers
– Firewalls
• PortSentry (PSD)
• Scanlogd (PSD)
• Snort (sniffer) – the best known and best open source NIDS
– ECS currently has 2 Snort systems, “seeall” and “ispy”
– Network Lab http://seeall.ecs.csus.edu/acid/
– Computer Room http://ispy.ecs.csus.edu/base/
Week 13-7
[Diagram: ECS Security Infrastructure. Fiber to ARC Building enters the ECS switch (HP Procurve); a mirrored port on that switch feeds sensor #1, ISPY (IDS), Linux/Snort. Firewalls ECSFire 1 and ECSFire 2 (SonicWall). ECS Main switch, 196 ports, serving Unix hosts with the security wrapper and WinXP hosts with the firewall enabled. CISCO Lab switch (HP Procurve) and ECSfire3 (SonicWall), which connects to the ECS Wireless Network.]
Week 13-8
• NIDS use 2 basic methodologies
– Anomaly based
– Rule based
• IDS <-> Firewall: a human link is required to decide on actions
• False positives (annoying)
• False negatives (bad)
• Firewalls – 3 are capable of taking automatic input from the NIDS, but?
Week 13-9
• Firewalls:
– Network (hardware)
• Cisco PIX (campus), Nokia, SonicWall (ECS 6)
• Computer Room http://sonic.ecs.csus.edu/
• Network Lab http://netfire1.ecs.csus.edu/
• (soon campus Juniper firewalls replace the PIXs)
– Host (software)
• Windows – several commercial companies; I like Zone Labs (ZoneAlarm) the best.
• WinXP SP2 has a built-in firewall, but only for inbound traffic.
Week 13-10
• Firewalls: (host continued)
• Linux – ipchains (stateless) in early versions of the kernel
• Linux – iptables (stateful), part of recent kernels; can have rules for TCP, UDP and ICMP (show live output)
• Administrators can add local rules, e.g. a local chain coupled with a program/script can then become an IPS (sshwatch.pl, ftpwatch.pl)
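The "local chain plus a watcher script" idea is worth seeing end to end. The following is an added example (not the lecture's sshwatch.pl, whose contents are not on the page): it counts failed sshd logins per source address from syslog lines, and for any source that crosses a threshold inside a time window it produces the iptables rule for a user-defined chain. The log lines are constructed, the chain name "sshwatch" is an assumption, and the commands are returned rather than executed, so the script runs without root.

```python
"""Threshold-based blocking of repeated ssh login failures.  Added example;
log lines are constructed and the chain name is assumed.  The administrator
is assumed to have created the chain once, roughly:
    iptables -N sshwatch
    iptables -I INPUT -j sshwatch"""
import re
from collections import defaultdict

# Constructed sshd syslog excerpt (OpenSSH "Failed password" format).
SAMPLE_LOG = [
    "Apr 15 02:20:01 gaia sshd[2201]: Failed password for invalid user test from 198.51.100.7 port 4044 ssh2",
    "Apr 15 02:20:09 gaia sshd[2203]: Failed password for invalid user admin from 198.51.100.7 port 4051 ssh2",
    "Apr 15 02:20:17 gaia sshd[2205]: Failed password for root from 198.51.100.7 port 4058 ssh2",
    "Apr 15 02:20:26 gaia sshd[2207]: Failed password for invalid user oracle from 198.51.100.7 port 4063 ssh2",
    "Apr 15 02:20:34 gaia sshd[2209]: Failed password for invalid user guest from 198.51.100.7 port 4070 ssh2",
    "Apr 15 02:21:05 gaia sshd[2211]: Accepted password for dialm from 203.0.113.9 port 3320 ssh2",
    "Apr 15 02:30:00 gaia sshd[2250]: Failed password for dialm from 203.0.113.9 port 3401 ssh2",
    "Apr 15 02:31:00 gaia sshd[2252]: Failed password for dialm from 203.0.113.9 port 3402 ssh2",
]

FAIL_RE = re.compile(
    r"^\w{3}\s+\d+\s+(\d\d):(\d\d):(\d\d)\s+\S+\s+sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+)\b")


def parse_failures(lines):
    """(seconds since midnight, source address) for each failed-login line."""
    events = []
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            h, mi, s, ip = m.groups()
            events.append((int(h) * 3600 + int(mi) * 60 + int(s), ip))
    return events


def offenders(lines, threshold=5, window=300):
    """Addresses with at least `threshold` failures inside any `window` seconds."""
    by_ip = defaultdict(list)
    for t, ip in parse_failures(lines):
        by_ip[ip].append(t)
    hits = []
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):             # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits.append(ip)
                break
    return sorted(hits)


def block_commands(ips, chain="sshwatch"):
    """The iptables rule a watcher would install for each offender (assumed chain)."""
    return [f"iptables -I {chain} -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    for cmd in block_commands(offenders(SAMPLE_LOG)):
        print(cmd)
```

The window matters: two failures ten minutes apart from the user's own address (203.0.113.9 in the sample) should not earn a DROP rule, while five failures in half a minute should. Keeping the rules in their own chain means the watcher can flush that chain (iptables -F sshwatch) without touching the rest of the firewall.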
Week 13-11
[Diagram: campus connectivity. Internet reached over an OC-3c (155.52 Mbps) Packet over SONET (POS) link from the CENIC.NET router; 1000 Mbps to the CSUS Cisco Border RTR; Perfigo Cisco Clean Access; campus Cisco PIX Firewalls and campus Cisco VPN Server, linked at 1000 Mbps; Campus Wireless Cisco router; 100 Mbps link down to ECS.]
Week 13-12
• IPS – Intrusion Prevention Systems
• Need to keep state and do deep packet inspection.
• Must have the hardware to scale.
• SonicWall has software ($$) that gives limited IPS.
• Others: Countersnipe, Barbedwire Technologies, McAfee, Top Layer* (IPS 5500) $15K, Internet Security Systems, NFR, SonicWall, Sourcefire* (IS-2000) $13K, Symantec, TippingPoint and V-Secure
Week 13-13
• Security incident: Friday April 15, 2005 at 3:02 AM. User “dialm” logged in from Moscow, Russia; the command “who” on gaia shows:
dialm pts/2 Apr 15 02:21 (d123.z194-58-101.relcom.ru)
You are the person responsible for security for this company.
Q. What step would you have taken next?
Week 13-14
• Step 1. “su” to root and change the password for user dialm.
Q. What next step would you have done?
Week 13-15
• Step 2. Type the command ps -adef | grep dialm to dump the process table and grep for processes running as user dialm. One interesting process was:
“./pine”
Q. Why is this interesting?
Q. What next step would you have done?
Week 13-16
• Step 3. netstat -a (look at network connections and any strange services). Noted many connections to IPs that were not local, and the service “SOCKS”.
Q. What next step would you have performed?
Week 13-17
• Step 4. kill -1 <login process number for /bin/csh> (this will log the user off and break the network connection).
• Because the password was changed, he/she won’t get back in.
Q. Unless what????
Note: yours truly forgot to capture the output from netstat!!! (next time, run “script”)
Q. What next step would you have done?
Week 13-18
• Step 5. cd ~dialm (change directory to the hacked account) and run ls -alt to list the files and directories in chronological order, most recent first:
drwxr-xr-x 1645 root  root   28672 Apr 15 03:20 ..
-rwx------    1 dialm stdcsc   583 Apr 15 03:13 .history
drwxr-xr-x   11 dialm stdcsc  4096 Apr 15 03:09 .dt
-rw-------    1 dialm stdcsc 14733 Jan 10 08:19 .pinerc
… rest of listing were old files
Q. What next step would you have performed?
Week 13-19
• Step 6. more .history (see if the hacker removed traces of his actions)
#+1113558361
gcc scan.c -s -o pine
#+1113558364
gcc scan.c -s -o pine
#+1113558368
./pine
#+1113558440
./pine
#+1113558481
gcc scan.c -s -o pine
#+1113558487
gcc scan.c -s -o pine
#+1113558542
gcc scan.c -s -o pine
#+1113558547
./pine
#+1113558982
man sleep
Week 13-20
• Step 6. more .history (continued)
#+1113559107
gcc scan.c -o pine -s
#+1113559111
./pine
#+1113559228
gcc scan.c -o pine -s
#+1113559231
gcc scan.c -o pine -s
#+1113559251
./pine
#+1113559352
gcc scan.c -o pine -s
#+1113559355
gcc scan.c -o pine -s
#+1113559360
./pine
#+1113559788
gcc scan.c -o pine -s
#+1113559791
gcc scan.c -o pine -s
#+1113559795
./pine
Q. What next step would you have done?
Week 13-21
• Step 7. cd .dt (change to the system directory .dt; note this normally won’t show because it starts with a dot)
Q. What next step would you have done?
Week 13-22
• Step 8. ls -alt | more (list the contents, most recent first)
(show live results on gaia; more timestamp)
Q. What next step would you have done?
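Steps 5 through 8 are a timeline exercise: the csh history carries "#+<epoch>" stamps, and the directory listing carries modification times, so the two can be lined up. The following is an added example (not part of the lecture, and not the steps as performed on gaia) that parses a history excerpt in that format, converts the stamps to UTC, and ties each "./pine" execution back to the gcc line that built it. The excerpt is a constructed sample modelled on the listing above; the function names are this example's own.

```python
"""Timeline from a tcsh savehist file ('#+<epoch>' precedes each command).
Added example; HISTORY is a constructed excerpt modelled on the notes."""
from datetime import datetime, timezone

HISTORY = """\
#+1113558361
gcc scan.c -s -o pine
#+1113558368
./pine
#+1113558982
man sleep
#+1113559107
gcc scan.c -o pine
#+1113559111
./pine
"""


def parse_history(text):
    """Return (epoch or None, command) pairs in file order."""
    entries, pending = [], None
    for line in text.splitlines():
        if line.startswith("#+") and line[2:].isdigit():
            pending = int(line[2:])          # timestamp applies to the next command
        elif line.strip():
            entries.append((pending, line.strip()))
            pending = None
    return entries


def timeline(text):
    """Same entries with the epoch turned into an aware UTC datetime."""
    return [(datetime.fromtimestamp(ts, tz=timezone.utc) if ts is not None else None, cmd)
            for ts, cmd in parse_history(text)]


def renamed_binaries(text):
    """Map each name given to 'gcc -o' to the .c sources compiled into it, so a
    process named ./pine can be tied to scan.c rather than to the mail client."""
    built = {}
    for _, cmd in parse_history(text):
        parts = cmd.split()
        if parts and parts[0] == "gcc" and "-o" in parts:
            i = parts.index("-o")
            if i + 1 < len(parts):
                built[parts[i + 1]] = [p for p in parts[1:] if p.endswith(".c")]
    return built


def run_events(text):
    """Commands that executed a binary built earlier in the same history."""
    built = renamed_binaries(text)
    return [(ts, cmd) for ts, cmd in timeline(text)
            if cmd.startswith("./") and cmd[2:].split()[0] in built]


if __name__ == "__main__":
    for ts, cmd in timeline(HISTORY):
        print(ts.isoformat() if ts else "(no stamp)", cmd)
    print("built:", renamed_binaries(HISTORY))
```

The stamps are seconds since the epoch, so the first entry (1113558361) is 09:46:01 UTC on 15 April 2005, which is 02:46 local time on a host in the US Pacific zone and sits between the 02:21 login shown by who and the 03:13 modification time of .history in the listing. Converting to UTC first, and only then to local time, avoids the daylight-saving mistakes that creep into hand-built timelines.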
Week 13-23
• Live on gaia: “more scan.c”
• Live on gaia: “more list” (IPs)
• Q. Why would a hacker be interested in “proxy servers”????
• Examine the “messages” log
(if time permits, then nmap the remote host)
(also finger @remote host)
• “Think outside the box!”
Q. What is another possible step in the process?
Week 13-24
• Step 9. Check for any “backdoors”
• UC Berkeley “r” commands (ruptime, rcp, rlogin, rsh, rexec)
• hosts.equiv (+ or ++ wild cards)
• .rhosts (individual authentication)
• A security compromise was recently exposed for Windows clients’ remote shell (.rhosts).
Week 13-25
• Backdoor examples:
• “inetd.conf” or /etc/xinetd.d backdoor
• Added account in the /etc/passwd file
• Perl script called “back.pl”
• + + wild card in a user’s .rhosts
• Most recent backdoor from the UN-ROOT team, Brazil: “./bindz”
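Three of the backdoor types listed above can be checked mechanically: "+" wildcards in hosts.equiv or a user's .rhosts, an added UID-0 account in /etc/passwd, and an inetd.conf entry whose server program is a shell instead of a daemon. The following is an added example (not the lecture's procedure) that performs those three checks over constructed file contents; the sample entries, including the second UID-0 account and the inetd service line, are invented for the demonstration.

```python
"""Post-incident checks for the backdoor types named in the notes.
Added example; every file below is a constructed sample."""
import re

HOSTS_EQUIV = "lab1.example.edu\n+ +\n"                 # constructed
RHOSTS = "+\n"                                          # constructed
PASSWD = ("root:x:0:0:root:/:/bin/sh\n"
          "dialm:x:1045:200:Student:/home/dialm:/bin/csh\n"
          "sysadm:x:0:0::/tmp:/bin/sh\n")               # constructed: a second UID-0 account
INETD_CONF = ("ftp     stream tcp nowait root /usr/sbin/tcpd in.ftpd\n"
              "telnet  stream tcp nowait root /usr/sbin/tcpd in.telnetd\n"
              "ingreslock stream tcp nowait root /bin/sh sh -i\n")   # constructed backdoor line

SHELL_RE = re.compile(r"(^|/)(sh|csh|ksh|bash|tcsh|zsh)$")


def rhosts_wildcards(text):
    """Lines in hosts.equiv or .rhosts whose host or user field is a '+' wildcard."""
    return [ln.strip() for ln in text.splitlines()
            if any(tok in ("+", "++") for tok in ln.split())]


def extra_uid0(text):
    """Account names other than root that carry UID 0."""
    found = []
    for ln in text.splitlines():
        f = ln.split(":")
        if len(f) >= 7 and f[2] == "0" and f[0] != "root":
            found.append(f[0])
    return found


def inetd_shell_services(text):
    """inetd.conf service names whose server program (6th field) is a shell."""
    return [f[0] for f in (ln.split() for ln in text.splitlines())
            if len(f) >= 6 and SHELL_RE.search(f[5])]


def audit(hosts_equiv=HOSTS_EQUIV, rhosts=RHOSTS, passwd=PASSWD, inetd_conf=INETD_CONF):
    """Run all three checks and return the findings in one dict."""
    return {
        "rhosts_wildcards": rhosts_wildcards(hosts_equiv) + rhosts_wildcards(rhosts),
        "extra_uid0": extra_uid0(passwd),
        "inetd_shells": inetd_shell_services(inetd_conf),
    }


if __name__ == "__main__":
    for check, findings in audit().items():
        print(f"{check}: {findings or 'clean'}")
```

On a real host the same functions would be fed the contents of /etc/hosts.equiv, every ~user/.rhosts, /etc/passwd and /etc/inetd.conf (or the files under /etc/xinetd.d, which use a different syntax and would need their own parser). The checks are deliberately simple so that they can be run from a read-only copy of the evidence rather than on the compromised system itself.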
Week 13-26
• Summary
Network IDS and host IDS can hold evidence of break-ins (they do not prevent them; they only record them after the fact).
Use scp or sftp to make copies of evidence, and compute MD5 and SHA-1 to verify that the copies are identical to the original.
Never trust a system unless it is completely reinstalled, especially if you’re unable to tell how it was compromised in the first place.
Keep copies of evidence obtained from security incidents.
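Verifying a copied evidence file with both digests, as the summary recommends, is a small routine, but it is worth having one that reads in chunks and compares both hashes at once. The following is an added example (not code from the lecture): it produces a manifest line for a file and checks a copy against the original. The demo writes a constructed history excerpt, a faithful copy and a copy altered by one byte into a temporary directory.

```python
"""MD5 and SHA-1 verification of evidence copies.  Added example; the files
created by demo() are constructed samples."""
import hashlib
import os
import tempfile


def digest_bytes(data):
    """MD5 and SHA-1 of an in-memory buffer."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}


def digest_file(path, chunk_size=65536):
    """MD5 and SHA-1 of a file, read in chunks so a large image need not fit in memory."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def manifest_line(path):
    """One line for an evidence manifest: both digests and the file name."""
    d = digest_file(path)
    return f"{d['md5']}  {d['sha1']}  {os.path.basename(path)}"


def verify_copy(original, copy):
    """True only if both digests of the copy match those of the original."""
    return digest_file(original) == digest_file(copy)


def demo():
    """Constructed evidence file, a faithful copy and a copy altered by one byte."""
    with tempfile.TemporaryDirectory() as tmp:
        data = b"#+1113558361\ngcc scan.c -s -o pine\n#+1113558368\n./pine\n"
        paths = [os.path.join(tmp, n) for n in ("history.orig", "history.good", "history.bad")]
        contents = (data, data, data.replace(b"./pine", b"./Pine"))
        for p, content in zip(paths, contents):
            with open(p, "wb") as fh:
                fh.write(content)
        print(manifest_line(paths[0]))
        return verify_copy(paths[0], paths[1]), verify_copy(paths[0], paths[2])


if __name__ == "__main__":
    print(demo())      # (True, False)
```

Record the manifest line at collection time, before the copy is made, and store it separately from the copies; a digest computed only on the copy proves nothing about the original.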
Week 13-27