Computer Forensics - PowerPoint PPT Presentation

PowerPoint Slideshow about 'Computer Forensics' - arama

Presentation Transcript

Computer Forensics

Network Protocols

Overview for Network Forensics

Focus of this presentation

Protocols

With a few anecdotes, how-to-dos & previews thrown in.

Network Protocols: Layering

  • Complexity of networking leads to layered architectures.

    • TCP/IP stack has four levels.

    • OSI has seven.

Network Protocols: Layering

  • Each layer adds a header.

    • Application

    • TCP

    • IP

    • Link

Repetition: Capturing Data on a Network

  • Develop a threat model before deploying Network Security Monitoring

    • Internal / External Attacker

    • Wireless / Wired / …

  • Develop Monitoring zoning

    • Demilitarized zone

    • Wireless zone

    • Intranet zones

Repetition: Capturing Data on a Network

  • Wired monitoring

    • Hubs

    • SPAN ports

    • Taps

    • Inline devices

Repetition: Capturing Data on a Network

  • Hubs

    • Broadcasts incoming data on all interfaces.

    • Be careful about NIC capacity (10/100/1000 Mb/sec)

    • Be careful about hub quality

  • Are inexpensive, but can introduce collisions on the links where the hub sits.

Repetition: Capturing Data on a Network

  • Switched Port Analyzer (SPAN)

    • A.k.a. Port mirroring, Port monitoring.

    • SPAN ports are found on enterprise-class switches.

    • Copies traffic between selected ports to the SPAN port.

    • Configurable

  • Easy access to traffic.

  • Can make mistakes with configuration.

  • Under heavy load, SPAN port might not get all traffic.

  • SPAN only allows monitoring of a single switch.

Repetition: Capturing Data on a Network

  • Test Access Port (TAP)

    • Networking device specifically designed for monitoring applications.

    • Typically four ports:

      • Router

      • Firewall

      • Monitor traffic on remaining ports.

        • One port sees incoming, the other outgoing traffic.

  • Moderately high costs.

Repetition: Capturing Data on a Network

  • Specialized inline devices:

    • Server or hardware device

      • Filtering bridges

        • Server with OpenBSD and two NICs

Link Layer

  • Network Interface Cards (NIC)

    • Unique Medium Access Control (MAC) number

  • Format: 48 bits, written as twelve hex digits (six bytes).

    • First six digits (three bytes) identify the vendor.

    • Last six digits are the serial number.

  • NICs either select based on MAC address or are in promiscuous mode (capture every packet).

Link Layer

  • Address Resolution Protocol (ARP)

  • Resolves IP addresses to MAC addresses

  • RFC 826

Link Layer: ARP Resolution Protocol

  • Assume node A with IP address and MAC 00:01:02:03:04:05 wants to talk to IP address

  • Sends out a broadcast who-has request:

    00:01:02:03:04:05; ff:ff:ff:ff:ff:ff; arp 42 who-has

  • All devices on the link capture the packet and pass it to the IP layer.

  • is the only one to answer:

    a0:a0:a0:a0:a0:a0; 00:01:02:03:04:05; arp 64; arp reply is-at a0:a0:a0:a0:a0:a0

  • A caches the value in its arp cache.

Link Layer: ARP Resolution Protocol

ARP requests (screenshot)

Link Layer Forensics

Network monitoring tools such as Argus or Ethereal / Wireshark log MAC addresses.

Link Layer Forensics


Spike in network traffic comes from a computer with a certain IP address.

However, Argus logs reveal that the traffic comes from a computer with a different MAC than the computer assigned that IP. (Spoofing)

Finally, intrusion response finds the computer with that MAC, a Linux laptop that has been compromised and is used for a Denial of Service attack.

Link Layer Forensics

  • ARP cache can be viewed on Windows NT/2000/XP with the arp -a command.


  • ATM

    • uses fiber optic cables and ATM switches.

    • encapsulates data into ATM cells.

    • number identifies the circuit that ATM has established between two computers.

    • ATMARP allows machines to discover MAC addresses.

      • ATMARP has a central server that responds to ARP requests.

  • ATM forensics is similar.

Link Layer Evidence

  • Sniffers in promiscuous mode.

  • Intruders also use sniffers.

    • Typically monitor traffic to / from compromised system.

    • Sometimes they monitor themselves coming back to look at the sniffer logs.

  • Intruders sometimes encrypt their traffic.

    • But the sniffers still see the packets, they just cannot read them.

  • Installing sniffers can violate the wire-tapping and other laws and is resource-intensive.

    • FreeBSD / OpenBSD seem to be the best platforms.

Link Layer Evidence

  • Sniffer location:

    • On compromised machine.

      • Evidence not trustworthy.

    • Nearby host.

    • Switched Port Analyzer (SPAN)

      • Copies network traffic from one switch port to another

      • Only copies valid Ethernet frames.

      • Does not duplicate all error information.

      • Copying process has lower priority and some packets might not be mirrored.

      • Misses out on traffic on the local link.

Link Layer Evidence

  • Sniffer configuration

    • Can capture entire frames.

    • Or only first part.

      • tcpdump default setting (snapshot length).

Link Layer Evidence

  • Some organizations log ARP information.

  • Routers keep ARP tables.

    • show ip arp

  • All hosts keep ARP tables.

  • DHCP often assigns addresses only to computers with known MAC.

Link Layer Evidence

An employee received harassing e-mail from a host on the employer’s network with IP address

DHCP server database showed that this IP was assigned to a computer with MAC address 00:00:48:5c:3a:6c.

This MAC belonged to a network printer.

The router’s ARP table showed that the IP address was used by a computer with MAC 00:30:65:4b:2a:5c. (IP-spoofing)

Although this MAC was not on the organization’s list, there were only a few Apple computers on the network and the culprit was soon found.

Link Layer Evidence

  • Analyze and filter log files:

    • Keyword searches

      • E.g. for USER, PASS, login

      • Nicknames, channel names

    • Filters

    • Reconstruction

      • E.g. contents of web-mail inbox.

Link Layer Evidence

NetIntercept Screenshot

An example for a Network Forensics / Network Intrusion Detection commercial tool that reveals link layer evidence

ARP Packet

  • RFC 826

  • ARP packet layout (byte offsets):

    • 0-1: Hardware type (0x0001 – Ethernet)

    • 2-3: Protocol type (0x0800 – IP)

    • 4: Number of bytes in hardware address (6 for MAC)

    • 5: Number of bytes in protocol address (4 for IP)

    • 6-7: Opcode: 1 for ARP request, 2 for an ARP reply

    • 8-13: Source MAC

    • 14-17: Source IP

    • 18-23: Target MAC

    • 24-27: Target IP

ARP Packet

Ethereal disassembly of an ARP packet (screenshot)

Monitoring Tools

  • Arpwatch

    • Monitors Ethernet activity and keeps a database of Ethernet/IP address pairings.

Attacks on ARP

  • Packet generators for various OSs.

    • Allow an attacker to subvert a chosen protocol.

      • hping2 for Windows.

      • *NIX, X Windows:

        • packit

        • IP Sorcery

      • and many, many more.

    • Used to create arbitrary packets.

Attacks on ARP

  • Switch Flooding

    • Switches contain a switch address table.

      • The switch address table associates ports with MAC addresses.

    • Switch flooding creates many false entries.

    • Switches fail in two different modes:

      • Fail open:

        • Switch turns into a hub.

          • This allows traffic through the switch to be monitored from any port.

      • Fail closed:

        • Switch stops functioning.

          • Denial of Service (DoS) attack

Attacks on ARP

  • ARP Poisoning:

    • Attacker configures IP forwarding to send packets on to the default router for the LAN.

    • Attacker sends a fake ARP reply to remap the default router's IP address to his MAC address.

    • Switch now takes packets from the victim and forwards them to the attacker.

    • Attacker's machine intercepts the message for sniffing and sends it back to the switch with the MAC address of the router.
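Parsing ARP packets with the byte layout from the ARP Packet slide and watching IP/MAC pairings the way Arpwatch does, as an added example that is not part of the slides. The frames, the 192.0.2.0/24 addresses and the rogue MAC are constructed; the slide's MACs 00:01:02:03:04:05 and a0:a0:a0:a0:a0:a0 are reused. A reply that remaps the gateway's IP to a new MAC, the first step of the poisoning above, produces the "changed ethernet address" alert.

```python
import struct

ETH_HDR_LEN = 14                 # dst MAC (6) + src MAC (6) + EtherType (2)
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2    # opcodes at bytes 6-7 of the ARP packet


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b):
    return ".".join(str(x) for x in b)

def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))

def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def parse_arp(frame):
    """Parse an Ethernet frame carrying ARP, using the byte offsets from RFC 826."""
    if len(frame) < ETH_HDR_LEN + 28:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: EtherType 0x{ethertype:04x}")
    arp = frame[ETH_HDR_LEN:ETH_HDR_LEN + 28]
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", arp[:8])  # bytes 0-7
    if (htype, ptype, hlen, plen) != (0x0001, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {
        "eth_src": mac_str(eth_src),
        "eth_dst": mac_str(eth_dst),
        "opcode": opcode,
        "sender_mac": mac_str(arp[8:14]),    # bytes 8-13
        "sender_ip": ip_str(arp[14:18]),     # bytes 14-17
        "target_mac": mac_str(arp[18:24]),   # bytes 18-23
        "target_ip": ip_str(arp[24:28]),     # bytes 24-27
    }


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Build a frame in the same layout; used here only to construct sample input."""
    eth_dst = "ff:ff:ff:ff:ff:ff" if opcode == ARP_REQUEST else target_mac
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    body = struct.pack("!HHBBH", 0x0001, 0x0800, 6, 4, opcode)
    body += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    body += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + body


class ArpWatch:
    """Minimal arpwatch: remember the MAC first seen for each IP, alert on changes."""

    def __init__(self):
        self.table = {}    # ip -> mac
        self.alerts = []

    def observe(self, pkt):
        alerts = []
        # The sender MAC inside the ARP body should match the frame's source MAC.
        if pkt["sender_mac"] != pkt["eth_src"]:
            alerts.append(f"sender MAC {pkt['sender_mac']} differs from frame source {pkt['eth_src']}")
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac
        elif known != mac:
            alerts.append(f"changed ethernet address: {ip} was {known}, now {mac}")
            self.table[ip] = mac
        self.alerts.extend(alerts)
        return alerts


# Constructed sample traffic: 192.0.2.0/24 is a documentation range, the rogue MAC is made up.
HOST_A_IP, HOST_A_MAC = "192.0.2.10", "00:01:02:03:04:05"
GATEWAY_IP, GATEWAY_MAC = "192.0.2.1", "a0:a0:a0:a0:a0:a0"
ROGUE_MAC = "00:0c:29:aa:bb:cc"

SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, HOST_A_MAC, HOST_A_IP, "00:00:00:00:00:00", GATEWAY_IP),  # who-has
    build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, HOST_A_MAC, HOST_A_IP),            # is-at
    build_arp(ARP_REPLY, ROGUE_MAC, GATEWAY_IP, HOST_A_MAC, HOST_A_IP),              # gateway IP remapped
]


def run_sample():
    """Feed the constructed frames through the watcher; returns it with table and alerts filled."""
    watch = ArpWatch()
    for frame in SAMPLE_FRAMES:
        watch.observe(parse_arp(frame))
    return watch
```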







Attacks on ARP

  • RARP (Reverse Address Resolution Protocol)

  • Used to allow diskless systems to obtain a static IP address.

    • System requests an IP address from another machine (giving its MAC address).

    • Responder either uses DNS with name-to-Ethernet-address data or looks up a MAC-to-IP table.

      • Administrator needs to place the table on a gateway.

    • RARP daemon (rarpd) responds to RARP requests.

  • RARP vulnerability

    • Use RARP together with ARP spoofing to request an IP address and take part in communications over the network.

RARP Packet

  • Packet format as in ARP:

    • 0-1: Hardware type (0x0001 – Ethernet)

    • 2-3: Protocol type (0x0800 – IP)

    • 4: Number of bytes in hardware address (6 for MAC)

    • 5: Number of bytes in protocol address (4 for IP)

    • 6-7: Opcode: 1 for ARP request, 2 for an ARP reply (RARP uses 3 for a RARP request, 4 for a RARP reply)

    • 8-13: Source MAC

    • 14-17: Source IP

    • 18-23: Target MAC

    • 24-27: Target IP


  • Uses IP addresses of source and destination.

  • IP datagrams are moved from hop to hop.

  • “Best Effort” service.

  • Corrupted datagrams are detected and dropped.


  • Addresses contain IP address and port number.

  • IPv4 addresses are 32 bits long.


  • IPv6 addresses are 8 × 16 = 128 bits long.

    • Eight groups of four hexadecimal digits, each group separated by a colon (:).

    • 2001:0db8:85a3:0000:0000:8a2e:0370:7334

    • A shortened notation is defined in the protocol: leading zeros in a group may be dropped and one run of all-zero groups may be written as "::".

    • So this notation is also valid: 2001:db8:85a3::8a2e:370:7334



IP: ICMP

  • Internet Control Message Protocol

  • Created to deal with non-transient problems. For example:

    • Fragmentation is necessary, but the DF (Don't Fragment) flag is set.

    • UDP datagram sent to a non-listening port.

    • Ping.

      • Used to detect network connectivity before it became too useful for attack reconnaissance.

  • Does not use ports.

  • Allows broadcasting.

  • More on ICMP later.

IP: ICMP

  • ICMP error messages should not be sent:

    • For any but the first fragment.

    • For a datagram whose source address is a broadcast or loopback address.

      • Such datagrams are probably malicious anyway.

    • Otherwise ICMP messages could proliferate and throttle a network.

IP: ICMP

  • ICMP errors are not sent:

    • In response to an ICMP error message.

      • Otherwise one could craft a message with invalid UDP source and destination ports and watch the ICMP ping-pong.

    • For a datagram addressed to a broadcast address.

      • Don’t answer with destination unreachable for a broadcast. Otherwise this makes it trivial to scan a network.

Transport Layer: TCP and UDP

  • Transmission Control Protocol (TCP)

    • Reliable

    • Connection-Oriented.

    • Slow

  • User Datagram Protocol (UDP)

    • Unreliable

    • Connectionless.

    • Fast.


  • Only supports unicasting.

  • Full duplex connection.

  • Sequence numbers to detect and recover from lost segments.

TCP: Three-Way Handshake

  • Initiator to responder: SYN with sequence number s

  • Responder to initiator: ACK s, SYN with sequence number t

  • Initiator to responder: ACK t

  • Sets up both directions of the connection with initial sequence numbers s and t.

TCP: Three-Way Handshake

  • 20:13:34.972069 IP > S 2882650416:2882650416(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)

  • 20:13:34.972487 IP > S 1012352000:1012352000(0) ack 2882650417 win 32768 <mss 1460> (DF)

  • 20:13:34.972500 IP > . ack 1 win 17520 (DF)

Sequence number


Window: number of bytes accepted
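The handshake check as added example code (not from the slides): it parses tcpdump lines in the format shown above and verifies that the SYN/ACK acknowledges s + 1 and that the final ACK acknowledges t + 1 (tcpdump prints that as the relative "ack 1"). The sample lines reuse the slide's sequence numbers; the 192.0.2.x addresses and ports are constructed, since the slide's output had them stripped.

```python
import re

# Old-style tcpdump TCP line: "time IP src.port > dst.port: FLAGS [seq:seq(len)] [ack N] win W ..."
LINE_RE = re.compile(r"^(?P<time>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[A-Z.]+) (?P<rest>.*)$")
SEQ_RE = re.compile(r"(\d+):(\d+)\((\d+)\)")
ACK_RE = re.compile(r"\back (\d+)")
WIN_RE = re.compile(r"\bwin (\d+)")


def parse_line(line):
    """Split one tcpdump line into addresses, flags, sequence/ack numbers and window."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised tcpdump line: {line!r}")
    rest = m.group("rest")
    seq, ack, win = SEQ_RE.search(rest), ACK_RE.search(rest), WIN_RE.search(rest)
    return {
        "time": m.group("time"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "flags": m.group("flags"),                 # S = SYN, . = only ACK set, F, R, P as on the flags slide
        "seq": int(seq.group(1)) if seq else None,
        "len": int(seq.group(3)) if seq else 0,
        "ack": int(ack.group(1)) if ack else None,
        "win": int(win.group(1)) if win else None,  # bytes the sender will accept
    }


def check_handshake(text):
    """Validate the three-way handshake at the start of a tcpdump excerpt; returns ISNs and problems."""
    pkts = [parse_line(l) for l in text.strip().splitlines()[:3]]
    if len(pkts) < 3:
        raise ValueError("need at least three packets")
    syn, synack, ack = pkts
    problems = []
    if syn["flags"] != "S" or syn["ack"] is not None or syn["seq"] is None:
        problems.append("first packet is not a bare SYN")
    if synack["flags"] != "S" or synack["ack"] is None or synack["seq"] is None:
        problems.append("second packet is not a SYN/ACK")
    elif (synack["src"], synack["dst"]) != (syn["dst"], syn["src"]):
        problems.append("SYN/ACK does not come from the responder")
    elif syn["seq"] is not None and synack["ack"] != syn["seq"] + 1:
        # The SYN consumes one sequence number, so the responder must acknowledge s + 1.
        problems.append(f"SYN/ACK acknowledges {synack['ack']}, expected {syn['seq'] + 1}")
    if ack["flags"] != "." or ack["ack"] is None:
        problems.append("third packet is not a pure ACK")
    elif ack["ack"] != 1:
        # From here on tcpdump prints relative numbers: "ack 1" stands for t + 1.
        problems.append(f"final ACK acknowledges relative {ack['ack']}, expected 1")
    return {
        "initiator_isn": syn["seq"],                    # s
        "responder_isn": synack["seq"],                 # t
        "final_ack_absolute": synack["seq"] + 1 if synack["seq"] is not None else None,
        "problems": problems,
    }


# Constructed sample: the slide's handshake with placeholder addresses and ports.
GOOD = """\
20:13:34.972069 IP 192.0.2.10.1628 > 192.0.2.20.80: S 2882650416:2882650416(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
20:13:34.972487 IP 192.0.2.20.80 > 192.0.2.10.1628: S 1012352000:1012352000(0) ack 2882650417 win 32768 <mss 1460> (DF)
20:13:34.972500 IP 192.0.2.10.1628 > 192.0.2.20.80: . ack 1 win 17520 (DF)
"""
# Same exchange, but the SYN/ACK acknowledges the wrong number (constructed fault).
BAD = GOOD.replace("ack 2882650417", "ack 2882650420")
```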

TCP: Terminating Connections

  • Graceful shutdown

    • Party 1 to Party 2: Fin

    • Party 2 to Party 1: Ack

    • Party 2 to Party 1: Fin

    • Party 1 to Party 2: Ack

  • Abrupt shutdown

    • Party 1 to Party 2: Rst

TCP: Exchanging Data

  • Each packet has a sequence number.

    • (One for each direction.)

  • Initial sequence numbers are created during initial three way handshake.

    • Nmap uses the way these sequence numbers are generated to determine the OS.

    • Operating systems are now much better, with effectively random initial sequence numbers.

TCP Exchanging Data

  • Party that receives packet sends an acknowledgement.

  • Acknowledgement consists in

    • Ack flag.

    • Sequence number of the next packet expected.

    • (tcpdump shows the number of bytes acknowledged.)

TCP Exchanging Data

  • If a packet is lost, then the ack sequence number will not change:

    • “Duplicate acknowledgement”

  • Depending on settings, the sender will resend after at most three duplicate acknowledgements.

  • Senders also resend after a timeout.

TCP flags

  • Part of TCP header

    • F : FIN - Finish; end of session

    • S : SYN - Synchronize; indicates request to start session

    • R : RST - Reset; drop a connection

    • P : PUSH - Push; packet is sent immediately

    • A : ACK - Acknowledgement

    • U : URG - Urgent

    • E : ECE - Explicit Congestion Notification Echo

    • W : CWR - Congestion Window Reduced

TCP Example with Ethereal

First SYN message (screenshot)

TCP Example with Ethereal

This is the SYN-ACK packet with sequence number 68 8d 5c ad and ack number 10 3f 21 1e

TCP Example with Ethereal

SYN sequence number 10 3f 21 1e

ACK number 68 8d 5c ae


  • “Send and pray”

  • No connection.

  • No special header like TCP.

  • Protocol field in the IP header is 0x11

  • Another field in the IP header contains UDP specific header information


  • An IP datagram can encounter a link whose maximum transmission unit (MTU) is smaller than the datagram.

  • The sending (or forwarding) node chops up the IP datagram into many IP datagrams, the fragments.


  • Fragments are reassembled at the destination.

  • Fragments carry:

    • Fragment identifier

    • Offset in the original data portion

    • Length of the data payload in the fragment

    • Flag that indicates whether or not more fragments follow (i.e. whether this is the final fragment).



  • Large Echo Request

  • ping -l 1480

  • Assume MTU is 1500

Fragmentation: First Fragment (screenshot)

Fragmentation: Second Fragment (screenshot)

Fragmentation: Last Fragment (screenshot)


ping -l 65500

12:02:18.256066 IP > icmp 1472: echo request seq 6400 (frag 10712:1472@0+)

12:02:18.257282 IP > icmp (frag 10712:1472@1472+)

12:02:18.258498 IP > icmp (frag 10712:1472@2944+)

12:02:18.258502 IP > udp 50

12:02:18.259714 IP > icmp (frag 10712:1472@4416+)

12:02:18.261177 IP > icmp (frag 10712:1472@5888+)

12:02:18.262389 IP > icmp (frag 10712:1472@7360+)

12:02:18.263604 IP > icmp (frag 10712:1472@8832+)

12:02:18.264820 IP > icmp (frag 10712:1472@10304+)

12:02:18.266037 IP > icmp (frag 10712:1472@11776+)

12:02:18.267495 IP > icmp (frag 10712:1472@13248+)

12:02:18.268712 IP > icmp (frag 10712:1472@14720+)


  • DF (Don’t Fragment) flag

  • If a forwarding node finds that the datagram needs to be fragmented but the DF flag is set, it should respond with ICMP unreachable – need to fragment.

  • Useful to find the minimum MTU along a path (path MTU discovery).


  • Fragmentation has security implications

    • Stateless firewalls look only at individual packets.

    • The transport protocol header is only in the first fragment.

    • “Stealth attacks / scans” have the evil payload only in the second and following fragments.

Fragments: Teardrop and Friends

  • Teardrop (1997)

    • Fragments with overlapping offset fields.

    • Many contemporary OSs crashed, hung or rebooted.

  • Jolt2

    • Single fragment with non-zero offset.

    • Receiving system allocates resources to reconstruct a datagram that never arrives.

Fragments: Teardrop and Friends

  • Create fragments that seem to come from a gigabyte-sized datagram.

    • A trusting OS tries to allocate the memory and dies.

  • Ping of Death

    • Windows 95 allowed sending a ping that was just a tad too long. The receiving host would crash.

  • Unnamed Attacks

    • Missing fragments lead to resource allocation.
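An added example (not from the slides) that reads tcpdump's "frag id:len@offset+" notation shown above, plans the fragments for the ping -l examples, and flags the reassembly patterns listed on these slides: overlapping offsets (Teardrop), a datagram that would exceed 64 KB, and fragments whose datagram never completes (Jolt2-style). The sample capture lines and the 192.0.2.x / 198.51.100.x addresses are constructed.

```python
import re

IP_HDR_LEN = 20
ICMP_HDR_LEN = 8
MAX_DATAGRAM = 65535            # IP total length is a 16-bit field

# tcpdump fragment notation: "(frag <id>:<len>@<byte offset>[+])", "+" = more fragments follow
FRAG_RE = re.compile(r"IP (\S+) > (\S+):.*\(frag (\d+):(\d+)@(\d+)(\+?)\)")


def fragment_plan(payload_len, mtu):
    """(offset, length, more_fragments) tuples for an ICMP echo carrying payload_len bytes
    (as sent by 'ping -l payload_len') over a link with the given MTU."""
    total = ICMP_HDR_LEN + payload_len         # the ICMP header rides in the first fragment
    per_frag = (mtu - IP_HDR_LEN) // 8 * 8     # fragment data must be a multiple of 8 bytes
    plan, off = [], 0
    while off < total:
        ln = min(per_frag, total - off)
        plan.append((off, ln, off + ln < total))
        off += ln
    return plan


class FragmentTracker:
    """Track fragments per datagram, keyed by (src, dst, IP identification)."""

    def __init__(self):
        self.groups = {}

    def add(self, line):
        """Record one tcpdump line; returns (key, findings), or (None, []) for non-fragments."""
        m = FRAG_RE.search(line)
        if not m:
            return None, []
        src, dst, ident, ln, off, more = m.groups()
        key = (src, dst, int(ident))
        off, ln, more = int(off), int(ln), more == "+"
        findings = []
        if off + ln > MAX_DATAGRAM:                      # ping-of-death style oversize datagram
            findings.append(f"oversize: fragment ends at byte {off + ln} > {MAX_DATAGRAM}")
        for o, l, _ in self.groups.get(key, []):
            if off < o + l and o < off + ln:             # byte ranges intersect: Teardrop pattern
                findings.append(f"overlap with earlier fragment {l}@{o}")
                break
        self.groups.setdefault(key, []).append((off, ln, more))
        return key, findings

    def status(self, key):
        """'complete' once fragments cover the datagram contiguously from 0 and the last has MF clear."""
        expected, saw_last = 0, False
        for off, ln, more in sorted(self.groups[key]):
            if off != expected:                          # gap (Jolt2: lone non-zero offset) or overlap
                return "incomplete"
            expected = off + ln
            saw_last = saw_last or not more
        return "complete" if saw_last else "incomplete"


def analyze(text):
    """Run every line through the tracker; report findings and status per datagram."""
    tracker, report = FragmentTracker(), {}
    for line in text.splitlines():
        key, findings = tracker.add(line)
        if key is not None:
            report.setdefault(key, []).extend(findings)
    return {key: {"findings": f, "status": tracker.status(key)} for key, f in report.items()}


# Constructed sample capture: one normal 3-fragment echo request with an unrelated UDP
# packet in between, then a Teardrop-style overlap, an oversize fragment, and a lone
# non-zero-offset fragment whose datagram never completes.
SAMPLE_LINES = """\
12:02:18.256066 IP 192.0.2.10 > 192.0.2.20: icmp 1472: echo request seq 6400 (frag 10712:1472@0+)
12:02:18.257282 IP 192.0.2.10 > 192.0.2.20: icmp (frag 10712:1472@1472+)
12:02:18.258502 IP 192.0.2.10.137 > 192.0.2.255.137: udp 50
12:02:18.258498 IP 192.0.2.10 > 192.0.2.20: icmp (frag 10712:100@2944)
12:02:19.000001 IP 198.51.100.7 > 192.0.2.20: icmp 1472: echo request seq 1 (frag 4242:1472@0+)
12:02:19.000002 IP 198.51.100.7 > 192.0.2.20: icmp (frag 4242:1000@800)
12:02:20.000001 IP 198.51.100.7 > 192.0.2.20: icmp (frag 7:1480@65120+)
12:02:21.000001 IP 198.51.100.7 > 192.0.2.20: icmp (frag 9:1472@1472+)
"""
```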


  • Protocols like TCP can send error messages themselves.

  • Stateless protocols like UDP need another mechanism to send error messages.

  • Host uses ICMP for

    • Simple replies and requests

    • Inform other hosts of some kind of error condition.

      • E.g.: To throttle delivery rate, receiving host can use the ICMP source quench message.

      • E.g.: Router can send “admin prohibited” ICMP message.


  • ICMP has no port numbers.

  • No acks, no message delivery guarantee

  • Allows broadcasting

  • ICMP types at


  • First Byte of package is Type

  • Second Byte of package is Code


  • Attackers can use ICMP for scanning:

    • Mapping a network.

    • Detect availability of target.

    • Detect OS through the way that host responds.


Tireless Mapper

  • Sends ICMP echo request messages to all possible IP addresses.

  • Many IDSs might not capture this scan if the number of packets per hour is small.

  • Therefore: firewalls should filter incoming ping requests.

Efficient Mapper

  • Use the ICMP echo request with a broadcast address.

  • Ping

Clever Mapper

  • Use a different ICMP message such as ICMP address mask.

  • Determines the class of the network.

    ICMP: Normal activity

    Normal messages:

    • Host unreachable

    • Port unreachable

    • Admin prohibited

    • Need to fragment

    • Time exceeded in transit

    ICMP: Normal activity

    Host unreachable

    • Router at target host’s network sends such a message.

    • This gives out info to an attacker.

      • Some routers (Cisco) allow an access control list entry:

        • no ip unreachables

    ICMP: Normal activity

    Port unreachable

    • > icmp: udp port ntp unreachable (DF)

    • Used for UDP

    • TCP has the RESET message to inform sender.

    ICMP: Normal activity

    Unreachable - Admin Prohibited

    • Router informs sender that this type of message cannot be forwarded.

      • Router decision based on access control list.

      • Message leaks information to outside scanner.

    ICMP: Normal activity

    Need to Frag

    • Router informs sender that DF is set, but that the packet is larger than the MTU.

    ICMP: Normal activity

    Time Exceeded In-Transit

    • Packets contain a Time To Live (TTL) value.

    • Each router handling a packet decrements the TTL value.

    • If the TTL reaches zero, the router discards the packet and sends the Time Exceeded In-Transit message to the sender.

    ICMP: Normal activity

    • ICMP messages contain additional data in the packet.

      • In particular: the IP header followed by eight bytes of protocol header and data of the original datagram.

      • Not all OS implementations do this in exactly the same way.

        • Nmap used this for OS fingerprinting.

        • Lately, all TCP/IP stack implementations have been fixed to remove OS idiosyncrasies.

    Malicious ICMP: Smurf Attack

    Smurf attack on victim

    • Step 1: Send ICMP echo request to a broadcast address with spoofed IP of

    • Step 2: Router allows in ICMP echo request to broadcast address

    • Step 3: All live hosts respond with ICMP echo reply to real machine with source IP

    Malicious ICMP: Smurf Attack

    • ICMP Smurf Attack

      • Denial of Service Attack.

      • Effort of Attacker << Effort of Victim.

      • Uses ICMP replies from network as an amplifier.

      • Works well if victim has a slow connection.

    Malicious ICMP: Tribal Flood Network

    • Based on Smurf

    • Creates zombies out of compromised machines

    • Compromised machines use a trigger to start bombarding a victim with requests

    • Many variations on this theme

    Malicious ICMP: Winfreeze (obsolete)

    • Uses the ICMP redirect message.

    • Legal use is to update routing information.

    • Flood of redirect message causes the victim (Win95 / Win98) to redirect traffic to itself via random hosts.

    • Victim spends too much time updating routing table.

    Malicious ICMP: Loki

    • Uses ICMP packages for covert channel

    • A compromised host with a Loki server responds to requests from a Loki client.

    • Requests are sent via ping messages with data embedded in ICMP pings.

    • Originally used bytes 6 and 7.


    Malicious ICMP: Simple Counter-Measures

    • Limit ICMP messages at the firewall.

    • Leads to inefficiencies, such as trying a TCP connection to a host that is down.

    • Need to let path MTU discovery (need-to-fragment) messages through.

    • Log those that are let through.

    Harmless Behavior: TCP

    • Destination Host not Listening on Requested Port

      • Receiver acknowledges and resets at the same time.

    • Destination Host does not Exist

      • Router responds with ICMP: host xxx.yyy unreachable

    Harmless Behavior: TCP

    • Destination Port Blocked

      • Router responds with an icmp message:

        • icmp: xxx.yyy unreachable – admin prohibited filter

      • Router does not respond.

        • Sender retries up to a protocol-dependent maximum number of times.

    Harmless Behavior: UDP

    • Destination Host not Listening on Requested Port

      • Destination host sends icmp message:

        • icmp: xxx.yyy port domain unreachable

      • Or: destination host does not respond.

        • Sender will possibly retry several times

    Harmless Behavior: Windows Tracert

    • tracert (traceroute) uses ICMP pings

      • Tracing host sends ICMP echo request with TTL = 1.

      • Then tracing host sends ICMP echo request with TTL = 2, etc.

      • First router responds to first request.

        • If not destination, then with icmp: time exceeded in transit message

      • Second router responds to second request, etc.

    Harmless Behavior: Unix Tracert

    • traceroute uses UDP to random ephemeral port.

      • Tracing host sends UDP package with TTL = 1.

      • Then tracing host sends UDP package with TTL = 2, etc.

      • First router responds to first request.

        • If not destination, then with icmp: time exceeded in transit message

      • Second router responds to second request, etc.

      • Target responds with a port unreachable message.


    • Uses TCP

    • Active / Passive FTP

    • Both use port 21 to issue FTP commands.

    • Active FTP:

      • Uses port 20 for data.

      • FTP server establishes connection to client

    FTP: Active FTP Example

    • Command channel between and Bobadilla.1628

    • Dir command creates a new connection between and Bobadilla.5001


    • The opening of a connection from the outside to an ephemeral port is dangerous. (Client side source port used temporarily by applications when requesting data from a server.)

    • Passive FTP: The client initiates the data connection to port 20.

    Malicious TCP Use: Mitnick Attack (obsolete)

    • SYN flood

      • Goal is to disconnect the victim from the net.

      • Throws hundreds / thousands of SYN packets.

      • Return address is spoofed.

      • Recipient’s queue of half-open connections waiting to be established is flooded.

      • Still works as a DDoS attack.

    Malicious TCP Use: Mitnick Attack (obsolete)

    • Identify Trust Relationships

      • Extensive network mapping.

      • Nbtstat/finger, showmount, rpcinfo -r, …

      • Rpcinfo provides information about the remote procedure call services and their ports

    Malicious TCP Use: Mitnick Attack (obsolete)

    • Initiate a number of TCP connections to the host.

      • Send SYN packet. Receive SYN/ACK packet. Send RST so that the victim is not flooded.

      • Observe the sequence number values between different connections.

      • Can they be predicted?

    Malicious TCP Use: Mitnick Attack (obsolete)

    Victim trusts B.

    • Attacker can predict the sequence number that the victim expects.

    • Attacker SYN floods B.

    • B cannot respond.

    • Attacker takes over B’s identity.

    • Spoofs packet from B to Victim.

    • Victim responds with SYN / ACK to B.

    • B cannot respond.

    • Attacker sends the ACK with the guessed sequence number to victim.

    • Attacker sends another TCP packet with payload: rsh victim “echo ++ >> .rhosts”

    • Now victim trusts everyone.

    • Attacker terminates connection with a FIN exchange.

    • To wake up B, attacker sends it a bunch of RSTs to free B from the SYN flood.

    • Attacker now starts a new connection with the victim.

    Malicious TCP Use: Mitnick Attack Detection

    • Network based intrusion detection (NID) can find the original site mapping.

    • NID can find the reconnaissance by finding “finger” “showmount” etc. commands.

      • Directed to the same port (111).

      • This is a dangerous port.

      • Frequent.

    Malicious TCP Use: Mitnick Attack Detection

    • Host scans log instances where a single system accesses multiple hosts at the same time.

    • Host-based Intrusion Detection (HID) can find access to a single port.

    • HID / Tripwire could find changes to .rhosts.

    Malicious TCP Use: Mitnick Attack Detection

    Computer Forensics can detect the attack by

    • Logging network traffic.

    • Examining MAC (modify, access, change) times of important files (.rhosts)

    Malicious TCP Use: Mitnick Attack Prevention

    • Router-based Firewall blocks certain type of traffic.

      • Network mapping.

      • SYN flooding.

      • Access to dangerous ports.

    • Host-based firewall blocks

      • Access to dangerous ports.

    • Security policy

      • Disallows reconnaissance tools.

      • Enforces better authentication.

    Domain Name Servers

    • Provide mapping from host names to IP addresses.

    • DNS resolution process

      • Client sends a gethostbyname message to the local domain name server.

      • Local domain name server sends back ip address.

    • Uses UDP (almost exclusively)

    DNS: Resolution protocol

    • Client to local DNS server: gethostbyname

    • Local DNS server forwards the request to a root server.

    • Root server returns with name of remote DNS server.

    • Local DNS server queries remote DNS server.

    • Remote DNS server answers with IP address.

    • Local DNS server gives data to client.


    • Use caching to prevent overload by root servers.

    • DNS records have a TTL

      • Responding DNS server sets TTL.

      • Receiving DNS server caches record for TTL time.

    DNS: Reverse Lookup

    • IP-address to host-name

    • Query for send to

    DNS: Master - Slave Name Servers

    • Each domain has a single master DNS server.

    • Add slaves for redundancy.

    • Slave server periodically contacts master to see whether there are changes.

    • Older BIND versions download all data for the domain, even if only one record has changed.

    DNS: Zone Transfer

    • Slave server starts a zone transfer from master to slave.

    • Uses TCP, port 53.

    • Attackers like zone transfer

      • Gives all IP addresses and names in subnet.

      • Newer versions of BIND limit transfers based on IP address.

    DNS: Abuse for Reconnaissance

    • nslookup: Get name servers.

    DNS: Abuse for Reconnaissance

    • HINFO: host information.

    DNS: Abuse for Reconnaissance

    • List the zone map information.

    • > ls -d in nslookup

    DNS: Abuses and Problems

    • DNS cache poisoning

    • Affects BIND versions before 8.1.1.

    • Based on lack of authentication

    • Some BIND versions cache every DNS data they see.

    DNS Cache Poisoning

    • Attack on Hillary Clinton’s Run for Senate Website

    • Traffic to (IP address redirected to (IP address

    DNS Cache Poisoning

    • Step 1: Evil sends a bogus query to the victim’s name server that contains data at

    DNS Cache Poisoning

    • Step 2: Name server accepts the bogus information (even though it is contained in a query).

    • Step 3: Victim requests IP address of and is directed to

    • Vulnerability arises from the lack of authentication and from using queries to update entries at the queried server.

    DNS Cache Poisoning

    • Birthday Attack

      • Attacker sends a large number of queries to a vulnerable name server asking for hillary2000.

      • Attacker sends an equal number of phony replies (with the poisoned data).

      • Name server will generate requests to resolve hillary2000.

      • With high probability, one of the phony answers will have the same transaction number as one of the name server’s queries.
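    The birthday attack above succeeds because the only thing a resolver of that era checked was a 16-bit transaction ID. The following is an added illustration (not material from the slides) that puts numbers on it: it models n outstanding queries with distinct random IDs and m forged replies with independent random IDs, so a reply hits with probability n/S and P(success) = 1 - (1 - n/S)^m. The second ID space, labelled ID_AND_PORT, is a constructed figure for a resolver that also randomises its UDP source port; it shows how much the same attack effort loses against that extra entropy, which is why updated resolvers do it.

```python
import math


def poison_success_probability(outstanding_queries, spoofed_replies, id_space=2 ** 16):
    """Probability that at least one of `spoofed_replies` forged answers carries an
    ID matching one of `outstanding_queries` pending queries.

    Model (an idealisation of the slide's birthday attack): the resolver has n
    queries in flight, each with a distinct uniformly random ID drawn from a space
    of size S; each forged reply carries an independent uniform ID. One reply hits
    with probability n/S, so  P(success) = 1 - (1 - n/S)^m.
    """
    n, m, s = outstanding_queries, spoofed_replies, id_space
    if not (0 <= n <= s) or m < 0:
        raise ValueError("need 0 <= n <= S and m >= 0")
    return 1.0 - (1.0 - n / s) ** m


# Entropy available to the defender (constructed labels, not figures from the slides):
ID_ONLY = 2 ** 16                  # 16-bit transaction ID, fixed source port
ID_AND_PORT = 2 ** 16 * 2 ** 14    # ID plus a source port randomised over ~16k ports


def entropy_comparison(n=300, m=300):
    """Same attack effort against both ID spaces; returns (p_id_only, p_id_and_port)."""
    return (poison_success_probability(n, m, ID_ONLY),
            poison_success_probability(n, m, ID_AND_PORT))


def bits_of_entropy(id_space):
    """How many bits a forged reply has to guess for a given ID space."""
    return math.log2(id_space)


if __name__ == "__main__":
    p_id, p_both = entropy_comparison()
    print("P(success), 300 queries / 300 replies, 16-bit ID only:  %.3f" % p_id)
    print("P(success), same effort, ID + randomised source port: %.2e" % p_both)
    print("bits to guess: %d vs %d" % (bits_of_entropy(ID_ONLY), bits_of_entropy(ID_AND_PORT)))
```

    With 300 queries and 300 forged replies the 16-bit space gives roughly a three-in-four chance of success; adding about 14 bits of port randomness pushes the same effort below one in a thousand.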

    DNS Cache Poisoning

    • Redirect traffic to a fake PayPal or other e-commerce site.

    • Set up man-in-the-middle attacks.

    • Defenses:

      • Domain Owner has to rely on the DNS system.

      • ISP name server admin needs to protect the server by

        • Updating BIND or replacing it with djbdns

        • Running two name servers: one serving the public domain information to the outside, another for internal use.

      • End user has to rely on the DNS system.


    • Local Routing Table: netstat -r

    Static Routing

    • IP Layer searches the routing table in the following order

      • Search for a matching destination host address

      • Search for a matching destination network address

      • Search for a default entry


    • Static routes are typically added during the boot process.

    • Administrative changes with a “routing” command.

    • ICMP routing discovery messages

    Routing Changes

    • A host might have inefficient entries in the routing table.

    • ICMP Router Discovery Protocol (IRDP)

      • ICMP redirect messages

      • ICMP routing discovery messages

    • IRDP needs to be enabled.

    Routing Changes

    • ICMP Redirect Message

      • A sends message to D.

      • Routing table says to send to B first.





    Routing Changes

    • ICMP Redirect Message

      • B forwards to C

      • B informs A that there is a direct route to C

        • ICMP Redirect Message





    Routing Changes

    • ICMP Redirect Message

      • C forwards the packet to the target.

      • A updates routing table.





    IRDP DoS Exploit

    • Attacker (E) sends spoofed IRDP message to A

    • A updates routing table to reflect bogus default value.

    • A loses connectivity.






    IRDP Windows Exploit

    • Windows (95, 98, 2000) and some Solaris systems are vulnerable.

    • If a Windows host runs a Dynamic Host Configuration Protocol (DHCP) client, it obtains its default route from the DHCP server.

    • ICMP router advertisements can be spoofed.

    • The first router advertisement is checked for the correct IP address.

    • The second router advertisement erroneously is not.

    IRDP Windows Exploit

    • Attacker sends two ICMP router advertisements to victim.

    • Victim updates its default gateway to IP determined by attacker.

    • Use for man in the middle attacks or DoS.
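    Two of the slides above come together in one added example (this is illustration code, not from the lecture or any tool it mentions): the Static Routing slide's lookup order (host entry, then network entry, then default), and the IRDP scenarios, whose whole effect is a re-pointed default route. The routing table, its flags, and the gateway addresses are constructed in the style of netstat -r output; 10.0.0.66 stands for an unexpected gateway. lookup_route() applies the lookup order to a destination, and diff_routes() compares a baseline snapshot with a later one, which is how an examiner would spot the bogus default entry the slide describes.

```python
import ipaddress

# Constructed routing-table snapshot in the spirit of `netstat -r` output
# (example data, not from the slides): (destination, gateway, flags).
# Flags follow the usual convention: U = up, G = via gateway, H = host route.
BASELINE_ROUTES = [
    ("10.0.0.0/24",    "0.0.0.0",    "U"),    # directly connected network
    ("10.0.5.7/32",    "10.0.0.254", "UGH"),  # host route to one machine
    ("192.168.0.0/16", "10.0.0.1",   "UG"),   # network route
    ("0.0.0.0/0",      "10.0.0.1",   "UG"),   # default route
]

# Same table after the default gateway has been re-pointed, as the spoofed
# router advertisement on the slides would do; 10.0.0.66 is a constructed address.
POISONED_ROUTES = [(n, "10.0.0.66" if n == "0.0.0.0/0" else g, f)
                   for n, g, f in BASELINE_ROUTES]


def lookup_route(table, destination):
    """Select the route for `destination` in the order the slide gives:
    host entry first, then the most specific network entry, then the default.
    Returns (kind, destination_prefix, gateway) or None when nothing matches."""
    dst = ipaddress.ip_address(destination)
    entries = [(ipaddress.ip_network(net), gw, flags) for net, gw, flags in table]

    # 1. matching destination host address (host routes carry the H flag)
    for net, gw, flags in entries:
        if "H" in flags and dst in net:
            return ("host", str(net), gw)

    # 2. matching destination network address; longest prefix wins
    best = None
    for net, gw, flags in entries:
        if net.prefixlen == 0 or "H" in flags:
            continue
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is not None:
        return ("network", str(best[0]), best[1])

    # 3. default entry (prefix length 0)
    for net, gw, flags in entries:
        if net.prefixlen == 0:
            return ("default", str(net), gw)
    return None


def diff_routes(baseline, current):
    """Compare two snapshots and report entries added, removed or re-pointed.
    A changed default gateway is exactly what the IRDP scenarios leave behind."""
    base = {net: gw for net, gw, _ in baseline}
    cur = {net: gw for net, gw, _ in current}
    changes = []
    for net in sorted(set(base) | set(cur)):
        if net not in cur:
            changes.append(("removed", net, base[net], None))
        elif net not in base:
            changes.append(("added", net, None, cur[net]))
        elif base[net] != cur[net]:
            changes.append(("changed", net, base[net], cur[net]))
    return changes


if __name__ == "__main__":
    for ip in ("10.0.5.7", "10.0.0.9", "192.168.3.4", "203.0.113.9"):
        print(ip, "->", lookup_route(BASELINE_ROUTES, ip))
    print(diff_routes(BASELINE_ROUTES, POISONED_ROUTES))
```

    Taking a baseline of the routing table while a host is known-good, and diffing against it later, turns the "bogus default value" of the DoS slide into a single, reviewable line of evidence.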

    ARP Poisoning

    • Address resolution protocol associates MAC addresses with IP addresses.

    • Four Messages

      • ARP Request: “Who has this IP?”

      • ARP Reply: “I have this IP. My MAC is …”

      • Reverse ARP Request: “Who has that MAC?”

      • Reverse ARP Reply: “I have that MAC, my IP is …”

    ARP Poisoning

    • ARP is very efficient, but does not do any authentication.

    • Many operating systems still accept ARP replies even without having sent an ARP request.

    • ARP poisoning: spoofing an ARP packet with false ARP data.

    ARP Poisoning

    • Denial of Service:

      • Spoofed ARP message can associate the default gateway address with a non-existing MAC.

      • Traffic to the outside is no longer picked up.

    ARP Poisoning

    • Man in the Middle

      • Intercept traffic between devices A and B.

        • A has IP IA and MAC MA.

        • B has IP IB and MAC MB.

        • Attacker has machine C with MAC MC.

      • Attacker sends an ARP reply to B: IA is at MC.

      • B updates its ARP cache entry: IA is at MC.

      • Attacker sends an ARP reply to A: IB is at MC.

      • A updates its ARP cache entry: IB is at MC.

      • A sends traffic for IB in a link-layer frame addressed to MC.

      • C intercepts the packet and forwards it to MB.

      • Traffic from A to B (and vice versa) now flows through C.

    ARP Poisoning

    • MAC flooding

      • Switches maintain a MAC to port table.

      • Traffic only flows to destination.

      • Attacker sends lots of bogus ARP data to switch.

      • Switch’s MAC table is flooded.

      • Switches either stop functioning (DoS attack) or drop to hub mode.

      • Switch in hub mode forwards a packet to all ports.

      • Allows traffic to be sniffed.

    ARP Poisoning

    • Small networks:

      • Could use a static ARP table.

      • Disables ARP messaging.

      • All ARP entries need to be put in by hand and maintained.

      • Will not work with DHCP.

      • Maintenance quickly becomes impossible as the network grows.

      • Some Windows versions will still accept and use dynamic ARP updates, even if all entries are statically encoded.

    ARP Poisoning

    • Large Networks

      • Use Port Security features on higher-end switches.

      • Allow only one MAC address.

      • Prevents attackers from presenting additional MAC addresses on a port.

    • All networks

      • Monitor ARP traffic (ARP monitoring tool)
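    The slides say to monitor ARP traffic but do not show what a monitor looks for. As an added example (not code from the lecture or from any named tool), the passive monitor below tracks the first MAC seen for each IP and the requests still awaiting a reply, and raises the two alerts that the man-in-the-middle slides imply: an unsolicited reply, and an IP whose MAC suddenly changes. The sample events are constructed and replay the A/B/C scenario with the placeholder bindings IA/MA, IB/MB and MC; a distinct-MAC counter covers the MAC-flooding slide. Gratuitous ARP is legitimate in some setups (failover, DHCP renewals), so the unsolicited-reply alert is a lead to check against the binding change, not proof on its own.

```python
from collections import namedtuple

# One observed ARP message: op is "request" or "reply"; for a reply, sender_ip/sender_mac
# is the binding being announced and target_ip is the host that (supposedly) asked.
ArpEvent = namedtuple("ArpEvent", "op sender_ip sender_mac target_ip")

# Constructed sample traffic (not a capture from the slides) that replays the A/B/C
# scenario: IA/MA and IB/MB are the legitimate bindings, MC the third machine's MAC.
IA, MA = "10.0.0.10", "aa:aa:aa:aa:aa:01"
IB, MB = "10.0.0.20", "bb:bb:bb:bb:bb:02"
MC = "cc:cc:cc:cc:cc:03"

SAMPLE_EVENTS = [
    ArpEvent("request", IA, MA, IB),   # A: "Who has IB?"
    ArpEvent("reply",   IB, MB, IA),   # B: "IB is at MB" (solicited, normal)
    ArpEvent("request", IB, MB, IA),   # B: "Who has IA?"
    ArpEvent("reply",   IA, MA, IB),   # A: "IA is at MA" (solicited, normal)
    ArpEvent("reply",   IA, MC, IB),   # unsolicited: "IA is at MC" sent to B
    ArpEvent("reply",   IB, MC, IA),   # unsolicited: "IB is at MC" sent to A
]


class ArpMonitor:
    """Passive ARP monitor: remembers the first MAC seen for each IP, tracks which
    requests are outstanding, and raises alerts on the symptoms of poisoning."""

    def __init__(self, flood_threshold=1024):
        self.bindings = {}            # ip -> mac first observed
        self.pending = set()          # (asking_ip, asked_about_ip) with no reply yet
        self.macs_seen = set()        # every source MAC observed, for the flooding check
        self.alerts = []
        self.flood_threshold = flood_threshold

    def observe(self, ev):
        self.macs_seen.add(ev.sender_mac)
        if ev.op == "request":
            self.pending.add((ev.sender_ip, ev.target_ip))
            return
        # A reply answers an outstanding request from target_ip about sender_ip.
        key = (ev.target_ip, ev.sender_ip)
        if key in self.pending:
            self.pending.discard(key)
        else:
            # Gratuitous ARP is legitimate (e.g. failover), so this is a lead, not proof.
            self.alerts.append(("unsolicited-reply", ev.sender_ip, ev.sender_mac))
        known = self.bindings.get(ev.sender_ip)
        if known is None:
            self.bindings[ev.sender_ip] = ev.sender_mac
        elif known != ev.sender_mac:
            # The strongest indicator: an IP that suddenly "moves" to another MAC.
            self.alerts.append(("binding-changed", ev.sender_ip, known, ev.sender_mac))

    def distinct_macs(self):
        return len(self.macs_seen)

    def flooding_suspected(self):
        """Many distinct source MACs in one capture is the MAC-flooding symptom."""
        return self.distinct_macs() > self.flood_threshold


def run_monitor(events, flood_threshold=1024):
    mon = ArpMonitor(flood_threshold)
    for ev in events:
        mon.observe(ev)
    return mon


if __name__ == "__main__":
    mon = run_monitor(SAMPLE_EVENTS)
    for alert in mon.alerts:
        print(alert)
    print("distinct MACs:", mon.distinct_macs(), "flooding:", mon.flooding_suspected())
```

    On the sample traffic the first four events produce nothing, and the two poisoning replies each produce an unsolicited-reply alert followed by a binding-changed alert naming the original and the new MAC.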

    IP Options

    • IP options enhance the IP protocol.

      • Security

      • Stream Identification

      • Internet Timestamp

      • Loose Source Routing

      • Strict Source Routing

      • Record Route

    These are security risks

    IP Route Options

    • Loose Source Routing specifies a route that includes a list of required nodes.

    • Strict Source Routing specifies the beginning of a route (up to 9 nodes) completely.

    • Record Route: does not alter the routing but requires that all nodes are recorded.

    Detecting IP Source Routing

    • IP header is larger than 20 bytes

    • IP option field has a hex value of

      • 83: loose source routing

      • 89: strict source routing

    • ip[0] & 0x0f > 5 and (ip[20] = 0x83 or ip[20] = 0x89)
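    The filter on the slide tests the first option byte at a fixed offset. As an added example (illustration code, not from the lecture), the parser below does the same check the way an IPv4 header actually requires: it reads IHL, walks the option list honouring NOP and EOL, and reports a loose or strict source route wherever the option sits, plus the hop list it carries. The sample headers are constructed with a small helper (checksum left zero); the third one puts a NOP in front of the SSRR option, so ip[20] is 0x01 and the fixed-offset filter misses a packet the parser still catches. The filter itself is reproduced as fixed_offset_filter() for comparison.

```python
import struct

# IPv4 option type bytes (RFC 791): EOL, NOP, Record Route, Loose and Strict Source Route.
IPOPT_EOL, IPOPT_NOP, IPOPT_RR = 0x00, 0x01, 0x07
IPOPT_LSRR, IPOPT_SSRR = 0x83, 0x89


def parse_ip_options(packet):
    """Walk the option list of an IPv4 header and return [(type, option_data), ...].
    Raises ValueError on malformed headers rather than guessing."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4   # IHL is in 32-bit words
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    options, i = [], 20
    while i < ihl:
        kind = packet[i]
        if kind == IPOPT_EOL:
            break                       # end of option list; rest is padding
        if kind == IPOPT_NOP:
            i += 1                      # single-byte option used for alignment
            continue
        if i + 1 >= ihl:
            raise ValueError("option length byte missing")
        length = packet[i + 1]
        if length < 2 or i + length > ihl:
            raise ValueError("bad option length")
        options.append((kind, bytes(packet[i + 2:i + length])))
        i += length
    return options


def source_route_type(packet):
    """'loose', 'strict' or None, whatever position the option occupies."""
    for kind, _ in parse_ip_options(packet):
        if kind == IPOPT_LSRR:
            return "loose"
        if kind == IPOPT_SSRR:
            return "strict"
    return None


def source_route_hops(packet):
    """Decode the route carried by an LSRR/SSRR option as (pointer, [addresses])."""
    for kind, data in parse_ip_options(packet):
        if kind in (IPOPT_LSRR, IPOPT_SSRR):
            pointer = data[0]           # offset of the next address to use
            addrs = [".".join(str(b) for b in data[j:j + 4]) for j in range(1, len(data) - 3, 4)]
            return pointer, addrs
    return None


def build_header(options=b"", src="192.0.2.1", dst="198.51.100.1"):
    """Constructed test helper: a minimal IPv4 header (checksum left zero) with the given
    options, padded with EOL bytes to a 32-bit boundary as the IHL field requires."""
    options = options + b"\x00" * ((-len(options)) % 4)
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s",
                        (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 6, 0,
                        bytes(int(x) for x in src.split(".")),
                        bytes(int(x) for x in dst.split(".")))
    return fixed + options


# Constructed sample headers: no options; LSRR at offset 20 (what the filter matches);
# SSRR preceded by a NOP, so ip[20] is 0x01 and the fixed-offset filter misses it.
PLAIN = build_header()
LSRR_PACKET = build_header(bytes([IPOPT_LSRR, 11, 4, 10, 0, 0, 1, 10, 0, 0, 2]))
SSRR_AFTER_NOP = build_header(bytes([IPOPT_NOP, IPOPT_SSRR, 7, 4, 10, 0, 0, 3]))


def fixed_offset_filter(packet):
    """The slide's filter, literally: ip[0] & 0x0f > 5 and ip[20] in (0x83, 0x89)."""
    return (packet[0] & 0x0F) > 5 and len(packet) > 20 and packet[20] in (IPOPT_LSRR, IPOPT_SSRR)


if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("lsrr", LSRR_PACKET), ("ssrr after nop", SSRR_AFTER_NOP)):
        print(name, source_route_type(pkt), fixed_offset_filter(pkt), source_route_hops(pkt))
```

    For alerting, the slide's one-liner is a fine first pass because it is cheap; the option walk is what to run on the packets it flags (and on any packet with IHL greater than 5) before drawing conclusions about the route.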

    Source Route Exploit

    • A spoofing host uses source routing through a host trusted by the victim.

    • The victim concludes that the traffic comes from the trusted host.

    • Therefore: firewalls need to disable source routing, or the network admin needs to disable trust relationships.

    Internet Group Management Protocol (IGMP)

    • Defined by RFC 1112.

    • IGMP messages use IP Protocol 2

    • IGMP messages are used to join and leave multicast groups.

    TCP/IP Related Evidence

    • Sniffer Logs

    A computer intrusion left a program called router behind. Investigation of the binary code revealed that it was a Portuguese language sniffer storing data in a given file.

    The sniffer file contained log entries of log-ins from Brazil to a non-authenticated account as well as further activities.

    TCP/IP Related Evidence

    • Authentication, Server Logs

    Maury Travis Case:

    During a series of homicides in St. Louis, a reporter received a letter with the location of an additional victim.

    The FBI determined that the map was from

    The web server logs showed that only one IP address requested that particular map around the time that the letter was sent.

    TCP/IP Related Evidence

    The IP address belonged to an ISP.

    The ISP logs showed that this IP address was registered to Maury Travis. The telephone number from which the connection was made also belonged to Maury Travis.

    A (warranted) search of Maury Travis’ home found a torture chamber and videotapes of Maury torturing and killing victims.

    Maury killed himself while in custody. The total number of victims is unknown.
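    The decisive step in the case above is a routine log query: which client addresses fetched one particular resource inside a time window around the letter. The following is an added example of that query (illustration code; the log lines, addresses, path and times are all constructed and have nothing to do with the real evidence). It parses NCSA combined-format lines, counts rather than silently drops lines it cannot parse, and returns the distinct IPs that requested the target path within the window, with their timestamps.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed NCSA combined-format lines (invented addresses from the RFC 5737
# documentation ranges and an invented map path; nothing here is from the real case).
SAMPLE_LOG = """\
203.0.113.5 - - [20/May/2003:14:01:12 -0500] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
203.0.113.5 - - [20/May/2003:14:02:40 -0500] "GET /maps/county/sector17.gif HTTP/1.0" 200 58211 "-" "Mozilla/4.0"
198.51.100.77 - - [20/May/2003:14:03:05 -0500] "GET /maps/county/sector03.gif HTTP/1.0" 200 61200 "-" "Mozilla/4.0"
192.0.2.33 - - [19/May/2003:09:15:00 -0500] "GET /maps/county/sector17.gif HTTP/1.0" 200 58211 "-" "Lynx/2.8"
203.0.113.5 - - [20/May/2003:14:05:59 -0500] "GET /maps/county/sector17.gif HTTP/1.0" 304 - "-" "Mozilla/4.0"
this line is corrupt and must not crash the parser
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)

TARGET_PATH = "/maps/county/sector17.gif"
# Constructed "letter was sent" time and the search window around it.
LETTER_TIME = datetime(2003, 5, 20, 14, 0, tzinfo=timezone(timedelta(hours=-5)))
WINDOW = timedelta(hours=1)


def parse_log(text):
    """Parse combined-log lines into dicts; returns (records, unparsed_line_count)."""
    records, bad = [], 0
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            bad += 1          # count, never silently drop: gaps matter to an examiner
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        records.append(rec)
    return records, bad


def requesters_of(records, path, center, window):
    """Map client IP -> list of timestamps for requests of `path` within center +/- window."""
    lo, hi = center - window, center + window
    hits = {}
    for r in records:
        if r["path"] == path and lo <= r["ts"] <= hi:
            hits.setdefault(r["ip"], []).append(r["ts"])
    return hits


def example_hits():
    records, _ = parse_log(SAMPLE_LOG)
    return requesters_of(records, TARGET_PATH, LETTER_TIME, WINDOW)


if __name__ == "__main__":
    records, bad = parse_log(SAMPLE_LOG)
    print("parsed %d lines, %d unparsable" % (len(records), bad))
    for ip, times in example_hits().items():
        print(ip, [t.isoformat() for t in times])
```

    On the sample data only one address fetched the target map inside the window (an earlier request for the same map from another address falls outside it), which is the single-IP result the slide describes; the timezone offset is parsed from each line rather than assumed, because mixing log and letter times in different zones is an easy way to get the window wrong.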

    TCP/IP Related Evidence

    • Internet dial-up logs are created by RADIUS and TACACS authentication servers.

    • These servers are also used for VPN concentrators.

    • Kerberos logs authentication requests.

    TCP/IP Related Evidence

    • Application Logs

      • When someone defaces web servers, they usually view them shortly before and after defacement.

      • The web logs might contain evidence of someone checking for vulnerabilities before defacement.

        • With the IP address that they used.

    TCP/IP Related Evidence

    • Application Logs

      • Mail servers log details of messages.

        • Example: An email spoofer makes a typo.

          • Logs contain entries with backspaces, …

      • Operating systems log connections.

      • Network devices log.