First published January 2009
by Erik Hjelmvik
To avoid an emergency shutdown of a nuclear plant on which you might be performing your network security assessment, it is recommended that the analysis be based on passively captured network traffic from the system under investigation.
Passively capturing traffic with a focus on security is often referred to as “Network Security Monitoring” or “Packet Sniffing”; the less suitable term “Passive Scanning” is also used at times. Passive network analysis is very useful for non-critical IT systems as well, such as ordinary business networks. One example is black-box internal penetration testing, where it is useful to enumerate hosts, services and protocols while remaining stealthy. Part of an internal penetration test is often to determine when the organization detects the ethical hacker on the network; passive analysis is therefore helpful in the early phase of the test, since it reduces the need for an active port scan, which is exactly the kind of activity an intrusion detection system is most likely to notice. The network security tool that I will be relying on in this article is called NetworkMiner (sourceforge.net/projects/networkminer). It is an open source network forensic analysis tool (NFAT) that I developed.
Network traffic is best captured by connecting a packet sniffer to a network tap or to a monitor (SPAN) port of a switch located at a central point of the network, or preferably at the perimeter between two different networks. Ideally, one should ensure that the machine which performs the monitoring cannot emit any traffic onto the network being monitored, for example by using a receive-only tap or by leaving the sniffing interface without an IP address. The packet sniffer can, for example, be a machine running tcpdump or Wireshark, which stores the captured traffic to a pcap file that can be processed later. There are also more comprehensive network monitoring solutions available, such as Sguil, but they are beyond the scope of this article. You can, of course, use NetworkMiner to perform live sniffing of network traffic, but the recommended practice is to capture traffic to a pcap file with a purpose-built sniffer and to subsequently perform offline analysis with a network forensic analysis tool. The pcap file can also be used as evidence if any illicit traffic is captured, so record a cryptographic hash of the file as soon as it is written in order to be able to demonstrate later that it has not been altered.
I have used the publicly available pcap file “Scan of the Month 27” (sotm27), from The Honeynet Project (tinyurl.com/66jbz2), in order to demonstrate the strength of NetworkMiner in host discovery. When loading the sotm27 capture file into NetworkMiner, it generates an impressive list of 169 hosts together with the host names and operating systems of the detected hosts. By expanding the nodes in the host list, details such as server banners, open ports and domain names can be displayed. Most of this information is retrieved directly from the captured packets, since protocols such as DNS, SMB and HTTP are implemented in NetworkMiner. Other information, such as the operating system, is determined by matching specific fields of protocols such as TCP, IP and DHCP against the fingerprint databases of applications such as Ettercap, p0f and Satori. Note that such fingerprints are only as good as the databases behind them, so treat an OS guess as a lead to be confirmed by other evidence (banners, host names, SMB fields) rather than as a fact.
A good approach for high security networks is to block all incoming and outgoing traffic except for the specific sessions (client, server and server port combinations) which are expected and allowed to cross the network boundary. To create good and tight firewall rules, a network administrator needs to know which sessions are actually taking place across that boundary. Luckily for the administrator, NetworkMiner provides a list of all incoming and outgoing sessions for each host, so monitoring the traffic between the two network segments is a good first step in creating better firewall rules. Keep in mind that the capture only shows what happened during the capture window; an allow-list derived from one day of traffic may still be missing the monthly backup job.
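The two paragraphs above describe what a network forensic analysis tool does with a pcap file: passive host discovery (OS guess, open ports, server banners) and a per-host session list that can be turned into firewall rules. The following is an added example of that processing written for this article; it is not NetworkMiner's code. It parses a little-endian pcap with the standard library only, the capture it reads is constructed inline (checksums are left at zero), the IP addresses and host details are made up, and the TTL-to-OS table in `guess_os` is a deliberately crude stand-in for the real p0f, Ettercap and Satori fingerprint databases.

```python
"""Passive host discovery and session listing from a pcap file, in the spirit of
NetworkMiner's host list. Added example, not NetworkMiner's code: the capture below
is constructed inline, checksums are left at zero, and the TTL-to-OS table is a
deliberately crude stand-in for real p0f/Ettercap/Satori fingerprints."""
import struct
from collections import defaultdict

SYN, SYNACK, PSHACK = 0x02, 0x12, 0x18

def _ip(a):
    return bytes(int(x) for x in a.split("."))

def _tcp_frame(src, dst, sport, dport, flags, ttl, win, payload=b""):
    """Ethernet/IPv4/TCP frame; IP and TCP checksums are zero (not verified here)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, win, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, ttl, 6, 0, _ip(src), _ip(dst))
    return eth + ip + tcp

def _pcap(frames):
    """Little-endian pcap: 24-byte global header, then a 16-byte header per record."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    recs = (struct.pack("<IIII", 1230768000 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames))
    return hdr + b"".join(recs)

# Constructed sample capture: an intranet web session and an outbound FTP connection.
SAMPLE_PCAP = _pcap([
    _tcp_frame("10.0.0.5", "10.0.0.80", 40001, 80, SYN, 64, 5840),
    _tcp_frame("10.0.0.80", "10.0.0.5", 80, 40001, SYNACK, 128, 65535),
    _tcp_frame("10.0.0.5", "10.0.0.80", 40001, 80, PSHACK, 64, 5840,
               b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    _tcp_frame("10.0.0.80", "10.0.0.5", 80, 40001, PSHACK, 128, 65535,
               b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\n\r\n"),
    _tcp_frame("10.0.0.5", "192.0.2.9", 40002, 21, SYN, 64, 5840),
    _tcp_frame("192.0.2.9", "10.0.0.5", 21, 40002, SYNACK, 255, 4096),
])

def parse_pcap(data):
    """Return one dict per IPv4/TCP frame in a little-endian, Ethernet-linktype pcap."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap files are handled here")
    off, pkts = 24, []
    while off + 16 <= len(data):
        incl = struct.unpack_from("<IIII", data, off)[2]
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                    # not IPv4/TCP over Ethernet
        t = 14 + (frame[14] & 0x0F) * 4                 # start of the TCP header
        sport, dport = struct.unpack_from("!HH", frame, t)
        pkts.append(dict(src=".".join(map(str, frame[26:30])), dst=".".join(map(str, frame[30:34])),
                         ttl=frame[22], sport=sport, dport=dport, flags=frame[t + 13],
                         win=struct.unpack_from("!H", frame, t + 14)[0],
                         payload=frame[t + (frame[t + 12] >> 4) * 4:]))
    return pkts

def guess_os(ttl):
    """Crude p0f-style guess from the observed TTL: assume the initial TTL was the
    smallest of 64/128/255 not below it (each router hop decrements it by one)."""
    initial = next(t for t in (64, 128, 255) if ttl <= t)
    return {64: "Linux/Unix (initial TTL 64)", 128: "Windows (initial TTL 128)",
            255: "Network device or Solaris (initial TTL 255)"}[initial]

def discover_hosts(pkts):
    """Per source IP: OS guess, ports that answered with SYN+ACK, and HTTP Server banners."""
    hosts = defaultdict(lambda: {"os": None, "open_ports": set(), "banners": set()})
    for p in pkts:
        h = hosts[p["src"]]
        h["os"] = guess_os(p["ttl"])
        if p["flags"] & SYNACK == SYNACK:               # the source accepted a connection
            h["open_ports"].add(p["sport"])
        if p["payload"].startswith(b"HTTP/1."):         # an HTTP response: look for the banner
            for line in p["payload"].split(b"\r\n"):
                if line.lower().startswith(b"server:"):
                    h["banners"].add(line.split(b":", 1)[1].strip().decode(errors="replace"))
    return dict(hosts)

def list_sessions(pkts):
    """(client, server, server_port) for each TCP session opened in the capture (SYN without ACK)."""
    return sorted({(p["src"], p["dst"], p["dport"]) for p in pkts if p["flags"] & SYNACK == SYN})

def firewall_rules(sessions, internal_prefix):
    """Allow only the observed sessions that cross the boundary between the internal
    prefix and everything else; the final rule drops whatever was never seen."""
    rules = [f"allow tcp from {c} to {s} port {port}" for c, s, port in sessions
             if c.startswith(internal_prefix) != s.startswith(internal_prefix)]
    return rules + ["deny all"]

if __name__ == "__main__":
    packets = parse_pcap(SAMPLE_PCAP)
    for ip, info in discover_hosts(packets).items():
        print(ip, info)
    print("\n".join(firewall_rules(list_sessions(packets), "10.0.0.")))
```

Run against the constructed capture, the web server is listed as Windows with port 80 open and an IIS banner, the FTP host outside 10.0.0.0/24 is flagged as a network device from its TTL of 255, and the only session that crosses the boundary (FTP to 192.0.2.9) becomes an allow rule ahead of the final deny. A real capture needs the same treatment for the big-endian and nanosecond pcap variants and for VLAN-tagged frames, which this parser deliberately rejects rather than misreads.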
Investigating potential rogue hosts
While looking at captured network traffic from a known network with NetworkMiner, new unknown hosts might show up, as might evidence indicating that a host has been compromised. Such hosts might be rogue hosts and should be handled with care. The common procedure is to locate the rogue host in order to shut it down or remove it from the network, but it is often useful to first monitor all the traffic to and from the host for a while in order to get a better understanding of what is going on. The captured traffic can also provide forensic evidence that might be of value later on. An attacker might be able to erase all log files and traces on the compromised host, but would not be able to delete the captured traffic from your network monitoring system.
The network-based evidence might be the only evidence available for forensic analysis if you are dealing with a skilled attacker. If you do not have the possibility to monitor a host's traffic from the network, then another, more primitive, option is to actually log into the machine and perform the packet capturing locally. NetworkMiner supports this since it can be run directly from a USB thumb drive and does not require installation. Monitoring hosts locally is, however, more suitable for troubleshooting and network discovery than for monitoring a compromised machine, since you normally do not want to alter anything on the host being investigated, and a rootkit on that host can hide traffic from a sniffer running on it.
Nowadays, a large amount of traffic is being sent through wireless networks, so be sure to monitor your airspace for rogue hosts and rogue access points that use IEEE 802.11 WiFi. Tools such as Kismet can be used to detect hosts and access points using WiFi, but unfortunately Kismet does not provide much information about the detected hosts. By loading Kismet capture files into NetworkMiner, or by performing live WiFi sniffing with NetworkMiner using an AirPcap device, you will be able to get the most out of your wireless monitoring.
Reassembling transferred files
NetworkMiner is also useful for reassembling and extracting files from captured network traffic. Examples of protocols from which NetworkMiner can perform file reassembly are HTTP, FTP and SMB. By loading the pcap files from The Honeynet Project's “Scan of the Month 28” (sotm28) (tinyurl.com/5quoav) into NetworkMiner you will be able to examine not only what the attacker did, but also the contents of the files he downloaded to the compromised machine. By selecting the “files” tab and right-clicking a file you get a context menu which allows you to open the file or its parent folder. Looking at NetworkMiner's files tab after loading the pcap files from sotm28, one will see that after gaining control of the machine, the attacker started out by using ftp in order to download wget to the compromised machine. The attacker was then able to use wget to download other applications such as psyBNC, which is often used as a backdoor into a compromised machine or to allow someone to remotely control the machine as part of a botnet.

The file reassembly functionality in NetworkMiner also allows you to view any web page which has been retrieved across the monitored network. By right-clicking an html file you will be able to open an offline version of that particular web page.

Apart from the normal file transfer protocols, NetworkMiner is one of the few applications that also supports reassembly of files transferred with the TFTP protocol. TFTP is a lightweight file transfer protocol that is often used by the bootloaders of embedded systems in order to retrieve executable firmware images (such as a kernel and a file system) from a remote server. The TFTP protocol might be used by an attacker to replace the firmware of your printers, routers, switches, WiFi access points and even firewalls with a special purpose-built firmware. This firmware might, for example, be designed to monitor your network traffic and report data such as captured user credentials to the attacker.
This implies that you should not fully trust your firewalls unless you have the ability to see which traffic is entering and leaving your firewall.
By monitoring the network traffic to and from the embedded systems on your network, you can verify that they are behaving as expected; you would, for example, not expect your printers to post files to an external FTP server, would you?
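The passage above is about reassembling files from TFTP, a protocol with no session layer to speak of (every block is a separate UDP datagram), and about noticing when an embedded device fetches a file from somewhere it should not. The following is an added example of a TFTP reassembler written for this article; it is not NetworkMiner's code. It handles read requests (RRQ, a device downloading a file) only, takes already-demultiplexed UDP datagrams as `(src, sport, dst, dport, payload)` tuples rather than a pcap, and the sample transfer, addresses and file names below are constructed.

```python
"""Reassemble files carried by TFTP (RFC 1350) from captured UDP datagrams.
Added example, not NetworkMiner's reassembly code. It handles read requests (RRQ)
only, i.e. a device downloading a file, and takes already-demultiplexed datagrams
(src, sport, dst, dport, payload) rather than a pcap; the sample traffic is constructed."""

RRQ, DATA, ACK = 1, 3, 4
BLKSIZE = 512          # default block size; a DATA block shorter than this ends the file

def parse_tftp(payload):
    """Return (opcode, field, data): filename/mode for RRQ, block number plus data for DATA/ACK."""
    op = int.from_bytes(payload[:2], "big")
    if op == RRQ:
        name, mode, *_ = payload[2:].split(b"\x00")
        return op, name.decode(errors="replace"), mode.decode(errors="replace")
    if op in (DATA, ACK):
        return op, int.from_bytes(payload[2:4], "big"), payload[4:]
    return op, None, None

def reassemble_tftp(datagrams):
    """Map (client, server, filename) -> file content for every completed download.
    The client's source port identifies the transfer (its TID); DATA from any host
    other than the one the request went to is ignored, a retransmitted block keeps
    its first copy, and out-of-order blocks are fine. Block numbers wrapping past
    65535 (files over 32 MiB) are not handled."""
    pending, done = {}, {}
    for src, sport, dst, dport, payload in datagrams:
        op, field, data = parse_tftp(payload)
        if op == RRQ and dport == 69:
            pending[(src, sport)] = {"name": field, "server": dst, "blocks": {}}
        elif op == DATA and (dst, dport) in pending:
            t = pending[(dst, dport)]
            if src != t["server"]:
                continue                                # wrong sender: not part of this transfer
            t["blocks"].setdefault(field, data)         # first copy wins on retransmission
            last = max(t["blocks"])
            if len(t["blocks"][last]) < BLKSIZE and all(n in t["blocks"] for n in range(1, last + 1)):
                done[(dst, t["server"], t["name"])] = b"".join(t["blocks"][n] for n in range(1, last + 1))
                del pending[(dst, dport)]
    return done

def unexpected_downloads(done, trusted_servers):
    """Transfers served by a host outside the trusted set, e.g. a switch pulling
    firmware from somewhere other than its known boot server."""
    return sorted(k for k in done if k[1] not in trusted_servers)

# ---- constructed sample datagrams (not a real capture) ----
def _rrq(name):
    return b"\x00\x01" + name.encode() + b"\x00octet\x00"

def _data(block, content):
    return b"\x00\x03" + block.to_bytes(2, "big") + content

def _ack(block):
    return b"\x00\x04" + block.to_bytes(2, "big")

SAMPLE_DATAGRAMS = [
    ("10.0.0.7", 2049, "10.0.0.1", 69, _rrq("printer.bin")),        # printer asks its boot server
    ("10.0.0.1", 45000, "10.0.0.7", 2049, _data(1, b"A" * 512)),
    ("10.0.0.1", 45000, "10.0.0.7", 2049, _data(1, b"A" * 512)),     # retransmission, keep first
    ("10.0.0.7", 2049, "10.0.0.1", 45000, _ack(1)),
    ("192.0.2.1", 1234, "10.0.0.7", 2049, _data(2, b"X" * 512)),     # block from a stranger, ignored
    ("10.0.0.1", 45000, "10.0.0.7", 2049, _data(3, b"C" * 10)),      # final block arrives early
    ("10.0.0.1", 45000, "10.0.0.7", 2049, _data(2, b"B" * 512)),
    ("10.0.0.9", 3000, "203.0.113.5", 69, _rrq("fw.img")),           # switch fetching from an outside host
    ("203.0.113.5", 5100, "10.0.0.9", 3000, _data(1, b"FIRMWARE-IMAGE")),
]

if __name__ == "__main__":
    files = reassemble_tftp(SAMPLE_DATAGRAMS)
    for key, content in files.items():
        print(key, len(content), "bytes")
    print("unexpected:", unexpected_downloads(files, {"10.0.0.1"}))
```

The reassembled `printer.bin` is the three genuine blocks in order, with the duplicate and the block from the wrong sender discarded; the second transfer completes after a single short block, and because it was served from outside the trusted boot server set it is exactly the kind of download the paragraph above warns about. The reassembled bytes can then be hashed and compared against the firmware image the vendor actually shipped.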
If you monitor the traffic that leaves your network you will be able to see what information is being exposed to external, untrusted parties. NetworkMiner also has a keyword search functionality that allows you to search all traffic (regardless of protocol) for keywords such as “confidential”.
Data leakage and data seepage
Another use of NetworkMiner is in evaluating how much data about you and your computer is being disclosed to the network without your knowledge. By connecting your laptop to an unknown network or an unencrypted WiFi access point you make this data available to any malicious lurker who might be sniffing that particular network. Not only might the lurker be able to read your emails and see your passwords, he may also be able to identify your previous IP address and see which file servers you have network shares on. This type of information is called “Data Seepage” and can be used by an attacker to gather useful information in order to, for example, plan an attack. By launching NetworkMiner locally on your own machine, you will be able to see what information your computer is leaking to potentially malicious network lurkers who might be performing man-in-the-middle attacks or WiFi sniffing. After using NetworkMiner, you will soon learn that connecting your computer to an unknown network (wired or wireless) cannot be considered “safe sex”; so be sure to use protection if you wish to connect your Ethernet cable to a non-trusted RJ45 socket.
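One concrete channel for the data seepage described above is the very first thing a laptop does on a new network: its DHCP request carries its host name, its MAC address, a vendor class string that hints at the operating system and, in the Requested IP option, the address it had on the previous network. The following is an added example of decoding those fields, written for this article; it is not NetworkMiner's DHCP parser. The request it decodes is constructed inline (the MAC address, host name and addresses are made up) and the vendor-class-to-OS mapping in `seepage_summary` is a tiny stand-in for a Satori-style fingerprint database.

```python
"""What a laptop discloses in its first DHCP request on a new network (data seepage).
Added example, not NetworkMiner's DHCP parser; the request is constructed inline,
and the vendor-class-to-OS mapping is a tiny stand-in for a Satori-style database."""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}

def parse_dhcp(payload):
    """Return the fields of a BOOTP/DHCP message that identify the client."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    hlen = payload[2]                                   # hardware address length (6 for Ethernet)
    out = {"client_mac": payload[28:28 + hlen].hex(":")}
    i = 240
    while i < len(payload) and payload[i] != 255:       # 255 = end option
        code = payload[i]
        if code == 0:                                   # pad
            i += 1
            continue
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        i += 2 + length
        if code == 53:
            out["message_type"] = MSG_TYPES.get(data[0], str(data[0]))
        elif code == 50:                                # Requested IP: the address used last time
            out["requested_ip"] = ".".join(map(str, data))
        elif code == 12:
            out["hostname"] = data.decode(errors="replace")
        elif code == 60:
            out["vendor_class"] = data.decode(errors="replace")
        elif code == 61:
            out["client_id"] = data.hex()
    return out

def seepage_summary(fields):
    """What a lurker learns: the machine's name, the network it came from, and an OS hint."""
    summary = {"hostname": fields.get("hostname")}
    if "requested_ip" in fields:
        summary["previous_ip"] = fields["requested_ip"]
    vc = fields.get("vendor_class", "")
    if vc.startswith("MSFT"):                           # Windows clients send "MSFT 5.0"
        summary["os_hint"] = "Windows (vendor class %s)" % vc
    elif vc:
        summary["os_hint"] = "vendor class %s" % vc
    return summary

def _dhcp_request(mac, hostname, requested_ip, vendor_class):
    """Constructed DHCPREQUEST (op=1, htype=1 Ethernet): 236-byte BOOTP header, cookie, options."""
    mac_bytes = bytes.fromhex(mac.replace(":", ""))
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x3903F326, 0, 0,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         mac_bytes.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = (b"\x35\x01\x03"                                           # 53: message type REQUEST
            + b"\x3d\x07\x01" + mac_bytes                             # 61: client id (htype + MAC)
            + b"\x32\x04" + bytes(int(x) for x in requested_ip.split("."))   # 50: requested IP
            + b"\x0c" + bytes([len(hostname)]) + hostname.encode()    # 12: host name
            + b"\x3c" + bytes([len(vendor_class)]) + vendor_class.encode()  # 60: vendor class
            + b"\xff")
    return header + DHCP_MAGIC + opts

# A laptop that last had 192.168.1.77 on its home network joins a new one.
SAMPLE_REQUEST = _dhcp_request("00:11:22:33:44:55", "erik-laptop", "192.168.1.77", "MSFT 5.0")

if __name__ == "__main__":
    print(seepage_summary(parse_dhcp(SAMPLE_REQUEST)))
```

Everything in the summary is broadcast in the clear before the machine has even obtained an address, so no man-in-the-middle position is required to collect it; anyone on the same segment or radio channel sees it.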
Erik Hjelmvik is an independent network security researcher and open source developer. He also works as a software development consultant, specialising in embedded systems. In the past, Erik served as an R&D engineer at one of Europe's largest electric utility companies, where he worked with IT security for SCADA and process control systems.