COEN 252: Computer Forensics Router Investigation


Page 1: COEN 252: Computer Forensics, Router Investigation

Page 2: Significance of Routers

- Routers are targets of attacks, especially denial of service (DoS), and they serve as stepping stones for attacks on other hosts.
- Routers store passwords, routing tables and network block (address allocation) information, all of which are valuable both to an attacker and to an investigator.
- Routers are also tools for investigation: their logs and ACL counters record what traffic crossed the network.

Page 3: Characteristics of Routers

- Routers have little storage. Most information comes from logs or is volatile.
- Non-volatile RAM (NVRAM) holds the saved configuration file (the startup configuration).
- Normal RAM holds the running state: the current routing tables, the listening services and the current passwords of the running configuration, which may differ from what is saved in NVRAM.
- A forensic examination must capture this volatile data before the router is rebooted or powered off.

Page 4: Gather Volatile Router Data

- Connect to the console port. You need the console cable and a laptop with terminal-emulation software. Use the console rather than a network login (telnet) so that the examination itself adds no traffic and does not depend on a possibly compromised network path, and log the entire session.
- Do not reboot the router: a reboot discards everything held in RAM.
- Gather the volatile data in order of volatility:
  - Record the system time, together with the examiner's own clock, so that log entries can be correlated later.
  - Determine who is logged on, and from where.

Page 5: Gather Volatile Router Data (continued)

- Determine the uptime and the other data the router reports about the period since the last boot (software image, reason for the last reload). A recent, unexplained reload is itself suspicious.
- Determine the listening sockets. Routers run a few services, such as telnet, that are themselves vulnerabilities; listing the listening sockets shows every service currently reachable and therefore potentially exploitable. For example, port 80 (HTTP) is often used for router administration, and port 80 is not normally blocked by a firewall, so the administrative interface may be reachable from outside.

Page 6: Gather Volatile Router Data (continued)

- Save the router configuration: both the running configuration in RAM and the startup configuration in NVRAM. Any difference between the two is evidence.
- Review the routing table. This detects malicious static routes and other tampering. The table can be modified by an attacker directly at the router, or remotely by Routing Information Protocol (RIP) spoofing, because RIP updates need not be authenticated.
- Check the interface configuration: addresses, status, and any ACLs applied to each interface.

Page 7: Gather Volatile Router Data (continued)

- View the ARP cache. Two IP addresses mapped to the same MAC address, or an IP address whose MAC address differs from the documented one, is evidence of IP or MAC spoofing.
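The collection procedure on pages 4 to 7, as an added example script that is not part of the original slides. It assumes the console is reachable through a callable that sends one command and returns its output (in practice a thin wrapper around a serial library such as pyserial talking to the console cable); the scripted_console and its canned outputs are constructed stand-ins so the script runs offline. The command list is standard Cisco IOS; other platforms use different names.

```python
"""Collect volatile router state over the console, most volatile first.

Added example (not from the slides). The console transport is abstracted as a
callable taking a command and returning its output; wrap your serial library
to provide it. Command names are standard Cisco IOS "show" commands.
"""
import datetime
import hashlib
import json
from typing import Callable, Dict, List

# Order of volatility: clock and logged-in users change by the second, routing
# table and ARP cache change as traffic flows, configurations change last.
VOLATILE_COMMANDS: List[str] = [
    "terminal length 0",        # disable paging so output is not truncated
    "show clock detail",        # router's idea of the time, compare to examiner clock
    "show users",               # who is logged on, and from where
    "show version",             # uptime, reload reason, image, config register
    "show ip sockets",          # listening UDP/TCP sockets (older images; newer: show udp / show tcp brief all)
    "show tcp brief all",
    "show ip route",            # routing table: static (S) and protocol-learned routes
    "show ip interface brief",  # interface addresses and status
    "show ip arp",              # ARP cache, evidence of IP/MAC spoofing
    "show running-config",      # live configuration in RAM
    "show startup-config",      # saved configuration in NVRAM, diff against running
    "show logging",             # buffered log, lost on reboot
]

Console = Callable[[str], str]


def collect_volatile(console: Console, commands: List[str] = VOLATILE_COMMANDS) -> List[Dict[str, str]]:
    """Run each command, recording examiner time and a SHA-256 of the raw output."""
    records = []
    for cmd in commands:
        taken_at = datetime.datetime.now(datetime.timezone.utc).isoformat()
        output = console(cmd)
        records.append({
            "command": cmd,
            "examiner_time_utc": taken_at,
            "output": output,
            "sha256": hashlib.sha256(output.encode()).hexdigest(),
        })
    return records


def evidence_digest(records: List[Dict[str, str]]) -> str:
    """One hash over all per-command hashes, in order: the value to write in the notes."""
    h = hashlib.sha256()
    for r in records:
        h.update(r["sha256"].encode())
    return h.hexdigest()


def save_evidence(records: List[Dict[str, str]], path: str) -> str:
    """Write the records as JSON and return the overall digest."""
    with open(path, "w") as f:
        json.dump(records, f, indent=2)
    return evidence_digest(records)


# Constructed stand-in for the console so the script runs without hardware.
CANNED_OUTPUT = {
    "show clock detail": "*14:02:11.903 UTC Tue Mar 4 2003\nTime source is user configuration\n",
    "show users": "    Line       User       Host(s)      Idle       Location\n"
                  "*  0 con 0                idle         00:00:00\n"
                  "   66 vty 0   admin     idle         00:12:41 10.0.5.23\n",
    "show ip route": "S    192.168.9.0/24 [1/0] via 10.0.5.23\n",
}


def scripted_console(cmd: str) -> str:
    """Returns canned output (constructed for this example) instead of talking to a router."""
    return CANNED_OUTPUT.get(cmd, "")


if __name__ == "__main__":
    recs = collect_volatile(scripted_console)
    for r in recs:
        print(f"{r['examiner_time_utc']}  {r['command']:<26} sha256={r['sha256'][:16]}...")
    print("evidence digest:", evidence_digest(recs))
```

The per-command hash lets you show later that the captured output was not altered, and the examiner timestamp next to the router's own "show clock" output documents any clock skew before log entries are compared with other systems.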

Page 8: Incident Investigation

Four classes of router incidents are considered:
- direct compromise
- routing table manipulation
- theft of information
- denial of service

Page 9: Incident Investigation: Direct Compromise

- Physical security: anyone with physical access to the console can take over the router.
- Modem access: a modem attached to the router (typically on the auxiliary port) gives a dial-in path that bypasses the network perimeter.
- Listening services: each listening service is a potential attack point, so investigate a compromise by examining the services that were listening at the time.

Page 10: Incident Investigation: Direct Compromise (continued)

Passwords can be obtained by:
- password cracking (guessing, or offline attacks on hashes taken from a configuration file);
- stealing them from configuration files;
- sniffing them from the network: SNMP (community strings), telnet, HTTP and TFTP all carry credentials and configurations in cleartext.

Console access: with console access an attacker can reboot the router and use the password-recovery procedure to obtain privileged access without knowing any password.

Page 11: Incident Investigation: Direct Compromise (continued)

- Modem: the last user did not log off, so the dial-in session is still open and whoever dials in next inherits it.
- TFTP: used to store and reload configuration files. It runs over UDP with no authentication and no access control. An attacker scans the network for a router and a TFTP server, guesses the configuration file name (the default naming convention, <hostname>-confg, makes this easy), and retrieves the file via TFTP. The file contains all the passwords needed to access the router.
- Alternatively, the attacker uploads a modified configuration file to the TFTP server and waits for the router to reload its configuration from the network.
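The TFTP read exchange described above, as an added example that is not part of the original slides. The packet formats are the real RFC 1350 ones; the server is a constructed in-memory stand-in, and the configuration file, host name and addresses are made up. The point it demonstrates is that a read request carries nothing but an opcode and a file name, so whoever can guess the name gets the file.

```python
"""TFTP (RFC 1350) read exchange, packed and parsed byte by byte.

Added example, not from the slides. The server here is a constructed in-memory
stand-in; the packet formats are the real RFC 1350 ones.
"""
import struct
from typing import Dict, List, Optional, Tuple

OP_RRQ, OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 2, 3, 4, 5
BLOCK_SIZE = 512


def build_rrq(filename: str, mode: str = "octet") -> bytes:
    """Client -> server: opcode 1, file name, NUL, mode, NUL. That is the whole request."""
    return struct.pack("!H", OP_RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_ack(block: int) -> bytes:
    return struct.pack("!HH", OP_ACK, block)


def parse_packet(pkt: bytes) -> Dict[str, object]:
    """Decode a TFTP packet into its opcode-specific fields."""
    (op,) = struct.unpack("!H", pkt[:2])
    if op in (OP_RRQ, OP_WRQ):
        filename, mode, _ = pkt[2:].split(b"\0", 2)
        return {"op": op, "filename": filename.decode(), "mode": mode.decode()}
    if op in (OP_DATA, OP_ACK):
        (block,) = struct.unpack("!H", pkt[2:4])
        return {"op": op, "block": block, "data": pkt[4:]}
    if op == OP_ERROR:
        (code,) = struct.unpack("!H", pkt[2:4])
        return {"op": op, "code": code, "message": pkt[4:].split(b"\0", 1)[0].decode()}
    raise ValueError(f"unknown TFTP opcode {op}")


class FakeTftpServer:
    """Constructed stand-in: serves a dict of files and, like real TFTP, checks nothing."""

    def __init__(self, files: Dict[str, bytes]):
        self.files, self.current = files, None

    def handle(self, pkt: bytes) -> bytes:
        req = parse_packet(pkt)
        if req["op"] == OP_RRQ:
            if req["filename"] not in self.files:
                return struct.pack("!HH", OP_ERROR, 1) + b"File not found\0"
            self.current = req["filename"]
            return self._data(1)
        if req["op"] == OP_ACK and self.current is not None:
            return self._data(req["block"] + 1)
        return struct.pack("!HH", OP_ERROR, 4) + b"Illegal TFTP operation\0"

    def _data(self, block: int) -> bytes:
        chunk = self.files[self.current][(block - 1) * BLOCK_SIZE: block * BLOCK_SIZE]
        return struct.pack("!HH", OP_DATA, block) + chunk


def fetch(server: FakeTftpServer, filename: str) -> Tuple[bool, bytes]:
    """RRQ, then DATA/ACK in lockstep until a block shorter than 512 bytes ends the file."""
    resp, data = parse_packet(server.handle(build_rrq(filename))), b""
    while resp["op"] == OP_DATA:
        data += resp["data"]
        if len(resp["data"]) < BLOCK_SIZE:
            return True, data
        resp = parse_packet(server.handle(build_ack(resp["block"])))
    return False, resp["message"].encode()


def find_config(server: FakeTftpServer, hostname: str) -> Optional[Tuple[str, bytes]]:
    """Try the default Cisco names ("<hostname>-confg", "network-confg") and common variants."""
    for name in (f"{hostname}-confg", "network-confg", f"{hostname}.cfg", "router-confg"):
        ok, payload = fetch(server, name)
        if ok:
            return name, payload
    return None


def credential_lines(config: bytes) -> List[str]:
    """Lines of an IOS-style configuration that carry passwords or SNMP community strings."""
    return [ln for ln in config.decode().splitlines()
            if any(k in ln for k in ("password", "secret", "community"))]


# Constructed sample files: a small IOS-style configuration and a multi-block binary.
CONSTRUCTED_CONFIG = b"""!
hostname edge1
enable secret 5 $1$abcd$EXAMPLEHASHxxxxxxxxxxx
snmp-server community public RO
line vty 0 4
 password 7 0822455D0A16
!
"""
SAMPLE_FILES = {"edge1-confg": CONSTRUCTED_CONFIG, "big.bin": bytes(range(256)) * 5}

if __name__ == "__main__":
    srv = FakeTftpServer(SAMPLE_FILES)
    hit = find_config(srv, "edge1")
    print("retrieved", hit[0], "->", credential_lines(hit[1]))
    print("unknown host:", find_config(srv, "core9"))
```

Note that the only thing between the attacker and the file is the name; an investigator reviewing a TFTP server's logs should therefore treat a burst of "file not found" errors for configuration-like names as evidence of exactly this guessing.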

Page 12: Incident Investigation: Routing Table Manipulation

Routers use a variety of protocols to update their routing tables:
- Routing Information Protocol (RIP)
- Open Shortest Path First (OSPF)
- Enhanced Interior Gateway Routing Protocol (EIGRP)
- Interior Gateway Routing Protocol (IGRP)

Some have no authentication! RIPv1 and IGRP have none at all; RIPv2, OSPF and EIGRP support authentication of updates, but it is optional and frequently left unconfigured, so any host on the segment can inject routes.

Page 13: Incident Investigation: Routing Table Manipulation (continued)

Review the routing table with "show ip route" and compare it against the documented topology. Unexpected static routes, routes learned from an unknown neighbor, and more specific prefixes that divert part of a known network to a different next hop are all indicators.

For recovery:
- Remove the malicious static routing entries.
- Reboot the router, after the volatile data has been collected, so that the routing table is rebuilt from the saved configuration and legitimate updates.
- Switch to authenticated routing updates. (Easier said than done: every neighbor must be reconfigured with the shared key at the same time.)
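The routing-table review of pages 6 and 13, as an added example that is not part of the original slides. It parses "show ip route" output in the Cisco IOS format and flags the three indicators named above. The sample output is constructed; the set of trusted next hops and the list of protected prefixes are assumptions an examiner would take from the network documentation.

```python
"""Parse Cisco IOS "show ip route" output and flag routes that need explaining.

Added example, not from the slides. Handles both the per-line "/24" form and
the classful "x.x.x.x/24 is subnetted" summary form of older IOS output.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Set

ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]\*?(?: [A-Z][A-Z0-9]?)?)\s+"
    r"(?P<net>\d+\.\d+\.\d+\.\d+)(?:/(?P<plen>\d+))?\s+(?P<rest>.*)$"
)
SUBNETTED_RE = re.compile(r"^\s+\d+\.\d+\.\d+\.\d+/(?P<plen>\d+) is (?:variably )?subnetted")
VIA_RE = re.compile(r"via (?P<hop>\d+\.\d+\.\d+\.\d+)")
CONNECTED_RE = re.compile(r"is directly connected, (?P<iface>\S+)")


@dataclass
class Route:
    code: str                        # S static, C connected, R RIP, O OSPF, D EIGRP, ...
    network: ipaddress.IPv4Network
    next_hop: Optional[str]
    interface: Optional[str]


def parse_show_ip_route(text: str) -> List[Route]:
    routes, default_plen = [], None
    for line in text.splitlines():
        m = SUBNETTED_RE.match(line)
        if m:                                   # classful summary: mask applies to the lines below it
            default_plen = int(m.group("plen"))
            continue
        m = ROUTE_RE.match(line)
        if not m:
            continue                            # legend, gateway-of-last-resort, blank lines
        plen = m.group("plen") or default_plen
        if plen is None:
            continue
        net = ipaddress.ip_network(f"{m.group('net')}/{plen}", strict=False)
        hop = VIA_RE.search(m.group("rest"))
        conn = CONNECTED_RE.search(m.group("rest"))
        routes.append(Route(m.group("code").rstrip("*"), net,
                            hop.group("hop") if hop else None,
                            conn.group("iface") if conn else None))
    return routes


def suspicious_routes(routes: List[Route], trusted_next_hops: Set[str],
                      protected: List[ipaddress.IPv4Network]) -> List[str]:
    """Routes via unknown next hops, and more-specific routes carved out of protected prefixes."""
    findings = []
    for r in routes:
        if r.next_hop and r.next_hop not in trusted_next_hops:
            what = "static route" if r.code == "S" else f"{r.code}-learned route"
            findings.append(f"{r.network}: {what} via unknown next hop {r.next_hop}")
        for p in protected:
            if r.code != "C" and r.network != p and r.network.subnet_of(p):
                findings.append(f"{r.network}: more-specific route inside protected {p} (longest match wins)")
    return findings


# Constructed "show ip route" output. Two entries are the kind an attacker plants:
# a RIP-learned /25 that steals half of 172.16.5.0/24, and a static route via an unknown hop.
SAMPLE = """Codes: C - connected, S - static, R - RIP, O - OSPF, D - EIGRP
       * - candidate default

Gateway of last resort is 10.0.0.1 to network 0.0.0.0

S*   0.0.0.0/0 [1/0] via 10.0.0.1
     10.0.0.0/24 is subnetted, 2 subnets
C       10.0.0.0 is directly connected, FastEthernet0/0
C       10.0.1.0 is directly connected, FastEthernet0/1
R    172.16.5.0/24 [120/1] via 10.0.1.2, 00:00:12, FastEthernet0/1
R    172.16.5.128/25 [120/1] via 10.0.1.200, 00:00:03, FastEthernet0/1
S    192.168.9.0/24 [1/0] via 10.0.1.66
"""
TRUSTED_HOPS = {"10.0.0.1", "10.0.1.2"}                    # assumed from network documentation
PROTECTED = [ipaddress.ip_network("172.16.5.0/24")]        # assumed: the server network

if __name__ == "__main__":
    for finding in suspicious_routes(parse_show_ip_route(SAMPLE), TRUSTED_HOPS, PROTECTED):
        print(finding)
```

Run against real output, the static-route findings point at what the attacker typed on the router; the RIP-learned findings point at a host on the segment sending unauthenticated updates, which is where the ARP cache and interface counters collected earlier come in.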

Page 14: Incident Investigation: Theft of Information

Routers contain the network topology (routing tables, interface addresses) and the access control policy (ACLs), along with passwords and SNMP community strings. A copied configuration therefore tells an attacker how the network is laid out and how to get further into it.

For recovery:
- Change all passwords, including SNMP community strings and any routing-protocol keys.
- Avoid password reuse: a password taken from the router must not be valid anywhere else.

Page 15: Incident Investigation: Denial of Service

- Destruction: the attacker destroys the router's capability to function, for example by erasing or corrupting its configuration or crashing it.
- Resource consumption: the attack consumes CPU, memory or connection state and reduces the functionality of the router.
- Bandwidth consumption: the attack overwhelms the network bandwidth so that legitimate traffic cannot get through.

Page 16: Incident Investigation: Denial of Service (continued)

Recovery:
- Eliminate unnecessary listening services.
- Upgrade the software to a version without the exploited flaw.
- Restrict access to the remaining services, for example with ACLs.
- Require authentication for management access and for routing updates.

Page 17: Router Authentication

Routers use Access Control Lists (ACLs) to restrict traffic based on packet attributes:
- protocol
- source / destination IP address
- port
- TCP flags (for example, only packets belonging to established connections)
- ICMP message type
- time of day

An ACL is evaluated top to bottom and the first matching entry decides; traffic that matches no entry is dropped by the implicit deny at the end. ACLs filter packets but do not authenticate users, so they complement the password and key changes above rather than replace them.

Page 18: Routers as Monitors

- Routers can log traffic that matches an ACL entry (the "log" keyword on the entry).
- Logs are stored at a remote site (a syslog server), so that an attacker who compromises the router cannot erase them and they survive a reboot.
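Detection logic over ACL log messages of the kind described above, as an added example that is not part of the original slides. The log lines are constructed in the %SEC-6-IPACCESSLOG* format that Cisco IOS emits for ACL entries carrying the "log" keyword, prefixed the way a syslog server records them; the host name and addresses are made up.

```python
"""Summarise Cisco IOS ACL log messages collected on a remote syslog server.

Added example, not from the slides. Parses the IPACCESSLOGP (tcp/udp with
ports), IPACCESSLOGDP (icmp with type/code) and IPACCESSLOGNP (other
protocols) message variants.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional

ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>P|DP|NP): list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\S+) (?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?, (?P<count>\d+) packets?"
)


def parse_acl_log(line: str) -> Optional[Dict[str, object]]:
    """Fields of one ACL log message, or None if the line is some other message."""
    m = ACL_LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "acl": d["acl"], "action": d["action"], "proto": d["proto"],
        "src": d["src"], "dst": d["dst"],
        "sport": int(d["sport"]) if d["sport"] else None,
        "dport": int(d["dport"]) if d["dport"] else None,
        "icmp": (int(d["itype"]), int(d["icode"])) if d["itype"] else None,
        # IOS logs the first packet at once, then a summary count every few minutes,
        # so this is the number of packets the message stands for, not always 1.
        "count": int(d["count"]),
    }


def denied_packets_by_source(lines: List[str]) -> Counter:
    """Total denied packets per source address, summing the batched counts."""
    totals: Counter = Counter()
    for line in lines:
        rec = parse_acl_log(line)
        if rec and rec["action"] == "denied":
            totals[rec["src"]] += rec["count"]
    return totals


def ports_targeted(lines: List[str], src: str) -> Dict[str, set]:
    """Destination ports and ICMP (type, code) pairs one source hit, keyed by protocol."""
    seen: Dict[str, set] = defaultdict(set)
    for line in lines:
        rec = parse_acl_log(line)
        if not rec or rec["src"] != src:
            continue
        if rec["dport"] is not None:
            seen[rec["proto"]].add(rec["dport"])
        elif rec["icmp"] is not None:
            seen["icmp"].add(rec["icmp"])
    return dict(seen)


# Constructed syslog lines: one outside host probing the router's telnet port, pinging it,
# and sending GRE; one legitimate SSH login; one unrelated configuration-change message.
SAMPLE_LOG = [
    "Mar  4 14:02:33 edge1 118: Mar  4 14:02:33.111 UTC: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.5.23(4432) -> 10.0.1.1(23), 1 packet",
    "Mar  4 14:07:33 edge1 119: Mar  4 14:07:33.118 UTC: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.5.23(4433) -> 10.0.1.1(23), 37 packets",
    "Mar  4 14:07:40 edge1 120: Mar  4 14:07:40.002 UTC: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 10.0.5.23 -> 10.0.1.1 (8/0), 12 packets",
    "Mar  4 14:08:01 edge1 121: Mar  4 14:08:01.500 UTC: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.0.1.50(51002) -> 10.0.1.1(22), 1 packet",
    "Mar  4 14:08:05 edge1 122: Mar  4 14:08:05.009 UTC: %SEC-6-IPACCESSLOGNP: list 101 denied 47 10.0.5.23 -> 10.0.1.1, 1 packet",
    "Mar  4 14:08:09 edge1 123: Mar  4 14:08:09.000 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.5.23)",
]

if __name__ == "__main__":
    for src, n in denied_packets_by_source(SAMPLE_LOG).most_common():
        print(f"{src}: {n} denied packets, targeted {ports_targeted(SAMPLE_LOG, src)}")
```

Because the router batches log messages, the counts in later messages are totals for an interval, not individual packets; sum them as above rather than counting lines. The last sample line is not an ACL message, but a configuration change from the same address that the ACL was denying is exactly the kind of correlation a remote syslog server makes possible.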