File000140

Module XXVII – Investigating Network
Traffic

EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
News: Internet Traffic Begins to
Bypass the U.S.
Source: http://www.nytimes.com/

EC-Council
News: TCP Flooder Program
Released for Free
Source: http://www.mxlogic.com/

EC-Council
Scenario
Jessica was missing from her home for a week. She has left
a note for her father mentioning that she was going to meet
her school friend. Few weeks later Jessica’s dead body was
found near a dumping yard.
Investigators were called in to reveal the mystery that
surrounded Jessica’s death. Preliminary investigation of
Jessica’s computer and logs revealed some facts which
helped the cops trace the killer.

EC-Council
Module Objective
• Overview of Network Protocols
• Overview of Physical and Data-link Layer of the OSI Model
• Overview of Network and Transport Layer of the OSI Model
• Types of Network Attacks
• Why to Investigate Network Traffic?
• Evidence Gathering via Sniffing
• Tools
• Documenting the Evidence Gathered on a Network
• Evidence Reconstruction for Investigation
This module will familiarize you with:

EC-Council
Module Flow
Tools
Evidence Reconstruction
for Investigation
Types of Network Attacks
Why to Investigate
Network Traffic?
Evidence Gathering
via Sniffing
Overview of Network and
Transport Layer of the
OSI Model
Overview of Physical and
Data-link Layer of the
OSI Model
Overview of Network
Protocols
Documenting the Evidence
Gathered on a Network

EC-Council
Network Addressing Schemes
• Each node in LAN has a MAC address that is factory-
programmed into its NIC
• Data packets are addressed to either one of the nodes or all
of the nodes
LAN Addressing
• Internet is a collection of LANs and/or other networks that
are connected with routers
• Each network has a unique address and each node on the
network has a unique address, so an Internet address is
combination of network and node addresses
• IP is responsible for network layer addressing in the
TCP/IP protocol
Internet Addressing
There are two types of network addressing schemes:

EC-Council
OSI Reference Model

EC-Council
Overview of Network Protocols
Data Unit Layer Function Protocols
Host
Layer
Data
Application
Network process to
application
HTTP, SMTP,
NNTP,
TELNET, FTP,
NMP, TFTPPresentation
Data representation and
encryption
Session Interhost communication
Segments Transport
End-to-end connections and
reliability
UDP, TCP
Media
Layer
Packets Network
Path determination and
logical addressing (IP)
ARP, RARP,
ICMP,IGMP, IP
Frames Data Link
Physical addressing (MAC &
LLC)
PPP, SLIP
Bits Physical
Media, signal and binary
transmission

EC-Council
TCP/ IP Protocol

EC-Council
Overview of Physical and Data-
Link Layer of the OSI Model
• It helps in transmitting data bits over a physical channel
• It has a set of predefined rules that physical devices and
interfaces on a network have to follow for data transmission to
take place
Physical layer:
• It controls error in transmission by adding a trailer to the end of
the data frame
Data-link layer:

EC-Council
• It is responsible for sending information from the source to a
destined address across various links
• It adds logical addresses of the sender and receiver to the header
of the data packet
Network layer:
• The transport layer ensures the integrity and order of the message
sent by the source to its destination
• It also controls the error and flow control in the transmission
Transport layer:
Overview of Network and
Transport Layer of the OSI Model

EC-Council
Types of Network Attacks
IP Spoofing
Router attacks
Eavesdropping
Denial of service
Man-in-the-Middle Attack
Sniffer Attack
Data Modification

EC-Council
Why to Investigate Network
Traffic
To locate suspicious network traffic
To know who is generating the troublesome traffic, and where the
traffic is being transmitted to or received from
To identify network problems

EC-Council
Evidence Gathering Via Sniffing
Sniffer is a computer software or hardware that can
intercept and log traffic passing over a digital network or
part of a network
Sniffers, which put NICs in promiscuous mode, are used to
collect digital evidence at the physical layer
SPANned ports, hardware taps help sniffing in a switched
network
Sniffers collect traffic from the network and transport
layers other than the physical and data-link layer
Investigators should configure sniffers for the size of
frames to be captured

EC-Council
Acquiring Traffic Using DNS
Poisoning Techniques
The substitution of a false Internet provider address at the domain name
service level (e.g., where web addresses are converted into numeric Internet
provider addresses)
DNS poisoning is a technique that tricks a DNS server into believing it has
received authentic information when, in reality, it has not
• Intranet DNS Spoofing (Local network)
• Internet DNS Spoofing (Remote network)
• Proxy Server DNS Poisoning
• DNS Cache Poisoning
Types of DNS Poisoning:

EC-Council
Intranet DNS Spoofing (Local
Network)
For this technique, you must be connected to the local area network (LAN) and be able
to sniff packets
Works well against switches with ARP poisoning of the router
Router
IP 10.0.0.254
Rebecca types
www.xsecurity.com in
her Web Browser
IP: 10.0.0.3
Hacker runs
arpspoof/dnsspoof
www.xsecurity.com
Hacker sets up fake
Website
www.xsecurity.com
IP: 10.0.0.5
DNS Request
What is the IP address of
www.xsecurity.com Real Website
www.xsecurity.com
IP: 200.0.0.45
Hacker’s fake website sniffs the credential
and redirects the request to real website
1
2
3 4
Hacker poisons
the router and all
the router traffic
is forwarded to
his machine

EC-Council
Internet DNS Spoofing (Remote
Network)
Send a Trojan to Rebecca’s machine and change her DNS IP address to that of the attacker
Works across networks. Easy to set up and implement
Rebecca types
www.xsecurity.com in her
Web Browser
Hacker runs DNS
Server in Russia
IP: 200.0.0.2
Real Website
www.xsecurity.com
IP: 200.0.0.45
Hacker’s fake website sniffs the
credential and redirects the
request to real website
5
Fake Website
IP: 65.0.0.2
Hacker’s infects Rebecca’s
computer by changing her DNS
IP address to: 200.0.0.2
1
2
3
4

EC-Council
Internet DNS Spoofing
Steps to redirect all the DNS request traffic from a host machine to you:
1.
• Set up a fake website on your computer
2.
• Install treewalk and modify the file mentioned in the readme.txt to your IP address. Treewalk
will make you the DNS server
3.
• Modify the file dns-spoofing.bat and replace the IP address with your IP address
4.
• Trojanize the dns-spoofing.bat file and send it to Jessica (ex: chess.exe)
5.
• When the host clicks the trojaned file, it will replace Jessica’s DNS entry in her TCP/IP
properties with that of your machine’s
6.
• You will become the DNS server for Jessica and her DNS requests will go through you
7.
• When Jessica connects to XSECURITY.com, she resolves to the fake XSECURITY website; you
sniff the password and send her to the real website

EC-Council
Proxy Server DNS Poisoning
Send a Trojan to Rebecca’s machine and change her proxy server settings in Internet Explorer to that
of the attacker
Works across networks. Easy to set up and implement
Rebecca types
www.xsecurity.com in her
Web Browser
Hacker runs Proxy
Server in Russia
IP: 200.0.0.2
Real Website
www.xsecurity.com
IP: 200.0.0.45
Hacker’s fake website sniffs
the credential and redirects
the request to real website
4
Fake Website
IP: 65.0.0.2
Hacker sends Rebecca’s request to fake website
2
3
1Hacker’s infects Rebecca’s
computer by changing her IE
Proxy address to: 200.0.0.2

EC-Council
DNS Cache Poisoning
To perform a cache poisoning attack, the attacker exploits a flaw in the DNS
server software that can make it accept incorrect information
If the server does not correctly validate DNS responses to ensure that they
have come from an authoritative source, it will end up caching the incorrect
entries locally and serve them to users that make the same request
• For example, an attacker poisons the IP address DNS entries for a target website on a
given DNS server, replacing them with the IP address of a server he controls
• He then creates fake entries for files on the server he controls with names matching
those on the target server

EC-Council
Evidence Gathering from ARP
Table
MAC address, a part of the data-link layer, is associated with the system
hardware
The ARP table of a router comes in handy for investigating network attacks as
the table contains IP addresses associated with the respective MAC addresses
ARP table can be accessed using the c:arp –a command in Windows OS

EC-Council
Evidence Gathering at the Data-
link Layer: DHCP Database
The DHCP database determines the MAC addresses associated with the
computer in custody
The DHCP server maintains a list of recent queries along with the MAC address
and IP address
• Photographing the computer screen
• Taking the screenshot of the table and saving it on
disk
• Using the HyperTerminal logging facility
Documentation of the ARP table is
done by:

EC-Council
Screenshot: DHCP Log

EC-Council
Gathering Evidence by IDS
IDS can be configured to capture the network traffic and generate alerts
Results of networking devices such as routers and firewalls, can be recorded
through a serial cable using Windows HyperTerminal program or by a UNIX
script
If the amount of information to be captured is huge, then record the onscreen
event using a video camera or a relative software program

EC-Council
Traffic Capturing and Analysis Tools

EC-Council
Tool: Tcpdump
http://www.tcpdump.org/
• Captured packet count
• Received packet count
• “dropped by kernel” packets count
Tcpdump report consists of:
• SunOS 3.x or 4.x , Solaris, HP-UX, IRIX, Linux, Ultrix and Digital UNIX, BSD
It supports the following platforms:
Tcpdump is a powerful tool that allows to sniff network packets and make statistical
analysis of these dumps
It operates by putting the network card into promiscuous mode
It may be used to measure the response time, packet loss percentages, and view
TCP/UDP connection Establishment and Termination

EC-Council
Screenshot: Tcpdump

EC-Council
Tool: Windump
http://www.winpcap.org/
• C:Windump –w filename.dmp
• The packets are stored in the C drive with the filename. The
packets can be analyzed by using a notepad
• C:Windump –w filename.dmp –s 65535
• The above command can be used to specify the size of the
Ethernet packet to be captured
Command for saving the captured data
packets using Windump as a sniffer:
WinDump is a version of tcpdump for Windows platform

EC-Council
Tool: Windump (cont’d)
http://www.winpcap.org/
• 20:50:00.037087 IP (tos 0x0, ttl 128, id 2572, len 46) 192.168.2.24.1036
> 64.12.24.42.5190: P [tcp sum ok] 157351:157357(6) ack 2475757024 win
8767 (DF)
Sample output of the Windump:
• timestamp  20:50:00.037087
• IP [protocol header]  tos 0x0, ttl 128, id 2572, len 46
• source IP:port  192.168.2.24.1036
• destination IP:port 64.12.24.42.5190:
• P [push flag] [tcp sum ok] 157351:157357
• [sequence numbers] (6) [bytes of data]
• acknowledgement and sequence number ack 2475757024
• window size (DF) [don’t fragment set] win 8767
The above entry can be deciphered as:

EC-Council
Screenshot: Windump

EC-Council
Tool: NetIntercept
http://www.sandstorm.net
NetIntercept captures and archives network traffic, so you can analyze
problems as soon as they are detected
It correlates user sessions and reconstructs files transmitted or received over
the network, giving you immediate evidence of misbehavior
Using NetIntercept, you can discover the security breaches, the points of
regulatory non-compliance, the network problems, and shift your focus from
finding problems to fixing them

EC-Council
Screenshot: NetIntercept

EC-Council
Tool: Wireshark
http://www.wireshark.org/
Wireshark is a network protocol analyzer for UNIX and Windows
It allows the users to examine data from a live network or from a file
stored on the disk
The user can interactively browse the captured data, viewing
summary and detailed information of each packet captured

EC-Council
Screenshot: Wireshark

EC-Council
Traffic Capturing and Analysis
Tools
CommView monitors the
network activity capable of
capturing and analyzing packets
on any Ethernet network
Softperfect Network Sniffer is
a network protocol analyzer or
sniffer

EC-Council
Tools (cont’d)
HttpDetect (EffeTech HTTP
Sniffer) is a HTTP sniffer, packet
analyzer, content rebuilder and http
traffic monitor
EtherDetect Packet Sniffer is a
connection oriented packet sniffer
and protocol analyzer

EC-Council
Tools (cont’d)
OmniPeek Workgroup is a full-
featured, stand-alone network forensic
analysis tool
Iris Network Traffic Analyzer is a
vulnerability forensics solution used
for network traffic analysis and
reporting

EC-Council
Tools (cont’d)
SmartSniff is a TCP/IP packet
capture program that allows you to
inspect the network traffic that passes
through the network adapter
NetSetMan allows you to quickly
switch between pre-configured
network settings

EC-Council
Tools (cont’d)
Distinct Network Monitor
displays live network traffic
Statistics
MaaTec Network Analyzer
tool used for capturing, saving,
and analyzing network traffic

EC-Council
Tools (cont’d)
Ntop is a network traffic probe that
shows network usage on user
terminal
EtherApe displays the network
activity graphically by featuring link
layer, IP, and TCP modes

EC-Council
Tools (cont’d)
Colasoft Capsa Network Analyzer
is a TCP/IP Network Sniffer and
Analyzer that offers real time
monitoring and data analyzing of the
network traffic
Colasoft EtherLook monitors real
time network traffic flowing around
local network and to/from the Internet
efficiently

EC-Council
Tools (cont’d)
AnalogX Packetmon allows to capture IP
packets that pass through network interface
- whether they originate from machine on
which PacketMon is installed, or a
completely different machine on the
network
BillSniff is a network protocol
analyzer (sniffer) that provides detailed
information about the current traffic,
as well as overall protocol statistics

EC-Council
Tools (cont’d)
IE HTTP Analyzer is an add-in for
Internet Explorer, that allows to capture
HTTP/HTTPS traffic in real-time
EtherDetect Packet Sniffer captures and
groups all network traffic and allows you to
view real-time details for each packet, as well
as the content

EC-Council
Tools (cont’d)
EtherScan Analyzer captures
and analyzes the packets over local
network
Sniphere is a WinPCAP network
sniffer that supports most of the
common protocols

EC-Council
IP sniffer is a protocol analyzer, that
supports filtering rules, adapter selection,
packet decoding, and advanced protocol
description etc.
Atelier Web Ports Traffic Analyzer is a
network traffic sniffer and logger that allows you
to monitor all Internet and network traffic on your
PC and view the actual content of the packets
Tools (cont’d)

EC-Council
Tools (cont’d)
IPgrab is a verbose packet sniffer
for UNIX hosts
Nagios is a host and service
monitor designed to run under the
Linux operating system

EC-Council
Tools (cont’d)
Give Me Too is an affordable packet
sniffer, network analyzer, and network
sniffer that plugs into computer
networks and monitors any Internet
and e-mail activity that occurs in them
Sniff - O - Matic is a network protocol
analyzer and packet sniffer that captures
the network traffic and enables you to
analyze the data

EC-Council
EtherSnoop
http://www.arechisoft.com/
EtherSnoop is a network
sniffer, designed for capturing,
and analyzing the packets going
through the network
It captures the data passing
through your dial-up connection
or network Ethernet card,
analyzes the data, and
represents it in a readable form

EC-Council
GPRS Network Sniffer: Nokia
LIG
• Lawful Interception Controller (LIC)
• Lawful Interception Browser (LIB)
• Lawful Interception Extension (LIE)
The architecture of implementation
comprises:
The Nokia LIG sniffs GPRS traffic
It provides precise solution for constructing the GPRS interception
system
It is sold only to Law enforcement agencies

EC-Council
GPRS Network Sniffer: Nokia
LIG (cont’d)

EC-Council
Siemens Monitoring Center
http://networks.siemens.com/
When it comes to fighting, crime and thwarting terrorist attacks, law
enforcement and government security agencies need the right tools
to get results and fulfill their mandate
Therefore, state-of-the-art monitoring center solutions are must for
lawful interception (LI)
The Siemens Monitoring Center (MC) has been specifically developed
to fulfill the complex needs of law enforcement agencies worldwide
More than 90 Monitoring Center solutions have been installed by
Siemens Voice and Data Recording (VDR) in over 60 countries
The VDR system intercepts voice, data, GPRS traffic, cell, e-mail
messages, and encrypted data
It is sold only to Law Enforcement Agencies

EC-Council
(cont’d)
• Fixed networks PSTN (local and international exchanges)
• Mobile networks GSM, GPRS, and UMTS
• Next Generation Networks (NGN)
• IP Networks (local loop, ISP, and Internet backbone)
• Automatic correlation of content of communication to IRI
Universal Monitoring Center concept for all
monitoring requirements within
telecommunication networks:

EC-Council
(cont’d)
Mono and stereo, optionally compressed, and voice recording
Full duplex/no compression recording for data demodulation (fax, Internet, e-
mails etc.)
Customized add-on applications
Centralized or distributed Monitoring Center (Monitoring Center-to-go)
Scalable and adaptable to customer requirements
Joint roadmap for upcoming telecommunications technology
Monitoring Center (UMTS, NGN, ETSI-Internet)

EC-Council
Screenshot: Siemens Monitoring
Center

EC-Council
NetWitness® Investigator
http://www.netwitness.com/
It provides security operations staff, auditors, and fraud and forensics investigators the
power to perform free-form contextual analysis of raw network data
Features:
• SSL Decryption (with server certificate)
• Interactive time charts, and summary view
• Interactive packet view and decode
• Hash Pcap on Export
• Enhanced content views
• Real-time analytics
• Extensive network and application layer filtering (e.g. MAC, IP, User, Keywords, Etc.)
• IPv6 support
• Captures live from any wired or wireless interface
• Full content search, with Regex support
• Exports data in .pcap format
• Imports packets from any open-source, home-grown and commercial packet capture system(e.g.
.pcap file import)
• Bookmarking & History Tracking
• Integrated GeoIP for resolving IP addresses to city/county, supporting Google Earth
visualization

EC-Council
Screenshot: NetWitness® Investigator

EC-Council
NetWitness® Informer
http://www.netwitness.com/
NetWitness® Informer provides detailed reporting, charting and alerting on network performance,
insider threats, data leakage, compliance monitoring, I/T asset misuse, hacker activities, and a host of
other threats
Features:
• Predefined report rules, categories and templates
• Flexible, WYSIWYG drag-and-drop report builder & scheduling engine
• Fully customizable, XML-based rules and report library for infinite report and alert combinations
• Live-charting for real-time dashboard of activity
• Full role-based access controls
• Supports CEF, SNMP, syslog, SMTP data push
Report Examples:
• Security - profile and alert on zero-day, BOTnet, DYN, DNS and intrusion activity with complete content
• Compliance - audit network-based components of policies and regulations such as FISMA, HIPPA, ISO 1779, SOXGLB,
and PCI standards
• IT Operations - report and chart across application and network layer metrics
• Business Intelligence - profile sensitive data flow in real-time with total access to all events and content surrounding
suspect activity
• Insider Threat - monitor and profile computer, user, and resource activity across every application and device
• Legal – support e-Discovery, criminal investigations, or liability audits through network entity profiling and analysis

EC-Council
Screenshot: NetWitness® Informer

EC-Council
NetResident
http://www.tamos.com/
NetResident is a
network content
monitoring program
that captures, stores,
analyzes, and
reconstructs network
events such as e-mail
messages, web pages,
downloaded files,
instant messages, and
VoIP conversations

EC-Council
nGenius InfiniStream
http://www.netscout.com/
• Eliminating the need to sift through numerous packet trace files to find
specific network or link behavior
• Alleviating the need to wait for an issue to reoccur by utilizing continuous
packet capture and playback to view the packets associated with an issue
• Mining the recorded data in an efficient, flexible and logical methodology
to reveal issues much faster and meet the challenges of the modern IP
network
• Delivering the post-event forensic analysis necessary to diagnose
problems quickly and minimize the impact on the end user
NetScout’s real-time analysis and packet recording
minimizes mean time to resolution by:
InfiniStream, combined with NetScout analysis and reporting solutions,
provides the critical KPI-to-Flow-to-Packet top-down workflow needed to
quickly and efficiently detect, diagnose and verify the resolution of elusive and
intermittent IT service problems

EC-Council
Screenshot: Infinistream
Console

EC-Council
eTrust Network Forensics
http://www3.ca.com/
eTrust Network Forensics captures raw network data and
uses advanced forensics analysis to identify how business
assets are affected by network exploits, internal data theft,
and security or HR policy violations
Its patented technology allows IT and security staff to
visualize the network’s activity, uncover anomalous traffic,
and investigate breaches with a single and convenient
solution
• Powerful forensic analysis — links network data with security
alerts
• Holistic view of network element dependencies through a
knowledge base
• Quickly discovers network anomalies or trouble spots
• Effectively visualizes communications in interactive 2D graphs
• Enhances existing security investments with graphical reports

EC-Council
Screenshot: eTrust Network
Forensics

EC-Council
ProDiscover Investigator
http://www.techpathways.com/
ProDiscover Investigator investigates the disk content throughout the network
It checks for illegal activity or for compliance to company policy and gathers
evidence for potential use in legal proceedings

EC-Council
P2 Enterprise Shuttle (P2EES)
http://www.paraben-enterprise.com/
P2EES is an enterprise investigation tool that views,
acquires, and searches client’s data wherever it
resides in an enterprise
It checks the main communications which pass
through for the system as well as for the routers and
firewalls
It acts as the central repository for all forensic
images collected and is integrated with MYSQL

EC-Council
Screenshot: P2 Enterprise
Shuttle

EC-Council
Show Traffic
http://demosten.com/
Show Traffic monitors network traffic on the chosen network interface and
displays it continuously
It locates suspicious network traffic or evaluates current utilization of the
network interface

EC-Council
Network Probe
http://objectplanet.com/
Network Probe identifies the
problem causing in the network
traffic
It shows who is generating the
troublesome traffic, and where
the traffic is being transmitted
or received

EC-Council
Snort Intrusion Detection System
http://snort.org/
Snort is a versatile, lightweight, and useful
intrusion detection system
Snort logs packets in either tcpdump binary
format or in Snort's decoded ASCII format to
log directories that are named based on the IP
address of the foreign host
Plug-ins allow the detection and reporting
subsystems to be extended
Available plug-ins include database logging,
small fragment detection, portscan detection,
and HTTP URI normalization

EC-Council
Snort IDS Placement
Firewall

EC-Council
IDS Policy Manager
http://www.activeworx.org
IDS Policy Manager has been the de facto standard for managing
Snort rules on Windows. You can create Snort rules graphically

EC-Council
Documenting the Evidence
Gathered on a Network
If the network logs are small, you can take a print-out and attest
Document the evidence gathering process by mentioning the name of
the person who collected the evidence, from where it was collected
• The procedure used to collect evidence and the reason for collecting
evidence
The process of documenting digital evidence on a network becomes
more complex when the evidence is gathered from systems which are
on remote locations

EC-Council
Evidence Reconstruction for
Investigation
• Evidence is not static and is not concentrated at a single
point on the network
• The variety of hardware and software found on the
network makes the evidence gathering process more
difficult
Gathering evidence trails on a network is
cumbersome for the following reasons:
• Temporal analysis; helps to identify time and sequence of
events
• Relational analysis; helps to identify the link between
suspect and the victim with respect to the crime
• Functional analysis; helps to identify events that triggered
the crime
Three fundamentals of reconstruction for
investigating crime are:

EC-Council
Summary
There are two types of network addressing schemes: LAN Addressing and
Internetwork Addressing
Sniffer is computer software or hardware that can intercept and log traffic
passing over a digital network or part of a network
The ARP table of a router comes handy for investigating network attacks as the
table contains IP addresses associated with the respective MAC addresses
The DHCP server maintains a list of recent queries along with the MAC address
and IP address
IDS can be configured to capture network traffic when an alert is generated

EC-Council

File000140

More Related Content

What's hot

Similar to File000140

More from Desmond Devendran

Recently uploaded

File000140