/ LEAD FEATURE

Frame 1 (82 bytes on wire, 82 bytes captured)
Ethernet II, Src MAC: 00:11:d8:0c:0a:36, Dst MAC: 00:22:3f:5c:60:66
Internet Protocol, Src IP: 192.168.1.2, Dst IP: 192.168.1.1
User Datagram Protocol, Src Port: 52598, Dst Port: 53
Domain Name System (query)
    Transaction ID: 0x2963
    Flags: 0x0100 (Standard query)
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
    Queries
        www.thedarkvisitor.com: type A, class IN

Figure 3. Example DNS query captured using the Wireshark packet analyser

Your browser has constructed a packet ready to be sent to the DNS server. Your operating system inspects the destination IP address and tries to match it against an entry in its routing table – a data structure held in RAM that tells the operating system which network interface to use and which device to send it to for the next stage of the journey. If it can’t find a match, an error will be generated. Consequently, the routing table is forensically significant as it determines what a device will do with a packet, assuming the host firewall doesn’t interfere in any way (and thus the firewall configuration is also important when reconstructing events). On a typical PC, a route is added to the routing table when a network interface is configured or when a gateway is defined to allow access to external networks. However, most of the intermediate devices in a journey across the Internet will be routers, and they have dynamic routing tables that change as the routers talk to each other using a variety of routing protocols. Subverting these protocols or the protocols used by switches to construct loop-free paths through networks is another way for an attacker to redirect packet flows and leap on board the convoy of data, cutlass in hand. Network logs, if they exist, can reveal both the protocol conversations and any attempts to subvert them, and switch and router configurations can add useful corroborating evidence. Most network devices have the ability to log network traffic and events and it is good practice to monitor and log network traffic as it travels across a network. Two standard, open-source tools are commonly used for this – tcpdump (http://www.tcpdump.org/) and Wireshark (http://www.wireshark.org/) – and becoming competent in their use is an essential skill for all network forensic investigators.

So, if everything is configured correctly, our DNS request’s destination IP address will match a row in the routing table, and the operating system will know which network interface to use and which device to send it to. The operating system must wrap the packet in a frame and address it to the correct device. To do so it needs the relevant MAC address; and we need to get to grips with yet another protocol. What started as a simple Web request is rapidly turning into a cascade of interrelated actions, each one with weaknesses that can be exploited and a variety of associated pieces of evidence. Let’s continue on our journey.

/ Asking for Directions

Within your operating system is another RAM-based data structure called the ARP cache. The Address Resolution Protocol (ARP) is used to enable computers to find out which MAC address should be associated with a given IP address. Recent results from ARP requests are stored in the ARP cache.

From an attacker’s perspective, ARP is a wonderful protocol: a computer broadcasts a request asking for the MAC address associated with a particular IP address and whoever responds to the requesting computer is believed by it. You can even send a computer a new MAC address for a given IP address at any time, and it will just believe you. An analogy would be a banking protocol for paying your credit card bill. You walk into a bank, grab a paying-in slip, and ask in a loud voice what account number to use to send money to your credit card company. Whatever gets shouted back – you don’t even check to see if it came from the shifty-looking character with a below-average leg count, eye patch, idiosyncratic hand replacement, and pet parrot – you believe the reply and promptly fill out the slip.

Hacker-friendly programs such as Ettercap exploit this protocol vulnerability to poison the ARP caches of a victim device and its gateway so that all traffic in both directions is redirected through an attacker’s device (see Figure 4). This Man in the Middle (MITM) attack can be used to make it look as though the victim has been doing things that he shouldn’t, or to gain unauthorised access to systems or data. The deadly Siren calls that lure unwary traffic towards malicious servers can be identified as suspicious ARP requests and responses within network logs, as in Figure 5, or in the contents of ARP caches (before Ettercap cleans up after itself). This information can be very useful when determining whether the evidence is consistent with this type of network tampering.

/ Ettercap

One of the standard weapons in the hacker’s armoury is Ettercap, a powerful program that performs Man in the Middle (MITM) attacks and extracts passwords from network traffic. Ettercap uses ARP poisoning to redirect switched traffic to an attacker and can retrieve passwords from many protocols, including HTTP, IMAP 4, POP, FTP, RLOGIN, SSH1, TELNET, VNC, ICQ, IRC, MSN, NFS, SMB, MySQL, X11, BGP, SOCKS 5, LDAP, SNMP, HALF LIFE, and QUAKE 3.

Ettercap can inject, remove and modify packet contents based on selection criteria supplied by the attacker, and it can also be used to sniff SSL secured data by presenting a fake certificate to victims. An attacker can use Ettercap to passively monitor network traffic and to collect detailed information about hosts on the network (operating system used, open ports, running services, etc.). In active mode, it is easy to kill any network connection by selecting it from a list, perform DHCP and DNS spoofing, view a victim’s Web browsing activity in real time, and much more. As a network security-monitoring tool, Ettercap can be used to spot ARP poisoning attempts and whether anyone is sniffing every packet on the network.

Ettercap is open source and freely available for all major operating systems including Linux, Windows, and Mac OS X. See the official website at http://ettercap.sourceforge.net/.
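The routing-table lookup the article describes (the operating system matching the DNS request’s destination against its routing table, and erroring when nothing matches) as an added example that is not from the article: a constructed `route -n`-style table is searched with longest-prefix matching. The interface names and the default route are assumptions; 192.168.1.1 is the gateway address seen in Figure 3.

```python
import ipaddress

# Constructed routing table in the style of `route -n` on a Linux PC.
# Assumptions: the interface names and the default route are made up;
# 192.168.1.1 is the gateway/DNS server address from Figure 3.
ROUTE_TABLE_TEXT = """\
Destination     Gateway         Genmask         Iface
0.0.0.0         192.168.1.1     0.0.0.0         eth0
192.168.1.0     0.0.0.0         255.255.255.0   eth0
127.0.0.0       0.0.0.0         255.0.0.0       lo
"""

def parse_routes(text):
    """Turn the table into (network, gateway_or_None, iface) tuples."""
    routes = []
    for line in text.splitlines()[1:]:               # skip the header row
        dest, gw, mask, iface = line.split()
        network = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        gateway = None if gw == "0.0.0.0" else ipaddress.ip_address(gw)
        routes.append((network, gateway, iface))
    return routes

def lookup(routes, dst):
    """Longest-prefix match, the rule the kernel applies to pick a route.
    Returns (iface, next_hop), or None when no row matches (the OS reports an error)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for network, gateway, iface in routes:
        if dst in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gateway, iface)
    if best is None:
        return None
    network, gateway, iface = best
    # Directly connected network: the frame goes to the destination's own MAC;
    # otherwise it goes to the gateway, whose MAC is what ARP must resolve next.
    next_hop = str(gateway) if gateway else str(dst)
    return iface, next_hop

def without_default(routes):
    """The same table minus the default route, to show the no-match case."""
    return [r for r in routes if r[0].prefixlen > 0]
```

The next hop returned is the device whose MAC address the ARP step of the journey has to find.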
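The suspicious ARP requests and responses the “Asking for Directions” section says can be found in network logs (Figure 5), as an added detection example that is not from the article: it reads a constructed tcpdump-style ARP log and flags the three signs described, a reply nobody asked for, an IP that suddenly answers with a different MAC, and one MAC speaking for both a host and its gateway. The PC and gateway MACs are those in Figure 3; the third MAC and the timestamps are made up.

```python
import re
from collections import defaultdict

# Constructed ARP log in tcpdump's `-n` output style. The PC (192.168.1.2) and
# gateway (192.168.1.1) MACs are those in Figure 3; 00:00:5e:00:53:aa is a made-up
# third MAC from the documentation range, playing the poisoner.
ARP_LOG = """\
10:15:01.000100 ARP, Request who-has 192.168.1.1 tell 192.168.1.2, length 28
10:15:01.000400 ARP, Reply 192.168.1.1 is-at 00:22:3f:5c:60:66, length 28
10:15:01.000900 ARP, Request who-has 192.168.1.2 tell 192.168.1.1, length 28
10:15:01.001200 ARP, Reply 192.168.1.2 is-at 00:11:d8:0c:0a:36, length 28
10:15:07.300000 ARP, Reply 192.168.1.1 is-at 00:00:5e:00:53:aa, length 28
10:15:07.300300 ARP, Reply 192.168.1.2 is-at 00:00:5e:00:53:aa, length 28
"""

REQUEST = re.compile(r"ARP, Request who-has ([\d.]+) tell ([\d.]+)")
REPLY = re.compile(r"ARP, Reply ([\d.]+) is-at ([0-9a-fA-F:]+)")

def analyse_arp(log):
    """Return (reason, detail) findings for the three signs the article describes."""
    findings = []
    pending = set()                   # IPs with a request still awaiting its reply
    ip_to_macs = defaultdict(set)     # every MAC that has claimed each IP
    mac_to_ips = defaultdict(set)     # every IP each MAC has claimed
    for line in log.splitlines():
        m = REQUEST.search(line)
        if m:
            pending.add(m.group(1))
            continue
        m = REPLY.search(line)
        if not m:
            continue
        ip, mac = m.group(1), m.group(2).lower()
        # A reply nobody asked for is how a cache entry gets rewritten "at any time".
        # (Gratuitous ARP from a host that has just come up is the benign case to rule out.)
        if ip in pending:
            pending.discard(ip)
        else:
            findings.append(("unsolicited reply", f"{ip} is-at {mac}"))
        # The same IP now answered with a different MAC: the cache entry has flipped.
        if ip_to_macs[ip] and mac not in ip_to_macs[ip]:
            findings.append(("ip/mac flip", f"{ip}: {sorted(ip_to_macs[ip])} -> {mac}"))
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)
        # One MAC speaking for several IPs: victim and gateway poisoned together.
        if len(mac_to_ips[mac]) > 1:
            findings.append(("one mac, many ips", f"{mac}: {sorted(mac_to_ips[mac])}"))
    return findings
```

The first four lines (a normal exchange between the PC and its gateway) produce no findings; the last two produce all five.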
DF1_08-13_Lead Feature.indd 11 29/10/09 5:06:29 pm