Transcript Network Forensics

COMP 4027
Network Forensics
This module draws on
Network intrusion management and profiling [electronic resource] / Steven Schlarman.
Josh Broadway Hons thesis and development of Columbo tool
1
Network Forensics
• Common Intrusion Scenarios
• Intrusion Profiling
• Intrusion Investigation Management
Each stage will give some forensic evidence which
can be gathered up. Most evidence as we have seen
is in logs
2
Common Intrusion Scenarios
• Information Gathering
• Network and System Reconnaissance
• System Vulnerability exploitation
3
What motivates hackers
Release Information
• Some hackers see a need for freedom of information and
thus attack in order to "liberate" the information
Release Software
• Some make copies of software that can be installed on
multiple computers –they crack the licensing code for
"ethical" or financial reasons
Consume Unused Resources
• Try to access any resource – telephone line, bandwidth, disk
space – which is not being used
4
What do Hackers do
Find Vulnerabilities
• Find and exploit vulnerabilities – "security researchers"
Find fame
• Just another way of seeking attention
5
How do hackers do this?
Produce Malicious code
• Logic Bomb
– Dormant until activated
• Parasite
– Code added to existing program and draws information
which hacker does not have privileges to access. Covert
and non-destructive
• Trojan horse
– Useful program with an alternative agenda
• Virus
– Infects another program by replicating itself in to the host.
– Mostly destructive, perhaps with logic bomb
• Worm
– Transport mechanism for another program, utilising
network
6
How do hackers do this?
Modify Source code
• Eg in Linux
• So remove all compilers from non-development machines
Dynamic loadable modules and libraries
7
How do hackers do this?
Exploit network protocols
• Use the internet daemon, inetd, which listens to each port
and passes control of it to the associated program
• Hacker can then get control of root
E-mail Spoofing
• Hacker can telnet to system's SMTP port and input ascii
commands to it, identifying someone else in the To: or From
: commands
IP Spoofing
• Remedy: border routers should drop all packets from
internal network with a source address which is not part of
the internal network
8
How do hackers do this?
Source routing
• Should be disabled since never used by legitimate
applications – use dynamic protocols
Network flooding and SYN flooding
• Use patches
Smurfing
• Disable IP-directed broadcasts at the router
9
How do hackers do this?
Exploit Vulnerabilities
• Scanners and Profilers
– Preliminary evaluation of software
– Determine hardware
– Identify versions and patches
• Sniffers and snoopers
– Might watch network or disk traffic or be planted inside to
watch print spooler or logins
– Must monitor own system – SNORT
• Security Tools
– If a hacker finds them on your system he can use your tools
to identify your security flaws
• Buffer Overflows
• File permissions
• Password Crackers
10
How do they start
Target selection – information gathering
web resources
• Whois
– http://www.networksolutions.com/cgi-bin/whois/whois –
Network Solutions whois query tool (.com, .net, .org)
– http://www.ripe.net/db/whois.html – European IP Address
Allocations
– http://whois.apnic.net – Asia Pacific IP Address Allocation
– http://www.nic.mil/cgi-bin/whois – US Military
– http://www.nic.gov/cgi-bin/whois – US Government
– http://www.arin.net/whois – Arin IP addr ownership query
11
12
Target selection - Passive methods
• Dejanews.com
– Search for postings
– Discover infrastructure
– Build profile of user for later social engineering
• Search engines
– link:www.yoursite.com
13
DEJA Search
14
15
Where is evidence of this activity?
• In http logs and firewall logs
• What about social engineering (spying)
– No evidence because non-technological
16
Target acquisition - scanning
• Network scanning
–
–
–
–
Automated scripts that ID active hosts
OS Fingerprinting
Port scanning
Vulnerability scanning
• Telco scanning
17
18
Nmap - The scanner of choice
•
•
•
•
•
•
Quiet
Decoys
Very accurate OS fingerprinting
UDP, stealth, full connect
IPFrag
…and more
19
20
IP scanning
• Solarwinds.net
• For a few hundred $ you get:
– Cisco tools, DNS tools, TFTP, Network Discovery tools,
Ping tools
• Vulnerable ports = RFC 1700
21
22
Scanners of all types
• Free
– nessus
• www.nessus.org
– nmap
• www.insecure.org
– satan
• ftp.win.tue.nl (/pub/security)
– Cheops
• www.rsh.kiev.ua ($25.00)
– Sam Spade (Win 9x/NT/2K)
• www.samspade.org
23
War dialers
• Shareware
– ToneLoc
– THC scan (2.0)
• Commercial
– Phone Sweep
– SecureLogix (a.k.a. Wheelgroup)
• New and improved for the Palm
– www.l0pht.com now at stake.com
• Review PBX records!!!
24
25
26
TCP stack fingerprinting
• Different OSs respond in different ways to nonstandard packets
• Programs use databases of these responses to
determine OS & version of target machine
• QueSO and nmap
27
28
29
Where is evidence of Network and
System Reconnaissance?
• In router logs if logging is turned on at appropriate
level
• Ping sweeps will appear as ICMP packets on a
large range of destination addresses with the same
source address
• Evidence needs piecing together from
– System logs
– Temporary or hidden directories
– User home directory
30
What do we do?
• Document every interaction with the host:
– Who, when, which commands
– Make forensic copy of system log for evidence
– Collect as much system evidence as possible
31
Denial of Service – crashing the host
• Winnuke
– OOB (Out of Band) attack on any unpatched 95/98 or NT
box
– Blue screens the box and forces reboot
• Ping of Death
– ICMP attack using large packets
• Teardrop
– Locks up the target
• Xcrush, Targa - DoS compliations
• New DoS attacks target routers
32
33
Distributed attacks
• Tribe Flood
– ICMP Echo, UDP, SYN and Smurf
– use ICMP_ECHOREPLY packets to communicate
between master and zombie
– Need to get root on master and agents
– http://packetstormsecurity.org/distributed/tfn3k.txt
• Trin00
– UDP flood
– use UDP protocol to communicate
34
E-mail bombing applications
–
–
–
–
Unabomber
Kaboom 3.0
Avalanche
Ghost Mail
35
Packet sniffers
• What is it?
– Application that collects TCP/IP (UDP, etc.) all packets
off the wire
• What is it used for?
– Diagnose network problems
– Reading email
• Email security = postcard
• We continue to use this for business critical/personnel data
transfers
– Logging web usage
– Usernames/passwords
36
37
Packet sniffers
• Commercial
– Sniffer Pro – www.nai.com
– Iris www.eeye.com/html/index.html
• Spynet
• TCPDUMP / WINDUMP
– http://netgroup-serv.polito.it/windump/
• Included in several other programs
– L0phtcrack
– Aggressor
• Wireless
38
Sub 7: What is it?
• Remote Administration trojan Client/Server
architecture
• Server/Trojan runs on:
– Windows ’98
– 2K / NT (v2.2)
• Client runs on:
–
–
–
–
Windows 2000
Windows NT
Windows ’98
Port 27374
39
What can it do?
• Full remote administration of the server system:
–
–
–
–
–
–
Strip out passwords
Key-logging
Remote camera viewing
Full file and registry manipulation
Email upon discovery
Message communications (chat, IRC, popups)
40
41
42
43
44
Password crackers
• NT
– l0phtcrack
• Unix
– Crack
ftp://ftp.cerias.purdue.edu/pub/tools/unix/pwdutils/crack/
– john the ripper
• 98/95
– cain
– showpass
• Service specific
– shares - legion
– mail/ftp - unsecure
45
46
47
Intrusion Profiling
• Based on other kinds of criminal profiling
–
–
–
–
–
Time
Source
Method
List of files accessed
List of files created
48
Some conclusions from profiling
• When
– Daytime might mean a time zone 8-12 away
– Night time might mean local
• Where
–
–
–
–
Local address – internal
Dial-in – “internal “ or war dialling
Wireless
Targeted host – has inside information
• How
– Simple – inside info
– Has password – may be insider
– Very technical – advanced and may be targeted
49
Other work
• Shanmugasundaram et al
• Integrating Digital Forensics into a Network Infra
structure
50
Integrating Digital Forensics into a Network
Infra structure
• Prototype system to integrate wide area network
forensics
• Purpose
– Forensics
– Network Management
– Compliance
• What to collect
– Network dynamics
– Traffic dynamics
51
Integrating Digital Forensics into a Network
Infra structure
•
•
•
•
How to retrieve
What to store
Privacy and Security
Fornet – large Forensic server
52