Understanding the Gnutella Network

advertisement
ICAC Peer-to-Peer Training
Understanding
the
Gnutella (P2P)
DAY ONE
Network
Training Objectives
•
IP Addresses, Ports, Netstat, & IPConfig
(Overview)
•
Provide a general understanding of Gnutella
and other Peer to Peer (P2P) file sharing
networks and clients;
•
Provide a general understanding of the
RoundUp tool and techniques used by ICAC to
investigate P2P file sharing networks; and
•
Some of the technical implications associated
with P2P file sharing.
Internet Protocol (IP) Addresses
What Are They?
• IP addresses are unique identifiers for every
device connected to the internet
– Similar to a Phone Number
• A typical IP address looks like this:
68.112.233.208
Connecting to the Internet
Source: 67.45.23.35
Destination: 65.12.25.1
Source: 65.12.25.1
Destination: 67.45.23.35
Internet
67.45.23.35
ISP
65.12.25.1
Dynamic Host Configuration Protocol
(DHCP) Server
Special/Private IP Addresses
• Not globally routable.
• Cannot connect directly to the Internet with
them.
• Cannot address information to a private IP
address and send it across the Internet.
• Private Addresses
– 10.0.0.0 through 10.255.255.255
– 172.16.0.0 through 172.31.255.255
– 192.168.0.0 through 192.168.255.255
– 127.0.0.1 (Loopback)
Connecting to the Internet Behind a Router
Source: 67.45.23.35
Destination: 65.12.25.1
Internet
•Source: 65.12.25.1
Destination: 67.45.23.35
Source:
67.45.23.35
192.168.1.102
65.12.25.1
Destination: 192.168.1.101
External Interface
67.45.23.35
IP Address
ISP
192.168.1.101
Source: 192.168.1.101
Destination: 67.45.23.35
MAC
192.168.1.1
Internal Interface
192.168.1.100
Dynamic Host Configuration (DHCP)
Network Address Translation (NAT)
DHCP
Ports
• Data is transferred through the Internet in
Packets
• Packets contain:
– Source and destination IP addresses
– Source and destination port numbers
• Because of this, you can have packets that
are destine for the same computer but for
completely different applications
• Like doors to a business
Ports
Common Ports:
– Port 21 ------- FTP
– Port 23 ------- Telnet
– Port 25 ------- SMTP
– Port 53 ------- Name Server
– Port 80 ------- HTTP/WEB
– 65,536 available port numbers
– More info on Ports:
www.iana.org/assignments/port-numbers
IP Addresses & Ports
• Gnutella Network also uses IP Addresses & Ports to
communicate
• IP & Port P2P Syntax:
74.234.21.132:6346
• Port Numbers are not always the same or static
• Dependent on the Gnutella Client
• Can change automatically or manually
• Gnutella Client may use more than one port
Using Ports to communicate with
P2P File Sharing Program
Packet(s) – File Request
Source IP: 132.177.48.63
Destination IP: 216.109.118.76
Source Port: 6346
Destination Port: 15324
IP: 132.177.48.63
IP: 216.109.118.76
Port: 6346
Port: 15324
Packet(s) – File Transfer
Source IP: 216.109.118.76
Destination IP: 132.177.48.63
Source Port: 15324
Destination Port: 6346
10
Netstat (Overview)
• Netstat is an internal Windows program that
displays the current network connections
– Click the “Start” Button
– Click “Run” (Windows XP only. Vista/Win7 just type in the
“Search programs and files” box)
– Type: cmd
– Type: netstat -n
• Gives us the ability to show that the suspect
computer was directly connected to our
computer
Ipconfig (Overview)
• Ipconfig is an internal Windows program
that displays the assigned IP address for
your computer
– Click the “Start” Button
– Click “Run” (Windows XP only. Vista/Win7 just type in the
“Search programs and files” box)
– Type: cmd
– Type: ipconfig (ipconfig /all)
• May show a public or private IP address
assigned by a router
Any Questions?
• IP Addresses?
• Ports?
• Netstat?
• Ipconfig?
P2P File Sharing Programs
What is Peer to Peer file sharing??
Peer to Peer (P2P) file sharing programs are
a standard way to transfer files from one
computer system to another while connected
to a network, usually the Internet.
What is the Gnutella Network??
An Open Source file sharing network.
Why Investigate P2P?
• Peer to peer (P2P) file sharing networks, including
the Gnutella network, are frequently used to
obtain and trade digital files of child pornography.
• These files include both image and movie files.
• These files range from commercially produced to
homemade.
• Easy to identify Computers sharing these files
Operation RoundUp
•
Investigative effort into the dissemination of child
pornography by the Gnutella file sharing network.
•
This operation has led to the issuance and execution of
search warrants resulting in numerous arrests &
convictions for possession and distribution of child
pornography.
•
Additionally, numerous contact offenders & live
victims have been located and identified.
•
RoundUp – PA/MA State Police & UMass/Georgetown
RoundUp Investigative Tool
• Enhanced from publicly available Gnutella Client (Phex)
• Open access to download and candidate details including
Hash value, IP address, & GUID
• Integrated Geo Location & Files of Interest
• Support for high number of Ultra-Peers
- Increases search results
• Allows separation of downloads / uploads
• Multiple, Single Source, or Never Ending Downloads
• Collaborative Effort!!!!
With RoundUp
Four Investigative Obstacles are Overcome:
• 1) P2P Clients are Geographically Indiscriminate
– they gather candidates and files throughout the
world
– Regionalize investigations with IP Geo Mapping
• 2) File names may be misleading or inaccurate
– Uses hash values to identify prosecutable files
• 3) Files transferred from multiple sources
– Allows either multiple or single source downloads
• 4) Dynamic IP Addresses
– Ability to track offenders via the GUID
What is the GUID?
• GUID
• Globally Unique Identifier
• Example: 09D62EA7D03F677BF252C451ADC83A00
• http://en.wikipedia.org/wiki/Globally_Unique_Identifier
• Most Gnutella Clients generate a unique GUID per
User Account
• When target’s IP changes, GUID stays the same
• Allows Investigator to track suspect when IP
changes or identify computer/user on-scene
• May change with client upgrade or randomly
• Can be spoofed
Geographic IP Mapping
Go to IPChicken.com & Maxmind.com
http://www.maxmind.com/
Geographic IP Mapping
• IP trace returns city, state, & country
• Can’t serve a search warrant based on the IP
trace, it is only to show which IP addresses are
most likely to be in your jurisdiction.
• IP tracing minimizes the amount of effort spent
working leads that end up outside your
jurisdiction.
• Subpoena or Court Order is needed to get the
exact location and subscriber of an IP address.
P2P File Sharing Programs
• Peer-to-Peer file sharing programs allow groups of
computers using the same file sharing network (i.e.
Gnutella) and protocols to connect directly to each other
to share files.
Why P2P file sharing networks are so “efficient”?
•Fault Tolerance is built in…
• If the connection with one peer fails, you will be
connected to another
•Load Balancing
• If a peer becomes too busy you will be connected to
another one
P2P File Sharing Programs
Why P2P file sharing networks are so “efficient”?
•Redundancy
• There
is more then one source for the same file
•File Swarming
• You get a file from multiple sources depending on
your settings and you will continually try to find more
sources for that file
P2P File Sharing Programs
Investigative Bonus:
•IP addresses –
• Identifies the computers that have the files
•File Hashing
• SHA-1 or the “Gnutella Hash” uniquely identifies the
target file
Some client programs display the IP address
& SHA-1 hash value of target.
Hash Functions
• A hash function, also known as a message
digest, digital fingerprint, or compression
function, is a mathematical function that
takes a variable-length input string and
converts it into a fixed-length value.
• A hash function is designed in such a way that
it is impossible to reverse the process, that is,
to find a string that hashes to a given value.
Common Hash Functions
• MD5 (Message Digest) hash takes up 16
bytes, which is 128 bits, and can be
expressed as 32 hexadecimal characters.
• SHA1 (Secure Hash Algorithm) hash
takes up 20 bytes, which is 160 bits, and
can be expressed as 40 hexadecimal
characters or as 32 characters
(Base32).
• http://www.itl.nist.gov/fipspubs/fip180-1.htm
to learn more about the Secure Hash Standard.
Comparison
Method
Odds of a Match
DNA (RFLP analysis)
One in 100,000,000,0001 (Billion)
MD5 (128 bit)
One in
340,282,366,920,938,000,000,000,000,000,
000,000,000
SHA1 (160 bit)
One in
1,461,501,637,330,900,000,000,000,000,00
0,000,000,000,000,000,000
1 Excluding monozygotic twins, which are 0.2% of the human population
Hash Functions
• A "collision" occurs when two different data
streams generate the same hash value.
– No known “collision” outside a lab
environment.
– No known SHA-1 collision
• “Avalanche Effect” - a slight change in an
input string will cause the hash value to
change drastically. Even if 1 bit is changed
in the input string, often at least half of the
bits in the hash value will change as a
result.
SHA1 - Demonstration
JQTPDSTHWKMNDT2VLIE3H7EVLMPH6QNO
S33EBO3O5SKAHKKHVATJWSXYSZFQJ5NF
Hashing Demonstration
• Cyohash (Found on ICACCops Website)
SHA-1 – Secure Hash Algorithm v1
Training Point
•
SHA-1 is used for computing a condensed
representation of a message or a data file. SHA-1
produces a secure 160-bit output called a message
digest.
•
It is secure because it is computationally infeasible
(2^160th) to find two different files that produce the
same SHA-1 value.
•
The Secure Hash Algorithm (SHA) was developed by
the National Institute of standards and Technology
(NIST), along with the National Security Agency (NSA),
for use with the Digital Signature Standard (DSS) as
specified within the Secure Hash Standard (SHS).
P2P Networks
Free Net
Gnutella
ed2k
Gnutella Network
•Open source
•Typically free
•UltraPeer (Multiple)
•True SHA1 (Base32)
•160 bit
•Clients may display
SHA1 and IP
address
•Cross Platform
•Windows, Mac, Linux/Unix
• Descriptive File
names
12y walking (upskirt) white thong PTHC,ls magazine, little models, PEDO.jpg
Gnutella Operation
Two types of computers on the
Gnutella Network
•
UltraPeer – indexing servers
• Does not contain the actual file
•
Peer (aka Host or Leaf) - Connects
to Ultrapeers
• Contains the actual file
Who can be an Ultrapeer?
•
•
•
•
A peer who has agreed in the settings;
Must be online a minimum of six hours;
Must have spare bandwidth;
Must be able to receive UDP/TCP/UPnP
connections;
• Not behind a firewall or router that hasn’t been
configured to allow incoming connections;
• Dependant upon network need; and
• Can’t be running Mac Classic or Windows 98.
Who can be an Ultrapeer?
• User chooses to be an Ultrapeer – Options Tab
Ultrapeer/Peer Practical
1. You will need a piece of paper and a pen/pencil
2. Write down two picture names from the next slide and
your IP Address.
3. Give the piece of paper to the person on the end of your
row (at the center of the aisle).
4. YOU are a Peer on our “Gnutella” network
5. The person with all the papers from your row is an
Ultrapeer on our “Gnutella” network
6. The name of the file on the piece of paper is NOT the
picture file, only a note telling the Ultrapeer what file
you are sharing.
7. The Peer (or you) has the picture on your computer.
PENCIL
BICYCLE
CAR
AAIGRGUERNWK2LNOVFYDZ7
ZBJ6UA2ZQA
S6OTFEMMEKBZOUTBGPQ
XMQQCUC2DYGJV
CYSV6LGXLNBMO5N6N43KHP4ANYYBLGO5
BRIDGE
OSVD6AKWSIR4YONJNOEX6WLHAQMUHQI4
COMPUTER
ZXBNTQMIHPTPJXGJLHJ6EQDM2POHCTHC
Gnutella P2P Network
Training Point
Gnutella is an open source file-sharing network. Most
computers that are part of this network are referred to as
peers, hosts or leaves. A peer can simultaneously provide
files (upload) to other peers while getting files (download)
from other peers. Peers may be elevated to temporary
indexing servers referred to as an “ultrapeer.” Ultrapeers
increase the efficiency of the Gnutella network by
maintaining an index of the contents of network peers.
Gnutella users query ultrapeers for files and are directed
to one or more peers sharing that file. There are many
ultrapeers on the network, if one shuts down the network
continues to operate.
The “Push”
• If two computers on the Gnutella network are behind a
firewall/router, direct communication between the two
computers CANNOT occur
• If only one computer is behind firewall/router, the
common UltraPeer acts as the Push Proxy
• Your computer needs to be connected to the same
UltraPeer as your target for the “Push” to occur
Ultra Peer
68.112.233.208
Ultra Peer
Ultra Peer
Push Proxy
Target’s GUID
09D62EA7D03F677BF
69.114.23.24
U/C Computer
Target Computer
0.0.0.0
72.128.122.14
Gnutella P2P Clients
Phex
P2P Clients in Cases
Limewire
Frostwire
31%
Bearshare
2%
Bearshare
Shareaza
Other
Other
2%
Shareaza
65%
Source Data from RoundUp as of 01/07/2012
Searching for Files
• Gnutella clients allow a user to search
for pictures, movies and other files by
entering descriptive text as a search
term.
• These terms are typically processed by
Ultrapeers based upon the information
about terms found in filenames that
had been sent by individual peers.
Search Terms for CP
• PJK
• BABY J
• PTHC
• Vicky Compilation
Many Others
Searching in Roundup
Type search term here
Gnutella Operation – Search (Roundup)
Search Tab
Search Results
Gnutella Operation – Search Results With Roundup
File Name
File Type
File Size
Source IP
• Search Results are reported to User from:
– Clients through UltraPeers (Hearsay)
– Clients themselves (out of band searching)
• No Ultrapeer middle man on the response
– Results are complete files (not partial)
Hash Value
Additional Search Results With RoundUp
Vendor
•
•
Files of
Interest
Location
GUID
Push Required
Files of interest are highlighted in red and submitted to ICACCOPS database
REMEMBER: Results are reported either directly from a client or from a client
through Ultrapeers
– Possible Issue: Hearsay if going through Ultrapeers
– Investigator’s responsibility to remove Hearsay issue
Eliminate the Issue of Hearsay
• Establish a Direct Connection to the source
computer.
– Download a file or partial file - The download of
data from an IP address removes hearsay issues.
– Browse Host - This is a “get” command that can usually
be completed even if the target’s slots are full
• Direct Connect establishes that the target
computer was on-line on a specific date and
time.
– Allows you to get a subpoena, court order or search
warrant
Gnutella Network – Downloading a File
Peer
Peer
Ultra Peer
Ultra Peer
Ultra Peer
Ultra Peer
Send
Data
Peer
Peer
File is obtained from Multiple Peer(s)
called Swarming
Peer
Quick/Swarming Download of a File
pthc Search
Results
Quick/Swarming Download of a File
File being
Downloaded
Download
Candidates
Swarming
Download
“Locate Candidates” Download of a File
pthc Search
Results
Generates Candidates without Downloading File
“Locate Candidate” Download of a File
File Generating
Candidates
Download
Candidates
Never Ending
Download
Gnutella Operation – Browsing a Host
Peer
Peer
Ultra Peer
Ultra Peer
Search
Results
Ultra Peer
Ultra Peer
Peer
Peer
Peer
- File List is obtained from a selected Peer
- Direct Connect to the Peer Must Occur!!!
Browsing a Host with RoundUp
Attempt to Browse IP #71.167.48.184 from Hicksville, NY
Browsing a Host Results with RoundUp
Successful Browse of IP #71.167.48.184
Push Proxy Browse
Target’s GUID
Target’s
Ultrapeers
How the Gnutella Network
Shares Files
Packet
I have it
Packet
Leaf
Sender
24.21.23.215
Recipient
68.15.23.25
Leaf
Packet
I have it
Leaf
Packet
Leaf
Packet
Packet
YOU
Search Term
Ultrapeer
I have it
Leaf
Packet
Leaf
Packet
I have it
Packet
Leaf
Leaf
Packet
I have it
Leaf
Packet
Packet
63
Packets are Reassembled
To Make Identical Copy of File
Packet
Packet
Packet
Packet
Packet
Packet
Packet
Packet
Packet
Packet
Packet
Packet
Packet
Packet
Packet
64
Single Source Downloading
Single Source Download of File Starting
with SHA1 Value: 3IIG2EII
Single Source Download
Download Tab
Confirmed Single Source Download
Target is the only Candidate Source
Client & GUID of Target Also Displayed
Why you may be unable
to get the Download
• Their upload slots are full
• Their Bandwidth is maxed out or they turned
bandwidth down to zero
• They set the number of downloads per user to zero
• They aren’t sharing
• They are no longer on the network
– Are you able to browse??
Why is this important?
Static IP vs. Dynamic IP
• Cable vs. Dial Up
• Hearsay issue
• You don’t want to hit the wrong house
• By obtaining a browse, file download, or
partial file download, then the target MUST
be on-line at that time
• Check NETSTAT artifact file
Gnutella Configurations/Options
• The Gnutella network is accessed by sources
running different client programs.
• These programs share common protocols for network access
and file sharing.
• HOWEVER, the user interface, features and
configuration may vary between clients and
versions of the same client.
• Many Options can be configured
• Know the default configurations/settings
Gnutella Configurations/Options
Training Point
• Some P2P file sharing networks are designed to
allow users to download files and frequently
provide enhanced capabilities to reward the
sharing of files by providing reduced wait
periods, higher user ratings, or other benefits.
• In some instances, users are not allowed to
download files if they are not sharing files.
• Typically, settings within these programs
control sharing thresholds.
Questions??
Download