
BCS-ISSG Practical Network Forensics Day BCS, London

Practical Network Forensics


Alan Woodroffe
issg@SecureSystemsSupport.co.uk

www.SecureSystemsSupport.co.uk
Copyright Secure Systems Support Limited.

Practical Network Forensics - Agenda

- Open Source Tools
- Preparation
- Passive Discovery (and some Active)
- Background Information
- Tool Usage
- Practical Network Topology
- Practical

Open Source Tools

Tools - Passive Network Analysis

Wireshark (Linux and Windows)
  packet sniffer, GUI
  excellent filtering and re-construction facilities

tcpdump, tcpreplay, tcpxtract (Linux)
  packet sniffer, command line
  excellent filtering and re-construction facilities

etherape (Linux)
  packet sniffer, graphical traffic summary

Preparation - Reconnaissance

Discover:
- Network infrastructure types: copper / fibre / radio / satellite
- Type, number and location of:
    Network / Server hardware / Printers
    Workstations
- Network services including:
    DHCP / DNS / WINS
    Web Servers / Internet Gateway Servers
    Print / File Shares / Network Storage

Preparation - Equipment

Configure and update software / drivers

Network interfaces: Ethernet / Token Ring / copper / fibre

Before connecting:
  Date / Time synchronisation, or use ntp?

After connecting:
  ifconfig eth0 up
  dhclient eth0, or not?
  tcpdump / wireshark

Passive Discovery

Network address ranges

Discover the corporate address ranges, then search for any traffic outside that range:
  tcpdump -nvtttts 0 not net 10.0.0.0/8

Look for 169.254.0.0/16 (DHCP failure)
Look for 192.168.0.0/24 (domestic)
Look for 192.168.1.0/24

Passive Discovery

Discover noisy operating systems:
  Windows NetBIOS network traffic
    tcpdump -nvXtttts 0 udp port 138

General network traffic:
  etherape

Passive Discovery - etherape (graphical traffic summary; screenshot not reproduced)

Passive Discovery

tcpdump (Linux)
Command line packet sniffer / analyser. Remember these options:

  -n      No DNS lookup (stay passive)
  -v      Verbose, can use -vv
  -tttt   Timestamps as YYYY-MM-DD HH:MM:SS.dec
  -s 0    Snaplen (capture packet size) 0, i.e. whole packets
  -e      Show link layer (MAC) addresses
  -X      Show hex and ASCII data

Active Discovery

Connecting to Local Area Networks

network-manager
  automated network interface management software; attempts to connect to networks whenever it can

ifconfig - manually configure a network interface
  ifconfig eth0 192.168.55.123
  ifconfig eth0 up

dhclient - automatically configure a network interface
  dhclient eth0

route - manually configure network routing
  route add default gw 192.168.55.254

Active Discovery

Ping (ICMP echo request / reply)
  ping 192.168.55.123       - single host
  ping -b 192.168.55.255    - broadcast

Arp (Address Resolution Protocol)
  arp -an (Linux / Windows)

  Internet Address    Physical Address     Type
  192.168.55.131      00-0b-cd-c1-e5-c4    dynamic
  192.168.55.138      00-80-87-d4-5b-f8    dynamic
  192.168.55.231      00-0c-29-87-c1-32    dynamic

Active Discovery

OUI information:
  standards.ieee.org/regauth/oui/oui.txt

Discover hardware vendors from the first three octets (the OUI) of each MAC:

  Physical Address     Vendor
  00-0b-cd-c1-e5-c4    Hewlett Packard
  00-80-87-d4-5b-f8    OKI Electric Industry
  00-0c-29-87-c1-32    VMWare

Active Discovery

Log ARP data
  arp -n >>arp.log

or, keeping only unique entries:
  arp -n >>arp.log
  mv arp.log arp.log.old
  sort -u arp.log.old >arp.log
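The ARP logging procedure above together with the OUI lookup from the previous slide, as an added shell example that is not part of the course material. It assumes a log file under a temporary directory, two constructed `arp -n` snapshots (header line omitted) in place of live output, and a vendor table containing only the three OUIs shown on the slides.

```shell
# Added example: de-duplicated ARP log (append, rotate, sort -u) plus vendor tagging by OUI.
LOG=$(mktemp -d)/arp.log        # assumption: log lives in a temp dir for this demo

# Constructed `arp -n` snapshots (Linux format); the second repeats one host of the first.
SNAP1='192.168.55.131   ether   00:0b:cd:c1:e5:c4   C   eth0
192.168.55.138   ether   00:80:87:d4:5b:f8   C   eth0'
SNAP2='192.168.55.138   ether   00:80:87:d4:5b:f8   C   eth0
192.168.55.231   ether   00:0c:29:87:c1:32   C   eth0'

# Append one snapshot, then collapse the log to unique lines (the slide's mv + sort -u).
# In real use the argument would be "$(arp -n)".
log_arp() {
    printf '%s\n' "$1" >>"$LOG"
    mv "$LOG" "$LOG.old"
    sort -u "$LOG.old" >"$LOG"
}

# Map the first three octets of a MAC (colon or dash separated, any case) to a vendor.
# Table constructed from the three OUIs on the slide; a full lookup would use oui.txt.
oui_vendor() {
    case $(printf '%s' "$1" | tr 'A-F' 'a-f' | tr '-' ':' | cut -c1-8) in
        00:0b:cd) echo "Hewlett Packard" ;;
        00:80:87) echo "OKI Electric Industry" ;;
        00:0c:29) echo "VMWare" ;;
        *)        echo "unknown OUI" ;;
    esac
}

# Number of distinct IP/MAC pairs logged so far.
known_hosts() { wc -l <"$LOG" | tr -d ' '; }

# One line per logged host: IP, MAC, vendor.
report() {
    while read -r ip _ mac _; do
        printf '%-16s %s  %s\n' "$ip" "$mac" "$(oui_vendor "$mac")"
    done <"$LOG"
}

log_arp "$SNAP1"
log_arp "$SNAP2"
report
```

A new MAC appearing in the report between runs is the cue to check its OUI against the inventory of expected hardware.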

Background Information - Cheat Sheets

Google: tcpdump cheat sheet

Security Wizardry (Andy Cuff)
  http://www.securitywizardry.com/index.php/tools/analysis-crib-sheets/rawpackets.html

PacketLife (unknown)
  http://packetlife.net/library/cheat-sheets/

Secure Systems Support (Alan Woodroffe)
  headers.pdf

Background Information - ISO 7 Layer Model

The slide shows the same seven-layer stack on two communicating hosts, with the "perceived direct link" running between peer layers:

  ISO Model Layer   Computing Use              Perceived Direct Link
  Application       Web Browser, FTP, Telnet   Browser <-> Server, Telnet client <-> telnetd
  Presentation
  Session
  Transport         TCP, UDP                   TCP protocol
  Network           IP, ICMP                   IP protocol
  Link              Device driver, NIC, ARP    Ethernet protocol
  Physical          Ethernet cable             Electrical voltage

Background Information - IP protocol

TCP three way handshake:  SYN  ->  SYN-ACK  ->  ACK

TCP FLAGS (bit layout of tcp[13]: --UAPRSF):
  URG   Urgent (use Urgent pointer)
  ACK   Acknowledgement
  PSH   Push (flush data to receiver)
  RST   Reset (abort)
  SYN   Synchronise (start)
  FIN   Finish (end gracefully)

  'tcp[13] & 0x03 > 0'   SYN or FIN flag is set
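The flags octet and the `tcp[13] & 0x03` filter above, as an added shell example that is not part of the course material: it decodes byte 13 of a TCP header given as hex (the way `tcpdump -X` prints it) into the slide's flag letters and applies the same SYN-or-FIN test to the three handshake packets. The four TCP headers are constructed.

```shell
# Added example: decode the TCP flags octet (tcp[13]) and mirror 'tcp[13] & 0x03 > 0'.

# Constructed 20-byte TCP headers in hex: ports, seq, ack, then 0x50 (data offset) + flags.
SYN='c4e1 0050 0000 0001 0000 0000 5002 ffff 0000 0000'      # flags 0x02
SYNACK='0050 c4e1 0000 1000 0000 0002 5012 ffff 0000 0000'   # flags 0x12
ACK='c4e1 0050 0000 0002 0000 1001 5010 ffff 0000 0000'      # flags 0x10
FINACK='c4e1 0050 0000 0002 0000 1001 5011 ffff 0000 0000'   # flags 0x11

# Byte 13 of the TCP header (0-based) = hex characters 27-28 once spaces are removed.
flags_byte() { echo $(( 0x$(printf '%s' "$1" | tr -d ' ' | cut -c27-28) )); }

# Flag letters in the slide's --UAPRSF bit order; "none" if no flag is set.
tcp_flags() {
    byte=$(flags_byte "$1"); out=""
    for bit in 0x20:U 0x10:A 0x08:P 0x04:R 0x02:S 0x01:F; do
        if [ $(( byte & ${bit%:*} )) -ne 0 ]; then out="$out${bit#*:}"; fi
    done
    printf '%s\n' "${out:-none}"
}

# Same test as the tcpdump filter 'tcp[13] & 0x03 > 0': true when SYN or FIN is set.
syn_or_fin() { [ $(( $(flags_byte "$1") & 0x03 )) -gt 0 ]; }

# Walk the three-way handshake and show which packets the filter would keep.
for hdr in "$SYN" "$SYNACK" "$ACK"; do
    if syn_or_fin "$hdr"; then m=kept; else m=dropped; fi
    printf 'flags %-4s -> %s\n' "$(tcp_flags "$hdr")" "$m"
done
```

Only the SYN and SYN-ACK packets pass the filter, which is why it is a cheap way to list connection starts and ends without the bulk of the data packets in between.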


tcpdump - filtering

Alien protocols
  IPX / IPv6 / Jumbo frames / AppleTalk
  tcpdump -nr <kismet-dumpfile> not ip and not arp

Client devices
  unauthorised equipment using the corporate network: identify by MAC address?
  bridging your network to other networks, e.g. 3G: identify by abnormal data traffic patterns? identify by routed IP packets?


tcpdump - filtering

  in IP address range             net 10.0.0.0/8
  outside IP address range        not net 10.0.0.0/8
  Link Local activity             net 169.254.0.0/16
  Windows NetBIOS traffic         udp port 138
  Unusual protocols               not ip and not arp
  Save traffic from NIC eth2      -i eth2 -w dumpfile
  VLAN 12 on NIC eth1             -i eth1.0012 tcp
  SYN or FIN flag is set          'tcp[13] & 0x03 > 0'

Practical Network Topology

Connecting to the Network

  Automatic (DHCP)       dhclient eth0
  Manual                 ifconfig eth0 192.168.1.123
  Passive (no output)    ifconfig eth0 up
  Disable                ifconfig eth0 0.0.0.0
                         ifconfig eth0 down
  Specify Gateway        route add default gw 192.168.1.234

Practical Network Topology (diagram)

  Two 100Mbps hubs
  192.168.1.0/24:  .1, .101, .102, .103, .201, .202
  172.30.68.0/22:  69.30, 71.50, 71.70
  XP1, XP2, XP3:   DHCP

Practical Tasks

Running tcpdump
  Launch a terminal window
  Run tcpdump:  tcpdump -ni eth0                  (Ctrl-C to stop)
  Run tcpdump:  tcpdump -ni eth0 -w dump1.tcpd    (Ctrl-C to stop)

Practical Tasks

Generating data to capture
  Launch Firefox
  Browse to http://192.168.1.1
  Close Firefox

Practical Tasks

Examining captured data
  ls -ltr
  tcpdump -nr dump1.tcpd
  tcpdump -nr dump1.tcpd tcp

Practical Tasks

Examining captured data
  ls -ltr
  tcpxtract -f dump1.tcpd
  ls -ltr
  cat <file>.html
  display <file>.gif

Practical Tasks

Full packet capture
  Log all packets on NIC eth1, writing to files named e.g. 20120516103456.tcpd2, starting a new file after every 100MB of logged packets:
  tcpdump -ni eth1 -C 100 -w `date +%Y%m%d%H%M%S`.tcpd

Practical Tasks

IP Time to Live (hop count)
  Analyse a pre-recorded tcpdump file and examine the TTL values of the web browsing packets:
  tcpdump -nvr 3s.web.tcpd

Practical Tasks

Typical TTL initial values
  Linux           64
  Windows         128
  Cisco Router    255
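The TTL task and the table above, as an added shell example that is not part of the course material: it pulls the TTL out of `tcpdump -nv` output and, using only the slide's three initial values, estimates each sender's initial TTL, hop count and likely platform. The capture text is constructed (RFC 5737 documentation addresses); on the course file it would be fed from `tcpdump -nvr 3s.web.tcpd`.

```shell
# Added example: TTL-based hop count and platform estimate from tcpdump -nv lines.

# Constructed tcpdump -nv output: a local SYN, the remote SYN-ACK, and a router's ICMP.
CAPTURE='10:34:56.100000 IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.101.49152 > 203.0.113.10.80: Flags [S], seq 1, win 5840, length 0
10:34:56.130000 IP (tos 0x0, ttl 115, id 2, offset 0, flags [DF], proto TCP (6), length 60)
    203.0.113.10.80 > 192.168.1.101.49152: Flags [S.], seq 2, ack 2, win 65535, length 0
10:34:57.000000 IP (tos 0xc0, ttl 251, id 3, offset 0, flags [none], proto ICMP (1), length 56)
    203.0.113.1 > 192.168.1.101: ICMP time exceeded in-transit, length 36'

# Smallest of the slide's initial values (64, 128, 255) that is >= the observed TTL.
initial_ttl() {
    if [ "$1" -le 64 ]; then echo 64; elif [ "$1" -le 128 ]; then echo 128; else echo 255; fi
}

# Hops traversed = assumed initial TTL minus observed TTL (an estimate, not a measurement).
hops() { echo $(( $(initial_ttl "$1") - $1 )); }

# Typical source platform per the slide's table.
ttl_os() {
    case $(initial_ttl "$1") in
        64)  echo "Linux" ;;
        128) echo "Windows" ;;
        255) echo "Cisco router" ;;
    esac
}

# Read tcpdump -nv text on stdin; print one summary per IP header line.
ttl_report() {
    sed -n 's/^.* ttl \([0-9][0-9]*\),.*$/\1/p' | while read -r t; do
        printf 'ttl %3s  initial %3s  hops %2s  likely %s\n' \
            "$t" "$(initial_ttl "$t")" "$(hops "$t")" "$(ttl_os "$t")"
    done
}

printf '%s\n' "$CAPTURE" | ttl_report
```

A host on the local hub reporting a TTL well below 64, 128 or 255 is worth a second look, since its packets appear to have been routed rather than sent directly.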

Practical Tasks

Web site traffic (HTTP)
  Analyse a pre-recorded tcpdump file and examine the web browsing packets:
  tcpdump -nr bbc.web.tcpd tcp port 80

Practical Tasks

Secure web site traffic (HTTPS)
  Analyse a pre-recorded tcpdump file and examine the web browsing packets:
  tcpdump -nr https.web.tcpd tcp port 443

Practical Tasks

Other investigations ?




Questions ?
Alan Woodroffe
issg@SecureSystemsSupport.co.uk

www.SecureSystemsSupport.co.uk
