Forensics Book 4: Investigating Network Intrusions and Cybercrime
Chapter 4: Router Forensics

Objectives
- Understand router architecture
- Understand the use of Routing Information Protocol (RIP)
- List the different types of router attacks
- Differentiate router forensics from traditional forensics
- List the steps for investigating router attacks
- Conduct an incident response
- Read router logs
- List various router auditing tools

Copyright © by EC-Council Press. All rights reserved. Reproduction is strictly prohibited.

Introduction to Router Forensics
- Router: a network-layer device or software application that determines the next network point to which a data packet should be forwarded in a packet-switched network
- Decides where to send information packets based on its current understanding of the state of the networks it is connected to, as well as the network portion of the Internet Protocol (IP) address
- Routers use headers and forwarding tables to determine the best path for sending data packets

Functions of a Router
- Basic functions of a router:
  - Forwarding packets
  - Sharing routing information
  - Packet filtering
  - Network address translation (NAT)
  - Encrypting or decrypting packets in the case of virtual private networks (VPNs)
- Overall, a router:
  - Is the backbone of a network and performs significant network functions
  - Has the additional responsibility of protocol interpretation

Functions of a Router (continued)
- A router in the OSI model:
  - Operates at the network layer of the OSI model
  - Relays packets among multiple interconnected networks
  - Forwards the packets to the next router on the path until the destination is reached
  - Generally sends the packets through that particular route once the best route is identified
- Router architecture:
  - Memory
  - Hardware
  - IOS
Functions of a Router (continued)
Figure 4-1: Routers operate in the physical, data link, and network layers of the OSI model.

Functions of a Router (continued)
- The routing table and its components:
  - Routing table: a database that stores the most efficient routes to particular network destinations
  - Components of a routing table:
    - Address prefix specifying the address of the final destination of the packet
    - Interface on which the packets corresponding to the address prefix are transmitted
    - Next hop address specifying the address of the router to which a packet must be delivered en route to its final destination
    - Preference value for choosing between several routes with similar prefixes
    - Route duration
    - Specification showing whether the route is advertised in a routing advertisement
    - Specification on how the route is aged
    - Route type
- Routing Information Protocol (RIP): protocol used to manage router information within a self-contained network

Router Vulnerabilities
- Common router vulnerabilities are likely avenues for attack:
  - HTTP authentication vulnerability
  - NTP vulnerability
  - SNMP parsing vulnerability
Router Attacks
- An intruder who takes control of a router can perform many different attacks on a network
- Can gain knowledge of all possible vulnerabilities in a network once the router has been accessed
- An attacker who has gained access to a router can interrupt communication, disable the router, stop communication between compromised networks, and observe and record logs of both incoming and outgoing traffic
- By compromising a router, attackers can avoid firewalls and intrusion detection systems (IDS), and can transmit any kind of traffic to a chosen network

Types of Router Attacks
- Denial-of-service (DoS) attacks
  - Render a router unusable for network traffic by overloading the router's resources so that no one can access it
  - Goals: destruction, resource utilization, and bandwidth consumption
- Packet-mistreating attacks
  - A compromised router mishandles or mistreats packets, resulting in congestion
  - A mistreated packet could cause the following problems: denial of service, congestion, and lowering of connection throughput

Types of Router Attacks (continued)
- Routing table poisoning
  - One of the most prominent types of attacks
  - When an attacker maliciously alters, or poisons, a routing table, the routing-data update packets are also maliciously modified
  - Misconfigured packets produce false entries in the routing table, such as a false destination address
- Hit-and-run attacks
  - Occur when an attacker injects a small number of bad packets into the router to exploit the network
  - Similar to a test attack: the attacker learns whether the network is online and functioning
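An added illustration (not from the book) of the routing-table components listed earlier and of how an investigator examining a seized router's routing table can spot poisoned entries: a minimal table model with longest-prefix lookup, and a comparison of the retrieved table against a known-good baseline. The sample routes, interface names and preference values are constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    prefix: str        # address prefix of the final destination network
    next_hop: str      # address of the router the packet is handed to next
    interface: str     # interface on which packets for this prefix leave
    preference: int    # lower value wins between routes with similar prefixes
    route_type: str    # e.g. "connected", "static", "rip" (assumed labels)

def lookup(table, dst):
    """Pick the route for dst: longest prefix first, then lowest preference."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    return min(candidates,
               key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, r.preference))

def diff_tables(baseline, current):
    """Compare a known-good table with the one retrieved from the router.
    A changed next hop or an unexpected prefix is what poisoning looks like."""
    base = {r.prefix: r for r in baseline}
    cur = {r.prefix: r for r in current}
    changed = {p: (base[p].next_hop, cur[p].next_hop)
               for p in base.keys() & cur.keys()
               if base[p].next_hop != cur[p].next_hop}
    return {"changed": changed,
            "added": sorted(cur.keys() - base.keys()),
            "removed": sorted(base.keys() - cur.keys())}

# Constructed sample tables (not taken from any real device)
BASELINE = [
    Route("0.0.0.0/0", "203.0.113.1", "Serial0", 1, "static"),
    Route("10.1.0.0/16", "10.1.0.1", "Ethernet0", 0, "connected"),
    Route("10.1.20.0/24", "10.1.0.2", "Ethernet0", 120, "rip"),
]
RETRIEVED = [
    Route("0.0.0.0/0", "203.0.113.1", "Serial0", 1, "static"),
    Route("10.1.0.0/16", "10.1.0.1", "Ethernet0", 0, "connected"),
    Route("10.1.20.0/24", "10.1.0.99", "Ethernet0", 120, "rip"),    # next hop altered
    Route("192.168.50.0/24", "10.1.0.99", "Ethernet0", 120, "rip"),  # prefix never in baseline
]
```

Running diff_tables(BASELINE, RETRIEVED) reports the altered next hop for 10.1.20.0/24 and the injected 192.168.50.0/24 prefix, both of which the investigator would then trace in the router logs.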
Types of Router Attacks (continued)
- Persistent attacks
  - The attacker continuously injects bad packets into the router and exploits the vulnerabilities that are revealed during the course of the injection process
  - Can cause significant damage because the router can get flooded with packets and cease functioning due to the constant injection of packets
  - Comparatively easy to detect

Router Forensics Versus Traditional Forensics
- Router forensics does not differ much from traditional forensics, except in some particular steps taken during investigations
- During router investigations, the system needs to be online, whereas in traditional forensic investigations, the system needs to be powered off
- The system must be online so the forensic investigator can have exact knowledge of what type of traffic flows through the router

Investigating Router Attacks
- Guidelines:
  - Start with a security policy and develop a plan that includes collecting and defining data
  - Create a reconnaissance methodology that provides information about the target
  - Perform an analysis check to identify incidents and review default passwords and default information
  - Develop an attack strategy for analyzing commands to access the network, ACLs, firewalls, and protocols
  - Be careful while accessing the router
- Intrusion analysis is vital to identifying the attacker and preventing the success of future attacks
Investigation Steps
- Seize the router and maintain the chain of custody
  - The investigator should seize the router so that nobody can change its configuration
  - Chain of custody: the record of seizure, custody, control, transfer, analysis, and disposition of physical and electronic evidence
- Perform incident response and session recording
  - The router should not be rebooted unless absolutely necessary
  - Record all information and evidence acquired
  - No modifications should be made to the information and evidence acquired

Investigation Steps (continued)
Figure 4-2: Chain of custody forms document the evidence-gathering phase of an investigation.

Investigation Steps (continued)
- Incidents that should be handled in specific ways:
  - Direct-compromise incidents
  - Routing table manipulation
  - Theft of information
  - Denial of service
- Access the router (guidelines):
  - The router must be accessed through the console
  - Record the entire console session
  - Record the actual time and the router time
  - Only show commands should be executed
  - Volatile information must be given priority

Investigation Steps (continued)
Figure 4-3: Every step an investigator takes must be recorded.
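An added example (not from the book) of the session-recording and chain-of-custody steps above: it hashes the recorded console session, records both the investigator's clock and the router's clock from the show clock output, stores the skew so router-stamped log times can later be aligned with real time, and verifies the recording has not changed since seizure. The transcript, the show clock line format and the investigator name are constructed assumptions.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed console transcript (not from the book): recorded output of the
# show commands run at the console. The 'show clock' line format is assumed.
SESSION_TRANSCRIPT = """\
router#show clock
*14:03:27 UTC Tue Mar 04 2014
router#show running-config
! constructed excerpt
hostname router
"""
INVESTIGATOR_TIME = datetime(2014, 3, 4, 14, 5, 0, tzinfo=timezone.utc)  # wall clock at seizure

def transcript_hash(text):
    """SHA-256 of the recorded session, stored in the custody record."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def parse_router_clock(transcript):
    """Return the router's own clock from the 'show clock' output line."""
    for line in transcript.splitlines():
        if line.startswith("*"):
            naive = datetime.strptime(line[1:], "%H:%M:%S %Z %a %b %d %Y")
            return naive.replace(tzinfo=timezone.utc)
    raise ValueError("no 'show clock' output found in transcript")

def custody_record(transcript, investigator_time, investigator):
    """Seizure entry: who collected, both clocks, the skew between them,
    and the evidence hash."""
    router_time = parse_router_clock(transcript)
    return {
        "investigator": investigator,
        "collected_at": investigator_time.isoformat(),
        "router_clock": router_time.isoformat(),
        "clock_skew_seconds": int((investigator_time - router_time).total_seconds()),
        "sha256": transcript_hash(transcript),
    }

def normalise_router_time(router_stamped, record):
    """Align a router-stamped time (e.g. a log entry) with the investigator's clock."""
    return router_stamped + timedelta(seconds=record["clock_skew_seconds"])

def verify(transcript, record):
    """Integrity check: has the recorded session changed since seizure?"""
    return transcript_hash(transcript) == record["sha256"]

def example_record():
    return custody_record(SESSION_TRANSCRIPT, INVESTIGATOR_TIME, "investigator name (placeholder)")
```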
Investigation Steps (continued)
- Gather volatile evidence
  - Volatile evidence: evidence that can easily be lost during the course of a normal investigation
  - Items considered volatile evidence: current configuration, access list, time, and log files
  - Methods to collect volatile evidence:
    - Direct access: carried out using show commands
    - Indirect access: carried out only if the attacker has changed the passwords, by port-scanning every router IP

Investigation Steps (continued)
- Identify the router configuration
  - Establish a connection to the router to retrieve the RAM and NVRAM
  - Use the encrypted protocol Secure Shell (SSH) to remotely access the router if a direct connection is not possible
  - Log the entire session with HyperTerminal
  - Capture and save the volatile and nonvolatile router configurations for documentation purposes
- Examine and analyze
  - Once the volatile evidence has been secured and the configuration has been obtained, the investigator can begin to analyze the retrieved information

Investigation Steps (continued)
- Router components that should be examined and analyzed:
  - Router configuration
  - Routing table
  - Access control list
  - Router logs: provide information about the router's activities
    - Types of router logs: syslog log, log buffer, console log, terminal log, SNMP log, and ACL violation log

Investigation Steps (continued)
Figure 4-4: Router log files can tell an investigator where a connection originated.

Investigation Steps (continued)
Figure 4-5: The ping command can be used to find a host name.
Investigation Steps (continued)
- NETGEAR router logs
  - Can be used for monitoring network activities for specific types of attacks and reporting those attacks to a security monitoring program
  - Can be used to perform the following tasks:
    - Alert when someone on a LAN has tried to access a blocked WAN address
    - Alert when someone on the Internet has tried to access a blocked address in a LAN
    - Identify port scans, attacks, and administrative logins
    - Collect statistics on outgoing traffic
    - Assess whether keyword-blocking rules are excluding an undesired IP address

Investigation Steps (continued)
Figure 4-6: NETGEAR router logs allow the user to apply various firewall rules.

Investigation Steps (continued)
Figure 4-7: Entries indicating suspicious data being dropped are a possible indication of an attack.

Investigation Steps (continued)
- Real-time forensics
  - The investigator should use the router to monitor the network after removing or collecting the data from the compromised router
  - AAA logging gathers the following information:
    - Login time
    - Logout time
    - HTTP accesses
    - Privilege level changes
    - Commands executed
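An added example (not from the book, and not a NETGEAR or Cisco tool) covering the ACL-violation log analysis from the previous slides and the NETGEAR log tasks above: it reads dropped-packet and administrative-login entries, classifies each blocked attempt as LAN-to-WAN or WAN-to-LAN, and flags a source hitting many distinct ports or an admin login from an address the firewall was already dropping. The log lines, their key=value format and the LAN range are constructed assumptions; real device formats differ and the regexes must be adapted.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed log excerpt (not from the book) in an assumed key=value format;
# real NETGEAR or IOS ACL-violation formats differ, so adapt the regexes.
LOG_LINES = """\
Mar 04 14:01:02 router DROP src=198.51.100.23 dst=10.1.0.5 proto=TCP dpt=21
Mar 04 14:01:02 router DROP src=198.51.100.23 dst=10.1.0.5 proto=TCP dpt=22
Mar 04 14:01:03 router DROP src=198.51.100.23 dst=10.1.0.5 proto=TCP dpt=23
Mar 04 14:01:03 router DROP src=198.51.100.23 dst=10.1.0.5 proto=TCP dpt=80
Mar 04 14:01:04 router DROP src=198.51.100.23 dst=10.1.0.5 proto=TCP dpt=443
Mar 04 14:02:10 router DROP src=10.1.0.17 dst=203.0.113.9 proto=TCP dpt=80
Mar 04 14:03:00 router ADMIN_LOGIN user=admin src=10.1.0.44
Mar 04 14:03:30 router ADMIN_LOGIN user=admin src=198.51.100.23
""".splitlines()

LAN = ip_network("10.1.0.0/16")  # assumed address range of the protected LAN
TS = r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ "
DROP_RE = re.compile(TS + r"DROP src=(?P<src>\S+) dst=(?P<dst>\S+) proto=\S+ dpt=(?P<dpt>\d+)$")
LOGIN_RE = re.compile(TS + r"ADMIN_LOGIN user=(?P<user>\S+) src=(?P<src>\S+)$")

def summarise(lines, scan_threshold=5):
    """Per-source drop statistics, direction of each blocked attempt,
    admin logins, and findings an investigator would want to review."""
    drops = defaultdict(lambda: {"count": 0, "ports": set(), "direction": None})
    logins, findings = [], []
    for line in lines:
        m = DROP_RE.match(line)
        if m:
            d = drops[m["src"]]
            d["count"] += 1
            d["ports"].add(int(m["dpt"]))
            d["direction"] = "lan_to_wan" if ip_address(m["src"]) in LAN else "wan_to_lan"
            continue
        m = LOGIN_RE.match(line)
        if m:
            logins.append((m["ts"], m["user"], m["src"]))
    for src, d in drops.items():
        if len(d["ports"]) >= scan_threshold:  # many distinct ports from one source
            findings.append(("probable_port_scan", src, len(d["ports"])))
    for ts, user, src in logins:
        if src in drops:  # admin login from an address the firewall was already dropping
            findings.append(("admin_login_from_dropped_source", src, user))
    return {"drops": dict(drops), "logins": logins, "findings": findings}
```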
Investigation Steps (continued)
- Generate a report (steps):
  - Note the name of the investigator
  - List the router evidence
  - Document the evidence and other supporting items
  - Provide a list of tools used for the investigation
  - List the devices and setup used in the examination
  - Give a brief description of the examination steps
  - Provide the following details about the findings:
    - Information about the files
    - Internet-related evidence
    - Data and image analysis
  - Provide conclusions

Router Audit Tool (RAT)
Figure 4-8: The RAT tool checks devices against settings in a benchmark.

Link Logger
Figure 4-9: Link Logger allows users to see and analyze firewall traffic.

Sawmill
Table 4-1: Sawmill stores these nonnumerical fields in its Linksys router database.

Summary
- A router is a computer networking device that forwards data packets across networks
- A router decides the most effective path for a packet to reach its final destination
- A routing table is a database that stores the most efficient routes to particular network destinations
- The types of router attacks are denial-of-service attacks, packet-mistreating attacks, routing table poisoning, hit-and-run attacks, and persistent attacks

Summary (continued)
- RIP sends routing update messages when the network topology changes
- A router log shows whether anyone has been trying to get into a network
- Investigators must be careful while accessing a router