Module XXVIII – Router Forensics
EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
News: Spotted in the Wild: Home Router Attack Serves Up Counterfeit Pages
Source: http://www.theregister.co.uk/
News: Wifi Flu Viral Router Attack Could Hit Whole Cities
Source: http://arstechnica.com/
Scenario
Two Pinehurst men, Dalton Johnson, 37, and David Alan Brady, 40, were arrested on September 14, 2006, on charges of selling prescription drugs over the Internet. Their company allegedly sold generic versions of prescription steroids, drugs such as Valium and Xanax, and sex-enhancing drugs such as Viagra and Cialis. They were accused of selling unregulated drugs manufactured in Belize and marketed through "spam" e-mails as low-priced Canadian drugs. The e-mails directed customers to one of several web sites where they could order the drugs, which were then shipped from Belize.
The Drug Enforcement Administration (DEA) and the Food and Drug Administration (FDA) conducted the investigation along with other agencies. Moore County sheriff's deputies and federal investigators raided the homes of the two men and arrested them.
Module Objective
This module will familiarize you with:
• Router
• Router Architecture
• Routing Information Protocol
• Types of Router Attacks
• Router Forensics vs. Traditional Forensics
• Steps for Investigating Router Attacks
• Investigating Routers
• Incident Response
• Router Logs
• Router Auditing Tools
Module Flow
Router → Routing Architecture → Routing Information Protocol → Types of Router Attacks → Router Forensics vs. Traditional Forensics → Steps for Investigating Router Attacks → Incident Response → Router Logs → Router Auditing Tools
Router
A router is a computer networking device that forwards data packets between networks
It is connected to at least two networks, commonly a LAN and its ISP's network, or two LANs
Routing occurs at layer 3 (the Network layer, e.g. IP) of the OSI seven-layer protocol stack
Router software determines which of several possible paths between the source and destination addresses suits a particular transmission
It uses packet headers and forwarding tables to determine the best path for forwarding each packet
Routers learn and exchange reachability information through routing protocols such as RIP (covered below); ICMP is not a routing protocol, it carries error and diagnostic messages (for example, Destination Unreachable, Time Exceeded and Redirect) that complement forwarding
Functions of a Router
A router selects the most effective path for a packet to reach its final destination
It exchanges routing information (for example, link-state data) within and between routing domains
It acts as a default gateway for the hosts on its connected LANs
It confines network broadcasts to the local LAN
It can act as a "protocol translator" between different link-layer media where suitable hardware and software are present
A Router in an OSI Model
[Figure: System A and System B each implement layers 1 to 7 (Physical, Data Link, Network, Transport, Session, Presentation, Application); the router between them implements only layers 1 to 3 (Physical, Data Link, Network). Layers 4 to 7 are exchanged end to end between the two systems and are not processed by the router.]
Routing Table and its Components
The routing table determines the next hop and outgoing interface toward each destination network; the final destination itself is fixed by the packet's destination address
Each entry consists of the following:
• An address prefix (network address and prefix length)
• The interface on which packets matching the prefix are forwarded
• A next-hop address
• A preference value (such as administrative distance or metric) for choosing between several routes to the same prefix
• Route lifetime or age
• A flag showing whether the route is advertised in routing updates
• The kind of route (connected, static, or learned from a routing protocol)
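As an added example (not part of the EC-Council module), the following Python code models a routing table with the components listed above and performs the lookup a router makes for every packet: longest prefix match first, then the preference value as tie-breaker between routes to the same prefix. The prefixes, interface names, next hops and preference values are constructed for illustration; the preference numbers mimic Cisco administrative distances (connected 0, static 1, RIP 120) but the table is not output from a real device.

```python
"""Routing-table lookup: longest prefix match, then preference.

Added example, not from the EC-Council module. All table entries are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network   # address prefix
    interface: str                  # interface packets matching the prefix leave on
    next_hop: Optional[str]         # None for a directly connected network
    preference: int                 # lower is preferred between routes to the same prefix
    kind: str                       # "connected", "static" or "rip"


class RoutingTable:
    def __init__(self, routes: List[Route]):
        self.routes = list(routes)

    def lookup(self, dst: str) -> Optional[Route]:
        """Return the route a packet to `dst` is forwarded by, or None if nothing matches."""
        addr = ipaddress.IPv4Address(dst)
        candidates = [r for r in self.routes if addr in r.prefix]
        if not candidates:
            return None
        # Most specific prefix wins; among equal prefixes the lowest preference wins.
        return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.preference))


# Constructed sample table (assumed values, not output from a real device).
TABLE = RoutingTable([
    Route(ipaddress.IPv4Network("0.0.0.0/0"),   "Serial0/0",       "198.51.100.1", 1,   "static"),
    Route(ipaddress.IPv4Network("10.0.0.0/8"),  "Serial0/1",       "10.255.255.1", 120, "rip"),
    Route(ipaddress.IPv4Network("10.1.0.0/16"), "FastEthernet0/0", None,           0,   "connected"),
    Route(ipaddress.IPv4Network("10.1.0.0/16"), "Serial0/1",       "10.255.255.1", 120, "rip"),
])


def forwarding_decision(dst: str, table: RoutingTable = TABLE) -> Optional[Tuple[str, Optional[str], str]]:
    """(interface, next_hop, kind) for a destination address, as the forwarding engine would pick."""
    route = table.lookup(dst)
    return None if route is None else (route.interface, route.next_hop, route.kind)


def without_default(table: RoutingTable = TABLE) -> RoutingTable:
    """Same table minus the default route, to show what happens when nothing matches."""
    return RoutingTable([r for r in table.routes if r.prefix.prefixlen > 0])


if __name__ == "__main__":
    for dst in ("10.1.2.3", "10.200.0.9", "192.0.2.10"):
        print(dst, "->", forwarding_decision(dst))
    print("192.0.2.10 without default ->", forwarding_decision("192.0.2.10", without_default()))
```

Note that 10.1.2.3 is forwarded out FastEthernet0/0 even though the RIP-learned 10.0.0.0/8 and a RIP route for the same /16 also match: the connected /16 is both the longest prefix and, among the two /16 routes, the one with the lower preference. An attacker who can inject a more specific prefix (say a /24 inside 10.1.0.0/16) therefore wins the lookup regardless of preference, which is why the routing table poisoning discussed later is so effective.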
Router Architecture
Hardware
• Model/Series
• Content: Motherboard, CPU, Input/Output Interfaces
Memory
• Non-Volatile Random Access Memory (NVRAM)
• Content: Startup configuration
• Static RAM/Dynamic RAM
• Content: Running Internetwork Operating System (IOS), routing tables, running configuration
• BootROM
• Content: ROMMON code
• Flash
• Content: IOS image (referred to later in this module; it normally does not change while the router runs)
Routing Information Protocol
RIP is a distance-vector protocol: it sends routing-update messages at regular intervals (every 30 seconds by default) and when the network topology changes
When a router receives a routing update that includes changes to an entry, it updates its routing table to reflect the new route
The distance between the source and the destination network is measured with a hop-count metric; a hop count of 16 means the destination is unreachable, so RIP is limited to paths of 15 hops
RIP routers maintain only the best route (the route with the lowest metric value) to a destination
After updating its routing table, the router immediately sends a triggered update to inform neighboring routers of the change
RIP version 1 updates carry no authentication, so any host on the segment can inject routes; RIP version 2 supports plain-text and keyed MD5 authentication of updates
Implications of a Router Attack
If an intruder can acquire control over a router, he/she can:
• Interrupt communications by dropping or misrouting packets passing through the router
• Completely disable the router and its network
• Compromise other routers in the network and possibly neighboring networks
• Observe and log both incoming and outgoing traffic
• Bypass firewalls and Intrusion Detection Systems
• Forward any kind of traffic into the compromised network
Router Vulnerabilities
HTTP Authentication Vulnerability
• Using a URL such as http://router.address/level/$NUMBER/exec/.... where $NUMBER is an integer between 16 and 99, it is possible for a remote user to gain full administrative access to an affected router with the HTTP server enabled
NTP Vulnerability
• By sending a crafted NTP control packet, it is possible to trigger a buffer overflow in the NTP daemon
SNMP Parsing Vulnerability
• Malformed SNMP messages received by affected systems can cause various parsing and processing functions to fail, which results in a system crash and reload
• In some cases, access-list statements on the SNMP service do not protect the device
Types of Router Attacks
Denial of Service attack
Packet mistreating attacks
Routing table poisoning
Flooding
Hit-and-run attacks
Persistent attacks
Router Attack Topology
Denial of Service (DoS) Attacks
A DoS attack overloads the router and renders it inaccessible to legitimate network users
A DoS attack may take the form of:
Destruction
• Damaging the router's ability to operate (for example, crashing it or corrupting its configuration)
Resource Utilization
• Exhausting the router's memory or CPU, for example by opening numerous connections at the same time
Bandwidth Consumption
• Saturating the bandwidth of the router's network links
Packet "Mistreating" Attacks
In a packet mistreating attack, a compromised router mishandles the genuine data packets it is supposed to forward, for example by dropping, delaying, reordering or misrouting them
This attack occurs in the data transmission (forwarding) phase, so the routing table itself may still look correct
A compromised router that misleads packets causes:
• Congestion
• Denial of service
• Decrease in throughput
Routing Table Poisoning
Routing table poisoning is accomplished by maliciously altering or forging the routing-update packets exchanged by the routing protocols (RIP version 1, for example, accepts updates without any authentication)
Wrong entries in the routing table misdirect data packets, allowing traffic to be intercepted or black-holed
It can lead to a breakdown of one or more systems on the network
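The following Python model is an added example (not part of the EC-Council module) that ties together the RIP description above and this slide. It processes RIP-style updates with the hop-count metric (16 meaning unreachable), returns the changed prefixes that would trigger an immediate update to other neighbours, and then shows a poisoned update: an attacker on the segment advertises a route with a lower metric and the router installs it. The optional keyed-MD5 tag stands in for RIPv2 update authentication to show why an unauthenticated distance-vector protocol cannot defend itself; the key, prefixes and neighbour addresses are all constructed.

```python
"""RIP-style update processing and a poisoned update.

Added example, not from the EC-Council module. It models RIP's hop-count
metric (16 = unreachable) and the way an unauthenticated forged update with a
low metric takes over a route. The keyed-MD5 tag is a simplified stand-in for
RIPv2 update authentication; the key, prefixes and neighbour addresses are all
constructed for illustration.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Optional

INFINITY = 16  # RIP hop count meaning "unreachable"


class RipRouter:
    def __init__(self, connected: List[str], key: Optional[bytes] = None):
        # prefix -> {"metric": hop count, "next_hop": neighbour address or None if connected}
        self.table: Dict[str, dict] = {p: {"metric": 1, "next_hop": None} for p in connected}
        self.key = key  # shared secret; None means updates are accepted unauthenticated

    @staticmethod
    def sign(key: bytes, neighbor: str, routes: Dict[str, int]) -> str:
        """Keyed-MD5 tag over the update contents (simplified stand-in for RIPv2 authentication)."""
        payload = json.dumps([neighbor, sorted(routes.items())]).encode()
        return hmac.new(key, payload, hashlib.md5).hexdigest()

    def process_update(self, neighbor: str, routes: Dict[str, int], tag: Optional[str] = None) -> List[str]:
        """Apply an update from `neighbor`; return the prefixes whose route changed.

        A non-empty return value is what would trigger an immediate update to the
        other neighbours (RIP's triggered update).
        """
        if self.key is not None:
            expected = self.sign(self.key, neighbor, routes)
            if tag is None or not hmac.compare_digest(tag, expected):
                return []  # unauthenticated or forged update: discard
        changed = []
        for prefix, advertised in routes.items():
            metric = min(advertised + 1, INFINITY)          # one more hop through this neighbour
            current = self.table.get(prefix)
            if current is None and metric >= INFINITY:
                continue                                     # never install an unreachable new route
            via_same_neighbor = current is not None and current["next_hop"] == neighbor
            better = current is None or metric < current["metric"]
            if better or via_same_neighbor:
                if current is None or current["metric"] != metric or current["next_hop"] != neighbor:
                    self.table[prefix] = {"metric": metric, "next_hop": neighbor}
                    changed.append(prefix)
        return changed

    def next_hop(self, prefix: str) -> Optional[str]:
        entry = self.table.get(prefix)
        return None if entry is None else entry["next_hop"]

    def metric(self, prefix: str) -> Optional[int]:
        entry = self.table.get(prefix)
        return None if entry is None else entry["metric"]


def poisoning_demo():
    """Legitimate neighbour teaches a route, then an attacker hijacks it with a cheaper metric."""
    router = RipRouter(connected=["10.1.0.0/16"])
    legit, attacker = "10.1.0.2", "10.1.0.66"
    router.process_update(legit, {"10.2.0.0/16": 2})     # learned: 3 hops via legit
    before = router.next_hop("10.2.0.0/16")
    router.process_update(attacker, {"10.2.0.0/16": 0})  # forged: "directly connected", 1 hop
    after = router.next_hop("10.2.0.0/16")
    return before, after


def authenticated_demo():
    """Same forged update against a router that requires a valid tag; the attacker lacks the key."""
    key = b"constructed-demo-key"
    router = RipRouter(connected=["10.1.0.0/16"], key=key)
    legit, attacker = "10.1.0.2", "10.1.0.66"
    routes = {"10.2.0.0/16": 2}
    router.process_update(legit, routes, tag=RipRouter.sign(key, legit, routes))
    changed = router.process_update(attacker, {"10.2.0.0/16": 0}, tag="00" * 16)
    return router.next_hop("10.2.0.0/16"), changed


if __name__ == "__main__":
    print("unauthenticated:", poisoning_demo())    # ('10.1.0.2', '10.1.0.66')
    print("authenticated:  ", authenticated_demo())  # ('10.1.0.2', [])
```

Two details matter for an investigation. First, a poisoned route is only as persistent as the attacker's advertisements: once they stop, the route ages out, so the routing table captured with show ip route must be taken while the attack is still in progress. Second, the forged update in the unauthenticated case never fails; the router has no way to tell the attacker from a legitimate neighbour, which is why the protocol-level fix is authenticated updates (or a protocol that supports them), not a filter on the router alone.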
Hit-and-Run and Persistent Attacks
Hit-and-run attacks
• The attacker injects a single bad packet, or a few, into the router
• These attacks are usually difficult to detect
Persistent attacks
• The attacker constantly injects bad packets into the router
• Causes significant damage
Router Forensics vs. Traditional Forensics
Router forensics
• The system needs to stay online for the investigation
• Flash data most likely remains constant
• Live system data (running configuration, routing table, logs) must be recovered and is critical for analysis
Traditional forensics
• The system is usually shut down for the investigation
• A forensic copy (image) is created for investigation and analysis
• Live system data is usually not recovered
Steps for Investigating Router Attacks
Seize the router and maintain the chain of custody
Identify the router configuration
Incident response and session recording
Accessing the router
Volatile evidence gathering
Examination and analysis
Report generation
Seize the Router and Maintain Chain of Custody
Before starting the investigation process, seize the router so that nobody can change its configuration
The "chain of custody" is a concept which applies to the handling of the evidence and its integrity
It records:
• Where you received the evidence
• When you received the evidence
• From whom you received the evidence
• What your seizure methods were
• Why you seized the evidence
• Who collected and handled the evidence
Sample Chain Of Custody (COC) Form
[Two-page sample chain-of-custody form shown as images]
Guidelines for Router Forensics
Start with a security policy and develop a plan that includes collecting and defining the data to be gathered
Create a reconnaissance methodology that provides information about the target router and its network
Perform an analysis to identify incidents, default passwords, and configuration settings
Develop a strategy for analyzing the commands used to access the network, the access control lists, firewalls, and protocols involved
Incident Response
Guidelines for responding to a router attack incident:
• Never restart the router
• Do not modify, but record
• Incident response determines:
  • Where the incident happened
  • What to do about it
  • Whether the response is fraud related
Recording Session
Start recording the session (terminal logging) before logging on to the router
Show the router's current time with the show clock detail command, and note the actual time from a trusted clock alongside it so that log timestamps can be corrected for clock drift
Accessing the Router
Access the router to gain attack-related information
Certain Do's and Don'ts while accessing the router:
Do's:
• Access the router through the console
• Record your entire console session
• Record the actual time and the router's time
• Execute show commands
• Record the volatile information
Don'ts:
• Do not reboot the router
• Do not access the router through the network
• Do not run configuration commands
• Do not rely only on persistent information
Volatile Evidence
Volatile evidence present in the router includes:
• Current (running) configuration
• Access lists
• Time (router clock)
• Log buffer
• Routing table
Obtaining Configuration of Router
To retrieve RAM and NVRAM contents, first connect to the router's console port using an RJ-45-to-RJ-45 rolled cable and an RJ-45-to-DB-9 female DTE adapter
If a direct connection is not possible, use the encrypted Secure Shell (SSH) protocol to access the router remotely (never Telnet, which exposes the credentials and the whole session to anyone on the path)
Log the entire session with the terminal emulator (e.g. HyperTerminal)
Capture both the volatile and the non-volatile configuration so that changes can be compared and documented
There are two router configurations:
• Stored configuration: the non-volatile configuration held in Non-Volatile RAM (NVRAM), shown by show startup-config
• Current configuration: the volatile configuration kept in RAM, shown by show running-config
Volatile Evidence Gathering
Volatile evidence should be collected as early as possible
There are two ways to gather volatile evidence from the router:
• Direct access: using show commands
• Indirect access: using a scanning tool
Direct Access: Using show Commands
show clock detail: shows the router's current time and its time source, which helps in cross-referencing router log entries with the incident timeline
show version: shows the hardware model, the software (IOS) version, the uptime and the reason for the last restart
show startup-config: shows the configuration stored in NVRAM that is used when the router boots
show running-config: shows the configuration currently active in RAM
show ip route: shows the routing table, i.e. the paths the router follows to forward packets
show access-lists: shows the access lists used to implement the security policies
Indirect Access: Using Scanning Tool
If the attacker has changed the passwords stored in memory, the authorized user cannot log on to the router
Recovering access would require a reboot (password recovery), which destroys the attacker's configuration changes held in RAM
If the password has been changed, gather what volatile evidence you can from the outside with scanning tools such as Nmap (in current Nmap releases the -P0 option, skip host discovery, is spelled -Pn)
Scanning only reveals externally visible state (listening services, SNMP-readable configuration); it cannot recover the running configuration or the log buffer
Port scan:
• nmap -v -sS -P0 -p 1- Router.domain.com
• nmap -v -sU -P0 -p 1- Router.domain.com
• nmap -v -sR -P0 -p 1- Router.domain.com
SNMP scan:
• snmpwalk -v1 -c public Router.domain.com
• snmpwalk -v1 -c private Router.domain.com
Compare the Configuration of Router
Compare the startup configuration with the running configuration of the router; the differences are the changes made since the configuration was last saved, which an attacker who did not (or could not) write the configuration to NVRAM leaves behind
Commands used:
• show startup-config
• show running-config
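As an added example (not part of the EC-Council module), the Python code below performs this comparison the way an investigator would: normalize the two captures, diff them line by line, and label the kinds of unsaved change that most often indicate tampering. Both configuration texts are constructed in Cisco IOS style to stand in for the captured output of show startup-config and show running-config; the hostname, addresses and password hashes are placeholders.

```python
"""Compare a router's startup-config with its running-config and triage the differences.

Added example, not from the EC-Council module. Both configuration texts are
constructed in Cisco IOS style; in practice they are the captured output of
`show startup-config` and `show running-config` from the recorded console session.
Hostnames, addresses and password hashes are placeholders.
"""
import difflib
import re
from typing import List, Tuple

# Constructed: configuration saved in NVRAM.
STARTUP = """\
hostname edge-rtr
username admin privilege 15 secret 5 $1$abcd$constructedhash
interface FastEthernet0/0
 ip address 10.1.0.1 255.255.0.0
 ip access-group 101 in
ip route 0.0.0.0 0.0.0.0 198.51.100.1
access-list 101 permit tcp 10.1.0.0 0.0.255.255 any eq 22
access-list 101 deny ip any any log
logging 10.1.0.50
"""

# Constructed: configuration currently active in RAM (unsaved changes present).
RUNNING = """\
hostname edge-rtr
username admin privilege 15 secret 5 $1$abcd$constructedhash
username svc privilege 15 secret 5 $1$wxyz$constructedhash2
interface FastEthernet0/0
 ip address 10.1.0.1 255.255.0.0
 ip access-group 101 in
ip route 0.0.0.0 0.0.0.0 198.51.100.1
ip route 10.2.0.0 255.255.0.0 203.0.113.9
access-list 101 permit tcp 10.1.0.0 0.0.255.255 any eq 22
access-list 101 permit tcp host 203.0.113.9 any eq 23
access-list 101 deny ip any any log
"""

# Header/comment lines that legitimately differ between the two outputs.
NOISE = re.compile(r"^(!|Building configuration|Current configuration|Using \d+ out of)")


def normalize(config: str) -> List[str]:
    """Keep indentation (it marks sub-commands) but drop blank and noise lines."""
    return [ln.rstrip() for ln in config.splitlines() if ln.strip() and not NOISE.match(ln.strip())]


def config_diff(startup: str, running: str) -> Tuple[List[str], List[str]]:
    """Return (added, removed): lines only in the running config, lines only in the startup config."""
    added, removed = [], []
    for line in difflib.unified_diff(normalize(startup), normalize(running), lineterm="", n=0):
        if line[:3] in ("---", "+++") or line.startswith("@@"):
            continue
        (added if line[0] == "+" else removed).append(line[1:])
    return added, removed


# Unsaved changes an investigator should look at first.
SUSPICIOUS_ADDED = {
    "new privileged local account": re.compile(r"^username \S+ privilege 15"),
    "new static route": re.compile(r"^ip route "),
    "new permit for a single outside host": re.compile(r"^access-list \d+ permit .*\bhost \S+"),
}


def triage(added: List[str], removed: List[str]) -> List[Tuple[str, str]]:
    """Label differences that commonly indicate tampering."""
    findings = []
    for line in added:
        for label, pattern in SUSPICIOUS_ADDED.items():
            if pattern.search(line):
                findings.append((label, line))
    for line in removed:
        if line.startswith("logging "):
            findings.append(("logging destination removed", line))
    return findings


if __name__ == "__main__":
    added, removed = config_diff(STARTUP, RUNNING)
    for label, line in triage(added, removed):
        print(f"{label:40} {line}")
```

In a real case, feed the two captured session files to config_diff instead of the embedded constants, and keep the captures themselves untouched (hash them and record the hashes in the chain-of-custody form). An empty diff does not clear the router: an attacker who saved the configuration to NVRAM leaves nothing here, so the running configuration still has to be reviewed on its own.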
Examine the Router Table
The routing table is shown using the command show ip route
The routing table contains the paths that determine how the router forwards packets
Check for unauthorized routes (for example, unexpected static routes or a changed default route) that divert packets through an attacker-controlled path, a form of covert channel
Examine the Access Control List
The access control lists are shown using the command show access-lists
Examine the access control lists of the router to identify how the attacker got in
An attacker can enter the network by spoofing a trusted network address that the ACL permits
Check for added or altered permit statements (for example, a static permit for a single outside host) that give the attacker access to the router or to internal servers
Router Logs
The router log shows what happens on your router
It receives and stores all log messages
It shows whether anyone has been trying to get into your network
The router allows users to reach Internet resources, but when it records repeated harmful access attempts it warns the user
It provides the information needed to find out where the traffic is coming from, and with details such as the port number you can decide whether an entry is really a threat or just annoying background noise
It also shows which IP addresses from inside the network went online, and where they went
Router Logs (cont'd)
With the help of the IP address shown in the router log, it is possible to determine the host name associated with it
Run the ping or nslookup commands from a command line:
• Go to Start/Run and type "cmd" (Windows XP/2000) or "command" (Windows 95/98/ME)
• Type ping -a followed by the IP address of the suspicious source; the -a switch resolves the address to a host name
Keep in mind that the reverse DNS name is controlled by whoever owns the address block and may be missing or misleading
Example of Router Logs
NETGEAR Router Logs
NETGEAR router logs can be used to:
• Alert you when someone on the Internet has tried to access a blocked address in your LAN
• Identify port scans, attacks, and administrative logins
• Collect statistics on outgoing traffic for administration purposes
• Assess whether the keyword block rules are excluding the IP addresses you intended
Features:
• The main purpose of logging is to collect information about traffic coming into the LAN
• If you use logging with firewall rules and many entries are logged, it can reduce the router's regular traffic throughput
• The router can send up to 120 e-mail notifications an hour
• In a rule, a domain name can be blocked, but not its subdivisions
NETGEAR Router Logs (cont'd)
Log entries indicating an attack:
Example 1:
• If multiple entries in the log show suspicious data being dropped, then there is an attack
• In most cases, the same ports or source IP addresses appear in each log entry
Example 2:
• A single message ending with DOS (Denial of Service) may just be a random packet; however, several such messages indicate a probable attack
Link Logger
http://www.linklogger.com/
Link Logger enables you to see and learn about Internet security and your network traffic
It is designed to take the logging information sent out by your router/firewall, process it, and show scans, attacks, and what is happening on the router/firewall
It shows when and where the attacks are coming from, and the type of attack
It allows you to monitor and administer the systems on the LAN
The traffic analysis and reporting features help you monitor and understand the network traffic, and also help you communicate findings to others
Link Logger: Screenshot
Sawmill: Linksys Router Log Analyzer
http://www.sawmill.net/
Sawmill can process log files in Linksys router format, generate dynamic statistics, and analyze and report events from them
It can parse Linksys router logs and import them into a SQL database
It performs router log analysis on any platform, including Windows, Linux, FreeBSD, OpenBSD, Mac OS, Solaris, and other UNIX systems
Sawmill: Linksys Router Log Analyzer (cont'd)
It stores the following fields in its database for Linksys routers, generates reports for each field, and allows dynamic filtering on any combination of these fields:
Field               Internal Name
date/time           date_time
day of week         day_of_week
hour of day         hour_of_day
source host         source_host
destination host    destination_host
source port         source_port
destination port    destination_port
It stores the following numerical field in its database for Linksys routers, aggregating it and including it as a column in most reports:
Numerical Field     Internal Name
packets             packets
Logging
Syslog logging
• The syslog server receives and stores all the log messages sent by the router
Buffer logging
• When the show logging command is executed, the contents of the router's log buffer are displayed
Console logging
• Log messages are written to the console session
Terminal logging
• Log messages are written to non-console (VTY) sessions
SNMP logging
• The log server accepts and records all SNMP traps sent by the router
ACL violation logging
• Access control list entries are configured to log packets matching their rules by appending the log or log-input keyword to the entry
• The router's log buffer receives and stores these log messages
• These log messages are also sent to the syslog server
Real Time Forensics
After collecting evidence from the compromised router, you can use the router to monitor the network and itself by turning on logging if it was not already enabled
Router Time Zone Log
Router#configure terminal
Router(config)#service timestamps log datetime msec localtime show-timezone
Router(config)#no logging console
Router(config)#logging on
Router(config)#logging buffered 32000
Router(config)#logging buffered informational
Router(config)#logging facility local6
Router(config)#logging trap informational
Router(config)#logging Syslog-server.domain.com
Timestamps are only useful as evidence if the router's clock and time zone are correct, so verify them (ideally against NTP) before relying on the log
Real Time Forensics (cont'd)
Using AAA provides even greater ability to log information; with TACACS+ accounting you can record EXEC sessions, system events, outbound connections and network services on the TACACS+ server, and command accounting can additionally log every command executed on the router
Router TACACS+ Log
Router#configure terminal
Router(config)#aaa accounting exec default start-stop group tacacs+
Router(config)#aaa accounting system default stop-only group tacacs+
Router(config)#aaa accounting connection default start-stop group tacacs+
Router(config)#aaa accounting network default start-stop group tacacs+
These lines require AAA to be enabled (aaa new-model) and a reachable TACACS+ server to be defined; accounting records are only as trustworthy as that server, so it should sit outside the compromised segment
Real Time Forensics (cont'd)
You can also use ACL logging to count packets and log specific events. By configuring syslog logging and analyzing your syslog files in real time, you can perform real-time monitoring
The ACL
• access-list 149 permit udp host 130.18.59.1 any eq 161 log-input
• It does not block the matching packets, but logs every SNMP request (SNMP uses UDP port 161) from 130.18.59.1 to any internal host. An access list ends with an implicit deny, so on its own this single entry blocks all other traffic unless further permit statements follow it
The ACLs
• access-list 148 deny tcp 130.18.59.0 0.0.0.255 any eq 53 log-input
• access-list 148 deny udp 130.18.59.0 0.0.0.255 any eq 53 log-input
• These block and log any DNS packets from the subnet 130.18.59.0/24 to any internal host
The log-input keyword adds the ingress interface and the source MAC address to each log message, which helps attribute traffic whose source IP address is spoofed
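As an added example (not part of the EC-Council module), the Python code below does the real-time analysis this slide describes over ACL-violation syslog messages: it parses each message, groups denied packets by source address, and applies the rule of thumb from the NETGEAR slides earlier (the same source hitting many ports, or repeatedly, is an attack; a lone packet is probably noise). The log lines are constructed in the style of Cisco IOS %SEC-6-IPACCESSLOGP messages produced by entries with the log-input keyword; the addresses, ports, interface and MAC values are illustrative, not a capture from a real router.

```python
"""Aggregate ACL-violation syslog messages to tell a probable scan from background noise.

Added example, not from the EC-Council module. The log lines are constructed in
the style of Cisco IOS %SEC-6-IPACCESSLOGP messages generated by ACL entries
carrying the log-input keyword; addresses, ports, interface and MAC values are
illustrative.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample, not captured from a real router.
SAMPLE_LOG = """\
Mar  3 10:15:01.123 EST: %SEC-6-IPACCESSLOGP: list 148 denied udp 130.18.59.5(51234) (FastEthernet0/1 0000.0c12.3456) -> 10.1.0.53(53), 1 packet
Mar  3 10:15:03.456 EST: %SEC-6-IPACCESSLOGP: list 148 denied tcp 130.18.59.5(51235) (FastEthernet0/1 0000.0c12.3456) -> 10.1.0.53(53), 1 packet
Mar  3 10:15:04.001 EST: %SEC-6-IPACCESSLOGP: list 149 permitted udp 130.18.59.1(40000) (FastEthernet0/1 0000.0c12.3456) -> 10.1.0.10(161), 1 packet
Mar  3 10:16:10.789 EST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(4444) (FastEthernet0/1 0000.0c12.9abc) -> 10.1.0.10(22), 1 packet
Mar  3 10:16:10.790 EST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(4444) (FastEthernet0/1 0000.0c12.9abc) -> 10.1.0.10(23), 1 packet
Mar  3 10:16:10.791 EST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(4444) (FastEthernet0/1 0000.0c12.9abc) -> 10.1.0.10(80), 1 packet
Mar  3 10:16:10.792 EST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(4444) (FastEthernet0/1 0000.0c12.9abc) -> 10.1.0.10(443), 1 packet
Mar  3 10:21:10.793 EST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(4444) (FastEthernet0/1 0000.0c12.9abc) -> 10.1.0.10(3389), 7 packets
Mar  3 10:20:00.000 EST: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.20(60001) (FastEthernet0/1 0000.0c12.def0) -> 10.1.0.10(22), 1 packet
"""

LINE_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w*: list (?P<acl>\S+) (?P<action>denied|permitted) (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))?"
    r"(?: \((?P<iface>\S+) (?P<mac>[0-9a-f.]*)\))?"   # present only when log-input was used
    r" -> (?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?, (?P<count>\d+) packets?"
)


def parse_log(text: str) -> List[dict]:
    """Parse every ACL log message in `text`; lines that do not match are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        e = m.groupdict()
        e["sport"] = int(e["sport"]) if e["sport"] else None
        e["dport"] = int(e["dport"]) if e["dport"] else None
        e["count"] = int(e["count"])
        entries.append(e)
    return entries


def summarize(text: str, scan_threshold: int = 5) -> Dict[str, dict]:
    """Per source address: denied packet count, distinct destination ports, ACLs hit, verdict."""
    by_src = defaultdict(lambda: {"denied": 0, "ports": set(), "acls": set(), "ifaces": set()})
    for e in parse_log(text):
        if e["action"] != "denied":
            continue                      # permitted-and-logged traffic is audit data, not an attack
        s = by_src[e["src"]]
        s["denied"] += e["count"]
        s["ports"].add(e["dport"])
        s["acls"].add(e["acl"])
        if e["iface"]:
            s["ifaces"].add(e["iface"])
    report = {}
    for src, s in by_src.items():
        if len(s["ports"]) >= scan_threshold:
            verdict = "probable port scan"
        elif s["denied"] > 1:
            verdict = "repeated drops, review"
        else:
            verdict = "single packet, likely noise"
        report[src] = {
            "denied": s["denied"],
            "ports": sorted(s["ports"]),
            "acls": sorted(s["acls"]),
            "ifaces": sorted(s["ifaces"]),
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for src, info in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src:16} denied={info['denied']:3} ports={info['ports']} {info['verdict']}")
```

Two properties of IOS ACL logging shape the analysis. The first matching packet is logged immediately and later matches are summarized at intervals (the "7 packets" line), so the count field, not the number of lines, gives the volume. And because log-input records the ingress interface and MAC address, a source address that should be external arriving on an inside interface, or many "outside" addresses sharing one MAC, is a sign of spoofing rather than of many attackers.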
Router Audit Tool (RAT)
http://www.cisecurity.org/
RAT is designed to help audit the configurations of Cisco routers quickly and efficiently against the CIS benchmark
It is a Perl script primarily meant for automating audits
It consolidates four other Perl programs:
• snarf: downloads router configuration files
• ncat: reads the rule base and configuration files and provides output in a text file
• ncat_report: creates the HTML pages from the text files
• ncat_config: performs localization of the rule base
RAT Screenshot
Generate the Report
Note the name of the investigator
List the router evidence
Document the evidence and other supporting items
List the tools used for the investigation
List the devices and set-up used in the examination
Describe briefly the examination steps
Give details about the findings:
• Information about the files (configurations, logs)
• Internet-related evidence
• Data and image analysis
Give the conclusion of the investigation
Summary
A router is a computer networking device that forwards data packets across a network
A router decides the most effective path for a packet to reach its final destination
Types of router attacks are Denial of Service attacks, packet mistreating attacks, routing table poisoning, flooding, hit-and-run attacks, and persistent attacks
RIP sends routing-update messages at regular intervals and when the network topology changes
The router log shows whether anyone has been trying to get into the network
 
Enterprise service-management-essentials
Enterprise service-management-essentialsEnterprise service-management-essentials
Enterprise service-management-essentials
 
Service Integration and Management
Service Integration and Management Service Integration and Management
Service Integration and Management
 
Diagram of iso_22301_implementation_process_en
Diagram of iso_22301_implementation_process_enDiagram of iso_22301_implementation_process_en
Diagram of iso_22301_implementation_process_en
 
File000176
File000176File000176
File000176
 
File000175
File000175File000175
File000175
 
File000174
File000174File000174
File000174
 
File000173
File000173File000173
File000173
 
File000172
File000172File000172
File000172
 
File000171
File000171File000171
File000171
 
File000170
File000170File000170
File000170
 
File000169
File000169File000169
File000169
 
File000168
File000168File000168
File000168
 
File000167
File000167File000167
File000167
 
File000166
File000166File000166
File000166
 
File000165
File000165File000165
File000165
 
File000164
File000164File000164
File000164
 
File000163
File000163File000163
File000163
 

Último

Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 

Último (20)

Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 

File000141

  • 1. Module XXVIII – Router Forensics
  • 2. EC-Council. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
    News: Spotted in the Wild: Home Router Attack Serves Up Counterfeit Pages
    Source: http://www.theregister.co.uk/
  • 3. News: Wifi Flu Viral Router Attack Could Hit Whole Cities
    Source: http://arstechnica.com/
  • 4. Scenario
    Two Pinehurst men, Dalton Johnson, 37, and David Alan Brady, 40, were arrested on September 14, 2006, on charges of selling prescription drugs over the Internet. Their company allegedly sold generic versions of prescription steroids, drugs such as Valium and Xanax, and sex-enhancing drugs such as Viagra and Cialis. They were accused of selling unregulated drugs manufactured in Belize and marketed through "spam" e-mails as low-price Canadian drugs. The e-mails directed customers to one of several web sites where they could order the drugs, which were then shipped from Belize.
    The Drug Enforcement Agency (DEA) and the Food and Drug Administration (FDA) conducted the investigation along with other agencies. Moore County sheriff's deputies and federal investigators raided the homes of the two Pinehurst men and arrested them.
  • 5. Module Objective
    This module will familiarize you with:
      • Router
      • Router Architecture
      • Routing Information Protocol
      • Types of Router Attacks
      • Router Forensics vs. Traditional Forensics
      • Steps for Investigating Router Attacks
      • Investigating Routers
      • Incident Response
      • Router Logs
      • Router Auditing Tools
  • 6. Module Flow
      • Router
      • Router Architecture
      • Routing Information Protocol
      • Types of Router Attacks
      • Router Forensics vs. Traditional Forensics
      • Steps for Investigating Router Attacks
      • Incident Response
      • Router Logs
      • Router Auditing Tools
  • 7. Router
    A router is a computer networking device that forwards data packets across a network.
    It is connected to at least two networks, commonly a LAN and its ISP's network, or two LANs.
    Routing occurs at layer 3 (the Network layer, e.g. IP) of the OSI seven-layer protocol stack.
    Router software determines which of the several possible paths between the source and destination addresses suits a particular transmission.
    It uses headers and forwarding tables to determine the best path for forwarding the packets.
    It uses protocols such as ICMP to communicate and configure the best route between any two hosts.
  • 8. Functions of a Router
    A router decides the most effective path for a packet to reach its final destination.
    It transfers link-state data within and between routing groups.
    It acts as a default gateway.
    It limits network broadcasts to the local LAN.
    It can act as a "protocol translator", provided suitable hardware and software are present.
  • 9. A Router in an OSI Model
    (Figure: the seven-layer stacks of System A and System B, layers 1 to 7: Physical, Data Link, Network, Transport, Session, Presentation, Application. The router sits between the two networks and operates at layers 1 to 3: Physical, Data Link and Network.)
  • 10. Routing Table and its Components
    The routing table determines the final destination of the data packets in a network. It consists of the following:
      • An address prefix
      • The interface on which packets matching the address prefix are forwarded
      • A next-hop address
      • A preference value for choosing between several routes with the same prefix
      • Route duration
      • A specification of whether the route is advertised in a routing advertisement
      • Kind of route
  • 11. Router Architecture
    Hardware
      • Model/Series
      • Content: Motherboard, CPU, Input/Output Interfaces
    Memory
      • BootROM: Content: ROMMON code
      • Non-Volatile Random Access Memory (NVRAM): Content: Startup configuration
      • Static RAM/Dynamic RAM: Content: Current Internetwork Operating System (IOS), routing tables
    Internetwork Operating System (IOS)
  • 12. Routing Information Protocol
    RIP sends routing-update messages at regular intervals and when the network topology changes.
    When a router receives a routing update that includes changes to an entry, it updates its routing table to reflect the new route.
    The distance between the source and the destination network is calculated with a hop-count metric.
    RIP routers maintain only the best route (the route with the lowest metric value) to a destination.
    After updating its routing table, the router immediately begins transmitting routing updates to inform the other routers in the network of the change.
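The update rules described on slides 10 and 12, carried through in code as an added example (this is not EC-Council's code and not any router's implementation): a table entry keeps the address prefix, outgoing interface, next-hop address and hop-count metric; a received update is installed only when it is new or strictly better, an update from the current next hop is always taken (so a metric of 16 withdraws the route), and every change is returned so it can be announced as a triggered update. The `trusted_neighbours` parameter is an assumption of this example, standing in for RIP authentication or passive interfaces; updates from unlisted sources are recorded and not installed, which is the defender's answer to the routing table poisoning covered later in the module. Addresses and interface names are constructed.

```python
from dataclasses import dataclass

RIP_INFINITY = 16  # RIP hop count meaning "unreachable"


@dataclass
class Route:
    prefix: str      # address prefix, e.g. "192.168.1.0/24"
    interface: str   # interface packets for this prefix are forwarded on
    next_hop: str    # neighbour that advertised the route ("0.0.0.0" = connected)
    metric: int      # hop count; RIP keeps only the lowest metric per prefix


class RipTable:
    """Routing table with RIP-style update handling (added example, not EC-Council code)."""

    def __init__(self, trusted_neighbours):
        # Assumption for this example: only updates from configured neighbours are
        # accepted, standing in for RIP authentication / passive interfaces, the
        # usual mitigation against routing table poisoning.
        self.trusted = set(trusted_neighbours)
        self.routes = {}      # prefix -> Route
        self.rejected = []    # (neighbour, prefixes) offered by untrusted sources

    def add_connected(self, prefix, interface):
        """Directly connected network: metric 1, no next hop."""
        self.routes[prefix] = Route(prefix, interface, "0.0.0.0", 1)

    def receive_update(self, neighbour, interface, advertised):
        """Process one RIP update.

        advertised maps prefix -> metric as carried in the neighbour's message.
        Returns the routes that changed; in RIP these are announced immediately
        as a triggered update rather than waiting for the regular interval.
        """
        if neighbour not in self.trusted:
            self.rejected.append((neighbour, sorted(advertised)))
            return []
        changed = []
        for prefix, adv_metric in advertised.items():
            new_metric = min(adv_metric + 1, RIP_INFINITY)  # one more hop via neighbour
            current = self.routes.get(prefix)
            if current is None:
                if new_metric < RIP_INFINITY:
                    self.routes[prefix] = Route(prefix, interface, neighbour, new_metric)
                    changed.append(self.routes[prefix])
            elif current.next_hop == neighbour:
                # Same next hop: accept the new metric even if it is worse; at 16
                # the destination is unreachable and the route leaves the table.
                if new_metric != current.metric:
                    if new_metric >= RIP_INFINITY:
                        del self.routes[prefix]
                        changed.append(Route(prefix, interface, neighbour, RIP_INFINITY))
                    else:
                        current.metric = new_metric
                        changed.append(current)
            elif new_metric < current.metric:
                # Another neighbour offers a strictly better path: replace the route.
                self.routes[prefix] = Route(prefix, interface, neighbour, new_metric)
                changed.append(self.routes[prefix])
        return changed

    def best_route(self, prefix):
        """(next_hop, metric) for the single route RIP keeps, or None."""
        route = self.routes.get(prefix)
        return (route.next_hop, route.metric) if route else None


if __name__ == "__main__":
    # Constructed topology: we sit on 10.0.12.0/30 and 10.0.13.0/30 with two neighbours.
    table = RipTable(trusted_neighbours={"10.0.12.2", "10.0.13.2"})
    table.add_connected("10.0.12.0/30", "Gi0/0")
    table.receive_update("10.0.12.2", "Gi0/0", {"192.168.1.0/24": 2})
    table.receive_update("10.0.13.2", "Gi0/1", {"192.168.1.0/24": 1})
    print(table.best_route("192.168.1.0/24"))  # lower metric via 10.0.13.2 wins
    table.receive_update("10.0.99.9", "Gi0/2", {"0.0.0.0/0": 0})
    print(table.rejected)  # update from an unknown neighbour is not installed
```

The rejected list is the forensic artefact worth keeping: an attacker who alters routing updates, as slide 19 describes, shows up here as an unexpected neighbour offering a very attractive metric, which a table that accepts every update would silently install.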
  • 13. Implications of a Router Attack
    If an intruder can acquire control over a router, he/she can:
      • Interrupt communications by dropping or misrouting packets passing through the router
      • Completely disable the router and its network
      • Compromise other routers in the network and possibly the neighboring networks
      • Observe and log both the incoming and outgoing traffic
      • Evade firewalls and Intrusion Detection Systems
      • Forward any kind of traffic to the compromised network
  • 14. Router Vulnerabilities
    HTTP Authentication Vulnerability
      • Using a URL such as http://router.address/level/$NUMBER/exec/...., where $NUMBER is an integer between 16 and 99, it is possible for a remote user to gain full administrative access
    NTP Vulnerability
      • By sending a crafted NTP control packet, it is possible to trigger a buffer overflow in the NTP daemon
    SNMP Parsing Vulnerability
      • Malformed SNMP messages received by affected systems can cause various parsing and processing functions to fail, which results in a system crash and reload
      • In some cases, access-list statements on the SNMP service do not protect the device
  • 15. Types of Router Attacks
      • Denial of Service attack
      • Packet mistreating attacks
      • Routing table poisoning
      • Flooding
      • Hit-and-run attacks
      • Persistent attacks
  • 16. Router Attack Topology
    (Figure)
  • 17. Denial of Service (DoS) Attacks
    A DoS attack overloads the router and renders it completely inaccessible to legitimate network users. A DoS attack may lead to:
      • Destruction: damages the capability of the router to operate
      • Resource Utilization: achieved by overflowing the router with numerous open connections at the same time
      • Bandwidth Consumption: attempts to use up the bandwidth capacity of the router's network
  • 18. Packet "Mistreating" Attacks
    An attacker carrying out a packet mistreating attack might acquire an actual data packet and mistreat it.
    This attack occurs in the data transmission phase.
    A compromised router misleads packets, which results in:
      • Congestion
      • Denial-of-service
      • Decrease in throughput
  • 19. Routing Table Poisoning
    Routing table poisoning is accomplished by maliciously altering the routing data update packets needed by the routing protocols.
    Wrong entries in the routing table misdirect the data packets.
    It leads to a breakdown of one or more systems on the network.
  • 20. Hit-and-Run and Persistent Attacks
    Hit-and-run attacks
      • The attacker injects a single or a few bad packets into the router
      • These attacks are usually difficult to detect
    Persistent attacks
      • The attacker constantly injects bad packets into the router
      • Causes significant damage
  • 21. Router Forensics vs. Traditional Forensics
    Router forensics
      • The system needs to be online for investigation purposes
      • Flash data most likely remains constant
      • Live system data needs to be recovered and is critical for analysis
    Traditional forensics
      • The system needs to be shut down for investigation purposes
      • A copy is created for forensic investigation and analysis
      • Live system data is usually not recovered
  • 22. Steps for Investigating Router Attacks
      • Seize the router and maintain the chain of custody
      • Identify the router configuration
      • Incident response and session recording
      • Accessing the router
      • Volatile evidence gathering
      • Examination and analysis
      • Report generation
  • 23. Seize the Router and Maintain Chain of Custody
    Before starting the investigation process, seize the router so that nobody can change its configuration.
    The "chain of custody" is a concept which applies to the handling of the evidence and its integrity. It tells about:
      • Where you received the evidence
      • When you received the evidence
      • From whom you received the evidence
      • What your seizure methods were
      • Why you seized the evidence
      • Who collected and handled the evidence
  • 24. Sample Chain Of Custody (COC) Form
    (Figure)
  • 25. Sample Chain Of Custody (COC) Form (cont'd)
    (Figure)
  • 26. Guidelines for Router Forensics
    Start with a security policy and develop a plan that includes collecting and defining data.
    Create a reconnaissance methodology that provides information about the target.
    Perform an analysis for identifying incidents, default passwords and setting information.
    Develop an attack strategy for analyzing commands to access the network, access control lists, firewalls, and protocols.
  • 27. Incident Response
    Guidelines for responding to a router attack incident:
      • Never restart the router
      • Do not modify, but record
      • Incident response determines:
        • Where the incident happened
        • What to do about it
        • Whether the response is fraud related
  • 28. Recording Session
    Start recording the session before logging on to the router.
    Show the current time using the show clock detail command.
  • 29. Accessing the Router
    Access the router to gain attack-related information. Certain do's and don'ts while accessing the router:
    Do's:
      • Access the router through the console
      • Record your entire console session
      • Record the actual time and the router's time
      • Execute show commands
      • Record the volatile information
    Don'ts:
      • REBOOT THE ROUTER
      • Access the router through the network
      • Run configuration commands
      • Rely only on persistent information
  • 30. Volatile Evidence
    Volatile evidence present in the router is as follows:
      • Current configuration
      • Access list
      • Time
      • Log file
  • 31. Obtaining Configuration of Router
    To retrieve RAM and NVRAM, first establish a connection to the router through the console port using an RJ-45-to-RJ-45 rolled cable and an RJ-45-to-DB-9 female DTE adapter.
    If a direct connection is not possible, use the encrypted Secure Shell (SSH) protocol to access the router remotely.
    Log the entire session with HyperTerminal.
    Capture both the volatile and the non-volatile configuration for comparison of changes and for documentation purposes.
    There are two router configurations:
      • Stored configuration: the non-volatile configuration stored in the Non-Volatile RAM (NVRAM)
      • Current configuration: the volatile configuration kept in Random Access Memory (RAM)
  • 32. Volatile Evidence Gathering
    Volatile evidence should be collected as early as possible.
    There are two ways to gather volatile evidence from the router:
      • Direct access: using show commands
      • Indirect access: using a scanning tool
  • 33. Direct Access: Using show Commands
      • show clock: shows the router's time, which helps in cross-referencing with the incident
      • show version: shows the hardware and software used by the router
      • show startup-config: shows the configuration used to boot the router
      • show ip route: shows the table of paths the router follows to forward packets
      • show access-lists: shows the access lists used to implement the security policies
  • 34. Indirect Access: Using Scanning Tool
    If the attacker modifies the password stored in memory, the authorized user cannot log on to the router.
    He/she has to reboot the system, which leads to the loss of the attacker's configuration commands.
    If the password is changed, gather the volatile evidence using scanning tools such as Nmap. Commands used in Nmap are:
    Port scan:
      • nmap -v -sS -P0 -p 1- Router.domain.com
      • nmap -v -sU -P0 -p 1- Router.domain.com
      • nmap -v -sR -P0 -p 1- Router.domain.com
    SNMP scan:
      • snmpwalk -v1 Router.domain.com public
      • snmpwalk -v1 Router.domain.com private
  • 35. Compare the Configuration of Router
    Compare the startup configuration with the running configuration of the router. Commands used:
      • show startup-config
      • show running-config
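Once both configurations have been captured from the console session, the comparison itself is mechanical. The following is an added example (not EC-Council's code or any vendor tool) that diffs two captured IOS-style configurations and labels each difference by the area an investigator checks first: routing paths (the covert-channel question of slide 36), access control (slide 37), accounts, logging and management access. The two configurations are constructed for the example, using documentation address ranges and a placeholder secret; the category prefix list is an assumption, chosen to cover the commands this module discusses, and a real audit would extend it.

```python
# Constructed configurations (not from any real device); documentation address
# ranges and a placeholder secret are used throughout.
STARTUP_CONFIG = """\
version 12.4
hostname Edge-R1
!
username admin privilege 15 secret 5 $1$PLACEHOLDER
!
interface FastEthernet0/0
 ip address 203.0.113.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 203.0.113.254
!
access-list 101 permit tcp any host 192.0.2.10 eq 80
access-list 101 deny ip any any log
!
logging 192.0.2.50
end
"""

RUNNING_CONFIG = """\
version 12.4
hostname Edge-R1
!
username admin privilege 15 secret 5 $1$PLACEHOLDER
username svc privilege 15 secret 5 $1$PLACEHOLDER
!
interface FastEthernet0/0
 ip address 203.0.113.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 203.0.113.254
ip route 192.0.2.0 255.255.255.0 198.51.100.7
!
access-list 101 permit ip host 198.51.100.7 any
access-list 101 permit tcp any host 192.0.2.10 eq 80
access-list 101 deny ip any any log
end
"""

# Prefixes that mark the configuration areas an investigator looks at first
# (routing paths, access control, accounts, logging/SNMP, management access).
# Assumed list for this example; extend it for a real audit.
CATEGORIES = (
    ("routing", ("ip route", "router ")),
    ("access-control", ("access-list", "ip access-list", "ip access-group")),
    ("accounts", ("username", "enable secret", "enable password")),
    ("logging", ("logging", "snmp-server")),
    ("management", ("line vty", "transport input", "ip http")),
)


def normalize(config_text):
    """Return comparable entries: blank lines and '!' separators dropped,
    indented sub-commands prefixed with their parent so context is kept."""
    entries, parent = [], None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        if line.startswith(" ") and parent is not None:
            entries.append(f"{parent} > {line.strip()}")
        else:
            parent = line
            entries.append(line)
    return entries


def classify(entry):
    """Label a config entry by the area it touches ('other' if none match)."""
    command = entry.split(" > ")[-1].lower()
    for name, prefixes in CATEGORIES:
        if command.startswith(prefixes):
            return name
    return "other"


def compare_configs(startup, running):
    """Lines only in running-config are 'added' (changed since boot, living in
    RAM only); lines only in startup-config are 'removed'. Order is kept so the
    report can be read alongside the captured show output."""
    startup_entries, running_entries = normalize(startup), normalize(running)
    report = []
    for entry in running_entries:
        if entry not in startup_entries:
            report.append({"change": "added", "category": classify(entry), "line": entry})
    for entry in startup_entries:
        if entry not in running_entries:
            report.append({"change": "removed", "category": classify(entry), "line": entry})
    return report


if __name__ == "__main__":
    for item in compare_configs(STARTUP_CONFIG, RUNNING_CONFIG):
        print(f"{item['change']:<8}{item['category']:<16}{item['line']}")
```

In the constructed pair the running configuration has gained a privilege-15 account, a static route through an outside host and a permit-all ACL entry for that host, and has lost its syslog destination: exactly the kind of RAM-only change that slides 29 and 30 warn would vanish on a reboot, and the reason the running configuration is captured before anything else is touched.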
  • 36. Examine the Router Table
    The routing table is shown using the command show ip route.
    The routing table contains the paths the router uses to forward packets.
    Check for a covert channel, an unauthorized path used to divert packets.
  • 37. Examine the Access Control List
    The access control list is shown using the command show access-lists.
    Examine the access control list of the router to identify the attacker.
    An attacker can enter the network using a trusted network address.
    Check for static entries that could help the attacker get in.
  • 38. Router Logs
    The router log shows what happens on your routers.
    It receives and stores all log messages.
    It shows whether anyone has been trying to get into your network.
    It allows the user to access all the Internet resources, but when it finds several harmful accesses, it warns the user.
    It provides information to find out where the data are coming from; with factors such as the port number, you can determine whether this is really a threat or just some annoying maintenance traffic.
    It also shows which IP addresses from inside the network went online, and where they went.
  • 39. Router Logs (cont'd)
    With the help of the IP address shown by the router log, it is possible to determine the actual host name. Run the ping or nslookup commands from a command line:
      • Go to Start/Run and type "cmd" (XP/2K) or "command" (95/98/ME)
      • Type the ping command with the "-a" switch followed by the IP address of the suspicious service
  • 40. Example of Router Logs
    (Figure)
  • 41. NETGEAR Router Logs
    NETGEAR router logs can be used to:
      • Alert you when someone on the Internet has tried to access a blocked address in your LAN
      • Identify port scans, attacks, and administrative logins
      • Collect statistics on outgoing traffic for administration purposes
      • Assess whether the keyword block rules are excluding the IP addresses you intended
    Features:
      • The main purpose of logging is to collect information about traffic coming into the LAN
      • If you use logging with firewall rules and many entries are logged, it can reduce the router's regular traffic throughput
      • Routers can send up to 120 e-mail notifications an hour
      • In a rule, a domain name can be blocked, but not its subdivisions
  • 42. NETGEAR Router Logs (cont'd)
    Log entries indicating an attack:
    Example 1:
      • If multiple entries in the log show suspicious data being dropped, then there is an attack
      • In most cases, the same ports or source IP addresses are indicated in each log entry
    Example 2:
      • A single such message (ending with DOS, Denial of Service) may just be a random packet; however, several messages indicate a probable attack
  • 43. Link Logger
    http://www.linklogger.com/
    Link Logger enables you to see and learn about Internet security and your network traffic.
    It is designed to take the logging information sent out from your router/firewall, process it, and show scans, attacks and what is happening on the router/firewall.
    It shows when and where the attacks are coming from, and the type of attack.
    It allows you to monitor and administer the systems on the LAN.
    The traffic analysis and reporting features help to monitor and understand the network traffic, and also help to communicate findings to others.
  • 44. Link Logger: Screenshot
    (Figure)
  • 45. Sawmill: Linksys Router Log Analyzer
    http://www.sawmill.net/
    Sawmill can process log files in Linksys router format, generate dynamic statistics from them, and analyze and report events.
    It can parse Linksys router logs and import them into a SQL database.
    It performs router log analysis on any platform, including Windows, Linux, FreeBSD, OpenBSD, Mac OS, Solaris, and UNIX.
• 46. Sawmill: Linksys Router Log Analyzer (cont'd)
It stores the following fields in its database for Linksys routers, generates reports for each field, and allows dynamic filtering on any combination of these fields:
  Field              Internal Name
  date/time          date_time
  day of week        day_of_week
  hour of day        hour_of_day
  source host        source_host
  destination host   destination_host
  source port        source_port
  destination port   destination_port
It stores the following numerical fields in its database for Linksys routers, aggregates them, and includes them as columns in most reports:
  Numerical Field    Internal Name
  packets            packets
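As an added example (not Sawmill's, NETGEAR's or EC-Council's own code), the script below maps router drop-log lines onto the Sawmill field set listed above, loads them into an in-memory SQLite table, and applies the slide 42 rule that repeated drops from the same source host to the same destination port indicate a probable attack. The sample log lines, their format, and the threshold of three are constructed assumptions.

```python
import re
import sqlite3
from datetime import datetime

# Constructed sample lines in a simple home-router drop-log format (assumption: real
# NETGEAR/Linksys firmware logs look different; adapt LINE_RE to your router's output).
SAMPLE_LOG = """\
2006-09-12 14:03:21 DROP proto=TCP src=203.0.113.9:51234 dst=192.168.0.5:445 pkts=1 DOS
2006-09-12 14:03:22 DROP proto=TCP src=203.0.113.9:51235 dst=192.168.0.5:445 pkts=1 DOS
2006-09-12 14:03:23 DROP proto=TCP src=203.0.113.9:51236 dst=192.168.0.5:445 pkts=1 DOS
2006-09-12 14:03:24 DROP proto=TCP src=203.0.113.9:51237 dst=192.168.0.5:445 pkts=1 DOS
2006-09-12 16:40:10 DROP proto=UDP src=198.51.100.77:1900 dst=192.168.0.1:1900 pkts=1 DOS
"""

LINE_RE = re.compile(
    r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) DROP proto=\w+ "
    r"src=(?P<shost>[\d.]+):(?P<sport>\d+) dst=(?P<dhost>[\d.]+):(?P<dport>\d+) pkts=(?P<pkts>\d+)"
)

FIELDS = ("date_time", "day_of_week", "hour_of_day", "source_host",
          "destination_host", "source_port", "destination_port", "packets")

def parse_line(line):
    """Map one log line onto the Sawmill-style field set; None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    values = (ts.isoformat(sep=" "), ts.strftime("%A"), ts.hour, m["shost"],
              m["dhost"], int(m["sport"]), int(m["dport"]), int(m["pkts"]))
    return dict(zip(FIELDS, values))

def load_into_db(text):
    """Parse every line and load the rows into an in-memory SQLite table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE router_log (%s)" % ", ".join(FIELDS))
    rows = [r for r in map(parse_line, text.splitlines()) if r]
    db.executemany("INSERT INTO router_log VALUES (%s)" % ", ".join(":" + f for f in FIELDS), rows)
    return db

def probable_attacks(db, threshold=3):
    """Slide rule: one dropped packet may be noise, but repeated drops from the same
    source host to the same destination port indicate a probable attack."""
    cur = db.execute(
        "SELECT source_host, destination_port, SUM(packets) AS n FROM router_log "
        "GROUP BY source_host, destination_port HAVING SUM(packets) >= ? ORDER BY n DESC",
        (threshold,))
    return cur.fetchall()
```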
• 47. Logging
  • Syslog logging: the syslog server receives and stores all the log messages
  • Buffer logging: when the show logging command is executed, the contents of the router's log buffer are displayed
  • Console logging: records console sessions
  • Terminal logging: records non-console sessions and lets you view log messages
  • SNMP logging: the log server accepts and records all SNMP traps
  • ACL violation logging: Access Control Lists are configured to log packets matching their rules by appending the log or log-input keyword to the ACL entry; the router's log buffer receives and stores these log messages, and they are also sent to the syslog server
• 48. Real Time Forensics
After removing or collecting information from the compromised router, you can use the router to monitor the network and itself by turning on logging, if it was not on previously:
  Router#config terminal
  Router(config)#service timestamps log datetime msec localtime show-timezone
  Router(config)#no logging console
  Router(config)#logging on
  Router(config)#logging buffered 32000
  Router(config)#logging buffered informational
  Router(config)#logging facility local6
  Router(config)#logging trap informational
  Router(config)#logging Syslog-server.domain.com
• 49. Real Time Forensics (cont'd)
Using AAA provides an even greater ability to log information; TACACS+ even allows you to log every command executed on the router to the Network Access Server:
  Router#config terminal
  Router(config)#aaa accounting exec default start-stop group tacacs+
  Router(config)#aaa accounting system default stop-only group tacacs+
  Router(config)#aaa accounting connection default start-stop group tacacs+
  Router(config)#aaa accounting network default start-stop group tacacs+
• 50. Real Time Forensics (cont'd)
You can also use ACL logging to count packets and log specific events. By configuring syslog logging and analyzing your syslog files in real time, you can perform real-time monitoring.
The ACL:
  access-list 149 permit tcp host 130.18.59.1 any eq 161 log-input
  • It will not block any packets, but will log all incoming SNMP requests from 130.18.59.1 to any internal host
The ACLs:
  access-list 148 deny tcp 130.18.59.0 0.0.0.255 any eq 53 log-input
  access-list 148 deny udp 130.18.59.0 0.0.0.255 any eq 53 log-input
  • They will block and log any DNS packets from the subnet 130.18.59.0/24 to any internal host
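To analyze the syslog output that ACLs 148 and 149 above produce, here is an added example (not EC-Council's or Cisco's code) that parses the %SEC-6-IPACCESSLOGP messages IOS emits for log-input entries, totals the logged packets per source and destination port, and lists which hosts of the 130.18.59.0/24 subnet were caught by the DNS deny rule. The sample syslog lines, interface names and MAC addresses are constructed.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample syslog lines in the %SEC-6-IPACCESSLOGP format that IOS emits for
# ACL entries carrying the log-input keyword (interface and source MAC in parentheses).
# The first hit is logged immediately; later hits are summarised with a packet count.
SAMPLE_SYSLOG = """\
Sep 12 14:03:21.512 UTC: %SEC-6-IPACCESSLOGP: list 148 denied udp 130.18.59.7(53211) (FastEthernet0/0 0011.2233.4455) -> 192.168.1.10(53), 1 packet
Sep 12 14:08:21.602 UTC: %SEC-6-IPACCESSLOGP: list 148 denied udp 130.18.59.7(53211) (FastEthernet0/0 0011.2233.4455) -> 192.168.1.10(53), 37 packets
Sep 12 14:09:02.001 UTC: %SEC-6-IPACCESSLOGP: list 148 denied tcp 130.18.59.20(40012) (FastEthernet0/0 0011.2233.4466) -> 192.168.1.10(53), 1 packet
Sep 12 14:10:30.777 UTC: %SEC-6-IPACCESSLOGP: list 149 permitted tcp 130.18.59.1(2049) (FastEthernet0/0 0011.2233.4477) -> 192.168.1.20(161), 1 packet
"""

ACL_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\)"
    r"(?: \((?P<iface>\S+) (?P<mac>[0-9a-f.]+)\))?"  # present only with log-input
    r" -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<pkts>\d+) packets?"
)

def parse_acl_log(text):
    """Return one dict per parsable IPACCESSLOGP message; other syslog lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ACL_RE.search(line)
        if m:
            e = m.groupdict()
            for key in ("sport", "dport", "pkts"):
                e[key] = int(e[key])
            entries.append(e)
    return entries

def packets_by_source(entries):
    """Total logged packets keyed by (acl, action, source host, destination port)."""
    totals = defaultdict(int)
    for e in entries:
        totals[(e["acl"], e["action"], e["src"], e["dport"])] += e["pkts"]
    return dict(totals)

def sources_matching(entries, acl, subnet, dport):
    """Source hosts inside `subnet` whose packets to `dport` were logged by `acl`."""
    net = ip_network(subnet)
    return sorted({e["src"] for e in entries
                   if e["acl"] == acl and e["dport"] == dport and ip_address(e["src"]) in net})
```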
• 51. Router Audit Tool (RAT)
http://www.cisecurity.org/
  • RAT is designed to help audit the configurations of Cisco routers quickly and efficiently
  • It is a Perl script primarily meant for automating audits
  • It consolidates four other Perl programs:
    • snarf: downloads router config files
    • ncat: reads the rule base and configuration files and provides output in a text file
    • ncat_report: creates the HTML pages from the text files
    • ncat_config: performs localization of the rule base
• 52. RAT Screenshot
• 53. Generate the Report
  • Note the name of the investigator
  • List the router evidence
  • Document the evidence and other supporting items
  • List the tools used for the investigation
  • List the devices and setup used in the examination
  • Describe the examination steps briefly
  • Give details about the findings:
    • Information about the files
    • Internet-related evidence
    • Data and image analysis
  • Give the conclusion of the investigation
• 54. Summary
  • A router is a computer networking device that forwards data packets across a network
  • A router decides the most effective path for a packet to reach its final destination
  • Types of router attacks are Denial of Service attacks, packet mistreating attacks, routing table poisoning, flooding, hit-and-run attacks, and persistent attacks
  • RIP sends routing-update messages at regular intervals and when the network topology changes
  • Router logs show if anyone has been trying to get into the network