1 COMP 4027 Network Forensics This module draws on Network intrusion management and profiling [electronic resource] / Steven Schlarman. Josh Broadway Hons thesis and development of Columbo tool
1
COMP 4027Network Forensics
This module draws on Network intrusion management and profiling [electronic resource] / Steven Schlarman.Josh Broadway Hons thesis and development of Columbo tool
2
Network Forensics
• Common Intrusion Scenarios
• Intrusion Profiling
• Intrusion Investigation Management
Each stage will give some forensic evidence which can be gathered up. Most evidence as we have seen is in logs
3
Common Intrusion Scenarios
• Information Gathering
• Network and System Reconnaissance
• System Vulnerability exploitation
4
What motivates hackers
Release Information• Some hackers see a need for freedom of information and
thus attack in order to "liberate" the information
Release Software• Some make copies of software that can be installed on
multiple computers –they crack the licensing code for "ethical" or financial reasons
Consume Unused Resources• Try to access any resource – telephone line, bandwidth,
disk space – which is not being used
5
What do Hackers do
Find Vulnerabilities
• Find and exploit vulnerabilities – "security researchers"
Find fame
• Just another way of seeking attention
6
How do hackers do this?
Produce Malicious code• Logic Bomb
– Dormant until activated
• Parasite– Code added to existing program and draws information
which hacker does not have privileges to access. Covert and non-destructive
• Trojan horse– Useful program with an alternative agenda
• Virus– Infects another program by replicating itself in to the host.– Mostly destructive, perhaps with logic bomb
• Worm– Transport mechanism for another program, utilising
network
7
How do hackers do this?
Modify Source code• Eg in Linux
• So remove all compilers from non-development machines
Dynamic loadable modules and libraries
8
How do hackers do this?
Exploit network protocols• Use the internet daemon, inetd, which listens to each port
and passes control of it to the associated program
• Hacker can then get control of root
E-mail Spoofing• Hacker can telnet to system's SMTP port and input ascii
commands to it, identifying someone else in the To: or From : commands
IP Spoofing • Remedy: border routers should drop all packets from
internal network with a source address which is not part of the internal network
9
How do hackers do this?
Source routing• Should be disabled since never used by legitimate
applications – use dynamic protocols
Network flooding and SYN flooding• Use patches
Smurfing• Disable IP-directed broadcasts at the router
10
How do hackers do this?
Exploit Vulnerabilities• Scanners and Profilers
– Preliminary evaluation of software– Determine hardware– Identify versions and patches
• Sniffers and snoopers– Might watch network or disk traffic or be planted inside to
watch print spooler or logins– Must monitor own system – SNORT
• Security Tools– If a hacker finds them on your system he can use your tools
to identify your security flaws
• Buffer Overflows• File permissions• Password Crackers
11
How do they start Target selection – information gathering
web resources
• Whois– http://www.networksolutions.com/cgi-bin/whois/whois –
Network Solutions whois query tool (.com, .net, .org)
– http://www.ripe.net/db/whois.html – European IP Address Allocations
– http://whois.apnic.net – Asia Pacific IP Address Allocation
– http://www.nic.mil/cgi-bin/whois – US Military
– http://www.nic.gov/cgi-bin/whois – US Government
– http://www.arin.net/whois – Arin IP addr ownership query
13
Target selection - Passive methods
• Dejanews.com– Search for postings
– Discover infrastructure
– Build profile of user for later social engineering
• Search engines– link:www.yoursite.com
16
Where is evidence of this activity?
• In http logs and firewall logs
• What about social engineering (spying) – No evidence because non-technological
17
Target acquisition - scanning
• Network scanning– Automated scripts that ID active hosts
– OS Fingerprinting
– Port scanning
– Vulnerability scanning
• Telco scanning
19
Nmap - The scanner of choice
• Quiet
• Decoys
• Very accurate OS fingerprinting
• UDP, stealth, full connect
• IPFrag
• …and more
21
IP scanning
• Solarwinds.net
• For a few hundred $ you get:– Cisco tools, DNS tools, TFTP, Network Discovery tools,
Ping tools
• Vulnerable ports = RFC 1700
23
Scanners of all types
• Free– nessus
• www.nessus.org
– nmap• www.insecure.org
– satan• ftp.win.tue.nl (/pub/security)
– Cheops• www.rsh.kiev.ua ($25.00)
– Sam Spade (Win 9x/NT/2K)• www.samspade.org
24
War dialers
• Shareware– ToneLoc
– THC scan (2.0)
• Commercial– Phone Sweep
– SecureLogix (a.k.a. Wheelgroup)
• New and improved for the Palm– www.l0pht.com now at stake.com
• Review PBX records!!!
27
TCP stack fingerprinting
• Different OSs respond in different ways to non-standard packets
• Programs use databases of these responses to determine OS & version of target machine
• QueSO and nmap
30
Where is evidence of Network and System Reconnaissance?
• In router logs if logging is turned on at appropriate level
• Ping sweeps will appear as ICMP packets on a large range of destination addresses with the same source address
• Evidence needs piecing together from– System logs
– Temporary or hidden directories
– User home directory
31
What do we do?
• Document every interaction with the host: – Who, when, which commands
– Make forensic copy of system log for evidence
– Collect as much system evidence as possible
32
Denial of Service – crashing the host
• Winnuke– OOB (Out of Band) attack on any unpatched 95/98 or
NT box
– Blue screens the box and forces reboot
• Ping of Death– ICMP attack using large packets
• Teardrop– Locks up the target
• Xcrush, Targa - DoS compliations
• New DoS attacks target routers
34
Distributed attacks
• Tribe Flood
– ICMP Echo, UDP, SYN and Smurf
– use ICMP_ECHOREPLY packets to communicate between master and zombie
– Need to get root on master and agents
– http://packetstormsecurity.org/distributed/tfn3k.txt
• Trin00
– UDP flood
– use UDP protocol to communicate
36
Packet sniffers
• What is it?– Application that collects TCP/IP (UDP, etc.) all packets
off the wire
• What is it used for?– Diagnose network problems
– Reading email• Email security = postcard
• We continue to use this for business critical/personnel data transfers
– Logging web usage
– Usernames/passwords
38
Packet sniffers
• Commercial– Sniffer Pro – www.nai.com
– Iris www.eeye.com/html/index.html
• Spynet
• TCPDUMP / WINDUMP– http://netgroup-serv.polito.it/windump/
• Included in several other programs– L0phtcrack
– Aggressor
• Wireless
39
Sub 7: What is it?
• Remote Administration trojan Client/Server architecture
• Server/Trojan runs on:– Windows ’98
– 2K / NT (v2.2)
• Client runs on:– Windows 2000
– Windows NT
– Windows ’98
– Port 27374
40
What can it do?
• Full remote administration of the server system:– Strip out passwords
– Key-logging
– Remote camera viewing
– Full file and registry manipulation
– Email upon discovery
– Message communications (chat, IRC, popups)
45
Password crackers
• NT– l0phtcrack
• Unix– Crack
ftp://ftp.cerias.purdue.edu/pub/tools/unix/pwdutils/crack/– john the ripper
• 98/95– cain– showpass
• Service specific– shares - legion– mail/ftp - unsecure
48
Intrusion Profiling
• Based on other kinds of criminal profiling– Time
– Source
– Method
– List of files accessed
– List of files created
49
Some conclusions from profiling
• When – Daytime might mean a time zone 8-12 away
– Night time might mean local
• Where– Local address – internal
– Dial-in – “internal “ or war dialling
– Wireless
– Targeted host – has inside information
• How– Simple – inside info
– Has password – may be insider
– Very technical – advanced and may be targeted
50
Other work
• Shanmugasundaram et al
• Integrating Digital Forensics into a Network Infra structure
51
Integrating Digital Forensics into a Network Infra structure
• Prototype system to integrate wide area network forensics
• Purpose– Forensics
– Network Management
– Compliance
• What to collect– Network dynamics
– Traffic dynamics