1 COMP 4027 Network Forensics This module draws on Network intrusion management and profiling [electronic resource] / Steven Schlarman. Josh Broadway Hons thesis and development of Columbo tool


Dec 25, 2015


Lorena Barber
Transcript
Page 1

COMP 4027 Network Forensics

This module draws on Network intrusion management and profiling [electronic resource] / Steven Schlarman, and on Josh Broadway's Hons thesis and development of the Columbo tool.

Page 2

Network Forensics

• Common Intrusion Scenarios

• Intrusion Profiling

• Intrusion Investigation Management

Each stage leaves some forensic evidence that can be gathered. Most of that evidence, as we have seen, is in logs.

Page 3

Common Intrusion Scenarios

• Information Gathering

• Network and System Reconnaissance

• System Vulnerability exploitation

Page 4

What motivates hackers

Release Information

• Some hackers see a need for freedom of information and thus attack in order to "liberate" the information

Release Software

• Some make copies of software that can be installed on multiple computers – they crack the licensing code for "ethical" or financial reasons

Consume Unused Resources

• Try to access any resource – telephone line, bandwidth, disk space – which is not being used

Page 5

What do Hackers do

Find Vulnerabilities

• Find and exploit vulnerabilities – "security researchers"

Find fame

• Just another way of seeking attention

Page 6

How do hackers do this?

Produce Malicious code

• Logic Bomb – Dormant until activated

• Parasite – Code added to an existing program that draws out information the hacker does not have privileges to access. Covert and non-destructive

• Trojan horse – Useful program with an alternative agenda

• Virus – Infects another program by replicating itself into the host. Mostly destructive, perhaps with a logic bomb

• Worm – Transport mechanism for another program, utilising the network

Page 7

How do hackers do this?

Modify Source code

• Eg in Linux

• So remove all compilers from non-development machines

Dynamic loadable modules and libraries

Page 8

How do hackers do this?

Exploit network protocols

• Use the internet daemon, inetd, which listens on each port and passes control of it to the associated program

• Hacker can then get control of root

E-mail Spoofing

• Hacker can telnet to the system's SMTP port and input ASCII commands to it, identifying someone else in the To: or From: commands

IP Spoofing

• Remedy: border routers should drop all packets from the internal network with a source address which is not part of the internal network
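The IP spoofing remedy above is an egress filter: the border router knows its own address blocks and refuses to forward anything leaving with a foreign source address. The following Python is an added illustration of that rule, not code from the slides or from Schlarman's text. The internal address blocks and the sample packets are constructed for the demo. It also goes one step beyond the slide and applies the mirror-image ingress rule (drop inbound packets that claim an internal source), which is the other half of the usual anti-spoofing filter.

```python
import ipaddress

# Constructed example: the site's own internal address blocks. These are
# assumptions for the demo, not values from the slides.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_internal(addr: str) -> bool:
    """True if addr falls inside one of the internal blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def border_router_verdict(src: str, direction: str) -> tuple:
    """Decide whether the border router forwards or drops a packet.

    direction is "egress" (leaving the internal network) or "ingress"
    (arriving from outside). The egress rule is the slide's remedy: drop
    anything leaving with a source address that is not internal. The
    ingress rule is the mirror image (added generalisation): drop anything
    arriving from outside that claims an internal source.
    Returns (action, reason).
    """
    internal = is_internal(src)
    if direction == "egress":
        if internal:
            return ("forward", "source is internal")
        return ("drop", "outbound packet with non-internal source (spoofed)")
    if direction == "ingress":
        if internal:
            return ("drop", "inbound packet claims an internal source (spoofed)")
        return ("forward", "source is external")
    raise ValueError(f"unknown direction {direction!r}")


# Constructed sample of (source address, direction) pairs as the border
# router would see them; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for the outside world.
SAMPLE_PACKETS = [
    ("10.1.2.3", "egress"),        # normal outbound traffic
    ("203.0.113.7", "egress"),     # internal host sending a spoofed source
    ("198.51.100.2", "ingress"),   # normal inbound traffic
    ("192.168.5.9", "ingress"),    # outsider claiming an internal address
    ("10.9.9.9", "ingress"),       # another spoofed inbound packet
]


def filter_packets(packets):
    """Apply the verdict to each packet: list of (src, direction, action, reason)."""
    return [(src, d, *border_router_verdict(src, d)) for src, d in packets]


def drop_summary(packets):
    """Count dropped packets per direction, the figure a log review starts from."""
    counts = {"egress": 0, "ingress": 0}
    for _, direction, action, _ in filter_packets(packets):
        if action == "drop":
            counts[direction] += 1
    return counts


if __name__ == "__main__":
    for row in filter_packets(SAMPLE_PACKETS):
        print(row)
    print(drop_summary(SAMPLE_PACKETS))
```

The dropped egress packets are the interesting ones for forensics: each one is an internal host emitting a source address it does not own, which points at a compromised machine on the inside rather than at an outside attacker.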

Page 9

How do hackers do this?

Source routing

• Should be disabled since never used by legitimate applications – use dynamic protocols

Network flooding and SYN flooding

• Use patches

Smurfing

• Disable IP-directed broadcasts at the router

Page 10

How do hackers do this?

Exploit Vulnerabilities

• Scanners and Profilers

– Preliminary evaluation of software

– Determine hardware

– Identify versions and patches

• Sniffers and snoopers

– Might watch network or disk traffic, or be planted inside to watch the print spooler or logins

– Must monitor own system – SNORT

• Security Tools

– If a hacker finds them on your system he can use your tools to identify your security flaws

• Buffer Overflows

• File permissions

• Password Crackers

Page 11

How do they start? Target selection – information gathering

Web resources

• Whois

– http://www.networksolutions.com/cgi-bin/whois/whois – Network Solutions whois query tool (.com, .net, .org)

– http://www.ripe.net/db/whois.html – European IP Address Allocations

– http://whois.apnic.net – Asia Pacific IP Address Allocation

– http://www.nic.mil/cgi-bin/whois – US Military

– http://www.nic.gov/cgi-bin/whois – US Government

– http://www.arin.net/whois – ARIN IP address ownership query

Page 13

Target selection - Passive methods

• Dejanews.com

– Search for postings

– Discover infrastructure

– Build profile of user for later social engineering

• Search engines – link:www.yoursite.com

Page 14

DEJA Search

Page 16

Where is evidence of this activity?

• In http logs and firewall logs

• What about social engineering (spying)? – No evidence, because it is non-technological

Page 17

Target acquisition - scanning

• Network scanning – Automated scripts that ID active hosts

– OS Fingerprinting

– Port scanning

– Vulnerability scanning

• Telco scanning

Page 19

Nmap - The scanner of choice

• Quiet

• Decoys

• Very accurate OS fingerprinting

• UDP, stealth, full connect

• IPFrag

• …and more

Page 21

IP scanning

• Solarwinds.net

• For a few hundred $ you get: – Cisco tools, DNS tools, TFTP, Network Discovery tools, Ping tools

• Vulnerable ports = RFC 1700

Page 23

Scanners of all types

• Free

– nessus – www.nessus.org

– nmap – www.insecure.org

– satan – ftp.win.tue.nl (/pub/security)

– Cheops – www.rsh.kiev.ua ($25.00)

– Sam Spade (Win 9x/NT/2K) – www.samspade.org

Page 24

War dialers

• Shareware

– ToneLoc

– THC scan (2.0)

• Commercial

– Phone Sweep

– SecureLogix (a.k.a. Wheelgroup)

• New and improved for the Palm – www.l0pht.com, now at stake.com

• Review PBX records!!!

Page 27

TCP stack fingerprinting

• Different OSs respond in different ways to non-standard packets

• Programs use databases of these responses to determine OS & version of target machine

• QueSO and nmap

Page 30

Where is evidence of Network and System Reconnaissance?

• In router logs, if logging is turned on at the appropriate level

• Ping sweeps will appear as ICMP packets to a large range of destination addresses with the same source address

• Evidence needs piecing together from

– System logs

– Temporary or hidden directories

– User home directory
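The ping sweep signature on the slide (one source address, ICMP echo requests to many destinations in a short time) is simple enough to turn into a detection over router logs. The Python below is an added example, not part of the slides or of Schlarman's text. The log lines are constructed in a Cisco-ACL-like format for the demo and are not a real capture; the threshold and window are assumptions to tune for the site. It parses echo requests (ICMP type 8), groups them by source, and reports any source that touched at least `min_targets` distinct destinations inside a sliding window of `window_seconds`.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed router log lines in a Cisco-ACL-like format (made up for this
# example; real routers vary). "(8/0)" is ICMP type 8 / code 0, an echo
# request; "(0/0)" is an echo reply and is ignored by the detector.
LOG_LINES = """\
Mar 10 08:00:12 border-rtr %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 198.51.100.4 -> 10.0.0.1 (8/0), 1 packet
Mar 10 09:12:01 border-rtr %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 203.0.113.9 -> 10.0.0.1 (8/0), 1 packet
Mar 10 09:12:02 border-rtr %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 203.0.113.9 -> 10.0.0.2 (8/0), 1 packet
Mar 10 09:12:02 border-rtr %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 10.0.0.1 -> 203.0.113.9 (0/0), 1 packet
Mar 10 09:12:03 border-rtr %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 203.0.113.9 -> 10.0.0.3 (8/0), 1 packet
Mar 10 09:12:04 border-rtr %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 203.0.113.9 -> 10.0.0.4 (8/0), 1 packet
Mar 10 09:12:05 border-rtr %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 203.0.113.9 -> 10.0.0.5 (8/0), 1 packet
Mar 10 09:12:06 border-rtr %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 203.0.113.9 -> 10.0.0.6 (8/0), 1 packet
Mar 10 09:12:07 border-rtr %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 203.0.113.9 -> 10.0.0.7 (8/0), 1 packet
Mar 10 09:12:08 border-rtr %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 203.0.113.9 -> 10.0.0.8 (8/0), 1 packet
Mar 10 09:30:00 border-rtr %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 10.0.0.50 -> 10.0.0.1 (8/0), 1 packet
Mar 10 09:30:01 border-rtr %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 10.0.0.50 -> 10.0.0.1 (8/0), 1 packet
Mar 10 09:30:02 border-rtr %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 10.0.0.50 -> 10.0.0.1 (8/0), 1 packet
Mar 10 10:00:12 border-rtr %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 198.51.100.4 -> 10.0.0.2 (8/0), 1 packet
Mar 10 12:00:12 border-rtr %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 198.51.100.4 -> 10.0.0.3 (8/0), 1 packet
""".splitlines()

# timestamp, source, destination and ICMP type from one log line
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S+ list \d+ \w+ icmp "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+) \((?P<type>\d+)/\d+\)"
)


def parse_echo_requests(lines):
    """Return (timestamp, src, dst) for every ICMP echo request in the log."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m.group("type") != "8":
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append((ts, m.group("src"), m.group("dst")))
    return events


def detect_ping_sweeps(lines, min_targets=5, window_seconds=60):
    """Map each sweeping source to the distinct destinations it probed.

    A source is flagged when some window of window_seconds contains echo
    requests from it to at least min_targets distinct destinations.
    """
    by_src = defaultdict(list)
    for ts, src, dst in sorted(parse_echo_requests(lines)):
        by_src[src].append((ts, dst))
    window = timedelta(seconds=window_seconds)
    hits = {}
    for src, evs in by_src.items():
        start, best = 0, set()
        for end in range(len(evs)):
            # slide the window start forward until it fits
            while evs[end][0] - evs[start][0] > window:
                start += 1
            targets = {d for _, d in evs[start:end + 1]}
            if len(targets) > len(best):
                best = targets
        if len(best) >= min_targets:
            hits[src] = sorted(best, key=lambda a: tuple(int(o) for o in a.split(".")))
    return hits


if __name__ == "__main__":
    for src, targets in detect_ping_sweeps(LOG_LINES).items():
        print(f"ping sweep from {src}: {len(targets)} hosts, first {targets[0]}, last {targets[-1]}")
```

Two things the sample is built to show: the echo reply from 10.0.0.1 and the three repeated pings from 10.0.0.50 to a single host are not counted, and the slow probe from 198.51.100.4 (three hosts over four hours) is only caught if the window is widened, which is the usual trade-off when a scanner throttles itself.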

Page 31

What do we do?

• Document every interaction with the host:

– Who, when, which commands

– Make a forensic copy of the system log for evidence

– Collect as much system evidence as possible
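The three points above (record who did what and when, take a forensic copy of the log, keep collecting) are a procedure, and the Python below is an added example of carrying it out, not code from the slides or from Schlarman's text. It hashes the source log before copying, copies it with timestamps preserved, hashes the copy and refuses to continue if the two digests differ, makes the copy read-only, and appends every action to a JSON-lines custody log. The sample syslog content, file names and the `demo()` driver are constructed for the example; the examiner name is taken from the `USER` environment variable with a fallback.

```python
import hashlib
import json
import os
import shutil
import socket
import tempfile
from datetime import datetime, timezone


def sha256_of(path, chunk=1 << 20):
    """SHA-256 of a file, read in chunks so large logs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def record_interaction(custody_log, examiner, command, note=""):
    """Append one who/when/what entry to the custody log and return it."""
    entry = {
        "when": datetime.now(timezone.utc).isoformat(),
        "who": examiner,
        "host": socket.gethostname(),
        "command": command,
        "note": note,
    }
    with open(custody_log, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def forensic_copy(source, evidence_dir, examiner, custody_log):
    """Copy a log into the evidence directory and prove the copy matches."""
    os.makedirs(evidence_dir, exist_ok=True)
    dest = os.path.join(evidence_dir, os.path.basename(source) + ".evidence")
    before = sha256_of(source)
    shutil.copy2(source, dest)          # copy2 keeps the original timestamps
    after = sha256_of(dest)
    if before != after:
        raise RuntimeError("evidence copy does not match the source log")
    os.chmod(dest, 0o444)               # nobody edits the evidence copy by accident
    record_interaction(custody_log, examiner, f"copy {source} -> {dest}", note=f"sha256={after}")
    return {"source": source, "copy": dest, "sha256": after}


def verify_copy(copy_path, expected_sha256):
    """Re-hash the evidence copy later (e.g. before presenting it) and compare."""
    return sha256_of(copy_path) == expected_sha256


# Constructed syslog excerpt standing in for /var/log/messages on the host.
SAMPLE_SYSLOG = b"""\
Mar 10 09:12:01 web01 sshd[4121]: Failed password for invalid user admin from 203.0.113.9 port 40112 ssh2
Mar 10 09:12:03 web01 sshd[4121]: Failed password for invalid user admin from 203.0.113.9 port 40113 ssh2
Mar 10 09:12:09 web01 sshd[4130]: Accepted password for deploy from 203.0.113.9 port 40120 ssh2
"""


def demo():
    """Run the procedure end to end in a temporary directory and return what it produced."""
    work = tempfile.mkdtemp(prefix="forensics-demo-")
    src = os.path.join(work, "messages")
    with open(src, "wb") as f:
        f.write(SAMPLE_SYSLOG)
    custody = os.path.join(work, "custody.jsonl")
    examiner = os.environ.get("USER") or "examiner"
    record_interaction(custody, examiner, "ls -la /var/log", "initial look at the host")
    rec = forensic_copy(src, os.path.join(work, "evidence"), examiner, custody)
    rec["verified"] = verify_copy(rec["copy"], rec["sha256"])
    rec["expected_sha256"] = hashlib.sha256(SAMPLE_SYSLOG).hexdigest()
    with open(custody, encoding="utf-8") as f:
        rec["custody_entries"] = [json.loads(line) for line in f]
    return rec


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The digest recorded in the custody log at copy time is what lets you show later that the evidence copy is the same bytes that were on the host, and the custody entries are the "who, when, which commands" record the slide asks for.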

Page 32

Denial of Service – crashing the host

• Winnuke – OOB (Out of Band) attack on any unpatched 95/98 or NT box

– Blue screens the box and forces a reboot

• Ping of Death – ICMP attack using large packets

• Teardrop – Locks up the target

• Xcrush, Targa – DoS compilations

• New DoS attacks target routers

Page 34

Distributed attacks

• Tribe Flood

– ICMP Echo, UDP, SYN and Smurf

– Uses ICMP_ECHOREPLY packets to communicate between master and zombie

– Need to get root on master and agents

– http://packetstormsecurity.org/distributed/tfn3k.txt

• Trin00

– UDP flood

– Uses the UDP protocol to communicate

Page 35

E-mail bombing applications

– Unabomber

– Kaboom 3.0

– Avalanche

– Ghost Mail

Page 36

Packet sniffers

• What is it? – Application that collects all TCP/IP (UDP, etc.) packets off the wire

• What is it used for?

– Diagnose network problems

– Reading email

• Email security = postcard

• We continue to use this for business critical/personnel data transfers

– Logging web usage

– Usernames/passwords

Page 38

Packet sniffers

• Commercial

– Sniffer Pro – www.nai.com

– Iris – www.eeye.com/html/index.html

• Spynet

• TCPDUMP / WINDUMP – http://netgroup-serv.polito.it/windump/

• Included in several other programs

– L0phtcrack

– Aggressor

• Wireless

Page 39

Sub 7: What is it?

• Remote Administration trojan, Client/Server architecture

• Server/Trojan runs on:

– Windows ’98

– 2K / NT (v2.2)

• Client runs on:

– Windows 2000

– Windows NT

– Windows ’98

– Port 27374

Page 40

What can it do?

• Full remote administration of the server system:

– Strip out passwords

– Key-logging

– Remote camera viewing

– Full file and registry manipulation

– Email upon discovery

– Message communications (chat, IRC, popups)

Page 45

Password crackers

• NT

– l0phtcrack

• Unix

– Crack – ftp://ftp.cerias.purdue.edu/pub/tools/unix/pwdutils/crack/

– john the ripper

• 98/95

– cain

– showpass

• Service specific

– shares – legion

– mail/ftp – unsecure

Page 48

Intrusion Profiling

• Based on other kinds of criminal profiling

– Time

– Source

– Method

– List of files accessed

– List of files created

Page 49

Some conclusions from profiling

• When

– Daytime might mean a time zone 8-12 away

– Night time might mean local

• Where

– Local address – internal

– Dial-in – “internal” or war dialling

– Wireless

– Targeted host – has inside information

• How

– Simple – inside info

– Has password – may be insider

– Very technical – advanced and may be targeted

Page 50

Other work

• Shanmugasundaram et al.

• Integrating Digital Forensics into a Network Infrastructure

Page 51

Integrating Digital Forensics into a Network Infrastructure

• Prototype system to integrate wide area network forensics

• Purpose

– Forensics

– Network Management

– Compliance

• What to collect

– Network dynamics

– Traffic dynamics

Page 52

Integrating Digital Forensics into a Network Infrastructure

• How to retrieve

• What to store

• Privacy and Security

• Fornet – large Forensic server