Cisco router and switch forensics : investigating and analyzing malicious network activity /

Subtitle: none

Author: Dale Liu, lead author and technical editor; James Burton ... [et al.].

Classification number: (none)

ISBN:9781597494182


Summary

  Cisco IOS, the software that runs most Cisco routers and switches, is the dominant routing platform on the Internet and in corporate networks. That ubiquity, together with architectural weaknesses in the platform, makes it an attractive target for attackers going after a corporate or private network infrastructure. A compromised device can disrupt network stability, introduce malicious configuration changes, and expose every communication that crosses it. Securing the network and investigating attacks against it therefore requires in-depth analysis and diagnostics, yet no other book covers forensic analysis of Cisco network devices in any detail.

  Cisco Router and Switch Forensics is the first book devoted to criminal attacks, incident response, data collection, and legal testimony for the market leader in network devices: routers, switches, and wireless access points.

  Why focus on network devices? Because criminals target networks, and network devices demand a fundamentally different approach from traditional computer forensics. By compromising a router, an attacker can bypass the network's firewalls, launch a denial of service (DoS) attack to take the network down, monitor and record all inbound and outbound traffic, or redirect that traffic anywhere they like. Capturing this activity cannot be done with the tools and techniques of traditional forensics. Conventional forensics of a computer or other storage media typically means shutting the machine down immediately, creating a duplicate image, and analyzing the static data; that process recovers almost no live system data. When an investigation centers on live network activity, the traditional approach fails outright: the routing table, ARP cache, active sessions, running configuration and log buffer of a router or switch live in volatile memory and are destroyed when the device is powered down, so investigators must capture them from the running device.

In this situation, following the traditional approach described in general computer forensics books is not just insufficient but actively harmful to the investigation.

Jargon buster: A network switch is a hardware device that joins multiple computers together within one local area network (LAN). A router is a more sophisticated network device that joins multiple wired or wireless networks together.

* The only book devoted to forensic analysis of routers and switches, focusing on the operating system that runs the vast majority of network devices in the enterprise and on the Internet
* Outlines the fundamental differences between router forensics and traditional forensics, a critical distinction for responders in an investigation targeting network activity
* Details where network forensics fits within the entire process of an investigation, end to end, from incident response and data collection to preparing a report and legal testimony
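The live-collection approach the summary argues for, shown as an added example rather than code from the book: a small Python collector that sequences the read-only show commands the book's chapter on volatile router data lists (show clock detail, show version, show running-config, show ip route, show arp, show users, show tcp, show logging), captures the device clock first and last, hashes each output as it is taken, refuses anything that would change device state, and flags running-config lines that were never written to startup-config. The transport (`run(cmd) -> str`), the `FakeConsole` class and all of its canned output are assumptions constructed for this example so it runs offline; a real session would wrap the console or serial connection the book describes.

```python
"""Live (volatile) data collection from a Cisco IOS device, sequenced the way
a responder would run it. Added example, not code from the book. Assumes a
transport callable run(cmd) -> str wrapping an already-authenticated console
session; FakeConsole below stands in for a real device with constructed
output so the script runs offline."""
import datetime
import difflib
import hashlib

# Order matters: the device clock is captured first and last so every artifact
# can be bracketed against the examiner's reference time. Only read-only
# commands appear here; nothing writes NVRAM, clears counters or reloads.
VOLATILE_COMMANDS = [
    "show clock detail",
    "show version",
    "show running-config",
    "show startup-config",
    "show ip route",
    "show arp",
    "show users",
    "show tcp brief all",
    "show logging",
    "show clock detail",
]


def is_read_only(cmd: str) -> bool:
    """Allow only 'show ...' and the session-local 'terminal length 0'."""
    words = cmd.strip().lower().split()
    return bool(words) and (words[0] == "show" or words == ["terminal", "length", "0"])


def collect(run, commands=VOLATILE_COMMANDS, clock=None):
    """Send each command through `run`, hashing output as it is captured.

    Returns evidence records (command, examiner UTC time, SHA-256, size, raw
    output) ready for a chain-of-custody manifest. Refuses, before sending
    anything, a command list that contains a state-changing command.
    """
    clock = clock or (lambda: datetime.datetime.now(datetime.timezone.utc))
    bad = [c for c in commands if not is_read_only(c)]
    if bad:
        raise ValueError(f"refusing state-changing command(s): {bad}")
    run("terminal length 0")  # disable --More-- paging; affects this session only
    records = []
    for cmd in commands:
        taken = clock().isoformat()
        out = run(cmd)
        records.append({
            "command": cmd,
            "examiner_time_utc": taken,
            "sha256": hashlib.sha256(out.encode()).hexdigest(),
            "bytes": len(out.encode()),
            "output": out,
        })
    return records


def unsaved_changes(records):
    """Lines present in running-config but absent from startup-config.

    Configuration that was never written to NVRAM is a classic sign of live
    tampering on a router: it would vanish on reload or power-off, which is
    exactly why the device must not be shut down before collection.
    """
    by_cmd = {r["command"]: r["output"] for r in records}
    running = by_cmd.get("show running-config", "").splitlines()
    startup = by_cmd.get("show startup-config", "").splitlines()
    return [line[2:] for line in difflib.ndiff(startup, running) if line.startswith("+ ")]


class FakeConsole:
    """Constructed stand-in for a console session (not real device output).
    Repeated commands return successive canned replies, and every command
    sent is logged, as a responder's terminal capture would record it."""

    REPLIES = {
        "terminal length 0": [""],
        "show clock detail": [
            "*10:15:02.123 UTC Tue Mar 3 2009\nTime source is NTP\n",
            "*10:17:41.551 UTC Tue Mar 3 2009\nTime source is NTP\n",
        ],
        "show version": ["Cisco IOS Software, Version 12.4(15)T\n"
                         "edge-rtr uptime is 3 days, 2 hours, 14 minutes\n"],
        "show running-config": [
            "hostname edge-rtr\n!\nip route 0.0.0.0 0.0.0.0 203.0.113.1\n"
            "ip route 198.51.100.0 255.255.255.0 192.0.2.99\n!\n"
            "line vty 0 4\n transport input telnet ssh\n"],
        "show startup-config": [
            "hostname edge-rtr\n!\nip route 0.0.0.0 0.0.0.0 203.0.113.1\n!\n"
            "line vty 0 4\n transport input ssh\n"],
    }

    def __init__(self):
        self.sent = []
        self._queue = {k: list(v) for k, v in self.REPLIES.items()}

    def __call__(self, cmd):
        self.sent.append(cmd)
        q = self._queue.get(cmd)
        if not q:
            return f"(no constructed output for {cmd!r})\n"
        return q.pop(0) if len(q) > 1 else q[0]


if __name__ == "__main__":
    console = FakeConsole()
    evidence = collect(console)
    for r in evidence:
        print(f"{r['examiner_time_utc']}  {r['sha256'][:16]}  {r['command']}")
    print("unsaved running-config lines:", unsaved_changes(evidence))
```

In the constructed data the running configuration carries a static route to 192.0.2.99 and re-enables Telnet on the VTY lines, neither of which is in startup-config; those are the lines `unsaved_changes` returns, and they are the kind of in-memory modification that a pull-the-plug acquisition would silently erase.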

Contents

Front Cover 1
Cisco Router and Switch Forensics: Investigating and Analyzing Malicious Network Activity 2
Copyright Page 3
Lead Author and Technical Editor 4
Contributing Authors 5
Contents 12
Introduction 28
About This Book 29
Defining a Secure Network 29
Network Architectures 29
Equipment Used for the Examples in This Book 32
Routers 32
Switches 33
Firewalls 33
Syslog Server 33
Setting Up a Secure Network 33
Routers 33
Switches 34
Syslog 35
Wireless Access Points 36
The Incident 36
What Happened 36
Who Spotted It 36
First Responders 37
How to Respond 37
Preserving the Evidence 37
Relevant Laws 37
Whom to Call 38
Law Enforcement Issues 38
Summary 39
Solutions Fast Track 39
Frequently Asked Questions 41
Chapter 1: Digital Forensics and Analyzing Data 42
Introduction 43
The Evolution of Computer Forensics 43
The Phases of Digital Forensics 43
Collection 44
Preparation 46
Hardware Documentation Difficulties 48
Difficulties When Collecting Data from RAID Arrays, SANs, and NAS Devices 49
RAID 49
SANs 49
NAS Devices 50
Difficulties When Collecting Data from Virtual Machines 50
Difficulties When Conducting Memory Acquisition and Analysis 51
Examination 52
Utility of Hash Sets 52
Difficulties Associated with Examining a System with Full Disk Encryption 53
Trusted Platform Module (TPM) 53
Alternative Forensic Processes 54
Analysis 54
Analysis of a Single Computer 56
Metadata 56
Exchangeable Image File Format 57
Binary and Malware Analysis 57
Deleted Items 58
Data Carving 58
E-Mail Analysis 58
Analysis of an Enterprise Event 58
System Flow Charts 59
Timelines 59
Tools for Data Analysis 60
GREP 60
Spreadsheets 61
Databases 61
Snort 61
Security Event Management Systems 61
Reporting 62
Summary 63
Solutions Fast Track 63
Frequently Asked Questions 64
Endnotes 65
Chapter 2: Seizure of Digital Information 66
Introduction 67
Defining Digital Evidence 68
Digital Evidence Seizure Methodology 71
Seizure Methodology in Depth 73
Step 1: Digital Media Identification 74
Step 2: Minimizing the Crime Scene by Prioritizing the Physical Media 75
Step 3: Seizure of Storage Devices and Media 75
To Pull the Plug or Not to Pull the Plug, That Is the Question 76
Factors Limiting the Wholesale Seizure of Hardware 77
Size of Media 78
Disk Encryption 78
Privacy Concerns 79
Delays Related to Laboratory Analysis 80
The Concept of the First Responder 80
Other Options for Seizing Digital Evidence 81
Responding to a Victim of a Crime Where Digital Evidence Is Involved 82
Seizure Example 83
Determining the Presence and Location of Evidentiary Data Objects 85
Obtaining Information from a Running Computer 86
Imaging Information On-Scene 87
Imaging Finite Data Objects On-Scene 88
Use of Tools for Digital Evidence Collection 89
Common Threads within Digital Evidence Seizure 91
Determining the Most Appropriate Seizure Method 93
Summary 95
Solutions Fast Track 97
Frequently Asked Questions 99
Endnotes 100
Chapter 3: The Mindset of a Network Administrator 102
Introduction 103
Who Is a Network Administrator? 103
The God Complex 103
Job Security 104
If No One Else Knows How It Works, I Will Continue to Have a Job 105
Salaries 105
Social Engineering 106
Google Them 107
Social Networking Sites 108
No-Tech Hacking 108
Summary 110
Solutions Fast Track 110
Frequently Asked Questions 111
Chapter 4: Arrival on the Scene 112
Introduction 113
Preparing for the Scene 114
Preliminary Checklists 114
Procedures 115
Equipment 115
Software 116
Communicating with On-Scene Personnel 116
Preexisting Documentation 117
Policies and Procedures 117
Diagrams 119
Passwords 124
Access Control Lists 125
Securing the Scene: Protecting Equipment and Data 126
Evidence Tape and Bags 126
Safety 127
Network Isolation: Stopping the Attack 128
To Stop an Attack You Must Be Able to Identify the Attack 128
Ascertain Whether Live Acquisition Is Necessary 129
Document, Document, Document 129
Maintaining or Restoring Business Continuity 129
Follow Agency Guidelines 130
Cooperating and Coordinating with Other Agencies 131
Coordinating with Outside Agencies 132
Internet Crime Reporting Resources 132
The Incident 134
Summary 135
Solutions Fast Track 135
Frequently Asked Questions 137
Chapter 5: Diagramming the Network Infrastructure 138
Introduction 139
Preexisting Documentation 139
None 139
Out-of-Date 141
Inaccurate 141
Accurate 143
Physical Layout 143
Patch Panels 144
Cabling 144
Hubs 145
Wireless Access Points 145
Switches 146
Routers 146
Servers 147
E-Mail 149
SQL and Oracle 150
UNIX, Linux, and Windows 151
Databases 152
DHCP 152
DNS 152
Firewalls 153
Workstations and Peripherals 153
Laptops 153
Desktops 154
Peripherals 154
Logical Layout 154
Subnets 154
Virtual Local Area Network (VLAN) 155
DMZ 156
Topology 156
Internal Access 159
Firewall Settings 159
Intrusion Detection System Settings 161
Syslog 161
Access Control Lists 161
External Access 163
Firewall Settings 163
IDS Settings 164
Syslog 165
Virtual Private Network Access 165
Access Control Lists 166
Remote Access 166
VNC 166
RDP 167
RADIUS 167
Telnet 167
SSH 167
The Incident 168
Summary 170
Solutions Fast Track 170
Frequently Asked Questions 172
Chapter 6: Cisco IOS Router Basics 176
Introduction 177
Connecting to the Router 177
HyperTerminal 178
The Console Port 179
The Auxiliary Port 185
Telnet 186
Web Interface 191
User Account Setup 194
Cisco Network Assistant 194
Router Modes 195
User Mode 0 196
Commands 196
User Modes 1 through 14 196
Commands 197
Privileged Mode 197
Commands 197
Global Configuration Mode 198
Routing Protocols 199
Interior and Exterior Gateway Protocols 200
Distance Vector Routing Protocols 201
RIP 202
EIGRP 204
BGP 205
Link State Routing Protocols 206
OSPF 206
Backup and Restoration of Routers 208
Configuration Files 208
Backing Up Configurations 208
TFTP 209
Restoring Configurations 210
Router Issues 212
Final Security Issues 213
ACLs 215
Boot Problems 220
Router Passwords 220
The Incident 221
Summary 230
Solutions Fast Track 230
Frequently Asked Questions 232
Chapter 7: Understanding the Methods and Mindset of the Attacker 234
Introduction 235
Information Gathering 235
Google Hacking 236
No-Tech Hacking 238
Social Networking Sites 240
Scanning and Probing 240
Nmap 241
Netcat 245
Nessus 247
Maltego 252
Other Scanning Tools 254
Exploiting Weaknesses 260
Metasploit 260
MSF Version 3 262
MSF Version 2 263
Milw0rm 265
Password Cracking 266
Maintaining Access 268
Backdoors 268
Rootkits 269
Tunneling 270
Covering Tracks 271
Anti-Forensics 271
The Incident 272
Summary 274
Solutions Fast Track 274
Frequently Asked Questions 276
Chapter 8: Collecting the Non-Volatile Data from a Router 278
Introduction 279
Before You Connect to the Cisco Router 279
Initial Steps 279
Interview the POC 280
Obtain the Router Password 280
Procedures 281
Background 282
Document Your Steps 282
Connecting to the Cisco Router 282
Serial Cable 282
USB Connection 283
HyperTerminal 283
Telnet 286
Web-Based Interface 286
Cisco Network Assistant 287
Router Non-Volatile Data Collection Procedures 289
Documentation 301
Network-Based Backup of Config Files 301
TFTP 301
Router Commands to Run on the Cisco Router 304
Analysis of Gathered Non-Volatile Router Data from a Cisco Router 311
Analyzing What Happened 312
Log Files 321
Building Your Case 323
The Incident 324
Summary 328
Solutions Fast Track 328
Frequently Asked Questions 330
Chapter 9: Collecting the Volatile Data from a Router 332
Introduction 333
Before You Connect to the Cisco Router 333
The Cisco Router 334
Router Functions, Architectures, and Components 334
Initial Steps 334
Make a Record 335
Interview the POC 335
Preinvestigation Tasks 335
Obtain the Router Password 338
Modes of Operation 339
Remote Evidence May Be All That Is Available if the Passwords Have Been Modified 340
Common Management Services 342
SNMP 342
HTTP 346
Live Capture Procedures 347
Background 351
Document Your Steps 352
Connecting to the Cisco Router 352
USB Connection 353
HyperTerminal 353
Telnet 354
Web-Based Interface 354
Cisco Network Assistant 355
Interactive Access 355
TTYs 356
Controlling VTYs and Ensuring VTY Availability 356
Volatile Data Collection Procedures 357
Documentation 357
Network-Based Backup of Config Files 357
TFTP 358
FTP 358
Configuration Files and States 358
Creating a Set of Access Scripts 359
Commands to Run on the Cisco Router 359
The Major Commands 359
The show audit Command 360
The show clock detail Command 362
The show version Command 362
The show access-lists Command 363
The show users Command 364
The show ip route Command 364
The show banners Command 364
The show arp and show ip arp Commands 365
The show ip sockets, show udp, and show tcp Commands 366
The show tech-support Command 366
The show stacks Command 367
The show logging Command 368
AAA Logging 369
SNMP Trap Logging 370
Console Logging 370
Buffer Logging 370
Syslog Logging 370
SNMP Logging 370
AAA Logging 370
ACL Violation Logging 370
Logging Summary 371
Advanced Data Collection 371
Core Analysis 372
Analyzing Volatile Data Gathered from a Cisco Router 372
Automated Router Forensics 372
RAT 373
How RAT Works 374
How to Install RAT 374
How to Run RAT 378
Command Syntax 383
CREED: The Cisco Router Evidence Extraction Disk 384
Analyzing What Happened 385
The Stages of a Forensic Engagement 385
Phase 1: Gain an Understanding of the System 385
Phase 2: System Design and Configuration Assessment-Planning 386
Phase 3: The Initial Steps 386
Phase 4: The Investigation 387
Phase 5: Report Preparation 387
The Incident 387
Summary 413
Solutions Fast Track 413
Frequently Asked Questions 415
Endnotes 416
Chapter 10: Cisco IOS Switch Basics 418
Introduction 419
Switch Basics 419
Switch Concepts 419
Advantages over Hubs 420
Switch Modes 421
Cut-Through 421
Store-and-Forward 422
Symmetric versus Asymmetric 423
Switch Terminology 423
CAM 423
MAC Flooding 424
Layer 2 Switches 425
Layer 3 Switches 425
Collision Domains 426
Microsegmentation 426
Broadcast Domains 428
Port Security 429
Connecting to the Switch 430
Switch LED Indicators 431
HyperTerminal 432
The Console Port 433
Telnet 436
Web Interface 438
Cisco Network Assistant 439
Switch Modes 443
User Mode 0 444
Commands 444
User Modes 1 through 14 444
Commands 444
Privileged Mode 445
Commands 445
Global Configuration Mode 446
User Account Setup 447
VLAN Database Configuration 447
Managing IOS 448
Backup and Restoration of Switches 449
Configuration Files 449
Backing Up Configurations 450
TFTP 451
Restoring Configurations 451
Switch Issues 452
Final Security Issues 453
Boot Problems 455
Switch Passwords 456
The Incident 457
Summary 460
Solutions Fast Track 460
Switch Basics 460
Switch Terminology 460
Connecting to the Switch 461
Switch Modes 461
Managing IOS 461
Backup and Restoration of Switches 461
Switch Issues 462
The Incident 462
Frequently Asked Questions 463
Chapter 11: Collecting the Non-Volatile and Volatile Data from a Switch 464
Introduction 465
Before You Connect to the Cisco Switch 465
Initial Steps 465
Interview the POC 465
Obtain the Switch Password 466
Procedures 467
Background 467
Document Your Steps 467
Connecting to the Cisco Switch 468
LED Lights 468
Serial Cable 468
HyperTerminal 469
Telnet 470
Web-Based Interface 471
Cisco Network Assistant 471
Volatile and Non-Volatile Data Collection Procedures 472
Documentation 472
Screenshots 473
HyperTerminal 473
Telnet 473
Web-Based Interface 473
Cisco Network Assistant 473
Network-Based Backup of Config Files 474
TFTP 474
FTP 474
Commands to Run on the Cisco Switch 475
Show Commands 475
Clock 475
Version 476
Running Config 477
Startup Config 477
MAC Table 478
Banners 478
Logging 479
Examining the VLAN Database 480
Examining Port Security 481
Analyzing Volatile and Non-Volatile Data Gathered from a Cisco Switch 481
Analyzing What Happened 481
Building Your Case 482
The Incident 482
Summary 488
Solutions Fast Track 488
Frequently Asked Questions 490
Chapter 12: Preparing Your Report 492
Introduction 493
Forms 493
Chain-of-Custody Form 493
Agency-Specific Forms 494
Evidence Forms 495
Serial Number 496
Evidence Number 496
Report Components 497
Agent Names 497
Case Number 497
Individuals Present 497
Time 497
Time Zone 497
Timeline of Recorded Events 497
Serial Number and Evidence Number 498
Documented Policies, Procedures, and Guidelines 498
Mistakes 498
Processing On-Screen Data 498
Trusted Binaries 498
Volatile Data 499
Non-Volatile Data 499
Trojanized Binaries 499
Shutdown Procedures 499
Pulling the Plug 499
Graceful Shutdowns 499
Drawings 499
Computers 500
Network Devices 500
Cabling 500
The Incident 500
Summary 501
Solutions Fast Track 501
Frequently Asked Questions 503
Chapter 13: Preparing to Testify 504
Introduction 505
Documentation 505
Reports 505
Acquiring Evidence 506
Authenticating Evidence 506
Analyzing Evidence 506
Forms 506
Chain of Custody 507
Affidavits 508
Notes 508
Checklists 508
Visual Tools 509
Computer Graphics 509
Video 509
Charts 510
Diagrams 511
Illustrations 511
Understanding the Daubert and Frye Standards 511
Daubert 512
Tested Theories 512
Peer-Reviewed and Publicized Theories 513
Error Rates 514
Frye 514
Scientific Evidence 514
Acceptance by the Scientific Community 515
Applicability to Procedures 515
Federal Rules 516
Article VII: Opinions and Expert Testimony 517
Preparation 517
Article VIII: Hearsay 518
Errors and Omissions 518
Published or Authoritative Works 519
Acknowledging Flaws and Alternative Theories 519
Words of Caution 519
Admissibility 520
The Incident 520
Summary 522
Solutions Fast Track 522
Frequently Asked Questions 525
Index 526
Appendix : Cisco Wireless Device Forensics 532
Introduction 533
How Wireless Technology Changes Network Security 533
Overview of 802.11 Standards 533
Shared Network Model 534
Protecting the Data Link and Physical Layers 534
Tracking and Attacking Anonymity 535
Attacks on Wireless Networks 535
Authentication 535
Physical Security 536
Designing for Security 536
Creating a Security Policy 536
Risk Assessment 536
The Big Three 537
Logging and Accounting 537
Hot Standby 537
Configuring Hot Standby 538
Implementing Firewalls for Additional Security 539
Public Secure Packet Forwarding 540
Filters 541
WLAN LAN Extension 802.1x/EAP 541
EAP 542
EAP Packet Format 542
EAP Request and Response 542
EAP Success and Failure 543
802.1x 543
EAP Types 544
EAP Message Digest 5 544
EAP Generic Token Cards 544
EAP TLS 544
Cisco EAP 545
LEAP Authentication Process 545
Implementing LEAP 546
Configuring ACS 547
Configuring Access Points 549
Configuring the Client 552
WLAN LAN Extension IPSec 556
Standards Used in IPSec 557
IKE 557
IKE Authentication 558
AH 558
ESP 559
Implementing IPSec over WLAN 559
VPN Device List in WLAN 561
Configuring the VPN Gateway 561
Configuring an Access Point 562
Configuring Filters Using the CLI in IOS 563
Configuring Filters Using a Web Browser in IOS 564
Configuring a VPN Client 565
WLAN Static WEP Keys 567
WEP 567
IV WEP Vulnerable 568
IV and RC4 Vulnerabilities 568
Mitigating WEP Vulnerability 569
TKIP 569
Message Integrity Check 569
Configure Static 128-bit WEP with TKIP 570
Using a Web Browser for Access Point Configuration 570
Configuring the Client 571
The Cisco Wireless and Wireless-Aware Vision 571
The Cisco Structured Wireless-Aware Network Product Line 572
APs 573
Aironet Bridges 573
Client Adapters 573
Cisco IOS 574
Wireless LAN Solution Engine 574
Wireless Security Suite 574
Access Control Server 574
Cisco Wireless LAN Switches and Routers 574
Cisco Wireless Antennas and Accessories 575
Ceiling Mount Omnidirectional Antenna 2.4 GHz (AIR-ANT1728) 577
Mast Mount Omnidirectional Antenna 2.4 GHz (AIR-ANT2506) 577
High-Gain Mast Mount Omnidirectional Antenna 2.4 GHz (AIR-ANT24120) 577
Pillar Mount Diversity Omnidirectional Antenna 2.4 GHz (AIR-ANT3213) 577
POS Diversity Dipole Omnidirectional Antenna 2.4 GHz (AIR-ANT3351) 578
Diversity Ceiling Mount Omnidirectional Patch Antenna 2.4 GHz (AIR-ANT5959) 578
Directional Wall Mount Patch Antenna 2.4 GHz (AIR-ANT3549, AIR-ANT1729) 578
Diversity Directional Wall Mount Patch Antenna 2.4 GHz (AIR-ANT2012) 579
Yagi Antenna 2.4 GHz (AIR-ANT1949) 579
Dish Antenna 2.4 GHz (AIR-ANT3338) 579
Cisco's 2.4 GHz Antennas Summary 579
5 GHz Antennas 581
Cisco Wireless IP Phone 581
Cisco IOS and WLANs 582
Upgrading from VxWorks to IOS 582
Using the Aironet Conversion Tool for Cisco IOS Software v2.0 583
Using the Browser and VxWorks 583
Using CiscoWorks WLSE for IOS Conversion 584
Cisco Aironet APs 584
Aironet 1200 AP 584
First-Time Basic Configuration 586
Aironet 1100 AP 588
Aironet 350 AP 589
Cisco Aironet WLAN Client Adapters 590
Cisco Aironet 350 Series Client Adapters 590
Cisco Aironet 5GHz Client Adapter 592
Cisco Aironet 802.11a/b/g Client Adapters 592
CiscoWorks Wireless LAN Solution Engine (WLSE) 2.x 593
Fault Monitoring 594
Device Management 596
Device Configuration and Firmware Upgrades 596
Configure Tab 596
Firmware Tab 598
Reports 598
Radio Manager 599
Summary 600
Solutions Fast Track 601
How Wireless Technology Changes Network Security 601
Designing for Security 601
WLAN LAN Extension 802.1x/EAP 601
WLAN LAN Extension IPSec 602
WLAN Static WEP Keys 602
The Cisco Wireless and Wireless-Aware Vision 602
The Cisco Structured Wireless-Aware Network Product Line 602
Cisco IOS and WLANs 603
Cisco Aironet APs 603
Cisco Aironet WLAN Client Adapters 603
CiscoWorks Wireless LAN Solution Engine (WLSE) 2.x 604

Confirmed errata

Page | Erratum | Submitted by | Corrected in printing
(no entries recorded)
