Network security tools (and their role in forensic investigations)
The effectiveness of network forensics is closely related to the network security tools used in an organization. We have covered common enterprise security solutions such as firewalls, intrusion detection/prevention systems, web proxies in a separate article.
This article provides an overview of specific tools (available for free) used by security professionals that can play an important role in forensic investigations.
Learn Network Forensics
Aircrack-ng
According to the official website, “Aircrack-ng is a complete suite of tools to assess WiFi network security. It focuses on different areas of WiFi security such as monitoring, attacking, testing and cracking.”
All tools that are part of the aircrack-ng suite can be run from the command line. This will help users and developers to script and develop tools by taking advantage of the ability to run these tools from the command line. Aircrack-ng suite of tools are primarily used by security professionals during security assessments. However, the same tools and techniques can also be used to investigate wireless networks. For instance, if we want to identify the rogue access points available within the range, we can use airmon-ng to identify details such as SSID, mac address, the channel it is running on.
Wireshark
Wireshark is an open-source tool available for capturing and analyzing traffic with support for applying filters using the graphical user interface. On the system, where Wireshark is running, one can choose the interface on which traffic needs to be captured. The filters available in Wireshark make it easy to perform both troubleshooting as well as investigations.
Wireshark is more of a traffic capturing and analysis tool than an offensive network security tool, and it can greatly help during network forensic investigations.
tcpdump
Tcpdump is a popular command line tool available for capturing and analyzing network traffic primarily on Unix based systems. Using tcpdump, we can capture the traffic and store the results in a file that is compatible with tools like Wireshark for further analysis. Tcpdump can either be used to do a quick packet capture for troubleshooting or for capturing traffic continuously in large volumes for future analysis.
It is worth noting that tcpdump can be used to capture both layer 2 and layer 3 data. The latter may cause disk space problems as the size of the resulting capture file can grow depending on the volume of the network traffic. In addition to the ability to capture large amounts of traffic, tcpdump also supports the use of filters to avoid capturing unnecessary traffic or to capture only the traffic we are interested in. One should be extra cautious with this feature, as applying filters can lead to missing potential evidence. So, it is recommended to capture as much traffic as possible and filter out the unnecessary traffic during analysis later.
Snort
Snort is an enterprise-grade open-source intrusion detection system. It can perform protocol analysis, content searching/matching and detection of various network security attacks such as buffer overflow, stealth port scanner, CGI attacks and OS fingerprinting attempts to name a few.
Snort’s ease of configuration, rules’ flexibility and raw packet analysis make it a powerful intrusion detection and prevention system. Snort is highly configurable, which allows the users to add custom plugins called preprocessors. In addition, it comes with a great set of output options.
At its core, Snort provides alerts based on rulesets provided to it. The Snort administrator needs to feed the rules as the default installation doesn't come with any rules. However, the Snort website provides rulesets that can be fed into Snort. In addition to these rules, one can write custom alert rules. Snort can play a crucial role in network forensic investigations as it can contain a wide variety of logs depending on the rules configured.
Learn Network Forensics
Offensive security tools
There are several offensive network security tools commonly used by security professionals. NMAP, Metasploit, OWASP ZAP are some of the most commonly used freely available tools. While these tools may not be directly helpful for forensic investigators, organizations often see attacks initiated by script kiddies, in which case having knowledge of these tools can help deriving some quick conclusions.
For example, there was an SQL injection alert on a banking application and the application’s access logs were provided for forensic investigation. While investigating these access logs, it was observed that there are several GET parameters with SQL injection payloads. Some of them are specific to a commercial web vulnerability scanner. After further analysis, it was confirmed that there was no attack on the application and it was only a scan triggered by someone in a hope that he may find a vulnerability in the web application.
For this reason, it is good to know some of the popular offensive security tools at a minimum.
Nmap
Nmap is probably the most commonly used tool, especially during network security assessments. Nmap is often used to identify open ports, but it can also be used to perform vulnerability assessment to certain extent using the support for NSE scripts.
In most cases, nmap is noisy, especially when scans are performed in large volumes. When malicious actors perform scans against a target network, they try to take stealth approaches.
Metasploit
Metasploit is an exploitation framework often used in penetration testing. It comes with several different modules and it consists of many popular exploits that can be used to exploit vulnerabilities in operating systems, web applications and other services accessible over the network. While Metasploit is an exploitation tool at its core, it contains modules such as auxiliaries to aid in tasks such as port scanning.
In addition to the network-level attacks that can be performed using Metasploit, malicious payloads for local attacks can also be generated.
OWASP ZAP
OWASP ZAP is a web vulnerability scanner. It is probably the most popular freely available vulnerability scanner for web applications. As mentioned in an earlier example, offensive security tools may not directly help in investigations, but knowledge of these tools can help deriving some conclusions when these tools are used by malicious actors.
ZAP or any other automated web vulnerability scanner when used against web applications will leave some traces on the target. More sophisticated targeted attacks performed by skilled attackers may not be done by using these tools, but having knowledge of these tools is always an advantage.
Kali Linux
Kali Linux is a distribution built specifically for security professionals. It comes with several tools that can be used both for offensive and defensive purposes. It also comes with several tools under the forensics section of the tool menu.
The majority of offensive tools mentioned earlier in the list come preinstalled with Kali Linux.
Learn Network Forensics
Sources
Network Forensics, Ric Messier
Internet Forensics: Using Digital Evidence to Solve Computer Crime, Robert Jones
Network Forensics: Tracking Hackers through Cyberspace, Sherri Davidoff