File000140

Module XXVII – Investigating Network Traffic

Transcript of File000140

Page 1: File000140

Module XXVII – Investigating Network Traffic

Page 2: File000140

EC-Council Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited

News: Internet Traffic Begins to Bypass the U.S.

Source: http://www.nytimes.com/

Page 3: File000140

News: TCP Flooder Program Released for Free

Source: http://www.mxlogic.com/

Page 4: File000140

Scenario

Jessica had been missing from her home for a week. She had left a note for her father mentioning that she was going to meet a school friend. A few weeks later Jessica's dead body was found near a dumping yard.

Investigators were called in to solve the mystery surrounding Jessica's death. Preliminary investigation of Jessica's computer and its logs revealed facts which helped the police trace the killer.

Page 5: File000140

Module Objective

This module will familiarize you with:

• Overview of Network Protocols
• Overview of Physical and Data-link Layer of the OSI Model
• Overview of Network and Transport Layer of the OSI Model
• Types of Network Attacks
• Why to Investigate Network Traffic?
• Evidence Gathering via Sniffing
• Tools
• Documenting the Evidence Gathered on a Network
• Evidence Reconstruction for Investigation

Page 6: File000140

Module Flow

Flow diagram; the topics are visited in this order:

1. Overview of Network Protocols
2. Overview of Physical and Data-link Layer of the OSI Model
3. Overview of Network and Transport Layer of the OSI Model
4. Types of Network Attacks
5. Why to Investigate Network Traffic?
6. Evidence Gathering via Sniffing
7. Tools
8. Documenting the Evidence Gathered on a Network
9. Evidence Reconstruction for Investigation

Page 7: File000140

Network Addressing Schemes

There are two types of network addressing schemes:

LAN Addressing

• Each node in a LAN has a MAC address that is factory-programmed into its NIC; note for the investigator that most operating systems and drivers let the MAC be overridden in software, so a MAC address identifies hardware only until someone spoofs it
• Frames are addressed either to one node (unicast), to a group of nodes (multicast), or to all nodes on the segment (broadcast)

Internet Addressing

• The Internet is a collection of LANs and/or other networks that are connected with routers
• Each network has a unique address and each node on that network has a unique address, so an Internet address is the combination of the network and node (host) addresses
• IP is responsible for network-layer addressing in the TCP/IP protocol suite

Page 8: File000140

OSI Reference Model

Page 9: File000140

Overview of Network Protocols

Data Unit   Layer          Function                                         Protocols
----------  -------------  -----------------------------------------------  -----------------------------------------
Host layers
Data        Application    Network process to application                   HTTP, SMTP, NNTP, TELNET, FTP, SNMP, TFTP
Data        Presentation   Data representation and encryption
Data        Session        Interhost communication
Segments    Transport      End-to-end connections and reliability           TCP, UDP
Media layers
Packets     Network        Path determination and logical addressing (IP)   IP, ICMP, IGMP, ARP, RARP
Frames      Data Link      Physical addressing (MAC and LLC)                PPP, SLIP
Bits        Physical       Media, signal and binary transmission

Page 10: File000140

TCP/ IP Protocol

Page 11: File000140

Overview of Physical and Data-Link Layer of the OSI Model

Physical layer:

• It transmits raw data bits over a physical channel
• It defines the rules (signalling, voltages, connectors, timing) that physical devices and interfaces on a network must follow for data transmission to take place

Data-link layer:

• It frames the bits, addresses each frame with MAC addresses, and detects transmission errors by adding a trailer (the frame check sequence, a CRC) to the end of each frame; a frame whose CRC does not match is discarded, and only some link protocols recover from the loss themselves

Page 12: File000140

Overview of Network and Transport Layer of the OSI Model

Network layer:

• It is responsible for delivering information from the source to the destination address across multiple links (routing)
• It adds the logical (IP) addresses of the sender and receiver to the header of each packet

Transport layer:

• The transport layer provides end-to-end delivery between processes, identified by port numbers
• With a connection-oriented protocol such as TCP it also ensures the integrity and order of the data sent by the source to its destination and performs error and flow control; UDP provides none of this, so lost or reordered datagrams are left to the application

Page 13: File000140

Types of Network Attacks

IP Spoofing

Router attacks

Eavesdropping

Denial of service

Man-in-the-Middle Attack

Sniffer Attack

Data Modification

Page 14: File000140

Why to Investigate Network Traffic

To locate suspicious network traffic

To know who is generating the troublesome traffic, and where the traffic is being transmitted to or received from

To identify network problems

Page 15: File000140

Evidence Gathering Via Sniffing

A sniffer is computer software or hardware that can intercept and log traffic passing over a digital network or part of a network

Sniffers put the NIC into promiscuous mode so that it passes up every frame it sees, not only those addressed to its own MAC; the evidence is therefore collected at the data-link layer, as complete frames

Because each frame carries the headers and payload of the layers above it, one capture yields data-link (MAC), network (IP), transport (TCP/UDP ports, sequence numbers) and application-layer (HTTP, SMTP, DNS) evidence at once

On a switched network a promiscuous NIC sees only broadcast traffic and its own, so the capture point must be a SPAN (mirror) port or a hardware tap; a SPAN port can silently drop frames when the switch is busy, a tap cannot, which matters when the capture is evidence

Investigators should configure the sniffer's snapshot length (snaplen) so that whole frames are captured: a default that keeps only the first few dozen bytes of each frame preserves the headers but discards the payload that usually carries the evidence
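The layered capture and the snaplen point above, as an added example that is not code from the module: a Python script that builds a libpcap file around one constructed HTTP login request, then decodes the Ethernet, IPv4 and TCP headers from it, once with a full snaplen and once with a 64-byte snaplen. The addresses, the request and the pcap serialisation are all constructed here (there is no real capture), and checksums are left zero because nothing transmits the frame.

```python
"""Decode a libpcap capture frame by frame: Ethernet -> IPv4 -> TCP/UDP.

Added example, not code from the module: it shows what a sniffer actually
records and what a short snaplen throws away. The capture is constructed in
memory (one HTTP login request), so the script runs offline. MAC and IP
addresses are made up.
"""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4   # libpcap magic, little-endian header, microsecond timestamps
LINKTYPE_ETHERNET = 1

# Constructed sample traffic: the credential-bearing request from the DNS
# spoofing scenario, as the fake web server would see it on the wire.
REQUEST = b"GET /login?user=rebecca&pass=hunter2 HTTP/1.0\r\nHost: www.xsecurity.com\r\n\r\n"


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def build_tcp_frame(src_ip, dst_ip, sport, dport, seq, ack, flags, payload):
    """Ethernet + IPv4 + TCP headers around payload (checksums left zero: test data only)."""
    eth = bytes.fromhex("000c29aabbcc") + bytes.fromhex("001a2b3c4d5e") + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x0A0C, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 8767, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames, snaplen):
    """Serialize (ts_sec, ts_usec, frame) tuples as a pcap file, truncating like a sniffer."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for ts_sec, ts_usec, frame in frames:
        captured = frame[:snaplen]
        out += struct.pack("<IIII", ts_sec, ts_usec, len(captured), len(frame)) + captured
    return out


def parse_pcap(data):
    """Yield (timestamp, captured_len, wire_len, frame_bytes) for each record."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic %#x" % magic)
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, incl_len, orig_len, data[off:off + incl_len]
        off += incl_len


def decode_frame(frame):
    """Peel the layers: returns the fields an investigator reads off each header."""
    dst_mac, src_mac, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    rec = {"src_mac": mac_str(src_mac), "dst_mac": mac_str(dst_mac), "ethertype": ethertype}
    if ethertype != 0x0800:                      # only IPv4 handled here
        return rec
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack_from(
        "!BBHHHBBH4s4s", frame, 14)
    ihl = (ver_ihl & 0x0F) * 4
    rec.update(src_ip=socket.inet_ntoa(src), dst_ip=socket.inet_ntoa(dst), ttl=ttl,
               proto=proto, ip_len=total_len)
    l4 = 14 + ihl
    if proto == 6:                               # TCP
        sport, dport, seq, ack, off_flags = struct.unpack_from("!HHIIH", frame, l4)
        data_off = (off_flags >> 12) * 4
        rec.update(sport=sport, dport=dport, seq=seq, ack=ack, flags=off_flags & 0x1FF,
                   payload=frame[l4 + data_off:])
    elif proto == 17:                            # UDP
        sport, dport, ulen, _ = struct.unpack_from("!HHHH", frame, l4)
        rec.update(sport=sport, dport=dport, payload=frame[l4 + 8:l4 + ulen])
    return rec


def summarize(pcap_bytes):
    """One dict per frame, flagging frames the snaplen cut short."""
    rows = []
    for ts, incl, orig, frame in parse_pcap(pcap_bytes):
        rec = decode_frame(frame)
        rec.update(ts=ts, captured=incl, wire=orig, truncated=incl < orig)
        rows.append(rec)
    return rows


def demo(snaplen):
    """Capture the sample request with the given snaplen and decode what survived."""
    frame = build_tcp_frame("10.0.0.3", "10.0.0.5", 1036, 80, 157351, 2475757024,
                            0x018, REQUEST)          # PSH|ACK
    return summarize(build_pcap([(1200000000, 37087, frame)], snaplen))


if __name__ == "__main__":
    for snaplen in (65535, 64):
        row = demo(snaplen)[0]
        print("snaplen %5d: %s:%d -> %s:%d captured %d of %d bytes, payload %r" % (
            snaplen, row["src_ip"], row["sport"], row["dst_ip"], row["dport"],
            row["captured"], row["wire"], row["payload"]))
```

Run it and compare the two payload fields: with snaplen 64 all three headers survive, and the record still carries the wire length so the truncation is detectable, but only the first ten bytes of the request remain, which is precisely the part of the frame the investigator needed.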

Page 16: File000140

Acquiring Traffic Using DNS Poisoning Techniques

DNS poisoning is the substitution of a false Internet Protocol (IP) address at the domain name service level, where host names are converted into numeric IP addresses

It tricks a DNS server, or the victim's own resolver, into believing it has received authentic information when, in reality, it has not

Types of DNS poisoning:

• Intranet DNS Spoofing (local network)
• Internet DNS Spoofing (remote network)
• Proxy Server DNS Poisoning
• DNS Cache Poisoning

Page 17: File000140

Intranet DNS Spoofing (Local Network)

For this technique, the attacker must be connected to the local area network (LAN) and be able to sniff packets

On a switched LAN it works only when combined with ARP poisoning of the router (gateway): the attacker answers ARP requests for 10.0.0.254 with his own MAC so that the victim's traffic, including her DNS queries, is forwarded to his machine

Steps shown in the diagram:

1. Rebecca (IP 10.0.0.3) types www.xsecurity.com in her Web browser; her machine sends a DNS request, "What is the IP address of www.xsecurity.com?", towards the router (IP 10.0.0.254)
2. The hacker has poisoned the router's ARP entry, so all the router traffic is forwarded to his machine, where he runs arpspoof/dnsspoof for www.xsecurity.com
3. dnsspoof answers the request with the hacker's own IP (10.0.0.5), where a fake www.xsecurity.com website is running
4. The hacker's fake website sniffs the credentials and redirects the request to the real website www.xsecurity.com (IP 200.0.0.45)

Page 18: File000140

Internet DNS Spoofing (Remote Network)

The attacker sends a Trojan to Rebecca's machine that changes her configured DNS server address to that of the attacker

Works across networks; easy to set up and implement

Steps shown in the diagram:

1. The hacker infects Rebecca's computer, changing her DNS server IP address to 200.0.0.2
2. Rebecca types www.xsecurity.com in her Web browser
3. Her DNS request goes to the hacker's DNS server (running in Russia, IP 200.0.0.2), which answers with the address of the fake website (IP 65.0.0.2)
4. Rebecca's browser connects to the fake website
5. The hacker's fake website sniffs the credentials and redirects the request to the real website www.xsecurity.com (IP 200.0.0.45)

Page 19: File000140

Internet DNS Spoofing

Steps to redirect all the DNS request traffic from a host machine to you:

1. Set up a fake website on your computer
2. Install treewalk and modify the file mentioned in the readme.txt to your IP address. Treewalk will make you the DNS server
3. Modify the file dns-spoofing.bat and replace the IP address with your IP address
4. Trojanize the dns-spoofing.bat file and send it to Jessica (ex: chess.exe)
5. When the host clicks the trojaned file, it will replace Jessica's DNS entry in her TCP/IP properties with that of your machine
6. You will become the DNS server for Jessica and her DNS requests will go through you
7. When Jessica connects to XSECURITY.com, she resolves to the fake XSECURITY website; you sniff the password and send her to the real website

From the investigator's side this attack leaves two artifacts: the victim's TCP/IP properties list a DNS server outside her ISP's address range, and captured traffic shows her port-53 queries going to that address

Page 20: File000140

Proxy Server DNS Poisoning

The attacker sends a Trojan to Rebecca's machine that changes her proxy server settings in Internet Explorer to that of the attacker; no DNS record is altered, the browser simply sends every request to the attacker's proxy

Works across networks; easy to set up and implement

Steps shown in the diagram:

1. The hacker infects Rebecca's computer, changing her IE proxy address to 200.0.0.2
2. Rebecca types www.xsecurity.com in her Web browser; the request goes to the hacker's proxy server (running in Russia, IP 200.0.0.2)
3. The hacker's proxy sends Rebecca's request to the fake website (IP 65.0.0.2)
4. The hacker's fake website sniffs the credentials and redirects the request to the real website www.xsecurity.com (IP 200.0.0.45)

Page 21: File000140

DNS Cache Poisoning

To perform a cache poisoning attack, the attacker exploits a flaw in the DNS server software that makes it accept incorrect information

If the server does not correctly validate DNS responses, checking that they answer a query it actually sent (matching transaction ID, source port, question name and type) and that the records lie within the responding server's authority, it will cache the incorrect entries locally and serve them to every client that makes the same request until the TTL expires

• For example, an attacker poisons the IP address DNS entries for a target website on a given DNS server, replacing them with the IP address of a server he controls
• He then creates fake entries for files on the server he controls with names matching those on the target server

A resolver that relies on the 16-bit transaction ID alone can be spoofed by brute force; randomized source ports add a second 16 bits of entropy, and DNSSEC signatures let the resolver verify an answer instead of guessing at its authenticity
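The validation the paragraphs above say a server must perform, as an added example that is not code from the module: a Python implementation of minimal DNS query/response building and parsing, with a validate_reply check that refuses a reply whose source, destination port, transaction ID, question or answer name does not match the outstanding query. The addresses follow the scenario diagrams and are constructed; the fixed transaction ID and port used in the test exist only to make the run reproducible.

```python
"""Validate a DNS reply against the query it claims to answer.

Added example, not code from the module. It implements the checks a resolver
needs before caching an answer (transaction ID, randomized source port,
question section, answer name) and shows a forged reply being refused.
Addresses follow the scenario diagrams; they are constructed.
"""
import random
import struct


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a possibly compressed name at off; returns (name, offset after it)."""
    labels, next_off, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            if not jumped:
                next_off = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (next_off if jumped else off)


def build_query(txid, name, qtype=1):
    """Standard query, recursion desired, one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_answer(txid, name, ip, ttl=300):
    """Response with one A record; the answer name is a pointer to the question (0xC00C)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)      # QR, RD, RA set
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(x) for x in ip.split("."))
    return header + question + rr


def parse_message(msg):
    txid, flags, _qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    qname, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack_from("!HH", msg, off)
    off += 4
    answers = []
    for _ in range(an):
        rname, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((rname, rtype, ttl, rdata))
    return {"txid": txid, "flags": flags, "qname": qname, "qtype": qtype, "answers": answers}


class PendingQuery:
    """What the resolver remembers about an outstanding question."""

    def __init__(self, name, server, txid=None, sport=None):
        self.name, self.server = name, server          # server is (ip, port)
        self.txid = random.randrange(1 << 16) if txid is None else txid
        self.sport = random.randrange(1024, 1 << 16) if sport is None else sport
        self.packet = build_query(self.txid, name)


def validate_reply(pending, reply, reply_src, reply_dport):
    """Return (accepted, reason). Every check must pass before the answer may be cached."""
    if reply_src != pending.server:
        return False, "reply from %s:%d, query went to %s:%d" % (reply_src + pending.server)
    if reply_dport != pending.sport:
        return False, "reply to port %d, query used port %d" % (reply_dport, pending.sport)
    msg = parse_message(reply)
    if msg["txid"] != pending.txid:
        return False, "transaction id %#06x does not match %#06x" % (msg["txid"], pending.txid)
    if not msg["flags"] & 0x8000:
        return False, "QR bit not set, this is a query"
    if msg["qname"].lower() != pending.name.lower() or msg["qtype"] != 1:
        return False, "question section does not match"
    for rname, _rtype, _ttl, _rdata in msg["answers"]:
        if rname.lower() != pending.name.lower():
            return False, "answer for %s is outside the question asked" % rname
    return True, "ok"


if __name__ == "__main__":
    pending = PendingQuery("www.xsecurity.com", ("10.0.0.254", 53))
    real = build_answer(pending.txid, "www.xsecurity.com", "200.0.0.45")
    forged = build_answer((pending.txid + 1) & 0xFFFF, "www.xsecurity.com", "10.0.0.5")
    print("real  :", validate_reply(pending, real, ("10.0.0.254", 53), pending.sport))
    print("forged:", validate_reply(pending, forged, ("10.0.0.254", 53), pending.sport))
```

The source-address check is the weakest of the four, since an attacker who can spoof packets simply writes the real server's address; the transaction ID and the randomized port are what he must guess, and DNSSEC validation is what removes the guessing altogether.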

Page 22: File000140

Evidence Gathering from ARP Table

The MAC address belongs to the data-link layer and is associated with the system hardware (the network interface)

The ARP table (ARP cache) of a router, and of every host, comes in handy when investigating network attacks, as the table contains the IP addresses currently associated with the respective MAC addresses

The ARP table can be displayed with the command arp -a on Windows (and on most UNIX systems)

The ARP cache is volatile and is itself the target of ARP poisoning, so capture it early, record the time, and corroborate it with the switch's MAC address table and the DHCP server's lease log; an entry in which one MAC answers both for the gateway and for an ordinary host is a classic sign of a poisoned cache
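As an added example (not code from the module) of reading an ARP cache for evidence, the following Python script parses arp -a output, flags any unicast MAC that answers for more than one IP, and compares the gateway's cached MAC with a documented baseline, which is how the ARP poisoning from the intranet DNS spoofing diagram shows up on the victim's machine. The listing, the baseline gateway MAC and the attacker's MAC are constructed values.

```python
"""Spot ARP poisoning in an `arp -a` listing: one unicast MAC claiming several IPs,
or a gateway whose MAC differs from the recorded baseline.

Added example, not code from the module. The listing below is constructed;
the gateway MAC and the attacker's MAC are made-up values.
"""
import re
from collections import defaultdict

# Constructed `arp -a` output from Rebecca's machine (10.0.0.3) after the attack
# in the intranet DNS spoofing diagram: the gateway 10.0.0.254 now resolves to
# the same MAC as the attacker's workstation 10.0.0.5.
SAMPLE_ARP_A = """\
Interface: 10.0.0.3 --- 0xb
  Internet Address      Physical Address      Type
  10.0.0.1              00-50-56-11-22-33     dynamic
  10.0.0.5              00-0c-29-aa-bb-cc     dynamic
  10.0.0.254            00-0c-29-aa-bb-cc     dynamic
  10.0.0.255            ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Gateway MAC as documented at baseline (assumed value for the example).
BASELINE = {"10.0.0.254": "00:1a:2b:3c:4d:5e"}

# Matches both Windows ("10.0.0.1   00-50-56-11-22-33   dynamic") and Linux
# ("? (10.0.0.1) at 00:50:56:11:22:33 [ether] on eth0") lines.
ENTRY_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\)?\s+(?:at\s+)?"
    r"([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})(?:\s+(\w+))?")


def normalize_mac(mac):
    return mac.lower().replace("-", ":")


def parse_arp_table(text):
    """Return {ip: (mac, type)} with MACs normalized to lower-case colon form."""
    table = {}
    for ip, mac, typ in ENTRY_RE.findall(text):
        table[ip] = (normalize_mac(mac), (typ or "").lower())
    return table


def is_group_mac(mac):
    """Broadcast and multicast MACs legitimately map to many IPs; ignore them."""
    return int(mac[:2], 16) & 1 == 1          # I/G bit set; covers ff:ff:ff:ff:ff:ff too


def find_duplicate_macs(table):
    """Unicast MACs that answer for more than one IP, with the IPs they claim."""
    by_mac = defaultdict(list)
    for ip, (mac, _typ) in table.items():
        if not is_group_mac(mac):
            by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def check_baseline(table, baseline):
    """Compare cached MACs of known hosts (gateway, servers) with the documented ones."""
    findings = {}
    for ip, expected in baseline.items():
        entry = table.get(ip)
        if entry is None:
            findings[ip] = "missing"
        elif entry[0] != normalize_mac(expected):
            findings[ip] = "changed: %s -> %s" % (normalize_mac(expected), entry[0])
        else:
            findings[ip] = "ok"
    return findings


if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP_A)
    for mac, ips in find_duplicate_macs(table).items():
        print("MAC %s claims %s" % (mac, ", ".join(ips)))
    for ip, verdict in check_baseline(table, BASELINE).items():
        print("gateway %s: %s" % (ip, verdict))
```

A duplicate on its own is not proof (a host with two addresses on one interface looks the same), which is why the baseline comparison and the switch's own MAC table are the corroboration to collect next.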

Page 23: File000140

Evidence Gathering at the Data-link Layer: DHCP Database

The DHCP lease database ties the MAC address of the computer in custody to the IP addresses it was assigned, and to when it held them

The DHCP server maintains a log of recent requests along with the MAC address, the IP address leased and the lease times; because a MAC can be spoofed, treat the mapping as corroborating rather than conclusive evidence

Documentation of the ARP table is done by:

• Photographing the computer screen
• Taking a screenshot of the table and saving it to disk
• Using the HyperTerminal logging facility (when the table is read over a serial console)

Page 24: File000140

Screenshot: DHCP Log

Page 25: File000140

Gathering Evidence by IDS

An IDS can be configured to capture the network traffic that triggers an alert as well as to generate the alert

The console output of network devices such as routers and firewalls can be recorded over a serial cable using the Windows HyperTerminal program or a UNIX script (for example the script command)

If the amount of information to be captured is huge, record the on-screen events with a video camera or a screen-recording program

Page 26: File000140

Traffic Capturing and Analysis Tools

Page 27: File000140

Tool: Tcpdump
http://www.tcpdump.org/

Tcpdump is a powerful tool that sniffs network packets and writes them to the terminal or to a capture file, on which statistical analysis can later be performed (with tcpdump -r, or with a tool such as Wireshark)

It operates by putting the network card into promiscuous mode (the -p option disables this when only the host's own traffic is wanted)

It may be used to measure response times and packet-loss percentages, and to view TCP/UDP connection establishment and termination

The report that tcpdump prints when it stops consists of:

• Captured packet count
• "received by filter" packet count
• "dropped by kernel" packet count (a non-zero value means the capture is incomplete, which must be noted in the evidence record)

It supports the following platforms:

• SunOS 3.x or 4.x, Solaris, HP-UX, IRIX, Linux, Ultrix and Digital UNIX, BSD

Page 28: File000140

Screenshot: Tcpdump

Page 29: File000140

Tool: Windump
http://www.winpcap.org/

WinDump is a version of tcpdump for the Windows platform

Commands for saving the captured data packets using WinDump as a sniffer:

• C:\> windump -w filename.dmp
• The packets are stored on the C drive under that filename, in binary libpcap format; the file is not readable in Notepad and must be read back with windump -r filename.dmp or opened in Wireshark
• C:\> windump -w filename.dmp -s 65535
• The -s option sets the snapshot length, the number of bytes of each Ethernet packet to capture; 65535 captures whole frames, which is what an evidentiary capture needs

Page 30: File000140

Tool: Windump (cont'd)
http://www.winpcap.org/

Sample output of WinDump:

• 20:50:00.037087 IP (tos 0x0, ttl 128, id 2572, len 46) 192.168.2.24.1036 > 64.12.24.42.5190: P [tcp sum ok] 157351:157357(6) ack 2475757024 win 8767 (DF)

The above entry can be deciphered as:

• timestamp: 20:50:00.037087
• IP (protocol header): tos 0x0, ttl 128, id 2572, len 46 (total IP length in bytes)
• source IP.port: 192.168.2.24.1036
• destination IP.port: 64.12.24.42.5190
• P: the TCP PUSH flag is set
• [tcp sum ok]: the TCP checksum verified
• 157351:157357(6): sequence number of the first data byte, of the byte after the last, and the number of data bytes (6)
• ack 2475757024: acknowledgement number
• win 8767: advertised window size
• (DF): the IP don't-fragment bit is set

Consistency check: the IP length 46 minus a 20-byte IP header and a 20-byte TCP header leaves 6 bytes, which matches the (6) payload count
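As an added example, not code from the module, the decoding above done by a parser: a Python regular expression that splits this older tcpdump/WinDump line format into typed fields, a consistency check that recomputes the payload length from the IP length, and a flow summary giving the per-direction packet and byte counts and timing that temporal analysis starts from. The first sample line is the one on the slide; the other two are constructed to show the reverse direction of the same connection.

```python
"""Parse tcpdump/WinDump text output and cross-check each line the way the
decoding table does by hand.

Added example, not code from the module. The first sample line is the one on
the slide; the other two are constructed to complete the exchange.
"""
import re
from collections import defaultdict

SAMPLE_LINES = [
    "20:50:00.037087 IP (tos 0x0, ttl 128, id 2572, len 46) 192.168.2.24.1036 > 64.12.24.42.5190: "
    "P [tcp sum ok] 157351:157357(6) ack 2475757024 win 8767 (DF)",
    # constructed: the peer acknowledges those 6 bytes
    "20:50:00.162201 IP (tos 0x0, ttl 51, id 9001, len 40) 64.12.24.42.5190 > 192.168.2.24.1036: "
    ". [tcp sum ok] ack 157357 win 16384",
    # constructed: the peer then sends 14 bytes back
    "20:50:00.163504 IP (tos 0x0, ttl 51, id 9002, len 54) 64.12.24.42.5190 > 192.168.2.24.1036: "
    "P [tcp sum ok] 2475757024:2475757038(14) ack 157357 win 16384",
]

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP \(tos (?P<tos>0x[0-9a-fA-F]+), ttl (?P<ttl>\d+), "
    r"id (?P<id>\d+), len (?P<len>\d+)\) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFPRUWE.]+)(?: \[tcp sum (?P<sum>ok|bad)\])?"
    r"(?: (?P<seq_start>\d+):(?P<seq_end>\d+)\((?P<bytes>\d+)\))?"
    r"(?: ack (?P<ack>\d+))? win (?P<win>\d+)(?P<df> \(DF\))?$")


def parse_line(line):
    """Return the fields of one tcpdump line as typed values, or None if it is not TCP/IP."""
    m = LINE_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    rec = {"ts": f["ts"], "tos": int(f["tos"], 16), "src": f["src"], "dst": f["dst"],
           "flags": f["flags"], "sum_ok": f["sum"] == "ok", "df": f["df"] is not None}
    for key in ("ttl", "id", "len", "sport", "dport", "seq_start", "seq_end", "bytes", "ack", "win"):
        rec[key] = int(f[key]) if f[key] is not None else None
    return rec


def consistent(rec):
    """Checks a reviewer applies to each line: the sequence range equals the byte count,
    and (with no IP or TCP options) the IP length equals 40 + payload bytes."""
    payload = rec["bytes"] or 0
    if rec["bytes"] is not None and rec["seq_end"] - rec["seq_start"] != rec["bytes"]:
        return False
    return rec["len"] == 40 + payload


def to_seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def summarize_flows(lines):
    """Per direction: packets, payload bytes, first and last time seen."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        fl = flows[(rec["src"], rec["sport"], rec["dst"], rec["dport"])]
        fl["packets"] += 1
        fl["bytes"] += rec["bytes"] or 0
        t = to_seconds(rec["ts"])
        fl["first"] = t if fl["first"] is None else min(fl["first"], t)
        fl["last"] = t if fl["last"] is None else max(fl["last"], t)
    return dict(flows)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_line(line)
        print(rec["ts"], "%s:%d -> %s:%d" % (rec["src"], rec["sport"], rec["dst"], rec["dport"]),
              "payload", rec["bytes"] or 0, "consistent" if consistent(rec) else "INCONSISTENT")
    for key, fl in summarize_flows(SAMPLE_LINES).items():
        print("%s:%d -> %s:%d  %d packets, %d bytes" % (key + (fl["packets"], fl["bytes"])))
```

A line that fails the consistency check is not necessarily forged: IP or TCP options lengthen the headers and break the 40-byte assumption, so the check is a prompt to look at the raw packet, not a verdict.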

Page 31: File000140

Screenshot: Windump

Page 32: File000140

Tool: NetIntercept
http://www.sandstorm.net

NetIntercept captures and archives network traffic, so you can analyze problems as soon as they are detected

It correlates user sessions and reconstructs files transmitted or received over the network, giving you immediate evidence of misbehavior

Using NetIntercept, you can discover the security breaches, the points of regulatory non-compliance, the network problems, and shift your focus from finding problems to fixing them

Page 33: File000140

Screenshot: NetIntercept

Page 34: File000140

Tool: Wireshark
http://www.wireshark.org/

Wireshark is a network protocol analyzer for UNIX and Windows

It allows the users to examine data from a live network or from a file stored on the disk

The user can interactively browse the captured data, viewing summary and detailed information of each packet captured

Page 35: File000140

Screenshot: Wireshark

Page 36: File000140

EC-CouncilCopyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited

Traffic Capturing and Analysis Tools

CommView monitors network activity and is capable of capturing and analyzing packets on any Ethernet network

Softperfect Network Sniffer is a network protocol analyzer or sniffer

Page 37: File000140

Traffic Capturing and Analysis Tools (cont’d)

HttpDetect (EffeTech HTTP Sniffer) is an HTTP sniffer, packet analyzer, content rebuilder and HTTP traffic monitor

EtherDetect Packet Sniffer is a connection oriented packet sniffer and protocol analyzer

Page 38: File000140

Traffic Capturing and Analysis Tools (cont’d)

OmniPeek Workgroup is a full-featured, stand-alone network forensic analysis tool

Iris Network Traffic Analyzer is a vulnerability forensics solution used for network traffic analysis and reporting

Page 39: File000140

Traffic Capturing and Analysis Tools (cont’d)

SmartSniff is a TCP/IP packet capture program that allows you to inspect the network traffic that passes through the network adapter

NetSetMan allows you to quickly switch between pre-configured network settings

Page 40: File000140

Traffic Capturing and Analysis Tools (cont’d)

Distinct Network Monitor displays live network traffic statistics

MaaTec Network Analyzer is a tool used for capturing, saving, and analyzing network traffic

Page 41: File000140

Traffic Capturing and Analysis Tools (cont’d)

Ntop is a network traffic probe that shows network usage the way top shows process usage, on a terminal or through its web interface

EtherApe displays the network activity graphically by featuring link layer, IP, and TCP modes

Page 42: File000140

Traffic Capturing and Analysis Tools (cont’d)

Colasoft Capsa Network Analyzer is a TCP/IP network sniffer and analyzer that offers real-time monitoring and data analysis of the network traffic

Colasoft EtherLook monitors in real time the network traffic flowing around the local network and to/from the Internet

Page 43: File000140

Traffic Capturing and Analysis Tools (cont’d)

AnalogX PacketMon allows you to capture IP packets that pass through the network interface, whether they originate from the machine on which PacketMon is installed or from a completely different machine on the network

BillSniff is a network protocol analyzer (sniffer) that provides detailed information about the current traffic, as well as overall protocol statistics

Page 44: File000140

Traffic Capturing and Analysis Tools (cont’d)

IE HTTP Analyzer is an add-in for Internet Explorer that allows you to capture HTTP/HTTPS traffic in real time

EtherDetect Packet Sniffer captures and groups all network traffic and allows you to view real-time details for each packet, as well as the content

Page 45: File000140

Traffic Capturing and Analysis Tools (cont’d)

EtherScan Analyzer captures and analyzes the packets over local network

Sniphere is a WinPCAP network sniffer that supports most of the common protocols

Page 46: File000140

Traffic Capturing and Analysis Tools (cont'd)

IP Sniffer is a protocol analyzer that supports filtering rules, adapter selection, packet decoding, advanced protocol description, etc.

Atelier Web Ports Traffic Analyzer is a network traffic sniffer and logger that allows you to monitor all Internet and network traffic on your PC and view the actual content of the packets

Page 47: File000140

Traffic Capturing and Analysis Tools (cont’d)

IPgrab is a verbose packet sniffer for UNIX hosts

Nagios is a host and service monitor designed to run under the Linux operating system

Page 48: File000140

Traffic Capturing and Analysis Tools (cont’d)

Give Me Too is an affordable packet sniffer, network analyzer, and network sniffer that plugs into computer networks and monitors any Internet and e-mail activity that occurs in them

Sniff-O-Matic is a network protocol analyzer and packet sniffer that captures the network traffic and enables you to analyze the data

Page 49: File000140

EtherSnoop
http://www.arechisoft.com/

EtherSnoop is a network sniffer, designed for capturing, and analyzing the packets going through the network

It captures the data passing through your dial-up connection or network Ethernet card, analyzes the data, and represents it in a readable form

Page 50: File000140

GPRS Network Sniffer: Nokia LIG

The Nokia LIG sniffs GPRS traffic

It provides a precise solution for constructing a GPRS interception system

It is sold only to law enforcement agencies

The architecture of the implementation comprises:

• Lawful Interception Controller (LIC)
• Lawful Interception Browser (LIB)
• Lawful Interception Extension (LIE)

Page 51: File000140

GPRS Network Sniffer: Nokia LIG (cont’d)

Page 52: File000140

Siemens Monitoring Center
http://networks.siemens.com/

When it comes to fighting crime and thwarting terrorist attacks, law enforcement and government security agencies need the right tools to get results and fulfil their mandate

Therefore, state-of-the-art monitoring center solutions are a must for lawful interception (LI)

The Siemens Monitoring Center (MC) has been specifically developed to fulfil the complex needs of law enforcement agencies worldwide

More than 90 Monitoring Center solutions have been installed by Siemens Voice and Data Recording (VDR) in over 60 countries

The VDR system intercepts voice, data, GPRS traffic, cell, e-mail messages, and encrypted data

It is sold only to law enforcement agencies

Page 53: File000140

Siemens Monitoring Center (cont’d)

Universal Monitoring Center concept for all monitoring requirements within telecommunication networks:

• Fixed networks: PSTN (local and international exchanges)
• Mobile networks: GSM, GPRS, and UMTS
• Next Generation Networks (NGN)
• IP networks (local loop, ISP, and Internet backbone)
• Automatic correlation of content of communication to IRI (intercept-related information)

Page 54: File000140

Siemens Monitoring Center (cont’d)

• Mono and stereo, optionally compressed, voice recording
• Full-duplex, uncompressed recording for data demodulation (fax, Internet, e-mails, etc.)
• Customized add-on applications
• Centralized or distributed Monitoring Center (Monitoring Center-to-go)
• Scalable and adaptable to customer requirements
• Joint roadmap for upcoming telecommunications technology in the Monitoring Center (UMTS, NGN, ETSI-Internet)

Page 55: File000140

Screenshot: Siemens Monitoring Center

Page 56: File000140

NetWitness® Investigator
http://www.netwitness.com/

It provides security operations staff, auditors, and fraud and forensics investigators the power to perform free-form contextual analysis of raw network data

Features:

• SSL decryption (requires the server's private key, not merely its certificate)
• Interactive time charts and summary view
• Interactive packet view and decode
• Hash pcap on export, so a later reader can show the exported capture is unaltered
• Enhanced content views
• Real-time analytics
• Extensive network- and application-layer filtering (e.g. MAC, IP, user, keywords, etc.)
• IPv6 support
• Captures live from any wired or wireless interface
• Full content search, with regex support
• Exports data in .pcap format
• Imports packets from any open-source, home-grown or commercial packet capture system (e.g. .pcap file import)
• Bookmarking and history tracking
• Integrated GeoIP for resolving IP addresses to city/country, supporting Google Earth visualization

Page 57: File000140

Screenshot: NetWitness® Investigator

Page 58: File000140

NetWitness® Informer
http://www.netwitness.com/

NetWitness® Informer provides detailed reporting, charting and alerting on network performance, insider threats, data leakage, compliance monitoring, IT asset misuse, hacker activities, and a host of other threats

Features:

• Predefined report rules, categories and templates
• Flexible, WYSIWYG drag-and-drop report builder and scheduling engine
• Fully customizable, XML-based rules and report library for unlimited report and alert combinations
• Live charting for a real-time dashboard of activity
• Full role-based access controls
• Supports CEF, SNMP, syslog and SMTP data push

Report examples:

• Security: profile and alert on zero-day, botnet, dynamic DNS and intrusion activity with complete content
• Compliance: audit network-based components of policies and regulations such as FISMA, HIPAA, ISO 17799, SOX/GLB and PCI standards
• IT Operations: report and chart across application- and network-layer metrics
• Business Intelligence: profile sensitive data flow in real time with total access to all events and content surrounding suspect activity
• Insider Threat: monitor and profile computer, user and resource activity across every application and device
• Legal: support e-Discovery, criminal investigations or liability audits through network entity profiling and analysis

Page 59: File000140

Screenshot: NetWitness® Informer

Page 60: File000140

NetResident
http://www.tamos.com/

NetResident is a network content monitoring program that captures, stores, analyzes, and reconstructs network events such as e-mail messages, web pages, downloaded files, instant messages, and VoIP conversations

Page 61: File000140

nGenius InfiniStream
http://www.netscout.com/

NetScout's real-time analysis and packet recording minimizes mean time to resolution by:

• Eliminating the need to sift through numerous packet trace files to find specific network or link behavior
• Alleviating the need to wait for an issue to recur, by using continuous packet capture and playback to view the packets associated with an issue
• Mining the recorded data in an efficient, flexible and logical way to reveal issues much faster and meet the challenges of the modern IP network
• Delivering the post-event forensic analysis necessary to diagnose problems quickly and minimize the impact on the end user

InfiniStream, combined with NetScout analysis and reporting solutions, provides the KPI-to-flow-to-packet top-down workflow needed to quickly and efficiently detect, diagnose and verify the resolution of elusive and intermittent IT service problems

Page 62: File000140

Screenshot: Infinistream Console

Page 63: File000140

eTrust Network Forensics
http://www3.ca.com/

eTrust Network Forensics captures raw network data and uses advanced forensic analysis to identify how business assets are affected by network exploits, internal data theft, and security or HR policy violations

Its patented technology allows IT and security staff to visualize the network's activity, uncover anomalous traffic, and investigate breaches with a single, convenient solution

• Powerful forensic analysis: links network data with security alerts
• Holistic view of network element dependencies through a knowledge base
• Quickly discovers network anomalies or trouble spots
• Effectively visualizes communications in interactive 2D graphs
• Enhances existing security investments with graphical reports

Page 64: File000140

Screenshot: eTrust Network Forensics

Page 65: File000140

ProDiscover Investigator
http://www.techpathways.com/

ProDiscover Investigator investigates the disk content throughout the network

It checks for illegal activity or for compliance to company policy and gathers evidence for potential use in legal proceedings

Page 66: File000140

P2 Enterprise Shuttle (P2EES)
http://www.paraben-enterprise.com/

P2EES is an enterprise investigation tool that views, acquires, and searches client data wherever it resides in the enterprise

It examines the main communications that pass through the system, as well as those passing through the routers and firewalls

It acts as the central repository for all forensic images collected and is integrated with MySQL

Page 67: File000140

Screenshot: P2 Enterprise Shuttle

Page 68: File000140

Show Traffic
http://demosten.com/

Show Traffic monitors network traffic on the chosen network interface and displays it continuously

It locates suspicious network traffic or evaluates current utilization of the network interface

Page 69: File000140

Network Probe
http://objectplanet.com/

Network Probe identifies the source of problems in the network traffic

It shows who is generating the troublesome traffic, and where the traffic is being transmitted to or received from

Page 70: File000140

Snort Intrusion Detection System
http://snort.org/

Snort is a versatile, lightweight, and useful intrusion detection system

In packet-logger mode Snort logs packets in either tcpdump binary format or Snort's decoded ASCII format, to log directories named after the IP address of the foreign host; in NIDS mode it matches traffic against a rule set and logs the packets that trigger an alert

Plug-ins allow the detection and reporting subsystems to be extended

Available plug-ins include database logging, small fragment detection, portscan detection, and HTTP URI normalization
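As an added example, not from the module, a Snort 2.x configuration fragment that would have raised alerts during the intranet DNS spoofing attack described earlier: the arpspoof preprocessor watches the gateway's MAC, and a local rule flags DNS replies arriving from any host other than the configured resolver. The gateway IP, its MAC and the resolver address are assumed values.

```snort
# Added example, not from the module: Snort 2.x configuration fragment.
# Alert when the gateway's IP is seen with a MAC other than the recorded one
# (the ARP poisoning used in the intranet DNS spoofing diagram).
# Gateway IP and MAC are assumed values for this example.
preprocessor arpspoof
preprocessor arpspoof_detect_host: 10.0.0.254 00:1a:2b:3c:4d:5e

# Alert on DNS replies that come from anything other than the configured resolver.
ipvar DNS_SERVERS [10.0.0.254]
alert udp !$DNS_SERVERS 53 -> $HOME_NET any (msg:"DNS reply from unexpected resolver"; classtype:bad-unknown; sid:1000001; rev:1;)
```

The DNS rule only catches an attacker who answers from his own address; one who spoofs the resolver's source address is invisible to it, which is why the ARP check matters more on the local segment.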

Page 71: File000140

Snort IDS Placement

Diagram: the Snort sensor's position relative to the firewall (a sensor outside the firewall sees every attempt, one inside sees only what the firewall lets through)

Page 72: File000140

IDS Policy Manager
http://www.activeworx.org

IDS Policy Manager has been the de facto standard for managing Snort rules on Windows. You can create Snort rules graphically

Page 73: File000140

Documenting the Evidence Gathered on a Network

If the network logs are small, you can take a print-out and attest it

Document the evidence gathering process by recording:

• The name of the person who collected the evidence and where it was collected from
• The procedure used to collect the evidence and the reason for collecting it
• The date and time of collection and a cryptographic hash (e.g. SHA-256) of every capture file, so that the copy produced later can be shown to be the one collected

The process of documenting digital evidence on a network becomes more complex when the evidence is gathered from systems at remote locations
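As an added example, not code from the module, a Python chain-of-custody record carrying the fields listed above plus the capture's size and SHA-256 hash, with a verify function that shows the record detecting a later modification of the file. The file written is a constructed stand-in for a pcap, and the investigator, sensor and case details are made up.

```python
"""Integrity record for a captured evidence file: who collected it, from where,
how, why, and a SHA-256 hash that later shows whether the file was altered.

Added example, not code from the module. The capture content written here is a
constructed stand-in for a real pcap; names and hostnames are made up.
"""
import datetime
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Hash the file in chunks so multi-gigabyte captures need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def make_custody_record(path, collected_by, collected_from, procedure, reason):
    """Chain-of-custody entry with the fields the module lists, plus size and hash."""
    return {
        "file": os.path.basename(path),
        "size": os.path.getsize(path),
        "sha256": sha256_file(path),
        "collected_by": collected_by,
        "collected_from": collected_from,
        "procedure": procedure,
        "reason": reason,
        "collected_at": datetime.datetime.now(datetime.timezone.utc).isoformat(timespec="seconds"),
    }


def verify_evidence(path, record):
    """True only if size and hash still match the record; either change is a red flag."""
    return os.path.getsize(path) == record["size"] and sha256_file(path) == record["sha256"]


def demo():
    """Write a stand-in capture, record it, verify, tamper with it, verify again."""
    workdir = tempfile.mkdtemp()
    capture = os.path.join(workdir, "rebecca-dns-20080114.pcap")
    with open(capture, "wb") as fh:
        fh.write(b"\xd4\xc3\xb2\xa1" + b"\x00" * 20)    # pcap magic + zeroed global header
    record = make_custody_record(
        capture,
        collected_by="Investigator J. Doe (badge 1234)",              # assumed name
        collected_from="sensor-01, SPAN of the gateway switch port",  # assumed host
        procedure="windump -w rebecca-dns-20080114.pcap -s 65535, 20:50-21:05 local time",
        reason="DNS redirection suspected on 10.0.0.3",
    )
    intact = verify_evidence(capture, record)
    with open(capture, "ab") as fh:
        fh.write(b"one more byte")                          # simulate tampering
    still_intact = verify_evidence(capture, record)
    return record, intact, still_intact


if __name__ == "__main__":
    record, before, after = demo()
    print(json.dumps(record, indent=2))
    print("verified before tampering:", before, "after:", after)
```

Compute the hash on the sensor, before the file is copied anywhere, and record it with the other fields; every later copy is verified against that first record.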

Page 74: File000140

Evidence Reconstruction for Investigation

Gathering evidence trails on a network is cumbersome for the following reasons:

• Evidence is not static and is not concentrated at a single point on the network
• The variety of hardware and software found on the network makes the evidence gathering process more difficult

Three fundamentals of reconstruction for investigating a crime are:

• Temporal analysis: helps to identify the time and sequence of events
• Relational analysis: helps to identify the links between the suspect and the victim with respect to the crime
• Functional analysis: helps to identify the events that triggered the crime

Page 75: File000140

Summary

There are two types of network addressing schemes: LAN Addressing and Internetwork Addressing

Sniffer is computer software or hardware that can intercept and log traffic passing over a digital network or part of a network

The ARP table of a router comes in handy for investigating network attacks, as the table contains the IP addresses associated with the respective MAC addresses

The DHCP server maintains a list of recent queries along with the MAC address and IP address

IDS can be configured to capture network traffic when an alert is generated
