router forensics

Posted on 15-Jul-2015


Category:

Engineering


TRANSCRIPT

TARUNA SINGH 1208213035

AGENDA
- Introduction
- Overview of Routers
- Router Attack Topology
- Common Router Attacks
- Performing Forensics
- Incident Investigation
- Accessing the Router
- Documentation
- What are the "BAD GUYS" doing
- What are the "GOOD GUYS" doing
- Why do we need to protect Router Resources
- Why do we need Router Forensics

INTRODUCTION

Router forensics is the application of proven scientific methods and techniques to recover data from a router after an intruder attack, and to handle that data forensically: documenting the incident and preserving evidence in a form that law enforcement can use.

WHAT IS ROUTER?

A router is a computer that specializes in forwarding packets over a data network. Routers interconnect networks by selecting the best path for each packet to travel to its destination.

HOW DOES ROUTER WORK

Routers forward data packets from one router to the next, using routing protocols and the routing table to choose the optimum path.

The routing table holds, for each known destination network, fields such as the destination prefix, the source of the route (connected, static, or learned from a protocol), the next-hop address, the outgoing interface and a metric. Because an attacker who can change these fields can redirect traffic, the table is one of the first things an investigator reviews.

COMMUNICATION WITH ROUTERS

- Through a local (console) cable
- Through a modem
- Through terminal emulation software

ROUTER COMPONENTS

- ROM: holds the bootstrap code
- POST: the power-on self-test, run from ROM at start-up
- IOS: the operating system image
- RAM: the running configuration, routing table and ARP cache; volatile, lost on reboot
- Flash memory: stores the IOS image
- NVRAM: stores the startup configuration

PORTS ON ROUTER

- LAN ports
- WAN ports
- Administrative ports
  - Console port
  - Auxiliary port

MODES OF ROUTER

- Setup mode: the initial configuration dialog
- User EXEC mode (prompt Router>): limited show commands
- Privileged EXEC mode (prompt Router#, entered with enable): full show and debug commands
- Global configuration mode (prompt Router(config)#): changes device-wide settings
- Interface configuration mode (prompt Router(config-if)#): changes a single interface

An investigator works in privileged EXEC mode to read state, and stays out of the configuration modes so the evidence is not altered.

ROUTER ATTACK TOPOLOGY

- Reconnaissance
- Scanning and enumeration
- Gaining access
- Escalation of privilege
- Maintaining access
- Covering tracks and placing backdoors

COMMON ROUTER ATTACKS

- Denial of Service attacks
- Packet mistreating attacks
- Routing table poisoning
- Hit-and-run attacks
- Persistent attacks

PERFORMING FORENSICS

- Collection
- Examination
- Analysis
- Reporting

GATHER VOLATILE ROUTER DATA

- Connect to the console port; this needs a console cable and a laptop running terminal emulation software.
- Record the system time (show clock) alongside your own clock, and determine who is logged on (show users).
- Save the router configuration (show running-config and show startup-config); a difference between the two is itself evidence.
- Review the routing table (show ip route) to detect malicious static routes added or modified by the attacker.
- View the ARP cache (show arp) for evidence of IP or MAC spoofing, such as one MAC address claimed by several IP addresses.

INCIDENT INVESTIGATION

- Direct compromise: via physical access, listening services, password guessing, TFTP, console access
- Routing table manipulations: by modifying routing protocols (RIP, IGRP); review the routing table with "show ip route"
- Theft of information: exposure of access control policy and network topology
- DoS: resource and bandwidth consumption reduces functionality and network bandwidth


FOR RECOVERY:
- Eliminate listening services
- Upgrade the software
- Restrict access
- Require authentication
- Change all passwords
- Avoid password reuse
- Remove static routing entries

ACCESSING THE ROUTER

DO
- Access the router through the console
- Record your entire console session
- Run show commands
- Record the actual time and the router's time
- Record the volatile information

DON'T
- Reboot the router
- Access the router through the network
- Run configuration commands
- Rely only on persistent information
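To show what the volatile-data checklist and the DO/DON'T list above amount to in practice, here is an added example that is not part of the original slides. It triages a recorded console session offline, on the analyst's machine: it splits the capture by the show command that produced each block of output, records the analyst's own clock next to the router's, lists remote (non-console) login sessions, extracts static routes, and flags MAC addresses claimed by more than one IP address in the ARP cache. The session text is constructed; the hostname, addresses and MACs are invented, and the output layout imitates Cisco IOS formatting.

```python
"""Offline triage of a recorded router console session (Cisco IOS-style output).

Added example, not from the original slides. SESSION is constructed: the
hostname, addresses and MAC addresses are invented for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed capture of the volatile-data commands from the checklist.
SESSION = """
rtr1#show clock
*14:02:11.331 UTC Wed Jul 15 2015
rtr1#show users
    Line       User       Host(s)              Idle       Location
*  0 con 0     admin      idle                 00:00:00
   2 vty 0     svc        idle                 00:04:12 203.0.113.45
rtr1#show ip route
Codes: C - connected, S - static, R - RIP, O - OSPF
Gateway of last resort is 198.51.100.1 to network 0.0.0.0
S*   0.0.0.0/0 [1/0] via 198.51.100.1
C    192.168.10.0/24 is directly connected, GigabitEthernet0/1
R    192.168.20.0/24 [120/1] via 192.168.10.254, 00:00:07, GigabitEthernet0/1
S    10.50.0.0/16 [1/0] via 203.0.113.45
rtr1#show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.10.1            -   0011.2233.4455  ARPA   GigabitEthernet0/1
Internet  192.168.10.20          12   aabb.cc00.0120  ARPA   GigabitEthernet0/1
Internet  192.168.10.254          3   aabb.cc00.0120  ARPA   GigabitEthernet0/1
Internet  192.168.10.77           8   aabb.cc00.0177  ARPA   GigabitEthernet0/1
"""

# A prompt line: hostname, '#' or '>', then the show command that was typed.
PROMPT_RE = re.compile(r"^\S+[#>]\s*(show\s.+?)\s*$")
# Static route lines start with code S (S* marks the default route).
ROUTE_RE = re.compile(
    r"^(S\*?)\s+(\d+\.\d+\.\d+\.\d+/\d+)\s+\[[\d/]+\]\s+via\s+(\d+\.\d+\.\d+\.\d+)")
# show users rows: line type/number, user, host, idle, optional source location.
USER_RE = re.compile(
    r"^\*?\s*\d+\s+(con|vty|aux)\s+(\d+)\s+(\S+)\s+\S+\s+\S+(?:\s+(\S+))?\s*$")
# show arp rows: IP address, age, dotted-hex MAC address.
ARP_RE = re.compile(
    r"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+\S+\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})")


def split_by_command(session):
    """Map each 'show ...' command in the capture to the output that followed it."""
    outputs = defaultdict(list)
    current = None
    for line in session.splitlines():
        m = PROMPT_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if current is not None and line.strip():
            outputs[current].append(line)
    return {cmd: "\n".join(lines) for cmd, lines in outputs.items()}


def router_time(outputs):
    """The router's own clock, to be compared with the analyst's clock."""
    lines = outputs.get("show clock", "").splitlines()
    return lines[0].strip() if lines else None


def remote_sessions(outputs):
    """Logged-in lines other than the console: (line, user, source address)."""
    found = []
    for line in outputs.get("show users", "").splitlines():
        m = USER_RE.match(line)
        if m and m.group(1) != "con":
            found.append((f"{m.group(1)} {m.group(2)}", m.group(3), m.group(4)))
    return found


def static_routes(outputs):
    """Static entries in 'show ip route' as (prefix, next hop); candidates for removal."""
    routes = []
    for line in outputs.get("show ip route", "").splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.append((m.group(2), m.group(3)))
    return routes


def arp_mac_conflicts(outputs):
    """MAC addresses claimed by more than one IP: a lead for ARP spoofing."""
    by_mac = defaultdict(list)
    for line in outputs.get("show arp", "").splitlines():
        m = ARP_RE.match(line)
        if m:
            by_mac[m.group(2)].append(m.group(1))
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def triage(session):
    """Summarise the volatile evidence in one recorded session."""
    outputs = split_by_command(session)
    return {
        "collected_at": datetime.now(timezone.utc).isoformat(),  # analyst's clock
        "router_time": router_time(outputs),
        "remote_sessions": remote_sessions(outputs),
        "static_routes": static_routes(outputs),
        "arp_mac_conflicts": arp_mac_conflicts(outputs),
    }


if __name__ == "__main__":
    for key, value in triage(SESSION).items():
        print(f"{key}: {value}")
```

Run it against the saved session log, not on the router: the parsing happens on the analyst's machine, so nothing is executed on the device beyond the show commands already recorded. A duplicated MAC is a lead, not proof; a multihomed host or a virtual gateway address can produce the same pattern, so confirm against the switch's MAC address table before concluding spoofing. In the constructed sample, the static route for 10.50.0.0/16 points at the same address that holds a remote vty session, which is the kind of correlation the routing-table review above is meant to surface.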

DOCUMENTATION

- Chain of custody: to prove the integrity of the evidence
- Case reports: employee remediation, employee termination, civil proceedings, criminal prosecution, case summary, bookmarks
- Incident response: the effort of an organisation to define and document the nature and scope of a computer security incident

WHAT THE “BAD GUYS” ARE DOING

- Internet Router Protocol Attack Suite (IRPAS): a suite of tools designed to abuse inherent design insecurity in routers and routing protocols. Tools: ass, igrp, hsrp
- VIPPR: can be used to establish a MITM position for compromised routers
- UltimaRatio: working exploit tool for use against 1000, 1600/1700 and 2600 series routers
- Research

WHAT THE GOOD GUYS ARE DOING

- Router Audit Tool (RAT): written in Perl, highly customizable, a passive tool that analyzes a Cisco router configuration, scores the overall security of the router, and runs on Unix and Windows systems
- Books and white papers on securing routers
- Employing strong authentication: encrypted management traffic, two-factor authentication, a centralised authentication source

WHY WE NEED TO PROTECT ROUTER RESOURCES

- Often the "heart" of the network
- Gaining a lot more attention from attackers
- Few procedures on hardening routers
- Routers are much slower to get upgraded to fix security bugs
- Few people monitor their configurations regularly
- Few security measures in place
- There are millions of them

NEED FOR ROUTER FORENSICS

- Operational troubleshooting
- Log monitoring
- Data recovery
- Data acquisition
- Due diligence / regulatory compliance
