1 / 18

COEN 252: Computer Forensics

COEN 252: Computer Forensics. Router Investigation. Significance of Routers. Targets of attacks, esp. DoS. Stepping stones for attacks. Routers store Passwords Routing tables Network block information. Tools for investigation. Characteristics of Routers. Have little storage.

deborahe
Download Presentation

COEN 252: Computer Forensics

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. COEN 252: Computer Forensics Router Investigation

  2. Significance of Routers • Targets of attacks, esp. DoS. • Stepping stones for attacks. • Routers store • Passwords • Routing tables • Network block information. • Tools for investigation.

  3. Characteristics of Routers • Have little storage. • Most information comes from logs or is volatile. • Use Non-Volatile RAM (NVRAM) • Saves configuration files • Use normal RAM • Current routing tables • Listening services • Current Passwords • Forensics exam needs to get the volatile data!

  4. Gather Volatile Router Data • Connect to console port. • Need cable and laptop with terminal emulation software. • Gather Volatile Data • Record System Time • Determine who is logged on

  5. Gather Volatile Router Data • Gather Volatile Data • Determine the uptime and other data on the router since last boot-up • Determine listening sockets • Routers run a few services such as telnet that are vulnerabilities. • Determining listening sockets lists all current services that might be vulnerable. • For example, port 80 (http) is often used for router administration, but port 80 is not normally protected by a firewall.

  6. Gather Volatile Router Data • Gather Volatile Data • Save the router configuration. • Review the routing table. • This detects malicious static routes. • Modified by attacker at the router. • Modified with Routing Information Protocol (RIP) spoofing. • Check the interface configuration • Lots of easy to read data.

  7. Gather Volatile Router Data • Gather Volatile Data • View the ARP cache • Evidence for IP or MAC spoofing

  8. Incidence Investigation • Direct Compromise • Routing Table Manipulation • Theft of Information • Denial of Service

  9. Incidence Investigation:Direct Compromise • Many ways to access a router. • Telnet, SSH, SMTP, … • Physical Access. • Modem Access. • Investigate via listening services. • Listening Services. • Provide potential attack points. • Password Guessing

  10. Incidence Investigation:Direct Compromise • Passwords • Password cracking • stealing from configuration files • sniffing from net • snmp, telnet, HTTP, TFTP • Console Access • Reboot to get access

  11. Incidence Investigation:Direct Compromise • Modem • Last user did not log off. • TFTP • Used to store and reload configuration files. • UDP, no security • Attacker scans network for router and TFTP server, then guesses configuration file name, and receives it via TFTP. This gives all passwords needed to access a router. • Alternatively, router uploads a changed configuration file to the TFTP server and waits for a network reload.

  12. Incidence Investigation:Routing Table Manipulations • Routers use a variety of protocols to update their routing tables. • RIP • Open Shortest Path First • Enhanced Interior Gateway Routing Protocol (EIGRP) • Interior Gateway Routing Protocol (IGRP) • Some have no authentication!

  13. Incidence Investigation:Routing Table Manipulations • Review routing table with “show ip route” • For recovery: • Remove static routing entries. • Reboot router. • Switch to authenticating router updates. (Easier said than done.)

  14. Incident InvestigationTheft of Information • Routers contain network topology and access control. • For recovery: • change all passwords • avoid password reuse

  15. Incident InvestigationDoS • Destruction of router’s capability to function. • Resource consumption reduces functionality of router. • Bandwidth consumption overwhelms the network bandwidth.

  16. Incident InvestigationDoS • Recovery: • Elimination of listening services • Upgrade of software • Access restriction • Authentication

  17. Router Authentication • Routers use Access Control Lists (ACL) • Restrict traffic based on packet attributes • Protocol • Source / Destination IP address • Port • TCP flag • ICMP message type • Time of day

  18. Routers as Monitors • Can log traffic based on ACL • Logs stored at a remote site.

More Related