computer forensics network protocols overview for network forensics
TRANSCRIPT
Computer Forensics
Network ProtocolsOverview for Network
Forensics
Focus of this presentation
ProtocolsWith a few anecdotes, how-to-dos and previews
thrown in.
Network Protocols: Layering
Complexity of networking leads to layered architectures. TCP/IP stack has four levels. OSI has seven.
Network Protocols: Layering
Network Protocols: Layering
Each layer adds a header. Application TCP IP Link
Repetition:Capturing Data on a Network Develop a threat model before
deploying Network Security Monitoring Internal / External Attacker Wireless / Wired / …
Develop Monitoring zoning Demilitarized zone Wireless zone Intranet zones
Repetition: Capturing Data on a Network
Wired monitoring Hubs SPAN ports Taps Inline devices
Repetition: Capturing Data on a Network
Hubs Broadcasts incoming data on all
interfaces. Be careful about NIC capacity
(10/100/1000 Mb/sec) Be careful about hub quality
Are inexpensive, but can introduce collisions on the links where the hub sits.
Repetition: Capturing Data on a Network Switched Port Analyzer (SPAN)
A.k.a. Port mirroring, Port monitoring. SPAN port located on enterprise class
switches. Copy traffic between certain ports to SPAN
port. Configurable
Easy access to traffic. Can make mistakes with configuration. Under heavy load, SPAN port might not
get all traffic. SPAN only allows monitoring of a single
switch.
Repetition: Capturing Data on a Network Test Access Port (TAP)
Networking device specifically designed for monitoring applications.
Typically four ports: Router Firewall Monitor traffic on remaining ports.
One port sees incoming, the other outgoing traffic.
Moderately high costs.
Repetition: Capturing Data on a Network
Specialized inline devices: Server or hardware device
Filtering bridges Server with OpenBSD and two NICs
Link Layer Network Interface Cards (NIC)
Unique Medium Access Control (MAC) number
Format 48b written as twelve hex bytes. First 6 identify vendor. Last 6 serial number.
NICs either select based on MAC address or are in promiscuous mode (capture every packet).
Link Layer
Address Resolution Protocol (ARP) Resolves IP addresses to MAC
addresses RFC 826
Link Layer: ARP Resolution Protocol
Assume node A with IP address 10.10.10.100 and MAC 00:01:02:03:04:05 wants to talk to IP address 10.10.10.101.
Sends out a broadcast who-has request:00:01:02:03:04:05; ff:ff:ff:ff:ff:ff; arp 42 who-has
10.10.10.101 All devices on the link capture the packet and
pass it to the IP layer. 10.10.10.101 is the only one to answer:
a0:a0:a0:a0:a0:a0; 00:01:02:03:04:05; arp 64; arp reply 10.10.10.101 is-at a0:a0:a0:a0:a0:a0
A caches the value in its arp cache.
Link Layer: ARP Resolution Protocol
ARP requests:
Link Layer: ARP Resolution Protocol
Link Layer Forensics
Network monitoring tools such as Argus or Ethereal log MAC addresses.
Link Layer Forensics
Example:Spike in network traffic comes from a computer with a certain IP address. However, Argus logs reveal that the traffic comes from a computer with a different MAC then the computer assigned that IP. (Spoofing)Finally, intrusion response finds the computer with that MAC, a Linux laptop that has been compromised and is used for a Denial of Service attack.
Link Layer Forensics
ARP cache can be viewed on Windows NT/2000/XP with arp –a command.
ATM ATM
uses fiber optic cables and ATM switches. encapsulates data into ATM cells. number identifies the circuit that ATM has
established between two computers. ATMARP allows machines to discover MAC
addresses. ATMARP has a central server that responds to ARP
requests. ATM forensics is similar.
Link Layer Evidence Sniffers in promiscuous mode. Intruders also use sniffers.
Typically monitor traffic to / from compromised system.
Sometimes they monitor themselves coming back to look at the sniffer logs.
Intruders sometimes encrypt their traffic. But the sniffers still see the packets, they just cannot
read them. Installing sniffers can violate the wire-tapping
and other laws and is resource-intensive. FreeBSD / OpenBSD seem to be the best platforms.
Link Layer Evidence Sniffer location:
On compromised machine. Evidence not trustworthy.
Nearby host. Switched Port Analyzer (SPAN)
Copies network traffic from one switch port to another
Only copy valid ethernet packets. Do not duplicate all error information. Copying process has lower priority and some
packets might not be mirrored. Misses out on traffic on the local link.
Link Layer Evidence
Sniffer configuration Can capture entire frames. Or only first part.
Tcpdump default setting.
Link Layer Evidence
Some organizations log ARP information.
Routers keep ARP tables. show ip arp
All hosts keep ARP tables. DHCP often assigns addresses only
to computers with known MAC.
Link Layer EvidenceAn employee received harassing e-mail from a host on the employer’s network with IP address 192.168.1.65.
DHCP server database showed that this IP was assigned to a computer with MAC address 00:00:48:5c:3a:6c.
This MAC belonged to a network printer.
The router’s ARP table showed that the IP address 192.168.1.65. was used by a computer with MAC 00:30:65:4b:2a:5c. (IP-spoofing)
Although this MAC was not on the organization’s list, there were only a few Apple computers on the network and the culprit was soon found.
Link Layer Evidence
Analyze and filter log files: Keyword searches
E.g. for USER, PASS, login Nicknames, channel names
Filters Reconstruction
E.g. contents of web-mail inbox.
Link Layer Evidence
NetIntercept Screenshot
An example for a Network Forensics / Network Intrusion Detection commercial tool that reveals link layer evidence
ARP Package RFC 826 ARP package :
0-1: Hardware type (0x0001 – Ethernet) 2-3: Protocol type (0x0800 – IP) 4: Number of bytes in hardware address (6 for MAC) 5: Number of bytes in protocol address (4 for IP) 6-7: Opcode: 1 for ARP request, 2 for an ARP reply 8-13: Source MAC 14-17: Source IP 18-23: Target MAC 24-27: Target IP
ARP Package
Ethereal deassembly of ARP package
Monitoring Tools
Arpwatch monitors ethernet activity and keeps
a database of ethernet/ip address pairings.
Attacks on ARP Package Generators for various OS.
Allow an attacker to subvert a chosen protocol
hping2 for Windows. *NIX, XWindows:
packit http://sourceforge.net/projects/packitgui/
IP Sorcery and many, many more.
Use to create arbitrary packages
Attacks on ARP Switch Flooding
Switches contain a switch address table. Switch address table associates ports with MAC
addresses. Switch flooding creates many false entries. Switches fail in two different modes:
Fail open: Switch converts into a hub.
This allows to monitor traffic through the switch from any port.
Fail closed: Switch stops functioning.
Denial of Service (DoS) attack
Attacks on ARP
ARP Poisoning:
victim
attacker
switch
router
Outside
world
Attacks on ARP ARP Poisoning: Attacker configures IP
forwarding to send packets to the default router for the LAN
victim
attacker
switch
router
Outside
world
Attacks on ARP
ARP Poisoning: Attacker sends fake ARP to remap default router IP address to his MAC address
victim
attacker
switch
router
Outside
world
Attacks on ARP
ARP Poisoning: Switch now takes packet from victim and forwards it to attacker.
victim
attacker
switch
router
Outside
world
Attacks on ARP
ARP Poisoning: Attackers machine intercepts message for sniffing and sends it back to the switch with the MAC address of router.
victim
attacker
switch
router
Outside
world
Attacks on ARP
http://www.watchguard.com/
RARP RARP (Reverse Address Resolution
Protocol) Used to allow diskless systems to obtain
a static IP address. System requests an IP address from another
machine (with its MAC-address). Responder either uses DNS with name-to-
Ethernet address or looks up a MAC to IP ARP table.
Administrator needs to place table in a gateway. RARP-daemon (RARP-d) responds to RARP
requests.
RARP
RARP vulnerability Use RARP together with ARP spoofing
to request an IP address and take part in communications over the network.
RARP Package
Package Format as in ARP: 0-1: Hardware type (0x0001 – Ethernet) 2-3: Protocol type (0x0800 – IP) 4: Number of bytes in hardware address (6 for MAC) 5: Number of bytes in protocol address (4 for IP) 6-7: Opcode: 1 for ARP request, 2 for an ARP reply 8-13: Source MAC 14-17: Source IP 18-23: Target MAC 24-27: Target IP
IP Uses IP addresses of source and
destination. IP datagrams are moved from hop
to hop. “Best Effort” service. Corrupted datagrams are detected
and dropped.
IP Addresses contain IP address and
port number. IPv4 addresses are 32 bit longs IPv6 addresses are 8*16 bits long.
IP: ICMP Internet Control Message Protocol Created to deal with non-transient problems. For
example Fragmentation is necessary, but the No Frag flag is set. UPD datagram sent to a non-listening port. Ping.
Used to detect network connectivity before it became too useful for attack reconnaissance.
Does not use ports. Allows broadcasting. More on ICMP later
IP: ICMP
ICMP error messages should not be sent: For any but the first fragment. A source address of broadcast or
loopback address. Are probably malicious, anyway.
Otherwise: ICMP messages could proliferate and throttle a network
IP: ICMP
ICMP errors are not sent: In response to an ICMP error
message. Otherwise, craft a message with invalid
UDP source and destination port. Then watch ICMP ping-pong.
A destination broadcast address. Don’t answer with destination
unreachable for a broadcast. Otherwise, this makes it trivial to scan a network.
Transport Layer: TCP and UDP Transmission Control Protocol (TCP)
Reliable Connection-Oriented. Slow
User Datagram Protocol (UDP) Unreliable Connectionless. Fast.
TCP
Only supports unicasting. Full duplex connection. Message numbers to prevent loss
of messages.
TCP:Three Way Handshake
Initiator to responder: Syns
Responder to initator: Acks, Synt
Initiator to responder: Ackt
Sets up two connections with initial message numbers s and t.
TCP:Three Way Handshake
20:13:34.972069 IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: S 2882650416:2882650416(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
20:13:34.972487 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1316: S 1012352000:1012352000(0) ack 2882650417 win 32768 <mss 1460> (DF)
20:13:34.972500 IP Bobadilla.scu.edu.1316 > server8.engr.scu.edu.23: . ack 1 win 17520 (DF)
Sequence number
Flag
Window: number of bytes accepted
TCP:Terminating Connections
Graceful shutdown Party 1 to Party 2: Fin Party 2 to Party 1: Ack Party 2 to Party 1: Fin Party 1 to Party 2: Ack
Abrupt shutdown Party 1 to Party 2: Res
TCP:Shutting down a connection
20:48:45.221851 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: P 4:5(1) ack 5 win 16958 (DF)
20:48:45.226300 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 5:7(2) ack 5 win 32768 (DF)
20:48:45.231650 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: P 7:23(16) ack 5 win 32768 (DF)
20:48:45.231666 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 23 win 16940 (DF)
20:48:45.235303 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: F 23:23(0) ack 5 win 32768 (DF)
20:48:45.235331 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 24 win 16940 (DF)
20:48:45.235494 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: F 5:5(0) ack 24 win 16940 (DF)
20:48:45.236027 IP server8.engr.scu.edu.23 > Bobadilla.scu.edu.1570: . ack 6 win 32767 (DF)
TCPExchanging Data
Each packet has a sequence number. (One for each direction.)
Initial sequence numbers are created during initial three way handshake. NMap uses the creation of these
sequence numbers to determine the OS.
OS are now much better with truly random sequence numbers.
TCP Exchanging Data
Party that receives packet sends an acknowledgement.
Acknowledgement consists in Ack flag. Sequence number of the next
package to be expected. (TCPDump shows number of bytes
acknowledged).
TCP Exchanging Data
If a package is lost, then the ack sequence number will not change: “Duplicate acknowledgement”
Depending on settings, sender will resend, after at most three stationary ack numbers.
Also, senders resend after timeout.
TCP Exchanging Data 20:48:45.087563 IP Bobadilla.scu.edu.1570 >
server8.engr.scu.edu.23: . ack 4 win 16959 (DF) 20:48:45.087583 IP Bobadilla.scu.edu.1570 >
server8.engr.scu.edu.23: P 3:4(1) ack 4 win 16959 (DF) 20:48:45.096443 IP server8.engr.scu.edu.23 >
Bobadilla.scu.edu.1570: P 4:5(1) ack 4 win 32768 (DF) 20:48:45.221851 IP Bobadilla.scu.edu.1570 >
server8.engr.scu.edu.23: P 4:5(1) ack 5 win 16958 (DF) 20:48:45.226300 IP server8.engr.scu.edu.23 >
Bobadilla.scu.edu.1570: P 5:7(2) ack 5 win 32768 (DF) 20:48:45.231650 IP server8.engr.scu.edu.23 >
Bobadilla.scu.edu.1570: P 7:23(16) ack 5 win 32768 (DF)
20:48:45.231666 IP Bobadilla.scu.edu.1570 > server8.engr.scu.edu.23: . ack 23 win 16940 (DF)
TCP flags Part of TCP header
F : FIN - Finish; end of session S : SYN - Synchronize; indicates request to start
session R : RST - Reset; drop a connection P : PUSH - Push; packet is sent immediately A : ACK - Acknowledgement U : URG - Urgent E : ECE - Explicit Congestion Notification Echo W : CWR - Congestion Window Reduced
TCP Example with Ethereal
TCP Example with Ethereal
First Syn message
TCP Example with Ethereal
This is the Syn-ack packet with sequence number 68 8d 5c ad and ack number 10 3f 21 1e
TCP Example with Ethereal
Syn number 10 3f 21 1e
Ack number 68 8d 5c ae
TCP Example with Ethereal
TCP Example with Ethereal
UDP
“Send and pray” No connection. No special header like TCP. Protocol field in the IP header is
0x11 Another field in the IP header
contains UDP specific header information
Fragmentation
IP datagram can come across smaller maximum transmission units than its own size.
Resender chops up the IP datagram into many IP datagrams, the fragments.
Fragmentation Fragments are reassembled at the
destination. Fragments carry:
Fragment identifier Offset in original data portion Length of data payload in fragment Flag that indicates whether or not this
is the final fragment.
Fragmentation
Example Large Echo Request ping -l 1480 129.218.19.198 Assume MTU is 1500
Fragmentation
Fragmentation: First Fragment
Fragmentation: Second Fragment
Fragmentation: Last Fragment
Fragmentation
ping –l 65500 129.218.19.198
12:02:18.256066 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp 1472: echo request seq 6400 (frag 10712:1472@0+)
12:02:18.257282 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@1472+)
12:02:18.258498 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag 10712:1472@2944+)
12:02:18.258502 IP dhcp-19-115.engr.scu.edu.137 > 129.210.19.255.137: udp 50 12:02:18.259714 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag
10712:1472@4416+)12:02:18.261177 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag
10712:1472@5888+)12:02:18.262389 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag
10712:1472@7360+)12:02:18.263604 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag
10712:1472@8832+)12:02:18.264820 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag
10712:1472@10304+)12:02:18.266037 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag
10712:1472@11776+)12:02:18.267495 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag
10712:1472@13248+)12:02:18.268712 IP dhcp-19-211.engr.scu.edu > Bobadilla.scu.edu: icmp (frag
10712:1472@14720+)
Fragmentation
DF (Don’t Fragment) Flag If forwarding node finds that the
datagram needs to be fragmented but that the DF flag is set, it should respond with ICMP host unreachable – need to fragment.
Useful to find minimum MTU on a link.
Fragmentation
Fragmentation has security implications Stateless firewalls look only at
individual packages. Protocol header is only in the first
fragment. “Stealth attacks / scans” have evil
payload only in the second and following fragments.
Fragments:Teardrop and Friends
Teardrop (1997) Fragments with overlapping offset
fields. Many contemporary OS crashed,
hang, rebooted. Jolt2
Single fragment with non-zero offset. Receiving system allocates resources
to reconstruct a datagram that never arrives.
Fragments:Teardrop and Friends
Create fragments that seem to come from a GB datagram. Trusting OS tries to allocate memory and
dies. Ping of Death
Win95 allowed to send a ping that was just a tad too long. Receiving host would crash.
Unnamed Attacks Missing fragments lead to resource
allocation.
ICMP Protocols like TCP can send error
messages themselves. Stateless protocols like UDP need
another mechanism to send error messages.
Host uses ICMP for Simple replies and requests Inform other hosts of some kind of error
condition. E.g.: To throttle delivery rate, receiving host
can use the ICMP source quench message. E.g.: Router can send “admin prohibited” ICMP
message.
ICMP ICMP has no port numbers. No acks, no message delivery guarantee Allows broadcasting ICMP types at http://www.iana.org/
assignments/icmp-parameters First Byte of package is Type Second Byte of package is Code
ICMP
Attackers can use ICMP for scanning: Mapping a network. Detect availability of target. Detect OS through the way that host
responds.
ICMP
Tireless Mapper Sends ICMP echo requests messages to all
possible IP addresses Many IDS might not capture this scan if the
number of packages per hour is small. Therefore: Firewalls should filter
incoming ping requests.
ICMP
Efficient Mapper Use the ICMP echo request with a
broadcast address. Ping 129.210.19.255
ICMP
Clever Mapper Use a different ICMP message such
as ICMP address mask. Determines the class of the
network
ICMP: Normal activity
Normal messages: Host unreachable Port unreachable Admin prohibited Need to fragment Time exceeded in transit
ICMP: Normal activity
Host unreachable Router at target host’s network
sends such a message. This gives out info to an attacker.
Some routers (Cisco) allow an access control list entry:
no ip unreachable
ICMP: Normal activity
Port unreachable target.host > sending.host: icmp:
target.host udp port ntp unreachable (DF)
Used for UDP TCP has the RESET message to
inform sender.
ICMP: Normal activity
Unreachable - Admin Prohibited Router informs sender that this
type of message cannot be forwarded. Router decision based on access
control list. Message leaks information to outside
scanner.
ICMP: Normal activity
Need to Frag Router informs sender that DF is
set, but that the package is larger than the MTU.
ICMP: Normal activity
Time Exceeded In-Transit Packages contain Time To Live
(TTL) value. Each router handling a package
decrements the TTL value. If TTL is zero, router discards
package and sends the Time Exceeded In-Transit message to the sender.
ICMP: Normal activity ICMP messages contain additional
date in the package. In particular: IP header followed by
eight bytes of protocol header and data of the original datagram.
Not all OS implementations do this in exactly the same way.
Nmap used this for OS fingerprinting. Lately, all TCP/IP stack implementations
have been fixed to remove OS idiosyncracies.
Malicious ICMP: Smurf Attack
Smurf attack on victim 129.219.19.198 Step 1: Send ICMP echo request to a
broadcast address with spoofed IP of 129.219.19.198
Step 2: Router allows in ICMP echo request to broadcast address
Step 3: All live hosts respond with ICMP echo reply to real machine with source IP 129.219.19.198
Malicious ICMP: Smurf Attack
ISMP Smurf Attack Denial of Service Attack. Effort of Attacker << Effort of Victim. Uses ICMP replies from network as an
amplifier. Works well if victim has a slow
connection.
Malicious ICMP: Tribal Flood Network
Based on Smurf Creates zombies out of
compromised machines Compromised machines use a
trigger to start bombarding a victim with requests
Many variations on this theme
Malicious ICMP:Winfreeze (obsolete) Uses the ICMP redirect message. Legal use is to update routing
information. Flood of redirect message causes
the victim (Win95 / Win98) to redirect traffic to itself via random hosts.
Victim spends too much time updating routing table.
Malicious ICMP: Loki
Uses ICMP packages for covert channel
A compromised host with a Loki server responds to requests from a Loki client.
Requests are sent via ping messages with data embedded in ICMP pings.
Originally used bytes 6 and 7. http://sourceforge.net/projects/loki-lib/
Malicious ICMP: Simple Counter-Measures
Limit ICMP messages at the firewall.
Leads to inefficiencies, such as trying a TCP connection to a host that is down.
Need to admit path MTU discovery. Log those that are let through.
Harmless Behavior: TCP
Destination Host not Listening on Requested Port Receiver acknowledges and resets at
the same time. Destination Host does not Exist
Router sends with the ICMP: Host xxx.yyy unreachable
Harmless Behavior: TCP
Destination Port Blocked Router responds with an icmp
message: icmp: xxx.yyy unreachable – admin prohibited
filter Router does not respond.
Sender retries up to a protocol dependent maximum number of retries time
Harmless Behavior: UDP
Destination Host not Listening on Requested Port Destination host sends icmp
message: icmp: xxx.yyy port domain unreachable
Or: destination host does not respond. Sender will possibly retry several times
Harmless Behavior: Windows Tracert tracert (traceroute) uses ICMP pings
Tracing host sends ICMP echo request with TTL = 1.
Then tracing host sends ICMP echo request with TTL = 2, etc.
First router responds to first request. If not destination, then with icmp: time exceeded
in transit message Second router responds to second request,
etc.
Harmless Behavior: Unix Tracert traceroute uses UDP to random
ephemeral port. Tracing host sends UDP package with TTL =
1. Then tracing host sends UDP package with
TTL = 2, etc. First router responds to first request.
If not destination, then with icmp: time exceeded in transit message
Second router responds to second request, etc.
Target responds with a port unreachable message.
FTP
Uses TCP Active / Passive FTP Both use port 21 to issue FTP
commands. Active FTP:
Uses port 20 for data. FTP server establishes connection to
client
FTP: Active FTP Example: Command channel between server8.engr.scu.edu.21 and
Bobadilla.1628 Dir command creates a new connection between
server9.engr.scu.edu.20 and Bobadilla.5001
FTP
The opening of a connection from the outside to an ephemeral port is dangerous.
Passive FTP: The client initiates the data connection to port 20.
Malicious TCP Use: Mitnick Attack (obsolete)
SYN flood Goal is to disconnect victim from the
net. Throws hundreds / thousands of SYN
packets Return address is spoofed. Recipient’s stack of connections
waiting to be established is flooded. Still works with DDoS attack.
Malicious TCP Use: Mitnick Attack (obsolete)
Identify Trust Relationships Extensive network mapping. Nbtstat/finger, showmount, rpcinfo -r,
… Rpcinfo provides information about
the remote procedure call services and their ports
Malicious TCP Use: Mitnick Attack (obsolete)
Initiate a number of TCP connections to the host. Send SYN packet. Receive SYN/ACK
packet. Send RES so that victim is not flooded.
Observe the sequence number values between different connections.
Can they be predicted?
Malicious TCP Use: Mitnick Attack (obsolete)
Victim trusts B
B
Attacker
Malicious TCP Use: Mitnick Attack (obsolete)
Attacker can predict the sequence number that victim expects.
Victim trusts B
B
Attacker
Malicious TCP Use: Mitnick Attack (obsolete)
Attacker SYN floods B. B cannot respond.
Victim trusts B
B
Attacker
Malicious TCP Use: Mitnick Attack (obsolete)
Attacker takes over B’s identity. Spoofs packet from B to Victim.
Victim trusts B
B
AttackerSYN
Malicious TCP Use: Mitnick Attack (obsolete)
Victim responds with SYN / ACK to B.
B cannot respond.
Victim trusts B
B
Attacker
ACK / SYN
Malicious TCP Use: Mitnick Attack (obsolete)
Attacker sends the ACK with the guessed sequence number to victim
Victim trusts B
B
Attacker
ACK
Malicious TCP Use: Mitnick Attack (obsolete) Attacker sends another TCP packet with
payload: rsh victim “echo ++ >> .rhosts”
Victim trusts B
B
AttackerBad stuff
Malicious TCP Use: Mitnick Attack (obsolete)
Now victim trusts everyone.
Victim trusts everyone.
B
Attacker
Malicious TCP Use: Mitnick Attack (obsolete)
Attacker terminates connection with a FIN exchange
Victim trusts everyone
B
Attacker
FIN ACK FIN ACK
Malicious TCP Use: Mitnick Attack (obsolete)
To wake up B, attacker sends it a bunch of RES to free B from the SYN flood.
Victim trusts everyone
B
Attacker
RES
RES
RES
Malicious TCP Use: Mitnick Attack (obsolete)
Attacker now starts a new connection with the victim.
Victim trusts everyone
B
Attacker
Yak yak yak
Malicious TCP Use: Mitnick Attack Detection Network based intrusion detection (NID)
can find the original site mapping. NID can find the reconnaissance by
finding “finger” “showmount” etc. commands. Directed to the same port (111). This is a dangerous port. Frequent.
Malicious TCP Use: Mitnick Attack Detection
Host scans log instances where a single system accesses multiple hosts at the same time.
Host-based Intrusion Detection (HID) can find access to a single port.
HID / Tripwire could find changes to .rhosts.
Malicious TCP Use: Mitnick Attack Detection
Computer Forensics can detect the attack by
Logging network traffic. Examining MAC of important files
(.rhosts)
Malicious TCP Use: Mitnick Attack Prevention Router-based Firewall blocks certain
type of traffic. Network mapping. SYN flooding. Access to dangerous ports.
Host-based firewall blocks Access to dangerous ports.
Security policy Disallows reconnaissance tools. Enforces better authentication.
Domain Name Servers
Provide mapping from host names to IP addresses.
DNS resolution process Client sends a gethostbyname
message to the local domain name server.
Local domain name server sends back ip address.
Uses UDP (almost exclusively)
DNS: Resolution protocol1. Client to local DNS server gethostbyname2. Local DNS server sends forwards request to root server.3. Root server returns with name of remote DNS server.4. Local DNS server queries remote DNS server.5. Remote DNS server answers with IP address.6. Local DNS server gives data to client.
DNS
Use caching to prevent overload by root servers.
DNS records have a TTL Responding DNS server sets TTL. Receiving DNS server caches record
for TTL time.
DNS: Reverse Lookup
IP-address to host-name Query for 1.2.3.4 send to
4.3.2.1.in-addr.arpa
DNS: Master - Slave Name Servers Each domain has a single master
DNS server. Add slaves for redundancy. Slave server periodically contacts
master to see whether there are changes.
Older BIND download all data from domain, even if only one record has changed.
DNSZone Transfer
Slave server restarts zone transfer from master to slave
Uses TCP, port 53. Attackers like zone transfer
Gives all IP addresses and names in subnet.
Newer versions of BIND limit transfers based on IP address.
DNS:Abuse for Reconnaissance nslookup: Get name servers.
DNS:Abuse for Reconnaissance HINFO: host information.
DNS:Abuse for Reconnaissance List the zone map information. > ls –d engr.scu.edu in nslookup
DNS:Abuses and Problems
DNS cache poisoning Affects BIND versions before 8.1.1. Based on lack of authentication Some BIND versions cache every
DNS data they see.
DNS Cache Poisoning
Attack on Hillary Clinton’s Run for Senate Website
Traffic to www.hillary2000.org (IP address 206.245.150.74) redirected to www.hillaryno.com (IP address 206.245.150.74.)
DNS Cache Poisoning Step 1: Evil sends a bogus query to the
victim’s name server that contains data www.hillary2000.org at 206.245.150.74
DNS Cache Poisoning Step 2: Name server accepts the
bogus information (even though it is contained in a query).
Step 3: Victim requests IP address of hillary2000.org and is directed to hillaryno.com.
Vulnerability arises from lack of authentication and of using queries to update entries at the queried server.
DNS Cache Poisoning Birthday Attack
Attacker sends large number of queries to a vulnerable name server asking for hillary2000.
Attacker sends an equal number of phony replies (with the poisoned data).
Name server will generate requests to resolve hillary2000.
With high probability, one of the phony answers will have the same transaction number as the name server’s query.
DNS: The Bind Birthday Attack
DNS Cache Poisoning Redirect traffic to a fake Pay-Pal or other
e-commerce site. Set-up Man in the Middle Attacks Defenses:
Domain Owner has to rely on the DNS system.
ISP name server admin needs to protect by Updating BIND or replacing it with djbdns Two name servers, one for the public domain
information to the outside, another for internal use.
End user has to rely on the DNS system.
Routing Local Routing Table: netstat -r
Static Routing
IP Layer searches the routing table in the following order Search for a matching destination
host address Search for a matching destination
network address Search for a default entry
Routing
Static routes are typically added during the boot process.
Administrative changes with a “routing” command.
ICMP routing discovery messages
Routing Changes
A host might have inefficient entries in the routing table.
ICMP Router Discovery Protocol (IRDP) ICMP redirect messages ICMP routing discovery messages
IRDP needs to be enabled.
Routing Changes
ICMP Redirect Message A sends message to D. Routing table says to send to B first.
Routing Changes
ICMP Redirect Message B forwards to C B informs A that there is a direct route
to C ICMP Redirect Message
Routing Changes
ICMP Redirect Message C forwards package to target. A updates routing table.
IRDP DoS Exploit Attacker (E) sends spoofed IRDP message to A A updates routing table to reflect bogus
default value. A looses connectivity
IRDP Windows Exploit Windows (95, 98, 2000) and some Solaris
systems are vulnerable. If a Windows hosts runs a Dynamic Host
Configuration Protocol (DHCP) client, it obtains its default route from the DHCP server.
ICMP router advertisement can be spoofed. First router advertisement is checked for
correct IP address. Second router advertisement is erroneously
not.
IRDP Windows Exploit
Attacker sends two ICMP router advertisements to victim.
Victim updates its default gateway to IP determined by attacker.
Use for man in the middle attacks or DoS.
ARP Poisoning Address resolution protocol associates
MAC addresses with IP addresses. Four Messages
ARP Request: “Who has this IP?” ARP Reply: “I have this IP. My MAC is …” Reverse ARP Request: “Who has that MAC?” Reverse ARP Request Reply: “I have that
MAC, my IP is …”
ARP Poisoning
ARP is very efficient, but does not do any authentication.
Many OS still accept ARP replies even without making an ARP request.
ARP poisoning: Spoofing an ARP package with false ARP data.
ARP Poisoning
Denial of Service: Spoofed ARP message can associate
the default gateway address with a non-existing MAC.
Traffic to the outside is no longer picked up.
ARP Poisoning Man in the Middle
Intercept traffic between devices A and B. A has IP IA and MAC MA. B has IP IB and MAC MB. Attacker has machine C with MAC MC.
Attacker sends an ARP reply to B: IA is at MC. B updates its ARP cache entry: IA is at MC. Attacker sends an ARP reply to A: IB is at MC. A updates its ARP cache entry: IB is at MC. A sends traffic to IB on a level 1 frame to MC. C intercepts the package and forwards it to MB. Traffic from A to B (and vice versa) now flows through
C.
ARP Poisoning MAC flooding
Switches maintain a MAC to port table. Traffic only flows to destination. Attacker sends lots of bogus ARP data to
switch. Switch’s ARP table is flooded. Switches either stop functioning (DoS
attack) or drop to hub mode. Switch in hub mode forwards a package to
all ports. Allows traffic to be sniffed.
ARP Poisoning Small networks:
Could use a static ARP table. Disables ARP messaging. All ARP entries need to be put in by hand
and maintained. Will not work with DHCP. Maintenance becomes quickly impossible
with larger size of network. Some Win OS will still accept and use
dynamic ARP updates, even if all routes are statically encoded.
ARP Poisoning
Large Networks Use Port Security features on higher-
end switches. Allow only one MAC address. Prevents hackers from embedding
their MAC address more than once. All networks
Monitor ARP traffic (ARP monitoring tool)
IP Options
IP options enhance the IP protocol. Security Stream Identification Internet Timestamp Loose Source Routing Strict Source Routing Record Route
These are security risks
IP Route Options Loose Source Routing specifies a
route that includes a list of required nodes.
Strict Source Routing specifies the beginning of a route (up to 9 nodes) completely.
Record Route: does not alter the routing but requires that all nodes are recorded.
Detecting IP Source Routing
IP header is larger than 20B IP option field has a hex value of
83: loose source routing 89: strict source routing
ip[0] & 0x0f > 5 and (ip[20] = 0x83 or ip[20] = 89)
Source Route Exploit
Spoofing host requires source routing through a host trusted by the victim.
Victim decides that the traffic comes from a trusted host.
Therefore: firewalls need to disable source-routing or network admin needs to disable trust relationships.
Internet Group Management Protocol (IGMP)
Defined by RFC 1112. IGMP messages use IP Protocol 2 IGMP are used to join and leave
multicast groups.
TCP/IP Related Evidence
Sniffer LogsA computer intrusion left a program called router behind. Investigation of the binary code revealed that it was a Portuguese language sniffer storing data in a given file.
The sniffer file contained log entries of log-ins from Brazil to a non-authenticated account as well as further activities.
TCP/IP Related Evidence
Authentication, Server Logs
Maury Travis Case:
During a series of homicides in St. Louis, a reporter received a letter with the location of an additional victim.
The FBI determined that the map was from Expedia.com.
The web server logs showed that only one IP address requested that particular map around the time that the letter was sent.
TCP/IP Related Evidence
The IP address belonged to an ISP.
The ISP logs showed that this IP address was registered to Maury Travis. The telephone number from the connection was made also belonged to Maury Travis.
A (warranted) search of Maury Travis’ home found a torture chamber and videotapes of Maury torturing and killing victims.
Maury killed himself while in custody. The total number of victims is unknown.
TCP/IP Related Evidence
Internet dial-up logs are created by RADIUS and TACACS authentication servers.
These servers are also used for VPN concentrators.
Kerberos logs authentication requests.
…
TCP/IP Related Evidence
Application Logs When someone defaces web servers,
they usually view them shortly before and after defacement.
The web logs might contain evidence of someone checking for vulnerabilities before defacement.
With the IP address that they used.
TCP/IP Related Evidence
Application Logs Mail servers log details of message.
Example: An email spoofer makes a typo. Logs contains entries with backspaces, …
OS log connections. Network devices log.