C.S. Projects

Archive for the ‘Network Forensic — Semester 5’ Category

Network Forensics — Week 11

Week 11

This session we learned about switches, routers as wells as firewalls.

Switches are in OSI Layer 2. This contains the MAC address in hexa code. This MAC address identifies the device that is being used as it is unique. However, this MAC address can be easily faked. ARP allows users to convert the MAC address into IP address.

On the other hand, routers are in OSI layer 3. Unlike switches, routers can make routing, meaning it can make a connection between different network whereas switches can’t.

Firewalls have the details on successful or failed connection attempts, protocols , and applications in the network.

Network Forensics — Week 10

Week 10

This session we learned about event log correlation and analysis. There are a different types of logs in a computer, such as event logs and security logs.

In order to see the event logs in Windows 10, search for ‘Event Viewer’. There are also several types of logs, such as:
Firewall
Recycle bin
IE browsing history
Shortcut files

There are also several analysis tools that can be used to analyse these logs:
Commercial tools :
Retrace
Splunk
Logmatic
Logentries

Open source tools :
Logstash
Graylog

Graylog is able to analyse all the logs when all the companies servers are connected to it. If one system is attacked, then the attack can be investigated through the data of the attack. Graylog’s features provides the time and source of each log. Thus, it makes it easier to identify if someone is trying to brute force their way into the system.

Network Forensics — Week 8

Week 8

This session we learned about network intrusion detection and analysis.

NIDS -> Network-based Intrusion Detection System, the tools here are used to detect if there are anomalies or suspicious behaviour in our personal network. It sees traffic flow in the network, if there is a suspicious activities such as traffic going down. However it does not prevent it, it just detect it. It is like an early warning system which informs the user that someone is trying to attack the network.

NIPS -> Network-based Intrusion Prevention System, the tools here are used to prevent any attack that is recognised by the system, such as if there are ransomware in the network, the system would try to isolate the server that would be impacted by that ransomware. It is one step after the NIDS.

HIDS -> Host-based Intrusion Detection System HIPS -> Host-based Intrusion Prevention System

Functionality

Both of HIDS and NIDS are rule based that issue alerts. The rules are based on the research of other people and if there are new pattern of attack, the researcher will add new rules to detect that attack. It is configured to capture suspicious packet sequences. In NIPS, the processing time is critical whereas in NIDS it is not. NIDS is only for detection, so there is no problem.

Types of IDS

There are two types of IDS

The first type is Commercial:

-> Check Point IPS Software Blade

-> Next-Generation Intrusion Prevention System (NGIPS)

-> Extreme NIPS

-> Tipping Point IPS



The second type is Open-Source:

For NIDS:

-> Snort

-> Bro

-> Suricata

-> Sagan



For HIDS:

-> OSSEC

-> Fail2Ban

-> AIDE

-> Samhain

Network Forensics — Week 7

Week 7

This session we learned about wireless devices that are used in network forensic. There are many wireless devices, such as:

bluetooth earphones
wifi
infrared devices such as TV remotes
wireless doorbells
Zigbee devices
cell phones
Wi-Fi
WiMAX
AM/FM radio

The cases involved with wireless include and are not limited to
1. Tracking a stolen laptop when it connects to a wireless network
2. Identifying rogue wireless access points which were installed by insiders in order to bypass security
3. Investigate malicious and suspicious activity or activities occurring via a wireless network
4. Investigate attacks on the wireless network (denial-of-service or encryption cracking etc.)

Network Forensics — Week 5

Week 5

This session we learned about evidence acquisition. The best possible outcome would be perfect-fidelity evidence with zero impact on network environment. However, it is not possible to achieve a zero footprint investigation, thus maximum effort must be made to minimise investigative footprint

Physical Interception is capturing or sniffing packets, the tools available for this are
* Inline Network Tap
* Induction Could (which are not commercially available)
* Fiber Optic Taps (similar to inline tap)

Well known software used to capture and sniff packets are
* wireshark
* tcpdump
* ngrep
* nmap

tcpdump has several commands that be use for analysis such as
tcpdump -D which list all possible network interfaces
tcpdump -I interface which shows all packet captured from the network interface

Network Forensics — Week 4

Week 4

This session we learned about the tools that are needed in order to find, sample, seal and dissect the evidence obtained. This is an extremely important part in network forensics. The evidence that will be investigated could come in many forms, such as a pcap file.

We also learned about flow analysis. Flow analysis is used in order to locate data in the operating system or to identify patterns in traffic.There are several tools that can be used for flow analysis. Those tools are Wireshark, tccpflor, pcapcat, tcpxtract.

Wireshark is available on windows and kali linux. This tool is used to read packet traffic in the operating system, see source and destination address and the details of the package caught.

There are also different types of flow analysis techniques, those techniques are
* list conversation and flow
* export a flow
* file and data carving

Network Forensic — Week 2

Week 2

This session we learned about Source of Network-based Evidence and Principles of Internetworking

There are different kinds of network-based evidence. Such as On the wire In the Air and Routers. On the wire is a physical cabling that carries data over the network. A wire tapping can provide real-time network data. There are different tap types, such as vampire tap, surreptitious fibre tap and infrastructure tap. Vampire tap punctures insulation and touches cables.Surreptitious fibre tapbends cable and cuts sheath which exposes light signal Infrastructure tap plugs into connectors and replicates signal.

In the air functions as wireless station to station signals. It may not be as useful as the others as the information obtained is usually encrypted, but there are still information that can be obtained such as:

• Management and controls frames
• Access Points
• Stations Probes for AP’s and APs
• MAC addresses of legitimate authenticated stations
• Volume-based statistical traffic analysis

Routers connect traffic on different subnets or networks. It allows different addressing schemes to communicate. Routers make MANs, WANs, and GANs possible. Routers are useful sources fo numerous reasons such as:

• Routing tables
• Map ports on the router to networks they connect
• Allows path tracing
• Function as packet filters
• Logging functions and flow records
• Deployed intrusion detection

Internetworking on the other hand is the connection and communication between many networks. A link between networks must be established, routing for delivery of data packets, an account to keep track of status information are needed in other to establish internetworking.

Network Forensic — Week 1

Week 1

Network Forensics can be defines as a section of digital forensics. It’s main objective centres on monitoring and analysing network traffic. The intention behind this is

• Intrusion Detection/Prevention
• Information Gathering
• Legal Evidence

Network Forensics is often confused with Computer Forensics. However, these two are very different as shown in the table below.

Computer Forensics	Network Forensics
Data is not much change for daily usage	Data is much change constantly
Evidence is contained within the file system	Evidence sometime exists only in RAM
Easy to perform a forensically sound acquisition	Most network devices does not have non-volatile storage
Seizing one or several computers would not make deep impact to the business	Taking network devices would be problematic

Network Forensics is needed to be able to determine how the incident occurred and how long it took. Furthermore, it can help identify what data was taken and what systems were affected. This is basically used to collect evidence so that the criminal will be convicted. Network Forensics is able to obtain different kinds of evidence that is useful in identifying the culprit

Ethical Hacking — Wpscan Tool

Wpscan Tool

Wpscan Tool is a tool used to scan WordPress websites. Wpscan is used in Kali Linux andIt scans for possible vulnerabilities such as outdated WordPress versions and vulnerable themes and plugins and etc.

Before using wpscan for scanning WordPress websites in Kali Linux, it is vital to ensure that wpscan is up to date. To ensure this simply type

wpscan update

This will update the wpscan tool to its latest version thus ensuring you can use all its features.

There are different types of enumeration filters for wpscan. These are:

u (for usernames)

p (for plugins)

vp for vulnerable plugins

t (for themes)

vt (for vulnerable themes)

at (for all themes)

tt (for timthumbs) Timthumbs are major security risk so it would be wise to ensure the website does not have to

ap (for all plugins)

To find all the users in a certain website simply type the command wpscan –url yourwebsiteurl -e u.This enumerates all the users. If you wish to discover the password then it is possible through brute force method. The command is wpscan –url yourwebsiteurl -wordlist password.txt.This will find a possible password match for the user if there are any in the wordlist.

Ethical Hacking — Sherlock Tool

Sherlock Tool

Sherlock is a useful and powerful tool which identifies usernames across many social networks such as Instagram or DevianArt. There is a possibility of users adding links to their other social media accounts on platforms such as Instagram. This enables hackers to obtain more information regarding the user. Furthermore, images obtained from these social media platforms could be used in reverse image search. This would lead hackers to discovering other profiles that uses the same image.

This can be useful for gathering information, it can be used to perform sophisticated engineering attacks against a target.

Requirements Python 3.6 or higher

Installation

1. Launch terminal in Kali Linux

2. The first step in installing sherlock is to clone the repository. The command is git clone https://github.com/sherlock-project/sherlock.git

3. Type the ls command to view content of the directory , the sherlock tool is now present in the directory.

4. Change the directory to sherlock

5. Install the requirements after ensuring python3 and python3-pip are installed



Usage In order to find out all the possible commands that can be used in sherlock, simply type

python3 sherlock –help

In order to search for one user only type the command:

python3 sherlock.py username

Change the username to the username you wish to search for. It is also possible to search for multiple users at the same time. The tool will first search for the first username and when it is done, it will move on the next.

Now Sherlock can locate all the social media accounts of the username give