
COEN 252 Computer Forensics






Presentation Transcript


  1. COEN 252 Computer Forensics Network Protocols Overview for Network Forensics

  2. Network Protocols: Layering
     • Complexity of networking leads to layered architectures.
     • TCP/IP stack has four levels.
     • OSI has seven.

  3. Network Protocols: Layering

  4. Network Protocols: Layering
     • Each layer adds a header.
       • Application
       • TCP
       • IP
       • Link

  5. Link Layer
     • Network Interface Cards (NIC)
     • Unique Medium Access Control (MAC) number
       • Format: 48 bits, written as twelve hex digits.
       • First six digits identify the vendor.
       • Last six digits are the serial number.
     • NICs either select frames based on the MAC address or are in promiscuous mode (capture every packet).

  6. Link Layer
     • Address Resolution Protocol (ARP)
       • Resolves IP addresses to MAC addresses
       • RFC 826

  7. Link Layer: ARP Resolution Protocol
     • Assume node A with IP address 10.10.10.100 and MAC 00:01:02:03:04:05 wants to talk to IP address 10.10.10.101.
     • A sends out a broadcast who-has request:
       00:01:02:03:04:05; ff:ff:ff:ff:ff:ff; arp 42 who-has 10.10.10.101
     • All devices on the link capture the packet and pass it to the IP layer.
     • 10.10.10.101 is the only one to answer:
       a0:a0:a0:a0:a0:a0; 00:01:02:03:04:05; arp 64; arp reply 10.10.10.101 is-at a0:a0:a0:a0:a0:a0
     • A caches the value in its ARP cache.

  8. Link Layer: ARP Resolution Protocol ARP requests:

  9. Link Layer Forensics Network monitoring tools such as Argus or Ethereal log MAC addresses.

  10. Link Layer Forensics
     Example: A spike in network traffic comes from a computer with a certain IP address. However, Argus logs reveal that the traffic comes from a computer with a different MAC than the computer assigned that IP (spoofing). Finally, intrusion response finds the computer with that MAC: a Linux laptop that has been compromised and is being used for a Denial of Service attack.

  11. Link Layer Forensics
     • The ARP cache can be viewed on Windows NT/2000/XP with the arp -a command.

  12. ATM
     • ATM
       • uses fiber optic cables and ATM switches.
       • encapsulates data into ATM cells.
       • a number identifies the circuit that ATM has established between two computers.
     • ATMARP allows machines to discover MAC addresses.
       • ATMARP has a central server that responds to ARP requests.
     • ATM forensics is similar.

  13. Link Layer Evidence
     • Sniffers in promiscuous mode.
     • Intruders also use sniffers.
       • Typically monitor traffic to / from the compromised system.
       • Sometimes they monitor themselves coming back to look at the sniffer logs.
     • Intruders sometimes encrypt their traffic.
       • But the sniffers still see the packets; they just cannot read them.
     • Installing sniffers can violate wire-tapping and other laws and is resource-intensive.
     • FreeBSD / OpenBSD seem to be the best platforms.

  14. Link Layer Evidence
     • Sniffer location:
       • On the compromised machine.
         • Evidence not trustworthy.
       • Nearby host.
       • Switched Port Analyzer (SPAN)
         • Copies network traffic from one switch port to another.
         • Only copies valid Ethernet packets.
         • Does not duplicate all error information.
         • The copying process has lower priority and some packets might not be mirrored.
         • Misses out on traffic on the local link.

  15. Link Layer Evidence
     • Sniffer configuration
       • Can capture entire frames.
       • Or only the first part.
         • Tcpdump default setting.

  16. Link Layer Evidence
     • Some organizations log ARP information.
     • Routers keep ARP tables.
       • show ip arp
     • All hosts keep ARP tables.
     • DHCP often assigns addresses only to computers with known MACs.

  17. Link Layer Evidence
     An employee received harassing e-mail from a host on the employer’s network with IP address 192.168.1.65. The DHCP server database showed that this IP was assigned to a computer with MAC address 00:00:48:5c:3a:6c. This MAC belonged to a network printer. The router’s ARP table showed that the IP address 192.168.1.65 was used by a computer with MAC 00:30:65:4b:2a:5c. Although this MAC was not on the organization’s list, there were only a few Apple computers on the network and the culprit was soon found.
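As an added example (not part of the original slides), the cross-check from slide 17 done mechanically in Python: it parses a Cisco-style `show ip arp` listing (slide 16), normalises the dotted and colon MAC notations, and reports every IP whose live ARP binding differs from the DHCP lease, with a vendor hint from the first three bytes of the MAC (slide 5). The lease table, ARP listing and OUI hints are constructed sample data modelled on the incident, not the organisation's real logs.

```python
import re

# Constructed sample data modelled on the incident in slide 17 (not real logs).
DHCP_LEASES = {                            # ip -> MAC the DHCP server leased it to
    "192.168.1.65": "00:00:48:5c:3a:6c",   # a network printer
    "192.168.1.66": "00:30:65:11:22:33",
}
ROUTER_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.1             -   0000.0c07.ac01  ARPA   Vlan1
Internet  192.168.1.65            0   0030.654b.2a5c  ARPA   Vlan1
Internet  192.168.1.66            3   0030.6511.2233  ARPA   Vlan1
"""
# Hypothetical vendor hints keyed by the OUI (first three bytes of the MAC).
OUI_HINTS = {"00:00:48": "printer vendor (constructed)", "00:30:65": "Apple (constructed)"}

def normalize_mac(mac):
    """Accept Cisco dotted (0030.654b.2a5c) or colon form; return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_show_ip_arp(text):
    """Turn 'show ip arp' output into {ip: normalised MAC}; the header line is skipped."""
    table = {}
    for line in text.splitlines():
        m = re.match(r"Internet\s+(\S+)\s+\S+\s+([0-9a-fA-F.]+)\s", line)
        if m:
            table[m.group(1)] = normalize_mac(m.group(2))
    return table

def find_mac_mismatches(dhcp_leases, arp_table):
    """Return [(ip, leased_mac, observed_mac, oui_hint)] for every IP whose router
    ARP binding (the MAC actually answering) differs from the DHCP lease."""
    mismatches = []
    for ip, leased in dhcp_leases.items():
        leased = normalize_mac(leased)
        observed = arp_table.get(ip)
        if observed is not None and observed != leased:
            hint = OUI_HINTS.get(observed[:8], "unknown OUI")
            mismatches.append((ip, leased, observed, hint))
    return mismatches

if __name__ == "__main__":
    for row in find_mac_mismatches(DHCP_LEASES, parse_show_ip_arp(ROUTER_ARP)):
        print("IP %s leased to %s but answered by %s (%s)" % row)
```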

  18. Link Layer Evidence
     • Analyze and filter log files:
       • Keyword searches
         • E.g. for USER, PASS, login
         • Nicknames, channel names
       • Filters
       • Reconstruction
         • E.g. contents of a web-mail inbox.

  19. Link Layer Evidence NetIntercept Screenshot

  20. IP
     • Uses IP addresses of source and destination.
     • IP datagrams are moved from hop to hop.
     • “Best Effort” service.
       • Corrupted datagrams are detected and dropped.

  21. IP
     • Addresses contain IP address and port number.
     • IPv4 addresses are 32 bits long.
     • IPv6 addresses are 8*16 bits long.

  22. IP: ICMP
     • Internet Control Message Protocol
     • Created to deal with non-transient problems:
       • Fragmentation is necessary, but the No Frag flag is set.
       • UDP datagram sent to a non-listening port.
       • Ping.

  23. IP: ICMP
     • ICMP error messages should not be sent:
       • For any but the first fragment.
       • For a source address that is a broadcast or loopback address.
         • Such packets are probably malicious, anyway.

  24. IP: ICMP
     • ICMP errors are not sent:
       • In response to an ICMP error message.
         • Otherwise, craft a message with invalid UDP source and destination port. Then watch ICMP ping-ponging.
       • To a destination broadcast address.
         • Don’t answer with destination unreachable for a broadcast. Otherwise, this makes it trivial to scan a network.

  25. Transport Layer: TCP and UDP
     • Transmission Control Protocol (TCP)
       • Reliable
       • Connection-oriented.
       • Slow
     • User Datagram Protocol (UDP)
       • Unreliable
       • Connectionless.
       • Fast.

  26. TCP
     • Only supports unicasting.
     • Full duplex connection.
     • Message numbers to prevent loss of messages.

  27. TCP: Three Way Handshake
     • Initiator to responder: Syn(s)
     • Responder to initiator: Ack(s), Syn(t)
     • Initiator to responder: Ack(t)
     • Sets up two connections with initial message numbers s and t.

  28. TCP: Three Way Handshake
     • 20:13:34.972069 IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: S 2882650416:2882650416(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
     • 20:13:34.972487 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1316: S 1012352000:1012352000(0) ack 2882650417 win 32768 <mss 1460> (DF)
     • 20:13:34.972500 IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: . ack 1 win 17520 (DF)

  29. TCP: Terminating Connections
     • Graceful shutdown
       • Party 1 to Party 2: Fin
       • Party 2 to Party 1: Ack
       • Party 2 to Party 1: Fin
       • Party 1 to Party 2: Ack
     • Abrupt shutdown
       • Party 1 to Party 2: Rst (reset)

  30. TCP: Shutting down a connection
     • 20:48:45.221851 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: P 4:5(1) ack 5 win 16958 (DF)
     • 20:48:45.226300 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 5:7(2) ack 5 win 32768 (DF)
     • 20:48:45.231650 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 7:23(16) ack 5 win 32768 (DF)
     • 20:48:45.231666 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 23 win 16940 (DF)
     • 20:48:45.235303 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: F 23:23(0) ack 5 win 32768 (DF)
     • 20:48:45.235331 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 24 win 16940 (DF)
     • 20:48:45.235494 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: F 5:5(0) ack 24 win 16940 (DF)
     • 20:48:45.236027 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: . ack 6 win 32767 (DF)
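An added example, not from the original slides, showing how the handshake (slide 28) and the graceful shutdown (slide 30) can be followed mechanically: a small Python tracker parses the old-style tcpdump TCP lines shown on those slides and drives a per-connection state machine, checking that the SYN/ACK acknowledges the initiator's ISN+1. The trace is an excerpt of the slides' own lines; the shutdown belongs to a second connection (port 1570) whose handshake was not captured, which the tracker reports as traffic seen mid-stream.

```python
import re

# Excerpt of the tcpdump lines from slides 28 and 30: handshake on port 1316, then the
# FIN exchange of a separate, already-open connection on port 1570.
TRACE = """\
20:13:34.972069 IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: S 2882650416:2882650416(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
20:13:34.972487 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1316: S 1012352000:1012352000(0) ack 2882650417 win 32768 <mss 1460> (DF)
20:13:34.972500 IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: . ack 1 win 17520 (DF)
20:48:45.235303 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: F 23:23(0) ack 5 win 32768 (DF)
20:48:45.235331 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 24 win 16940 (DF)
20:48:45.235494 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: F 5:5(0) ack 24 win 16940 (DF)
20:48:45.236027 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: . ack 6 win 32767 (DF)
"""
# Old tcpdump TCP line: ts IP src.port > dst.port: FLAGS [seq:end(len)] [ack N] win W ...
LINE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
                  r"(?P<flags>[SFRP.]+)(?: (?P<seq>\d+):\d+\(\d+\))?(?: ack (?P<ack>\d+))?")

def track_connections(trace):
    """Return {(first-seen src, dst): {"state": ..., "notes": [...]}} for every connection."""
    flows = {}
    for line in trace.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        p = m.groupdict()
        src, dst = (p["src"], int(p["sport"])), (p["dst"], int(p["dport"]))
        key = (dst, src) if (dst, src) in flows else (src, dst)   # one entry per connection
        f = flows.setdefault(key, {"state": "NEW", "isn": {}, "fins": set(), "notes": []})
        flags, ack = p["flags"], p["ack"]
        if "S" in flags and ack is None:                          # SYN: initiator picks s
            f["isn"][src] = int(p["seq"]); f["state"] = "SYN_SENT"
        elif "S" in flags:                                        # SYN/ACK: must ack s+1, picks t
            if f["isn"].get(dst) is None or int(ack) != f["isn"][dst] + 1:
                f["notes"].append("SYN/ACK does not acknowledge ISN+1")
            f["isn"][src] = int(p["seq"]); f["state"] = "SYN_RECEIVED"
        elif f["state"] == "SYN_RECEIVED" and ack is not None:    # third leg: ack t+1
            f["state"] = "ESTABLISHED"
        elif f["state"] == "NEW":                                 # traffic with no handshake seen
            f["state"] = "MIDSTREAM"; f["notes"].append("no handshake seen for this flow")
        if "R" in flags:
            f["state"] = "RESET"                                  # abrupt shutdown
        if "F" in flags:
            f["fins"].add(src)
        if len(f["fins"]) == 2 and f["state"] != "RESET":          # both sides sent FIN
            f["state"] = "CLOSED"
    return flows

def connection_states(trace):
    """Convenience view: {"host:port->host:port": (state, notes)}."""
    return {"%s:%d->%s:%d" % (k[0] + k[1]): (v["state"], v["notes"])
            for k, v in track_connections(trace).items()}
```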

  31. TCP: Exchanging Data
     • Each packet has a sequence number.
       • (One for each direction.)
     • Initial sequence numbers are created during the initial three way handshake.
     • NMap uses the creation of these sequence numbers to determine the OS.
     • OSes are now much better at generating truly random sequence numbers.

  32. TCP: Exchanging Data
     • The party that receives a packet sends an acknowledgement.
     • The acknowledgement consists of:
       • Ack flag.
       • Sequence number of the next packet to be expected.

  33. TCP: Exchanging Data
     • If a packet is lost, then the ack number will not change:
       • “Duplicate acknowledgement”
       • Depending on settings, the sender will resend after at most three duplicate ack numbers.
       • Also, resend after timeout.

  34. TCP: Exchanging Data
     • 20:48:45.087563 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 4 win 16959 (DF)
     • 20:48:45.087583 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: P 3:4(1) ack 4 win 16959 (DF)
     • 20:48:45.096443 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 4:5(1) ack 4 win 32768 (DF)
     • 20:48:45.221851 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: P 4:5(1) ack 5 win 16958 (DF)
     • 20:48:45.226300 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 5:7(2) ack 5 win 32768 (DF)
     • 20:48:45.231650 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 7:23(16) ack 5 win 32768 (DF)
     • 20:48:45.231666 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 23 win 16940 (DF)

  35. TCP flags
     • Part of TCP header
     • F : FIN - Finish; end of session
     • S : SYN - Synchronize; indicates request to start session
     • R : RST - Reset; drop a connection
     • P : PUSH - Push; packet is sent immediately
     • A : ACK - Acknowledgement
     • U : URG - Urgent
     • E : ECE - Explicit Congestion Notification Echo
     • W : CWR - Congestion Window Reduced

  36. UDP
     • “Send and pray”
     • No connection.
     • No special header like TCP.
     • Protocol field in the IP header is 0x11.
     • Another field in the IP header contains UDP specific header information.

  37. Fragmentation
     • An IP datagram can come across smaller maximum transmission units (MTUs) than its own size.
     • The forwarding node chops up the IP datagram into many IP datagrams, the fragments.

  38. Fragmentation
     • Fragments are reassembled at the destination.
     • Fragments carry:
       • Fragment identifier
       • Offset in original data portion
       • Length of data payload in fragment
       • Flag that indicates whether or not this is the final fragment.

  39. Fragmentation Example
     • Large Echo Request
       • ping -l 1480 129.218.19.198
     • Assume MTU is 1500

  40. Fragmentation

  41. Fragmentation: First Fragment

  42. Fragmentation: Second Fragment

  43. Fragmentation: Last Fragment

  44. Fragmentation
     ping -l 65500 129.218.19.198
     12:02:18.256066 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp 1472: echo request seq 6400 (frag 10712:1472@0+)
     12:02:18.257282 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@1472+)
     12:02:18.258498 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@2944+)
     12:02:18.258502 IP dhcp-19-115.engr.scu.edu.137 > 129.210.19.255.137: udp 50
     12:02:18.259714 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@4416+)
     12:02:18.261177 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@5888+)
     12:02:18.262389 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@7360+)
     12:02:18.263604 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@8832+)
     12:02:18.264820 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@10304+)
     12:02:18.266037 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@11776+)
     12:02:18.267495 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@13248+)
     12:02:18.268712 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@14720+)

  45. Fragmentation
     • DF (Don’t Fragment) Flag
       • If a forwarding node finds that the datagram needs to be fragmented but the DF flag is set, it should respond with ICMP host unreachable – need to fragment.
       • Useful to find the minimum MTU on a link.

  46. Fragmentation
     • Stateless firewalls look only at individual packets.
     • The protocol header is only in the first fragment.
     • “Stealth attacks / scans” have the evil payload only in the second and following fragments.

  47. Fragments: Teardrop and Friends
     • Teardrop (1997)
       • Fragments with overlapping offset fields.
       • Many contemporary OSes crashed, hung, or rebooted.
     • Jolt2
       • Single fragment with non-zero offset.
       • Receiving system allocates resources to reconstruct a datagram that never arrives.

  48. Fragments: Teardrop and Friends
     • Create fragments that seem to come from a GB datagram.
       • Trusting OS tries to allocate memory and dies.
     • Ping of Death
       • Win95 allowed sending a ping that was just a tad too long. The receiving host would crash.
     • Unnamed Attacks
       • Missing fragments lead to resource allocation.
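As an added example (not part of the original slides) of the reassembly sanity check a monitor can run, this Python code parses the `(frag id:len@offset+)` notes that tcpdump prints (the format on slide 44) and reports the conditions slides 47 and 48 describe: overlapping offsets (Teardrop), a chain that never starts at offset 0 (Jolt2), holes or a missing final fragment (a reassembly buffer held for a datagram that never completes), and a reassembled size over 65535 bytes (Ping of Death). The trace excerpt is four lines from slide 44; every other input is constructed.

```python
import re

# Four of the fragment lines from slide 44 (the capture on the slide is truncated, so the
# final fragment, which tcpdump prints without a trailing "+", never appears).
SLIDE_TRACE = """\
12:02:18.256066 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp 1472: echo request seq 6400 (frag 10712:1472@0+)
12:02:18.257282 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@1472+)
12:02:18.258498 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@2944+)
12:02:18.259714 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@4416+)
"""
# tcpdump fragment note: (frag <ip id>:<payload bytes>@<byte offset>[+]); "+" = more fragments follow
FRAG = re.compile(r"\(frag (\d+):(\d+)@(\d+)(\+?)\)")
IP_HEADER = 20           # bytes; header plus reassembled data must fit in one IP datagram
MAX_DATAGRAM = 65535

def parse_fragments(trace):
    """Group fragment notes by IP id -> [(offset, length, more_fragments)]."""
    groups = {}
    for line in trace.splitlines():
        m = FRAG.search(line)
        if m:
            fid, length, offset, more = m.groups()
            groups.setdefault(int(fid), []).append((int(offset), int(length), more == "+"))
    return groups

def check_datagram(frags):
    """Return a list of anomaly strings for one datagram's fragments; [] means it reassembles cleanly."""
    frags = sorted(frags)
    issues = []
    if frags[0][0] != 0:
        issues.append("no first fragment (offset 0)")         # Jolt2-style: nothing to start from
    expected = 0
    for offset, length, _ in frags:
        if offset < expected:
            issues.append("overlap at offset %d" % offset)   # Teardrop-style overlapping offsets
        elif offset > expected:
            issues.append("hole before offset %d" % offset)  # data missing; reassembly buffer held
        expected = max(expected, offset + length)
    if expected + IP_HEADER > MAX_DATAGRAM:
        issues.append("reassembled size exceeds 65535")       # Ping-of-Death-style oversize datagram
    if frags[-1][2]:
        issues.append("final fragment never seen")            # chain never terminates
    return issues

def check_trace(trace):
    """{ip id: issues} for every fragmented datagram found in a tcpdump text."""
    return {fid: check_datagram(frags) for fid, frags in parse_fragments(trace).items()}
```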

  49. ICMP
     • ICMP has no port numbers.
     • No acks, no message delivery guarantee.
     • http://www.iana.org/assignments/icmp-parameters
     • First Byte: Type
     • Second Byte: Code

  50. ICMP
     • Mapping Techniques.
       • Detect hosts that are up.
       • Detect OS through responses.
