An Introduction to
Network Forensics
Identifying Reconnaissance and Attack
Processes on the Network

Laura Chappell
Founder | Wireshark University
SHARKFEST '08
Foothill College
March 31 - April 2, 2008
Case Studies
1.   Company servers ‘locked down’ on Thanksgiving morning; traffic
     paths indicate tunnel into network from a foreign country
2.   Network traffic to and from the compromised host revealed a back-
     channel and the propagator of the malicious code
3.   Excessive outbound traffic alerted the staff to a possible data leak;
     examination of the data flow and the target confirmed the leak
4.   Unique peer-to-peer data flow prompted the IT team to investigate;
     the investigation revealed improper network use, but no security leak
Tap-In Points
    Hub networks: Easy
    Switch networks: Issues
    Routed networks: Issues
    Full-duplex: Issues
Evidence of Reconnaissance
    TCP scans (excessive RSTs)
    UDP scans (excessive ICMP Type 3/Code 3)
    IP scans (excessive ICMP Type 3/Code 2)
    OS fingerprinting (ICMP type 13, 15 and 17)
    Address scans (‘dark IP’ or ‘dark MAC’ hits)
    Application scans (unusual responses)

Download the free ICMP protocol poster:
www.packet-level.com/downloads.htm
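The reconnaissance indicators on this slide can be turned into a simple per-host tally. The following is an added example, not code from the talk or from Laura's Lab Kit; the packet summaries are constructed, and the record layout, threshold and indicator names are assumptions made for the illustration.

```python
from collections import Counter, defaultdict

# Constructed packet summaries standing in for trace-file records (not the
# talk's pcaps). Each is (src, dst, kind, arg): kind "rst" for a TCP reset
# (arg is the port) or "icmp" (arg is the (type, code) pair).
PACKETS = (
    [("10.0.0.5", "10.0.0.99", "rst", p) for p in range(20, 28)]          # targets answering a TCP scan
    + [("10.0.0.7", "10.0.0.99", "icmp", (3, 3)) for _ in range(6)]      # port unreachable: UDP scan
    + [("10.0.0.8", "10.0.0.99", "icmp", (3, 2)) for _ in range(6)]      # protocol unreachable: IP scan
    + [("10.0.0.99", "10.0.0.7", "icmp", t) for t in ((13, 0), (15, 0), (17, 0))]  # OS fingerprinting probes
    + [("10.0.0.5", "10.0.0.21", "rst", 80)]                             # one ordinary refused connection
)

THRESHOLD = 5  # assumed per-host count above which an indicator is reported

def tally(packets):
    """Count the slide's indicators per host.

    RSTs and ICMP unreachables flow from the probed hosts back to the
    scanner, so they are tallied against the packet's destination; the
    fingerprinting requests are sent by the scanner, so those are tallied
    against the source.
    """
    hits = defaultdict(Counter)
    for src, dst, kind, arg in packets:
        if kind == "rst":
            hits[dst]["tcp_scan_rsts"] += 1
        elif kind == "icmp":
            if arg == (3, 3):
                hits[dst]["udp_scan_port_unreach"] += 1
            elif arg == (3, 2):
                hits[dst]["ip_scan_proto_unreach"] += 1
            elif arg[0] in (13, 15, 17):
                hits[src]["os_fingerprint_probes"] += 1
    return hits

def findings(packets, threshold=THRESHOLD):
    """Return {host: [indicator, ...]} for hosts whose counts exceed the
    threshold; timestamp/information/address-mask requests are rare enough
    on most networks that a single one is reported."""
    out = {}
    for host, counts in tally(packets).items():
        flagged = [name for name, n in counts.items()
                   if n > threshold or (name == "os_fingerprint_probes" and n >= 1)]
        if flagged:
            out[host] = sorted(flagged)
    return out

if __name__ == "__main__":
    for host, indicators in findings(PACKETS).items():
        print(host, ", ".join(indicators))
```

The single refused connection to 10.0.0.21 stays below the threshold, which is the point of counting per host rather than alerting on every RST.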
Evidence of Attacks and Breaches
    Unusual communication pairs
    Unusual protocols and ports
    Excessive failed connections
    Unusual inbound connections
    Unusual outbound connections
    Peer-to-peer traffic paths
Reviewing Unusual Traffic

bootup-infection.pcap     (not a public trace file)
nmap-ipscan.pcap          (LLK9)
active-scan.pcap          (LLK9)
sick-client.pcap          (LLK9)


Signature information:
    www.snort.org
    www.bleedingthreats.net
What’s Next?
Laura’s Lab Kit v9
In show bags as well as…
ISO image: www.novell.com/connectionmagazine/laurachappell.html