GIU Digital Forensics Lecture 9 PDF

Summary

This document is a lecture on digital forensics. It covers several types of network attacks (ARP spoofing, ICMP flooding, TCP-SYN scans, DoS and brute-force attacks) and describes how to investigate them, focusing on Wireshark-based methods for analyzing network traffic and identifying malicious activity.

Full Transcript


Slide 1: DIGITAL FORENSICS, Lecture 9
Course Instructor: Dr. Marwa Zamzam. Email: [email protected]. Instructor Office: A214. Teaching Assistants: Eng. Salma Abubakr. These slides are based on the updated version of those by Assoc. Prof. Dr. Amr ElMougy.

Slide 2: Network Attacks
- Attacks on a network can come from external or internal sources, so they can be monitored using a network analyzer such as Wireshark.
- Network analyzer: can be used to identify unusual patterns or packet contents in the network traffic, including network scans, malformed packets, and unusual protocols, applications, or conversations that should not be running on your network.
- To detect a network attack, we must understand what constitutes normal network behavior and detect patterns that fall outside it.
- An important distinction has to be made between malicious attempts and network problems (bugs) that may occur for any reason.

Slide 3: Network Attacks Forensics
- ARP Spoofing
- ICMP Flooding
- TCP-SYN Scan
- DoS Attack
- Brute Force Attack

Slide 4: ARP Scans
- ARP (Address Resolution Protocol) is used to map IP addresses to MAC addresses within a local network, so that devices on a network can communicate with each other.
- The first step when sending data to a device is sending an ARP request to find the device's MAC address. Once the MAC address is found, the communication can continue.
- ARP scans, also called ARP sweeps, are used to discover active local hosts on a network segment. An ARP scan by itself is generally not an attack, but it can be used to gather information about a local network.
- An ARP sweep can be difficult to detect unless you apply a display filter and observe a steady, incremental sweep from the same device, as seen in the following figure:

Slide 5: ARP Spoofing
- ARP spoofing (or poisoning) can be an attack, where an attacker sends fake ARP messages to associate their MAC address with the IP address of another device, allowing them to intercept traffic and perform Man-in-the-Middle (MitM) attacks.
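An added check, not from the lecture, that looks for the spoofing sign described above (a second MAC announcing an IP that another device already uses) together with the rules of thumb on the next slide (many requests from one device, requests from unknown sources, replies without requests); the ARP frames and the KNOWN_MACS inventory are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed ARP frames (not from the lecture's capture): op, sender MAC/IP, target IP.
ARP_FRAMES = [
    {"op": "request", "smac": "aa:aa:aa:00:00:01", "sip": "10.0.0.1", "tip": "10.0.0.20"},
    {"op": "reply", "smac": "aa:aa:aa:00:00:20", "sip": "10.0.0.20", "tip": "10.0.0.1"},
    # an ARP sweep: one unknown device asking for every address in turn
    *[{"op": "request", "smac": "de:ad:be:ef:00:99", "sip": "10.0.0.99", "tip": f"10.0.0.{i}"}
      for i in range(2, 40)],
    # replies nobody asked for, claiming the gateway address 10.0.0.1 (poisoning pattern)
    {"op": "reply", "smac": "de:ad:be:ef:00:99", "sip": "10.0.0.1", "tip": "10.0.0.20"},
    {"op": "reply", "smac": "de:ad:be:ef:00:99", "sip": "10.0.0.1", "tip": "10.0.0.21"},
]
KNOWN_MACS = {"aa:aa:aa:00:00:01", "aa:aa:aa:00:00:20"}  # assumed inventory of recognised devices

def arp_findings(frames, known_macs, sweep_threshold=20):
    """Apply the lecture's rules of thumb to ARP frames (assumed in capture order)
    and return what an analyst should start investigating."""
    requests = Counter()              # requests sent per MAC
    asked_for = set()                 # IPs that some request was looking for
    unsolicited = []                  # replies for an IP nobody asked about
    ip_to_macs = defaultdict(set)     # IP -> every MAC that announced it
    for f in frames:
        ip_to_macs[f["sip"]].add(f["smac"])
        if f["op"] == "request":
            requests[f["smac"]] += 1
            asked_for.add(f["tip"])
        elif f["sip"] not in asked_for:
            unsolicited.append(f)
    return {
        "sweep_sources": [m for m, n in requests.items() if n >= sweep_threshold],
        "unknown_sources": sorted(set(requests) - known_macs),
        "unsolicited_replies": unsolicited,
        "ip_conflicts": {ip: sorted(macs) for ip, macs in ip_to_macs.items() if len(macs) > 1},
    }
```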
Slide 6: ARP Spoofing (When to Investigate?)
- ARP requests and replies are a part of regular network operation. Here are some rules of thumb to make sure they are actually so:
- Requests from different sources: no problem, this is how a network works (as long as there are not too many of them!).
- Many requests from a single device: look at the source address and verify which device is actually sending the requests. It can be a management system that auto-discovers the network, or a router that scans to see who is on the local network.
1. ARP requests from unknown sources: if you don't identify the source, it might be a problem, like a worm or ARP poisoning. Start investigation!
2. ARP replies without requests: if you see replies that are not to specific requests, it might be a problem. Start investigation!

Slide 7: ICMP Scan
- ICMP (Internet Control Message Protocol) is typically used for network diagnostics (e.g., ping to check connectivity).
- An ICMP scan involves sending ICMP Echo Request messages to multiple hosts to identify which devices are alive on a network. This is a common network discovery technique.
- ICMP flooding can be an attack, where an attacker floods a network with ICMP Echo Request messages to overwhelm the network or device.

Slide 8: ICMP Scan: Network Structure
- There is a central server located on the left-hand side, which is accessed by users from remote sites.
- These remote sites are likely connected to the central server through a wide area network (WAN) or some form of network backbone.
- Users from all remote sites are reporting that the network is very slow.
- They are accessing resources (servers) located in the center; the central server handles important tasks or services for these remote sites.

Slide 9: ICMP Scan
- What I got when I connected Wireshark to a remote site (as illustrated below) was many ICMP requests coming from 10.0.0.1 to random destinations.
- Also, look at the time between packets.
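An added example, not from the lecture, of the ICMP sweep pattern just described: group echo requests by source, sort their destinations, and measure the time between consecutive packets; the records and the thresholds are constructed assumptions.

```python
from statistics import median

# Constructed ICMP Echo Request records (timestamp_s, src_ip, dst_ip); not the lecture's capture.
ECHO_REQUESTS = [
    # a normal diagnostic ping: one host, one destination, once per second
    *[(10.0 + i, "10.0.0.50", "10.0.0.1") for i in range(5)],
    # a sweep: 10.0.0.1 probing every address of 10.0.1.0/24 about 2 ms apart
    *[(20.0 + i * 0.002, "10.0.0.1", f"10.0.1.{i}") for i in range(1, 255)],
]

def ip_key(ip):
    """Sort key so that 10.0.1.10 sorts after 10.0.1.9, not after 10.0.1.1."""
    return tuple(int(part) for part in ip.split("."))

def sweep_report(requests, min_targets=50, max_gap_s=0.05):
    """Group echo requests by source, sort the destinations (the 'sort by
    destination' step) and measure the delay between consecutive packets.
    A source hitting many distinct destinations with very short gaps is
    reported as a suspected sweep."""
    by_src = {}
    for ts, src, dst in requests:
        by_src.setdefault(src, []).append((ts, dst))
    report = {}
    for src, pk in by_src.items():
        pk.sort()                                         # capture order for this source
        gaps = [b[0] - a[0] for a, b in zip(pk, pk[1:])]
        targets = sorted({dst for _, dst in pk}, key=ip_key)
        report[src] = {
            "requests": len(pk),
            "targets": len(targets),
            "first_targets": targets[:3],
            "median_gap_s": median(gaps) if gaps else None,
            "suspect_sweep": bool(gaps) and len(targets) >= min_targets
                             and median(gaps) < max_gap_s,
        }
    return report
```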
If scanned, it will usually be very short.

Slide 10: ICMP Flooding (When to Investigate?)
- If you notice a massive number of pings (thousands or more), especially directed to various destinations in a short time frame, this is a clear indication of an attack.
- Investigation steps:
  - Sort by destination: if you suspect a scan, sort packets by the destination address. This makes it easier to see the scan patterns and identify the devices being targeted.
  - Look for short packet timing: if the packets are being sent with very little delay, it suggests automated scanning, which is typical of worms or other malicious tools.
  - Examine multiple ICMP requests: unusual patterns, such as multiple requests from one source, multiple ICMP timestamp requests, or ping sweeps, can indicate scanning.
  - Check for anomalies in traffic: too many ICMP requests are a red flag. If the requests are reaching many devices or repeating at high frequency, this could indicate a flood or attack.

Slide 11: ICMP Scan
- Common types of ICMP scan attacks:
  - ICMP Flood Attack: an attacker floods the target with a high volume of ICMP requests (ping packets), which overwhelms the target's resources and causes it to slow down or crash.
  - Ping of Death: the attacker sends oversized ICMP packets that the target cannot handle, causing it to freeze or crash.
  - Smurf Attack: the attacker spoofs the source IP of the ICMP request, causing all network devices to respond to the spoofed IP. The target (the victim) gets flooded with replies.

Slide 12: TCP-SYN Scan
- A TCP-SYN scan is a method of discovering open ports on a target machine. It is often used in reconnaissance or penetration testing to identify which ports on a system are open and listening for connections.
- In this case, the attacker scans random TCP ports with TCP-SYN packets, waiting for someone to answer with SYN-ACK. The moment it happens, there are two options:
  - The attacker will continue to send SYN packets and receive the SYN-ACKs, thus leaving many half-open connections on the device under attack (2).
  - The attacker will answer with ACK, thus initiating the connection, and leave it open or try to harm the device under attack with this connection (3).

Slide 13: TCP-SYN Scan
- You will see many SYN packets without any response (ACK) from the node under attack.
- Same source address and same destination address.

Slide 14: TCP-SYN Scan (firewall example)
- When you have a firewall on the device that is under attack or will be attacked, you will see many SYN packets, with a TCP RST packet sent as a response to each one of them.

Slide 15: TCP-SYN Scan (open and blocked ports)
- If the port is open, the system responds with a SYN-ACK packet (synchronize-acknowledge), indicating that the port is open and ready to communicate.
- If the port is closed, the system responds with a RST (reset) packet, indicating the port is closed and rejecting the connection.
- This is illustrated in the following screenshot:

Slide 16: Discovering DoS and DDoS Attacks
- Denial of Service (DoS) and Distributed Denial of Service (DDoS) are attacks that intend to deny users access to network services.
- Services that can be denied to users can be:
1. Communication lines: this will usually be done by generating traffic that floods and blocks the communication line.
2. Applications and services (web services, mail services, and so on): this will usually be done by loading a server to a point at which it will not be able to serve clients' requests.

Slide 17: DoS Attack Example
- When a communication line becomes very slow, for example a connection to the Internet, connect Wireshark with a port mirror to this line.
- We see source addresses in ascending order, generating traffic to the Internet address 94.23.71.12.
- When you look at the time column, configured as "time since the previously displayed packet", you see that there are 11-12 microseconds between frames. When you see TCP-SYN coming at this rate, something is wrong. Start investigation!

Slide 18: DoS Attack Example (single MAC address)
- Since the source addresses are unknown, I've checked their MAC address. What I got was:
- The problem was that all source addresses came from a single MAC address.
- Check for SYN scans, and verify which IP and MAC addresses they are coming from. It can be that a worm is generating source addresses that are not the addresses of the host.

Slide 19: Brute Force Attack
- A brute-force attack is a trial-and-error method used to obtain information from the victim, for example, trying to find organizational servers and user directories, and to crack passwords.
- Brute-force attacks usually will not produce non-standard loads on the network, and the way they are discovered is usually by IDS systems or when there is a suspicion that someone is trying to hack into the network.
- For DNS brute-force attacks, look for DNS queries that are asking for common names under your domain.

Slide 20: Brute Force Attack (no-response queries)
- We can see DNS queries to common names such as dns (1) and dns2, an IPv4 address record (2) and an IPv6 address record (3), and intranet, an IPv4 address record (4) and an IPv6 address record (5).
- In the case of dns.icomm.co (1), we got a reply; in all other cases, we did not.
- Many queries with no response can indicate a DNS brute-force attack, but can also indicate someone who is looking for a server that does not exist. Look at the source address to see where it is coming from.

Slide 21: Brute Force Attack Example (HTTP error)
- Also, look for too many HTTP error messages. Some examples are illustrated in the following screenshot. Choose Statistics | HTTP | Packet Counter | PC. If you get too many error messages, check for their source.
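An added example (not the lecture's own material) for the TCP-SYN slides and the DoS example above: classify_syns pairs each SYN with its SYN-ACK, RST or silence and marks connections the scanner never completed as half-open, and spoofed_source_macs applies the single-MAC, microseconds-apart check from the DoS example. The packet tuples are constructed; only the 94.23.71.12 destination is taken from the slide.

```python
from collections import defaultdict
from statistics import median

# Constructed TCP records (ts_s, src_mac, src_ip, dst_ip, sport, dport, flags); not the lecture's captures.
SCANNER, TARGET = "00:11:22:33:44:55", "aa:bb:cc:00:00:05"
SCAN = [
    (0.010, SCANNER, "10.0.0.99", "10.0.0.5", 40022, 22, "S"),
    (0.011, TARGET, "10.0.0.5", "10.0.0.99", 22, 40022, "SA"),    # open, never ACKed: half-open
    (0.020, SCANNER, "10.0.0.99", "10.0.0.5", 40080, 80, "S"),
    (0.021, TARGET, "10.0.0.5", "10.0.0.99", 80, 40080, "SA"),    # open ...
    (0.022, SCANNER, "10.0.0.99", "10.0.0.5", 40080, 80, "A"),    # ... and completed
    (0.030, SCANNER, "10.0.0.99", "10.0.0.5", 40443, 443, "S"),
    (0.031, TARGET, "10.0.0.5", "10.0.0.99", 443, 40443, "R"),    # closed or firewalled: RST
    (0.040, SCANNER, "10.0.0.99", "10.0.0.5", 48080, 8080, "S"),  # no answer at all
]
# SYN flood toward 94.23.71.12: ascending spoofed source IPs, one real MAC, ~12 us apart
FLOOD = [(1.0 + i * 12e-6, "de:ad:be:ef:00:01", f"10.{i >> 16 & 255}.{i >> 8 & 255}.{i & 255}",
          "94.23.71.12", 1024 + i, 80, "S") for i in range(500)]

def classify_syns(pk):
    """Pair every SYN with its answer: SYN-ACK = open, RST = closed/firewalled,
    nothing = no response; an open port the scanner never ACKs stays half-open."""
    state = {}
    for _, _, sip, dip, sp, dp, flags in sorted(pk):
        fwd, rev = (sip, dip, sp, dp), (dip, sip, dp, sp)
        if flags == "S":
            state[fwd] = "no response"
        elif flags == "SA" and rev in state:
            state[rev] = "open (half-open)"
        elif flags == "R" and rev in state:
            state[rev] = "closed (RST)"
        elif flags == "A" and state.get(fwd) == "open (half-open)":
            state[fwd] = "open (connected)"
    return {dport: verdict for (_, _, _, dport), verdict in state.items()}

def spoofed_source_macs(pk, min_ips=100, max_gap=1e-4):
    """Many distinct source IPs behind a single MAC, with SYNs only microseconds
    apart (records assumed in capture order), means the sources are generated."""
    ips, times = defaultdict(set), defaultdict(list)
    for ts, smac, sip, _, _, _, flags in pk:
        if flags == "S":
            ips[smac].add(sip)
            times[smac].append(ts)
    hits = {}
    for mac, ts in times.items():
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(ips[mac]) >= min_ips and gaps and median(gaps) < max_gap:
            hits[mac] = {"source_ips": len(ips[mac]), "median_gap_us": round(median(gaps) * 1e6, 1)}
    return hits
```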
Slide 22: Brute Force Attack Example (correct guessing)
- Another important issue is the brute-force attack, that is, when the attacker tries to guess the password in order to break into a server.
- Since it is FTP, the first trial is with username anonymous (1) and a password chosen by the attacker (2); login is, of course, approved (3), and the attacker gets in (4).

Slide 23: Brute Force Attack Example (wrong guessing)
- In the following screenshot, you see what happens when the attacker tries other usernames that are not authorized.
- Here, you can see that the attacker is trying to log in with the usernames root (1), admin (2) and administrator (3).

Slide 24: Suspicious Network Traffic
- These are some types of network traffic that might indicate malicious or suspicious activity, and that could require further investigation to ensure the security and integrity of your network:
  - MAC or IP address scans: these attempt to identify active hosts on the network.
  - TCP or UDP port scans: these attempt to identify active applications and services.
  - Clear text passwords: these are passwords that are sent over the network without encryption, which you can see in Wireshark's Packet Details or Packet Bytes panes. These are typical for File Transfer Protocol (FTP) logins, but not typical or acceptable elsewhere.
  - Password cracking attempts: these are repeated, systematic attempts to guess a password, typically by trying different combinations of characters until the right one is found, usually from a single device.
  - Flooding or Denial of Service (DoS) attacks: this is traffic that is intentionally sent at a very high packet-per-second rate to one or more hosts in an attempt to flood the host(s) or network with so much traffic that no one else can access their services.
- Each of these types of activities could be signs of a system compromise or an active attack on your network. "Network scanning" is the process done to determine all active hosts, applications and services on your network.
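An added example, not from the lecture, of the two brute-force indicators discussed: DNS queries that never get a response (the no-response queries slide) and the sequence of FTP USER/PASS attempts from one client (the correct and wrong guessing slides). The DNS and FTP records are constructed; only the dns, dns2 and intranet names come from the slide.

```python
from collections import defaultdict

# Constructed DNS records (ts_s, client_ip, txid, name, is_response); only dns/dns2/intranet are from the slide.
DNS = [
    (1.0, "10.0.0.7", 0x1001, "dns.icomm.co", False), (1.1, "10.0.0.7", 0x1001, "dns.icomm.co", True),
    (1.2, "10.0.0.7", 0x1002, "dns2.icomm.co", False),
    (1.3, "10.0.0.7", 0x1003, "intranet.icomm.co", False),
    (1.4, "10.0.0.7", 0x1004, "mail.icomm.co", False),
    (1.5, "10.0.0.7", 0x1005, "vpn.icomm.co", False),
    (5.0, "10.0.0.8", 0x2001, "www.example.com", False), (5.1, "10.0.0.8", 0x2001, "www.example.com", True),
]
# Constructed FTP control-channel lines (ts_s, client_ip, direction, text): ">" client to server,
# "<" server to client; 230 means logged in, 530 means the login was refused.
FTP = [
    (10.0, "10.0.0.99", ">", "USER anonymous"), (10.1, "10.0.0.99", "<", "331 Please specify the password."),
    (10.2, "10.0.0.99", ">", "PASS ********"), (10.3, "10.0.0.99", "<", "230 Login successful."),
    (20.0, "10.0.0.99", ">", "USER root"), (20.1, "10.0.0.99", ">", "PASS ********"),
    (20.2, "10.0.0.99", "<", "530 Login incorrect."),
    (21.0, "10.0.0.99", ">", "USER admin"), (21.1, "10.0.0.99", ">", "PASS ********"),
    (21.2, "10.0.0.99", "<", "530 Login incorrect."),
    (22.0, "10.0.0.99", ">", "USER administrator"), (22.1, "10.0.0.99", ">", "PASS ********"),
    (22.2, "10.0.0.99", "<", "530 Login incorrect."),
]

def unanswered_queries(records, min_unanswered=3):
    """The no-response sign: queries that never receive a response, grouped by client.
    A query is matched to its response by (client, transaction id)."""
    pending = {}
    for _, client, txid, name, is_response in sorted(records):
        if is_response:
            pending.pop((client, txid), None)
        else:
            pending[(client, txid)] = name
    per_client = defaultdict(list)
    for (client, _), name in pending.items():
        per_client[client].append(name)
    return {c: names for c, names in per_client.items() if len(names) >= min_unanswered}

def ftp_login_attempts(lines):
    """Per client, the usernames tried and how each attempt ended (230 vs 530)."""
    attempts, pending_user = defaultdict(list), {}
    for _, client, direction, text in sorted(lines):
        if direction == ">" and text.startswith("USER "):
            pending_user[client] = text[5:]
        elif direction == "<" and text[:3] in ("230", "530") and client in pending_user:
            outcome = "logged in" if text.startswith("230") else "refused"
            attempts[client].append((pending_user.pop(client), outcome))
    return dict(attempts)
```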
Slide 25: Network Attack Investigation
To investigate an attack, an investigator must do the following:
1. Obtain an updated network topology that contains:
  - Server IP addresses and IP address ranges in the network.
  - IP addresses of routers, switches and any other communication equipment.
  - Security defense systems such as firewalls, IDS/IPS, and web application firewalls (WAF).
  - Applications that are allowed over the network and their port numbers.
2. Check traffic in the network:
  - Normal: traffic from known addresses and address ranges.
  - Suspicious: traffic from/to addresses that you don't know.

Slide 26: Network Attack Investigation
3. Check applications and port numbers:
  - Normal: standard port numbers, 80 (HTTP), 137/8/9 (NetBIOS), 3389 (RDP), 20/21 (FTP), 25, 110 (Mail), 53 (DNS), and so on. Be sure of the applications that run over the network, and verify that these are the only port numbers that you see.
  - Suspicious: unusual port numbers, that is, port numbers that do not belong to applications that run on the server (for example, RDP packets to a web server).

Slide 27: Network Attack Investigation
4. Check TCP patterns:
  - Normal: TCP SYN/SYN-ACK/ACK that indicates a connection establishment, a single reset (RST) that indicates a fast connection tear-down, FIN/FIN-ACK packets that indicate a regular tear-down of a connection, standard packets, and acknowledgments.
  - Suspicious: a large amount of SYN packets that go to a single or multiple destinations or come from multiple sources, unusual flag combinations (RST/FIN, URG), and so on.

Slide 28: Network Attack Investigation
5. Massive traffic to a single or multiple sites that you don't know about:
  - Normal: traffic patterns are usually not of fixed bandwidth. When you save or open files, browse the Internet, send or receive mails, or access a server with RDP, you see ups and downs.
  - Suspicious (in some cases): fixed bandwidth patterns can indicate that someone is connected to your device, but they can also indicate that someone is listening to the radio over the Internet, watching video, and so on. When you see a fixed bandwidth pattern of traffic, check what it is. A fixed bandwidth pattern is illustrated in the following figure:

Slide 29: Network Attack Investigation
6. Check for broadcasts:
  - Normal: NetBIOS broadcasts, ARP broadcasts (not too many), DHCP (not too many), application broadcasts (usually once every several seconds or more), and so on.
  - Suspicious: tens, hundreds, or thousands and more broadcasts per second per device.
7. DNS queries and responses:
  - Normal: a standard query-response pattern, up to several tens per second per client, occasionally.
  - Suspicious: a massive amount of DNS queries and/or responses, responses without queries, and so on.

Slide 30: Thank You
