Section 4.2
Network Forensics
TRACKING HACKERS THROUGH CYBERSPACE
THE MISSION
The case: While a fugitive in Mexico, Mr. X remotely infiltrates the Arctic Nuclear Fusion Research Facility (ANFRF) lab network over the Internet. Sadly, Mr. X is not yet very stealthy.

Meanwhile . . . Unfortunately for Mr. X, the ANFRF network is instrumented to capture flow record data. Security staff notice port scanning from his external IP address, 172.30.1.77, beginning at 2011-04-27 12:51:46 in the Cisco ASA flow record logs. His activities are discovered and analyzed . . . by you!

Challenge: You are the forensic investigator. Your mission is to:
Identify any compromised systems
Determine what the attacker found out about the network architecture
Evaluate the risk of data exfiltration

Since the Arctic Nuclear Fusion Research Facility stores a lot of confidential information, management is highly concerned about the risk of data exfiltration. If you find suspicious traffic, provide an analysis of the risk that Secret Information was compromised. Be sure to carefully justify your conclusions.
DMZ: 10.30.30.0/24
The Internet: 172.30.1.0/24 [Note that for the purposes of this case study, we are treating the 172.30.1.0/24 subnet as the Internet. In real life, this is a reserved nonroutable IP address space.]
Evidence: Security staff at ANFRF collect network flow data from a Cisco ASA switch/firewall that connects all three subnets at the perimeter. The flow record data is exported in Cisco's NetFlow v9 format to a collector running nfcapd. (Note that to collect data in Cisco's proprietary NetFlow v9 format, a specific fork of the nfdump suite, nfdump-1.5.8-NSEL, was used for collection and analysis.) In addition, the Cisco ASA is also configured with a SPAN port that monitors the Internal and DMZ subnets. There is an Argus listener connected to the SPAN port, which retains flow record data in Argus format from the two subnets (192.168.30.0/24 and 10.30.30.0/24).

You are provided with two files containing data to analyze:
cisco-asa-nfcapd.zip A zip archive containing flow records from the perimeter Cisco ASA, stored by the nfdump collector utility (nfcapd) in 5-minute increments.
argus-collector.ra An Argus archive containing flow record data collected from the Internal and DMZ subnets via a SPAN port.
IMPORTANT NOTES
As you will see in the flow record data, there is a time skew of approximately 8 seconds between the Cisco ASA and the Argus listener. In addition, be aware that Network Address Translation (NAT) is used on this network. The DMZ IP address 10.30.30.20 translates to the external address 172.30.1.231, and the internal IP address 192.168.30.101 translates to the external address 172.30.1.227. Please note that the command output shown in the analysis has been modified to fit the page (in some cases, extraneous columns have been removed for brevity).
Flows that were not DENIED by the firewall reached the target system and led to a response
Notice port 22
Port 22 = ssh
Common target for brute-force
Process is commonly automated
Regular intervals
Same small amount of data
Notice the byte change at 2011-04-27 13:00:41.962 followed by a quick connection. At 2011-04-27 13:01:00.133 a flow was created from 172.30.1.77 (attacker) to 172.30.1.231 (target).
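An added example (not from the book or the case materials) of the brute-force signature described above: a small Python check that flags a (source, destination) pair whose port-22 flows recur at a near-constant interval with near-identical byte counts, then lists the flows whose size breaks the pattern. The flow records, field names and thresholds are constructed for illustration.

```python
from collections import namedtuple
from statistics import mean, pstdev

# Constructed flow records modelled on the case: repeated short SSH flows from
# the attacker (172.30.1.77) to the DMZ victim's external address (172.30.1.231).
# Fields: start time (seconds since capture start), src, dst, dst port, bytes.
Flow = namedtuple("Flow", "start src dst dport bytes")

SAMPLE_FLOWS = [Flow(6.0 * i, "172.30.1.77", "172.30.1.231", 22, 1284) for i in range(40)]
SAMPLE_FLOWS.append(Flow(248.0, "172.30.1.77", "172.30.1.231", 22, 4912))   # size changes
SAMPLE_FLOWS.append(Flow(330.0, "172.30.1.77", "172.30.1.231", 22, 88000))  # long session
SAMPLE_FLOWS.append(Flow(12.0, "172.30.1.50", "172.30.1.231", 443, 3000))   # unrelated


def find_regular_bursts(flows, dport=22, min_flows=10, max_jitter=0.5, max_size_spread=0.05):
    """Group flows by (src, dst) toward dport and report pairs whose flows
    recur at a near-constant interval with near-identical byte counts,
    the signature of an automated password-guessing tool."""
    groups = {}
    for f in flows:
        if f.dport == dport:
            groups.setdefault((f.src, f.dst), []).append(f)
    hits = []
    for (src, dst), fs in groups.items():
        fs.sort(key=lambda f: f.start)
        # keep flows near the most common byte size: automated attempts all look alike
        sizes = [f.bytes for f in fs]
        modal = max(set(sizes), key=sizes.count)
        alike = [f for f in fs if abs(f.bytes - modal) <= modal * max_size_spread]
        if len(alike) < min_flows:
            continue
        gaps = [b.start - a.start for a, b in zip(alike, alike[1:])]
        if pstdev(gaps) <= max_jitter:
            hits.append({"src": src, "dst": dst, "attempts": len(alike),
                         "interval_s": round(mean(gaps), 2), "bytes": modal,
                         "first": alike[0].start, "last": alike[-1].start})
    return hits


def size_outliers(flows, hit, max_size_spread=0.05):
    """Flows between the same pair whose size breaks the pattern: a change in
    bytes after a steady run is where a guess may have succeeded."""
    return [f for f in flows if (f.src, f.dst) == (hit["src"], hit["dst"])
            and abs(f.bytes - hit["bytes"]) > hit["bytes"] * max_size_spread]
```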
HYPOTHESIS SO FAR
Flow records indicate:
PORT 22
Attacker initiated a connection three times
Next we see several short connections every six seconds
Sent TCP SYN, received SYN ACK, handshake established, sent FIN, received FIN
Successful Layer 4 TCP communication
PORT 22 CONTINUED
For more than 15 minutes the connection and subsequent data transfers continue
Notice that at 13:03:31 it begins to send TCP SYN to internal systems on ports 80 and 443, and at 13:03:44 the destination IP addresses become sequential and incremental
Port sweep
Also notice that most systems did not respond
Search records for packets sent from target systems back to the port scanner greater than zero
A CHANGE IN BEHAVIOR
At 04-27-11 13:03:49, 10.30.30.20 began sending SYN packets only to a range of ports on the two systems that responded
Port scan
OPEN PORTS
Sort and count the dst ports targeted
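Added example, not the book's own analysis: Python that performs the sweep/scan classification and the responder search described in the preceding steps over constructed flow records (one port across many hosts is a sweep; many ports against one host is a scan; a destination that sent packets back is a responder). The hosts, ports and the `pkts_in` field are assumptions modelled on the case.

```python
from collections import defaultdict, namedtuple

# Constructed flow records modelled on the Argus view of the DMZ victim's activity.
# Fields: src, dst, dst port, packets sent by src, packets sent back by dst.
Flow = namedtuple("Flow", "src dst dport pkts_out pkts_in")

PIVOT = "10.30.30.20"
SAMPLE = []
# Port sweep: ports 80 and 443 across the internal /24; only .30 and .90 answer.
for host in range(1, 255):
    for port in (80, 443):
        SAMPLE.append(Flow(PIVOT, f"192.168.30.{host}", port, 1, 1 if host in (30, 90) else 0))
# Port scan: 1,000 ports against .30; only 22 and 514 answer.
for port in range(1, 1001):
    SAMPLE.append(Flow(PIVOT, "192.168.30.30", port, 1, 1 if port in (22, 514) else 0))
# Targeted sweep for RDP; .100, .101 and .102 answer.
for host in range(1, 255):
    SAMPLE.append(Flow(PIVOT, f"192.168.30.{host}", 3389, 1, 1 if host in (100, 101, 102) else 0))


def classify(flows, src, min_targets=20):
    """Split one source's flows into sweeps (one port, many hosts) and scans
    (one host, many ports). Returns ({port: host_count}, {host: port_count})."""
    hosts_per_port = defaultdict(set)
    ports_per_host = defaultdict(set)
    for f in flows:
        if f.src == src:
            hosts_per_port[f.dport].add(f.dst)
            ports_per_host[f.dst].add(f.dport)
    sweeps = {p: len(h) for p, h in hosts_per_port.items() if len(h) >= min_targets}
    scans = {h: len(p) for h, p in ports_per_host.items() if len(p) >= min_targets}
    return sweeps, scans


def responders(flows, src, dport=None):
    """Destinations that sent packets back (pkts_in > 0): the 'greater than zero'
    search from the text. Optionally restrict to one destination port."""
    hits = defaultdict(set)
    for f in flows:
        if f.src == src and f.pkts_in > 0 and (dport is None or f.dport == dport):
            hits[f.dst].add(f.dport)
    # sorted port list per host is the 'sort and count the dst ports' view
    return {h: sorted(p) for h, p in hits.items()}
```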
NEXT STEP
From 13:04:09 through 13:04:14, 10.30.30.20 sends TCP SYN packets to sequential IP addresses on 192.168.30.1/24 port 3389
Targeted port sweep
Microsoft's Remote Desktop Protocol (RDP)
Who responded?
PORT 3389
Series of flows from the DMZ 10.30.30.20 to 192.168.30.101
Remember that during the same time frame there was also an SSH connection 172.30.1.77 (external) and 10.30.30.20 (DMZ victim)
Notice the 16,874 bytes of exported data from 192.168.30.101 (an internal system) to the external attacker
Remember:
192.168.30.101 is NAT-ed = 172.30.1.227
8 second time skew
Notice the Layer 4 payload size is smaller than the Argus reported size
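Added example (not from the book) of reconciling the two sensors as the notes above require: it translates Argus private addresses through the stated NAT mapping, removes the 8-second skew, pairs each Argus flow with the matching ASA flow, and reports the byte-count ratio so the smaller Layer 4 count can be seen against the Argus frame count. The records and the tolerance value are constructed.

```python
from collections import namedtuple

# Constructed records from both sensors. ASA records carry the post-NAT external
# address; Argus records (SPAN on the internal/DMZ side) carry the private address
# and run about 8 seconds behind the ASA clock, as the case notes state.
Flow = namedtuple("Flow", "sensor start src dst dport bytes")

NAT = {"192.168.30.101": "172.30.1.227", "10.30.30.20": "172.30.1.231"}
SKEW_S = 8.0  # ASA clock minus Argus clock (assumed sign, constructed data)

ASA = [
    Flow("asa", 1000.0, "172.30.1.227", "172.30.1.77", 21, 16874),  # outbound FTP
    Flow("asa", 1005.0, "172.30.1.77", "172.30.1.231", 22, 91000),  # inbound SSH
]
ARGUS = [
    Flow("argus", 992.4, "192.168.30.101", "172.30.1.77", 21, 17982),
    Flow("argus", 997.1, "172.30.1.77", "10.30.30.20", 22, 95400),
    Flow("argus", 1200.0, "192.168.30.50", "192.168.30.30", 80, 500),  # never left the LAN
]


def to_external(ip):
    """Apply the NAT table; addresses without a translation pass through."""
    return NAT.get(ip, ip)


def correlate(asa_flows, argus_flows, skew=SKEW_S, tolerance=2.0):
    """Pair each Argus flow with the ASA flow that has the same (src, dst, dport)
    after NAT translation and a start time within `tolerance` seconds once the
    skew is removed. Returns a list of (argus, asa, asa_bytes / argus_bytes)."""
    matches = []
    for a in argus_flows:
        key = (to_external(a.src), to_external(a.dst), a.dport)
        for f in asa_flows:
            if (f.src, f.dst, f.dport) != key:
                continue
            if abs((a.start + skew) - f.start) <= tolerance:
                # ASA reports Layer 4 payload, Argus whole frames, so the ratio
                # is expected to be below 1.0; a much larger gap needs a second look.
                matches.append((a, f, round(f.bytes / a.bytes, 3)))
    return matches


def unmatched_argus(asa_flows, argus_flows):
    """Argus flows with no perimeter counterpart, e.g. traffic that stayed internal."""
    paired = {m[0] for m in correlate(asa_flows, argus_flows)}
    return [a for a in argus_flows if a not in paired]
```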
TIMELINE
Notes: April 27, 2011. Times are adjusted to match Argus. Educated guess based on evidence.
12:49:33 Flow captures begin.
12:51:54 Port scanning begins from 172.30.1.77 (attacker) against 172.30.1.231 (DMZ victim). The attacker likely found that port 22 (TCP) was open on the DMZ victim system.
12:52:38 172.30.1.77 begins likely brute-force password-guessing attack against an SSH server on DMZ victim.
13:00:45 172.30.1.77 ends likely brute-force password-guessing attack.
13:01:08 172.30.1.77 begins extended connection to SSH port on DMZ victim.
13:03:31 DMZ victim begins port sweep of internal and DMZ networks on TCP ports 80 and 443. Two systems on the internal network responded: 192.168.30.30 and 192.168.30.90.
13:03:49 DMZ victim ends port sweep of internal and DMZ networks on TCP ports 80 and 443.
TIMELINE CONTINUED
13:03:49 DMZ victim begins port scan of 192.168.30.30 and 192.168.30.90. 1,000 ports were targeted. The attacker found 192.168.30.90:22 (TCP), 192.168.30.30:22 (TCP), and 192.168.30.30:514 (TCP) open.
PG 195
THEORY CONTINUED
From the DMZ victim 172.30.1.231 (10.30.30.20), the attacker also conducted a port sweep of the internal network for open port 3389 (RDP). Three systems had port 3389 open: 192.168.30.100, 192.168.30.101, and 192.168.30.102. The attacker, pivoting through the DMZ victim 172.30.1.231 (10.30.30.20), logged into 192.168.30.101 via RDP. On 192.168.30.101 (172.30.1.227), the attacker used FTP to connect outbound to 172.30.1.77. The attacker transferred a file from the internal system 192.168.30.101 (172.30.1.227) to the attacker's system, 172.30.1.77.
RESPONSE 2
Determine what the attacker found out about the network architecture
DMZ has access to internal systems for TCP ports 22, 80, 443, 514 and 3389
FTP traffic is allowed outbound from internal network
RESPONSE 3
Evaluate the risk of data exfiltration
HIGH
Flow records strongly indicate that an external FTP connection was made and a significant amount of data was transferred
NEXT STEP
Containment/Eradication
Change passwords
Rebuild the compromised systems
Tighten firewall rules
Block outbound TCP connections on ports 20/21
Firewall logs
HDD of compromised systems
Disclaimer: All information and data pulled directly from this book. Pages 184 - 196
Works Cited Davidoff, S., & Ham, J. (2012). Network Forensics Tracking Hackers Through Cyberspace. Boston: Prentice Hall.