Computer Forensics Network Protocols Overview for Network Forensics
Focus of this presentation Protocols With a few anecdotes, how-to-dos and previews thrown in.
Network Protocols: Layering • Complexity of networking leads to layered architectures. • TCP/IP stack has four levels. • OSI has seven.
Network Protocols: Layering • Each layer adds a header. • Application • TCP • IP • Link
Repetition: Capturing Data on a Network • Develop a threat model before deploying Network Security Monitoring • Internal / External Attacker • Wireless / Wired / … • Develop monitoring zones • Demilitarized zone • Wireless zone • Intranet zones
Repetition: Capturing Data on a Network • Wired monitoring • Hubs • SPAN ports • Taps • Inline devices
Repetition: Capturing Data on a Network • Hubs • Broadcasts incoming data on all interfaces. • Be careful about NIC capacity (10/100/1000 Mb/sec) • Be careful about hub quality • Are inexpensive, but can introduce collisions on the links where the hub sits.
Repetition: Capturing Data on a Network • Switched Port Analyzer (SPAN) • A.k.a. Port mirroring, Port monitoring. • SPAN port located on enterprise class switches. • Copy traffic between certain ports to SPAN port. • Configurable • Easy access to traffic. • Can make mistakes with configuration. • Under heavy load, SPAN port might not get all traffic. • SPAN only allows monitoring of a single switch.
Repetition: Capturing Data on a Network • Test Access Port (TAP) • Networking device specifically designed for monitoring applications. • Typically four ports: • Router • Firewall • Monitor traffic on remaining ports. • One port sees incoming, the other outgoing traffic. • Moderately high costs.
Repetition: Capturing Data on a Network • Specialized inline devices: • Server or hardware device • Filtering bridges • Server with OpenBSD and two NICs
Link Layer • Network Interface Cards (NIC) • Unique Medium Access Control (MAC) number • Format: 48 bits, written as twelve hex digits. • First 6 digits identify the vendor. • Last 6 digits are the serial number. • NICs either select packets based on MAC address or are in promiscuous mode (capture every packet).
Link Layer • Address Resolution Protocol (ARP) • Resolves IP addresses to MAC addresses • RFC 826
Link Layer: ARP Resolution Protocol • Assume node A with IP address 10.10.10.100 and MAC 00:01:02:03:04:05 wants to talk to IP address 10.10.10.101. • Sends out a broadcast who-has request: 00:01:02:03:04:05; ff:ff:ff:ff:ff:ff; arp 42 who-has 10.10.10.101 • All devices on the link capture the packet and pass it to the IP layer. • 10.10.10.101 is the only one to answer: a0:a0:a0:a0:a0:a0; 00:01:02:03:04:05; arp 64; arp reply 10.10.10.101 is-at a0:a0:a0:a0:a0:a0 • A caches the value in its arp cache.
Link Layer: ARP Resolution Protocol ARP requests:
Link Layer Forensics Network monitoring tools such as Argus or Ethereal log MAC addresses.
Link Layer Forensics Example: A spike in network traffic comes from a computer with a certain IP address. However, Argus logs reveal that the traffic comes from a computer with a different MAC than the computer assigned that IP. (Spoofing) Finally, intrusion response finds the computer with that MAC, a Linux laptop that has been compromised and is used for a Denial of Service attack.
Link Layer Forensics • ARP cache can be viewed on Windows NT/2000/XP with the arp -a command.
ATM • ATM • uses fiber optic cables and ATM switches. • encapsulates data into ATM cells. • number identifies the circuit that ATM has established between two computers. • ATMARP allows machines to discover MAC addresses. • ATMARP has a central server that responds to ARP requests. • ATM forensics is similar.
Link Layer Evidence • Sniffers in promiscuous mode. • Intruders also use sniffers. • Typically monitor traffic to / from compromised system. • Sometimes they monitor themselves coming back to look at the sniffer logs. • Intruders sometimes encrypt their traffic. • But the sniffers still see the packets, they just cannot read them. • Installing sniffers can violate the wire-tapping and other laws and is resource-intensive. • FreeBSD / OpenBSD seem to be the best platforms.
Link Layer Evidence • Sniffer location: • On compromised machine. • Evidence not trustworthy. • Nearby host. • Switched Port Analyzer (SPAN) • Copies network traffic from one switch port to another • Only copy valid ethernet packets. • Do not duplicate all error information. • Copying process has lower priority and some packets might not be mirrored. • Misses out on traffic on the local link.
Link Layer Evidence • Sniffer configuration • Can capture entire frames. • Or only first part. • Tcpdump default setting.
Link Layer Evidence • Some organizations log ARP information. • Routers keep ARP tables. • show ip arp • All hosts keep ARP tables. • DHCP often assigns addresses only to computers with known MAC.
Link Layer Evidence An employee received harassing e-mail from a host on the employer’s network with IP address 192.168.1.65. DHCP server database showed that this IP was assigned to a computer with MAC address 00:00:48:5c:3a:6c. This MAC belonged to a network printer. The router’s ARP table showed that the IP address 192.168.1.65. was used by a computer with MAC 00:30:65:4b:2a:5c. (IP-spoofing) Although this MAC was not on the organization’s list, there were only a few Apple computers on the network and the culprit was soon found.
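The comparison in this case, DHCP assignment versus what the router's ARP table actually saw, can be scripted. The following is an added example, not part of the original slides; it assumes IOS-style `show ip arp` column layout, and the sample output, the lease records and the 192.168.1.1 entry are constructed around the addresses quoted in the case.

```python
import re

def norm_mac(mac):
    """Normalize 0030.654b.2a5c, 00-30-65-4B-2A-5C or 00:30:65:4b:2a:5c to one form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_show_ip_arp(text):
    """Return {ip: mac} from router ARP table output (IOS-style columns assumed)."""
    table = {}
    for line in text.splitlines():
        f = line.split()
        # Protocol, Address, Age, Hardware Addr, Type; skip the header and incomplete rows.
        if len(f) >= 5 and f[0] == "Internet" and f[3].lower() != "incomplete":
            table[f[1]] = norm_mac(f[3])
    return table

def find_mismatches(leases, arp_table):
    """List IPs whose MAC on the wire differs from the MAC in the DHCP database."""
    known = {norm_mac(m) for m in leases.values()}
    findings = []
    for ip, seen in sorted(arp_table.items()):
        leased = norm_mac(leases[ip]) if ip in leases else None
        if leased != seen:
            findings.append({"ip": ip, "leased_mac": leased, "seen_mac": seen,
                             "seen_mac_known": seen in known})
    return findings

# Constructed sample data using the addresses from the case above.
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.1             -   0010.7b3a.1c02  ARPA   FastEthernet0/0
Internet  192.168.1.65           12   0030.654b.2a5c  ARPA   FastEthernet0/0
"""
SAMPLE_LEASES = {"192.168.1.1": "00:10:7b:3a:1c:02",
                 "192.168.1.65": "00-00-48-5C-3A-6C"}

def demo():
    return find_mismatches(SAMPLE_LEASES, parse_show_ip_arp(SAMPLE_ARP))

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```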
Link Layer Evidence • Analyze and filter log files: • Keyword searches • E.g. for USER, PASS, login • Nicknames, channel names • Filters • Reconstruction • E.g. contents of web-mail inbox.
Link Layer Evidence NetIntercept Screenshot An example for a Network Forensics / Network Intrusion Detection commercial tool that reveals link layer evidence
ARP Packet • RFC 826 • ARP packet layout (byte offsets): • 0-1: Hardware type (0x0001 – Ethernet) • 2-3: Protocol type (0x0800 – IP) • 4: Number of bytes in hardware address (6 for MAC) • 5: Number of bytes in protocol address (4 for IP) • 6-7: Opcode: 1 for ARP request, 2 for an ARP reply • 8-13: Source MAC • 14-17: Source IP • 18-23: Target MAC • 24-27: Target IP
ARP Packet Ethereal dissection of an ARP packet
Monitoring Tools • Arpwatch • monitors ethernet activity and keeps a database of ethernet/ip address pairings.
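The byte offsets from the ARP packet slide and the pairing database described for Arpwatch can be combined in a few lines. This is an added example, not Arpwatch's own code and not from the original slides; `PairingDB`, `build_arp` and the forged MAC 00:11:22:33:44:55 are hypothetical names and constructed values.

```python
import struct

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b):
    return ".".join(str(x) for x in b)

def parse_arp(payload):
    """Decode a 28-byte Ethernet/IPv4 ARP packet using the offsets listed above."""
    if len(payload) < 28:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (0x0001, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {"op": op,
            "src_mac": mac_str(payload[8:14]), "src_ip": ip_str(payload[14:18]),
            "dst_mac": mac_str(payload[18:24]), "dst_ip": ip_str(payload[24:28])}

class PairingDB:
    """Table of IP -> MAC pairings learned from the sender fields of ARP packets."""
    def __init__(self):
        self.pairs = {}

    def observe(self, payload):
        arp = parse_arp(payload)
        ip, mac = arp["src_ip"], arp["src_mac"]
        old = self.pairs.get(ip)
        self.pairs[ip] = mac
        if old is None:
            return ("new", ip, mac)
        if old != mac:
            return ("changed", ip, old, mac)  # same IP now claimed by another MAC
        return None

def build_arp(op, src_mac, src_ip, dst_mac, dst_ip):
    """Build a constructed sample packet for the demonstration."""
    raw = lambda s, sep, base: bytes(int(p, base) for p in s.split(sep))
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + raw(src_mac, ":", 16) + raw(src_ip, ".", 10)
            + raw(dst_mac, ":", 16) + raw(dst_ip, ".", 10))

def demo():
    db = PairingDB()
    # Constructed traffic: the reply from the ARP slide, repeated, then a second MAC claiming the IP.
    genuine = build_arp(2, "a0:a0:a0:a0:a0:a0", "10.10.10.101", "00:01:02:03:04:05", "10.10.10.100")
    forged = build_arp(2, "00:11:22:33:44:55", "10.10.10.101", "00:01:02:03:04:05", "10.10.10.100")
    return [db.observe(p) for p in (genuine, genuine, forged)]
```

A "changed" event is only a lead: a replaced NIC or a reassigned DHCP address produces the same record, so it has to be checked against asset and lease data.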
Attacks on ARP • Packet generators for various OS. • Allow an attacker to subvert a chosen protocol • hping2 for Windows. • *NIX, XWindows: • packit • http://sourceforge.net/projects/packitgui/ • IP Sorcery • and many, many more. • Used to create arbitrary packets
Attacks on ARP • Switch Flooding • Switches contain a switch address table. • Switch address table associates ports with MAC addresses. • Switch flooding creates many false entries. • Switches fail in two different modes: • Fail open: • Switch converts into a hub. • This allows traffic through the switch to be monitored from any port. • Fail closed: • Switch stops functioning. • Denial of Service (DoS) attack
Attacks on ARP • ARP Poisoning: [Diagram: attacker, switch, victim, router, outside world]
Attacks on ARP • ARP Poisoning: Attacker configures IP forwarding to send packets to the default router for the LAN. [Diagram: attacker, switch, victim, router, outside world]
Attacks on ARP • ARP Poisoning: Attacker sends fake ARP to remap default router IP address to his MAC address. [Diagram: attacker, switch, victim, router, outside world]
Attacks on ARP • ARP Poisoning: Switch now takes packet from victim and forwards it to attacker. [Diagram: attacker, switch, victim, router, outside world]
Attacks on ARP • ARP Poisoning: Attacker's machine intercepts message for sniffing and sends it back to the switch with the MAC address of router. [Diagram: attacker, switch, victim, router, outside world]
Attacks on ARP http://www.watchguard.com/
RARP • RARP (Reverse Address Resolution Protocol) • Used to allow diskless systems to obtain a static IP address. • System requests an IP address from another machine (with its MAC-address). • Responder either uses DNS with name-to-Ethernet address or looks up a MAC to IP ARP table. • Administrator needs to place table in a gateway. • RARP-daemon (RARP-d) responds to RARP requests.
RARP • RARP vulnerability • Use RARP together with ARP spoofing to request an IP address and take part in communications over the network.
RARP Packet • Packet format as in ARP: • 0-1: Hardware type (0x0001 – Ethernet) • 2-3: Protocol type (0x0800 – IP) • 4: Number of bytes in hardware address (6 for MAC) • 5: Number of bytes in protocol address (4 for IP) • 6-7: Opcode: 1 for ARP request, 2 for an ARP reply • 8-13: Source MAC • 14-17: Source IP • 18-23: Target MAC • 24-27: Target IP
IP • Uses IP addresses of source and destination. • IP datagrams are moved from hop to hop. • “Best Effort” service. • Corrupted datagrams are detected and dropped.
IP • Addresses contain IP address and port number. • IPv4 addresses are 32 bits long. • IPv6 addresses are 8*16 bits long.
IP: ICMP • Internet Control Message Protocol • Created to deal with non-transient problems. For example • Fragmentation is necessary, but the No Frag flag is set. • UDP datagram sent to a non-listening port. • Ping. • Used to detect network connectivity before it became too useful for attack reconnaissance. • Does not use ports. • Allows broadcasting. • More on ICMP later
IP: ICMP • ICMP error messages should not be sent: • For any fragment but the first. • In response to a datagram whose source address is a broadcast or loopback address. • Such datagrams are probably malicious, anyway. • Otherwise, ICMP messages could proliferate and throttle a network.
IP: ICMP • ICMP errors are not sent: • In response to an ICMP error message. • Otherwise, craft a message with invalid UDP source and destination port. Then watch ICMP ping-pong. • In response to a datagram sent to a destination broadcast address. • Don't answer with destination unreachable for a broadcast. Otherwise, this makes it trivial to scan a network.
Transport Layer: TCP and UDP • Transmission Control Protocol (TCP) • Reliable • Connection-Oriented. • Slow • User Datagram Protocol (UDP) • Unreliable • Connectionless. • Fast.
TCP • Only supports unicasting. • Full duplex connection. • Message numbers to prevent loss of messages.
TCP: Three Way Handshake • Initiator to responder: SYN(s) • Responder to initiator: ACK(s), SYN(t) • Initiator to responder: ACK(t) • Sets up two connections with initial message numbers s and t.
TCP: Three Way Handshake • 20:13:34.972069 IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: S 2882650416:2882650416(0) win 16384 <mss 1460,nop,nop,sackOK> (DF) • 20:13:34.972487 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1316: S 1012352000:1012352000(0) ack 2882650417 win 32768 <mss 1460> (DF) • 20:13:34.972500 IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: . ack 1 win 17520 (DF) [Slide callouts: Sequence number; Flag; Window: number of bytes accepted]
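The relationship between the initial sequence numbers s and t and the acknowledgements can be checked directly against the three tcpdump lines above. This is an added example, not part of the original slides; the regular expression covers only the old-style tcpdump text format shown here, and it assumes tcpdump's default of printing relative numbers once the connection is established, which is why the last line reads "ack 1".

```python
import re

# Old-style tcpdump text: time, "IP", src > dst:, flags, optional seq range, optional ack.
LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFPRW.]+)"
    r"(?: (?P<seq>\d+):\d+\(\d+\))?(?: ack (?P<ack>\d+))?")

# The three lines from the slide, copied unchanged.
HANDSHAKE = [
    "20:13:34.972069 IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: "
    "S 2882650416:2882650416(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)",
    "20:13:34.972487 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1316: "
    "S 1012352000:1012352000(0) ack 2882650417 win 32768 <mss 1460> (DF)",
    "20:13:34.972500 IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: "
    ". ack 1 win 17520 (DF)",
]

def parse(line):
    m = LINE.match(line)
    if m is None:
        raise ValueError(f"unrecognized tcpdump line: {line!r}")
    return m.groupdict()

def check_handshake(lines):
    """Verify SYN(s), ACK(s)+SYN(t), ACK(t) across three consecutive lines."""
    syn, synack, ack = (parse(l) for l in lines)
    s, t = int(syn["seq"]), int(synack["seq"])
    return {
        "s": s,
        "t": t,
        "syn_is_bare": syn["flags"] == "S" and syn["ack"] is None,
        "reply_reverses_direction":
            (synack["src"], synack["dst"]) == (syn["dst"], syn["src"]),
        # The responder acknowledges s by sending s + 1 (sequence space is 32 bits).
        "synack_acks_s_plus_1":
            synack["flags"] == "S" and int(synack["ack"]) == (s + 1) % 2**32,
        # Relative form prints 1; with absolute numbering it would be t + 1.
        "final_ack_matches_t":
            ack["flags"] == "." and int(ack["ack"]) in (1, (t + 1) % 2**32),
    }

if __name__ == "__main__":
    print(check_handshake(HANDSHAKE))
```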