router forensics

TARUNA SINGH 1208213035

Upload: taruna-chauhan

Post on 15-Jul-2015


TRANSCRIPT

Page 1: Router forensics

TARUNA SINGH 1208213035

Page 2: Router forensics

AGENDA

Introduction
Overview of Routers
Router Attack Topology
Common Router Attacks
Performing Forensics
Incident Investigation
Accessing the Router
Documentation
What are the “BAD GUYS” doing
What are the “GOOD GUYS” doing
Why do we need to protect Router Resources
Why do we need Router Forensics

Page 3: Router forensics

INTRODUCTION

Router forensics is the application of proven scientific methods and techniques to recover data from routers after an intruder attack and to apply forensic practice (law enforcement, documentation of the incident).

Page 4: Router forensics

WHAT IS A ROUTER?

A computer that specializes in sending packets over the data network. Routers are responsible for interconnecting networks by selecting the best path for a packet to travel to its destination.

Page 5: Router forensics

HOW DOES A ROUTER WORK

Routers forward data packets from one router to the next, using routing protocols and the routing table to choose the optimum path.

The routing table may contain various fields.

Page 6: Router forensics

COMMUNICATION WITH ROUTERS

Through a local cable
Through a modem
Through terminal emulation software

Page 7: Router forensics

ROUTER COMPONENTS

ROM
POST
IOS
RAM
Flash memory
NVRAM

Page 8: Router forensics

PORTS ON ROUTER

LAN Ports
WAN Ports
Administrative ports
- Console ports
- Auxiliary ports

Page 9: Router forensics

MODES OF ROUTER

Setup Mode
User Mode
Privileged Mode
Global Configuration Mode
Interface Mode

Page 10: Router forensics

ROUTER ATTACK TOPOLOGY

Reconnaissance
Scanning and enumeration
Gaining access
Escalation of privilege
Maintaining access
Covering tracks and placing backdoors

Page 11: Router forensics

COMMON ROUTER ATTACKS

Denial of Service Attacks
Packet Mistreating Attacks
Routing Table Poisoning
Hit and Run Attacks
Persistent Attacks

Page 12: Router forensics

PERFORMING FORENSICS

Collection
Examination
Analysis
Reporting

Page 13: Router forensics

GATHER VOLATILE ROUTER DATA

Connect to the console port; this needs a cable and a laptop with terminal emulation software.
Record the system time and determine who is logged on.
Save the router configuration.
Review the routing table to detect malicious static routes modified by the attacker.
View the ARP cache for evidence of IP or MAC spoofing.

Page 14: Router forensics

INCIDENT INVESTIGATION

Direct compromise: via physical access, listening services, password guessing by TFTP, console access

Routing table manipulation: by modifying routing protocols (RIP, IGRP); review the routing table with “show ip route”

Theft of information: via access control and network topology

DoS: resource and bandwidth consumption reduces functionality and network bandwidth

Page 15: Router forensics

Contd...

FOR RECOVERY:

Eliminate listening services
Upgrade of software
Access restriction
Authentication
Change all passwords
Avoid password reuse
Remove static routing entries

Page 16: Router forensics

ACCESSING THE ROUTER

DO

Access the router through the console

Record your entire console session

Run show commands

Record the actual time and the router’s time

Record the volatile information

DON’T

REBOOT THE ROUTER

Access the router through the network

Run configuration commands

Rely only on persistent information
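The console-side collection the slides describe (record the session and both clocks, run only show commands, then check the routing table and ARP cache), as an added example that is not part of the original deck. It assumes a console object exposing send(cmd) -> str; FakeConsole and SAMPLE_OUTPUT are constructed stand-ins with hypothetical addresses so it runs offline.

```python
# Added example (not from the slides): capture and triage volatile router data over the console.
# Assumes a console object with send(cmd) -> str; FakeConsole replays constructed IOS-style output.
import hashlib
import re
from datetime import datetime, timezone

SHOW_COMMANDS = ["show clock", "show users", "show running-config", "show ip route", "show ip arp"]  # read-only

SAMPLE_OUTPUT = {  # constructed sample output, hypothetical addresses
    "show clock": "*10:14:02.511 UTC Tue Jul 14 2015",
    "show users": ("*  0 con 0                 idle     00:00:00\n"
                   "  66 vty 0     admin  idle     00:03:12  198.51.100.7"),
    "show running-config": "hostname edge-rtr\nip route 10.0.0.0 255.0.0.0 203.0.113.9",
    "show ip route": ("C    192.168.1.0/24 is directly connected, FastEthernet0/0\n"
                      "S    10.0.0.0/8 [1/0] via 203.0.113.9\n"
                      "R    172.16.0.0/16 [120/1] via 192.168.1.2, 00:00:10, FastEthernet0/0"),
    "show ip arp": ("Internet  192.168.1.1          -   0011.2233.4455  ARPA  FastEthernet0/0\n"
                    "Internet  192.168.1.2          3   00aa.bbcc.dd01  ARPA  FastEthernet0/0\n"
                    "Internet  192.168.1.50         1   00aa.bbcc.dd01  ARPA  FastEthernet0/0"),
}

class FakeConsole:
    """Stand-in for a terminal-emulator session on the console port."""
    def send(self, cmd):
        return SAMPLE_OUTPUT.get(cmd, "% Unknown command")

def digest(text): return hashlib.sha256(text.encode()).hexdigest()

def collect(console, commands=SHOW_COMMANDS):
    """Run each show command, pair the examiner's clock with the router's answer, hash the transcript."""
    outputs, transcript = {}, []
    for cmd in commands:
        now = datetime.now(timezone.utc).isoformat()   # the examiner's "actual time"
        outputs[cmd] = console.send(cmd)
        transcript.append(f"[{now}] {cmd}\n{outputs[cmd]}\n")
    session = "".join(transcript)
    return outputs, session, digest(session)           # digest goes into the chain-of-custody record

def static_routes(route_output):
    """'S' entries are where an attacker-planted static route would show up."""
    return re.findall(r"^S\s+(\S+)\s+\[\d+/\d+\]\s+via\s+(\S+)", route_output, re.M)

def duplicate_macs(arp_output):
    """Several IPs on one MAC in the ARP cache is a classic spoofing indicator."""
    by_mac = {}
    for ip, mac in re.findall(r"^Internet\s+(\S+)\s+\S+\s+([0-9a-f.]{14})", arp_output, re.M):
        by_mac.setdefault(mac, []).append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}

def remote_sessions(users_output):
    """Who is logged on over the network: vty lines carrying a source address."""
    return re.findall(r"^\s*\d+\s+vty\s+\d+\s+(\S+)\s+\S+\s+\S+\s+(\S+)", users_output, re.M)
```

On a real device, replace FakeConsole with a serial session and keep the returned transcript and digest alongside the case notes.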

Page 17: Router forensics

DOCUMENTATION

Chain of custody: to prove the integrity of the evidence

Case reports: employee remediation, employee termination, civil proceedings, criminal prosecution, case summary, bookmarks

Incident response: the effort of an organisation to define and document the nature and scope of a computer security incident.

Page 18: Router forensics

WHAT THE “BAD GUYS” ARE DOING

Internet Router Protocol Attack Suite (IRPAS): a suite of tools designed to abuse inherent design insecurity in routers and routing protocols – tools: ass, igrp, hsrp

VIPPR: can be used to establish MITM for compromised routers

UltimaRatio: working exploit tool for use against 1000, 1600/1700 and 2600 series routers

Research

Page 19: Router forensics

WHAT THE GOOD GUYS ARE DOING

Router Audit Tool (RAT): written in Perl, highly customizable, a passive tool to analyze a Cisco router; scores the overall security of your router; support for Unix and Windows systems

Books, white papers on securing routers

Employ strong authentication: encrypted traffic management, two-phase authentication, centralised authentication source.

Page 20: Router forensics

WHY WE NEED TO PROTECT ROUTER RESOURCES

Often the “heart” of the network
Gaining a lot more attention from attackers
Few procedures on hardening routers
Routers are much slower to get upgraded to solve security bugs
Few people monitor their configurations regularly
Few security measures in place
There are millions of them

Page 21: Router forensics

NEED FOR ROUTER FORENSICS

Operational Troubleshooting
Log Monitoring
Data Recovery
Data Acquisition
Due Diligence/Regulatory Compliance

Page 22: Router forensics