Module XXVII – Investigating Network Traffic
EC-Council Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
News: Internet Traffic Begins to Bypass the U.S.
Source: http://www.nytimes.com/
News: TCP Flooder Program Released for Free
Source: http://www.mxlogic.com/
Scenario
Jessica was missing from her home for a week. She had left a note for her father mentioning that she was going to meet her school friend. A few weeks later, Jessica’s dead body was found near a dumping yard.
Investigators were called in to solve the mystery that surrounded Jessica’s death. Preliminary investigation of Jessica’s computer and logs revealed some facts which helped the police trace the killer.
Module Objective
This module will familiarize you with:
• Overview of Network Protocols
• Overview of Physical and Data-link Layer of the OSI Model
• Overview of Network and Transport Layer of the OSI Model
• Types of Network Attacks
• Why to Investigate Network Traffic?
• Evidence Gathering via Sniffing
• Tools
• Documenting the Evidence Gathered on a Network
• Evidence Reconstruction for Investigation
Module Flow
• Overview of Network Protocols
• Overview of Physical and Data-link Layer of the OSI Model
• Overview of Network and Transport Layer of the OSI Model
• Types of Network Attacks
• Why to Investigate Network Traffic?
• Evidence Gathering via Sniffing
• Tools
• Documenting the Evidence Gathered on a Network
• Evidence Reconstruction for Investigation
Network Addressing Schemes
There are two types of network addressing schemes:
LAN Addressing
• Each node in a LAN has a MAC address that is factory-programmed into its NIC
• Data packets are addressed to either one of the nodes or all of the nodes
Internet Addressing
• The Internet is a collection of LANs and/or other networks that are connected with routers
• Each network has a unique address and each node on the network has a unique address, so an Internet address is a combination of network and node addresses
• IP is responsible for network layer addressing in the TCP/IP protocol suite
OSI Reference Model
Overview of Network Protocols
| Data Unit | Layer | Function | Protocols |
|---|---|---|---|
| Data | Application (host layer) | Network process to application | HTTP, SMTP, NNTP, TELNET, FTP, NMP, TFTP |
| Data | Presentation (host layer) | Data representation and encryption | |
| Data | Session (host layer) | Interhost communication | |
| Segments | Transport (host layer) | End-to-end connections and reliability | UDP, TCP |
| Packets | Network (media layer) | Path determination and logical addressing (IP) | ARP, RARP, ICMP, IGMP, IP |
| Frames | Data Link (media layer) | Physical addressing (MAC & LLC) | PPP, SLIP |
| Bits | Physical (media layer) | Media, signal and binary transmission | |
TCP/IP Protocol
Overview of Physical and Data-Link Layer of the OSI Model
Physical layer:
• It helps in transmitting data bits over a physical channel
• It has a set of predefined rules that physical devices and interfaces on a network have to follow for data transmission to take place
Data-link layer:
• It controls errors in transmission by adding a trailer to the end of the data frame
Overview of Network and Transport Layer of the OSI Model
Network layer:
• It is responsible for sending information from the source to a destination address across various links
• It adds the logical addresses of the sender and receiver to the header of the data packet
Transport layer:
• The transport layer ensures the integrity and order of the message sent by the source to its destination
• It also handles error and flow control in the transmission
Types of Network Attacks
IP Spoofing
Router attacks
Eavesdropping
Denial of service
Man-in-the-Middle Attack
Sniffer Attack
Data Modification
Why to Investigate Network Traffic
To locate suspicious network traffic
To know who is generating the troublesome traffic, and where the traffic is being transmitted to or received from
To identify network problems
Evidence Gathering Via Sniffing
A sniffer is computer software or hardware that can intercept and log traffic passing over a digital network or part of a network
Sniffers, which put NICs in promiscuous mode, are used to collect digital evidence at the physical layer
SPANned ports and hardware taps help sniffing in a switched network
Sniffers collect traffic from the network and transport layers in addition to the physical and data-link layers
Investigators should configure sniffers for the size of frames to be captured
Acquiring Traffic Using DNS Poisoning Techniques
DNS poisoning is the substitution of a false Internet provider address at the domain name service level (i.e., where web addresses are converted into numeric Internet provider addresses)
It is a technique that tricks a DNS server into believing it has received authentic information when, in reality, it has not
Types of DNS Poisoning:
• Intranet DNS Spoofing (Local network)
• Internet DNS Spoofing (Remote network)
• Proxy Server DNS Poisoning
• DNS Cache Poisoning
Intranet DNS Spoofing (Local Network)
For this technique, you must be connected to the local area network (LAN) and be able to sniff packets
Works well against switches with ARP poisoning of the router
The slide diagram shows (router IP 10.0.0.254; Rebecca IP 10.0.0.3; hacker’s fake website IP 10.0.0.5; real website www.xsecurity.com IP 200.0.0.45):
• Rebecca types www.xsecurity.com in her web browser and sends a DNS request: "What is the IP address of www.xsecurity.com?"
• Hacker poisons the router and all the router traffic is forwarded to his machine
• Hacker runs arpspoof/dnsspoof for www.xsecurity.com and sets up a fake website www.xsecurity.com
• Hacker’s fake website sniffs the credentials and redirects the request to the real website
Internet DNS Spoofing (Remote Network)
Send a Trojan to Rebecca’s machine and change her DNS IP address to that of the attacker
Works across networks. Easy to set up and implement
The slide diagram shows (hacker’s DNS server in Russia IP 200.0.0.2; fake website IP 65.0.0.2; real website www.xsecurity.com IP 200.0.0.45):
• Hacker infects Rebecca’s computer by changing her DNS IP address to 200.0.0.2
• Rebecca types www.xsecurity.com in her web browser
• Hacker runs a DNS server in Russia (IP 200.0.0.2)
• Rebecca is sent to the fake website (IP 65.0.0.2) instead of the real website www.xsecurity.com (IP 200.0.0.45)
• Hacker’s fake website sniffs the credentials and redirects the request to the real website
Internet DNS Spoofing
Steps to redirect all the DNS request traffic from a host machine to you:
1. Set up a fake website on your computer
2. Install treewalk and modify the file mentioned in the readme.txt to your IP address. Treewalk will make you the DNS server
3. Modify the file dns-spoofing.bat and replace the IP address with your IP address
4. Trojanize the dns-spoofing.bat file and send it to Jessica (ex: chess.exe)
5. When the host clicks the trojaned file, it will replace Jessica’s DNS entry in her TCP/IP properties with that of your machine’s
6. You will become the DNS server for Jessica and her DNS requests will go through you
7. When Jessica connects to XSECURITY.com, she resolves to the fake XSECURITY website; you sniff the password and send her to the real website
Proxy Server DNS Poisoning
Send a Trojan to Rebecca’s machine and change her proxy server settings in Internet Explorer to that of the attacker
Works across networks. Easy to set up and implement
The slide diagram shows (hacker’s proxy server in Russia IP 200.0.0.2; fake website IP 65.0.0.2; real website www.xsecurity.com IP 200.0.0.45):
• Hacker infects Rebecca’s computer by changing her IE proxy address to 200.0.0.2
• Rebecca types www.xsecurity.com in her web browser
• Hacker runs a proxy server in Russia (IP 200.0.0.2) and sends Rebecca’s request to the fake website (IP 65.0.0.2)
• Hacker’s fake website sniffs the credentials and redirects the request to the real website
DNS Cache Poisoning
To perform a cache poisoning attack, the attacker exploits a flaw in the DNS server software that can make it accept incorrect information
If the server does not correctly validate DNS responses to ensure that they have come from an authoritative source, it will end up caching the incorrect entries locally and serve them to users that make the same request
• For example, an attacker poisons the IP address DNS entries for a target website on a given DNS server, replacing them with the IP address of a server he controls
• He then creates fake entries for files on the server he controls with names matching those on the target server
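The validation the slide says a cache must perform, as an added example that is not from the EC-Council module: a resolver-side check that a reply matches the query it sent, came from the server it asked, and keeps its extra records inside the zone that server is responsible for. All names, addresses and the transaction id are constructed test data.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class Record:
    name: str    # owner name, e.g. "www.example.test."
    rtype: str   # "A", "NS", ...
    data: str    # IP address or target name


@dataclass
class Response:
    txid: int            # transaction id echoed from the query
    src_ip: str          # address the UDP datagram came from
    qname: str           # question section as echoed by the server
    qtype: str
    answers: List[Record] = field(default_factory=list)
    additional: List[Record] = field(default_factory=list)


def _norm(name: str) -> str:
    """Lower-case and make absolute so comparisons ignore case and trailing dots."""
    return name.lower().rstrip(".") + "."


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner is the zone apex or lies below it."""
    owner, zone = _norm(owner), _norm(zone)
    return owner == zone or owner.endswith("." + zone)


def validate_response(resp: Response, sent_txid: int, sent_qname: str,
                      sent_qtype: str, server_ip: str, zone: str) -> List[str]:
    """Return the reasons to discard a response; an empty list means accept.

    zone is the zone whose server was queried, so additional records must
    stay inside it (CNAME chains are not modelled in this example).
    """
    problems = []
    if resp.txid != sent_txid:
        problems.append("transaction id does not match the query")
    if resp.src_ip != server_ip:
        problems.append(f"response came from {resp.src_ip}, not {server_ip}")
    if _norm(resp.qname) != _norm(sent_qname) or resp.qtype != sent_qtype:
        problems.append("question section does not match the query")
    for rr in resp.answers:
        if _norm(rr.name) != _norm(sent_qname):
            problems.append(f"answer record for unrelated name {rr.name}")
    for rr in resp.additional:
        if not in_bailiwick(rr.name, zone):
            problems.append(f"out-of-bailiwick additional record {rr.name}")
    return problems


# Constructed sample exchange: we asked example.test's server (203.0.113.10)
# for www.example.test A with transaction id 0x1a2b.
QUERY = dict(sent_txid=0x1A2B, sent_qname="www.example.test",
             sent_qtype="A", server_ip="203.0.113.10", zone="example.test")

GOOD = Response(0x1A2B, "203.0.113.10", "www.example.test", "A",
                answers=[Record("www.example.test.", "A", "203.0.113.80")],
                additional=[Record("ns1.example.test.", "A", "203.0.113.10")])

# A forged reply (constructed): wrong id, wrong source, and an additional
# record that tries to plant an address for an unrelated domain in the cache.
FORGED = Response(0x0001, "198.51.100.7", "www.example.test", "A",
                  answers=[Record("www.example.test.", "A", "198.51.100.80")],
                  additional=[Record("www.bank.test.", "A", "198.51.100.80")])


if __name__ == "__main__":
    for label, r in (("good", GOOD), ("forged", FORGED)):
        print(label, validate_response(r, **QUERY) or ["accepted"])
```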
Evidence Gathering from ARP Table
The MAC address, a part of the data-link layer, is associated with the system hardware
The ARP table of a router comes in handy for investigating network attacks, as the table contains IP addresses associated with their respective MAC addresses
The ARP table can be accessed using the command C:\> arp -a in the Windows OS
Evidence Gathering at the Data-link Layer: DHCP Database
The DHCP database determines the MAC addresses associated with the computer in custody
The DHCP server maintains a list of recent queries along with the MAC address and IP address
Documentation of the ARP table is done by:
• Photographing the computer screen
• Taking a screenshot of the table and saving it on disk
• Using the HyperTerminal logging facility
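Once both the ARP table and the DHCP lease list are documented they can be cross-checked; this added example (not from the module) parses Windows arp -a output and flags an IP whose MAC disagrees with its DHCP lease, or one MAC answering for several IPs, which is what an ARP-poisoned gateway entry looks like. The arp -a text and the lease list are constructed to match the slide's 10.0.0.0/24 scenario.

```python
import re
from collections import defaultdict

# Constructed "arp -a" output as documented from Rebecca's PC (10.0.0.3);
# the router is 10.0.0.254. Not a real capture.
ARP_SAMPLE = """\
Interface: 10.0.0.3 --- 0xb
  Internet Address      Physical Address      Type
  10.0.0.254            aa-bb-cc-dd-ee-ff     dynamic
  10.0.0.5              aa-bb-cc-dd-ee-ff     dynamic
  10.0.0.7              00-0c-29-12-34-56     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed DHCP lease list (IP -> MAC) as recorded from the DHCP server.
DHCP_LEASES = {
    "10.0.0.254": "00-11-22-33-44-55",  # the router's own NIC
    "10.0.0.5": "aa-bb-cc-dd-ee-ff",
    "10.0.0.7": "00-0c-29-12-34-56",
}

# One data row of Windows "arp -a": IPv4 address, dashed MAC, entry type.
ARP_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)",
    re.IGNORECASE,
)


def parse_arp(text):
    """Map IP -> (mac, type) from arp -a text; header lines do not match."""
    entries = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if m:
            entries[m.group(1)] = (m.group(2).lower(), m.group(3).lower())
    return entries


def find_anomalies(arp, leases):
    """Flag ARP entries that disagree with DHCP or share one MAC across IPs."""
    findings = []
    ips_by_mac = defaultdict(list)
    for ip, (mac, kind) in arp.items():
        if kind != "dynamic":      # static multicast/broadcast rows are expected
            continue
        ips_by_mac[mac].append(ip)
        expected = leases.get(ip)
        if expected and expected.lower() != mac:
            findings.append(f"{ip}: ARP has {mac} but DHCP lease has {expected.lower()}")
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            findings.append(f"{mac} claims {len(ips)} addresses: {', '.join(sorted(ips))}")
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(parse_arp(ARP_SAMPLE), DHCP_LEASES):
        print(finding)
```

A router that hands out its own address statically will not appear in the lease list, so a missing lease is reported as nothing here; only a contradicting lease is a finding.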
Screenshot: DHCP Log
Gathering Evidence by IDS
An IDS can be configured to capture the network traffic and generate alerts
Output of networking devices such as routers and firewalls can be recorded through a serial cable using the Windows HyperTerminal program or a UNIX script
If the amount of information to be captured is huge, record the on-screen events using a video camera or a screen-recording software program
Traffic Capturing and Analysis Tools
Tool: Tcpdump
http://www.tcpdump.org/
Tcpdump is a powerful tool that allows you to sniff network packets and make statistical analysis of these dumps
It operates by putting the network card into promiscuous mode
It may be used to measure response time and packet loss percentages, and to view TCP/UDP connection establishment and termination
It supports the following platforms:
• SunOS 3.x or 4.x, Solaris, HP-UX, IRIX, Linux, Ultrix and Digital UNIX, BSD
The Tcpdump report consists of:
• Captured packet count
• Received packet count
• “dropped by kernel” packet count
Screenshot: Tcpdump
Tool: Windump
http://www.winpcap.org/
WinDump is a version of tcpdump for the Windows platform
Commands for saving the captured data packets using Windump as a sniffer:
• C:\> windump -w filename.dmp
• The packets are stored in the C drive under the given filename. The packets can be analyzed by using a notepad
• C:\> windump -w filename.dmp -s 65535
• The above command can be used to specify the size of the Ethernet packet to be captured
Tool: Windump (cont’d)
http://www.winpcap.org/
Sample output of Windump:
• 20:50:00.037087 IP (tos 0x0, ttl 128, id 2572, len 46) 192.168.2.24.1036 > 64.12.24.42.5190: P [tcp sum ok] 157351:157357(6) ack 2475757024 win 8767 (DF)
The above entry can be deciphered as:
• 20:50:00.037087: timestamp
• IP (tos 0x0, ttl 128, id 2572, len 46): IP protocol header (type of service, time to live, identification, total length)
• 192.168.2.24.1036: source IP:port
• 64.12.24.42.5190: destination IP:port
• P: push flag
• [tcp sum ok]: TCP checksum verified
• 157351:157357: sequence numbers
• (6): bytes of data
• ack 2475757024: acknowledgement number
• win 8767: window size
• (DF): don’t fragment flag set
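The same decoding done programmatically, as an added example that is not the module's own code: a parser for the windump/tcpdump line format shown above, run over constructed sample lines, that also checks the byte count against the sequence range and aggregates packets per flow so an investigator can see which connections a report contains.

```python
import re
from collections import defaultdict

# Constructed lines in the same format as the slide's sample (not a real capture).
SAMPLE_LINES = [
    "20:50:00.037087 IP (tos 0x0, ttl 128, id 2572, len 46) 192.168.2.24.1036 > 64.12.24.42.5190: P [tcp sum ok] 157351:157357(6) ack 2475757024 win 8767 (DF)",
    "20:50:00.121554 IP (tos 0x0, ttl 52, id 9001, len 40) 64.12.24.42.5190 > 192.168.2.24.1036: . [tcp sum ok] ack 157357 win 16384",
    "20:50:01.000001 IP (tos 0x0, ttl 128, id 2573, len 48) 192.168.2.24.1037 > 10.1.1.1.80: S [tcp sum ok] 3000:3000(0) win 8192 (DF)",
]

LINE_RE = re.compile(r"""
    ^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+IP\s+
    \(tos\s+(?P<tos>0x[0-9a-fA-F]+),\s+ttl\s+(?P<ttl>\d+),\s+id\s+(?P<id>\d+),\s+len\s+(?P<len>\d+)\)\s+
    (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+
    (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+
    (?P<flags>[A-Z.]+)                               # S, P, F, R, or "." for none
    (?:\s+\[(?P<csum>tcp\s+sum\s+\w+)\])?            # checksum verdict from verbose output
    (?:\s+(?P<seq_start>\d+):(?P<seq_end>\d+)\((?P<bytes>\d+)\))?
    (?:\s+ack\s+(?P<ack>\d+))?
    (?:\s+win\s+(?P<win>\d+))?
    (?:\s+\((?P<df>DF)\))?
    \s*$
""", re.VERBOSE)

INT_FIELDS = ("ttl", "id", "len", "sport", "dport",
              "seq_start", "seq_end", "bytes", "ack", "win")


def parse_windump_line(line):
    """Return a dict of decoded fields, or None if the line is not TCP over IPv4."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in INT_FIELDS:
        rec[key] = int(rec[key]) if rec[key] is not None else None
    rec["tos"] = int(rec["tos"], 16)
    rec["df"] = rec["df"] == "DF"
    rec["syn"] = "S" in rec["flags"]
    rec["push"] = "P" in rec["flags"]
    # The byte count in parentheses must equal seq_end - seq_start; a mismatch
    # means the line was mangled (for example by wrapping in a printed report).
    if rec["bytes"] is not None and rec["seq_end"] - rec["seq_start"] != rec["bytes"]:
        rec["warning"] = "byte count disagrees with sequence range"
    return rec


def summarize(lines):
    """Aggregate packets and payload bytes per (src, sport, dst, dport) flow."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "syn": False})
    for line in lines:
        rec = parse_windump_line(line)
        if rec is None:
            continue
        key = (rec["src"], rec["sport"], rec["dst"], rec["dport"])
        flows[key]["packets"] += 1
        flows[key]["bytes"] += rec["bytes"] or 0
        flows[key]["syn"] |= rec["syn"]
    return dict(flows)


if __name__ == "__main__":
    for key, stats in summarize(SAMPLE_LINES).items():
        print(key, stats)
```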
Screenshot: Windump
Tool: NetIntercept
http://www.sandstorm.net
NetIntercept captures and archives network traffic, so you can analyze problems as soon as they are detected
It correlates user sessions and reconstructs files transmitted or received over the network, giving you immediate evidence of misbehavior
Using NetIntercept, you can discover security breaches, points of regulatory non-compliance and network problems, and shift your focus from finding problems to fixing them
Screenshot: NetIntercept
Tool: Wireshark
http://www.wireshark.org/
Wireshark is a network protocol analyzer for UNIX and Windows
It allows the users to examine data from a live network or from a file stored on the disk
The user can interactively browse the captured data, viewing summary and detailed information of each packet captured
Screenshot: Wireshark
Traffic Capturing and Analysis Tools
CommView is a network monitor capable of capturing and analyzing packets on any Ethernet network
Softperfect Network Sniffer is a network protocol analyzer or sniffer
Traffic Capturing and Analysis Tools (cont’d)
HttpDetect (EffeTech HTTP Sniffer) is an HTTP sniffer, packet analyzer, content rebuilder and HTTP traffic monitor
EtherDetect Packet Sniffer is a connection oriented packet sniffer and protocol analyzer
Traffic Capturing and Analysis Tools (cont’d)
OmniPeek Workgroup is a full-featured, stand-alone network forensic analysis tool
Iris Network Traffic Analyzer is a vulnerability forensics solution used for network traffic analysis and reporting
Traffic Capturing and Analysis Tools (cont’d)
SmartSniff is a TCP/IP packet capture program that allows you to inspect the network traffic that passes through the network adapter
NetSetMan allows you to quickly switch between pre-configured network settings
Traffic Capturing and Analysis Tools (cont’d)
Distinct Network Monitor displays live network traffic statistics
MaaTec Network Analyzer is a tool used for capturing, saving, and analyzing network traffic
Traffic Capturing and Analysis Tools (cont’d)
Ntop is a network traffic probe that shows network usage on the user’s terminal
EtherApe displays the network activity graphically by featuring link layer, IP, and TCP modes
Traffic Capturing and Analysis Tools (cont’d)
Colasoft Capsa Network Analyzer is a TCP/IP network sniffer and analyzer that offers real-time monitoring and data analysis of network traffic
Colasoft EtherLook monitors real time network traffic flowing around local network and to/from the Internet efficiently
Traffic Capturing and Analysis Tools (cont’d)
AnalogX PacketMon allows you to capture IP packets that pass through a network interface, whether they originate from the machine on which PacketMon is installed or from a completely different machine on the network
BillSniff is a network protocol analyzer (sniffer) that provides detailed information about the current traffic, as well as overall protocol statistics
Traffic Capturing and Analysis Tools (cont’d)
IE HTTP Analyzer is an add-in for Internet Explorer that allows you to capture HTTP/HTTPS traffic in real time
EtherDetect Packet Sniffer captures and groups all network traffic and allows you to view real-time details for each packet, as well as the content
Traffic Capturing and Analysis Tools (cont’d)
EtherScan Analyzer captures and analyzes the packets over local network
Sniphere is a WinPCAP network sniffer that supports most of the common protocols
Traffic Capturing and Analysis Tools (cont’d)
IP Sniffer is a protocol analyzer that supports filtering rules, adapter selection, packet decoding, advanced protocol description, etc.
Atelier Web Ports Traffic Analyzer is a network traffic sniffer and logger that allows you to monitor all Internet and network traffic on your PC and view the actual content of the packets
Traffic Capturing and Analysis Tools (cont’d)
IPgrab is a verbose packet sniffer for UNIX hosts
Nagios is a host and service monitor designed to run under the Linux operating system
Traffic Capturing and Analysis Tools (cont’d)
Give Me Too is an affordable packet sniffer, network analyzer, and network sniffer that plugs into computer networks and monitors any Internet and e-mail activity that occurs in them
Sniff-O-Matic is a network protocol analyzer and packet sniffer that captures the network traffic and enables you to analyze the data
EtherSnoop
http://www.arechisoft.com/
EtherSnoop is a network sniffer designed for capturing and analyzing the packets going through the network
It captures the data passing through your dial-up connection or network Ethernet card, analyzes the data, and represents it in a readable form
GPRS Network Sniffer: Nokia LIG
The Nokia LIG sniffs GPRS traffic
It provides a precise solution for constructing a GPRS interception system
It is sold only to law enforcement agencies
The architecture of the implementation comprises:
• Lawful Interception Controller (LIC)
• Lawful Interception Browser (LIB)
• Lawful Interception Extension (LIE)
GPRS Network Sniffer: Nokia LIG (cont’d)
Siemens Monitoring Center
http://networks.siemens.com/
When it comes to fighting crime and thwarting terrorist attacks, law enforcement and government security agencies need the right tools to get results and fulfill their mandate
Therefore, state-of-the-art monitoring center solutions are a must for lawful interception (LI)
The Siemens Monitoring Center (MC) has been specifically developed to fulfill the complex needs of law enforcement agencies worldwide
More than 90 Monitoring Center solutions have been installed by Siemens Voice and Data Recording (VDR) in over 60 countries
The VDR system intercepts voice, data, GPRS traffic, cell, e-mail messages, and encrypted data
It is sold only to law enforcement agencies
Siemens Monitoring Center (cont’d)
Universal Monitoring Center concept for all monitoring requirements within telecommunication networks:
• Fixed networks PSTN (local and international exchanges)
• Mobile networks GSM, GPRS, and UMTS
• Next Generation Networks (NGN)
• IP Networks (local loop, ISP, and Internet backbone)
• Automatic correlation of content of communication to IRI
Siemens Monitoring Center (cont’d)
• Mono and stereo, optionally compressed, voice recording
• Full duplex/no compression recording for data demodulation (fax, Internet, e-mails etc.)
• Customized add-on applications
• Centralized or distributed Monitoring Center (Monitoring Center-to-go)
• Scalable and adaptable to customer requirements
• Joint roadmap for upcoming telecommunications technology in the Monitoring Center (UMTS, NGN, ETSI-Internet)
Screenshot: Siemens Monitoring Center
NetWitness® Investigator
http://www.netwitness.com/
It provides security operations staff, auditors, and fraud and forensics investigators the power to perform free-form contextual analysis of raw network data
Features:
• SSL Decryption (with server certificate)
• Interactive time charts and summary view
• Interactive packet view and decode
• Hash Pcap on Export
• Enhanced content views
• Real-time analytics
• Extensive network and application layer filtering (e.g. MAC, IP, User, Keywords, etc.)
• IPv6 support
• Captures live from any wired or wireless interface
• Full content search, with Regex support
• Exports data in .pcap format
• Imports packets from any open-source, home-grown and commercial packet capture system (e.g. .pcap file import)
• Bookmarking & History Tracking
• Integrated GeoIP for resolving IP addresses to city/county, supporting Google Earth visualization
Screenshot: NetWitness® Investigator
NetWitness® Informerhttp://www.netwitness.com/
NetWitness® Informer provides detailed reporting, charting and alerting on network performance, insider threats, data leakage, compliance monitoring, I/T asset misuse, hacker activities, and a host of other threats
Features:
• Predefined report rules, categories and templates • Flexible, WYSIWYG drag-and-drop report builder & scheduling engine • Fully customizable, XML-based rules and report library for infinite report and alert combinations • Live-charting for real-time dashboard of activity • Full role-based access controls • Supports CEF, SNMP, syslog, SMTP data push
Report Examples:
• Security - profile and alert on zero-day, botnet, DYN, DNS, and intrusion activity with complete content
• Compliance - audit network-based components of policies and regulations such as FISMA, HIPAA, ISO 1779, SOX/GLB, and PCI standards
• IT Operations - report and chart across application and network layer metrics
• Business Intelligence - profile sensitive data flow in real time with total access to all events and content surrounding suspect activity
• Insider Threat - monitor and profile computer, user, and resource activity across every application and device
• Legal - support e-Discovery, criminal investigations, or liability audits through network entity profiling and analysis
Screenshot: NetWitness® Informer
NetResident (http://www.tamos.com/)
NetResident is a network content monitoring program that captures, stores, analyzes, and reconstructs network events such as e-mail messages, web pages, downloaded files, instant messages, and VoIP conversations
nGenius InfiniStream (http://www.netscout.com/)
NetScout's real-time analysis and packet recording minimizes mean time to resolution by:
• Eliminating the need to sift through numerous packet trace files to find specific network or link behavior
• Alleviating the need to wait for an issue to reoccur, by using continuous packet capture and playback to view the packets associated with an issue
• Mining the recorded data with an efficient, flexible, and logical methodology to reveal issues much faster and meet the challenges of the modern IP network
• Delivering the post-event forensic analysis necessary to diagnose problems quickly and minimize the impact on the end user
InfiniStream, combined with NetScout analysis and reporting solutions, provides the critical KPI-to-Flow-to-Packet top-down workflow needed to quickly and efficiently detect, diagnose, and verify the resolution of elusive and intermittent IT service problems
Screenshot: Infinistream Console
eTrust Network Forensics (http://www3.ca.com/)
eTrust Network Forensics captures raw network data and uses advanced forensics analysis to identify how business assets are affected by network exploits, internal data theft, and security or HR policy violations
Its patented technology allows IT and security staff to visualize the network’s activity, uncover anomalous traffic, and investigate breaches with a single and convenient solution
• Powerful forensic analysis — links network data with security alerts
• Holistic view of network element dependencies through a knowledge base
• Quickly discovers network anomalies or trouble spots
• Effectively visualizes communications in interactive 2D graphs
• Enhances existing security investments with graphical reports
Screenshot: eTrust Network Forensics
ProDiscover Investigator (http://www.techpathways.com/)
ProDiscover Investigator examines disk contents on systems throughout the network
It checks for illegal activity or for compliance with company policy and gathers evidence for potential use in legal proceedings
P2 Enterprise Shuttle (P2EES) (http://www.paraben-enterprise.com/)
P2EES is an enterprise investigation tool that views, acquires, and searches client data wherever it resides in an enterprise
It monitors the main communications passing through the system, as well as those passing through routers and firewalls
It acts as the central repository for all forensic images collected and is integrated with MySQL
Screenshot: P2 Enterprise Shuttle
Show Traffic (http://demosten.com/)
Show Traffic monitors network traffic on the chosen network interface and displays it continuously
It helps locate suspicious network traffic and evaluate the current utilization of the network interface
Network Probe (http://objectplanet.com/)
Network Probe identifies the traffic that is causing problems on the network
It shows who is generating the troublesome traffic, and where that traffic is being transmitted to or received from
Snort Intrusion Detection System (http://snort.org/)
Snort is a versatile, lightweight, and useful intrusion detection system
Snort logs packets in either tcpdump binary format or in Snort's decoded ASCII format to log directories that are named based on the IP address of the foreign host
Plug-ins allow the detection and reporting subsystems to be extended
Available plug-ins include database logging, small fragment detection, portscan detection, and HTTP URI normalization
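Snort's tcpdump-format logging and its per-foreign-host directory layout, shown as an added example that is not Snort's code or part of the original module: a minimal parser for the classic little-endian pcap (tcpdump) format that buckets IPv4 packets by the non-local endpoint. The home network range and the three-packet sample capture are constructed assumptions.

```python
import struct
import ipaddress
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4  # little-endian, microsecond-resolution tcpdump capture
LINKTYPE_ETHERNET = 1

def parse_pcap(data):
    """Yield (timestamp, src_ip, dst_ip) for every IPv4-over-Ethernet record."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, link = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC or link != LINKTYPE_ETHERNET:
        raise ValueError("not a little-endian Ethernet tcpdump capture")
    off = 24  # the global header is 24 bytes; each record has a 16-byte header
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # truncated record or non-IPv4 EtherType: skip it
        ip = frame[14:]  # IPv4 header: source at offset 12, destination at 16
        src, dst = (str(ipaddress.IPv4Address(ip[i:i + 4])) for i in (12, 16))
        yield ts_sec + ts_usec / 1_000_000, src, dst

def group_by_foreign_host(data, home_net):
    """Bucket records by the non-local endpoint, mirroring Snort's per-host log dirs.
    home_net (assumed, e.g. "10.0.0.0/8") is the range treated as the monitored side."""
    home = ipaddress.ip_network(home_net)
    buckets = defaultdict(list)
    for ts, src, dst in parse_pcap(data):
        foreign = dst if ipaddress.ip_address(src) in home else src
        buckets[foreign].append((ts, src, dst))
    return dict(buckets)

def _frame(src, dst):
    eth = b"\x00" * 12 + b"\x08\x00"  # constructed Ethernet header, EtherType IPv4
    ip = bytes([0x45, 0, 0, 40]) + b"\x00\x00\x40\x00\x40\x06\x00\x00"  # IHL 5, TCP
    ip += ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
    return eth + ip + b"\x00" * 20  # zeroed 20-byte payload; checksum not computed

def build_sample_pcap():
    """Constructed three-packet capture: two flows between 10.0.0.5 and outside hosts."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    pkts = [(1700000000, 0, "10.0.0.5", "203.0.113.7"), (1700000000, 500000, "203.0.113.7", "10.0.0.5"),
            (1700000001, 0, "10.0.0.5", "198.51.100.9")]
    body = b""
    for sec, usec, s, d in pkts:
        f = _frame(s, d)
        body += struct.pack("<IIII", sec, usec, len(f), len(f)) + f
    return hdr + body
```

Running `group_by_foreign_host(build_sample_pcap(), "10.0.0.0/8")` yields one bucket per outside host, which is the same grouping Snort applies when it names log directories after the foreign address.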
Figure: Snort IDS Placement (network diagram; the only label that survived extraction is "Firewall")
IDS Policy Manager (http://www.activeworx.org)
IDS Policy Manager has been the de facto standard for managing Snort rules on Windows. It lets you create Snort rules graphically
Documenting the Evidence Gathered on a Network
If the network logs are small, you can take a printout and attest to it
Document the evidence gathering process by recording:
• The name of the person who collected the evidence
• Where the evidence was collected from
• The procedure used to collect the evidence and the reason for collecting it
The process of documenting digital evidence on a network becomes more complex when the evidence is gathered from systems in remote locations
Evidence Reconstruction for Investigation
Gathering evidence trails on a network is cumbersome for the following reasons:
• Evidence is not static and is not concentrated at a single point on the network
• The variety of hardware and software found on the network makes the evidence gathering process more difficult
Three fundamentals of reconstruction for investigating crime are:
• Temporal analysis: helps to identify the time and sequence of events
• Relational analysis: helps to identify the link between the suspect and the victim with respect to the crime
• Functional analysis: helps to identify the events that triggered the crime
Summary
There are two types of network addressing schemes: LAN Addressing and Internetwork Addressing
A sniffer is computer software or hardware that can intercept and log traffic passing over a digital network or part of a network
The ARP table of a router comes in handy for investigating network attacks, as the table contains IP addresses associated with their respective MAC addresses
The DHCP server maintains a list of recent queries along with the MAC address and IP address
IDS can be configured to capture network traffic when an alert is generated