


Module XXVIII – Router Forensics

EC-Council Copyright © by EC-CouncilAll Rights Reserved. Reproduction is Strictly Prohibited

News: Spotted in the Wild: Home Router Attack Serves Up Counterfeit Pages



News: Wifi Flu Viral Router Attack Could Hit Whole Cities




Two Pinehurst men, Dalton Johnson, 37, and David Alan Brady, 40, were arrested on September 14, 2006, on charges of selling prescription drugs over the Internet. Their company allegedly sold generic versions of prescription steroids, drugs such as Valium and Xanax, and sex-enhancing drugs such as Viagra and Cialis. They were accused of selling unregulated drugs manufactured in Belize and marketed through "spam" e-mails as low-price Canadian drugs. The e-mails directed customers to one of several web sites where they could order the drugs, which would then be shipped from Belize.

The Drug Enforcement Agency (DEA) and the Food and Drug Administration (FDA) conducted the investigation along with other agencies. Moore County sheriff's deputies, together with federal investigators, raided the homes of the two Pinehurst men and arrested them.

Module Objective

This module will familiarize you with:

• Router
• Router Architecture
• Routing Information Protocol
• Types of Router Attacks
• Router Forensics vs. Traditional Forensics
• Steps for Investigating Router Attacks
• Investigating Routers
• Incident Response
• Router Logs
• Router Auditing Tools

Module Flow


Routing Architecture

Routing Information Protocol

Types of Router Attacks

Router Forensics vs. Traditional Forensics

Steps for Investigating Router Attacks

Incident Response

Router Logs

Router Auditing Tools


Router

A router is a computer networking device that forwards data packets across a network

It is connected to at least two networks, commonly a LAN and its ISP's network, or two LANs

Routing occurs at layer 3 (the Network layer, e.g. IP) of the OSI seven-layer protocol stack

Router software determines which of the several possible paths between those addresses suits a particular transmission

It uses packet headers and forwarding tables to determine the best path for forwarding packets

It uses protocols such as ICMP to communicate and configure the best route between any two hosts

Functions of a Router

A router decides the most effective path for a packet to reach its final destination

It transfers link state data within and among routing groups

It acts as a default gateway

It limits network broadcasts to the local LAN

It can act as a "protocol translator" if suitable hardware and software are present

A Router in an OSI Model
















[Figure: A router in the OSI model. System A and System B are shown with their Application, Network and Data Link layers; the router between them operates at the Network layer.]

Routing Table and its Components

The routing table determines the final destination of the data packets in a network

It consists of the following:

• An address prefix
• The interface on which packets matching the address prefix are forwarded
• A next-hop address
• A preference value for choosing between several routes with the same prefix
• Route duration
• A specification showing whether the route is advertised in a routing advertisement
• The kind of route

Router Architecture

• Internetwork Operating System (IOS)

• Non-Volatile Random Access Memory (NVRAM). Content: Startup configuration

• Static RAM/Dynamic RAM. Content: Current Internetwork Operating System (IOS), routing tables

• BootROM. Content: ROMMON code

• Model/Series. Content: Motherboard, CPU, Input/Output

Routing Information Protocol

RIP sends routing-update messages at regular intervals and when the network topology changes

When a router receives a routing update that includes changes to an entry, it updates its routing table to reflect the new route

The distance between the source and the destination network is calculated with the help of a hop-count metric

RIP routers maintain only the best route (the route with the lowest metric value) to a destination

After updating its routing table, the router immediately begins transmitting routing updates to inform other network routers of the change


Implications of a Router Attack

If an intruder can acquire control over a router, he/she can:

• Interrupt communications by dropping or misrouting packets passing through the router
• Completely disable the router and its network
• Compromise other routers in the network and possibly the neighboring networks
• Observe and log both incoming and outgoing traffic
• Avoid firewalls and Intrusion Detection Systems
• Forward any kind of traffic to the compromised

Routers Vulnerabilities

HTTP Authentication Vulnerability

• Using a URL such as http://router.address/level/$NUMBER/exec/.... where $NUMBER is an integer between 16 and 99, it is possible for a remote user to gain full administrative access

NTP Vulnerability

• By sending a crafted NTP control packet, it is possible to trigger a buffer overflow in the NTP daemon

SNMP Parsing Vulnerability

• Malformed SNMP messages received by affected systems can cause various parsing and processing functions to fail, which results in a system crash and reload

• In some cases, access-list statements on the SNMP service do not protect the device

Types of Router Attacks

Denial of Service attacks

Packet mistreating attacks

Routing table poisoning

Hit-and-run attacks

Persistent attacks

Router Attack Topology


Denial of Service (DoS) Attacks

A DoS attack overloads the router and renders it completely inaccessible to legitimate network users

A DoS attack may lead to:

• Damage to the capability of the router to operate

Resource Utilization

• Achieved by overwhelming the router with numerous open connections at the same time

Bandwidth Consumption

• An attempt to consume the bandwidth capacity of the router's network

Packet “Mistreating” Attacks

An attacker carrying out a packet mistreating attack might acquire an actual data packet and mistreat it

This attack occurs in the data transmission phase

A compromised router misroutes packets, which results in:

• Congestion
• Denial of service
• Decreased throughput

Routing Table Poisoning

Routing table poisoning is accomplished by maliciously altering the routing data update packets needed by the routing protocols

Wrong entries in the routing table misdirect the data packets

It leads to a breakdown of one or more systems on the network
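The following is an added example written for this page, not EC-Council's or any vendor's code. It implements in Python the update rule the RIP slide describes (advertised hop count plus one, lowest metric kept, changed entries re-advertised) and shows why an altered update matters for routing table poisoning: a lower advertised metric from another neighbor silently replaces the legitimate next hop. The list of changed prefixes, or a next-hop diff between two table snapshots, is what an examiner comparing two captures would look at. All addresses and prefixes are constructed.

```python
INFINITY = 16  # RIP treats a hop count of 16 as unreachable


def process_rip_update(table, neighbor, advertised):
    """Apply one routing update received from `neighbor` (RIP-style rule).

    table:      dict prefix -> {"metric": int, "next_hop": str}, modified in place
    advertised: dict prefix -> hop count as advertised by the neighbor
    Returns the prefixes whose entry changed: the set the router would
    re-advertise immediately, and the set a monitor should alert on.
    """
    changed = []
    for prefix, adv_metric in advertised.items():
        metric = min(adv_metric + 1, INFINITY)   # one more hop through this neighbor
        current = table.get(prefix)
        if current is None:
            if metric < INFINITY:                # unreachable routes are not installed
                table[prefix] = {"metric": metric, "next_hop": neighbor}
                changed.append(prefix)
        elif current["next_hop"] == neighbor:
            # The route's own next hop is authoritative: accept even a worse metric
            if current["metric"] != metric:
                current["metric"] = metric
                changed.append(prefix)
        elif metric < current["metric"]:
            # Lowest metric wins; the old next hop is discarded without any check
            table[prefix] = {"metric": metric, "next_hop": neighbor}
            changed.append(prefix)
    return changed


def diff_next_hops(before, after):
    """Prefixes whose next hop differs between two table snapshots, i.e. the
    entries an examiner comparing two captures would have to explain."""
    return sorted(p for p in after
                  if p in before and before[p]["next_hop"] != after[p]["next_hop"])


def rip_demo():
    # Constructed baseline: two prefixes learned via 192.0.2.2 (documentation address)
    table = {
        "10.2.0.0/16": {"metric": 3, "next_hop": "192.0.2.2"},
        "10.3.0.0/16": {"metric": 2, "next_hop": "192.0.2.2"},
    }
    baseline = {p: dict(e) for p, e in table.items()}
    # Update from 192.0.2.3 advertising 10.2.0.0/16 at 1 hop (better than 3),
    # 10.3.0.0/16 at 5 hops (worse than 2) and a new prefix 10.4.0.0/16
    changed = process_rip_update(
        table, "192.0.2.3",
        {"10.2.0.0/16": 1, "10.3.0.0/16": 5, "10.4.0.0/16": 1})
    return table, changed, diff_next_hops(baseline, table)


if __name__ == "__main__":
    table, changed, moved = rip_demo()
    print("table after update:", table)
    print("changed prefixes:", changed)
    print("next hop changed for:", moved)
```

Only the prefix with the lower advertised metric moves to the new neighbor; the worse advertisement is ignored. Comparing `show ip route` captures taken at different times (the `diff_next_hops` step) catches exactly this kind of displacement.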

Hit-and-Run and Persistent Attacks

Hit-and-run attacks

• The attacker injects a single or a few bad packets into the router
• These attacks are usually difficult to detect

Persistent attacks

• The attacker constantly injects bad packets into the router
• They cause significant damage

Router Forensics vs. Traditional Forensics

Router forensics

• The system needs to be online for investigation purposes
• Flash data most likely remains constant
• Live system data needs to be recovered and is critical for analysis

Traditional forensics

• The system needs to be shut down for investigation purposes
• A copy is created for forensic investigation and analysis
• Live system data is usually not recovered

Steps for Investigating Router Attacks

Seize the router and maintain the chain of custody

Identify the router configuration

Incident response and session recording

Accessing the router

Volatile evidence gathering

Examination and Analysis

Report Generation


Seize the Router and Maintain Chain of Custody

Before starting the investigation process, seize the router so that nobody can change the configuration of the router

The "chain of custody" is a concept which applies to the handling of the evidence and its integrity

It tells about:

• Where you received the evidence
• When you received the evidence
• From whom you received the evidence
• What your seizure methods were
• Why you seized the evidence
• Who collected and handled the evidence

Sample Chain Of Custody (COC) Form


Sample Chain Of Custody (COC) Form (cont’d)


Guidelines for the Router Forensic

Start with a security policy and develop a plan to include collecting and defining data

Create a reconnaissance methodology that provides information about the target

Perform an analysis for identifying incidents, default passwords and setting information

Develop an attack strategy for analyzing commands to access the network, access control lists, firewalls, and protocols


Incident Response

Guidelines for responding to a router attack incident:

• Never restart the router
• Do not modify, but record
• Incident Response determines:
  • Where the incident happened
  • What to do about it
  • Whether the response is fraud related

Recording Session

Start recording the session before logging on to the router

Show the current time using the show clock detail command

Accessing the Router

Access the router to gain attack related information

Certain Dos and Don'ts while accessing the router:

Do:

• Access the router through the console
• Record your entire console session
• Record the actual time and the router's time
• Execute show commands
• Record the volatile information

Don't:

• REBOOT THE ROUTER
• Access the router through the network
• Run configuration commands
• Rely only on persistent information

Volatile Evidence

Volatile evidence present in the router is as follows:

• Current configuration
• Access list
• Time
• Log file

Obtaining Configuration of Router

To retrieve RAM and NVRAM, first establish a connection to the router through the console port using an RJ-45-to-RJ-45 rolled cable and an RJ-45-to-DB-9 female DTE adapter

If a direct connection is not possible, use the encrypted Secure Shell (SSH) protocol to access the router remotely

Log the entire session with HyperTerminal

Capture both the volatile and the non-volatile configuration for comparison, change tracking, and documentation purposes

There are two router configurations:

• Stored configuration: the non-volatile configuration stored in Non-Volatile RAM (NVRAM)
• Current configuration: the volatile configuration kept in Random Access Memory (RAM)

Volatile Evidence Gathering

Volatile evidence should be collected as early as possible

There are two ways to gather volatile evidence from the router:

• Direct Access: using show commands
• Indirect Access: using a scanning tool

Direct Access: Using show Commands

show clock: This command shows the router's time, which helps in cross-referencing with the incident

show version: It shows the name of the hardware and software used by the router

show startup-config: This command shows the configuration used to boot the router

show ip route: This command shows the table of paths which the router follows to forward packets

show access-lists: It shows the access lists which are used to implement the security policies

Indirect Access: Using Scanning Tool

If the attacker modifies the password stored in memory, the authorized user cannot log on to the router

He/she has to reboot the system, which leads to loss of the attacker's configuration commands

If the password is changed, gather the volatile evidence using scanning tools such as Nmap

Commands used in Nmap are:

Port scan:

• nmap -v -sS -P0 -p 1-
• nmap -v -sU -P0 -p 1-
• nmap -v -sR -P0 -p 1-

SNMP scan:

• snmpwalk -v1 public
• snmpwalk -v1 private

Compare the Configuration of Router

Compare the startup configuration with the running configuration of the router

Commands used:

• show startup-config
• show running-config
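An added Python example (written for this page, not EC-Council's tooling) that covers two of the steps above: fingerprinting each captured configuration so the hash can be recorded on the chain-of-custody form next to the collector's name and the capture time, and comparing the startup configuration with the running configuration so that statements present on the live device but not in NVRAM (or the reverse) are listed for the report. The two configuration texts are constructed samples using RFC 5737 documentation addresses; the function names are this example's own.

```python
import difflib
import hashlib

# Constructed sample captures (not from the page); RFC 5737 documentation addresses.
STARTUP_CONFIG = """\
!
hostname edge-rtr
!
service timestamps log datetime msec localtime show-timezone
logging buffered 32000 informational
logging 192.0.2.10
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
access-list 148 deny udp 203.0.113.0 0.0.0.255 any eq 53 log-input
!
"""

RUNNING_CONFIG = """\
!
hostname edge-rtr
!
service timestamps log datetime msec localtime show-timezone
logging buffered 32000 informational
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
ip route 10.20.0.0 255.255.0.0 203.0.113.9
!
access-list 148 deny udp 203.0.113.0 0.0.0.255 any eq 53 log-input
!
"""


def fingerprint(capture_text):
    """SHA-256 of the captured text, to be written on the chain-of-custody form."""
    return hashlib.sha256(capture_text.encode("utf-8")).hexdigest()


def normalize(config_text):
    """Drop IOS separator/comment lines ('!') and blank lines so that only
    configuration statements take part in the comparison."""
    return [line.rstrip() for line in config_text.splitlines()
            if line.strip() and not line.lstrip().startswith("!")]


def diff_configs(startup_text, running_text):
    """Return (only_in_running, only_in_startup).

    Statements only in running-config were entered after the last save to
    NVRAM; statements only in startup-config were removed from the live
    device. Both lists are what the examiner has to explain in the report.
    """
    startup, running = normalize(startup_text), normalize(running_text)
    startup_set, running_set = set(startup), set(running)
    only_in_running = [s for s in running if s not in startup_set]
    only_in_startup = [s for s in startup if s not in running_set]
    return only_in_running, only_in_startup


def unified_diff(startup_text, running_text):
    """Human-readable diff of the two captures for the report."""
    return "\n".join(difflib.unified_diff(
        normalize(startup_text), normalize(running_text),
        fromfile="startup-config", tofile="running-config", lineterm=""))


if __name__ == "__main__":
    print("startup-config sha256:", fingerprint(STARTUP_CONFIG))
    print("running-config sha256:", fingerprint(RUNNING_CONFIG))
    added, removed = diff_configs(STARTUP_CONFIG, RUNNING_CONFIG)
    print("only in running-config:", added)
    print("only in startup-config:", removed)
    print(unified_diff(STARTUP_CONFIG, RUNNING_CONFIG))
```

In the constructed sample the live device carries an extra static route and has lost its syslog destination; both show up in the diff, and the two hashes differ, which is the evidence the report needs. Run the hashing step on the raw session log as captured, before any normalization, so the fingerprint matches the file held in custody.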

Examine the Router Table

The routing table is shown using the command

show ip route

The routing table contains the paths which show how the router forwards packets

Check for covert channels, that is, unauthorized paths used to divert packets
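An added example, not part of the original slides: a small Python parser for show ip route output that records every route's code, prefix and next hop, flags routes whose next hop is not among the gateways the examiner expects (the unauthorized diversion path the slide warns about), and lists the static entries, which are the ones that can only have been put there through the configuration. The capture text and the trusted-gateway set are constructed for the example with RFC 5737 documentation addresses.

```python
import re

# Constructed `show ip route` capture in Cisco IOS style (not from the page).
SHOW_IP_ROUTE = """\
Codes: C - connected, S - static, R - RIP, O - OSPF
       * - candidate default

Gateway of last resort is 198.51.100.1 to network 0.0.0.0

S*   0.0.0.0/0 [1/0] via 198.51.100.1
C    198.51.100.0/24 is directly connected, FastEthernet0/0
C    10.1.1.0/24 is directly connected, FastEthernet0/1
R    10.2.0.0/16 [120/1] via 10.1.1.2, 00:00:14, FastEthernet0/1
S    10.3.0.0/16 [1/0] via 203.0.113.9
"""

# One route per line: code, prefix, then either [AD/metric] via next-hop
# or "is directly connected, <interface>". Header lines do not match.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]\*?)\s+(?P<prefix>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<next_hop>\d{1,3}(?:\.\d{1,3}){3})"
    r"|is directly connected, (?P<iface>\S+))"
)

# Constructed baseline: the gateways this network is known to use.
TRUSTED_NEXT_HOPS = {"198.51.100.1", "10.1.1.2"}


def parse_routes(text):
    """Turn each route line of a show ip route capture into a dict."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        routes.append({
            "code": m.group("code"),
            "prefix": m.group("prefix"),
            "next_hop": m.group("next_hop"),
            "iface": m.group("iface"),
            "ad": int(m.group("ad")) if m.group("ad") else None,
            "metric": int(m.group("metric")) if m.group("metric") else None,
        })
    return routes


def find_unexpected_routes(routes, trusted_next_hops):
    """Routes whose next hop is not a known gateway. Directly connected
    routes have no next hop and are never flagged."""
    return [r for r in routes
            if r["next_hop"] is not None and r["next_hop"] not in trusted_next_hops]


def find_static_routes(routes):
    """Static entries (code S), including the candidate default S*."""
    return [r for r in routes if r["code"].startswith("S")]


if __name__ == "__main__":
    routes = parse_routes(SHOW_IP_ROUTE)
    for r in find_unexpected_routes(routes, TRUSTED_NEXT_HOPS):
        print("unexpected next hop:", r["prefix"], "via", r["next_hop"])
    for r in find_static_routes(routes):
        print("static route:", r["prefix"], "via", r["next_hop"])
```

The trusted set should come from the network documentation or from a capture taken before the incident, not from the device under examination; a route that is both static and pointed at an unknown gateway deserves the first look.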

Examine the Access Control List

The access control list is shown using the command

show access-lists

Examine the access control list of the router to identify the attacker

An attacker can enter the network by using a trusted network address

Check the static control entries which could help the attacker enter the website

Router Logs

The router log shows what happens on your routers

It receives and stores all log messages

It shows if anyone has been trying to get into your network

It allows the user to access all Internet resources, but when it finds several harmful accesses, it warns the user

It provides information to find out where the data is coming from, and with factors such as the port number you can determine whether this is really a threat or just some annoying maintenance

It also shows which IP addresses from inside the network went online, and where they went

Router Logs (cont’d)

With the help of the IP address shown by the router log, it is possible to determine the actual host name

Run the ping or nslookup command from a command line:

• Go to Start/Run and type "cmd" for XP/2K users and "command" for 95/98/ME users

• Type the ping command along with a switch such as "-a" and then the IP address of the suspicious service

Example of Router Logs


NETGEAR Router Logs

NETGEAR router logs can be used to:

• Alert you when someone on the Internet has tried to access a blocked address in your LAN
• Identify port scans, attacks, and administrative logins
• Collect statistics on outgoing traffic for administration purposes
• Assess whether the keyword block rules are excluding the IP addresses you intended

• The main purpose of logging is to collect information about traffic coming into the LAN
• If you use logging with firewall rules, and many entries are logged, it can reduce the router's regular traffic throughput
• Routers can send up to 120 email notifications an hour
• In a rule, the domain name can be blocked, but not subdivisions

NETGEAR Router Logs (cont’d)

Log entries indicating an attack:

Example 1:

• If multiple entries in the log show suspicious data being dropped, then there is an attack
• In most cases, the same ports or source IP addresses are indicated in each log entry

Example 2:

• A single such message (ending with DOS, for Denial of Service) may just be a random packet; however, several messages indicate a probable attack

Link Logger

Link Logger enables you to see and learn about Internet security and your network traffic

It is designed to take the logging information sent out from your router/firewall, process it, and show scans, attacks, and what is happening on the router/firewall

It shows when and where the attacks are coming from, and the type of attack

It allows you to monitor and administer the systems on the LAN

The traffic analysis and reporting features help you to monitor and understand the network traffic, and also help you to communicate it to others

Link Logger: Screenshot


Sawmill: Linksys Router Log Analyzer

Sawmill can process log files in Linksys router format, generate dynamic statistics, and analyze and report events from them

It can parse Linksys router logs and import them into a SQL database

It performs router analysis on any platform, including Windows, Linux, FreeBSD, OpenBSD, Mac OS, Solaris, and UNIX

Sawmill: Linksys Router Log Analyzer (cont’d)

It stores the following fields in its database for Linksys router logs, generates reports for each field, and allows dynamic filtering on any combination of these fields:

Field (internal name)
• date/time (date_time)
• day of week (day_of_week)
• hour of day (hour_of_day)
• source host (source_host)
• destination host (destination_host)
• source port (source_port)
• destination port (destination_port)

It stores the following numerical fields in its database for Linksys router logs, aggregating them and including them as columns in most reports:

Numerical field (internal name)
• packets (packets)


Syslog logging

• The syslog server receives and stores all the log messages

Buffer logging

• When the show logging command is executed, the contents of the router log buffer are displayed

Console logging

• Records console sessions

Terminal logging

• Records non-console sessions and displays log messages

SNMP logging

• The log server accepts and records all SNMP traps

ACL Violation Logging

• Access Control Lists can be configured to log packets matching their rules by ending the ACL entry with the log or log-input keyword
• The router's log buffer receives and stores these log messages
• These log messages are also sent to the syslog server

Real Time Forensics

After removing or collecting information from the compromised router, you can use the router to monitor the network and itself by turning on logging if it was not previously enabled

Router#config terminal
Router(config)#service timestamps log datetime msec localtime show-timezone
Router(config)#no logging console
Router(config)#logging on
Router(config)#logging buffered 32000
Router(config)#logging buffered informational
Router(config)#logging facility local6
Router(config)#logging trap informational
Router(config)#logging

Router Time Zone Log

Real Time Forensics (cont’d)

Using AAA provides an even greater ability to log information; TACACS+ even allows you to log every command executed on the router to the Network Access Server

Router#config terminal
Router(config)#aaa accounting exec default start-stop group tacacs+
Router(config)#aaa accounting system default stop-only group tacacs+
Router(config)#aaa accounting connection default start-stop group tacacs+
Router(config)#aaa accounting network default start-stop group tacacs+

Router TACACS+ Log

Real Time Forensics (cont’d)

You can also use ACL logging to count packets and log specific events. By configuring syslog logging and analyzing your syslog files in real time, you can perform real-time monitoring

The ACLs:

• access-list 149 permit tcp host any eq 161 log-input

  It will not block any packets, but will log all incoming SNMP requests from to any internal host

• access-list 148 deny tcp any eq 53 log-input
  access-list 148 deny udp any eq 53 log-input

  It will block and log any DNS packets from the subnet to any internal host
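An added Python example (not from the slides or from a vendor) that applies the detection rule the log slides state, several dropped packets from the same source to the same port are a probable attack while a single message may be noise, to the %SEC-6-IPACCESSLOGP messages that ACL entries with the log-input keyword produce. The log lines below are constructed in that message format with RFC 5737 documentation addresses, and the threshold of three packets is an assumption made for the example.

```python
import re
from collections import defaultdict

# Constructed IOS syslog lines in the %SEC-6-IPACCESSLOGP format produced by
# ACL entries ending in log-input (not taken from the page).
SAMPLE_LOG = """\
Mar  1 00:12:34.100 UTC: %SEC-6-IPACCESSLOGP: list 148 denied udp 198.51.100.7(40112) (FastEthernet0/0 0011.2233.4455) -> 10.1.1.10(53), 1 packet
Mar  1 00:12:34.300 UTC: %SEC-6-IPACCESSLOGP: list 148 denied udp 198.51.100.7(40113) (FastEthernet0/0 0011.2233.4455) -> 10.1.1.10(53), 1 packet
Mar  1 00:12:35.020 UTC: %SEC-6-IPACCESSLOGP: list 148 denied tcp 198.51.100.7(40114) (FastEthernet0/0 0011.2233.4455) -> 10.1.1.10(53), 1 packet
Mar  1 00:13:01.000 UTC: %SEC-6-IPACCESSLOGP: list 149 permitted tcp 192.0.2.20(51000) (FastEthernet0/1 0011.2233.4466) -> 10.1.1.5(161), 1 packet
Mar  1 00:14:10.000 UTC: %SEC-6-IPACCESSLOGP: list 148 denied udp 203.0.113.4(53011) (FastEthernet0/0 0011.2233.4477) -> 10.1.1.10(53), 1 packet
Mar  1 00:17:35.020 UTC: %SEC-6-IPACCESSLOGP: list 148 denied udp 198.51.100.7(40115) (FastEthernet0/0 0011.2233.4455) -> 10.1.1.11(53), 3 packets
"""

# The "(interface mac)" group is present with log-input and absent with plain log.
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\((?P<sport>\d+)\)"
    r"(?: \((?P<iface>\S+) (?P<mac>[0-9a-f.]+)\))?"
    r" -> (?P<dst>\d{1,3}(?:\.\d{1,3}){3})\((?P<dport>\d+)\), (?P<packets>\d+) packets?"
)


def parse_acl_log(text):
    """Parse every ACL log message into a dict; other syslog lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ACL_LOG_RE.search(line)
        if not m:
            continue
        e = m.groupdict()
        for key in ("sport", "dport", "packets"):
            e[key] = int(e[key])
        entries.append(e)
    return entries


def denied_packets_by_source(entries):
    """Sum denied packets per (source IP, destination port): the 'same source,
    same port in every entry' pattern the slides describe."""
    totals = defaultdict(int)
    for e in entries:
        if e["action"] == "denied":
            totals[(e["src"], e["dport"])] += e["packets"]
    return dict(totals)


def flag_probable_attacks(entries, threshold=3):
    """Return [(src, dport, packets)] for pairs at or above the threshold,
    largest first. A single dropped packet stays unflagged."""
    totals = denied_packets_by_source(entries)
    hits = [(src, dport, n) for (src, dport), n in totals.items() if n >= threshold]
    return sorted(hits, key=lambda h: (-h[2], h[0]))


if __name__ == "__main__":
    entries = parse_acl_log(SAMPLE_LOG)
    for src, dport, n in flag_probable_attacks(entries):
        print(f"probable attack: {src} -> port {dport}, {n} packets denied")
```

The packet count is summed rather than the number of lines counted because IOS rate-limits ACL logging and later messages carry an aggregated "N packets" figure; summing keeps the totals honest. Permitted entries (list 149 in the sample) are kept in the parse but excluded from the attack count, since they exist for auditing, not blocking.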

Router Audit Tool (RAT)

RAT is designed to help audit the configurations of Cisco routers quickly and efficiently

It is a Perl script primarily meant for automating audits

It consolidates four other Perl programs:

• snarf: downloads router config files
• ncat: reads the rule base and configuration files and provides output in a text file
• ncat_report: creates the HTML pages from the text files
• ncat_config: performs localization of the rule base

RAT Screenshot


Generate the Report

Note the name of the Investigator

List the router evidence

Document the evidence and other supporting items

List tools used for investigation

List devices and set up used in examination

Describe briefly the examination steps

Give details about the findings:

• Information about the files
• Internet-related evidence
• Data and image analysis

Give the conclusion of the investigation


Summary

A router is a computer networking device that forwards data packets across a network

A router decides the most effective path for a packet to reach its final destination

Types of router attacks are Denial of Service attacks, packet mistreating attacks, routing table poisoning, flooding, hit-and-run attacks, and persistent attacks

RIP sends routing-update messages at regular intervals and when the network topology changes

The router log shows if anyone has been trying to get into the network