Enviar búsqueda
Cargar
File000141
•
0 recomendaciones
•
645 vistas
Desmond Devendran
Seguir
Tecnología
Denunciar
Compartir
Denunciar
Compartir
1 de 56
Descargar ahora
Descargar para leer sin conexión
Recomendados
File000142
File000142
Desmond Devendran
File000144
File000144
Desmond Devendran
File000140
File000140
Desmond Devendran
File000139
File000139
Desmond Devendran
File000143
File000143
Desmond Devendran
File000149
File000149
Desmond Devendran
File000150
File000150
Desmond Devendran
Ce hv6 module 46 securing laptop computers
Ce hv6 module 46 securing laptop computers
Vi Tính Hoàng Nam
Recomendados
File000142
File000142
Desmond Devendran
File000144
File000144
Desmond Devendran
File000140
File000140
Desmond Devendran
File000139
File000139
Desmond Devendran
File000143
File000143
Desmond Devendran
File000149
File000149
Desmond Devendran
File000150
File000150
Desmond Devendran
Ce hv6 module 46 securing laptop computers
Ce hv6 module 46 securing laptop computers
Vi Tính Hoàng Nam
Ceh V5 Module 07 Sniffers
Ceh V5 Module 07 Sniffers
Mina Fawzy
Ce hv6 module 50 software piracy and warez
Ce hv6 module 50 software piracy and warez
Vi Tính Hoàng Nam
Ceh v5 module 15 hacking wireless networks
Ceh v5 module 15 hacking wireless networks
Vi Tính Hoàng Nam
Ce hv6 module 41 hacking usb devices
Ce hv6 module 41 hacking usb devices
Vi Tính Hoàng Nam
File000148
File000148
Desmond Devendran
Ceh v5 module 17 physical security
Ceh v5 module 17 physical security
Vi Tính Hoàng Nam
Ceh v5 module 06 trojans and backdoors
Ceh v5 module 06 trojans and backdoors
Vi Tính Hoàng Nam
Ceh v5 module 18 linux hacking
Ceh v5 module 18 linux hacking
Vi Tính Hoàng Nam
File000146
File000146
Desmond Devendran
Ce hv6 module 62 case studies
Ce hv6 module 62 case studies
Vi Tính Hoàng Nam
CHFI 1
CHFI 1
Desmond Devendran
Ce hv6 module 14 denial of service TH3 professional security
Ce hv6 module 14 denial of service TH3 professional security
defquon
File000126
File000126
Desmond Devendran
Network protocols and vulnerabilities
Network protocols and vulnerabilities
G Prachi
Ch13 Protecting Networks with Security Devices
Ch13 Protecting Networks with Security Devices
phanleson
BAIT1003 Chapter 11
BAIT1003 Chapter 11
limsh
File000154
File000154
Desmond Devendran
Network defenses
Network defenses
G Prachi
Ccna 1 8
Ccna 1 8
Vahdet Shehu
Cyber security tutorial2
Cyber security tutorial2
sweta dargad
Ceh v5 module 07 sniffers
Ceh v5 module 07 sniffers
Vi Tính Hoàng Nam
DDOS ATTACKS
DDOS ATTACKS
Shaurya Gogia
Más contenido relacionado
La actualidad más candente
Ceh V5 Module 07 Sniffers
Ceh V5 Module 07 Sniffers
Mina Fawzy
Ce hv6 module 50 software piracy and warez
Ce hv6 module 50 software piracy and warez
Vi Tính Hoàng Nam
Ceh v5 module 15 hacking wireless networks
Ceh v5 module 15 hacking wireless networks
Vi Tính Hoàng Nam
Ce hv6 module 41 hacking usb devices
Ce hv6 module 41 hacking usb devices
Vi Tính Hoàng Nam
File000148
File000148
Desmond Devendran
Ceh v5 module 17 physical security
Ceh v5 module 17 physical security
Vi Tính Hoàng Nam
Ceh v5 module 06 trojans and backdoors
Ceh v5 module 06 trojans and backdoors
Vi Tính Hoàng Nam
Ceh v5 module 18 linux hacking
Ceh v5 module 18 linux hacking
Vi Tính Hoàng Nam
File000146
File000146
Desmond Devendran
Ce hv6 module 62 case studies
Ce hv6 module 62 case studies
Vi Tính Hoàng Nam
CHFI 1
CHFI 1
Desmond Devendran
Ce hv6 module 14 denial of service TH3 professional security
Ce hv6 module 14 denial of service TH3 professional security
defquon
File000126
File000126
Desmond Devendran
Network protocols and vulnerabilities
Network protocols and vulnerabilities
G Prachi
Ch13 Protecting Networks with Security Devices
Ch13 Protecting Networks with Security Devices
phanleson
BAIT1003 Chapter 11
BAIT1003 Chapter 11
limsh
File000154
File000154
Desmond Devendran
Network defenses
Network defenses
G Prachi
Ccna 1 8
Ccna 1 8
Vahdet Shehu
Cyber security tutorial2
Cyber security tutorial2
sweta dargad
La actualidad más candente
(20)
Ceh V5 Module 07 Sniffers
Ceh V5 Module 07 Sniffers
Ce hv6 module 50 software piracy and warez
Ce hv6 module 50 software piracy and warez
Ceh v5 module 15 hacking wireless networks
Ceh v5 module 15 hacking wireless networks
Ce hv6 module 41 hacking usb devices
Ce hv6 module 41 hacking usb devices
File000148
File000148
Ceh v5 module 17 physical security
Ceh v5 module 17 physical security
Ceh v5 module 06 trojans and backdoors
Ceh v5 module 06 trojans and backdoors
Ceh v5 module 18 linux hacking
Ceh v5 module 18 linux hacking
File000146
File000146
Ce hv6 module 62 case studies
Ce hv6 module 62 case studies
CHFI 1
CHFI 1
Ce hv6 module 14 denial of service TH3 professional security
Ce hv6 module 14 denial of service TH3 professional security
File000126
File000126
Network protocols and vulnerabilities
Network protocols and vulnerabilities
Ch13 Protecting Networks with Security Devices
Ch13 Protecting Networks with Security Devices
BAIT1003 Chapter 11
BAIT1003 Chapter 11
File000154
File000154
Network defenses
Network defenses
Ccna 1 8
Ccna 1 8
Cyber security tutorial2
Cyber security tutorial2
Similar a File000141
Ceh v5 module 07 sniffers
Ceh v5 module 07 sniffers
Vi Tính Hoàng Nam
DDOS ATTACKS
DDOS ATTACKS
Shaurya Gogia
Network security
Network security
Vikas Jagtap
Ceh v5 module 03 scanning
Ceh v5 module 03 scanning
Vi Tính Hoàng Nam
Where are we with Securing the Routing System?
Where are we with Securing the Routing System?
APNIC
Router forensics
Router forensics
Taruna Chauhan
6.Routing
6.Routing
phanleson
Introduction to cyber forensics
Introduction to cyber forensics
Anpumathews
Basic ccna interview questions and answers ~ sysnet notes
Basic ccna interview questions and answers ~ sysnet notes
Vamsi Krishna Kalavala
2014.7.9 detecting p2 p botnets through network behavior analysis and machine...
2014.7.9 detecting p2 p botnets through network behavior analysis and machine...
ericsuboy
NP - Unit 4 - Routing - RIP, OSPF and Internet Multicasting
NP - Unit 4 - Routing - RIP, OSPF and Internet Multicasting
hamsa nandhini
Unix Web servers and FireWall
Unix Web servers and FireWall
webhostingguy
Unix Web servers and FireWall
Unix Web servers and FireWall
webhostingguy
Java Abs Network Border Patrol
Java Abs Network Border Patrol
ncct
Networking in college
Networking in college
Harpreet Gaba
PLNOG 8: Merike Kaeo - Guide to Building Secure Infrastructures
PLNOG 8: Merike Kaeo - Guide to Building Secure Infrastructures
PROIDEA
PT.pptx
PT.pptx
FranzLawrenzDeTorres1
CCNA FUNDAMENTAL
CCNA FUNDAMENTAL
Er Aadarsh Srivastava
Mr201304 open flow_security_eng
Mr201304 open flow_security_eng
FFRI, Inc.
Ce hv6 module 63 botnets
Ce hv6 module 63 botnets
Vi Tính Hoàng Nam
Similar a File000141
(20)
Ceh v5 module 07 sniffers
Ceh v5 module 07 sniffers
DDOS ATTACKS
DDOS ATTACKS
Network security
Network security
Ceh v5 module 03 scanning
Ceh v5 module 03 scanning
Where are we with Securing the Routing System?
Where are we with Securing the Routing System?
Router forensics
Router forensics
6.Routing
6.Routing
Introduction to cyber forensics
Introduction to cyber forensics
Basic ccna interview questions and answers ~ sysnet notes
Basic ccna interview questions and answers ~ sysnet notes
2014.7.9 detecting p2 p botnets through network behavior analysis and machine...
2014.7.9 detecting p2 p botnets through network behavior analysis and machine...
NP - Unit 4 - Routing - RIP, OSPF and Internet Multicasting
NP - Unit 4 - Routing - RIP, OSPF and Internet Multicasting
Unix Web servers and FireWall
Unix Web servers and FireWall
Unix Web servers and FireWall
Unix Web servers and FireWall
Java Abs Network Border Patrol
Java Abs Network Border Patrol
Networking in college
Networking in college
PLNOG 8: Merike Kaeo - Guide to Building Secure Infrastructures
PLNOG 8: Merike Kaeo - Guide to Building Secure Infrastructures
PT.pptx
PT.pptx
CCNA FUNDAMENTAL
CCNA FUNDAMENTAL
Mr201304 open flow_security_eng
Mr201304 open flow_security_eng
Ce hv6 module 63 botnets
Ce hv6 module 63 botnets
Más de Desmond Devendran
Siam key-facts
Siam key-facts
Desmond Devendran
Siam foundation-process-guides
Siam foundation-process-guides
Desmond Devendran
Siam foundation-body-of-knowledge
Siam foundation-body-of-knowledge
Desmond Devendran
Enterprise service-management-essentials
Enterprise service-management-essentials
Desmond Devendran
Service Integration and Management
Service Integration and Management
Desmond Devendran
Diagram of iso_22301_implementation_process_en
Diagram of iso_22301_implementation_process_en
Desmond Devendran
File000176
File000176
Desmond Devendran
File000175
File000175
Desmond Devendran
File000174
File000174
Desmond Devendran
File000173
File000173
Desmond Devendran
File000172
File000172
Desmond Devendran
File000171
File000171
Desmond Devendran
File000170
File000170
Desmond Devendran
File000169
File000169
Desmond Devendran
File000168
File000168
Desmond Devendran
File000167
File000167
Desmond Devendran
File000166
File000166
Desmond Devendran
File000165
File000165
Desmond Devendran
File000164
File000164
Desmond Devendran
File000163
File000163
Desmond Devendran
Más de Desmond Devendran
(20)
Siam key-facts
Siam key-facts
Siam foundation-process-guides
Siam foundation-process-guides
Siam foundation-body-of-knowledge
Siam foundation-body-of-knowledge
Enterprise service-management-essentials
Enterprise service-management-essentials
Service Integration and Management
Service Integration and Management
Diagram of iso_22301_implementation_process_en
Diagram of iso_22301_implementation_process_en
File000176
File000176
File000175
File000175
File000174
File000174
File000173
File000173
File000172
File000172
File000171
File000171
File000170
File000170
File000169
File000169
File000168
File000168
File000167
File000167
File000166
File000166
File000165
File000165
File000164
File000164
File000163
File000163
Último
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
Mattias Andersson
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
ScyllaDB
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
Manik S Magar
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
null - The Open Security Community
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
Alex Barbosa Coqueiro
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
BookNet Canada
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
Fwdays
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
2toLead Limited
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
Lorenzo Miniero
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
Slibray Presentation
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
NavinnSomaal
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
Enterprise Knowledge
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
Mark Billinghurst
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
Sergiu Bodiu
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
Fwdays
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
hariprasad279825
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
Commit University
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
DianaGray10
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
UiPathCommunity
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
Rizwan Syed
Último
(20)
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
File000141
1.
Module XXVIII –
Router Forensics
2.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited News: Spotted in the Wild: Home Router Attack Serves Up Counterfeit Pages Source: http://www.theregister.co.uk/
3.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited News: Wifi Flu Viral Router Attack Could Hit Whole Cities Source: http://arstechnica.com/
4.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Scenario Two Pinehurst men, Dalton Johnson of 37 years and David Alan Brady of 40 years, were arrested on September 14, 2006, on the charges of selling prescription drugs over the Internet. Their company allegedly sold generic versions of the prescription steroids, drugs such as Valium and Xanax and sex-enhancing drugs such as Viagra and Cialis. They were accused of selling unregulated drugs manufactured in Belize and marketed through "spam" e-mails as low-price Canadian drugs. The e-mails would direct customers to one of the several web sites where they can order the drugs which would be shipped from Belize. The Drug Enforcement Agency (DEA) and the Food and Drug Administration (FDA) conducted the investigation along with other agencies. Moore County sheriff's deputies along with federal investigators raided the homes of the two Pinehurst men and arrested them.
5.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Module Objective • Router • Router Architecture • Routing Information Protocol • Types of Router Attacks • Router Forensics vs. Traditional forensics • Steps for Investigating Router Attacks • Investigating Routers • Incident Response • Router Logs • Router Auditing Tools This module will familiarize you with:
6.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Module Flow Router Types of Router attacks Routing Information Protocol Router Forensics vs. Traditional Forensics Routing Architecture Incident Response Steps for Investigating Router Attacks Router Logs Router Auditing Tools
7.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Router Router is a computer networking device that forwards data packets across a network It is connected to atleast two networks, commonly a LAN and its ISP’s network or two LANs Routing occurs at layer 3 (the Network layer e.g. IP) of the OSI seven-layer protocol stack Router software determines which of the several possible paths between those addresses suite a particular transmission Uses headers and forwarding tables to determine the best path for forwarding the packets Uses protocols such as ICMP to communicate and configure the best route between any two hosts
8.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Functions of a Router Router decides the most effective path for a packet to reach its final destination It transfers link state data within and amid the routing groups It acts as a default gateway It limits the network broadcasts to the local LAN “Protocol translator”: Provided if there are suitable hardware and software
9.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited A Router in an OSI Model 1 2 3 4 5 6 7 1 2 3 4 5 6 7 Physical Data Link Network Transport Session Presentation Application Application Presentation Session Transport Network Data Link Physical 1 2 1 2 3 Network Network System A System B Router
10.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Routing Table and its Components Routing table determines the final destination of the data packets in a network • An address prefix • Interface on which packets corresponding to the address prefix are forwarded • A next-hop address • A preference value for choosing between several routes with similar prefix • Route duration • Specification showing whether the route is advertised in a routing advertisement • Kind of route It consists of the following:
11.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Router Architecture Internetwork Operating System(IOS) • Non-Volatile Random Access Memory (NVRAM): • Content: Startup Configuration • Static RAM/Dynamic RAM • Content: Current Internetwork Operating System(IOS), Routing tables • BootROM • Content: ROMMON Code Memory • Model/Series • Content: Motherboard, CPU, Input/Output Interfaces Hardware
12.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Routing Information Protocol RIP sends routing-update messages at regular intervals and when the network topology changes When a router receives a routing update that includes changes to an entry, it updates its routing table to reflect the new route The distance between the source and the destination network is calculated with the help of a hop-count metric RIP routers maintain only the best route (the route with the lowest metric value) to a destination After updating its routing table, the router immediately begins transmitting routing updates to inform other network routers of the change
13.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Implications of a Router Attack • Interrupt communications by dropping or misrouting packets passing through the router • Completely disable the router and its network • Compromise other routers in the network and possibly the neighboring networks • Observe and log both the incoming and outgoing traffic • May avoid firewalls and Intrusion Detection Systems • Forward any kind of traffic to the compromised network If an intruder can acquire control over a router, he/she can:
14.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Routers Vulnerabilities • Using a URL such as http://router.address/level/$NUMBER/exec/.... where $NUMBER is an integer between 16 and 99, it is possible for a remote user to gain full administrative access HTTP Authentication Vulnerability • By sending a crafted NTP control packet, it is possible to trigger a buffer overflow in the NTP daemon NTP Vulnerability • Malformed SNMP messages received by affected systems can cause various parsing and processing functions to fail, which results in a system crash and reload • In some cases, access-list statements on the SNMP service do not protect the device SNMP Parsing Vulnerability
15.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Types of Router Attacks Denial of Service attack Packet mistreating attacks Routing table poisoning Flooding Hit-and-run attacks Persistent attacks
16.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Router Attack Topology
17.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Denial of Service (DoS) Attacks DoS attack overloads the routers and renders it completely inaccessible to legitimate network users A DoS attack may lead to: • Damage the capability of the router to operate Destruction • Achieved by overflowing the router with numerous open connections at the same time Resource Utilization • Attempted to utilize the bandwidth capacity of the router’s network Bandwidth Consumption
18.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Packet “Mistreating” Attacks The attacker carrying out a packet mistreating attack might acquire an actual data packet and mistreat it This attack occurs in data transmission phase • Congestion • Denial-of-service • Decrease in throughput A compromised router misleads packets that results in:
19.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Routing Table Poisoning Routing table poisoning is accomplished by maliciously altering the routing data update packets needed by the routing protocols Wrong entries in routing table misdirects the data packets It leads to a breakdown of one or more systems on the network
20.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Hit-and-Run and Persistent Attacks • Attacker injects a single or a few bad packets into the router • Usually these type of attacks are difficult to detect Hit-and-run attacks • Attacker constantly injects bad packets into the router • Causes significant damage Persistent attacks
21.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Router Forensics vs. Traditional Forensics • System needs to be online for investigation purpose • Flash data most likely remains constant • Live system data needs to be recovered and is critical for analysis Router forensics • System needs to be shutdown for investigation purpose • Creates a copy for forensic investigations and analysis • Live system data is usually not recovered Traditional forensics
22.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Steps for Investigating Router Attacks Seize the router and maintain the chain of custody Identify the router configuration Incident response and session recording Accessing the router Volatile evidence gathering Examination and Analysis Report Generation
23.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Seize the Router and Maintain Chain of Custody Before starting the investigation process, seize the router so that nobody can change the configuration of the router The "chain of custody" is a concept which applies to the handling of the evidence and its integrity • Where you received the evidence • When you received the evidence • From whom you received the evidence • What your seizure methods were • Why you seized the evidence • Who collected and handled the evidence It tells about:
24.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Sample Chain Of Custody (COC) Form
25.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Sample Chain Of Custody (COC) Form (cont’d)
26.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Guidelines for the Router Forensic Start with a security policy and develop a plan to include collecting and defining data Create a reconnaissance methodology that provides information about the target Perform an analysis for identifying incidents, default passwords and setting information Develop an attack strategy for analyzing commands to access the network, access control lists, firewalls, and protocols
27.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Incident Response • Never restart the router • Do not modify, but record • Incident Response determines: • Where the incident happened • What to do about it • Whether the response is fraud related Guidelines for responding to a router attack incident:
28.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Recording Session Start recording the session before logging on to the router Show the current time using show clock detail command
29.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Accessing the Router Access the router to gain attack related information Certain Dos and Don’ts while accessing the router: • Access the router through the console • Record your entire console session • Record the actual time and the router’s time • Execute show commands • Record the volatile information Do’s: • REBOOT THE ROUTER • Access the router through the network • Run configuration commands • Rely only on persistent information Don’ts:
30.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Volatile Evidence • Current configuration • Access list • Time • Log file Volatile Evidence present in the router are as follows:
31.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Obtaining Configuration of Router To retrieve RAM and NVRAM, first establish connection to the router using the console port using RJ-45-RJ-45 rolled cable and an RJ-45-to-DB-9 female DTE adapter If direct connection is not possible then use the encrypted protocol secure shell to remotely access the router Log entire session with hyper terminal Capture both volatile and non-volatile configuration for comparison changes and documentation purposes • Stored configuration: It is non volatile configuration stored in the Non-Volatile RAM (NVRAM) • Current configuration: It is a volatile configuration which is kept in Random Access Memory There are two router configurations:
32.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Volatile Evidence Gathering Volatile evidence should be collected as early as possible • Direct Access: Using show commands • Indirect Access: Using Scanning Tool There are two ways to gather volatile evidence from the router:
33.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Direct Access: Using show Commands show clock: This command shows the time history of the router which helps in cross referencing with the incident show Version: It will show the name of hardware and software used by the router Show startup-configuration: This command is used to show the configuration of router which is used to boot the router show ip route: This command shows table of path which the router follows to forward packets show access list: It shows the access lists which are used to implement the security policies
34.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Indirect Access: Using Scanning Tool If the attacker modifies the password stored in the memory, the authorized user cannot logon the router He/she has to reboot the system which leads to loss of the attacker’s configuration command If the password is changed, gather the volatile evidence using the scanning tools such as Nmap Commands used in Nmap are: •nmap -v -sS -P0 -p 1- Router.domain.com •nmap -v -sU -P0 -p 1- Router.domain.com •nmap -v -sR -P0 -p 1- Router.domain.com Port scan •snmpwalk –v1 Router.domain.com public •snmpwalk –v1 Router.domain.com private SNMP Scan:
35.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Compare the Configuration of Router Compare the startup configuration with running configuration of the Router • show startup-config • show running-config Command used:
36.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Examine the Router Table Router table are shown using the command show ip route Routing table contains the path which shows how the router forwards packets Check the covert channel which is the unauthorized path to divert the packets
37.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Examine the Access Control List Control list is shown using the command show access list Examine the access control list of the router to identify the attacker Attacker can enter the network as a trusted network address Check the static control which helps the attacker to enter the website
38.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Router Logs Router log shows what happens on your routers It receives and stores all log messages It shows if anyone has been trying to get into your network It allows the user to access all the Internet resources but when it finds several harmful accesses, it warns the user It provides information to find out where the data are coming from and with factors, such as the port number, you can determine, if this is really a threat or just some annoying maintenance It also shows what IP addresses from inside the network went online, and where they went
39.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Router Logs (cont’d) With the help of IP address shown by the Router log, it is possible to determine the actual host name Run the ping or Nslookup commands from a command line: • Go to Start/Run and type "cmd" for XP/2K users and "command" for the 95/98/ME users • Type the Ping command along with the switch such as "-a" and then the IP address of the suspicious service
40.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Example of Router Logs
41.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited NETGEAR Router Logs • Alerts you when someone on the Internet tried to access a blocked address in your LAN • Alerts you when someone on the Internet has tried to access a blocked address in your LAN • Identify port scans, attacks, and administrative logins • Collect statistics on outgoing traffic for administration purposes • Assess whether the keyword block rules are excluding the IP addresses you intended NETGEAR router logs can be used to: • The main purpose of logging is to collect information about traffic coming into LAN • If you use logging with firewall rules, and many entries are logged, it can reduce the router's regular traffic throughput • Routers can send up to 120 email notifications an hour • In a rule, the domain name can be blocked, but not subdivisions Features:
42.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited NETGEAR Router Logs (cont’d) • If multiple entries in the log show suspicious data being dropped, then there is an attack • In most cases, the same ports or source IP addresses are indicated in each log entry Example 1: • A single such message (ending with DOS — Denial of Service) may just be a random packet, however several messages indicate a probable attack Example 2: Log entries indicating an attack:
43.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Link Logger http://www.linklogger.com/ Link logger enables you to see and learn about Internet security and your network traffic It is designed to take logging information sent out from your router/firewall, process it and shows scans, attacks and what is happening on the router/firewall It shows when and where the attacks are coming from, and the type of attack It allows to monitor and administer the systems on the LAN The traffic analysis and reporting features help to monitor and understand the network traffic, and also help to communicate with others
44.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Link Logger: Screenshot
45.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Sawmill: Linksys Router Log Analyzer http://www.sawmill.net/ Sawmill can process log files in LinkSys Router format, and generate dynamic statistics and analyze and report events from them It can parse LinkSys Router logs and import them into a SQL database It performs router analysis on any platform, including Window, Linux, FreeBSD, OpenBSD, Mac OS, Solaris, and UNIX
46.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Sawmill: Linksys Router Log Analyzer (cont’d) • Field Internal Name • date/time date_time • day of week day_of_week • hour of day hour_of_day • source host source_host • destination host destination_host • source port source_port • destination port destination_port It stores the following fields in its database for LinkSys Router, generates reports for each field, and allows dynamic filtering on any combination of these fields • Numerical Field Internal Name • packets packets It stores the following numerical fields in its database for LinkSys Router, aggregating them, and including them as columns in most reports
47.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Logging • The syslog server receives and stores all the log messages Syslog logging • When show logging command is executed, contents of the router log buffer are revealed Buffer logging • Record console sessions Console logging • Record non-console sessions and view log messages Terminal logging • Log server accepts and records all SNMP traps SNMP logging • Access Control Lists configured for logging packets matching their rules by stopping the ACL using log or log-input keywords • Router’s log buffer receives and stores these log messages • These log messages are also sent to the syslog server ACL Violation Logging
48.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Real Time Forensics After removing or collecting information from the compromised router, you can use the router to monitor the network and itself by turning on logging if it was not previously Router#config terminal Router(config)#service timestamps log datatime msec localtime show-timezone Router(config)#no logging console Router(config)#logging on Router(config)#logging buffered 32000 Router(config)#logging buffered informational Router(config)#logging facility local6 Router(config)#logging trap informational Router(config)#logging Syslog-server.domain.com Router Time zone Log
49.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Real Time Forensics (cont’d) Using AAA provided even greater ability to log information; TACACS+ even allows you to log every command executed on the router to the Network Access Server Router#config terminal Router(config)#aaa accounting exec default start-stop group tacacs+ Router(config)#aaa accounting system default stop-only group tacacs+ Router(config)#aaa accounting connection default start-stop group tacacs+ Router(config)#aaa accounting network default start-stop group tacacs+ Router TACACS+ Log
50.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Real Time Forensics (cont’d) You can also use ACL logging to count packets and log specific events. By configuring syslog logging and analyzing your syslog files in real time, you can perform real time monitoring • access-list 149 permit tcp host 130.18.59.1 any eq 161 log-input • It will not block any packets, but will log all incoming SNMP requests from 130.18.59.1 to any internal host The ACL • access-list 148 deny tcp 130.18.59.0 0.0.0.255 any eq 53 log-input access-list 148 deny udp 130.18.59.0 0.0.0.255 any eq 53 log-input • It will block and log any DNS packets from the subnet 130.18.59.0/24 to any internal host The ACLs
51.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Router Audit Tool (RAT) http://www.cisecurity.org/ RAT is designed to help audit the configurations of Cisco routers quickly and efficiently It is a Perl Script program primarily meant for automating audits • snarf: downloads rtr config files • ncat: reads the rule base and configuration files and provides output in a text file • ncat_report: creates the html pages from the text files • ncat_config: performs localization of the rule base It consolidates other four Perl programs:
52.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited RAT Screenshot
53.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Generate the Report Note the name of the Investigator List the router evidence Document the evidence and other supporting items List tools used for investigation List devices and set up used in examination Describe briefly the examination steps Give details about the finding: • Information about the files • Internet related evidence • Data and image analysis Give conclusion of the investigation
54.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited Summary Router is a computer networking device that forwards data packets across a network Router decides the most effective path for a packet to reach its final destination Types of router attacks are Denial of Service attack, Packet mistreating attacks, Routing table poisoning, Flooding, Hit-and-run attacks, and Persistent attacks RIP sends routing-update messages at regular intervals and when the network topology changes Router log shows if anyone has been trying to get in to the network
55.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
56.
EC-Council Copyright © by
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Descargar ahora