Network Forensics
advertisement
COMP 4027 Network Forensics This module draws on Network intrusion management and profiling [electronic resource] / Steven Schlarman. Josh Broadway Hons thesis and development of Columbo tool 1 Network Forensics • Common Intrusion Scenarios • Intrusion Profiling • Intrusion Investigation Management Each stage will give some forensic evidence which can be gathered up. Most evidence as we have seen is in logs 2 Common Intrusion Scenarios • Information Gathering • Network and System Reconnaissance • System Vulnerability exploitation 3 What motivates hackers Release Information • Some hackers see a need for freedom of information and thus attack in order to "liberate" the information Release Software • Some make copies of software that can be installed on multiple computers –they crack the licensing code for "ethical" or financial reasons Consume Unused Resources • Try to access any resource – telephone line, bandwidth, disk space – which is not being used 4 What do Hackers do Find Vulnerabilities • Find and exploit vulnerabilities – "security researchers" Find fame • Just another way of seeking attention 5 How do hackers do this? Produce Malicious code • Logic Bomb – Dormant until activated • Parasite – Code added to existing program and draws information which hacker does not have privileges to access. Covert and non-destructive • Trojan horse – Useful program with an alternative agenda • Virus – Infects another program by replicating itself in to the host. – Mostly destructive, perhaps with logic bomb • Worm – Transport mechanism for another program, utilising network 6 How do hackers do this? Modify Source code • Eg in Linux • So remove all compilers from non-development machines Dynamic loadable modules and libraries 7 How do hackers do this? Exploit network protocols • Use the internet daemon, inetd, which listens to each port and passes control of it to the associated program • Hacker can then get control of root E-mail Spoofing • Hacker can telnet to system's SMTP port and input ascii commands to it, identifying someone else in the To: or From : commands IP Spoofing • Remedy: border routers should drop all packets from internal network with a source address which is not part of the internal network 8 How do hackers do this? Source routing • Should be disabled since never used by legitimate applications – use dynamic protocols Network flooding and SYN flooding • Use patches Smurfing • Disable IP-directed broadcasts at the router 9 How do hackers do this? Exploit Vulnerabilities • Scanners and Profilers – Preliminary evaluation of software – Determine hardware – Identify versions and patches • Sniffers and snoopers – Might watch network or disk traffic or be planted inside to watch print spooler or logins – Must monitor own system – SNORT • Security Tools – If a hacker finds them on your system he can use your tools to identify your security flaws • Buffer Overflows • File permissions • Password Crackers 10 How do they start Target selection – information gathering web resources • Whois – http://www.networksolutions.com/cgi-bin/whois/whois – Network Solutions whois query tool (.com, .net, .org) – http://www.ripe.net/db/whois.html – European IP Address Allocations – http://whois.apnic.net – Asia Pacific IP Address Allocation – http://www.nic.mil/cgi-bin/whois – US Military – http://www.nic.gov/cgi-bin/whois – US Government – http://www.arin.net/whois – Arin IP addr ownership query 11 12 Target selection - Passive methods • Dejanews.com – Search for postings – Discover infrastructure – Build profile of user for later social engineering • Search engines – link:www.yoursite.com 13 DEJA Search 14 15 Where is evidence of this activity? • In http logs and firewall logs • What about social engineering (spying) – No evidence because non-technological 16 Target acquisition - scanning • Network scanning – – – – Automated scripts that ID active hosts OS Fingerprinting Port scanning Vulnerability scanning • Telco scanning 17 18 Nmap - The scanner of choice • • • • • • Quiet Decoys Very accurate OS fingerprinting UDP, stealth, full connect IPFrag …and more 19 20 IP scanning • Solarwinds.net • For a few hundred $ you get: – Cisco tools, DNS tools, TFTP, Network Discovery tools, Ping tools • Vulnerable ports = RFC 1700 21 22 Scanners of all types • Free – nessus • www.nessus.org – nmap • www.insecure.org – satan • ftp.win.tue.nl (/pub/security) – Cheops • www.rsh.kiev.ua ($25.00) – Sam Spade (Win 9x/NT/2K) • www.samspade.org 23 War dialers • Shareware – ToneLoc – THC scan (2.0) • Commercial – Phone Sweep – SecureLogix (a.k.a. Wheelgroup) • New and improved for the Palm – www.l0pht.com now at stake.com • Review PBX records!!! 24 25 26 TCP stack fingerprinting • Different OSs respond in different ways to nonstandard packets • Programs use databases of these responses to determine OS & version of target machine • QueSO and nmap 27 28 29 Where is evidence of Network and System Reconnaissance? • In router logs if logging is turned on at appropriate level • Ping sweeps will appear as ICMP packets on a large range of destination addresses with the same source address • Evidence needs piecing together from – System logs – Temporary or hidden directories – User home directory 30 What do we do? • Document every interaction with the host: – Who, when, which commands – Make forensic copy of system log for evidence – Collect as much system evidence as possible 31 Denial of Service – crashing the host • Winnuke – OOB (Out of Band) attack on any unpatched 95/98 or NT box – Blue screens the box and forces reboot • Ping of Death – ICMP attack using large packets • Teardrop – Locks up the target • Xcrush, Targa - DoS compliations • New DoS attacks target routers 32 33 Distributed attacks • Tribe Flood – ICMP Echo, UDP, SYN and Smurf – use ICMP_ECHOREPLY packets to communicate between master and zombie – Need to get root on master and agents – http://packetstormsecurity.org/distributed/tfn3k.txt • Trin00 – UDP flood – use UDP protocol to communicate 34 E-mail bombing applications – – – – Unabomber Kaboom 3.0 Avalanche Ghost Mail 35 Packet sniffers • What is it? – Application that collects TCP/IP (UDP, etc.) all packets off the wire • What is it used for? – Diagnose network problems – Reading email • Email security = postcard • We continue to use this for business critical/personnel data transfers – Logging web usage – Usernames/passwords 36 37 Packet sniffers • Commercial – Sniffer Pro – www.nai.com – Iris www.eeye.com/html/index.html • Spynet • TCPDUMP / WINDUMP – http://netgroup-serv.polito.it/windump/ • Included in several other programs – L0phtcrack – Aggressor • Wireless 38 Sub 7: What is it? • Remote Administration trojan Client/Server architecture • Server/Trojan runs on: – Windows ’98 – 2K / NT (v2.2) • Client runs on: – – – – Windows 2000 Windows NT Windows ’98 Port 27374 39 What can it do? • Full remote administration of the server system: – – – – – – Strip out passwords Key-logging Remote camera viewing Full file and registry manipulation Email upon discovery Message communications (chat, IRC, popups) 40 41 42 43 44 Password crackers • NT – l0phtcrack • Unix – Crack ftp://ftp.cerias.purdue.edu/pub/tools/unix/pwdutils/crack/ – john the ripper • 98/95 – cain – showpass • Service specific – shares - legion – mail/ftp - unsecure 45 46 47 Intrusion Profiling • Based on other kinds of criminal profiling – – – – – Time Source Method List of files accessed List of files created 48 Some conclusions from profiling • When – Daytime might mean a time zone 8-12 away – Night time might mean local • Where – – – – Local address – internal Dial-in – “internal “ or war dialling Wireless Targeted host – has inside information • How – Simple – inside info – Has password – may be insider – Very technical – advanced and may be targeted 49 Other work • Shanmugasundaram et al • Integrating Digital Forensics into a Network Infra structure 50 Integrating Digital Forensics into a Network Infra structure • Prototype system to integrate wide area network forensics • Purpose – Forensics – Network Management – Compliance • What to collect – Network dynamics – Traffic dynamics 51 Integrating Digital Forensics into a Network Infra structure • • • • How to retrieve What to store Privacy and Security Fornet – large Forensic server 52
