Forensics Book 4: Investigating Network Intrusions and Cybercrime

Chapter 4: Router Forensics


Copyright © by EC-Council Press All rights reserved. Reproduction is strictly prohibited

Objectives

Understand router architecture
Understand the use of Routing Information Protocol (RIP)
List the different types of router attacks
Differentiate router forensics from traditional forensics
List the steps for investigating router attacks
Conduct an incident response
Read router logs
List various router auditing tools


Introduction to Router Forensics

Router
  Network-layer device or software application that determines the next network point to which a data packet should be forwarded in a packet-switched network
  Decides where to send information packets based on its current understanding of the state of the networks it is connected to, as well as the network portion of the Internet Protocol (IP) address
  Routers use headers and forwarding tables to determine the best path for sending data packets


Functions of a Router

Basic functions of a router:
  Forwarding packets
  Sharing routing information
  Packet filtering
  Network address translation (NAT)
  Encrypting or decrypting packets in the case of virtual private networks (VPNs)
Overall, a router:
  Is the backbone of a network and performs significant network functions
  Has the additional responsibility of protocol interpretation


Functions of a Router (continued)

A router in the OSI model
  Operates at the network layer of the OSI model
  Relays packets among multiple interconnected networks
  Forwards the packets to the next router on the path until the destination is reached
  Generally sends the packets through that particular route once the best route is identified
Router architecture
  Memory
  Hardware
  IOS


Functions of a Router (continued)

Figure 4-1 Routers operate in the physical, data link, and network layers of the OSI model.


Functions of a Router (continued)

The routing table and its components
  Routing table: database that stores the most efficient routes to particular network destinations
  Components of a routing table:
    Address prefix specifying the address of the final destination of the packet
    Interface on which the packets corresponding to the address prefix are transmitted
    Next hop address specifying the address of the router to which a packet must be delivered en route to its final destination


Functions of a Router (continued)

Components of a routing table (continued):
  Preference value for choosing between several routes with similar prefixes
  Route duration
  Specification showing whether the route is advertised in a routing advertisement
  Specification on how the route is aged
  Route type
Routing Information Protocol (RIP)
  Protocol used to manage router information within a self-contained network
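The routing-table components above, as an added example that is not part of the EC-Council text: a small table that stores address prefix, interface, next hop, preference value and route type, and resolves a destination by longest-prefix match, using the preference value to choose between routes that share a prefix. Interface names, addresses and route types are constructed sample data.

```python
# Added example, not from the EC-Council text: a minimal routing table holding
# the components the slides list (address prefix, interface, next hop,
# preference value, route type) and resolving a destination by longest-prefix
# match, with the preference value breaking ties between routes that share a
# prefix. All entries are constructed sample data.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network  # address prefix of the final destination
    interface: str                 # interface packets for this prefix leave on
    next_hop: str                  # router the packet is handed to en route
    preference: int                # lower is preferred when prefixes tie
    route_type: str                # e.g. "connected", "static", "rip"


class RoutingTable:
    def __init__(self) -> None:
        self._routes: List[Route] = []

    def add(self, prefix: str, interface: str, next_hop: str,
            preference: int, route_type: str) -> None:
        net = ipaddress.ip_network(prefix, strict=True)  # rejects host bits set
        self._routes.append(Route(net, interface, next_hop, preference, route_type))

    def lookup(self, destination: str) -> Optional[Route]:
        """Best route for destination, or None when no prefix covers it."""
        addr = ipaddress.ip_address(destination)
        candidates = [r for r in self._routes if addr in r.prefix]
        if not candidates:
            return None
        # Longest prefix wins; equal prefix lengths fall back to lowest preference.
        return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.preference))


def build_sample_table() -> RoutingTable:
    """Constructed table: a default route, two competing /16s and a connected /24."""
    rt = RoutingTable()
    rt.add("0.0.0.0/0", "Gi0/0", "203.0.113.1", 1, "static")
    rt.add("10.1.0.0/16", "Gi0/1", "10.1.0.254", 120, "rip")
    rt.add("10.1.0.0/16", "Gi0/2", "10.1.0.253", 1, "static")  # same prefix, preferred
    rt.add("10.1.5.0/24", "Gi0/3", "0.0.0.0", 0, "connected")   # more specific
    return rt


if __name__ == "__main__":
    table = build_sample_table()
    for dst in ("10.1.5.7", "10.1.9.9", "8.8.8.8", "192.0.2.1"):
        r = table.lookup(dst)
        print(f"{dst} -> {r.prefix} via {r.next_hop} on {r.interface} ({r.route_type})")
```

A poisoned entry (routing table poisoning, covered later in the chapter) would show up here as a more specific prefix or a lower preference value that silently wins the lookup.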


Router Vulnerabilities

Common router vulnerabilities are likely avenues for attack:
  HTTP authentication vulnerability
  NTP vulnerability
  SNMP parsing vulnerability


Router Attacks

An intruder who takes control of a router can perform many different attacks on a network
  Can gain knowledge of all possible vulnerabilities in a network once the router has been accessed
  An attacker who has gained access to a router can interrupt communication, disable the router, stop communication between compromised networks, and observe and record logs of both incoming and outgoing traffic
By compromising a router, attackers can avoid firewalls and intrusion detection systems (IDS), and can transmit any kind of traffic to a chosen network


Types of Router Attacks

Denial-of-service (DoS) attacks
  Render a router unusable for network traffic by overloading the router’s resources so that no one can access it
  Goals: destruction, resource utilization, and bandwidth consumption
Packet-mistreating attacks
  A compromised router mishandles or mistreats packets, resulting in congestion
  A mistreated packet could cause the following problems: denial of service, congestion, and lowering of connection throughput


Types of Router Attacks (continued)

Routing table poisoning
  One of the most prominent types of attacks
  When an attacker maliciously alters, or poisons, a routing table, the routing-data update packets are also maliciously modified
  Misconfigured packets produce false entries in the routing table, such as a false destination address
Hit-and-run attacks
  Occur when an attacker injects a small number of bad packets into the router to exploit the network
  Similar to a test attack: the attacker gains knowledge of whether the network is online and functioning


Types of Router Attacks (continued)

Persistent attacks
  The attacker continuously injects bad packets into the router and exploits the vulnerabilities that are revealed during the course of the injection process
  Can cause significant damage because the router can get flooded with packets and cease functioning due to the constant injection of packets
  Comparatively easy to detect


Router Forensics Versus Traditional Forensics

Router forensics does not differ much from traditional forensics, except in some particular steps taken during investigations
  During router investigations, the system needs to be online, whereas in traditional forensic investigations, the system needs to be powered off
  The system must be online so the forensic investigator can have exact knowledge of what type of traffic flows through the router


Investigating Router Attacks

Guidelines:
  Start with a security policy and develop a plan that includes collecting and defining data
  Create a reconnaissance methodology that provides information about the target
  Perform an analysis check to identify incidents and review default passwords and default information
  Develop an attack strategy for analyzing commands to access the network, ACLs, firewalls, and protocols
  Be careful while accessing the router
  Intrusion analysis is vital to identifying the attacker and preventing the success of future attacks


Investigation Steps

Seize the router and maintain the chain of custody
  The investigator should seize the router so that nobody can change its configuration
  Chain of custody: record of seizure, custody, control, transfer, analysis, and disposition of physical and electronic evidence
Perform incident response and session recording
  The router should not be rebooted unless absolutely necessary
  Record all information and evidence acquired
  No modifications should be made to the information and evidence acquired


Investigation Steps (continued)

Figure 4-2 Chain of custody forms document the evidence-gathering phase of an investigation.


Investigation Steps (continued)

Incidents that should be handled in specific ways:
  Direct-compromise incidents
  Routing table manipulation
  Theft of information
  Denial of service
Access the router (guidelines):
  The router must be accessed through the console
  Record the entire console session
  Record the actual time and the router time
  Only show commands should be executed
  Volatile information must be given priority


Investigation Steps (continued)

Figure 4-3 Every step an investigator takes must be recorded.


Investigation Steps (continued)

Gather volatile evidence
  Volatile evidence: evidence that can easily be lost during the course of a normal investigation
  Items considered volatile evidence: current configuration, access list, time, and log files
  Methods to collect volatile evidence:
    Direct access: carried out using show commands
    Indirect access: carried out only if the attacker has changed the passwords, by port-scanning every router IP


Investigation Steps (continued)

Identify the router configuration
  Establish a connection to the router to retrieve the RAM and NVRAM
  Use the encrypted protocol Secure Shell (SSH) to remotely access the router if a direct connection is not possible
  Log the entire session with HyperTerminal
  Capture and save the volatile and nonvolatile router configurations for documentation purposes
Examine and analyze
  Once the volatile evidence has been secured and the configuration has been obtained, the investigator can begin to analyze the retrieved information
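The seizure, session-recording and capture steps above (chain of custody, recording both the actual time and the router time, show commands only, no modification of acquired evidence), as an added example that is not part of the EC-Council text: a script that turns the saved show-command output into a chain-of-custody manifest with the investigator's name, both clocks and a SHA-256 digest per capture, and later verifies that neither the captures nor the manifest itself were altered. The capture text, hostname and timestamps are constructed.

```python
# Added example, not from the EC-Council text: builds a chain-of-custody
# manifest for the show-command captures taken over the console. It records
# the investigator, the actual time and the router's own clock, and a SHA-256
# digest of every capture, so later analysis can prove that the acquired
# evidence was not modified. Capture text and timestamps are constructed.
import hashlib
import json
from datetime import datetime, timezone

# Constructed captures keyed by the read-only show command that produced them.
SAMPLE_CAPTURES = {
    "show clock": "*14:02:11.000 UTC Mon Mar 3 2014",
    "show running-config": "hostname edge-rtr\n!\naccess-list 101 deny ip any any log\n",
    "show ip route": "R    10.1.0.0/16 [120/1] via 10.1.0.254, 00:00:12, Gi0/1\n",
}


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_manifest(captures: dict, investigator: str,
                   actual_time: str, router_time: str) -> dict:
    """Seizure record: who captured what, when (both clocks), and each digest."""
    entries = [{"command": cmd, "sha256": sha256_hex(out), "length": len(out)}
               for cmd, out in sorted(captures.items())]
    manifest = {
        "investigator": investigator,
        "actual_time_utc": actual_time,   # investigator's clock, ISO 8601
        "router_time": router_time,       # copied verbatim from 'show clock'
        "captures": entries,
    }
    # Digest the record itself so later edits to the manifest are detectable too.
    manifest["manifest_sha256"] = sha256_hex(json.dumps(manifest, sort_keys=True))
    return manifest


def verify_manifest(manifest: dict, captures: dict) -> list:
    """Return the commands whose capture no longer matches; a tampered record is flagged."""
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    if sha256_hex(json.dumps(body, sort_keys=True)) != manifest["manifest_sha256"]:
        return ["<manifest tampered>"]
    return [e["command"] for e in manifest["captures"]
            if sha256_hex(captures.get(e["command"], "")) != e["sha256"]]


if __name__ == "__main__":
    now = datetime.now(timezone.utc).isoformat()
    record = build_manifest(SAMPLE_CAPTURES, "investigator-name", now,
                            SAMPLE_CAPTURES["show clock"])
    print(json.dumps(record, indent=2))
    print("mismatches:", verify_manifest(record, SAMPLE_CAPTURES))
```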


Investigation Steps (continued)

Router components that should be examined and analyzed:
  Router configuration
  Routing table
  Access control list
  Router logs: provide information about the router’s activities
    Types of router logs: syslog log, log buffer, console log, terminal log, SNMP log, and ACL violation log


Investigation Steps (continued)

Figure 4-4 Router log files can tell an investigator where a connection originated.


Investigation Steps (continued)

Figure 4-5 The ping command can be used to find a host name.


Investigation Steps (continued)

NETGEAR router logs
  Can be used for monitoring network activities for specific types of attacks and reporting those attacks to a security monitoring program
  Can be used to perform the following tasks:
    Alert when someone on a LAN has tried to access a blocked WAN address
    Alert when someone on the Internet has tried to access a blocked address in a LAN
    Identify port scans, attacks, and administrative logins
    Collect statistics on outgoing traffic
    Assess whether keyword-blocking rules are excluding an undesired IP address
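The log analysis described in the two passages above (router logs and the ACL violation log showing where a connection originated; router logs used to identify port scans and administrative logins), as an added example that is not part of the EC-Council text: a small analyser that reads syslog-style router log lines, counts denied packets per source, flags sources that touched many distinct ports, and lists administrative logins and configuration changes. The log lines are constructed samples written in the Cisco IOS message style; real output differs between platforms.

```python
# Added example, not from the EC-Council text: a small analyser for router
# syslog / ACL-violation log lines that answers the questions the slides raise:
# where did a connection originate, which sources look like port scans, and
# who logged in with administrative rights. The lines below are constructed
# samples written in the Cisco IOS message style; real logs vary by platform.
import re
from collections import defaultdict

SAMPLE_LOG = """\
Mar  3 14:02:31 edge-rtr 101: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(40001) -> 10.1.5.10(22), 1 packet
Mar  3 14:02:31 edge-rtr 102: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(40002) -> 10.1.5.10(23), 1 packet
Mar  3 14:02:32 edge-rtr 103: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(40003) -> 10.1.5.10(80), 1 packet
Mar  3 14:02:32 edge-rtr 104: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(40004) -> 10.1.5.10(443), 1 packet
Mar  3 14:02:33 edge-rtr 105: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(40005) -> 10.1.5.10(8080), 1 packet
Mar  3 14:05:10 edge-rtr 106: %SEC-6-IPACCESSLOGP: list 101 denied udp 192.0.2.9(53) -> 10.1.5.53(53), 1 packet
Mar  3 14:07:44 edge-rtr 107: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 198.51.100.7] [localport: 22] at 14:07:44 UTC Mon Mar 3 2014
Mar  3 14:08:01 edge-rtr 108: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (198.51.100.7)
"""

ACL_DENY = re.compile(r"%SEC-6-IPACCESSLOGP: list (\S+) denied (\w+) "
                      r"(\d+\.\d+\.\d+\.\d+)\((\d+)\) -> (\d+\.\d+\.\d+\.\d+)\((\d+)\)")
LOGIN = re.compile(r"%SEC_LOGIN-5-LOGIN_SUCCESS: .*\[user: (\S+)\] \[Source: (\S+)\]")
CONFIG = re.compile(r"%SYS-5-CONFIG_I: Configured from \S+ by (\S+) on (\S+) \((\S+)\)")


def analyse(log_text: str, scan_threshold: int = 4) -> dict:
    """Summarise denied connections, probable port scans and administrative access."""
    denied = defaultdict(set)    # source ip -> (dst, proto, port) tuples it was denied on
    origins = defaultdict(int)   # source ip -> number of denied packets
    admin = []                   # (event, user, source) tuples
    for line in log_text.splitlines():
        if m := ACL_DENY.search(line):
            _acl, proto, src, _sport, dst, dport = m.groups()
            denied[src].add((dst, proto, int(dport)))
            origins[src] += 1
        elif m := LOGIN.search(line):
            admin.append(("login", m.group(1), m.group(2)))
        elif m := CONFIG.search(line):
            admin.append(("config-change", m.group(1), m.group(3)))
    scans = sorted(src for src, ports in denied.items() if len(ports) >= scan_threshold)
    # An admin login from an address that was also scanning is the finding to escalate.
    suspicious_admin = sorted({src for _, _, src in admin if src in scans})
    return {"denied_by_source": dict(origins), "port_scanners": scans,
            "admin_events": admin, "admin_from_scanner": suspicious_admin}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```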


Investigation Steps (continued)

Figure 4-6 NETGEAR router logs allow the user to apply various firewall rules.


Investigation Steps (continued)

Figure 4-7 Entries indicating suspicious data being dropped are a possible indication of an attack.


Investigation Steps (continued)

Real-time forensics
  The investigator should use the router to monitor the network, after removing or collecting the data from the compromised router
  AAA logging gathers the following information:
    Login time
    Logout time
    HTTP accesses
    Privilege level changes
    Commands executed


Investigation Steps (continued)

Generate a report (steps):
  Note the name of the investigator
  List the router evidence
  Document the evidence and other supporting items
  Provide a list of tools used for the investigation
  List the devices and setup used in the examination
  Give a brief description of the examination steps
  Provide the following details about the findings:
    Information about the files
    Internet-related evidence
    Data and image analysis
  Provide conclusions for the investigation


Router Audit Tool (RAT)

Figure 4-8 The RAT tool checks devices against settings in a benchmark.


Link Logger

Figure 4-9 Link Logger allows users to see and analyze firewall traffic.


Sawmill

Table 4-1 Sawmill stores these nonnumerical fields in its Linksys router database


Summary

A router is a computer networking device that forwards data packets across networks

A router decides the most effective path for a packet to reach its final destination

A routing table is a database that stores the most efficient routes to particular network destinations

The types of router attacks are denial-of-service attacks, packet-mistreating attacks, routing table poisoning, hit-and-run attacks, and persistent attacks


Summary (continued)

RIP sends routing update messages when the network topology changes

A router log shows whether anyone has been trying to get into a network

Investigators must be careful while accessing a router