Module XXVI – Network Forensics and Investigating Logs
EC-Council
Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
News: Accused SF Network Hacker Facing Felony Charges
Source: http://www.foxreno.com/
Module Objective
This module will familiarize you with:
• Network Forensics
• Network Attacks
• Where to Look for Evidence
• Investigating Logs
• Handling Logs as Evidence
• Log Injection Attacks
Module Flow
• Network Forensics
• Network Attacks
• Where to Look for Evidence
• Investigating Logs
• Handling Logs as Evidence
• Log Injection Attacks
Network Forensics
Network forensics can be defined as the sniffing, recording, acquisition, and analysis of network traffic and event logs in order to investigate a network security incident
Network forensics can reveal:
• Source of security incidents and network attacks
• Path of the attack
• Intrusion techniques used by attackers
The Intrusion Process
Figure: The intrusion process. An attacker's laptop on the Internet reaches the corporate network (firewalls, routers, hubs, servers, mainframe, computers, laptop, printer) through a chain of intermediate "owned" computers and ISP routers
Network Vulnerabilities
Internal network vulnerabilities:
• These vulnerabilities occur due to the overextension of bandwidth and bottlenecks
External network vulnerabilities:
• These vulnerabilities occur due to threats such as DoS/DDoS attacks and network data interception
Network Attacks
• IP Spoofing
• Router attacks
• Eavesdropping
• Denial-of-Service
• Man-in-the-Middle Attack
• Sniffer Attack
• Data Modification Attacks
• Enumeration
• Virus
• Trojan
• E-mail Infection
• Password Cracking
• Malware attacks
Where to Look for Evidence
Log files from the following devices and applications can be used as evidence for network security incidents:
• Firewalls
• Routers and switches
• Intrusion Detection Systems
• Intrusion Prevention Systems
• Servers, desktops, and mainframes
• Business applications
• Databases
• Anti-virus
• VPNs
Investigating Logs
Postmortem and Real-Time Analysis
Forensic examination of logs is divided into two categories:
Postmortem
• Postmortem analysis of logs is done to investigate something that has already happened
Real-Time Analysis
• Real-time analysis is done for an ongoing process
In practice, an IDS performs the real-time analysis, whereas the forensic examination is postmortem
Handling Logs as Evidence
Use Multiple Logs as Evidence
• It is hard to refute one log entry if two separate devices record the same information
• Firewall logs, IDS logs, and TCPDump can help to prove that an IP address hit a specific server at a specific time
Avoid Missing Logs
• When no log files exist, there is no way of knowing if the server got no hits (say it was offline for a day) or if the log file was actually deleted
Log File Authenticity
Log files can be said to be authentic if it can be proven that they have not been modified since they were originally recorded
Move the Logs - If a server has been compromised, you must consider that the log files could also have been compromised
Move the logs to a master server and then move them offline to a tape or CD
Use Signatures, Encryption, and Checksums
To ensure that the log file is not modified, encrypt the log by using a public-key encryption scheme
A file signature makes the log file more secure
Use the Fsum tool or MD5 to generate the hash code
Store the signature and hashes with the log
Store a secure copy in a separate location
Work with Copies
Do not use original log files for analysis; always work on copies
Ensure that the original logs are never touched, to maintain the authenticity of the original log files
If you use log files as court evidence, you must present the original files in their original form
Ensure System’s Integrity
Always stay up to date on service packs and hotfixes; this assures that the system’s files are valid
Audit all changes to binary files in the WINNT directory
If an intruder modifies the system files that write the log files, then the log files are no longer valid as evidence
Access Control
Once a log file is created, it is important to prevent the file from being accessed, and to audit any authorized and unauthorized access
If you properly secure and audit a log file using NTFS permissions, you will have documented evidence to establish its credibility
Chain of Custody
As you move log files from the server and later to an offline device, you should keep track of where the file goes
This can be done through technical or non-technical methods, such as MD5 authentication
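As an added illustration of the checksum, signature and chain-of-custody steps above (not code from the module): a Python routine that hashes a collected log, binds the hash with an HMAC (a keyed stand-in for the public-key signature the slides suggest, chosen because it needs only the standard library), records custody transfers, and re-verifies before every transfer. The log contents, the key and the custodian names are constructed placeholders.

```python
import hashlib
import hmac
import json
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample log; not taken from the module.
SAMPLE_LOG = (
    "2010-05-21 10:01:12 | Tester01 | LOGIN | success\n"
    "2010-05-21 10:02:40 | Tester01 | READ | /reports/q1.xls\n"
    "2010-05-21 10:03:05 | Manager01 | WRITE | /reports/q1.xls\n"
)


def file_digest(path, algorithm="sha256"):
    """Hash the file in chunks. The module names MD5 and Fsum; SHA-256 is used
    here because MD5 collisions are practical, but any hashlib name works."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def sidecar_path(path):
    return path + ".sig.json"


def sign_log(path, key, custodian):
    """Write a sidecar holding the digest, an HMAC over it (keyed substitute
    for a public-key signature) and the first chain-of-custody record.
    The custody list is a paper trail; only the digest is authenticated."""
    digest = file_digest(path)
    record = {
        "file": os.path.basename(path),
        "algorithm": "sha256",
        "digest": digest,
        "hmac": hmac.new(key, digest.encode(), "sha256").hexdigest(),
        "custody": [{"who": custodian, "action": "collected",
                     "when": datetime.now(timezone.utc).isoformat()}],
    }
    with open(sidecar_path(path), "w") as f:
        json.dump(record, f, indent=2)
    return record


def verify_log(path, key):
    """Return (ok, reason): fails if the sidecar was edited or the log changed."""
    with open(sidecar_path(path)) as f:
        record = json.load(f)
    expected = hmac.new(key, record["digest"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, record["hmac"]):
        return False, "sidecar HMAC mismatch (sidecar edited or wrong key)"
    if file_digest(path, record["algorithm"]) != record["digest"]:
        return False, "file digest mismatch (log modified after collection)"
    return True, "digest and HMAC match"


def add_custody(path, key, who, action):
    """Append a custody record; re-verify first so a tampered file is never signed off."""
    ok, reason = verify_log(path, key)
    if not ok:
        raise ValueError(reason)
    with open(sidecar_path(path)) as f:
        record = json.load(f)
    record["custody"].append({"who": who, "action": action,
                              "when": datetime.now(timezone.utc).isoformat()})
    with open(sidecar_path(path), "w") as f:
        json.dump(record, f, indent=2)
    return record


def demo(tamper=False):
    """Collect the constructed log, record a transfer, optionally tamper, verify."""
    key = b"placeholder-key-kept-offline"  # hypothetical key for this example only
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "app.log")
        with open(path, "w") as f:
            f.write(SAMPLE_LOG)
        sign_log(path, key, "analyst A")
        add_custody(path, key, "analyst A", "copied to master server")
        if tamper:  # one appended line is enough to break the digest
            with open(path, "a") as f:
                f.write("2010-05-21 10:04:00 | Tester01 | DELETE | /reports/q1.xls\n")
        return verify_log(path, key)


if __name__ == "__main__":
    print(demo())
    print(demo(tamper=True))
```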
Condensing Log Files
Log files can be sorted by using syslog, but the output of syslog is a large log file
It is difficult for the forensic team to look for the important log entries
Log entries need to be filtered as per the requirement
Tools that can be used:
• Swatch
• Logcheck
Log Injection Attacks
New Line Injection Attack
In this attack, the attacker injects plaintext into the log files
The attacker tries to divert the attention of the investigator towards another person
The logging application relates the user to the action performed
The log file before the attack:
New Line Injection Attack (cont’d)
The attacker changes the log file's content by inserting [LINEBREAK] and changing the user name “Tester01” to, say, “Manager01”
The log file after the attack:
Figure: New lines inserted by attackers
New Line Injection Attack Countermeasure
Remove all new line characters, such as the carriage return (0x0D) and line feed (0x0A) characters
The resulting log file would be as shown below:
Figure: Removing new lines
Separator Injection Attack
In this attack, the attacker injects a single pipe character or multiple pipe characters into the log files
Some systems keep log files that have several data columns; each entry in these log files is a single line of text, with the data fields separated by a pipe character
The sample log file is as shown:
Separator Injection Attack (cont’d)
When the attacker injects single or multiple pipe characters, the previous values are replaced and shifted from one column to the next
Consider the example where the value in the value field is replaced with “9.99 | WRITE”
The values are shifted from one column to the next as shown:
Figure: Replaced value field
Separator Injection Attack (cont’d)
Shifting log columns causes inconsistency in a log file
The attack damages the log file integrity
It shows that the attack is performed on a pipe character
Though the shifting of values is uncovered, it is difficult to find the offender
Defending Separator Injection Attack
Sanitize the inputs by morphing incoming data to a different representation
URL encoding and slash encoding techniques can be used to sanitize the inputs
In the URL encoding technique, the pipe character is encoded as a percent sign followed by the hexadecimal representation of its ASCII value
The log file after implementing URL encoding is as shown:
Figure: URL encoding
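The new line and separator injection attacks, together with the new-line removal and URL-encoding countermeasures, carried through in Python as an added example (not code from the module): a pipe-delimited log with constructed attacker-controlled values is written once unsafely and once with the countermeasures, then parsed back. The column layout (user | action | value) and the payloads are assumptions for the example.

```python
from urllib.parse import unquote

SEP = " | "      # column separator used by the sample log
COLUMNS = 3      # user | action | value


def write_entry_raw(user, action, value):
    """Unsafe writer: fields go into the line exactly as supplied."""
    return f"{user}{SEP}{action}{SEP}{value}\n"


def encode_field(field):
    """Countermeasures from the module applied to one field: drop CR (0x0D)
    and LF (0x0A), then URL-encode the pipe as %7C. '%' is encoded first so
    an attacker-supplied literal '%7C' stays distinguishable from an encoded
    pipe, which keeps the encoding reversible."""
    field = field.replace("\r", "").replace("\n", "")
    return field.replace("%", "%25").replace("|", "%7C")


def write_entry_safe(user, action, value):
    return SEP.join(encode_field(f) for f in (user, action, value)) + "\n"


def parse_log(text):
    """Split on the separator first and decode afterwards, so decoding can
    never re-create a column boundary."""
    return [[unquote(c) for c in line.split(SEP)] for line in text.splitlines()]


def column_check(rows, expected=COLUMNS):
    """1-based line numbers whose column count is wrong: the shifted columns
    the module describes are exactly what this surfaces. A forged line from a
    new line injection has the right column count, so it is not caught here."""
    return [n for n, r in enumerate(rows, start=1) if len(r) != expected]


# Constructed attacker-controlled values mirroring the module's two attacks.
NEWLINE_PAYLOAD = "9.99\nManager01 | DELETE | all"
PIPE_PAYLOAD = "9.99 | WRITE"


def rows_after(writer, value):
    """Write one entry with the given writer and parse the resulting text."""
    return parse_log(writer("Tester01", "READ", value))


if __name__ == "__main__":
    for name, payload in (("new line", NEWLINE_PAYLOAD), ("separator", PIPE_PAYLOAD)):
        raw = rows_after(write_entry_raw, payload)
        safe = rows_after(write_entry_safe, payload)
        print(name, "raw:", raw, "bad lines:", column_check(raw))
        print(name, "safe:", safe, "bad lines:", column_check(safe))
```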
Timestamp Injection Attack
This attack uses a combination of new line and separator injection
The log records the action that was taken, by whom it was initiated, and when it occurred
Consider a stock trading system that stores all trade information in a log file as shown:
Figure: Log of all trade information
Timestamp Injection Attack (cont’d)
The new line input injection may look like:
• “AccountY[LINEBREAK] 21-05-2010 : 1002 : Trader1 has retracted sell order”
The log output is as follows:
Figure: New line input injection
Timestamp Injection Attack (cont’d)
The attacker must know the date and time used by the logging component
The entries cannot be injected in chronological order
The time stamp should lie between the surrounding time stamps
It is easy to find the region of uncertainty if a limited number of lines are injected
These scenarios create doubts in a legal case
Defending Timestamp Injection Attack
Use sequence numbering; it is similar to time stamping and helps in overcoming the predictable entry creation problems
The following figure illustrates that line 3 is out of sequence
Figure: Example with sequence numbering
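An added Python example, not the module's own, of sequence numbering: a logger that owns the counter and strips line breaks, and an audit routine that reports an entry whose number or timestamp is out of order. The trade log is constructed so that, as in the figure, line 3 is the one out of sequence; the timestamp layout follows the slide's "21-05-2010 : 1002".

```python
import re
from datetime import datetime

TS_FORMAT = "%d-%m-%Y : %H%M"      # matches the module's "21-05-2010 : 1002"


class SequencedLogger:
    """Prefixes every entry with a counter the logger owns. Whoever controls
    only the message text cannot produce the next number, and new lines in
    the message are stripped so an entry stays on one physical line."""

    def __init__(self):
        self.seq = 0
        self.lines = []

    def log(self, timestamp, user, message):
        self.seq += 1
        message = message.replace("\r", "").replace("\n", "")
        line = f"{self.seq:06d} | {timestamp} | {user} | {message}"
        self.lines.append(line)
        return line


ENTRY_RE = re.compile(r"^(\d{6}) \| (\d{2}-\d{2}-\d{4} : \d{4}) \| ([^|]*) \| (.*)$")


def audit(lines):
    """Return (line_number, reason) for every entry that breaks the expected
    sequence or runs backwards in time. The expected counter only advances on
    a good entry, so one forged line yields one finding; a forgery that
    guessed the right number makes the genuine next line collide instead.
    Either way the region of uncertainty is exposed."""
    findings = []
    expected, last_ts = 1, None
    for n, line in enumerate(lines, start=1):
        m = ENTRY_RE.match(line)
        if not m:
            findings.append((n, "unparseable entry"))
            continue
        seq = int(m.group(1))
        ts = datetime.strptime(m.group(2), TS_FORMAT)
        if seq != expected:
            findings.append((n, f"sequence {seq} expected {expected}"))
            continue
        if last_ts is not None and ts < last_ts:
            findings.append((n, "timestamp earlier than previous entry"))
        expected, last_ts = seq + 1, ts
    return findings


def demo():
    """Constructed trade log: three genuine entries through the logger, then a
    forged line slipped into the file directly, guessing sequence number 2."""
    lg = SequencedLogger()
    lg.log("21-05-2010 : 1000", "Trader1", "placed sell order for AccountX")
    # the module's injection payload lands in the message field: the line
    # break is removed, so the forged "retracted" text stays inside entry 2
    lg.log("21-05-2010 : 1001", "Trader1",
           "placed buy order for AccountY\n21-05-2010 : 1002 : Trader1 has retracted sell order")
    lg.log("21-05-2010 : 1005", "Trader2", "placed sell order for AccountZ")
    lines = list(lg.lines)
    lines.insert(2, "000002 | 21-05-2010 : 1002 | Trader1 | has retracted sell order")
    return lines, audit(lines)


if __name__ == "__main__":
    lines, findings = demo()
    print("\n".join(lines))
    print(findings)
```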
Word Wrap Abuse Attack
In a word wrap abuse attack, unusual log entries are created by using white space padding
The line may wrap and cause an effect similar to a new line injection attack
Word Wrap Abuse Attack (cont’d)
Where the new line removal technique is in place, the attacker may instead use the following input:
• “Tester01. __________________Failed to delete all files for Manager01.________Failed to move all files for Manager01.__________Failed to remove user Manager01 for Manager01.___Failed to logon for Tester01”
The log file looks like:
Figure: Word wrap abuse attack
Defending Word Wrap Abuse Attack
The solution for this type of attack is entry splitting
The log entry is split into multiple lines after a specific length
Insert a marker to indicate that splitting has occurred
This technique provides generalized protection against forms of injection that depend on long inputs going undetected
Defending Word Wrap Abuse Attack (cont’d)
The log file entry after splitting looks like:
Here [CR] indicates that the logging software has inserted a carriage return
The disadvantage of this method is that the integrity of entries may be compromised
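Entry splitting with a marker, written out as an added Python example (not code from the module): entries longer than a chosen length are split, continuation lines carry [CR], and a reader reassembles them while reporting a marker line that has no entry before it. The split length and the payload are assumptions; the payload is built in the shape of the slide's word wrap input.

```python
MAX_LEN = 60        # physical line length after which an entry is split
MARKER = "[CR]"     # inserted by the logging software, never by the user


def sanitize(text):
    """Strip real line breaks, and neutralise '[' in user data so the marker
    itself cannot be forged from inside a message."""
    return text.replace("\r", "").replace("\n", "").replace("[", "%5B")


def split_entry(user, message, max_len=MAX_LEN):
    """Write one logical entry as physical lines of at most max_len
    characters; every continuation line carries the marker in front."""
    entry = f"{user}: {sanitize(message)}"
    lines = [entry[:max_len]]
    rest = entry[max_len:]
    while rest:
        lines.append(MARKER + rest[:max_len])
        rest = rest[max_len:]
    return lines


def reassemble(lines):
    """Rebuild logical entries for analysis. A marker line with no entry
    before it, or an unsplit line over the limit (the splitter never writes
    one), is reported: that is the integrity caveat the slide mentions."""
    entries, suspicious = [], []
    for n, line in enumerate(lines, start=1):
        if line.startswith(MARKER):
            if not entries:
                suspicious.append((n, "continuation without an entry"))
                continue
            entries[-1] += line[len(MARKER):]
        else:
            if len(line) > MAX_LEN:
                suspicious.append((n, "line longer than the split length"))
            entries.append(line)
    return entries, suspicious


# Constructed payload in the shape of the module's word wrap example.
PAYLOAD = ("Tester01. " + "_" * 18 + "Failed to delete all files for Manager01."
           + "_" * 8 + "Failed to move all files for Manager01."
           + "_" * 10 + "Failed to remove user Manager01 for Manager01."
           + "_" * 3 + "Failed to logon for Tester01")


if __name__ == "__main__":
    for line in split_entry("Tester01", PAYLOAD):
        print(line)
    print(reassemble(split_entry("Tester01", PAYLOAD)))
```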
HTML Injection Attack
In this attack, the attacker injects HTML tags into a log
This will control the display of the subsequent entries
Consider an HTML log file which is potentially not secure
Under normal conditions, the browser displays a list of all the invalid session identifiers along with a timestamp
HTML Injection Attack (cont’d)
The HTML log file looks like:
Figure: HTML injection attack
HTML Injection Attack (cont’d)
Line 7 in the example shows the potentially malicious Session ID, which is under the attacker’s control
The attacker can disable logging, to perform other attacks, by changing the Session ID to:
• “A345EFF345987435</tr></td></table><font color=white>”
A new table will start, closing the current row of the table, with the background color as the font color
Due to this, the session IDs will be logged in a white font, which makes it difficult to identify them against the background color
HTML Injection Attack (cont’d)
The log file is changed to:
Figure: Changed log file
Defending HTML Injection Attack
Token removal is the solution for this kind of attack
Identify the inputs given by the attacker and remove the tokens so that they are not interpreted upon display
Remove ‘<’ and ‘>’ characters wherever you find that malicious input is given
The secured log file is written as:
Figure: Token removal
Terminal Injection Attack
It is an attack on the log viewing interface
In this attack, terminal emulation is used to interpret character sequences as special action directives to the terminal
Terminal injection can be used on an FTP client log file on a Linux system
As an example, a bash shell command is used as a backdoor by an attacker to display all the users’ passwords
Terminal Injection Attack (cont’d)
Finally, the FTP client leaves the log file with the passwords
If the attacker knows that the administrator of the system inspects the log file via a cat command that displays its output in a terminal window, he can abuse its use of ANSI terminal sequences to clear the screen and make the log file appear empty
The log file as viewed by the attacker is:
Defending Terminal Injection Attack
These attacks can be defended against by using a raw viewer such as a hex editor
Using a hex editor, the file contents can be viewed without any interpretation
It provides a hexadecimal output, which is difficult to identify, as shown:
Figure: Hex output of a terminal injection attack
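An added Python example, not code from the module, of the raw-viewer defence: a hex dump of a constructed FTP client log carrying an ANSI clear-screen sequence, a scan that reports control bytes with their line numbers, and a cat -v style rendering that shows the sequence instead of letting the terminal act on it. The log lines are constructed for the example.

```python
ESC = 0x1B


def hexdump(data, width=16):
    """Raw view: offset, hex bytes and a printable column, nothing interpreted."""
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        rows.append(f"{off:08x}  {hexpart:<{width * 3 - 1}}  |{text}|")
    return rows


def find_control_bytes(data):
    """Report every C0 control byte other than LF, plus DEL, with its line
    number. ESC (0x1b) is the byte an ANSI clear-screen or cursor-movement
    sequence starts with, so one hit here is worth a look in the dump."""
    hits, line = [], 1
    for off, b in enumerate(data):
        if b == 0x0A:
            line += 1
        elif b < 0x20 or b == 0x7F:
            hits.append({"offset": off, "line": line, "byte": b})
    return hits


def safe_render(data):
    """Show the log in a terminal without letting it drive the terminal:
    each control byte is replaced by its caret or hex form, as cat -v does."""
    out = []
    for b in data:
        if b == 0x0A or 0x20 <= b < 0x7F:
            out.append(chr(b))
        elif b == ESC:
            out.append("^[")
        elif b < 0x20:
            out.append("^" + chr(b + 0x40))
        else:
            out.append(f"\\x{b:02x}")
    return "".join(out)


# Constructed FTP-style client log; line 3 carries the ANSI clear-screen
# sequence ESC [ 2 J inside the user name field.
SAMPLE = (
    b"2010-05-21 10:01 login user=anonymous\n"
    b"2010-05-21 10:02 get file=report.txt\n"
    b"2010-05-21 10:03 login user=\x1b[2Jguest\n"
    b"2010-05-21 10:04 quit\n"
)

if __name__ == "__main__":
    print("\n".join(hexdump(SAMPLE)))
    print(find_control_bytes(SAMPLE))
    print(safe_render(SAMPLE))
```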
Other Kinds of Log File Attacks
The other forms of attack that should be known before developing a logging system are:
Buffer Overflows:
• Buffer overflows in log files may corrupt the records and damage the log file integrity
Format Strings:
• These are most common in Unix-based logging systems and dangerous in unproven components
SQL Injection:
• This is the threat to user data stored in a relational database
Other Kinds of Log File Attacks (Cont’d)
Directory Traversal:
• Attackers may use special characters to navigate to unauthorized directories or drives to overwrite important files
XML Attacks:
• XML stores different types of information, including log data; external and internal entity references and excessive recursion in XML may change the functionality of log writing and reading
Denial of Service:
• This attack causes an overflow of entries; individual logs and storage can be filled to capacity, and the log file infrastructure is appended with ‘noise’ which makes it difficult to identify real entries
Summary
Log files can be sorted by using syslog, but the output of syslog is a large log file
Log entries need to be filtered
Postmortem analysis of logs is done to investigate something which has already happened
By combining logs from several devices, you strengthen the value of each
Investigate the logs for the different log injection attacks
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 

File000139

  • 1. Module XXVI – Network Forensics and Investigating Logs
  • 2. EC-Council. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. News: Accused SF Network Hacker Facing Felony Charges. Source: http://www.foxreno.com/
  • 3. Module Objective. This module will familiarize you with:
    - Network Forensics
    - Network Attacks
    - Where to Look for Evidence
    - Investigating Logs
    - Handling Logs as Evidence
    - Log Injection Attacks
  • 4. Module Flow: Network Forensics, Network Attacks, Where to Look for Evidence, Investigating Logs, Handling Logs as Evidence, Log Injection Attacks
  • 5. Network Forensics. Network forensics can be defined as the sniffing, recording, acquisition and analysis of network traffic and event logs in order to investigate a network security incident. Network forensics can reveal:
    - the source of security incidents and network attacks
    - the path of the attack
    - the intrusion techniques used by attackers
  • 6. The Intrusion Process (diagram). The attacker's laptop reaches the corporate network over the Internet through a chain of ISP routers and several intermediate "owned" computers, so the address the corporate firewall records is the last hop in that chain rather than the attacker's own machine. Inside the corporate network the diagram shows firewalls, routers, hubs, servers, a mainframe, workstations and a printer.
  • 7. Network Vulnerabilities.
    - Internal network vulnerabilities: these occur due to the overextension of bandwidth and bottlenecks
    - External network vulnerabilities: these occur due to threats such as DoS/DDoS attacks and network data interception
  • 8. Network Attacks: IP Spoofing, Router attacks, Eavesdropping, Denial-of-Service, Man-in-the-Middle Attack, Sniffer Attack, Data Modification Attacks, Enumeration, Virus, Trojan, E-mail Infection, Password Cracking, Malware attacks
  • 9. Where to Look for Evidence. Log files from the following devices and applications can be used as evidence for network security incidents:
    - Firewalls
    - Routers and switches
    - Intrusion Detection Systems
    - Intrusion Prevention Systems
    - Servers, desktops, and mainframes
    - Business applications
    - Databases
    - Anti-virus
    - VPNs
  • 10. Investigating Logs
  • 11. Postmortem and Real-Time Analysis. Forensic examination of logs falls into two categories:
    - Postmortem: the logs are examined to investigate something that has already happened
    - Real-Time Analysis: the logs are examined while the activity is still in progress
    In practice an IDS performs the real-time analysis, whereas the forensic examination is the postmortem.
  • 12. Handling Logs as Evidence.
    - Use Multiple Logs as Evidence: it is hard to refute a log entry when two separate devices have recorded the same event. Firewall logs, IDS logs and a tcpdump capture together can prove that an IP address hit a specific server at a specific time
    - Avoid Missing Logs: when no log file exists there is no way of knowing whether the server really got no hits (say it was offline for a day) or whether the log file was deleted
  • 13. Log File Authenticity. Log files can be said to be authentic if it can be proven that they have not been modified since they were originally recorded. Move the logs: if a server has been compromised, you must assume that its log files could have been compromised as well. Move the logs to a master server and from there to offline media such as tape or CD
  • 14. Use Signatures, Encryption, and Checksums. To detect modification of a log file, compute a hash of it and sign the hash; encrypting the log with a public-key scheme additionally protects its confidentiality, but encryption alone does not prove integrity. Tools such as Fsum can generate MD5 hashes, but MD5 is no longer collision-resistant, so prefer SHA-256 for new evidence. Store the signature and hashes with the log and keep a secured copy in a separate location; a hash kept only on the compromised host proves nothing, because the intruder can simply recompute it after editing the file
  • 15. Work with Copies. Do not use the original log files for analysis; always work on copies. Ensure that the originals are never touched, so their authenticity is preserved. If you use log files as court evidence, you must be able to present the original files in their original form
  • 16. Ensure the System's Integrity. Keep the system up to date on service packs and hotfixes so that its system files are known-good. Audit all changes to binary files in the WINNT directory. If an intruder modifies the system files that write the logs, the logs are no longer usable as evidence
  • 17. Access Control. Once a log file is created, it is important to prevent unauthorised access to it and to audit every access, authorised or not. If you properly secure and audit a log file using NTFS permissions, you will have documented evidence to establish its credibility
  • 18. Chain of Custody. As you move log files from the server and later to an offline device, keep track of where each file goes and who handled it. This can be done technically, for example by recording a hash of the file (MD5 in the original material; SHA-256 is the better choice today) at every hand-off, or non-technically with a signed custody form
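The sealing and hand-off procedure of slides 14 and 18, as an added example that is not part of the EC-Council material. It assumes the analyst keeps a secret key off the compromised host (here the constructed SEAL_KEY), stores the integrity record beside the copy in a separate location, and appends one ledger entry per hand-off; the log bytes, host names and evidence-bag numbers are constructed.

```python
"""Integrity seal plus chain-of-custody ledger for an acquired log file.
Added example for slides 14 and 18; this is not EC-Council code. The log
contents, host names and SEAL_KEY are constructed for the illustration."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample log in the shape the slides use (not a real capture)
ORIGINAL_LOG = (
    b"21-05-2010 | Tester01 | READ  | 1.00\n"
    b"21-05-2010 | Tester01 | WRITE | 9.99\n"
)
# Assumption: the key is held on the master log server / by the analyst,
# never on the host that produced the log, so an intruder on that host
# cannot recompute the tag after editing the file.
SEAL_KEY = b"constructed-example-key-keep-it-offline"


def sha256_hex(data: bytes) -> str:
    """Plain digest; SHA-256 rather than MD5 for new evidence."""
    return hashlib.sha256(data).hexdigest()


def seal(data: bytes, key: bytes) -> dict:
    """Integrity record to be stored beside the copy, in a separate location."""
    return {
        "size": len(data),
        "sha256": sha256_hex(data),
        "hmac_sha256": hmac.new(key, data, hashlib.sha256).hexdigest(),
    }


def verify(data: bytes, record: dict, key: bytes) -> bool:
    """True only if the bytes still match the keyed tag taken at acquisition."""
    expected = hmac.new(key, data, hashlib.sha256).hexdigest()
    # compare_digest keeps the tag comparison constant-time
    return record["size"] == len(data) and hmac.compare_digest(
        expected, record["hmac_sha256"])


def custody_entry(ledger: list, record: dict, handler: str, action: str) -> list:
    """Append one hand-off; every entry repeats the digest, so a copy whose
    digest differs from the ledger is immediately suspect."""
    ledger.append({
        "when": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "who": handler,
        "action": action,
        "sha256": record["sha256"],
    })
    return ledger


def demo() -> tuple:
    """Seal the log, record two hand-offs, then check an untouched copy and
    a copy in which an intruder swapped the user name."""
    record = seal(ORIGINAL_LOG, SEAL_KEY)
    ledger = custody_entry([], record, "analyst1", "copied from web01 to logmaster")
    custody_entry(ledger, record, "analyst1", "written to DVD, evidence bag 17")
    tampered = ORIGINAL_LOG.replace(b"Tester01", b"Manager01", 1)
    return verify(ORIGINAL_LOG, record, SEAL_KEY), verify(tampered, record, SEAL_KEY), ledger


if __name__ == "__main__":
    ok, tampered_ok, ledger = demo()
    print("untouched copy verifies:", ok, "| tampered copy verifies:", tampered_ok)
    print(json.dumps(ledger, indent=2))
```

The unkeyed SHA-256 is what goes on the custody form and can be read out loud in court; the HMAC is what stops an intruder who reaches the evidence copy from re-hashing it after an edit. Record the hash again at every hand-off rather than only at acquisition, so a gap in the ledger is visible.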
  • 19. Condensing Log Files. Logs can be collected centrally with syslog, but the resulting files are large and it is difficult for the forensic team to find the important entries. Log entries need to be filtered according to the requirement. Tools that can be used:
    - Swatch
    - Logcheck
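The filtering idea behind tools such as Logcheck, as an added example rather than code or rule syntax from either tool or from EC-Council: known-benign lines are dropped, lines matching attack patterns are reported, and everything else is surfaced for a human. The syslog lines, host names and addresses are constructed.

```python
"""Logcheck-style condensing of a syslog stream: drop lines matching known-
benign patterns, report lines matching attack patterns, and surface anything
unexplained for a human. Added example for slide 19; not EC-Council code and
not the actual rule syntax of Logcheck or Swatch. SAMPLE_SYSLOG is constructed."""
import re

SAMPLE_SYSLOG = """\
May 21 10:01:02 web01 cron[1234]: (root) CMD (run-parts /etc/cron.hourly)
May 21 10:01:09 web01 sshd[2201]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2
May 21 10:01:40 web01 sshd[2210]: Failed password for root from 203.0.113.7 port 40022 ssh2
May 21 10:01:41 web01 sshd[2210]: Failed password for root from 203.0.113.7 port 40022 ssh2
May 21 10:02:00 web01 kernel: iptables DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.10 DPT=23
May 21 10:02:13 web01 sudo: deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/cat /etc/shadow
"""

# Known-benign patterns: a match means "routine, do not show"
IGNORE = [re.compile(p) for p in (
    r" cron\[\d+\]: \(root\) CMD ",
    r" sshd\[\d+\]: Accepted publickey for \w+ from 10\.0\.0\.\d+ ",
)]
# Attack patterns are checked first, so an ignore rule can never hide them
ALERT = [re.compile(p) for p in (
    r" sshd\[\d+\]: Failed password for root ",
    r" sudo: .* COMMAND=.*/etc/shadow",
)]

_TS = re.compile(r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d ")


def condense(text: str, ignore=IGNORE, alert=ALERT):
    """Return (alerts, unexplained): two dicts of line -> repeat count.
    The timestamp is stripped before counting, so identical events that
    recur (here the two failed root logins) collapse into one entry."""
    alerts, unexplained = {}, {}
    for line in text.splitlines():
        key = _TS.sub("", line)
        if any(r.search(line) for r in alert):
            alerts[key] = alerts.get(key, 0) + 1
        elif not any(r.search(line) for r in ignore):
            unexplained[key] = unexplained.get(key, 0) + 1
    return alerts, unexplained


if __name__ == "__main__":
    found, rest = condense(SAMPLE_SYSLOG)
    for label, bucket in (("ALERT", found), ("UNEXPLAINED", rest)):
        for key, n in bucket.items():
            print(f"{label:11} x{n}  {key}")
```

The ordering matters: attack rules run before ignore rules, so a permissive ignore pattern cannot swallow an alert. Anything in the unexplained bucket is a candidate for a new rule after a human has looked at it, which is how the ignore list grows without hiding new behaviour.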
  • 20. Log Injection Attacks
  • 21. New Line Injection Attack. In this attack the attacker injects plain text containing a line break into the log file, trying to divert the investigator's attention towards another person. The logging application relates each user to the action performed. The log file before the attack: (figure)
  • 22. New Line Injection Attack (cont'd). The attacker does not edit the log file itself; he submits input containing a [LINEBREAK] followed by a forged entry in which the user name "Tester01" is replaced with, say, "Manager01", so the forged text appears as a line of its own. The log file after the attack: Figure: New lines inserted by attackers
  • 23. New Line Injection Attack Countermeasure. Remove (or encode) all new line characters, that is carriage return (0x0D) and line feed (0x0A), from user-supplied input before it is written. The resulting log file would be as shown below: Figure: Removing new lines
  • 24. Separator Injection Attack. In this attack the attacker injects one or more pipe characters into the log file. Some systems keep logs with several data columns: each entry is a single line of text and the fields are separated by a pipe character. The sample log file is as shown: (figure)
  • 25. Separator Injection Attack (cont'd). When the attacker injects one or more pipe characters, the values that follow are shifted from one column to the next. In the example, if the value field is replaced with "9.99 | WRITE", the values are shifted as shown: Figure: Replaced value field
  • 26. Separator Injection Attack (cont'd). Shifting log columns makes the log file inconsistent and damages its integrity. The shifted columns reveal that a pipe character was injected, but even once the shift is uncovered it is difficult to identify the attacker
  • 27. Defending Separator Injection Attack. Sanitize the inputs by morphing incoming data into a different representation. URL encoding and backslash ("\") escaping can be used. In URL encoding the pipe character is encoded as a percent sign followed by the hexadecimal value of its ASCII code, so "|" becomes "%7C"; the percent sign itself must then be encoded as "%25" so the transformation can be reversed unambiguously. The log file after URL encoding is as shown: Figure: URL encoding
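The vulnerable and the hardened logger side by side for slides 21 to 27, as an added example that is not EC-Council code. It assumes a four-column pipe-delimited log (column names are constructed) and applies the URL encoding of slide 27 to CR, LF, the pipe and the percent sign; the parser then flags any row whose column count is wrong, which is the trace a separator injection leaves. The payloads are constructed after the slides' figures.

```python
"""Separator- and new-line-safe logging for a pipe-delimited log, plus a
parser that flags rows with the wrong column count. Added example covering
slides 21 to 27; not EC-Council code. Column names and the log lines are
constructed for the illustration."""
import urllib.parse

COLUMNS = ("date", "user", "action", "value")

# Characters that would be read as log structure, and their URL encodings.
# '%' is included so the encoding is unambiguous and exactly reversible.
ENCODE = {"\r": "%0D", "\n": "%0A", "|": "%7C", "%": "%25"}


def sanitize_field(value: str) -> str:
    """Morph structural characters into their %XX form (slide 27)."""
    return "".join(ENCODE.get(ch, ch) for ch in value)


def write_entry(fields, sanitize: bool = True) -> str:
    """Format one entry. sanitize=False reproduces the vulnerable logger."""
    if len(fields) != len(COLUMNS):
        raise ValueError("one value per column expected")
    cells = [sanitize_field(f) if sanitize else f for f in fields]
    return " | ".join(cells) + "\n"


def parse(logtext: str):
    """Split the log back into rows; rows whose column count is off are
    returned separately, since that is the trace a separator injection leaves."""
    rows, suspect = [], []
    for lineno, line in enumerate(logtext.splitlines(), 1):
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != len(COLUMNS):
            suspect.append((lineno, line))
            continue
        rows.append(dict(zip(COLUMNS, (urllib.parse.unquote(c) for c in cells))))
    return rows, suspect


# Constructed attacker-controlled "value" inputs, modelled on the slides
NEWLINE_PAYLOAD = "9.99\n21-05-2010 | Manager01 | DELETE | all files"
PIPE_PAYLOAD = "9.99 | WRITE"


def demo():
    """Write the same three entries with the vulnerable and the hardened
    logger and parse both; returns ((rows, suspect), (rows, suspect))."""
    entries = [
        ["21-05-2010", "Tester01", "READ", "1.00"],
        ["21-05-2010", "Tester01", "READ", NEWLINE_PAYLOAD],
        ["21-05-2010", "Tester01", "READ", PIPE_PAYLOAD],
    ]
    vulnerable = "".join(write_entry(e, sanitize=False) for e in entries)
    hardened = "".join(write_entry(e) for e in entries)
    return parse(vulnerable), parse(hardened)


if __name__ == "__main__":
    (v_rows, v_bad), (h_rows, h_bad) = demo()
    print("vulnerable logger: users seen =", [r["user"] for r in v_rows], "suspect rows =", v_bad)
    print("hardened logger:   users seen =", [r["user"] for r in h_rows], "suspect rows =", h_bad)
```

With the vulnerable logger the forged "Manager01" line parses as a genuine row and the pipe payload produces a five-column row; with the hardened logger both payloads survive verbatim inside the value column and decode back to exactly what the user typed, so nothing is lost for the investigator.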
  • 28. Timestamp Injection Attack. This attack combines new line and separator injection. The log records the action taken, who initiated it and when it occurred. Consider a stock trading system that stores all trade information in a log file as shown: Figure: Log of all trade information
  • 29. Timestamp Injection Attack (cont'd). The new line injection may look like: "AccountY[LINEBREAK] 21-05-2010 : 1002 : Trader1 has retracted sell order". The log output is as follows: Figure: New line input injection
  • 30. Timestamp Injection Attack (cont'd). The attacker must know the date and time kept by the logging component, because a forged entry only looks genuine if its timestamp lies between the timestamps of the surrounding entries; an entry that is out of chronological order stands out. If only a limited number of lines are injected, the region of uncertainty is easy to locate, but such scenarios still create doubt in a legal case
  • 31. Defending Timestamp Injection Attack. Use sequence numbering. It is similar to timestamping, but the logger assigns the number itself, so a forged line has to carry a guessed number that duplicates or skips the genuine sequence; this overcomes the predictable-entry-creation problem. The following figure illustrates that line 3 is out of sequence: Figure: Example with sequence numbering
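The sequence-number check of slide 31 over the trade log of slides 28 to 30, as an added example that is not EC-Council code. The column layout "seq | timestamp | user | event" and the log lines are constructed; the injected third line has a timestamp chosen to fit between its neighbours, so only the sequence check catches it.

```python
"""Sequence-number and timestamp audit of a trade log (slides 28 to 31).
Added example, not EC-Council code; the log lines are constructed and the
column layout 'seq | timestamp | user | event' is an assumption."""
from datetime import datetime

# Line 3 is an entry the attacker smuggled in through a new-line injection.
# Its timestamp was chosen to fall between its neighbours, so a time check
# alone passes it; its sequence number had to be guessed and repeats 2.
TRADE_LOG = """\
1 | 2010-05-21 10:01:55 | Trader1 | placed sell order 500 ACME
2 | 2010-05-21 10:02:00 | Trader2 | placed buy order for AccountY
2 | 2010-05-21 10:02:03 | Trader1 | has retracted sell order
3 | 2010-05-21 10:02:07 | Trader1 | sell order 500 ACME executed
"""


def audit(logtext: str):
    """Return a list of (lineno, reason) for entries that break the
    sequence-number chain or run backwards in time."""
    findings = []
    prev_seq = prev_ts = None
    for lineno, line in enumerate(logtext.splitlines(), 1):
        seq_s, ts_s, _user, _event = (c.strip() for c in line.split("|", 3))
        seq = int(seq_s)
        ts = datetime.strptime(ts_s, "%Y-%m-%d %H:%M:%S")
        if prev_seq is not None and seq != prev_seq + 1:
            findings.append((lineno, f"sequence {seq} follows {prev_seq}, expected {prev_seq + 1}"))
        if prev_ts is not None and ts < prev_ts:
            findings.append((lineno, f"timestamp {ts_s} is earlier than the previous entry"))
        prev_seq, prev_ts = seq, ts
    return findings


def region_of_uncertainty(findings):
    """Lines between the first and last finding (inclusive) cannot be trusted
    on ordering alone; returns (first, last) or None when the log is clean."""
    if not findings:
        return None
    lines = [n for n, _ in findings]
    return min(lines), max(lines)


if __name__ == "__main__":
    found = audit(TRADE_LOG)
    for lineno, reason in found:
        print(f"line {lineno}: {reason}")
    print("region of uncertainty:", region_of_uncertainty(found))
```

A duplicate or skipped number only proves that a line was inserted somewhere in that region, not which of the candidate lines is the forgery; that is why the slides pair sequence numbers with the integrity controls of slides 13 and 14 rather than relying on them alone.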
  • 32. Word Wrap Abuse Attack. In a word wrap abuse attack, unusual log entries are created by padding the input with white space. When the viewer wraps the long line, the padding pushes the forged text onto a new display line, which has the same effect as a new line injection attack even though no new line character was injected
  • 33. Word Wrap Abuse Attack (cont'd). Since new line removal does not help here, the attacker may use the following input: "Tester01. __________________Failed to delete all files for Manager01.________Failed to move all files for Manager01.__________Failed to remove user Manager01 for Manager01.___Failed to logon for Tester01" (the underscores stand for spaces). The log file looks like: Figure: Word wrap abuse attack
  • 34. Defending Word Wrap Abuse Attack. The solution for this type of attack is entry splitting: the log entry is split into multiple lines after a specific length and a marker is inserted to indicate that splitting has occurred. This gives generalised protection against the forms of injection that depend on long inputs going unnoticed
  • 35. Defending Word Wrap Abuse Attack (cont'd). The log file entry after splitting looks like: (figure). Here [CR] indicates that the logging software has inserted a carriage return. The disadvantage of this method is that the integrity of the entries may be compromised: a reader has to reassemble the pieces, and unless the marker text is escaped in the input an attacker can imitate a split
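Entry splitting as described on slides 34 and 35, as an added example that is not EC-Council code. The viewer width, the "[CR]" marker and the padded payload are constructed; the example goes one step beyond the slides by encoding "%" and "[" in the input first, so the marker can never occur in attacker text and the split is exactly reversible, which addresses the integrity drawback slide 35 mentions.

```python
"""Entry splitting against word wrap abuse (slides 32 to 35). Added example,
not EC-Council code; MAX_WIDTH, the marker text and the payload are constructed."""
import urllib.parse

MAX_WIDTH = 72        # assumed viewer width
MARKER = "[CR]"       # the slides' marker for "the logger inserted this break"


def split_entry(entry: str, width: int = MAX_WIDTH) -> list:
    """Split one logical entry into physical lines no longer than `width`;
    each line that continues on the next ends with MARKER. '%' and '[' in the
    input are encoded first, so the input can never contain a genuine MARKER
    and the split is exactly reversible."""
    encoded = entry.replace("%", "%25").replace("[", "%5B")
    body = width - len(MARKER)
    if len(encoded) <= width:
        return [encoded]
    chunks = [encoded[i:i + body] for i in range(0, len(encoded), body)]
    return [c + MARKER for c in chunks[:-1]] + [chunks[-1]]


def join_entries(physical_lines) -> list:
    """Reassemble logical entries from a split log file."""
    entries, current = [], ""
    for line in physical_lines:
        if line.endswith(MARKER):
            current += line[:-len(MARKER)]
        else:
            entries.append(urllib.parse.unquote(current + line))
            current = ""
    return entries


# Constructed input in the shape the slides show; the spaces pad the text so
# a wrapping viewer would show "Failed to ..." lines that look like entries
PADDED_PAYLOAD = ("Tester01." + " " * 40
                  + "Failed to delete all files for Manager01." + " " * 30
                  + "Failed to logon for Tester01")


def demo():
    """Split a padded entry and prove it reassembles to the original."""
    lines = split_entry("21-05-2010 | " + PADDED_PAYLOAD)
    return lines, join_entries(lines)


if __name__ == "__main__":
    lines, entries = demo()
    print("\n".join(lines))
    print("reassembled entries:", len(entries))
```

Every physical line produced is at most MAX_WIDTH characters, so a viewer never has to wrap it; every line except the last of an entry ends in the marker, so a reader sees at a glance that the "Failed to ..." fragments belong to one input rather than being separate events.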
  • 36. HTML Injection Attack. In this attack the attacker injects HTML tags into a log that is viewed in a browser; the tags then control how the subsequent entries are displayed. Consider an HTML log file that is potentially not secure: under normal conditions the browser displays a list of all invalid session identifiers along with a timestamp
  • 37. HTML Injection Attack (cont'd). The HTML log file looks like: Figure: HTML injection attack
  • 38. HTML Injection Attack (cont'd). Line 7 in the example shows the potentially malicious Session ID, which is under the attacker's control. The attacker can hide subsequent logging while performing other attacks by changing the Session ID to: "A345EFF345987435</td></tr></table><font color=white>". This closes the current cell, row and table and starts a region whose font colour is white, so the session IDs logged after it are displayed in white and are difficult to see against the background colour
  • 39. HTML Injection Attack (cont'd). The log file is changed to: Figure: Changed log file
  • 40. Defending HTML Injection Attack. Token removal is the solution for this kind of attack: identify the characters in attacker-supplied input that a browser would interpret and remove or encode them so they are not interpreted on display. Remove (or entity-encode as &lt; and &gt;) the '<' and '>' characters in every logged input, not only in inputs already known to be malicious, since the logger cannot tell the two apart. The secured log file is written as: Figure: Token removal
  • 41. Terminal Injection Attack. This is an attack on the log viewing interface. Terminal emulators interpret certain character sequences (ANSI escape sequences) as directives to the terminal rather than as text to display. Terminal injection can be used, for instance, against an FTP client log file on a Linux system. In the example, the attacker has installed a backdoor through a bash shell command that exposes the users' passwords
  • 42. Terminal Injection Attack (cont'd). The FTP client leaves those passwords in its log file. If the attacker knows that the administrator inspects the log with cat, which writes the file straight to the terminal, he can append ANSI escape sequences that clear the screen, so the log appears empty. The log file as the attacker intends it to be viewed: (figure)
  • 43. Defending Terminal Injection Attack. These attacks can be defended against by viewing the log with a raw viewer such as a hex editor (cat -v, which prints control characters in caret notation, serves the same purpose on the command line). A hex editor shows the file contents without any interpretation, so the escape bytes (0x1B followed by '[') that a terminal would act on become visible, as shown: Figure: Hex output of a terminal injection attack
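The token removal of slide 40 and the raw view of slide 43 in one place, as an added example that is not EC-Council code: one neutralising function entity-encodes the characters a browser would interpret and rewrites control characters in caret notation the way cat -v does, a detector lists the ANSI sequences a terminal would obey, and a hexdump shows the bytes uninterpreted. The session-ID payloads are constructed after the slides.

```python
"""Neutralising HTML and terminal control sequences in logged input, plus
a raw hex view (slides 36 to 43). Added example, not EC-Council code; the
session-ID payloads are constructed."""
import html
import re

# ANSI CSI sequences: ESC '[' parameters, optional intermediates, final byte
CSI_RE = re.compile(r"\x1b\[[0-9;?]*[ -/]*[@-~]")
# C0 control characters and DEL, except tab and newline (kept readable)
CONTROL_RE = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]")


def find_escapes(text: str) -> list:
    """Detection: every escape sequence a terminal would obey."""
    return CSI_RE.findall(text)


def neutralize(text: str) -> str:
    """Token removal for the browser (entity-encode < > & " ') and caret
    notation for the terminal (ESC becomes ^[, as cat -v prints it), so the
    bytes stay visible in the log but no viewer interprets them."""
    text = html.escape(text, quote=True)
    return CONTROL_RE.sub(lambda m: "^" + chr(ord(m.group()) ^ 0x40), text)


def html_row(timestamp: str, session_id: str) -> str:
    """One row of the invalid-session-ID table the slides describe."""
    return f"<tr><td>{html.escape(timestamp)}</td><td>{neutralize(session_id)}</td></tr>"


def hexdump(data: bytes, width: int = 16) -> list:
    """Hex-editor style view: offset, bytes, printable ASCII, nothing interpreted."""
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 0x20 <= b < 0x7f else "." for b in chunk)
        rows.append(f"{off:08x}  {hexpart:<{width * 3 - 1}}  {asc}")
    return rows


# Constructed payloads modelled on the slides
HTML_PAYLOAD = "A345EFF345987435</td></tr></table><font color=white>"
TERM_PAYLOAD = "\x1b[2J\x1b[H" + "A345EFF345987435"   # clear screen, cursor home


if __name__ == "__main__":
    print(html_row("21-05-2010 10:02", HTML_PAYLOAD))
    print(find_escapes(TERM_PAYLOAD), neutralize(TERM_PAYLOAD))
    print("\n".join(hexdump(TERM_PAYLOAD.encode())))
```

Encoding at write time is the defence; the detector and the hexdump are for the investigator who inherits a log that was written without it. The hexdump's first row starts "1b 5b 32 4a", which is exactly the ESC [ 2 J clear-screen sequence slide 42 describes, and it would be invisible in a terminal.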
  • 44. Other Kinds of Log File Attacks. Other forms of attack to be aware of before developing a logging system:
    - Buffer Overflows: overly long entries can overflow fixed-size buffers in the logging code, corrupting records and damaging log file integrity
    - Format Strings: common in Unix-based logging systems that pass attacker-controlled text as the format argument of printf- or syslog-style calls, and dangerous in unproven components
    - SQL Injection: a threat when log data is stored in a relational database and the insert statements are built from unsanitised user data
  • 45. Other Kinds of Log File Attacks (cont'd).
    - Directory Traversal: attackers may use special characters (such as "../") to navigate to unauthorised directories or drives and overwrite important files
    - XML Attacks: XML stores many kinds of information, including log data; external and internal entity references and excessive recursion in XML can change the behaviour of log writing and reading
    - Denial of Service: flooding the log with entries fills individual logs and storage to capacity and buries the real entries in "noise", making them difficult to identify
  • 46. Summary.
    - Logs can be collected centrally with syslog, but the resulting files are large and the entries need to be filtered
    - Postmortem examination of logs investigates something that has already happened
    - By combining logs from several devices, you strengthen the value of each
    - Investigate the logs for the different log injection attacks