Network%20Forensics - PowerPoint PPT Presentation

About This Presentation
Title:

Network%20Forensics

Description:

We have a packet capture of the activity, said security ... Notice that Wireshark automatically associates TCP port 443 with its IANA-assigned default ... – PowerPoint PPT presentation

Number of Views:350
Avg rating:3.0/5.0
Slides: 28
Provided by: souEdu
Learn more at: http://webpages.sou.edu
Category:

less

Transcript and Presenter's Notes

Title: Network%20Forensics


1
Case study Ann
  • Section 3.1
  • Network Forensics
  • TRACKING HACKERS THROUGH CYBERSPACE

2
Scenario Anns Bad AIM
  • Anarchy-R-Us, Inc. suspects that one of their
    employees, Ann Dercover, is really a secret agent
    working for their competitor. Ann has access to
    the companys prize asset, the secret recipe.
    Security staff are worried that Ann may try to
    leak the companys secret recipe.
  • Security staff have been monitoring Anns
    activity for some time, but havent found
    anything suspicious until now. Today an
    unexpected laptop briefly appeared on the company
    wireless network. Staff hypothesize it may have
    been someone in the parking lot, because no
    strangers were seen in the building. Anns
    computer, (192.168.1.158) sent IMs over the
    wireless network to this computer. The rogue
    laptop disappeared shortly thereafter.
  • We have a packet capture of the activity, said
    security staff, but we cant figure out whats
    going on. Can you help?
  • http//forensicscontest.com/2009/09/25/puzzle-1-an
    ns-bad-aim

3
Mission
  • You are the forensic investigator. Your mission
    is to figure out who Ann was IM-ing, what she
    sent, and recover evidence including
  • 1. What is the name of Anns IM buddy?2. What
    was the first comment in the captured IM
    conversation?3. What is the name of the file Ann
    transferred?4. What is the magic number of the
    file you want to extract (first four bytes)?5.
    What was the MD5sum of the file?6. What is the
    secret recipe?

4
What protocol is being used?
  • Remember that the count byte offset is 0.
  • Look for bits that are commonly associated with a
    protocol.
  • Example 0x0045 -gt beginning of an IPv4 packet
  • Tcpdump from Anns Bad AIM packet capture

5
Wireshark - TCP
  • IP protocol details displayed within Wireshark.
    Notice that the IP packet contains information
    about the encapsulated protocol (in this case,
    0x06, or TCP). Pg 85

6
TCp / udp port numbers
  • http//www.iana.org/assignments/port-numbers
  • /etc/services
  • Example chunk of file

7
UDP port association
  • UDP Protocol Details displayed within Wireshark.
    Notice that Wireshark automatically associates
    the UDP port, 123, with its IANA-assigned default
    service, NTP. Pg 86

8
Wireshark is not always correct
  • TCP packet details displayed within Wireshark.
    Notice that Wireshark automatically associates
    TCP port 443 with its IANA-assigned default
    service, HTTPS. However, this interpretation is
    INCORRECT (as evidenced by the fact that the
    packet contents are not encrypted, and no
    protocol details are displayed under the heading
    Secure Socket Layer). Pg. 87

9
Find out about the mystery ip
  • A simple whois lookup can provide a lot of
    information. Below is only a snippet of the data
    provided about IP address 64.12.24.50

10
Make a reasonable hypothesis
  • Facts
  • AOL provides services including HTTP and instant
    messaging
  • Packet 112 source is port 5190, which Wireshark
    associates with AOL
  • Packet begins with 0x4F465432, or OFT2 in ASCII
    which matches OSCAR protocol

11
OSCAR Protocol
  • Byte 6 and 7 indicate type
  • 0x0101 of packet 112 specifies the Prompt value
  • Sender is ready to transmit file

12
Protocol decoding
  • Message becomes clear when the protocol is decoded

13
Exporting fields
  • Easy to do in Wireshark File gt Export Selected
    Packet Bytes
  • Saves contents of selected fields for further
    study
  • Tshark will print out any or all fields defined
    within the protocol
  • Examples of command line instructions
  • tshark -r evidence.pcap -X lua_scriptoft
    -tsk.lua -R "oft" -n -R frame.
  • number 112 -V
  • tshark -r evidence01.pcap -X lua_scriptoft
    -tsk.lua -R "oft" -n -R frame.
  • number 112 -T pdml

14
Packet analysis
  • Dirty word search using ngrep

15
Parsing Protocol fields
  • Use tshark to extract all of the AIM message data
    from the package capture

16
Packet filtering
  • Filtering with BPF
  • Resulting file

17
Find the file transfer
  • Use Wireshark display filters to search for
    channel 2 ICBM packet sent to AOL server

18
Flow analysis
  • List conversations
  • List TCP flow

19
Export TCP flow
  • Once you have identified the flow most likely to
    contain the file, export it using a BPF filter
  • Tcpflow will automatically extract flows, also
    using BPF filter
  • Notice that tcpflow extracted two half-duplex
    flows

20
Export tcp flow continued
  • Manually export using Wireshark
  • Warning! Does not scale well, not good for large
    projects!
  • Select Frame 109 gt Right click gt click on
    Follow TCP Stream
  • Save in raw format

21
File and data carving
  • Open full duplex saved dump file in hex editor
  • First 4 bytes are OFT2
  • Bytes 6-7 (Type) are 0x0101
  • Bytes 28 31 (Total Size) are 0x00002EE8
  • 12,008 bytes
  • File name begins at Byte 192 0xc0
  • Padded with null to 64 bytes
  • Byte 256 new header
  • 0x0202 acknowledge

22
File and data carving continued
  • Look for magic number for beginning of .docx file
  • 0x504B or PK in ASCII
  • Byte 512 (0x200)
  • To find the end of the file add the file size to
    the starting byte
  • 0x0200 0x2EE8 0x30E8
  • Byte 0x30E8 shows Type 0x0204 done
  • Size of transfer Byte 0x3108 0x2EE8 which is a
    match to the file size

23
File and data carving continued again
  • Use Bless cut tool to carve out the file
  • Select extra data at the end of the file and
    click cut
  • Select extra data at the beginning of the file
    and click cut
  • Save file as recipe.docx
  • Get cryptographic hashes of file
  • Double check file size
  • Verify the file type

24
Carved file
  • Open a copy of the file to verify the contents

25
Extract file automatically
  • Use tcpextract
  • Uses 0x504B0304 by default to mark the beginning
    of a file
  • Try saving the first instance 00000023.zip as
    recipe-tcpxtract.docx and open a copy in
    document editor
  • Do not forget to take the cryptographic hashes

26
networkMiner
  • All of the work is done for us in NetworkMiner

27
Disclaimer All information and data pulled
directly from this book. Pages 88 - 134
  • Works Cited
  • Davidoff, S., Ham, J. (2012). Network Forensics
    Tracking Hackers Through Cyberspace. Boston
    Prentice Hall.
  •  
Write a Comment
User Comments (0)
About PowerShow.com