Presentation is loading. Please wait.

Presentation is loading. Please wait.

COEN 252 Computer Forensics

Published byเนาวรัตน์ บราวน์ Modified over 5 years ago

Similar presentations

Presentation on theme: "COEN 252 Computer Forensics"— Presentation transcript:

1 COEN 252 Computer Forensics
Tools for Package Analysis.

2 Legal Preliminaries Intercepting network activities can be the equivalent of a wiretap. Distinguish between content monitoring and non-content monitoring. Non-content monitoring: “Pen register” or “Trap and Trace” Full content monitoring: Allows full reconstruction of sessions. Including reading web-based .

3 TCPDump / Windump Low level package sniffer.
Good, if you see a new type of attack or try to diagnose a networking problem. Bad, since you have to look at all these packages and learn how to interpret them.

4 TCPDump / Windump: The Good
Provides an audit trail of network activity. Provides absolute fidelity. Universally available and cheap.

5 TCPDump / Windump: The Bad
Does not collect the payload by default. Does not scale well. State / connections are hidden. Very Limited analysis of packages. Collects a given number of bytes from each package: This could turn “trap and trace” monitoring into wiretaping.

6 Versions Unix Version 3.4. ftp.ee.lbl.gov/tcpdump.tar.Z Windump

7 Shadow Collects tcpdump data in hourly files. Analyzes for anomalies
Formats anomalous data in HTML Comes with Scripts Download it for free for UNIX

8 Shadow Collects data with tcpdump on a monitoring station.
Analyzes them on the analysis station with: tcpdump filters Perl Analysis System Audit Tools

9 Running TCPDump tcpdump –x looks at packages in hex format

10 Running TCPDump Interpret packages in that format.
Use the TCP/IP and tcpdump reference card from SANS.org.

11 Running tcpdump IP Header ICMP Header
20:20: IP dhcp engr.scu.edu > Bobadilla.scu.edu: icmp 108: echo request seq 4864 d0f 81d2 13d3 81d2 13c d5ee a 6b6c 6d6e 6f a6b 6c6d 6e6f 6768

12 tcpdump Use reference card to identify fields IP Version 4
Header Length (Nr * 4B) 20:20: IP dhcp engr.scu.edu > Bobadilla.scu.edu: icmp 108: echo request seq 4864 d0f 81d2 13d3 81d2 13c d5ee a 6b6c 6d6e 6f a6b 6c6d 6e6f 6768

13 tcpdump 20B header Type of Service Total Length: 0x80 = 128decimal
20:20: IP dhcp engr.scu.edu > Bobadilla.scu.edu: icmp 108: echo request seq 4864 d0f 81d2 13d3 81d2 13c d5ee a 6b6c 6d6e 6f a6b 6c6d 6e6f 6768

14 tcpdump Length of capture: tcpdump –s 68 Default is 68B
We see only 54B, because the ethernet header is 14B long. Remember, this could become a legal problem if you see content.

15 tcpdump tcpdump –e host bobadilla Shows Source MAC Destination MAC
Displays data link data filtered by host named bobadilla. Shows Source MAC Destination MAC Protocol 20:37: :8:74:3f:2:46 0:d:56:8:e4:db ip 142: IP dhcp engr.scu.edu > Bobadilla.scu.edu: icmp 108: echo request seq 5376

16 Tcpdump Fragmentation Total Length
Total Length: Number of Bytes in Packet 20:42: IP Bobadilla.scu.edu.137 > : udp 50 e 892b aae1 81d2 13c6 efff fffa a adb9 8ce2 0000 b

17 Tcpdump Fragmentation Offset Header
Length 0x33c = 828 (-20B for header) Offset: 1ce8  = 7400 Leading 000 are flags. Multiply by 8: Offset = 59200 20:53: IP Bobadilla.scu.edu > dhcp engr.scu.edu: icmp (frag c ce d2 13c6 81d2 13d3 6e6f a 6b6c 6d6e 6f a6b 6c6d 6e6f 6566

18 TCPDump Filters Capture only packages that are useful.
Specify in the filter what items are interesting. Filters use common fields such as host or port. Filters also for individual bytes and bits in the datagram

19 TCPDump Filters Format 1: macro and value “tcpdump port 23”
Only displays packages going to or from port 23.

20 TCPDump Filters Format 2:
<protocol header> [offset:length] <relation> <value> “ip[9] = 1” Selects any record with the IP protocol of 1. “icmp[0] = 8” Selects any record that is an ICMP echo requests. That’s why you should learn to use the reference card.

21 TCPDump Filters Reference single bits through bit masking.
An example is TCP flag bits Byte 13 in a TCP header has the 8 flag fields. CWR,ECE,URG,ACK,PSH,RST,SYN,FIN

22 TCPDump Filters Assume we want to mask out the PSH field.
Translate the mask into binary. 0x04

23 TCPDump Filters Set filter to tcp[13] & 0x40 != 0. Your turn:
Filter for packets that have the Syn or the Ack flag set.

24 TCPDump Filters Your turn:
Filter for packets that have the Syn or the Ack flag set. tcp[13] & 0x12 != 0

25 TCPDump Filters We can of course use exact values for filtering.
tcp[13] = 0x20 looks only for tcp-packets that have the urg flag set.

26 TCPDump Filters Can combine filters with the and, or, not operators
(tcp and tcp[13]&0x0f != 0 and not port 25) or port 20 Filter can be written in file, specified with the –F flag.

27 TCPDump Filters Use –F filename to specify a file containing the filter.

28 TCPDump Use the –w extension to capture into a file.
Use the –c extension to limit the number of packets captured. Use –v, -vv, -vvv for verbosity. Use –x for ASCI values of package contents. Use –tttt to display time / day stamps. Use –r to specify capture file.

29 Target NMap Available in Windows and Unix version.
Scans host with many different connections. Uses responses to determine OS. Target Acquisition. Network mapping.

30 TCPDump Filter against NMap
Use Filters to check for NMap activity. For example, send a TCP packet with SYN|FIN|URG|PSH options set. Use packages with the first two TCP flags set of OS-mapping

31 tcptrace Uses a file with traffic captured from the network as input.
Understands dumpfile formats like tcpdump, snoop, etherpeek, tcpdump, … Beluga:/Users/mani> tcptrace tigris.dmp 1 arg remaining, starting with 'tigris.dmp' Ostermann's tcptrace -- version Fri Jun 13, 2003 87 packets seen, 87 TCP packets traced elapsed wallclock time: 0:00: , 2295 pkts/sec analyzed trace file elapsed time: 0:00: TCP connection info: 1: pride.cs.ohiou.edu: elephus.cs.ohiou.edu:ssh (a2b) 30> 30< (complete) 2: pride.cs.ohiou.edu: a apple.com:http (c2d) 12> 15< (complete)

32 tcptrace Found two tcp connections.
(a2b), (c2d) is a labelling scheme for ports. (complete) shows that the connection was gracefully shut down. Numbers are the number of packets sent and received. Beluga:/Users/mani> tcptrace tigris.dmp 1 arg remaining, starting with 'tigris.dmp' Ostermann's tcptrace -- version Fri Jun 13, 2003 87 packets seen, 87 TCP packets traced elapsed wallclock time: 0:00: , 2295 pkts/sec analyzed trace file elapsed time: 0:00: TCP connection info: 1: pride.cs.ohiou.edu: elephus.cs.ohiou.edu:ssh (a2b) 30> 30< (complete) 2: pride.cs.ohiou.edu: a apple.com:http (c2d) 12> 15< (complete)

33 tcptrace -l gives detailed statistics.
-lW estimates the congestion window in addition. -o can filter out connections: tcptrace –o3,5,7 Filters out all but the third, fifth, and seventh connection.

34 tcptrace Allows quick and accurate view of tcp connections.
With –u also analyzes udp traffic.

35 tcpflow Captures data transmitted as a TCP connection
A flow Reconstructs the actual data stream. Can be used to reconstruct , http sessions, …

36 Ethereal GUI tool that can do a lot of neat things
Reconstruct TCP sessions Handles IP fragmentation

37 Ethereal To follow a TCP stream, highlight packet.
Select Analyze  Follow TCP Stream

38 Ethereal

Download ppt "COEN 252 Computer Forensics"

Similar presentations

COEN 252 Computer Forensics Tools for Package Analysis.

COEN 252 Computer Forensics Tools for Package Analysis.
Overview The TCP/IP Stack. The Link Layer (L2). The Network Layer (L3). The Transport Layer (L4). Port scanning & OS/App detection techniques. Evasion.

Overview The TCP/IP Stack. The Link Layer (L2). The Network Layer (L3). The Transport Layer (L4). Port scanning & OS/App detection techniques. Evasion.
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
Computer Networks20-1 Chapter 20. Network Layer: Internet Protocol 20.1 Internetworking 20.2 IPv4 20.3 IPv6.

Computer Networks20-1 Chapter 20. Network Layer: Internet Protocol 20.1 Internetworking 20.2 IPv IPv6.
COEN 252 Computer Forensics Using TCPDump / Windump for package analysis.

COEN 252 Computer Forensics Using TCPDump / Windump for package analysis.
Department of Computer Science, The University of Houston 4. TCP/IP & Software Tools 1 Intrusion Detection Module Stephen Huang Department of Computer.

Department of Computer Science, The University of Houston 4. TCP/IP & Software Tools 1 Intrusion Detection Module Stephen Huang Department of Computer.
COEN 252 Computer Forensics Tools for Package Analysis.

COEN 252 Computer Forensics Tools for Package Analysis.
Table of Contents 3 - IDS types 8 - Ethernet Frame 9 - IP frame 10 - TCP frame 11 - UDP frame 12 - ICMP Frame 13 - 3-way handshake 15 - TCP flags 16 -

Table of Contents 3 - IDS types 8 - Ethernet Frame 9 - IP frame 10 - TCP frame 11 - UDP frame 12 - ICMP Frame way handshake 15 - TCP flags 16 -
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last updated 9-18-08.

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last updated
Module A.  This is a module that some teachers will cover while others will not  This module is a refresher on networking concepts, which are important.

Module A.  This is a module that some teachers will cover while others will not  This module is a refresher on networking concepts, which are important.
1 Application TCPUDP IPICMPARPRARP Physical network Application TCP/IP Protocol Suite.

1 Application TCPUDP IPICMPARPRARP Physical network Application TCP/IP Protocol Suite.
Practical Networking. Introduction  Interfaces, network connections  Netstat tool  Tcpdump: Popular network debugging tool  Used to intercept and.

Practical Networking. Introduction  Interfaces, network connections  Netstat tool  Tcpdump: Popular network debugging tool  Used to intercept and.
CAP6135: Malware and Software Vulnerability Analysis Network Traffic Monitoring Using Wireshark Cliff Zou Spring 2013.

CAP6135: Malware and Software Vulnerability Analysis Network Traffic Monitoring Using Wireshark Cliff Zou Spring 2013.
ECE-6612 Prof. John A. Copeland 404 894-5177 fax 404 894-0035 Office: Klaus 3362.

ECE Prof. John A. Copeland fax Office: Klaus 3362.
CIS 193A – Lesson12 Monitoring Tools. CIS 193A – Lesson12 Focus Question What are the common ways of specifying network packets used in tcpdump, wireshark,

CIS 193A – Lesson12 Monitoring Tools. CIS 193A – Lesson12 Focus Question What are the common ways of specifying network packets used in tcpdump, wireshark,
Gursharan Singh Tatla Transport Layer 16-May-2011 1

Gursharan Singh Tatla Transport Layer 16-May
CS 356 Systems Security Spring 2015 Dr. Indrajit Ray

CS 356 Systems Security Spring Dr. Indrajit Ray
Network Forensics Networking Basics Collecting Network-Based Evidence (NBE) Collection of Packets using Tools Windows Intrusion UNIX Intrusion.

Network Forensics Networking Basics Collecting Network-Based Evidence (NBE) Collection of Packets using Tools Windows Intrusion UNIX Intrusion.
Port Scanning.

Port Scanning.

Similar presentations

Ads by Google