Digital forensics 362
Northeastern Illinois University
Department of Computer Science
CS-362 DIGITAL FORENSICS
LAB 14: NETWORK FORENSICS
Instructor: Manar Mohaisen
Email: [email protected]

Lab Requirements
1. One or two Linux VMs

Content
Part I: Traffic Analysis using Wireshark
Part II: NetworkMiner Packet Viewer
Part III: Packet Visualization and Analysis using PcapXray
Part IV: Network Forensics Tools

Part I: Traffic Analysis using Wireshark

STEP 1: Wireshark is one of the most popular tools for network troubleshooting and packet analysis. It comes preinstalled on Kali Linux. To start Wireshark, type wireshark in a terminal; the interface-selection window appears. Select the NAT interface, eth1 in the lab screenshot, to capture the internet traffic. Capturing needs packet-capture privileges: either add your user to the wireshark group (the Kali package sets the capture capability on dumpcap for that group) or run Wireshark with sudo.

STEP 2: The lab screenshot uses the any pseudo-interface, but you can select any of the listed interfaces. Click on one of the listed packets to display its content: the header fields and the payload, if any.

STEP 3: The three columns Source, Destination, and Protocol are important for the subsequent analyses. To save the packet capture:
 o Click on the red square to stop the capture.
 o From the File menu, click on Save As. There are several file types to select from; choose pcap if you intend to open the file with the tools in Parts II to IV, all of which read that format.

STEP 4: Wireshark uses display filters to narrow a capture to a specific type of traffic. Type the filter in the "Apply a display filter" field above the packet list. A display filter only hides packets from the view; the saved file still contains every captured packet unless you export only the displayed ones (File > Export Specified Packets).
Examples of filters:
 o udp.port == 53: UDP packets with source or destination port 53 (DNS queries and replies)
 o tcp.port == 80 || tcp.port == 443: TCP packets with port 80 or 443
 o tcp.port in {80, 443, 8080}: the TCP port is 80, 443 or 8080 (set membership, available since Wireshark 3.x)
 o frame.len > 150: all packets with a frame length larger than 150 bytes
 o ip.src eq 172.16.145.1: the source IP address is 172.16.145.1
 o ip.dst eq 172.16.145.130: the destination IP address is 172.16.145.130
 o ip.addr == 172.16.145.0/24: the source or destination address lies in the 172.16.145.0/24 range
 o http.request.method == "GET": the HTTP request method is GET
 o frame contains "http": the raw frame bytes (headers and payload) contain the string http; the match is case sensitive, so frame contains "HTTP" is a different filter
Note that udp.port, tcp.port and ip.addr match either endpoint of a packet; use udp.dstport, tcp.dstport or ip.dst when only one direction is wanted.

Part II: NetworkMiner Packet Viewer

STEP 5: A capture viewed packet by packet in Wireshark can be hard to interpret. NetworkMiner is an easy-to-use packet viewer that categorizes the data in a .pcap file into hosts, files, images, messages, sessions, and other groups.

STEP 6: Install NetworkMiner and change the permissions of certain files as follows.

kali@kali [~/work/data] wget 'https://www.netresec.com/?download=NetworkMiner' -O nm.zip
# Quote the URL so the shell does not treat the ? as a glob character, and fetch it over
# https: the tool runs with your privileges, so do not execute a binary that arrived
# unauthenticated over plain http.
# Decompress the downloaded file.
# The archive unpacks into the folder NetworkMiner_2-7-3 (the version in the folder
# name changes with each release).
kali@kali [~/work/data] unzip nm.zip
# Verify the content of the folder.
kali@kali [~/work/data] cd NetworkMiner_2-7-3
kali@kali [~/work/data/NetworkMiner_2-7-3] ls
AssembledFiles  ChangeLog  Fingerprints  NetworkMiner.exe  NetworkWrapper.dll  SharedUtils.dll
Captures  CleartextTools  Images  networkminericon.ico  PacketParser.dll
# Change permissions for the contained files/folders
#   go: group and others
#   +w: add write permission
#   +x: add execute permission
#   -R: recursive (including contained files and directories)
# NetworkMiner writes the artifacts it extracts into AssembledFiles/ and Captures/, which is
# why those two directories must be writable. After unzip the files are owned by your user,
# so sudo is not strictly needed here; go+w makes the directories writable by every account
# on the machine, which is acceptable on a throwaway lab VM but not on a shared analysis host.
kali@kali [~/work/data/NetworkMiner_2-7-3] sudo chmod +x NetworkMiner.exe
kali@kali [~/work/data/NetworkMiner_2-7-3] sudo chmod -R go+w AssembledFiles/
kali@kali [~/work/data/NetworkMiner_2-7-3] sudo chmod -R go+w Captures/
# To be able to run a .exe file on Linux, the Mono framework is needed.
kali@kali [~/work/data/NetworkMiner_2-7-3] sudo apt-get install mono-complete
# Run NetworkMiner as follows. The main window appears; in the lab screenshot a .pcap file
# has already been opened.
kali@kali [~/work/data/NetworkMiner_2-7-3] mono NetworkMiner.exe

STEP 7: You can use Wireshark to create a .pcap file or download any of the following captures to explore the functionality of NetworkMiner. Treat downloaded captures as untrusted input and open them inside the lab VM only: the parsers in forensic tools are themselves an attack surface.
 o http://wiki.xplico.org/lib/exe/fetch.php?media=pcap:xplico.org_sample_capture_protocols_supported_in_0.6.3.pcap.bz2 (decompress with bunzip2 before opening)
 o http://downloads.digitalcorpora.org/corpora/scenarios/2008-nitroba/nitroba.pcap

Part III: Packet Visualization and Analysis using PcapXray

STEP 8: Run the following commands to install PcapXray.
kali@kali [~/work/data] git clone https://github.com/Srinivas11789/PcapXray.git
# Install the Python 3 tooling and the system packages the PcapXray GUI and graph rendering need
kali@kali [~/work/data] sudo apt-get install python3-pip
kali@kali [~/work/data] sudo apt-get install python3-tk
kali@kali [~/work/data] sudo apt-get install graphviz
kali@kali [~/work/data] sudo apt-get install python3-pil python3-pil.imagetk
# Move into the PcapXray directory
kali@kali [~/work/data] cd PcapXray
# Start PcapXray. If it stops with a ModuleNotFoundError, install the project's Python
# dependencies from its requirements file first (pip3 install -r requirements.txt in the
# cloned directory).
kali@kali [~/work/data/PcapXray] python3 Source/main.py

STEP 9: The PcapXray GUI appears. Enter the pcap file path, which can be a pcap file you generated with Wireshark or downloaded from other resources. Once the path is selected, click "Analyze". Once the analysis is done, click "Visualize" to visualize the traffic. You can select a specific protocol/category from the "Traffic" menu; the lab screenshot shows the HTTP traffic. Other options, including DNS and HTTPS, are also available.

STEP 10: Click "InteractiveMagic!" to obtain a traffic graph in the default browser. You can track each packet and the endpoint nodes.

Part IV: Network Forensics Tools

STEP 11: ngrep is a grep-like tool that matches a regular expression against the payload of packets read from an interface or from a pcap file. Some available options are as follows.
 -i        case-insensitive search
 -q        be quiet (print only the matched packets, without the "#" progress marks)
 -v        invert the match (only display packets that do not match the search)
 -x        dump packet content in hexadecimal (alongside the ASCII dump)
 -t        print a timestamp for each matched packet
 -I file   read packets from a pcap file instead of an interface
 -O file   write the matching packets to a pcap file
 -n num    match num packets and quit
 -d dev    capture on interface dev (any for all interfaces)
 bpf       a Berkeley packet filter expression after the match pattern (tcpdump syntax) preselects the packets to search

kali@kali [~/work/data] sudo apt install ngrep
# Display all packets captured on the default interface (root is needed to capture)
kali@kali [~/work] sudo ngrep
Displayed output ...
# Display all packets whose payload contains 'HTTPS' (case sensitive; add -i for a
# case-insensitive match and -t to display the timestamp of each dumped packet)
kali@kali [~/work] sudo ngrep -q 'HTTPS'
Displayed output ...
# The file nitroba.pcap was downloaded in a previous step. Reading a file needs no root.
# The command displays the packets whose payload contains the word "password"
kali@kali [~/work] ngrep -q -I nitroba.pcap password
Displayed output ...
# The command stores the packets whose payload contains the word "password" in the
# file output.pcap, which can then be opened in Wireshark or NetworkMiner
kali@kali [~/work] ngrep -q -I nitroba.pcap -O output.pcap password
# Dump packets from all interfaces with source or destination port 53 (use "dst port 53"
# for the destination port only)
kali@kali [~/work] sudo ngrep -d any port 53
# Dump packets from interface eth0 with source or destination port 53
kali@kali [~/work] sudo ngrep -d eth0 port 53

STEP 12: tcpflow captures the data carried by TCP connections and reassembles it. Each connection produces two flows (one per direction), each stored in its own file. Some available options are as follows.
 -B            force binary output to the console (even when the flow looks like text)
 -b max_bytes  capture no more than max_bytes bytes per flow
 -c            print flows to the console without storing any captured data
 -C            like -c, but without printing the packet source and destination details
 -i iface      capture traffic on a particular interface
 -r file       read from a pcap file

kali@kali [~/work/data] sudo apt install tcpflow
# Capture all TCP traffic on the default interface (tcpflow picks one when -i is not given;
# here it chose eth0, as the second output line shows). Each flow is stored in a separate
# file in the current directory, and report.xml summarizes the flows.
kali@kali [~/work] sudo tcpflow
reportfilename: ./report.xml
tcpflow: listening on eth0
tcpflow: TCP PROTOCOL VIOLATION: SYN with data! (length=2)
tcpflow: TCP PROTOCOL VIOLATION: SYN with data! (length=2)
tcpflow: TCP PROTOCOL VIOLATION: SYN with data! (length=2)
tcpflow: TCP PROTOCOL VIOLATION: SYN with data! (length=2)
tcpflow: TCP PROTOCOL VIOLATION: SYN with data! (length=2)
# List the captured flows. File names are src.ip.sport-dst.ip.dport with zero-padded octets
# and five-digit ports, so the two directions of one connection appear as a pair.
kali@kali [~/work] ls
010.000.002.015.35834-104.016.123.175.00443
010.000.002.015.35846-104.016.123.175.00443
010.000.002.015.35852-104.016.123.175.00443
010.000.002.015.41940-104.026.010.245.00443
010.000.002.015.59886-104.026.011.245.00443
104.016.123.175.00443-010.000.002.015.35834
104.016.123.175.00443-010.000.002.015.35846
104.016.123.175.00443-010.000.002.015.35852
104.026.010.245.00443-010.000.002.015.41940
...
# Extract SSH traffic from a file (no root is needed to read a capture); the trailing
# expression is a BPF filter, as with tcpdump
kali@kali [~/work] tcpflow -r sample_capture.pcap port 22

STEP 13: nmap (network mapper) is a powerful tool used for security auditing and network discovery. The following table summarizes the command options. Only scan hosts you are authorized to scan, such as the lab VMs.

Name                                   Option   Requires privileged access   Identifies TCP ports
TCP SYN scan (half-open/stealth)       -sS      Y                            Y
TCP connect scan (full connection)     -sT      N                            Y
FIN stealth scan                       -sF      Y                            Y
Xmas Tree stealth scan                 -sX      Y                            Y
Null scan                              -sN      Y                            Y
Ping scan                              -sP      N                            N
Version scan                           -sV      N                            N
UDP scan                               -sU      Y                            N
ACK scan                               -sA      Y                            N
OS fingerprinting                      -O       Y                            N
Aggressive scan                        -A       Y                            Y

Notes: -sP is the older spelling of -sn (host discovery only). The raw-packet scans (-sS, -sF, -sX, -sN, -sU, -sA, -O, and therefore -A) need root because nmap crafts the packets itself, so run them with sudo. The ACK scan does not report open ports; it classifies ports as filtered or unfiltered to map firewall rules.
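The display filters of Step 4 and the ngrep -I/-O round trip of Step 11 come down to the same mechanics: decode a few header fields from each record in a pcap file, test a predicate, and optionally write the matching records back out. The Python script below is an added example written for this page; it is not part of the lab and not code from Wireshark or ngrep. It reads classic pcap files (Ethernet link type) with only the standard library, names the decoded fields the way Wireshark does, and carries a constructed four-packet capture (a DNS query, an HTTP GET with a credential in the URL, a TLS-sized segment and an ARP frame, all on private or documentation addresses with zero checksums) so that it runs offline. All function names, the sample addresses and the payloads are this example's own choices.

```python
"""Stdlib-only pcap reader with Wireshark-style display filters and an ngrep
-I/-O style match-and-write step (added example, not the lab's or the tools' code)."""
import ipaddress
import re
import struct

ETHERTYPE_IPV4, PROTO_TCP, PROTO_UDP = 0x0800, 6, 17

def decode_frame(frame: bytes) -> dict:
    """Ethernet/IPv4/{TCP,UDP} headers -> Wireshark-style field names (no checksum checks)."""
    f = {"frame.len": len(frame), "frame.raw": frame}
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return f                                       # ARP, IPv6, ...: only frame.* fields
    ihl = (frame[14] & 0x0F) * 4                       # IPv4 header length in bytes
    total_len = struct.unpack_from("!H", frame, 16)[0]
    f["ip.src"] = ipaddress.IPv4Address(frame[26:30])
    f["ip.dst"] = ipaddress.IPv4Address(frame[30:34])
    f["ip.proto"] = proto = frame[23]
    l4, end = 14 + ihl, 14 + total_len                 # payload ends at the IP total length
    if proto == PROTO_TCP and len(frame) >= l4 + 20:
        sport, dport = struct.unpack_from("!HH", frame, l4)
        hdr = (frame[l4 + 12] >> 4) * 4                # TCP data offset in bytes
        f.update({"tcp.srcport": sport, "tcp.dstport": dport,
                  "tcp.port": {sport, dport}, "payload": frame[l4 + hdr:end]})
    elif proto == PROTO_UDP and len(frame) >= l4 + 8:
        sport, dport = struct.unpack_from("!HH", frame, l4)
        f.update({"udp.srcport": sport, "udp.dstport": dport,
                  "udp.port": {sport, dport}, "payload": frame[l4 + 8:end]})
    return f

def read_pcap(data: bytes):
    """Yield (record_header, frame, fields) for each record of a classic libpcap file."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        e = "<"
    elif magic == 0xD4C3B2A1:
        e = ">"
    else:
        raise ValueError("not a classic pcap (pcapng and nanosecond variants not handled)")
    if struct.unpack_from(e + "I", data, 20)[0] != 1:
        raise ValueError("only LINKTYPE_ETHERNET is handled")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(e + "I", data, off + 8)[0]
        frame = data[off + 16:off + 16 + incl_len]
        yield data[off:off + 16], frame, decode_frame(frame)
        off += 16 + incl_len

# Predicates mirroring the Step 4 display filters and ngrep's regex match (Step 11).
def udp_port(n):        return lambda f: n in f.get("udp.port", ())
def tcp_port_in(ports): return lambda f: bool(f.get("tcp.port", set()) & set(ports))
def frame_len_gt(n):    return lambda f: f["frame.len"] > n
def ip_src(a):          return lambda f: f.get("ip.src") == ipaddress.IPv4Address(a)
def frame_contains(s):  return lambda f: s.encode() in f["frame.raw"]   # whole frame, like Wireshark
def ip_addr_in(cidr):                                                    # ip.addr == a.b.c.d/n
    net = ipaddress.IPv4Network(cidr)
    return lambda f: any(a in net for a in (f.get("ip.src"), f.get("ip.dst")) if a)
def payload_grep(pattern, ignore_case=False):                            # ngrep [-i] <regex>: payload only
    rx = re.compile(pattern.encode(), re.IGNORECASE if ignore_case else 0)
    return lambda f: "payload" in f and rx.search(f["payload"]) is not None

def match_count(data: bytes, pred) -> int:
    return sum(1 for _, _, f in read_pcap(data) if pred(f))

def filter_pcap(data: bytes, pred) -> bytes:
    """ngrep -I in.pcap -O out.pcap analogue: keep the global header and the matching records."""
    out = bytearray(data[:24])
    for hdr, frame, f in read_pcap(data):
        if pred(f):
            out += hdr + frame
    return bytes(out)

# Constructed sample capture (private/documentation addresses, zero checksums), not real traffic.
def _frame(src, dst, proto, l4: bytes, payload: bytes = b"") -> bytes:
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 1, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return bytes(12) + b"\x08\x00" + ip + l4 + payload       # zero MACs + EtherType IPv4

def _tcp(sport, dport):    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x18, 8192, 0, 0)
def _udp(sport, dport, n): return struct.pack("!HHHH", sport, dport, 8 + n, 0)

_DNS = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x04test\x00\x00\x01\x00\x01"
_GET = b"GET /login?user=bob&password=hunter2 HTTP/1.1\r\nHost: example.test\r\n\r\n"
SAMPLE_FRAMES = [
    _frame("172.16.145.130", "172.16.145.2", PROTO_UDP, _udp(51234, 53, len(_DNS)), _DNS),
    _frame("172.16.145.130", "198.51.100.10", PROTO_TCP, _tcp(40000, 80), _GET),
    _frame("172.16.145.130", "198.51.100.20", PROTO_TCP, _tcp(40001, 443), b"\x16\x03\x01" + bytes(200)),
    b"\xff" * 6 + bytes(6) + b"\x08\x06" + bytes(28),             # ARP broadcast: not IPv4
]
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", 1_700_000_000 + i, 0, len(fr), len(fr)) + fr for i, fr in enumerate(SAMPLE_FRAMES))

if __name__ == "__main__":
    for label, pred in [("udp.port == 53", udp_port(53)),
                        ("tcp.port in {80, 443, 8080}", tcp_port_in({80, 443, 8080})),
                        ("frame.len > 150", frame_len_gt(150)),
                        ("ngrep -q password", payload_grep("password"))]:
        print(f"{label:30s} {match_count(SAMPLE_PCAP, pred)} packet(s)")
    with open("output.pcap", "wb") as fh:                        # like ngrep -O output.pcap
        fh.write(filter_pcap(SAMPLE_PCAP, payload_grep("password")))
```

Run it directly to see how many of the sample packets each of the lab's filters selects; the output.pcap it writes is a file Wireshark and NetworkMiner can open. payload_grep follows ngrep and searches only the transport payload, while frame_contains follows Wireshark's frame contains and searches the whole frame including headers, which is why the two can disagree. Wireshark saves in pcapng by default, which this reader does not parse; choose pcap in File > Save As, as in Step 3.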
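What tcpflow does when it writes the two files of Step 12 for one connection is stream reassembly: order each direction's segments by sequence number, skip bytes that a retransmitted or overlapping segment repeats, and concatenate the rest. The Python below is an added example, not tcpflow's code. It works on a constructed list of TCP segments (addresses, ports and payloads are made up) that arrive out of order, include a duplicate and a partially overlapping retransmission and, in a second connection, a lost segment; it names its output streams the way tcpflow names its files (zero-padded octets, five-digit ports). max_bytes mirrors the -b option. How tcpflow itself handles a hole in a stream is not something this example claims to reproduce; here a hole ends the stream and is reported separately.

```python
"""tcpflow-style per-direction reassembly of TCP payload (added example, not
tcpflow's code). Input is a constructed list of segments; nothing is captured."""
import os
from collections import defaultdict, namedtuple

# One TCP segment: endpoints, its sequence number and the bytes it carries.
Segment = namedtuple("Segment", "src sport dst dport seq payload")


def flow_name(src: str, sport: int, dst: str, dport: int) -> str:
    """tcpflow's file name for one direction: zero-padded octets and 5-digit ports,
    e.g. 010.000.002.015.35834-104.016.123.175.00443."""
    def pad(ip):
        return ".".join(f"{int(o):03d}" for o in ip.split("."))
    return f"{pad(src)}.{sport:05d}-{pad(dst)}.{dport:05d}"


def reassemble(segments, max_bytes=None):
    """Return ({flow_name: bytes}, {flow_name: (expected_seq, seen_seq)}).

    Segments of each direction are sorted by sequence number; bytes already delivered
    (retransmissions, overlapping segments) are skipped. A hole, i.e. a segment that
    starts beyond the next expected byte, ends the stream in this example and is
    reported in the second dictionary. max_bytes caps each stream like tcpflow -b.
    Sequence-number wrap-around at 2**32 is ignored to keep the example short."""
    by_dir = defaultdict(list)
    for s in segments:
        if s.payload:                      # pure ACKs, SYNs and FINs carry no stream data
            by_dir[(s.src, s.sport, s.dst, s.dport)].append(s)
    flows, gaps = {}, {}
    for key, segs in by_dir.items():
        name = flow_name(*key)
        segs.sort(key=lambda s: s.seq)
        nxt, out = segs[0].seq, bytearray()
        for s in segs:
            if s.seq > nxt:                # bytes [nxt, s.seq) were never captured
                gaps[name] = (nxt, s.seq)
                break
            new = s.payload[nxt - s.seq:]  # drop the prefix we already have
            out += new
            nxt += len(new)
        flows[name] = bytes(out[:max_bytes] if max_bytes is not None else out)
    return flows, gaps


def write_flows(flows, directory="."):
    """Materialize the streams as files, one per direction, as tcpflow does."""
    for name, data in flows.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(data)


# Constructed sample: one HTTP exchange delivered out of order with a duplicate and an
# overlapping retransmission, plus a second connection with a missing segment.
C, S = "10.0.2.15", "198.51.100.10"
SAMPLE_SEGMENTS = [
    Segment(C, 35834, S, 80, 1026, b"Host: example.test\r\n\r\n"),      # arrives first
    Segment(C, 35834, S, 80, 1000, b"GET /index.html HTTP/1.1\r\n"),
    Segment(C, 35834, S, 80, 1000, b"GET /index.html HTTP/1.1\r\n"),   # retransmission
    Segment(S, 80, C, 35834, 5000, b"HTTP/1.1 200 OK\r\n"),
    Segment(S, 80, C, 35834, 5017, b"Content-Length: 5\r\n\r\n"),
    Segment(S, 80, C, 35834, 5034, b"\r\n\r\nhello"),                    # overlaps 4 bytes
    Segment(S, 80, C, 35834, 5043, b""),                                 # FIN, no data
    Segment(C, 35846, S, 80, 1, b"GET /a HTTP/1.1\r\n"),
    Segment(C, 35846, S, 80, 100, b"Host: x\r\n\r\n"),                   # bytes 18..99 lost
]

if __name__ == "__main__":
    streams, holes = reassemble(SAMPLE_SEGMENTS)
    for name, data in streams.items():
        print(name, len(data), "bytes", f"(gap {holes[name]})" if name in holes else "")
        print(data.decode("ascii", "replace"))
```

The pair of names the script prints for the first connection is exactly the pair you would see in the ls output of Step 12; inspecting the client-to-server file shows the full request, and the server-to-client file shows the response even though its last bytes arrived inside a retransmitted segment. A reported gap is worth noting in a forensic timeline: the bytes are missing from the capture, not from the original conversation.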