www.SecureSystemsSupport.co.uk
Copyright Secure Systems Support Limited.
Practical Network Forensics: Open Source Tools

Agenda:
- Preparation
- Passive Discovery (and some Active)
- Background Information
- Tool Usage
- Practical Network Topology
- Practical
Preparation - Reconnaissance

Discover:
- Network infrastructure types: copper / fibre / radio / satellite
- Type, number and location of: network and server hardware / printers / workstations
- Network services, including: DHCP / DNS / WINS; web servers / Internet gateway servers; print and file shares / network storage
Preparation - Equipment
Passive Discovery

Discover:
- Noisy operating systems, e.g. Windows NetBIOS network traffic:
  tcpdump -nvXtttt -s 0 udp port 138
- General network traffic: etherape
etherape
Passive Discovery
tcpdump (Linux)

Command line packet sniffer / analyser. Remember these options:

  -n      No DNS lookup (stay passive: a reverse lookup is traffic you generate)
  -v      Verbose; -vv for more detail
  -tttt   Timestamps as YYYY-MM-DD HH:MM:SS.fraction
  -s 0    Snaplen (captured packet size) 0 = whole packet (older tcpdump versions truncated at 68 bytes by default; recent releases capture whole packets)
  -e      Show link layer (MAC) addresses
  -X      Show packet data in hex and ASCII
Active Discovery
OUI (the vendor prefix in a MAC address) information: http://standards.ieee.org/regauth/oui/oui.txt
Active Discovery

Alternatively, build a deduplicated log of the local ARP cache (arp -n avoids reverse DNS lookups), keeping the previous copy:

  arp -n >>arp.log
  mv arp.log arp.log.old
  sort -u arp.log.old >arp.log
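The sort -u step above only stops the log from growing; what an investigator actually wants is what changed between runs. The script below is an added example (not from the original slides) that wraps the same append / move / sort -u steps in a function, reports IP/MAC pairs not seen before, and flags an IP that has been seen with more than one MAC. It assumes the classic Linux arp -n output format; the ARP snapshots it feeds in are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original slides): keep a deduplicated ARP log,
# report IP/MAC pairs that are new since the last run, and flag IPs that have
# appeared with more than one MAC. Assumes the classic Linux "arp -n" layout:
#   Address      HWtype  HWaddress          Flags Mask  Iface
# All sample data below is constructed.
LC_ALL=C
export LC_ALL

# update_arp_log LOGFILE   (reads "arp -n" output on stdin)
# Appends the IP/MAC pairs to LOGFILE, keeps it sorted and unique, keeps the
# previous copy as LOGFILE.old, and prints the pairs not seen before this run.
update_arp_log() {
    local log="$1"
    [ -f "$log" ] || : > "$log"
    # Only complete entries carry a hardware address ("ether" in column 2);
    # "(incomplete)" rows have no MAC and are dropped.
    awk '$2 == "ether" { print $1, tolower($3) }' | sort -u > "$log.new"
    # comm needs sorted input; both files are kept sorted by sort -u.
    comm -13 "$log" "$log.new"
    mv "$log" "$log.old"
    sort -u "$log.old" "$log.new" > "$log"
    rm -f "$log.new"
}

# arp_conflicts LOGFILE
# Prints IPs that have appeared with more than one MAC over the life of the
# log: a swapped NIC, a DHCP reassignment, or ARP spoofing. Worth a look.
arp_conflicts() {
    awk '{ macs[$1] = macs[$1] " " $2; n[$1]++ }
         END { for (ip in n) if (n[ip] > 1) print ip ":" macs[ip] }' "$1" | sort
}

# Demonstration with two constructed snapshots of the ARP cache.
demo_arp_log() {
    local dir
    dir=$(mktemp -d)
    echo '--- first snapshot: everything is new ---'
    printf '%s\n' \
        'Address        HWtype  HWaddress           Flags Mask  Iface' \
        '172.30.68.1    ether   00:11:22:33:44:55   C           eth0' \
        '172.30.68.20   ether   00:50:56:ab:cd:ef   C           eth0' \
        '172.30.68.99           (incomplete)                    eth0' \
        | update_arp_log "$dir/arp.log"
    echo '--- second snapshot: one new host, one IP with a changed MAC ---'
    printf '%s\n' \
        'Address        HWtype  HWaddress           Flags Mask  Iface' \
        '172.30.68.1    ether   00:11:22:33:44:55   C           eth0' \
        '172.30.68.20   ether   08:00:27:12:34:56   C           eth0' \
        '172.30.68.77   ether   00:0c:29:aa:bb:cc   C           eth0' \
        | update_arp_log "$dir/arp.log"
    echo '--- IPs seen with more than one MAC ---'
    arp_conflicts "$dir/arp.log"
    rm -rf "$dir"
}
demo_arp_log
```

In use, replace the constructed printf lines with `arp -n | update_arp_log arp.log` run from cron or after each walk of the network; the log then doubles as a timeline of which addresses appeared when.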
PacketLife cheat sheets (author unknown): http://packetlife.net/library/cheat-sheets/
Protocol layers (as drawn on the slide):
  Presentation
  Session
  Transport  - TCP, UDP
  Network    - IP protocol
  Link       - Ethernet protocol
  Physical   - electrical voltage
TCP three way handshake: SYN, SYN/ACK, ACK.

TCP FLAGS (byte 13 of the TCP header, tcp[13] in tcpdump filter syntax):
  URG  0x20  Urgent (use Urgent pointer)
  ACK  0x10  Acknowledgement
  PSH  0x08  Push (flush data to receiver)
  RST  0x04  Reset (abort)
  SYN  0x02  Synchronise (start)
  FIN  0x01  Finish (end gracefully)

Filter for segments with SYN or FIN set: 'tcp[13] & 0x03 > 0'
(0x03 masks the two low bits, SYN and FIN; the quotes stop the shell from interpreting & and >.)
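To see exactly what tcp[13] & 0x03 > 0 tests (the same expression reappears in the filtering table later), here is an added example (not from the original slides) that decodes the flags byte from the hex of a TCP header the way tcpdump's filter does and evaluates the slide's expression against a few constructed 20-byte headers. It assumes offsets count from the start of the TCP header, as pcap filters do, and that the sample headers carry no options.

```shell
#!/bin/sh
# Added example (not from the original slides): decode the TCP flags byte,
# tcp[13] in tcpdump filter syntax, from the hex of a TCP header, and evaluate
# the slide's filter  tcp[13] & 0x03 > 0  the way tcpdump does.
# Offsets are from the start of the TCP header, as in pcap filters; the sample
# segments below are constructed 20-byte headers with no options.

# tcp_byte HEX N: print byte N (0-based) of a hex string as a decimal value.
tcp_byte() {
    local start=$(( $2 * 2 + 1 ))
    echo $(( 0x$(printf '%s' "$1" | cut -c"$start"-"$(( start + 1 ))") ))
}

# tcp_flag_names HEX: names of the set flags, bit 7 down to bit 0 of tcp[13].
# CWR=0x80 ECE=0x40 URG=0x20 ACK=0x10 PSH=0x08 RST=0x04 SYN=0x02 FIN=0x01
tcp_flag_names() {
    local f names=""
    f=$(tcp_byte "$1" 13)
    [ $(( f & 0x80 )) -ne 0 ] && names="$names CWR"
    [ $(( f & 0x40 )) -ne 0 ] && names="$names ECE"
    [ $(( f & 0x20 )) -ne 0 ] && names="$names URG"
    [ $(( f & 0x10 )) -ne 0 ] && names="$names ACK"
    [ $(( f & 0x08 )) -ne 0 ] && names="$names PSH"
    [ $(( f & 0x04 )) -ne 0 ] && names="$names RST"
    [ $(( f & 0x02 )) -ne 0 ] && names="$names SYN"
    [ $(( f & 0x01 )) -ne 0 ] && names="$names FIN"
    printf '%s\n' "${names# }"
}

# syn_or_fin HEX: exit 0 when  tcp[13] & 0x03 > 0  would match, else 1.
# The mask only looks at bits 1 and 0, so SYN/ACK and FIN/ACK match as well;
# a pure SYN (a new connection attempt) is  tcp[13] == 2  or, with the
# symbolic names tcpdump accepts,  tcp[tcpflags] == tcp-syn.
syn_or_fin() {
    [ $(( $(tcp_byte "$1" 13) & 0x03 )) -gt 0 ]
}

# Constructed headers: ports 50000/80, data offset 5 (byte 12 = 0x50),
# window 0xffff; only byte 13 (the flags) differs between them.
SYN_SEG='c350005000000000000000005002ffff00000000'
SYNACK_SEG='0050c35000000000000000015012ffff00000000'
ACK_SEG='c350005000000001000000015010ffff00000000'
FINACK_SEG='c350005000000001000000015011ffff00000000'
RST_SEG='0050c35000000000000000005004000000000000'

for seg in $SYN_SEG $SYNACK_SEG $ACK_SEG $FINACK_SEG $RST_SEG; do
    if syn_or_fin "$seg"; then m=match; else m=no-match; fi
    printf '%s  flags=%-8s  tcp[13]&0x03>0: %s\n' "$seg" "$(tcp_flag_names "$seg")" "$m"
done
```

The output makes the practical point: the slide's filter catches connection starts and ends in both directions, which is what you want for a session timeline, but if the question is "who is scanning" you want pure SYNs only.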
tcpdump - filtering
Alien protocols: IPX / IPv6 / jumbo frames / AppleTalk. Anything that is not IP or ARP on a wired LAN deserves a look. Read a saved capture (here a Kismet dump file) and drop the expected traffic:

  tcpdump -nr <kismet-dumpfile> not ip and not arp

Note that in pcap filter syntax "ip" means IPv4 only ("ip6" is separate), so IPv6 shows up here along with the rest.
Client devices

Unauthorised equipment using the corporate network:
- identify by MAC address? (the OUI gives the vendor, but a MAC is easily changed)
- bridging your network to other networks, e.g. 3G: identify by abnormal data traffic patterns? identify by routed IP packets?
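One concrete form of the "identify by MAC address" check: an added example (not from the original slides) that looks up the OUI vendor in a local copy of the IEEE list referenced earlier, flags addresses whose vendor is not on an expected list, and flags locally administered addresses, which randomised or hand-set MACs carry. The OUI records are constructed in the layout of the oui.txt "(hex)" lines, and the allow-list regex is an assumption for the demo.

```shell
#!/bin/sh
# Added example (not from the original slides): vendor lookup for MAC
# addresses against a local OUI list, plus two red flags for the client
# device review: a vendor that is not expected on this network, and a
# locally administered address. The OUI lines are a constructed sample in
# the layout of the IEEE oui.txt "(hex)" records; the allow-list is assumed.
LC_ALL=C
export LC_ALL

# write_oui_sample FILE: constructed stand-in for a download of oui.txt.
write_oui_sample() {
    cat > "$1" <<'EOF'
00-50-56   (hex)        VMware, Inc.
08-00-27   (hex)        PCS Systemtechnik GmbH
00-0C-29   (hex)        VMware, Inc.
EOF
}

# oui_vendor MAC OUIFILE: print the vendor for the 24-bit OUI, or "unknown".
# Accepts colon- or hyphen-separated MACs in either case.
oui_vendor() {
    local prefix
    prefix=$(printf '%s' "$1" | tr 'a-f:' 'A-F-' | cut -c1-8)
    awk -v p="$prefix" '$1 == p && $2 == "(hex)" { $1 = ""; $2 = ""; sub(/^ +/, ""); print; found = 1 }
                        END { if (!found) print "unknown" }' "$2"
}

# mac_is_local MAC: exit 0 when the locally administered bit (bit 1 of the
# first octet) is set, as in randomised or hand-configured addresses.
mac_is_local() {
    [ $(( 0x$(printf '%s' "$1" | cut -c1-2) & 0x02 )) -ne 0 ]
}

# audit_macs OUIFILE ALLOWED_VENDOR_REGEX   (MACs on stdin, one per line)
# Prints MAC, vendor and a verdict: "ok", "REVIEW" (vendor not expected,
# including unknown OUIs) or "LOCAL-ADMIN" (randomised / hand-set address).
audit_macs() {
    local mac vendor verdict
    while read -r mac; do
        [ -n "$mac" ] || continue
        vendor=$(oui_vendor "$mac" "$1")
        if mac_is_local "$mac"; then verdict="LOCAL-ADMIN"
        elif printf '%s' "$vendor" | grep -Eq "$2"; then verdict="ok"
        else verdict="REVIEW"; fi
        printf '%s\t%s\t%s\n' "$mac" "$vendor" "$verdict"
    done
}

# Demonstration: assumes the site only expects VMware guests on this segment.
OUI_DEMO=$(mktemp)
write_oui_sample "$OUI_DEMO"
printf '%s\n' 00:50:56:ab:cd:ef 08:00:27:12:34:56 00:11:22:33:44:55 12:34:56:78:9a:bc \
    | audit_macs "$OUI_DEMO" '^VMware'
rm -f "$OUI_DEMO"
```

Feed it the MAC column of the ARP log, or the source addresses from tcpdump -e, against the real oui.txt. A hit is a lead, not proof: anyone can set a MAC, so corroborate with the switch port, the DHCP lease and what the host actually sends.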
tcpdump - filtering
  Goal                          Filter / option
  In IP address range           net 10.0.0.0/8
  Outside IP address range      not net 10.0.0.0/8
  Link local activity           net 169.254.0.0/16
  Windows NetBIOS traffic       udp port 138
  Unusual protocols             not ip and not arp
  Save traffic from NIC eth2    -i eth2 -w dumpfile
  VLAN 12 on NIC eth1           -i eth1.0012
  SYN or FIN flag set           'tcp[13] & 0x03 > 0'

Where no VLAN sub-interface exists, capture on the parent interface with the filter "vlan 12" instead.
Passive interface (no IP address, so the host sends nothing of its own): ifconfig eth0 up
Remove the address: ifconfig eth0 0.0.0.0
Disable the interface: ifconfig eth0 down
Specify gateway (only when you do need to talk): route add default gw 192.168.1.234

Note: an interface with no IPv4 address still transmits IPv6 neighbour discovery on Linux; disable IPv6 on the capture interface if the capture must be silent.
Practical network topology (diagram on the slide; labels: 172.30.68.0 /22, XP3 DHCP, .1, 100Mbps Hub)
Practical Tasks

Running tcpdump:
- Launch a terminal window
- Run tcpdump live: tcpdump -ni eth0 (Ctrl-C to stop)
- Run tcpdump writing to a file: tcpdump -ni eth0 -w dump1.tcpd (Ctrl-C to stop); read it back later with tcpdump -nr dump1.tcpd
Other investigations ?
Questions ?
Alan Woodroffe
issg@SecureSystemsSupport.co.uk