April 2015

Michael Sonntag

Network Forensics

What is it?

Network Forensics 2

Evidence taken from the “network”

» In practice this means today the Internet (or LAN)

» In special cases: Telecommunication networks (as long as they are not yet changed to VoIP!)

Typically not available “after the fact”

» Requires suspicions and preparation in advance

Copying the communication content

» At the source (=within the suspects computer): “Online search” › This could also be a webserver, e.g. if it contains illegal content

› “Source” does NOT mean that this is the client/initiator of communication/…

» At the destination: See some part of the traffic Only if unavoidable or the only interesting part

» Somewhere on the way of the (all?) traffic: ISP, physically tapping the wires, home routers etc.

Problems of network forensics

Network Forensics 3

“So you have copied some Internet traffic – but how is it linked to the suspect?”

» The IP addresses involved must be tied to individual persons

» This might be easy (location of copying) or very hard

“When did it take place?”

» Packet captures typically have only relative timestamps

» But there may be lots of timestamps in the actual traffic! › As supporting evidence to some external documentation

“Is it unchanged?”

» These are naked packets, and their content can be changed

» Although it is possible to check e.g. checksums, this is a lot of work and normally not done

» Treat as any other normal digital evidence › Hash value + Chain of Custody; work on copies only

Scenario

Network Forensics 4

Suspect: Mallory Malison; released from jail on bail

» Suspicion of attempted corporate espionage

There is some suspicion that he may try to flee

» But we currently have no hard evidence at all Released

Soon after he actually disappears

What happened forensically:

» Copying all traffic outgoing from his computer

Your task: Find out all you can about his activities, spec.:

» Any (attempted) communication with others › Including all “names” and “aliases” used (his and counterparts)

› Including all content (text, files etc) if possible

» Any hints to locations

» All other information you can find › For our example only!

Source

Network Forensics 5

Packet capture “scenario.pcap”

» Contains the actual packet capture › Hash value (SHA256): sha256sum -b scenario.pcap f2bccff18f4966fc352d032df834c818e4da052bfd32494bd729

ff5c0c8a93f4 *scenario.pcap

› Time: 21.4.2015, approx. 9:19

» Created with tcpdump on a Linux system › tcpdump –ni enp0s3 -s 65535 -w scenario.pcap

Program for inspection/evaluation: Wireshark

» Can be used for capturing packets, but also for displaying/investigating traces from other sources

General overview

Network Forensics 6

Load the capture in wireshark and get an overview

Packets: 1389; Total time: 227.53… seconds ( 4 min.)

Statistics summary:

Protocol hierarchy

Network Forensics 7

Overview on what was going on

» Take care:

» Numbers are not necessarily reliable

» Packets can contain several/no protocols

» E.g. IMAP: Server response might be “TCP” and not counted under IMAP › If not dissected as such

Arp

Network Forensics 8

Could show us what other computers were present in the subnet

» Asking for 169.254.10.120: APIPA Not interesting

» Asking for 192.168.10.1 See later with DHCP!

» Asking for 192.168.10.254 One more computer! › In this case: Default gateway of this subnet/server

Other information: MAC addresses › Can be used for identification of devices (later or when known for filtering)

» 08:60:6e:42:d2:4f: Client computer (=suspect) › ASUSTek Computer Inc.

» 08:00:27:7f:a8:b4: Default gateway/server › CADMUS COMPUTER SYSTEMS; actually: Virtualbox uses these

For MAC/OUI identification see http://standards.ieee.org/develop/regauth/oui/public.html

DHCP

Network Forensics 9

Discover, Offer, Request and Ack This computer received a new IP address

» It has presumably not been in this subnet before › But: Discover contains option 50: “Request IP address”

So it has been in this subnet (or one very similar to it!) and it had then (=the last time) 192.168.10.1

» Add ICMP to it: › (bootp and udp and ip and eth and frame) or icmp

» Server tests with Ping whether the intended address is free

» Hostname (Request option 12): “malmals-laptop” › Some hint that it is indeed “Mallory Malisons” Laptop

» Requests lots of things; and gets them (Offer/Ack) › DNS: 192.168.10.254; Network: 192.168.10.254/24

› Domain name is “provider.com”

DNS

Network Forensics 10

Take care: DNS alone is often misleading/strange

» DNS is almost always the first step for something else

» Whatever this is, it will be invisible if showing DNS only!

Querying for its own name: “malmals-laptop”

Active Directory: _ldap._tcp.dc._msdcs.provider.com

Win. checking network connectivity: dns.msftncsi.com

» “Network Connectivity Status Indicator”

Autoconfiguration: wpad.provider.com, wpad

404 hijack identification: engcqdycrtvlgej.provider.com

En-us.appex-rf.msn.com

» Response: redirect to Akamai webhosting

foodanddrink.tile.appex.bing.com; finance.*, weather.*

» Windows 8.1 tile live data

DNS

Network Forensics 11

irc.gamesurge.com: See later (IRC)!

r00t.cf: See later (NTP)!

mail.provider.com: See later (SMTP)!

Thunderbird welcome page: live.mozillamessaging.com, www.mozilla.org

» ocsp.digicert.com: Certificate revocation check for this connection, which uses https

» mozorg.cdn.mozilla.net: Welcome page content

Netbios, WS-Discovery, SSDP

Network Forensics 12

Again we get the computer name: MALMALS-LAPTOP

But now we also get the “normal” Domain/Workgroup the computer belongs to

» In this case: Workgroup “WORKGROUP” (=standard value)

Web Services Discovery Protocol (UDP “data” protocol)

» Discovering other devices via a multicast (239.255.255.250)

» Works through SOAP on port 3702

» E.g. network printers, “people near me”

Simple Service Discovery Prot.; SSDP (identified as HTTP)

» Discovering other devices via a multicast (239.255.255.250)

» Works through HTTP on port 1900

» Basis for UPnP

Interesting: No answers; no one else is there or they are (specifically!) configured to not use these protocols

NTP

Network Forensics 13

We have two time synchronizations (packets 163-166)

(Client + Server ) * 2

Interesting: Windows is typically configured with a Microsoft time server, but here 188.40.92.202 is used

» What’s this? Check it manually!

» Or better: Switch back to “full view” (“Clear”) and see the DNS request immediately before “r00t.cf” › Note: Filtering in wireshark e.g. “ip.addr==188.40.92.202” does not work,

as this is a message content, not part of the packets!

› Note: “frame contains "188.40.92.202"” doesn’t work either, as this would only match string content!

› Note: “frame contains "\xbc\x28\x5c\xca"” works! (hex representation of IP address; but you might also want to check for other byte orders too!)

OCSP

Network Forensics 14

Certificate validation is present

» So obviously some secure connection was tried, successfully initiated, and then the certificate was checked for validity › Which one? We don’t know from the request! It only contains hashes of

the issuer, the key and the serial number of the certificate

Hashes are relatively useless…

› frame contains "\x03\x37\xb9\x28” leads to packet 342; following this TCP stream we find it stems from a https connection to 63.245.215.20

› Which immediately before has a DNS response for this IP with the name mozorg.dynect.mozilla.net

› It is the parent certificate of the certificate www.mozilla.org (packet 344)

Issued by DigiCert High Assurance EV Root CA

» So now we know from what connection it comes from and what certificate “initiated” the request

SMTP

Network Forensics 15

We see two sessions (tcp.port==25 and tcp.flags.syn==1)

» Starting at packets 677 and 1067

Session 1: 677

» Plain authentication (see later)

» Message from “jamespond@provider.com”

» Message to “trudy.miller@acme.biz”

» Simple text content + attachment › The text we can easily read/copy out: “Follow TCP stream” + mark + Ctrl-C

› But the attachment? We can copy it out, but it is “encrypted”!

› Filename: “Meeting.docx”, Transfer-encoding: base64

› So copy text, save as file, decode from base64 (d=decode, i=ignore garbage the linebreaks), view it

base64 –d –i attachment.txt >Recovered.docx

Message 1: Text

Network Forensics 16

Hi Trudy! I urgently need the data you "obtained" from ACME; my client is getting restless!! Meet me at the point shown in teh attachment! Only then our common future will be sure! See you soon, hottie Mallory

Doesn’t look to good for our suspect…

Message 1: Attachment

Network Forensics 17

Time + Location Nice!

“Carving” image from document

Network Forensics 18

Extracting the image might be helpful:

» We can compare it easily to other images on a computer

» We can calculate a hash value to search for it

How to do it: Trivial, because it is a docx!

» This means, it is actually a ZIP file with XML (and other) content

Make copy, rename to ZIP, extract, look for image

» Look in subdirectory “word/media” image1.png

Plain authentication

Network Forensics 19

This is a not-so-secure version of authentication

» See RFC 4616 for the description › “The client presents the authorization identity (identity to act as), followed

by a NUL (U+0000) character, followed by the authentication identity (identity whose password will be used), followed by a NUL (U+0000) character, followed by the clear-text password.“

› Strict recommendation: Use only with outer encryption, e.g. TLS

» Big advantage: Authenticate as user 1 but act (=impersonate) as user 2 (optional); e.g. Administrator can act as normal user

» Big problem: Lack of encryption or other security

» Single message from client to server › So no protection against replay, modification, sniffing etc.

In practice (SMTP) base64 encoding is used in addition

» AUTH PLAIN AGphbWVzcG9uZAA1dXAzcjVjdThh

» = AUTH PLAIN \0jamespond\05up3r5cu8a

Now we know his username and his mail password!

Second mail message sent

Network Forensics 20

Similar to first message (PLAIN LOGIN), but not attachment present

Recipient: carol.astor@bigcorp.com

Text: » My beloved Carol!

Unfortunately we will not be able to meet tomorrow evening for the candlelight dinner we planned - I have to leave town urgently. I'll make up for it when we meet in Venice! Always in love with you, Mallory P.S. Don't forget about teh data I asked you - otherwise I'll never be able to prove the wrong the company you're working for did to me.

Notice a common mistake: “the” “teh“

Also: Hint that he is going to disappear intentionally

» But: No date, and only “venice”

IMAP

Network Forensics 21

Retrieving messages: 2 conversations » tcp.port==143 and tcp.flags.syn==1

Again we get a server header (rather useless here)

But no content: STARTTLS is used

» We do get the certificate of the server, which is a self-signed one (and therefore useless)

» And the amount of data: › Session 1: Most going to server (large)

› Session 2: Approx. the same conten; buth this time coming from server

See also: “Interleaving”

» Might give an idea what was happening on a very high level

IMAP + SMTP

Network Forensics 22

IMAP (181@103 sec – 339@104 sec)

» Start connection, check for new mails

Long IMAP (418@114 sec – 657@117 sec)

» Retrieve long E-Mail

SMTP Send msg with attachm. (677@131 sec – 954@ 131 sec) Long IMAP (959@131 sec - 1045@134 sec)

» Send mail and copy it into “Sent” folder

IMAP (1053@145 sec - 1063@145 sec)

» New messages/changes?

SMTP send short (1067@156 sec – 1093@156 sec) Short IMAP (1095@156 sec – 1136@160 sec)

» Send mail and copy it into “Sent” folder

IMAP (1156@179 sec – 1186@180 sec) New messages/changes? Quit

SSH

Network Forensics 23

An encrypted communication also took place

» Client: SSH-2.0-PuTTY_Release_0.64

» Server: SSH-2.0-OpenSSH_4.3

Destination: 62.218.130.121

Could be used to validate identity of counterpart

What is actually being used (packet 1196): aes256-ctr, no compression, HMAC-SHA2-256

» AES 256 Bit Counter mode, with SHA2 (256 Bit) in HMAC mode for integrity checks Forget about breaking it…

We can create an estimate of the data transferred: 550102 bytes transferred (both directions!)

» Packets 1230-1360 are in close sequence; before and after is a time-gap Probably one transfer of approx. 520 kB outward › Actual file size: 510 kB

IRC

Network Forensics 24

Packets 156-158 are “strange”

» SYN packets without anything else

» At 71,74 and 80 seconds

» So nothing else was going on at that moment!

What is port “6667”? IRC (Internet Relay Chat)

» Also used by many Trojans!

Either the suspect has a trojan, or he (or his computer) tried to connect to an IRC server

Which one? See DNS request 154-155)

» irc.gamesurge.net Probably not a trojan control server

Is it up? Why did the communication not succeed? We don’t know, but it was not for the suspect not trying!

» So we might try to find some archived chats from there or identify the suspects user profile on that server

HTTP

Network Forensics 25

Several HTTP connections occurred, but none of them look interesting for this investigation

» Related to Windows 8.1 live tiles » http://en-US.appex-rf.msn.com/cgtile/v1/en-US/Sports/Today.xml?cgversion=v6

» http://foodanddrink.tile.appex.bing.com/api/feed/?view-name=data&name=livetile&market=en-US&version=2_0&format=xml

» http://en-US.appex-rf.msn.com/cgtile/v1/en-US/News/Today.xml

» http://en-US.appex-rf.msn.com/cgtile/v1/en-US/HealthAndFitness/Home.xml?cgversion=v6

» http://finance.services.appex.bing.com/Market.svc/AppTilev2?symbols=&contentType=-1&TileType=0&locale=en-US

» http://weather.tile.appex.bing.com/WeatherService.svc/PreInstallLiveTile?lang=en-US&region=US&appid=C9…36&FORM=APXWEA

Full text search approach

Network Forensics 26

We can also try a fulltext search for any information

» Directly within the network dump, e.g. using ngrep › Attention: This is often not in the normal repositories. You might have to

install/enable additional ones (CentOS: EPEL) or compile it manually

For this we need search words, but here we have few:

» “Mallory”, “Malison”

» Second step (after we found something): The E-Mail addresses

ngrep: Lots of parameters ngrep match_expression filter_expression

» -i: Ignore case in regular expression

» -: Just packet header (+payload if relevant)

» -v: Inverted match (show what doesn’t match the expression)

» -t: Print timestamp

» -S: Limit length of packet to check for the expression

» -I: Do not read from interface but rather from a dump file

» -O: Output not to console but a dump file http://ngrep.sourceforge.net/

Full text search

Network Forensics 27

ngrep “Mallory” –t –q –I scenario.pcap input: scenario.pcap

match: Mallory

T 2015/04/21 09:21:55.216949 192.168.10.1:49174 -> 192.168.10.254:25 [AP]

Message-ID: <5535FA92.4090704@provider.com>..Date: Tue, 21 Apr 2015 09:21:54 +0200..From: Mallory Malison <jamespond@provider.com>..User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0..MIME-Version: 1.0..To: trudy.miller@acme.biz..Subject: Seeing you soon..Content-Type: multipart/mixed;.. boundary="------------020006080700010304080400"....This is a multi-part message in MIME format...--------------020006080700010304080400..Content-Type: text/plain; charset=utf-8; format=flowed..Content-Transfer-Encoding: 7bit....Hi Trudy!....I urgently need the data you "obtained" from ACME; my client is getting..restless!!....Meet me at the point shown in the attachment!....Only then our common future will be sure!....See you soon, hottie.. Mallory....--------------020006080700010304080400..Content-Type: application/octet-stream;.. name="Meeting.docx"..Content-Transfer-Encoding: base64..Content-Disposition: attachment;..filename="Meeting.docx"....UEsDBBQABgAIAAAAIQCtsT5y2QEAANgDAAAQAAgBZG9jUHJvcHMvYXBwLnhtbCCiBAEooAAB..AAAAAA

Note: Unprintable characters are replaced by a dot

Full text search

Network Forensics 28

Second match T 2015/04/21 09:22:19.978928 192.168.10.1:49175 -> 192.168.10.254:25 [AP]

Message-ID: <5535FAAB.40300@provider.com>..Date: Tue, 21 Apr 2015 09:22:19 +0200..From: Mallory Malison <jamespond@provider.com>..User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0..MIME-Version: 1.0..To: carol.astor@bigcorp.com..Subject: Dinner postponement..Content-Type: text/plain; charset=utf-8; format=flowed..Content-Transfer-Encoding: 7bit....My beloved Carol!....Unfortunately we will not be able to meet tomorrow evening for the ..candlelight dinner we planned - I have to leave town urgently.....I'll make up for it when we meet in Venice!....Always in love with you,.. Mallory....P.S. Don't forget about teh data I asked you - otherwise I'll never be ..able to prove the wrong the company you're working for did to me...

What did we find? The two E-Mails he sent!

» And which we already know about

» But if we started like this, we now knew where to look

Searching for “Malison”: Almost same result

» Mail header: From: Mallory Malison <jamespond@provider.com>

“jamespond@” 4 results: 2*envelope + 2*mail content

Other E-Mails: 2 results each (envelope+content)

Timeline (1)

Network Forensics 29

21.4.2015 9:19:43: Start of capture

9:19:47: DHCP request from “malmals-laptop”

9:19:48: IP address 192.168.10.1 assigned

9:19:49: Workgroup join/domain browser/AD search

9:20:42: Web requests for tile content

9:20:55: IRC connection tries

9:21:14: Time synchronisation with r00t.cf

9:21:26: IMAP starts; download/display of large mail

9:21:55: First SMTP session

» Mail sent to trudy.miller@acme.biz

» Contains an attachment

9:21:55: Long IMAP session

» Probably copying the mail sent to the “Sent” folder

Timeline (2)

Network Forensics 30

9:22:19: Second SMTP message

» Mail sent to carol.astor@bigcorp.com

9:22:20: IMAP session

» Probably copying the mail sent to the “Sent” folder

9:22:58: SSH session begins

» Large outgoing data, little incoming (=“upload”)

9:23:17: SSH session ends

21.4.2015 9:23:31: Last message recorded; end of dump

Summary

Network Forensics 31

We found:

» Some info on the computer used › Previous IP, uncommon timeserver

» Two mail messages sent › Recipient and sender E-Mail address

› Full text

› Attachment with map (=location) and time for meeting

» Username and password for mail account

» Hints on the general usage of IRC with a specific server

» SSH large upload; probably SFTP

Thank you! Questions?

Thank you!

Any questions?

https://www.ins.jku.at

Network Forensics 32

Michael Sonntag

michael.sonntag@ins.jku.at

+43 (732) 2468 – 4137

S3 235 (Science park 3, 2nd floor)