Forensics Book 4: Investigating Network Intrusions and Cybercrime
Chapter 4: Router Forensics
Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited
Objectives
Understand router architecture
Understand the use of Routing Information Protocol (RIP)
List the different types of router attacks
Differentiate router forensics from traditional forensics
List the steps for investigating router attacks
Conduct an incident response
Read router logs
List various router auditing tools
Introduction to Router Forensics
Router
  Network-layer device or software application that determines the next network point to which a data packet should be forwarded in a packet-switched network
  Decides where to send packets based on its current understanding of the state of the networks it is connected to, as well as the network portion of the Internet Protocol (IP) address
  Routers use headers and forwarding tables to determine the best path for sending data packets
Functions of a Router
Basic functions of a router:
  Forwarding packets
  Sharing routing information
  Packet filtering
  Network address translation (NAT)
  Encrypting or decrypting packets in the case of virtual private networks (VPNs)
Overall, a router:
  Is the backbone of a network and performs significant network functions
  Has the additional responsibility of protocol interpretation
Functions of a Router (continued)
A router in the OSI model
  Operates at the network layer of the OSI model
  Relays packets among multiple interconnected networks
  Forwards the packets to the next router on the path until the destination is reached
  Generally sends the packets through that particular route once the best route is identified
Router architecture
  Memory
  Hardware
  IOS
Functions of a Router (continued)
Figure 4-1 Routers operate in the physical, data link, and network layers of the OSI model.
Functions of a Router (continued)
The routing table and its components
Routing table
  Database that stores the most efficient routes to particular network destinations
Components of a routing table
  Address prefix specifying the address of the final destination of the packet
  Interface on which the packets corresponding to the address prefix are transmitted
  Next hop address specifying the address of the router to which a packet must be delivered en route to its final destination
Functions of a Router (continued)
Components of a routing table (continued)
  Preference value for choosing between several routes with similar prefixes
  Route duration
  Specification showing whether the route is advertised in a routing advertisement
  Specification on how the route is aged
  Route type
Routing Information Protocol (RIP)
  Protocol used to manage router information within a self-contained network
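As an added example (not from the EC-Council text), the routing table components listed above turned into a small Python lookup: the longest matching prefix wins and, between routes with the same prefix, the preference value breaks the tie (assumed here to mean lower is better, as with administrative distance). The routes and addresses are constructed, and the last function compares a current table against a documented baseline, which is how an investigator surfaces the false entries the chapter later describes under routing table poisoning.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

@dataclass(frozen=True)
class Route:
    prefix: IPv4Network              # address prefix of the packet's final destination
    interface: str                   # interface matching packets are transmitted on
    next_hop: Optional[IPv4Address]  # None for a directly connected network
    preference: int                  # assumption: lower wins, as with administrative distance
    route_type: str                  # "connected", "static", "rip", ...

class RoutingTable:
    def __init__(self) -> None:
        self.routes: list[Route] = []

    def add(self, route: Route) -> None:
        self.routes.append(route)

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match; among equal prefixes the lowest preference wins."""
        addr = IPv4Address(dst)
        candidates = [r for r in self.routes if addr in r.prefix]
        if not candidates:
            return None
        return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.preference))

def build_sample_table() -> RoutingTable:
    """Constructed sample: a connected LAN, RIP and static routes to one prefix, a more specific RIP route, a default."""
    t = RoutingTable()
    t.add(Route(IPv4Network("192.168.1.0/24"), "eth0", None, 0, "connected"))
    t.add(Route(IPv4Network("10.0.0.0/8"), "eth1", IPv4Address("192.168.2.1"), 120, "rip"))
    t.add(Route(IPv4Network("10.0.0.0/8"), "eth2", IPv4Address("192.168.3.1"), 1, "static"))
    t.add(Route(IPv4Network("10.20.0.0/16"), "eth3", IPv4Address("192.168.4.1"), 120, "rip"))
    t.add(Route(IPv4Network("0.0.0.0/0"), "eth1", IPv4Address("192.168.2.1"), 1, "static"))
    return t

def next_hop_for(table: RoutingTable, dst: str) -> tuple[str, Optional[str]]:
    """(interface, next hop) the router would forward a packet for dst through."""
    r = table.lookup(dst)
    if r is None:
        return ("none", None)
    return (r.interface, str(r.next_hop) if r.next_hop else None)

def unexpected_routes(baseline: RoutingTable, current: RoutingTable) -> list[Route]:
    """Routes present now but absent from the documented baseline: candidate poisoned entries."""
    known = set(baseline.routes)
    return [r for r in current.routes if r not in known]
```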
Router Vulnerabilities
Common router vulnerabilities are likely avenues for attack:
  HTTP authentication vulnerability
  NTP vulnerability
  SNMP parsing vulnerability
Router Attacks
An intruder who takes control of a router can perform many different attacks on a network
Can gain knowledge of all possible vulnerabilities in a network once the router has been accessed
An attacker who has gained access to a router can interrupt communication, disable the router, stop communication between compromised networks, and observe and record logs of both incoming and outgoing traffic
By compromising a router, attackers can avoid firewalls and intrusion detection systems (IDS), and can transmit any kind of traffic to a chosen network
Types of Router Attacks
Denial-of-service (DoS) attacks
  Render a router unusable for network traffic by overloading the router's resources so that no one can access it
  Goals: destruction, resource utilization, and bandwidth consumption
Packet-mistreating attacks
  A compromised router mishandles or mistreats packets, resulting in congestion
  A mistreated packet could cause the following problems: denial of service, congestion, and lowering of connection throughput
Types of Router Attacks (continued)
Routing table poisoning
  One of the most prominent types of attacks
  When an attacker maliciously alters, or poisons, a routing table, the routing-data update packets are also maliciously modified
  Misconfigured packets produce false entries in the routing table, such as a false destination address
Hit-and-run attacks
  Occur when an attacker injects a small number of bad packets into the router to exploit the network
  Similar to a test attack: the attacker gains knowledge of whether the network is online and functioning
Types of Router Attacks (continued)
Persistent attacks
  Attacker continuously injects bad packets into the router and exploits the vulnerabilities that are revealed during the course of the injection process
  Can cause significant damage because the router can get flooded with packets and cease functioning due to the constant injection of packets
  Comparatively easy to detect
Router Forensics Versus Traditional Forensics
Router forensics does not differ much from traditional forensics, except in some particular steps taken during investigations
During router investigations, the system needs to be online, whereas in traditional forensic investigations, the system needs to be powered off
The system must be online so the forensic investigator can have exact knowledge of what type of traffic flows through the router
Investigating Router Attacks
Guidelines:
  Start with a security policy and develop a plan that includes collecting and defining data
  Create a reconnaissance methodology that provides information about the target
  Perform an analysis check to identify incidents and review default passwords and default information
  Develop an attack strategy for analyzing commands to access the network, ACLs, firewalls, and protocols
  Be careful while accessing the router
Intrusion analysis is vital to identifying the attacker and preventing the success of future attacks
Investigation Steps
Seize the router and maintain the chain of custody
  Investigator should seize the router so that nobody can change its configuration
  Chain of custody: record of seizure, custody, control, transfer, analysis, and disposition of physical and electronic evidence
Perform incident response and session recording
  Router should not be rebooted unless absolutely necessary
  Record all information and evidence acquired
  No modifications should be made to the information and evidence acquired
Investigation Steps (continued)
Figure 4-2 Chain of custody forms document the evidence-gathering phase of an investigation.
Investigation Steps (continued)
Incidents that should be handled in specific ways:
  Direct-compromise incidents
  Routing table manipulation
  Theft of information
  Denial of service
Access the router (guidelines)
  Router must be accessed through the console
  Record the entire console session
  Record the actual time and the router time
  Only show commands should be executed
  Volatile information must be given priority
Investigation Steps (continued)
Figure 4-3 Every step an investigator takes must be recorded.
Investigation Steps (continued)
Gather volatile evidence
  Volatile evidence: evidence that can easily be lost during the course of a normal investigation
  Items considered volatile evidence: current configuration, access list, time, and log files
  Methods to collect volatile evidence:
    Direct access: carried out using show commands
    Indirect access: carried out only if the attacker has changed the passwords, by port-scanning every router IP
Investigation Steps (continued)
Identify the router configuration
  Establish a connection to the router to retrieve the RAM and NVRAM
  Use the encrypted protocol secure shell (SSH) to remotely access the router if a direct connection is not possible
  Log the entire session with HyperTerminal
  Capture and save the volatile and nonvolatile router configurations for documentation purposes
Examine and analyze
  Once the volatile evidence has been secured and the configuration has been obtained, the investigator can begin to analyze the retrieved information
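As an added example (not from the EC-Council text) covering the console-access guidelines above (record the whole session, record both the investigator's and the router's time, execute only show commands) and the volatile-evidence and configuration capture steps, a small Python session recorder that refuses anything but show commands, stamps each exchange with the investigator's clock, computes the router's clock skew, and hashes the transcript for the chain-of-custody record. The transport callable, the ISO-8601 form of the router's clock reply and the sample replies are assumptions constructed for the demonstration, not real IOS output.

```python
import hashlib
import re
from datetime import datetime, timezone
from typing import Callable

SHOW_ONLY = re.compile(r"^\s*show\s+\S")  # read-only commands only

class EvidenceSession:
    def __init__(self, transport: Callable[[str], str], clock: Callable[[], datetime]):
        self.transport = transport   # sends one command line, returns the reply (assumed interface)
        self.clock = clock           # investigator's trusted UTC clock
        self.transcript: list[str] = []
        self.rejected: list[str] = []

    def run(self, command: str) -> str:
        if not SHOW_ONLY.match(command):       # reload, configure, clear, write ... are refused
            self.rejected.append(command)
            raise PermissionError(f"refused non-show command: {command!r}")
        reply = self.transport(command)
        self.transcript += [f"[{self.clock().isoformat()}] > {command}", reply]
        return reply

    def clock_skew_seconds(self, router_clock_reply: str) -> int:
        """Router time minus investigator time; assumes an ISO-8601 UTC stamp in the reply."""
        m = re.search(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}", router_clock_reply)
        if not m:
            raise ValueError("no timestamp in router clock output")
        router_time = datetime.fromisoformat(m.group()).replace(tzinfo=timezone.utc)
        return int((router_time - self.clock()).total_seconds())

    def seal(self) -> str:
        """SHA-256 of the transcript, recorded on the chain-of-custody form."""
        return hashlib.sha256("\n".join(self.transcript).encode()).hexdigest()

def demo() -> dict:
    """Constructed walk-through with a fake transport; replies are sample text, not real IOS output."""
    replies = {"show clock": "router time 2024-03-01T12:00:45 UTC",
               "show running-config": "hostname edge-rtr\nlogging host 192.0.2.10"}
    session = EvidenceSession(lambda cmd: replies.get(cmd, "% unknown command"),
                              lambda: datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc))
    skew = session.clock_skew_seconds(session.run("show clock"))
    session.run("show running-config")
    try:
        session.run("reload")   # must be refused: a reboot destroys volatile evidence
    except PermissionError:
        pass
    return {"skew": skew, "rejected": session.rejected,
            "lines": len(session.transcript), "digest": session.seal()}
```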
Investigation Steps (continued)
Router components that should be examined and analyzed:
  Router configuration
  Routing table
  Access control list
  Router logs: provide information about the router's activities
Types of router logs:
  Syslog log, log buffer, console log, terminal log, SNMP log, and ACL violation log
Investigation Steps (continued)
Figure 4-4 Router log files can tell an investigator where a connection originated.
Investigation Steps (continued)
Figure 4-5 The ping command can be used to find a host name.
Investigation Steps (continued)
NETGEAR router logs
  Can be used for monitoring network activities for specific types of attacks and reporting those attacks to a security monitoring program
  Can be used to perform the following tasks:
    Alert when someone on a LAN has tried to access a blocked WAN address
    Alert when someone on the Internet has tried to access a blocked address in a LAN
    Identify port scans, attacks, and administrative logins
    Collect statistics on outgoing traffic
    Assess whether keyword-blocking rules are excluding an undesired IP address
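As an added example (not from the EC-Council text), detection logic for three of the tasks listed above, run over constructed log lines: port scans, administrative logins from outside the LAN, and a LAN host reaching for a blocked WAN address. The line shape is an assumed syslog-like stand-in rather than the actual NETGEAR format, and the addresses are documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a syslog-like shape (not the real NETGEAR format).
SAMPLE_LOG = """\
2024-03-01 09:00:01 [LAN access from remote] from 203.0.113.7:40001 to 192.168.1.10:22
2024-03-01 09:00:01 [LAN access from remote] from 203.0.113.7:40002 to 192.168.1.10:23
2024-03-01 09:00:02 [LAN access from remote] from 203.0.113.7:40003 to 192.168.1.10:80
2024-03-01 09:00:02 [LAN access from remote] from 203.0.113.7:40004 to 192.168.1.10:443
2024-03-01 09:00:03 [LAN access from remote] from 203.0.113.7:40005 to 192.168.1.10:3389
2024-03-01 09:05:10 [Blocked site] from 192.168.1.25:51000 to 198.51.100.9:80
2024-03-01 09:07:45 [Admin login] from 192.168.1.40
2024-03-01 09:08:00 [Admin login] from 203.0.113.7
2024-03-01 09:30:00 [LAN access from remote] from 198.51.100.3:1024 to 192.168.1.10:22
"""
LINE = re.compile(r"^(\S+ \S+) \[(.+?)\] from (\d+\.\d+\.\d+\.\d+)(?::\d+)?"
                  r"(?: to (\d+\.\d+\.\d+\.\d+):(\d+))?$")

def parse(log: str) -> list[dict]:
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts, kind, src, dst, port = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "kind": kind,
                           "src": src, "dst": dst, "port": int(port) if port else None})
    return events

def port_scans(events, min_ports=5, window_s=60) -> dict[str, int]:
    """Sources probing >= min_ports distinct ports on one host within window_s of the first hit."""
    by_pair = defaultdict(list)
    for e in events:
        if e["kind"] == "LAN access from remote" and e["port"] is not None:
            by_pair[(e["src"], e["dst"])].append(e)
    hits = {}
    for (src, dst), evs in by_pair.items():
        start = min(e["ts"] for e in evs)
        ports = {e["port"] for e in evs if (e["ts"] - start).total_seconds() <= window_s}
        if len(ports) >= min_ports:
            hits[src] = len(ports)
    return hits

def admin_logins_from_wan(events, lan_prefix="192.168.") -> list[str]:
    """Administrative logins from outside the LAN deserve immediate attention."""
    return [e["src"] for e in events
            if e["kind"] == "Admin login" and not e["src"].startswith(lan_prefix)]

def blocked_wan_attempts(events) -> list[tuple[str, str]]:
    return [(e["src"], e["dst"]) for e in events if e["kind"] == "Blocked site"]
```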
Investigation Steps (continued)
Figure 4-6 NETGEAR router logs allow the user to apply various firewall rules.
Investigation Steps (continued)
Figure 4-7 Entries indicating suspicious data being dropped are a possible indication of an attack.
Investigation Steps (continued)
Real-time forensics
  Investigator should use the router to monitor the network, after removing or collecting the data from the compromised router
  AAA logging gathers the following information:
    Login time
    Logout time
    HTTP accesses
    Privilege level changes
    Commands executed
Investigation Steps (continued)
Generate a report (steps)
  Note the name of the investigator
  List the router evidence
  Document the evidence and other supporting items
  Provide a list of tools used for the investigation
  List the devices and setup used in the examination
  Give a brief description of the examination steps
  Provide the following details about the findings:
    Information about the files
    Internet-related evidence
    Data and image analysis
  Provide conclusions for the investigation
Router Audit Tool (RAT)
Figure 4-8 The RAT tool checks devices against settings in a benchmark.
Link Logger
Figure 4-9 Link Logger allows users to see and analyze firewall traffic.
Sawmill
Table 4-1 Sawmill stores these nonnumerical fields in its Linksys router database
Summary
A router is a computer networking device that forwards data packets across networks
A router decides the most effective path for a packet to reach its final destination
A routing table is a database that stores the most efficient routes to particular network destinations
The types of router attacks are denial-of-service attacks, packet-mistreating attacks, routing table poisoning, hit-and-run attacks, and persistent attacks
Summary (continued)
RIP sends routing update messages when the network topology changes
A router log shows whether anyone has been trying to get into a network
Investigators must be careful while accessing a router