Presentation is loading. Please wait.

Presentation is loading. Please wait.

F4-analyzing Network-based evidence for a windows intrusion Dr. John P. Abraham Professor UTPA.

Published byKenny Silk Modified over 9 years ago

Similar presentations

Presentation on theme: "F4-analyzing Network-based evidence for a windows intrusion Dr. John P. Abraham Professor UTPA."— Presentation transcript:

1 F4-analyzing Network-based evidence for a windows intrusion Dr. John P. Abraham Professor UTPA

2 JBR Bank Example Live response data is given in previous chapters The bank’s networking staff had Tcpdump running on a Linux monitoring platform sitting on a hub with visibility to the victim system 103.98.91.41. it had started Tcpdump using the following command: –Tcpdump –n –I eth0 –s 1515 –w capture_file.lpc Meaning of switches are given on page 95 –Incident response team split into two smaller files using Tcpslice called s2a.lpc and s2b.lpc.

3 First analysis Decided to analize the s2a.lpc file first. –Result given on page 96 – 3 minutes long capture, 8 MB in size. Lot of web activity. Port 80. (43.49% of all packets sent out by web servers, and web clients sending 44.05%) Alert Data: First Trace –Snort’s signature-matching engine can find patterns of malicious activity. –Nmap scanning tool. http://www.insecure.org/nmaphttp://www.insecure.org/nmap –Alert file in text viewer is given on page 98. See explanation such as web application attack, attempted information leak, etc. The source address is given as well. (destination is the victim server). Looking at page 101, we can see some reconnaissance (scan) activity. Beyond checking for vulnerabilities in the web service, the intruder is now looking for other services that present opportunities for exploitation. Perhaps the intruder is using the Nmap scanning tool.

4 Session Data – first trace –First we run against the Libcap data to transform it into session data Argus –d –r s2a.lpc –w s2a.argus –d switch tells Argus to run in the background –r switch reads data from the Libcap file s2a.lpc –w switch writes the Argus results into the file s2a.argus. Take a look at page 103 for results. All traffic is directed at port 80 TCP, mainly with a pattern of packets sent by the source and destination, which is consistent with scanning for web vulnerabilities. At the bottom of the page pattern also shows port scanning. The destination port is changed from 1359 to 305 to 698 and so on. The source sends one packet and destination sends one packet reply. Usually in web page multiple packets and responded with. Any time when only one or two packets are sent from the server, it is unusual.

5 More In contrast to the polite closes seen in the Web reconnaissance, these “sessions” are closed with an RST. These aren’t’ really “sessions” because the three-way handshake, which would have established a true conversation between source and destination was never completed. We can guess all the ports scanned here were closed because the source probably sent a single SYN packet and the destination replied with a single RST ACK packet. »When the scanned port is open, we see a pattern like on page 104. »Here the source sends two packets and the destination sends one. »The source probably sent a SYN, to which the destination replied SYN ACK. »To tear down the connection attempt the source sends an RST

6 More On page 104 lower end of page we see the snort.log file, where copies of the packets that caused Snort to alert are stored. The first highlighted field, GET/cgi-bin/, caused Snort to report an intruder was trying to determine whether the cgi- bin directory was present on the Web server This is a common vulnerability check because many Common Gateway Interface (CGI) programs are poorly written, offering opportunities for crafty attackers. The second highlighted field, Nikto/1.30, confirms suspicion that Nikto Web vulnerability assessment tool was fired against the Web server. The final highlighted field, 403 Access Forbidden is the web server’s response to this reconnaissance effort. This alert show snort can be programmed not only to watch for activity from intruders but also to monitor responses from victims.

7 Full Content Data: First trace –To confirm the interpretation of the suspected reconnaissance observed via Snort alerts and Argus session data, we turn to the original Libcap file s2a.lpc. –The following packets demonstrate how the attacker sends a single SYN packet, to which a closed port replies with a single RST ACK. –These are highlighted in the Tcpdump output on page 106 –A possible fingerprint is hex 5555 5555 5555 or ascii uuuuuu. Goggle search shows this is associated with Nmap reconnaissance tool. –For closef ports, the source sends one packet, and the destination replies with one packet, and the destination replies with one packet.

8 Statistical Data: Second Trace –We’ll run through Tcpdstat: page 108 –Most of the action of s2b.lpc appears in the “other” category, accounting for 83.64% of all traffic. –These are all the TCP and UDP protocols that Tcpdstat recognizes. Tcpdstat does NOT know how to interpret Microsoft’s NetBIOS/Server Message Block protocol running on TCP ports 139 and 445 or UDP ports 137 and 138. see page 109 sample source code lifted. A second difference from the first trace is the presence of 16 non-IP packets. You can see this by comparing the total number of packets to the number of IP packets. Although this could be a protocol such as NetBEUI for old Windows networking or IPX for Novell clients, it is probably ARP (Address Resolutions Protocol) traffic.

9 Alert Data: Second Trace –Command on page 110 –We see that 16 are ARP traffic. –ARP is used to resolve IP addresses to MAC addresses. –Checking the reference in the data on page 111 against the Common Vulnerabilities and Exposure (CVE) database, you find that CAN-2001-0241 is described as follows: Buffer overflow in Internet Printing ISAPI extension in Windows 2000 allows remote attackers to gain root privileges via along print request that is passed to the extension through IIS 5. This is bad news. Second event happed four minutes later and third 6 minutes later, from different IP addresses.The intruder may own both machines, or friends are involved.

10 Microsoft Technet – see p. 112 Clients make SMB requests for resources and servers make SMB responses. SMB (server message Block) is the protocol Microsoft uses to share files, printers, serial ports, and also to communicate between computers using named pipes and mail slots. By sending a specially crafted packet request, an attacker can mount a denial of service attack on the target server machine and crash the system.

11 Session Data: Second Trace Filter out the Web and SMB and ARP traffic which we already discussed in the first trace. See command on 115, not port 80, not port 137 and so on. –The second to the last entry on page 115 is very important. We see the victim Web server successfully connected to 95.145.128.17 on port 6667. This indicates the intruder forced the Web server to speak IRC in hopes of controlling it via that communications medium. –The final session data entry displayed here show s95.208.123.64 connecting to port 1465 TCP on the victim Web server.

12 Full content data: second trace –Rather than looking through full content data on a packet by packet basis, we’ll ask tcpflow to rebuild sessions of interest on ports 21, 60,906, 1,465, and 6,667 TCP Tcpflow –r s2b.lpc port 21 or port 60906 or port 1465 or port 6667 see page 116 –In this case, tcpflow produces eight files. The filename syntax shows: The source IP and port Followed by the destination IP and port The eight files on pg 116 are the data sent by the source and destination for four separate sessions. On the third file, using tcpflow, we realize the intruder has been allowed on the victim’s server. To see what the IRC session looks like, check the connection to port 6667. We can see that intruder tried to access files using ftp. Next we read the responses from the IRC server with destination port 1174 on page 121

13

Download ppt "F4-analyzing Network-based evidence for a windows intrusion Dr. John P. Abraham Professor UTPA."

Similar presentations

Chapter 17: WEB COMPONENTS

Chapter 17: WEB COMPONENTS
F3 Collecting Network Based Evidence (NBE)

F3 Collecting Network Based Evidence (NBE)
1 Reading Log Files. 2 Segment Format

1 Reading Log Files. 2 Segment Format
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last updated 9-18-08.

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last updated
Suneeta Chawla Web Security Presentation Topic : IP Spoofing Date : 03/24/04.

Suneeta Chawla Web Security Presentation Topic : IP Spoofing Date : 03/24/04.
Network Attacks Mark Shtern.

Network Attacks Mark Shtern.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
How do Networks work – Really The purposes of set of slides is to show networks really work. Most people (including technical people) don’t know Many people.

How do Networks work – Really The purposes of set of slides is to show networks really work. Most people (including technical people) don’t know Many people.
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
Scanning February 23, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Scanning February 23, 2010 MIS 4600 – MBA © Abdou Illia.
SYN Flooding: A Denial of Service Attack Shivani Hashia CS265.

SYN Flooding: A Denial of Service Attack Shivani Hashia CS265.
Communication Protocols III Tenth Meeting. Connections in TCP A wants to send to B. What is the packet next move? A travels through hub and bridge to.

Communication Protocols III Tenth Meeting. Connections in TCP A wants to send to B. What is the packet next move? A travels through hub and bridge to.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
WXES2106 Network Technology Semester 1 2004/2005 Chapter 8 Intermediate TCP CCNA2: Module 10.

WXES2106 Network Technology Semester /2005 Chapter 8 Intermediate TCP CCNA2: Module 10.
Practical Networking. Introduction  Interfaces, network connections  Netstat tool  Tcpdump: Popular network debugging tool  Used to intercept and.

Practical Networking. Introduction  Interfaces, network connections  Netstat tool  Tcpdump: Popular network debugging tool  Used to intercept and.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Application Layer Functionality and Protocols Network Fundamentals – Chapter.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Application Layer Functionality and Protocols Network Fundamentals – Chapter.
Intrusion Detection - Arun Hodigere. Intrusion and Intrusion Detection Intrusion : Attempting to break into or misuse your system. Intruders may be from.

Intrusion Detection - Arun Hodigere. Intrusion and Intrusion Detection Intrusion : Attempting to break into or misuse your system. Intruders may be from.

Similar presentations

Ads by Google