3.1 Network Forensics

Week 3 Day 1 - Network Forensics

Last Update Unknown

Source of Network-Based Evidence

Evidence on the Wire

  • Physical cables; support digital signalling
    • Fibre optics
    • Coaxial cable
    • Twisted pair (TP)
  • Between switches and routers
  • Between stations on a LAN
  • Tap into physical cabling
    • Vampire taps
    • Infrastructure taps
    • Surreptitious fiber taps

Evidence in the Air

  • Via wireless networking
    • RF waves (Travel through wood and brick)
    • IR waves
  • Need to gain access to traffic
  • Encrypted traffic... need to gain the key
  • Management frames & control frames are not encrypted
  • Identify MAC in encrypted traffic
  • Identify stations…suspicious stations…
  • Volume-based statistical traffic analysis...

Evidence on the Switches

  • Glue that holds LANs together
  • Switches connected to other switches
  • Then connected to other switches
  • Form a complex switched network environment
    • Core switch
    • Edge switch
  • CAM table (area of memory switch uses to store all the MAC addresses)
  • MAC address…port and stations
  • Configure one port to mirror traffic
  • Then capture with a packet sniffer

Evidence on the Routers

  • Stations on one LAN to stations on another LAN
    • MANs
    • WANs
    • GAN
  • Routing tables
  • Trace the traffic path
  • Logs denied traffic
  • Logs flow record
  • Logs kept on the routers themselves and logs forwarded to a central log server

Evidence on the DHCP Servers

  • Dynamic Host Configuration Protocol (DHCP) Servers
  • Assigning IP addresses to LAN stations
  • LAN stations and stations on other LANs can communicate
  • Static IP address vs. Dynamic IP address (DHCP)
  • DHCP often provided by edge devices
  • DHCP also provided by infrastructure servers
  • Begins with IP addresses
  • Locate the devices (victim & hacker) physically
  • Event logs on DHCP servers for assigned/released IPs
  • Then: the MAC address of each device, and at what time it held the address?

Evidence on the Name Servers

  • Domain Name System (DNS)
  • IP addresses to names (human-readable)
  • If it has no information to resolve a name, it queries another DNS server
  • Log queries for IP address and hostname
  • Revealing queries
  • Connection attempts from internal to external systems
  • Web sites, SSH servers, external email servers...
  • Corresponding times
  • Build a timeline of a suspect’s activities

Evidence on the Authentication Servers

  • Provide centralised authentication services to users
  • Manages user accounts in one place
  • Streamline account provisioning
  • Streamline audit tasks
  • Log successful and/or failed login attempts
  • Identify brute force (password-guessing) attacks
  • Account logins at suspicious hours
  • Account logins at unusual locations
  • Unexpected privileged logins
  • Information about all devices within an entire Authentication domain
  • Desktops, servers, network devices...

Evidence on the NIDSs and NIPSs

  • Network Intrusion Detection Systems (NIDSs)
  • Network Intrusion Prevention Systems (NIPSs)
  • Provide security analysts and forensic investigators with information about security-related events
  • NIDS/NIPS devices have different methods of operation
  • Monitor network traffic in real time
  • Alert security personnel & provide event information
  • Block the suspicious traffic

  • Effectiveness: where sensors are placed, how many, can they cope with increasing volumes…

  • Timely data
  • Shows attacks in progress
  • Shows systems already compromised
  • Shows more than the source and destination IP addresses: TCP/UDP ports, event time…
  • For ongoing investigation: NIDS to gather more granular data for specific events/sources and destinations

Evidence on the Firewalls

  • Specialised routers
  • Deeper inspection of network traffic
  • Intelligent decisions
  • Forward/block/log traffic
  • IP/payload/port/protocol
  • Internal/external/home firewall
  • Event logging
  • Configured to:
    • Produce alerts
    • Log allowed or denied traffic
    • Log system configuration changes
    • Log errors
    • Log events
  • Serve as evidence for forensic analysts

Evidence on the Web Proxies

  • Two purposes:
    • Locally caching web pages: performance
    • To log, inspect, filter web traffic: security
  • Allow/deny requested web page (blacklist)
  • Anonymising proxies (proxy’s IP address)
  • A gold mine
  • A hard drive: web surfing habit of a user
  • A web proxy: web surfing habit of all users
  • Tools for visual reports
  • Reveals inappropriate web surfing habits
  • Identifies the source of web-based malware

Evidence on the Application Servers

  • Organisation has a variety of application servers
  • Depends on: mission, size, budget…
  • Common types: Database, Web, Email, Chat, VoIP/voicemail servers
  • Many possible sources of network-based evidence
    • Database, Web, Email, Chat, VoIP/voicemail servers…

Evidence on the Central Log Servers

  • Aggregate event logs from different sources
  • Authentication servers, web proxies, firewalls
  • Individual servers send logs
  • To be time stamped, correlated, and analysed by automated tools and humans
  • Easier than each device individually
  • If an individual server is compromised, logs from it may remain intact on the central log server
  • Routers may retain logs only for a short time, but the same logs may be sent to a central log server
  • Preserved for months/years
  • Commercial log analysis products: forensic analysts with complex reports and graphical representations of log data, correlated across a variety of sources
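The DHCP-server and name-server sections above describe the same correlation step: take a DNS query log entry (client IP, time), find the DHCP lease that covered that IP at that time, and attribute the query to a MAC address and hostname. This added example (not part of the lecture notes) does that over two constructed log extracts in an assumed format; the third query falls after the lease expired, which is the "at what time?" caveat from the DHCP section.

```python
"""Attribute DNS queries to a MAC/hostname via DHCP lease logs (constructed data)."""
from datetime import datetime, timedelta
import re

# Constructed DHCP server log: "<time> DHCPACK <ip> <mac> <hostname> lease=<seconds>"
# Note the same IP is leased to two different machines on the same day.
DHCP_LOG = """\
2024-03-04T08:00:00 DHCPACK 10.0.0.25 aa:bb:cc:00:00:01 alice-laptop lease=3600
2024-03-04T09:30:00 DHCPACK 10.0.0.25 aa:bb:cc:00:00:02 guest-phone lease=3600
"""
# Constructed DNS resolver log: "<time> query <client-ip> <name>"
DNS_LOG = """\
2024-03-04T08:15:00 query 10.0.0.25 www.example.com
2024-03-04T09:45:00 query 10.0.0.25 files.example.org
2024-03-04T11:00:00 query 10.0.0.25 late.example.net
"""

DHCP_RE = re.compile(r"^(\S+) DHCPACK (\S+) (\S+) (\S+) lease=(\d+)$")
DNS_RE = re.compile(r"^(\S+) query (\S+) (\S+)$")

def parse_leases(text):
    """Return (start, end, ip, mac, hostname) tuples from DHCPACK lines."""
    leases = []
    for line in text.splitlines():
        m = DHCP_RE.match(line)
        if not m:
            continue
        start = datetime.fromisoformat(m.group(1))
        leases.append((start, start + timedelta(seconds=int(m.group(5))),
                       m.group(2), m.group(3), m.group(4)))
    return leases

def mac_for(leases, ip, when):
    """Find the lease covering (ip, when); the latest start wins if leases overlap.
    Returns (mac, hostname) or None when no lease covers that moment."""
    hits = [l for l in leases if l[2] == ip and l[0] <= when < l[1]]
    return max(hits, key=lambda l: l[0])[3:5] if hits else None

def build_timeline(dhcp_text, dns_text):
    """For each DNS query, record (time, ip, name, owner) with owner from the lease log."""
    leases = parse_leases(dhcp_text)
    timeline = []
    for line in dns_text.splitlines():
        m = DNS_RE.match(line)
        if not m:
            continue
        when = datetime.fromisoformat(m.group(1))
        timeline.append((m.group(1), m.group(2), m.group(3),
                         mac_for(leases, m.group(2), when)))
    return timeline
```

A `None` owner means the lease log alone cannot say who held the IP; a lease renewal that was never logged, or clock skew between the two servers, are the usual reasons.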

Packet Analysis

Captured network traffic must be analysed by:
  • Analysing the protocols in use
  • Searching for a specific string
  • Carving out files

Example

You received an alert from an IDS about suspicious traffic from a particular host
  • You would like to identify the cause
  • Concerned that an employee is exporting confidential data (search for specific keywords)


You need to understand the fundamentals of:
    • Protocol analysis
    • Packet analysis
    • Multi-packet stream analysis


You need to know how to analyse:
    • Fields within protocols
    • Protocols within packets
    • Packets within streams
    • Reconstruct higher-layer protocol data from streams


Challenges:

  • Packet data may be corrupted or truncated
  • The contents may be encrypted at different layers
  • The protocols in use may be undocumented
  • Sophisticated tools/techniques

Protocol Analysis

Protocol Analysis is the examination of one or more fields within a protocol's data structure during a network investigation to determine:
  • How a particular protocol works
  • What it’s used for
  • How to identify it
  • How to dissect it

Protocol Analysis may not be as straightforward as packet analysis, as many protocols are deliberately kept secret by their inventors to:

  • protect intellectual property
  • keep out competition
  • support covert communications


Some protocols are publicly documented such as those in the IETF-specified standards.


  • You never know what you’ll find actually traversing the networks
  • This fact is exploited by attackers to:
    • Bypass IDSs and firewall rules
    • Smuggle data in strange places
    • Generally create mayhem

Where to Get Information on Protocols

Standards bodies:

  • IETF Request for Comments (RFC)
  • Institute of Electrical and Electronics Engineers Standards Association (IEEE-SA)
  • International Organisation for Standardisation (ISO)


Vendors:

  • Cisco
  • Microsoft


Researchers:

  • Build your own protocol
  • Required: a laptop, some networking equipment, free software/tools

Tools

  • Wireshark
  • tshark
  • tcpdump

Include built-in protocol dissectors for hundreds of different protocols

Using the NetBee PDML & PSML languages as a foundation

Wireshark

An excellent tool for protocol analysis which displays packets in three panels (top, middle, bottom)

Packet List (top panel)

  • Captured packets (one per line)
  • Very brief details about them (time, source and destination IP, the highest level protocol in use, a brief snippet of protocol data)


Packet Details (middle panel)

  • Shows the details of the protocols for the selected packet at every layer that Wireshark can interpret


Packet Bytes (bottom panel)

  • Hexadecimal and ASCII representation of the packet (including Layer 2 data)

Protocol Analysis Techniques

Protocol Analysis is a prerequisite for packet analysis: it is needed to interpret the communication structures correctly, to understand the contents, and to analyse packets or streams


Freely available tools:

  • Wireshark
  • tshark
  • Tcpdump


Hackers

  • Can develop new protocols
  • Can develop extensions to old ones


In order to:

  • Communicate covertly
  • Add functionality to existing protocols


Protocol Analysis Techniques:

  • Protocol identification
  • Protocol decoding
  • Data exportation
  • Metadata extraction

Packet Analysis Techniques

Inspecting the protocols within a set of packets
  • To identify packets of interest
  • To understand their structure and relationship
  • To gather evidence and facilitate further analysis


Filtering techniques to isolate packets
  • Based on protocol fields
  • Based on their contents
  • Search for strings or patterns in packet contents


Dissect packets and extract all kinds of details
  • Wireshark
  • tshark Display Filters
  • Ngrep
  • Hex editors


Packet Analysis Techniques
  • Pattern Matching
  • Parsing Protocol Fields
  • Packet Filtering

Pattern Matching

Identify packets of interest by matching specific values within the packet capture

  • “dirty word list”
  • Example tool: “Ngrep”

Parsing Protocol Fields

Extract the contents of protocol fields

  • Example tool: Tshark

Packet Filtering

Separate packets based on the values of fields in protocol metadata or payload

  • Filtering with BPF
  • Wireshark display filter
  • Example tool: tcpdump

High Layer Traffic Analysis

Common examples of higher-layer protocols include:

  • Hypertext Transfer Protocol (HTTP)
  • Simple Mail Transfer Protocol (SMTP)
  • Domain Name System (DNS)
  • Dynamic Host Configuration Protocol (DHCP)

HTTP

Hypertext Transfer Protocol (HTTP)

  • HTTP operates according to a request/response model
  • HTTP client sends a request to a remote server
  • HTTP server processes the request and sends a response
  • HTTP servers operate over TCP port 80
  • A Uniform Resource Identifier (URI) is a string used to specify the location of a resource


  • HTTP designed to run on top of a reliable, connection-oriented protocol such as TCP
  • No built-in mechanisms to track session state: cookies are created on top of HTTP
  • HTTP requests and responses are referred to as messages
  • HTTP messages can include:
    • Message header
    • Message body


Methods defined by RFC 2616 for HTTP include:

  • OPTIONS - Obtain information about communicating with the remote server
  • GET - Retrieve the information identified by the URI
  • HEAD - Retrieve the information identified by the URI, without returning a message body
  • POST - Send data to the resource specified by the URI for processing
  • PUT - Upload information to be stored under the specified URI
  • DELETE - Delete the resource specified by the URI
  • TRACE - Echo a request message back to the client
  • CONNECT - Reserved “for use with a proxy that can dynamically switch to being a tunnel”

Only the “GET” and “HEAD” methods must be supported by a web server


HTTP response sent from the server includes:

  • A three-digit status code
  • A human-readable reason phrase

There are five categories for status codes, organised by the first digit
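To make the message structure above concrete, here is an added example (not from the lecture notes) that reassembles the payloads of several captured TCP segments into one stream and parses the HTTP message it carries: start line, headers, Content-Length-delimited body, and for responses the status-code category by first digit. The segment payloads are constructed; it also flags a message whose header block or body was cut off in the capture.

```python
"""Parse an HTTP request or response from reassembled TCP segment payloads."""

# Constructed payloads of one client->server and one server->client stream,
# split mid-message the way consecutive segments appear in a capture.
CLIENT_SEGMENTS = [
    b"POST /upload HTTP/1.1\r\nHost: files.exam",
    b"ple.test\r\nContent-Length: 11\r\n\r\nsecret=1234",
]
SERVER_SEGMENTS = [
    b"HTTP/1.1 404 Not Found\r\nContent-Len",
    b"gth: 0\r\n\r\n",
]

# Status-code classes by first digit (RFC 2616 section 6.1.1)
STATUS_CLASSES = {1: "informational", 2: "success", 3: "redirection",
                  4: "client error", 5: "server error"}

def parse_http(segments):
    """Join the segment payloads, then split start line, headers and body."""
    stream = b"".join(segments)
    head, sep, rest = stream.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", 0))
    msg = {"headers": headers, "body": rest[:length],
           # no blank line after headers, or fewer body bytes than declared
           "truncated": not sep or len(rest) < length}
    parts = lines[0].split(" ", 2)
    if parts[0].startswith("HTTP/"):            # response: version code reason
        code = int(parts[1])
        msg.update(kind="response", status=code, reason=parts[2],
                   status_class=STATUS_CLASSES.get(code // 100, "unknown"))
    else:                                        # request: method URI version
        msg.update(kind="request", method=parts[0], uri=parts[1],
                   host=headers.get("host"))
    return msg
```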

DHCP

Dynamic Host Configuration Protocol (DHCP)

  • To take advantage of IP-based routing, each computer needs to be assigned a 32-bit (IPv4) or 128-bit (IPv6) IP address
  • Static IP addresses: not scalable
  • Need dynamic IP addresses to meet the huge demand for IP addresses
  • To dynamically assign IP addresses to network cards
  • Layer 7 protocol which operates over UDP on ports 67 and 68


When a computer is connected to the network:

  • It broadcasts a DHCP request
  • Local DHCP server will answer with a unicast reply (at Layer 3)
  • DHCP server offers a DHCP lease

Lease includes: the IP address assigned, the netmask and gateway address, DNS server addresses, and time that the lease is valid

Most clients will request a lease renewal before the lease expires

A computer may be assigned the same IP address for days, weeks, or months


DHCP server logs and DHCP communications in packet captures can contain valuable information such as:

  • Client MAC address
  • Client hostname
  • Routing information
  • DHCP traffic
  • Timestamps


You will frequently see the following exchange

  • Client: DHCP DISCOVER (Layer 2 broadcast)
  • Server: DHCP OFFER
  • Client: DHCP REQUEST
  • Server: DHCP ACK
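The fields listed above (client MAC, hostname, routing information, lease time) all sit in the fixed BOOTP header or the TLV option area of each message in that exchange. This added example (not from the lecture notes) extracts them from a raw DHCP message with the RFC 2131 layout; the DHCPACK it parses is constructed in the block, with the transaction id, addresses and hostname chosen for illustration.

```python
"""Extract evidence-relevant fields from a raw DHCP message (RFC 2131 layout)."""
import struct
from socket import inet_aton as a, inet_ntoa as ip

MAGIC = b"\x63\x82\x53\x63"                       # RFC 2132 magic cookie
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}

def parse_options(data):
    """Walk TLV options up to END (255); PAD (0) carries no length byte."""
    opts, i = {}, 0
    while i < len(data) and data[i] != 255:
        if data[i] == 0:
            i += 1
            continue
        code, length = data[i], data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def parse_dhcp(msg):
    """Return op, xid, message type, client MAC and the lease parameters."""
    if len(msg) < 240 or msg[236:240] != MAGIC:
        raise ValueError("truncated or plain BOOTP: no DHCP magic cookie")
    op, _, hlen, _, xid, _, _, _, yiaddr, _, _, chaddr = struct.unpack(
        "!BBBBIHHIIII16s", msg[:44])              # sname/file (192 bytes) skipped
    opts = parse_options(msg[240:])
    return {
        "op": "request" if op == 1 else "reply",
        "xid": xid,                               # ties DISCOVER/OFFER/REQUEST/ACK together
        "type": MSG_TYPES.get(opts.get(53, b"\0")[0], "unknown"),
        "client_mac": ":".join(f"{b:02x}" for b in chaddr[:hlen]),
        "your_ip": ip(struct.pack("!I", yiaddr)),
        "hostname": opts.get(12, b"").decode("ascii", "replace"),
        "subnet": ip(opts[1]) if 1 in opts else None,
        "router": ip(opts[3][:4]) if 3 in opts else None,
        "dns": [ip(opts[6][i:i + 4]) for i in range(0, len(opts.get(6, b"")), 4)],
        "lease_seconds": struct.unpack("!I", opts[51])[0] if 51 in opts else None,
    }

def build_ack():
    """Constructed DHCPACK: server 10.0.0.1 leases 10.0.0.25 to aa:bb:cc:00:00:01."""
    fixed = struct.pack("!BBBBIHHIIII16s", 2, 1, 6, 0, 0x3903F326, 0, 0, 0,
                        int.from_bytes(a("10.0.0.25"), "big"),
                        int.from_bytes(a("10.0.0.1"), "big"), 0,
                        bytes.fromhex("aabbcc000001").ljust(16, b"\0"))
    opts = (b"\x35\x01\x05" + b"\x01\x04" + a("255.255.255.0")
            + b"\x03\x04" + a("10.0.0.1") + b"\x06\x08" + a("10.0.0.2") + a("9.9.9.9")
            + b"\x33\x04" + struct.pack("!I", 3600)
            + b"\x0c\x0c" + b"alice-laptop" + b"\xff")
    return fixed + b"\0" * 192 + MAGIC + opts
```

The same parser applies to the UDP payload of any of the four messages in the exchange; in a capture, matching on `xid` groups one client's DISCOVER, OFFER, REQUEST and ACK.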

DNS

DNS is a query-response protocol that resolves names to 32-bit IPv4 or 128-bit IPv6 numerical addresses.

The client's question and the server's response typically fit within a single UDP packet.

Possible to route normal DNS traffic over TCP

  • When the server’s response is too large for a single UDP packet
  • Therefore the client resubmits the query via a TCP connection
  • This often occurs when there is a request for an AXFR record: DNS “zone transfer”

A zone transfer asks the server to tell the client everything it knows about a particular domain

These types of requests provide valuable reconnaissance information for attackers. As a result, DNS over TCP port 53 is often blocked


$ dig www.google.com

This will result in an address record (A) query from the default nameserver. Specific nameservers can be queried with dig as follows:

$ dig @ns.google.com www.google.com

Reverse “PTR” records and other records such as nameserver delegations can be obtained as well:

$ dig @ns.modwest.com 204.11.246.86 PTR

$ dig lmgsecurity.com NS
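The dig queries above produce exactly the kind of single-UDP-packet exchange described at the start of this section. This added example (not from the lecture notes) parses such a DNS message from raw bytes: header flags (response bit, RCODE, and the TC bit that makes a client retry over TCP), the question, and A/NS/PTR/CNAME answers, following RFC 1035 name-compression pointers. The response it parses is constructed in the block, with an illustrative address.

```python
"""Parse a raw DNS message, including compressed names (RFC 1035 section 4.1.4)."""
import struct

def read_name(msg, off):
    """Decode the name at `off`; return (name, offset just past it in the stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # 2-byte pointer into the message
            if end is None:
                end = off + 2                      # stream continues after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:                          # a pointer loop is a malformed message
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels) or ".", end if end is not None else off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_dns(msg):
    """Return header fields, questions and answers of a DNS message."""
    ident, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        questions.append((name, qtype)); off += 4
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
        rdata = msg[off:off + rdlen]
        if rtype == 1:                             # A record: dotted quad
            value = ".".join(str(b) for b in rdata)
        elif rtype in (2, 5, 12):                  # NS, CNAME, PTR: a (maybe compressed) name
            value, _ = read_name(msg, off)
        else:
            value = rdata.hex()
        answers.append((name, rtype, ttl, value)); off += rdlen
    return {"id": ident, "is_response": bool(flags & 0x8000), "rcode": flags & 0xF,
            "truncated": bool(flags & 0x0200), "questions": questions, "answers": answers}

def build_response():
    """Constructed answer to 'www.example.com A' whose owner name points back to the question."""
    qname = b"\x03www\x07example\x03com\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)   # QR, RD, RA set, RCODE 0
    question = qname + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
    return header + question + answer
```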


FTP


Tools

A wide variety of tools is available that interpret higher-layer protocols and automatically:

  • Print important details
  • Carve out files
  • Decode data
  • Produce professional forensic reports

Examples:
    • oftcat
    • NetworkMiner
    • smtpdump
    • findsmtpinfo.py