Sample Course Ware

Upload: suresh-kumar-balakrishnan

Post on 01-Jun-2018


  • 8/9/2019 Sample Course Ware

    1/31


    Copyright 2013

    Cyberoam Technologies Pvt. Ltd.

    901, Silicon Tower

    Off C.G.Road

    Ahmedabad 380 006

    India (Cyberoam).

    All rights reserved.

    No part of this training material may be reproduced in any form by any means (including but not limited to photocopying or storing it in any medium by electronic means and whether or not transiently or incidentally to some other use of this training material) without permission in writing from Cyberoam. Requests for permission to make copies of any part of this training material should be mailed to:

    Cyberoam Technologies Private Limited, 901, Silicon Tower, Off C. G. Road, Ahmedabad 380 006, India

    Warning: The doing of an unauthorized act in relation to a copyright work may result in both a civil claim for damages and criminal prosecution.

    Cyberoam, Cyberoam NetGenie, Cyberoam Central Console are Trademarks of Cyberoam.

    This training material may have referred to a few trademarks for the purpose of identifying certain products and/or services. All those trademarks are owned by their respective owners.

    This training material is designed to provide accurate and authoritative information in regard to the subject matter.

    While Cyberoam has taken all due care and diligence at the time of editing and publishing the training material, Cyberoam does not hold any responsibility for any mistake that may have inadvertently been contained within the training material. Cyberoam shall not be liable for any direct, consequential, or incidental damages arising out of the use of the training material.


    Networking Basics

    A network is a data communication system that allows users and devices to communicate with each other. A network that contains computers as part of its devices is known as a Computer Network. When a message is sent across from one point to another point, we say that communication has taken place.

    A message is the term used for the information, and a single unit of communication, transmitted over a network. A message can be anything like an email (Electronic Mail), a file, an image, or any piece of information. A PC or any other machine which is capable of processing information is known as a network node.

    In a communication process a minimum of 2 PCs or devices are involved. The device which initiates the communication is known as the sender and the device which receives the message is the receiver. Sender and Receiver are connected to each other via a medium or media, which is generally in the form of wires (nowadays, wireless).

    Types of Media

    Signals generated by the sender and receiver during the transmission process require a medium through which they travel to their destination. Transmission media are divided into two broad categories.

    1. Guided

    2. Unguided

    The overall categorization of the transmission media is shown in the above figure; a detailed description of each is given below.

    Guided Media

    Guided Media are those types of media that provide a conduit from one point to another on the network. These include the twisted pair cable, Co-axial cable and the Fiber Optic cable.

    Twisted Pair Cable

    This cable comes in two forms:

    1. UTP (Unshielded Twisted Pair)

    2. STP (Shielded Twisted Pair)


    UTP Cable

    UTP is the most commonly used cable today. The UTP consists of two cables wound on each other and jacketing a copper wire, each with its own colored plastic insulation.

    There are seven major categories of this type of cable. The category number of the cable tells us how many pairs of wires are contained in the cable.

    1. Category 1

    This type of cable contains a single pair of wires. This is the basic twisted pair cable generally used in telephone systems. This type of cable cannot be used to carry computer signals and hence is not suitable for computer-to-computer communication.

    2. Category 2

    This type of cable contains 2 pairs of wires (total 4 wires). It is suitable for voice and data communication up to 4 Mbps only.

    3. Category 3

    This type of cable has 3 pairs of wires (total 6 wires). It is suitable for data transmission up to 10 Mbps. It is now a standard cable for most of the telephone systems.

    4. Category 4

    This type of cable has 4 pairs of wires (total 8 wires). It is suitable for data transmission up to 16 Mbps and can be used for low speed computer-to-computer communication as well as voice communication.

    5. Category 5

    This type of cable is suitable for data transmission up to 100 Mb per second. This cable is mostly used for LANs.

    6. Category 5e

    This cable is similar to a category 5 cable but can support up to 1 gigabit per second (1024 Mb) transmission speed.

    7. Category 6

    This cable is the fastest copper cable. The speed of this cable is 10 Gbps and it is said to be made out of the best copper material.

    Cable Pin outs

    There are two basic pin outs used in cabling Ethernet cables. The cables are connected to the computer using an RJ45 connector, which is a standard defined by the TIA (Telecommunications Industry Association).

    1. Straight Cable

    2. Cross-Over Cable

    In a straight cable, the pins on the sender match the pins on the receiver. For example, suppose pin no. 1 is used for sending data and pin no. 5 is used for receiving; then it is obvious that if communication is taking place from one computer to another computer without any interconnecting devices, the sending pins on the sender side should be bound to the receiving pins on the receiving side, giving rise to a cross-over cable. At the initial level, we can remember that if no switching devices are used, a cross-over cable is used for computer-to-computer communication (peer to peer) and a straight cable is used for communication between a computer and other devices like switches, hubs, and more.

    The Straight and Cross-over terminologies apply to Category 5 and 6 cables only. Each cable consists of four basic colors (Blue, Brown, Orange, and Green) with their corresponding white colored wires known as White-Blue, White-Brown, White-Orange and White-Green.

    The pin numbers on the connector can be understood from the diagram below.

    The cabling method according to the TIA standard can be understood from the tables below.

    Straight Through cable

    RJ45 Pin # (End 1)   Wire Color      RJ45 Pin # (End 2)   Wire Color
    1                    White/Green     1                    White/Green
    2                    Green           2                    Green
    3                    White/Orange    3                    White/Orange
    4                    Blue            4                    Blue
    5                    White/Blue      5                    White/Blue
    6                    Orange          6                    Orange
    7                    White/Brown     7                    White/Brown
    8                    Brown           8                    Brown

    Cross Over cable

    RJ45 Pin # (End 1)   Wire Color      RJ45 Pin # (End 2)   Wire Color
    1                    White/Green     1                    White/Orange
    2                    Green           2                    Orange
    3                    White/Orange    3                    White/Green
    4                    Blue            4                    Blue
    5                    White/Blue      5                    White/Blue
    6                    Orange          6                    Green
    7                    White/Brown     7                    White/Brown
    8                    Brown           8                    Brown
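    The two pinout tables above can be checked mechanically. The following Python is an added example, not code from the Cyberoam courseware: it encodes both TIA pinouts as data, follows each wire colour from End 1 to End 2, and classifies the cable as straight-through or cross-over. It assumes the 10/100BASE-T pin roles (pins 1 and 2 transmit, pins 3 and 6 receive), which the page does not state, and the names pin_map, classify and can_link are its own.

```python
"""Classify an RJ45 cable as straight-through or cross-over from its two pinouts.

Added example; not from the Cyberoam courseware. It assumes the 10/100BASE-T
pin roles, which the page itself does not state: a NIC transmits on the pair
at pins 1-2 and receives on the pair at pins 3-6; pins 4, 5, 7 and 8 are not
used at those speeds, so a valid cable must leave them in place.
"""

# Wire colour by pin, as listed in the page's tables. End 1 is the same for
# both cable types; only End 2 differs.
END_1 = {1: "White/Green", 2: "Green", 3: "White/Orange", 4: "Blue",
         5: "White/Blue", 6: "Orange", 7: "White/Brown", 8: "Brown"}
STRAIGHT_END_2 = dict(END_1)
CROSSOVER_END_2 = {1: "White/Orange", 2: "Orange", 3: "White/Green", 4: "Blue",
                   5: "White/Blue", 6: "Green", 7: "White/Brown", 8: "Brown"}

# Expected pin-to-pin maps. A straight cable keeps every pin in place; a
# cross-over wires End 1's transmit pair (1, 2) to End 2's receive pair (3, 6)
# and vice versa, keeping polarity (1->3, 2->6) so each pair stays a pair.
STRAIGHT_MAP = {p: p for p in range(1, 9)}
CROSSOVER_MAP = {**STRAIGHT_MAP, 1: 3, 2: 6, 3: 1, 6: 2}


def pin_map(end_1, end_2):
    """Return {End 1 pin: End 2 pin} by following each wire colour through the cable."""
    if len(set(end_1.values())) != 8 or len(set(end_2.values())) != 8:
        raise ValueError("each end must use eight distinct wire colours")
    colour_to_pin_2 = {colour: pin for pin, colour in end_2.items()}
    if set(colour_to_pin_2) != set(end_1.values()):
        raise ValueError("both ends must use the same eight colours")
    return {pin: colour_to_pin_2[colour] for pin, colour in end_1.items()}


def classify(end_1, end_2):
    """'straight', 'crossover', or 'invalid' (anything else, e.g. a miswired pair)."""
    mapping = pin_map(end_1, end_2)
    if mapping == STRAIGHT_MAP:
        return "straight"
    if mapping == CROSSOVER_MAP:
        return "crossover"
    return "invalid"


def can_link(end_1, end_2, device_a, device_b):
    """True if this cable links device_a to device_b, each 'host' (PC) or 'switch'
    (switch or hub). Per the page: like-to-like (host-host, switch-switch) needs a
    cross-over cable; host-to-switch needs a straight cable."""
    kind = classify(end_1, end_2)
    if kind == "invalid":
        return False
    return (device_a == device_b) == (kind == "crossover")


if __name__ == "__main__":
    print("page's straight table:", classify(END_1, STRAIGHT_END_2))
    print("page's cross-over table:", classify(END_1, CROSSOVER_END_2))
```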

    STP Cable

    A shielded twisted pair cable has a protective shield (covering) within which the two ends of the wire run the entire length. An STP cable can be thought of as a UTP but with a jacketing. A shielded twisted pair has a metal foil or a braided-mesh covering the insulated wires. The major application of the STP cable is the electric industry. This cable is mostly used for powering up electrical devices. However, many ISPs also use this type of cable to terminate the broadband link at customer premises.

    Co Axial Cable

    A co-axial cable consists of a center wire which is surrounded by an insulation, which in turn is surrounded by a braided wire and a shield above the braided wire. This type of cable is primarily used for cable television. This cable can also be used in computer networks where a high amount of data transfer is required, as this cable has a high frequency.


    Fiber Optic Cable

    A fiber optic cable works on the principle of reflection of light. We know that light travels at a very fast speed. Hence, communication can also be done in the form of light waves using the fiber optic cable. The structure of this cable includes a sheath of glass covered by an outer glass. The light travels through the core of the wire by reflecting over the surfaces of the glass and hence reaches the destination. Fiber cables are used in computer communication. Many other devices like audio players also use fiber cables, known as SPDIF (Sony Philips Digital Interface).

    Unguided Media

    The unguided media is usually the wireless medium and it can be in the form of radio waves and microwaves. The wireless media can broadly be classified into the following categories.

    Wi-Fi

    Wi-Fi is a wireless technology which allows users to send and receive data using radio waves. Wi-Fi can also provide intra-network and Internet access. The products complying with Wi-Fi define Wi-Fi as a Wireless Local Area Network (WLAN). To check if any device provides the Wi-Fi standard, we can check for the Wi-Fi logo on the device. Wi-Fi is an abbreviated term actually used for WLAN.


    3G

    3G or 3rd Generation mobile telecommunication is a standard for mobile phones and mobile telecommunication giving services like wireless telephone, mobile internet, and Mobile TV.

    4G

    4G or 4th Generation mobile telecommunication is a successor of the 3G technology. A 4G system provides very high speed internet access wirelessly.

    Wi-max

    Wi-Max (Worldwide Interoperability for Microwave Access) is a standard in wireless communication which results in a very high speed of data transfer, wirelessly. It is a part of the 4G (4th Generation) wireless technology.

    Modes of Transmission

    There are three types of strategies used for data transmission between two communicating machines:

    1. Simplex

    2. Half Duplex

    3. Full Duplex

    In the simplex type of communication, the data transfer is done in one way only. Data can travel from point A to point B only, but the reverse does not apply. An example of a simplex type of communication is a door-bell. A door-bell only informs the housemates that there is someone at the door; however, the housemates cannot inform anything to the visitor.

    In Half Duplex mode, the line between the two points is set up in such a fashion that it allows data to be transferred in both directions, but only one at a time. While one node is busy sending the data, the other cannot send, and vice-versa. An example of the half-duplex type of communication can be considered a hanging bridge where only one person can pass at a time. People can move in both directions, but at any time, only people moving in one direction are allowed. Another example can be a single-lane road with traffic controllers at each end.

    For more information refer to the Cyberoam Academy Courseware.


    Overview

    The network security fundamental is a new concept because, prior to familiarization with computers, they were not networked. The early day networks were mostly LANs. When first deployed, they were secure because they were physically isolated and did not have connection to other networks. Gradually, as WANs developed and with the increase of Internet usage, LAN security became a big question. In today's time it is essential for everyone to secure their network, as there are very few networks that do not have an Internet connection.

    What is Network Security?

    Network Security is a methodology which consists of policies defined by a network administrator to monitor and prevent unauthorized access to the network. Unauthorized access also includes misuse, modification, and denial of service of the network. This methodology includes the authorization to access data in the network, which is controlled by the network administrator. A more detailed description of each component and terminology used in network security will be discussed in this module.

    Why is Network Security important?

    When we talk about the importance of network security, it becomes essential to talk about the usage of the network and the type of users. It is essential that while we use the Internet we have to be sure that the device through which we are connecting to the Internet is in a usable condition for the later stages. It is known that when we are connected to the Internet, we are also connected to several thousands of networks with millions of users. So network security becomes a vital component in the configuration of the network environment. We shall see the types of securities henceforth.

    Identifying Risks in the Network

    Network risk is a broader term and can be divided into many smaller terms which are discussed in the topics to follow. However, a network risk is any circumstance which can affect the network of an organization. We have classified risks into three main categories: Threats, Vulnerabilities, and Attacks.

    Threats

    A threat is any such incident which can harm the security of a computer network. Threats are categorized intointernal and external threats.

    Internal Threat

    Till now we have only known that the threats to a network are from the Internet and the other outside world, but a study reveals that the actual threat to an organization is more internal than external. Internal threat hence can be considered as the most serious type of threat. Insiders (the people who are associated with and work in the network), whether they are an employee or a network administrator, have complete knowledge of what is going on inside and can access the resources inside the network. An insider does not need to crack a password, or use any other tool, to get the data. They can easily and efficiently manage it from within the network. Most of the network security defenses are not able to deal with threats from inside.


    External Threat

    External threats are the threats which come from outside the network, usually through the Internet. An external threat relies on technical means to achieve its goals. The network security defense mechanisms fight mostly against the external threats. Firewalls, Intrusion Prevention Systems (IPS), and other such terms can help to reduce the threats to an organization. We shall see all these terms in detail in the later modules. External threats can also be the creation of god, like Storms, Floods, Earthquakes, and fires. However, an external threat can be a physical threat like a burglar as well.

    Vulnerability

    Vulnerability is defined as an organization's own weakness. A vulnerability is a loophole in the network which could have been prevented but, due to some lacks, could not be prevented and becomes a threat to a network. Vulnerability is a combination of three major elements: a flaw in the system, an attacker who can access the flaw, and the attacker having a capability to exploit the flaw. A security risk can be classified as a vulnerability. A vulnerability which is still working in many instances with implemented attacks is known as an exploitable vulnerability. Vulnerability can also be in the form of a security bug, which is fixed in a small duration of time after the exploitation. However, a security bug is a very small form of vulnerability. These types of security bugs are generally fixed by software patches and upgrades.

    Confidentiality Attacks

    A confidentiality attack talks about a person stealing or trying to steal an organization's confidential data. A confidentiality attack is not necessarily only physical but can be logical also. An attacker may try to copy sensitive files onto a USB memory without the knowledge of the owner, or even without leaving a trace. It is difficult to trace any unauthorized copying or leakage of data without auditing and monitoring the data at all times. Confidentiality attacks are classified into two groups: physical and logical.

    Logical Attacks

    Packet Sniffing

    Packet sniffing is a technique used to intercept and log the traffic passing over a network. It is also known as a packet analyzer. A sniffer is basically a computer program or a piece of hardware that will capture each packet flowing in the network and check its contents. There are various such free and paid software tools available on the Internet. These attacks are discussed in the later module on Ethical Hacking.

    Port scanning

    Port scanning is a technique which scans a system for the ports open to communicate. As we have already seen in the previous module, each protocol and service uses a different port on the system to communicate. Therefore, in any system, there are many ports that are always open. These ports can be scanned by an attacker to breach the confidentiality of an organization.
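    Port scanning as described above also leaves a visible trace for the defender: one source touching many distinct ports on one host in a short time, which a firewall records whether it allows or drops each packet. The following Python is an added example, not code from the Cyberoam courseware or a Cyberoam product feature; the log line format and the sample lines are constructed for it, and parse and detect_scans are its own names.

```python
"""Flag port scans in firewall log lines: one source probing many distinct
ports on one host within a short window.

Added example; not from the Cyberoam courseware and not a product feature.
The line format (timestamp, ALLOW/DROP, src=, dst=, dport=, proto=) and the
sample lines are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>ALLOW|DROP) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+)$"
)

# Constructed sample: 10.0.0.5 walks ten ports on 192.168.1.10 in six seconds,
# while 10.0.0.9 is an ordinary client using only ports 443 and 80.
SAMPLE_LOG = """\
2019-08-09 10:00:01 DROP src=10.0.0.5 dst=192.168.1.10 dport=21 proto=TCP
2019-08-09 10:00:01 ALLOW src=10.0.0.5 dst=192.168.1.10 dport=22 proto=TCP
2019-08-09 10:00:02 DROP src=10.0.0.5 dst=192.168.1.10 dport=23 proto=TCP
2019-08-09 10:00:02 DROP src=10.0.0.5 dst=192.168.1.10 dport=25 proto=TCP
2019-08-09 10:00:03 ALLOW src=10.0.0.9 dst=192.168.1.10 dport=443 proto=TCP
2019-08-09 10:00:03 DROP src=10.0.0.5 dst=192.168.1.10 dport=53 proto=TCP
2019-08-09 10:00:04 ALLOW src=10.0.0.5 dst=192.168.1.10 dport=80 proto=TCP
2019-08-09 10:00:04 DROP src=10.0.0.5 dst=192.168.1.10 dport=110 proto=TCP
2019-08-09 10:00:05 DROP src=10.0.0.5 dst=192.168.1.10 dport=135 proto=TCP
2019-08-09 10:00:05 DROP src=10.0.0.5 dst=192.168.1.10 dport=139 proto=TCP
2019-08-09 10:00:06 ALLOW src=10.0.0.9 dst=192.168.1.10 dport=443 proto=TCP
2019-08-09 10:00:06 DROP src=10.0.0.5 dst=192.168.1.10 dport=445 proto=TCP
2019-08-09 10:00:07 ALLOW src=10.0.0.9 dst=192.168.1.10 dport=80 proto=TCP
"""


def parse(lines):
    """Yield (timestamp, src, dst, dport) per well-formed line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["src"], m["dst"], int(m["dport"])


def detect_scans(lines, min_ports=10, window_seconds=60):
    """Return {(src, dst): sorted ports} for each source that touched at least
    min_ports distinct ports on one destination inside some window_seconds span.
    ALLOW and DROP count alike: a scan is the breadth of ports probed, not
    whether they were open."""
    events = defaultdict(list)
    for ts, src, dst, dport in parse(lines):
        events[(src, dst)].append((ts, dport))

    findings = {}
    for pair, evs in events.items():
        evs.sort()
        in_window = defaultdict(int)  # port -> hits inside the sliding window
        lo = 0
        for ts, port in evs:
            in_window[port] += 1
            # Slide the window start forward past events older than the window.
            while (ts - evs[lo][0]).total_seconds() > window_seconds:
                old_port = evs[lo][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                lo += 1
            if len(in_window) >= min_ports:
                findings[pair] = sorted(in_window)
                break
    return findings


if __name__ == "__main__":
    for (src, dst), ports in detect_scans(SAMPLE_LOG.splitlines()).items():
        print(f"possible port scan: {src} -> {dst}, ports {ports}")
```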

    Social Engineering

    Social Engineering is when an attacker uses social skills like relationships or other social media to manipulate or gather sensitive organization information. Bribing an employee, or sending emails or links to a person within the organization to collect organization data, is also termed social engineering.

    The above given attacks are just the starting; more has been discussed on all the tools and techniques in the ETHICAL HACKING module.

    Physical Attacks

    Dumpster diving

    Dumpster diving is a technique in which an attacker searches for information, or tries to piece together information, from waste disposed of by the company. In this technique an attacker can look for information like phone numbers, charts, memos, or any other organization material, from which a valuable source of information can be built.

    Wiretapping

    Wiretapping is a physical confidentiality attack in which an attacker monitors the wires (telephones, Internet, etc.) without the knowledge of the organization. In this case the attacker has his wiring attached to the wiring of the company, and as a third person, the attacker simply taps the communication.

    Network Security Objectives

    From the earlier discussion we have seen how a network can be attacked. The only secured computer in a network is the one which is not connected to the network, is still inside the box and is thrown deep down in the ocean, but we know that such a computer will have no meaning and no use. Our objective is to use the computers in the network and, at the same time, secure them as well. Given below are some of the objectives of network security.

    Assumptions

    Before developing a security solution for a network, it is necessary to assume many fundamentals. To name a few, we need to think about the future expansion of the network, change in future operating systems, change in other software, change in Internet connections, or change in physical location of an organization, etc. Like any software development application, a Life Cycle has to be calculated. A network engineer must be able to answer any physical and logical changes that can be done in a network.

    Requirements

    The basic security principles have a few requirements like confidentiality, Integrity and availability. We will discussthe above requirements as goals of a network security environment at the end of this module.

    Security Principles

    Network security can be in the form of software or hardware which guards us by not letting objectionable traffic flow from an unknown network to our network. Network security can be shown by a security pyramid.

    Prevention

    Prevention is the foundation of the security pyramid. To provide security it is vital to execute measures for averting the network threat. In budding network security methods, organizations take precautionary measures over recognition and reaction. It is easier, and more cost-effective, to prevent a security breach than to detect or respond. A company always wants that their preventative measures are strong enough to put off likely criminals (inside, and outside the network).

    Detection

    Once preventative processes are implemented, actions need to be introduced to detect potential problems or security breaches, in the event precautionary measures fail. It is important that problems be perceived immediately; the sooner a trouble is identified, the easier it is to rectify and crack down.

    Response

    Businesses need to develop a plan which will classify the response to a security breach. The plan should identify who is responsible for what actions and their responses and levels of escalation. A response is an answer that will be specified when a breach has been committed in the network.

    Implementing Network Security

    From all the above discussion, a network security solution has to be implemented in two broader categories: physical and logical.


    Physical Network Security

    Before trying to secure a network environment with a good security solution, it is necessary to secure the network using good physical and technical controls. To name a few, an intruder detection system (which does not let an outsider enter an organization), security guards, locks, safes, racks, UPS (Uninterruptible Power Supply), fire suppression systems, and air-flow systems, etc. are some of the examples.

    Logical Network Security

    Logical network security is the actual security that is provided either as a piece of hardware or software installed in an organization's network. The trend in logical security started with the development of firewalls, which is discussed in the sections below.

    Evolution of Firewalls

    When network security first started to be implemented, it was as a firewall solution. This solution restricted the flow of packets. A firewall does not have a fixed meaning. However, it can be understood as partially hardware and somewhat software which is used to block any objectionable traffic on a network. By the meaning of the word we can understand that a firewall is a barrier inside a building, designed to limit the spread of fire.

    For more information refer to the Cyberoam Academy Courseware.


    Terminologies

    Before we can actually move on to what ethical hacking and penetration testing are, it is essential for us to understand a few basic concepts about hacking, like the following.

    Why is information security important?

    In the modern era, with digitization making the world a small place, it is very essential to safeguard sensitive information like credit card numbers, social security numbers, private details of a person, etc. In the case of an organization there are major examples like private data of a customer, and the organization's own private data like design files, code files, marketing secrets, etc.

    Not only does it show that it is vital for an organization to protect the information, but also to take precautionary steps and be prepared for the worst case to happen. Hence what is required here is that the organization be prepared for any type of attack by a hacker. It is rightly said that to prevent a theft, think like a thief. Hence, to prevent a network from being hacked, think like a hacker and act like a hacker. In other words, an Ethical hacker is required to find the flaws in the system and provide security.

    What are the elements of security?

    We have already seen the elements of security in module 2. The elements of security are confidentiality, authenticity, integrity and availability.

    Before knowing what hacking is, it is mandatory to know the following terminologies:

    Threat

    Any event that has the potential to compromise security is a threat. Threat can be any event or action.

    Vulnerability

    A loophole or bug in the system is known as its vulnerability. Vulnerabilities can be classified into two major categories, hardware vulnerability and software vulnerability. The other categories of vulnerability are based on its seriousness or severity, i.e. Low, Medium, High, Critical, etc.

    Attack

    Attack is an abstract term relating to the intention of an individual to either explore an already known vulnerability or generate an attack to find a new vulnerability.

    Exploit

    Exploit is the defined way in which, using a vulnerability, the security can be compromised. An exploit can be a piece of code (normally known as a tool). A common example can be given for all the terminologies above: A person starts thinking about compromising an organization's security (Threat). The same person tries to break through an organization's infrastructure (Attack). He finds a way (Vulnerability) in which the attack can be done (Exploit).

    Phases of hacking

    Because it requires an ethical hacker to know what a malicious hacker will do, we now see what an actual hacker will do. An actual hacker's activity can be divided into 5 phases; please note, these phases are described in detail in the next section (What is Ethical Hacking?). The five phases are:

    1. Reconnaissance

    2. Scanning

    3. Gaining Access

    4. Maintaining Access

    5. Clearing Tracks


    Classes of Hackers

    There are four basic types of hackers or classes of hackers namely, Black Hats, Grey Hats, White Hats andSuicide Hackers.

    Black hats are the bad guys also known as crackers. They generally use destructive activities to take down thetarget, with a reason or without a reason. Black hats have extraordinary computing skills.

    White hats are the individuals who have good hacker skills and use them to defend against the black hats. Thesepeople are also known as security analysts and ethical hackers.

    Grey hats are the individuals who at times work as black hats and sometimes as white hats.

    Suicide hackers are those types of hackers whose aim is to compromise critical processes and who do not care even if they were jailed for a lifetime.

    Hence, from the above we now know that ethical hackers are the white hat community. Therefore, to define an ethical hacker, we can say that an ethical hacker is a person who uses their hacking skills to defend against the black hats.

    Cyber laws

    As a learner who wants to be an ethical hacker, it is essential to know the Cyber laws prevailing in each country. To be specific, every country has its own law for hackers. Hackers are dealt with severely in each country. If any hacker is found to be doing an activity that can endanger the life of an individual, they can even be given a life sentence. A few acts and laws are stated below for reference.

    SPY Act

    U.S. Federal Law

    Given below is the list of US Federal Laws for Cyber Crimes. More of the laws can be found on the judicial websiteof your country.

    Posse Comitatus Act of 1879

    Antitrust Laws and Section 5 of the Federal Trade Commission Act

    National Institute of Standards and Technology Act

    Federal Power Act

    Communications Act of 1934

    National Security Act of 1947

    US Information and Educational Exchange Act of 1948 (Smith-Mundt Act)

    State Department Basic Authorities Act of 1956

    Freedom of Information Act (FOIA)

    Omnibus Crime Control and Safe Streets Act of 1968

    Racketeer Influenced and Corrupt Organizations Act (RICO)

    Federal Advisory Committee Act (FACA)

    Privacy Act of 1974

    Counterfeit Access Device and Computer Fraud and Abuse Act of 1984

    Electronic Communications Privacy Act of 1986 (ECPA)

    Department of Defense Appropriations Act, 1987

    High Performance Computing Act of 1991

    Communications Assistance for Law Enforcement Act of 1994 (CALEA)

    Communications Decency Act of 1996

    Clinger-Cohen Act (Information Technology Management Reform Act) of 1996

    Identity Theft and Assumption Deterrence Act of 1998

    Homeland Security Act of 2002 (HSA)

    Federal Information Security Management Act of 2002 (FISMA)

    Terrorism Risk Insurance Act of 2002

    Cyber Security Research and Development Act, 2002

    E-Government Act of 2002


    Identity Theft Penalty Enhancement Act

    Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA)

    U.K Cyber Laws

    European Law

    Japan's Cyber Law

    Australia's Cybercrime Act

    India's Information Technology Act

    Germany's Cyber Law

    Singapore's Cyber Law

    Belgium Law

    Brazilian Law

    Canadian Laws

    France Law

    Italian Law

    What is ethical hacking?

    To understand Ethical Hacking, we must first understand what hacking is and how it can be ethical. Hacking is the terminology used for an activity in which a person (hacker) gains unauthorized access to a resource which he should not be using. Unlawful hacking is the process where the hacker not only gains unauthorized access, but also modifies the content of the information in such a way that it can harm the organization. Ethical means doing a deed by abiding by the principles. Hacking is in no way ethical, but ethical hacking involves the hacker using hacking techniques to find any vulnerability in an organization's network.

    Purpose of ethical Hacking

    As from the above we now know that an ethical hacker is a computer and network expert who attacks the resources on behalf of their owners, seeking exploits that a malicious hacker could exploit. The primary purpose of performing ethical hacking is to test a security system. Ethical hackers use the same methods as the malicious hackers, but report problems instead of taking advantage of them.

    Phases of Ethical hacking

    Ethical hacking can be broadly divided into five major phases:

    1. Reconnaissance

    Reconnaissance is the phase in which information is gathered about the victim to be attacked. Reconnaissance is a very broad term which also includes creating a footprint of the network. More about reconnaissance and Footprinting can be understood from Footprinting in the later part of this module. Reconnaissance covers gathering the details both with the use of computers and without the use of computers. In our case, we shall see Reconnaissance and Footprinting in which a computer is used to gather information about the victim.

    2. Scanning

    Scanning involves the task to examine the information gathered from the reconnaissance.

    3. Gaining Access

    This is the phase in which the hacker gains access to the vulnerability discovered.

    4. Maintaining Access

    Once an access is gained, the hacker wants to keep the access for future use to launch other attacks.

    5. Covering Tracks

    Once a hacker has been able to gain and maintain access, it becomes important for the hacker to cover the attack by adding a patch, or adding another layer of security.

    The major phases of ethical hacking discussed above are discussed in detail in the later part of this module.


    Being ethical

    As we have discussed hacking and ethical hacking, we now know that an ethical hacker is the good guy, also known as a White Hat. A malicious hacker is known as a Black Hat. There are some hackers who are sometimes ethical, and sometimes malicious; these are categorized as Grey Hats. When we talk about being ethical, we are talking of the white hats.

    Perform penetration test

    Penetration testing is the first job that can be done by an ethical hacker. The main function of this type of test is to carry out an entire test on the network and check for any loopholes. If loopholes exist, the ethical hacker shall report them to the owner of the network. We shall see more of ethical hacking and penetration testing later in this module.

    Footprinting

    Footprinting is a pre-attack phase which starts just after information has been collected without the use of a computer. We already know that during the reconnaissance phase, the hacker tries to collect as much information as possible about the target. Footprinting involves the hacker making a blueprint of the security profile defined by the organization. It is also said that the hacker spends 90% of the time collecting information about the target and 10% launching the attack. Listed below are the areas which the hacker seeks during the Footprinting phase.

    The hacker tries to collect the following information about the target, irrespective of whether the target is on the Internet or an intranet:

    1. Domain name

    2. Network blocks

    3. IP addresses of systems that are reachable

    4. Open ports

    5. Running services (TCP & UDP)

    6. ACLs

    7. Enumerating system users and groups (getting SNMP info.)

    8. And more

    The major steps involved in Footprinting are described in the paragraphs that follow.

    Gathering target information

    For an attack to take place, it is important that all the information about the target is gathered. It is rightly said that more time is spent collecting information about the target than in launching the attack on the victim. The methodology adopted here includes:

    Getting the initial target information

    Locating network range

    Finding active machines in the network

    Discovering open ports

    Detecting operating systems

    Mapping the network

    In this process the hacker starts from scratch, collecting all the information like the company's URL, getting an archive of the company website, getting more company information from search engines like Google, doing a people search over Switchboard, Yahoo, Google, etc., and getting the company maps from Google Earth, etc. The latest and proven technique to gather target information is also by scrolling through job sites.

    Using Google and other search engines

    Google is by far the most used search engine in the world today. Google can be used to find information about an individual or organization. Searching on Google is comparatively easy. Google and some other popular websites can be used to get the email address, phone number, and other details of any victim.


    From the screen above, we can see that Google can be used for advanced searching. It allows the user to search for content matching all the words (1), an exact phrase (2), any of the words (3), and many more. Moreover, Google also allows searching by file type. The most common file types that can be searched are Word documents (doc), Shockwave Flash objects (swf), Adobe PDF files (pdf), Excel spreadsheets (xls), and a few more.

    DNS records

    In the context of a website attack, the DNS records of the website can be searched to get the name of the registrant of the website. The DNS records also give the phone number and other contact details of the person in whose name a particular website is registered. In most cases, the registrant of a website is the administrator, or the owner/CEO of the organization.

    Social engineering

    Social engineering is the best way to gain information about any person. Social engineering involves gathering information about the target through socialization. For example, the attacker can send emails to a victim seeking friendship, or, if the attacker already knows the victim, approach the victim directly, offering gifts and trying to get the organization's vital data. Social engineering is covered again at the end of this module.

    Tools

    In this section, we will see some of the tools used in gathering information.

    WHOIS

    WHOIS, pronounced "who is", is a well-known tool to find the owner information for any domain name. Lookup in WHOIS is free and can be used by any person across the globe. There are several websites which offer the WHOIS service, like www.whois.com, www.whois.net, and many more. A sample from whois.com is shown below.

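    A WHOIS lookup returns plain "Key: Value" text; the parser below, added here as an example and not code from Cyberoam or from any WHOIS service, reads such a response and reports which registrant contact fields are readable by anyone who looks the domain up, which is what an organization should check about its own registration. The record is constructed with placeholder values, and the hypothetical helper names `parse_whois` and `exposed_contacts` are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the common "Key: Value" WHOIS response layout
# (not a real record; example.com is a placeholder domain).
SAMPLE_WHOIS = """\
% Terms of use: this record is provided for lookup purposes only.
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Creation Date: 2001-03-14T05:00:00Z
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Example Org
Registrant Phone: +1.5555550100
Registrant Email: admin@example.com
Admin Email: REDACTED FOR PRIVACY
Name Server: NS1.EXAMPLE.COM
Name Server: NS2.EXAMPLE.COM
>>> Last update of WHOIS database: 2013-01-01T00:00:00Z <<<
"""

CONTACT_KEYS = ("registrant name", "registrant organization", "registrant phone",
                "registrant email", "admin name", "admin phone", "admin email")


def parse_whois(text):
    """Parse 'Key: Value' lines into {lowercased key: [values]}.
    Comment/notice lines (%, #, >>>) and blank lines are skipped; repeated
    keys such as several 'Name Server' lines accumulate into a list."""
    records = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "%#" or line.startswith(">>>"):
            continue
        m = re.match(r"([^:]+?):\s*(.*)$", line)   # split on the first colon only
        if not m:
            continue
        key, value = m.group(1).strip().lower(), m.group(2).strip()
        records[key].append(value)
    return dict(records)


def exposed_contacts(records):
    """Return contact fields that are present and not redacted, i.e. the
    personal details anyone performing a lookup on the domain can read."""
    exposed = {}
    for key in CONTACT_KEYS:
        for value in records.get(key, []):
            if value and "redacted" not in value.lower():
                exposed[key] = value
    return exposed
```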

    For more information, refer to the Cyberoam Academy Courseware.


    Introduction

    Network forensics can be treated as a separate branch of computer science which deals with the investigation of computer security breaches. Forensics is not only defined at the level of a computer security breach but can also be defined for a data breach or a policy breach. A data breach is when data of an individual or an organization is copied or transmitted in any form without the permission of the aforesaid. A policy breach is when an individual attempts to breach a policy, for example by browsing a restricted website, resource, etc.

    Companies like Cyberoam have been constantly researching these facts and have a free (open source) reporting software known as Cyberoam iView. iView is free to use and distribute and does not require licensing. However, when a vendor like Cyberoam makes a UTM device, it also makes sure that the reporting solution iView is available on the appliance itself.

    In the topics to follow we will discuss network forensics with the help of two different case studies.

    What is Forensics?

    Network forensics is monitoring, analyzing and recreating a scene for the purpose of information gathering, legal evidence or detecting an intrusion. Network forensics has two uses.

    1. To implement security, which consists of monitoring the network and logging all the activity, for example with the Cyberoam appliance and its open source on-appliance reporting solution iView.

    2. Relating to law enforcement, which consists of investigating/recreating a network crime scene.

    Generally, when the first use mentioned is well implemented, the second use can be easily achieved. For example, iView offers compliance-based reporting for compliances like CIPA, HIPAA, etc.; therefore in case of a breach the compliance reports can be sought to get evidence. We shall look into law enforcement and how iView can be used for network forensics in the case study which follows at the end of this module.

    Types of Forensics

    Forensics is a mammoth term; hence, to break it down and simplify it, we can list the types of forensics. This section will help us understand the types of forensics.

    Network

    Network forensics is when forensic activity is done on the network, meaning no individual computers are referred to for information. Network forensics includes each activity over the network, like:

    Email forensic

    Chat forensic

    Protocol forensic

    Application forensic (Applications which require Internet Connectivity)

    Computer

    Computer forensics is when an individual computer is used to recreate an event, or to find out the activity done from an individual computer. We are aware that any and all forensic activity requires the Internet; forensic activity cannot be carried out on a computer which is not connected to the Internet, merely because the computer will have only its own data and there will be no signs of breach, data leakage, or violation of laws.

    A computer connected to the Internet is subject to network forensics. Therefore we can explicitly state that network forensics covers most of computer forensics as well and hence network forensics is the major area to look at. For example, if a threatening email is sent by person X to person Y, we would not refer to person X's computer. The only information that can probably be sought from person Y's computer is the email headers. All other information can be obtained by network forensics.


    Why forensics?

    The answer to this question is keeping an eye on the activities done by each user in order to keep the processes of an organization working smoothly and to be able to respond to any incident. Forensic investigation and forensic reporting are required for the following:

    Responding to a network incident

    Supporting a crime investigation

    Forensics in Action

    Monitoring user activity

    In the context of network security, it becomes essential for an organization to monitor each activity in the network. For forensics to happen, it is required that a logging and reporting solution be in place. There are many network transactions that need to be captured and recorded, like:

    Authentication events

    Email activity

    Messenger/Internet application activity

    Internal Web Server(s) activity

    Web Traffic (HTTP/HTTPS)

    Other Protocol Traffic like FTP, etc.

    The above points discuss an organization where there are no restrictions on any user browsing Internet resources; however, we are aware that in most organizations restrictions do apply. In that case also, a capturing and recording solution is required.

    According to a Gartner survey (http://profit.ndtv.com/news/corporates/article-gartner-report-30-of-large-organisations-will-block-social-media-by-2014-299125), for most organizations social media should be blocked. The primary reason behind this is loss of productivity. Moreover, an organization's own private information can be leaked and left floating on social media. For example, as of the current date the popular social networking site Facebook is banned in several countries including the Republic of China, Iran, Uzbekistan, Pakistan, Syria, and Bangladesh. In addition, many bandwidth-hungry applications like online music, games, videos, etc. are also banned by organizations.

    However, users try to bypass the corporate network restrictions with the help of a proxy server. The Cyberoam application firewall can identify these types of bypassing activities and log them for the network administrator to look upon.

    Hence, to conclude, not only do organizations with unrestricted Internet access need to capture and record network data, but organizations with strict Internet policies also need it.

    Identifying source of data leak

    It has been widely reported by organizations that their valuable data is leaked because of availability. The motive of making data available to employees often leads to data leakage. A data leakage source involves two major contributors:

    Person/Individual/computer from where the data is leaked

    Media through which the data is leaked

    When we talk about a person or an individual leaking the data, it is very difficult to trace down the individual involved in the data leakage. The primary reason for the difficulty in tracing is the organization's dynamism. To name a few:

    Dynamic IP address schema

    Roaming tendency of a user

    Bringing own devices like USB drives, Mobiles, etc. in organization network

    Using own network, example 3G.


    An individual who wants to leak data can do so in several possible ways, for example:

    Email

    Chat (Messenger)

    Web Upload

    FTP servers

    Cloud Storage Drives

    USB Sticks

    Mobile device memory

    Since our scope is limited to network forensics, we shall elaborate on network forensics only; however, for information, in cases like USB sticks and mobile device memory, computer forensics comes in handy. We shall also see a sample incident of data leakage in the case study to follow.

    Capturing and Recording Data

    For a network forensic solution it is essential, from the previous explanation, to capture and record all the data about "What's going on?" in the network. An efficient forensic solution should be able to capture the following data:

    Authentication data along with username in place of IP addresses

    Email transaction data; each small piece of data from an email transaction like sender, receiver, number of bytes, date and time of email, subject line, etc.

    Website visit data; for each website visited by a user, data like website URL, sub-domain, category of website, data uploaded/downloaded to/from the website, total bytes transferred, etc.

    Messenger data like message sender, receiver, file name, file type, etc.

    Not only should the capturing solution be wise enough to record the above data, but it should also consider parameters like storage space and security of the captured data. Storage space management techniques have to be employed so that proper storage space is allotted to the capturing software. Also, it should be made sure that all the data is being captured; in the case of an organization with multiple branches, it has to be ensured that all branch office data is collected and sent to the head office. Another point to be noted here is the safety of the data: principles like 4-eye authentication must be in place so that the captured data is seen only by authorized personnel.

    Discovering data

    Discovering data is primarily related to filtering the captured data; however, it is also related to discovering live data like live connections, packet capture, traffic discovery and real time traffic logs.

    A forensic solution must be able to filter data on many criteria, listed in the sub-topics below.

    Email

    Filtering criteria should include sender name, sender email, sender IP address, receiver name, receiver email, receiving mail server IP address, subject line, body text search, etc.

    Chat (Messenger)

    Filtering should include username, message search, file name search, file type search, file MIME header search, etc.

    Web Upload

    Filtering criteria should include username, website name, URL search, category search, etc.
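    The capture requirement above (a username recorded alongside the IP address) and the discovery step (filtering captured records on any field) can be put together as follows. This is an added example, not Cyberoam or iView code; the authentication events and web records are constructed, and the session logic assumes each login/logout event carries the IP address it came from, so that a DHCP address reused by a second user, or a user roaming to another subnet, is attributed to the right person at the right time.

```python
from datetime import datetime

# Constructed sample logs (not real captures). Authentication events tell us
# who held an IP address and when; web records carry only the source IP.
AUTH_EVENTS = [  # (timestamp, event, username, ip)
    ("2013-05-06 09:00:00", "login",  "alice", "10.1.1.20"),
    ("2013-05-06 12:00:00", "logout", "alice", "10.1.1.20"),
    ("2013-05-06 12:05:00", "login",  "bob",   "10.1.1.20"),  # DHCP reuses the address
    ("2013-05-06 13:00:00", "login",  "alice", "10.1.2.77"),  # alice roams to another subnet
]
WEB_RECORDS = [  # (timestamp, src_ip, url, category, bytes_up, bytes_down)
    ("2013-05-06 10:15:00", "10.1.1.20", "http://drive.example/upload", "Cloud Storage", 5200000, 1200),
    ("2013-05-06 12:30:00", "10.1.1.20", "http://news.example/", "News", 300, 45000),
    ("2013-05-06 13:20:00", "10.1.2.77", "http://drive.example/upload", "Cloud Storage", 9800000, 900),
    ("2013-05-06 14:00:00", "10.1.9.9", "http://proxy.example/", "Proxy", 100, 100),
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def build_sessions(auth_events):
    """Turn login/logout events into (ip, user, start, end) sessions.
    A new login on an IP closes the session still open on it, so a reused
    DHCP address is attributed correctly; end=None means still open."""
    open_by_ip, sessions = {}, []
    for ts, event, user, ip in sorted(auth_events):
        t = _ts(ts)
        if ip in open_by_ip:
            prev_user, start = open_by_ip.pop(ip)
            sessions.append((ip, prev_user, start, t))
        if event == "login":
            open_by_ip[ip] = (user, t)
    sessions += [(ip, u, start, None) for ip, (u, start) in open_by_ip.items()]
    return sessions

def resolve_user(sessions, ip, ts):
    """Username that held `ip` at time `ts`, or None if nobody was authenticated."""
    t = _ts(ts)
    for s_ip, user, start, end in sessions:
        if s_ip == ip and start <= t and (end is None or t < end):
            return user
    return None

def attribute_web_records(auth_events, web_records):
    """Attach the authenticated username to each web record, so the
    capture holds the username alongside the IP as required above."""
    sessions = build_sessions(auth_events)
    keys = ("time", "ip", "url", "category", "bytes_up", "bytes_down")
    return [dict(zip(keys, rec), user=resolve_user(sessions, rec[1], rec[0]))
            for rec in web_records]

def filter_records(records, **criteria):
    """Discovery step: filter on any captured field, e.g. user='alice', category='Cloud Storage'."""
    return [r for r in records if all(r.get(k) == v for k, v in criteria.items())]
```

    A record whose IP had no authenticated user at that time (the proxy visit from 10.1.9.9) comes back with `user` set to None, which is itself a finding worth investigating.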

    Analyzing data

    Once the capturing, recording and discovering of data is done, there should be a mechanism where the forensic solution puts the data in its proper place, meaning in a sensible format which can be easily understood by the investigator. The required analysis is different in different forensic situations; however, to shorten it down, an investigator's five questions should be answered by the forensic solution, namely: How? Where? What? When? and Why?

    Managing the data

    When a forensic solution has loads of data to manage, it should be ensured that proper data management facilities are available. To list a few, the solution must be able to define a range of dates, allowing the administrator to maintain data within a range, purge data within a range, etc. Also, it is the task of the solution to maintain a proper place and availability on a physical hard disk where the data will be stored. Henceforth we will learn about a forensic solution like iView, which is available on appliances like Cyberoam and also as an open-source reporting solution.

    Understanding Data Recording

    A reporting solution like iView offers a single view of the entire network activity. This allows organizations not just to view information across hundreds of users, applications and protocols; it also helps them correlate the information, giving them a comprehensive view of network activity.

    With iView, organizations receive logs and reports related to intrusions, attacks, spam and blocked attempts, both internal and external, enabling them to take rapid action throughout their network, anywhere in the world.

    Firewall Captures

    The UTM captures are represented on the Log Viewer page of the appliance. The Log Viewer page allows viewing the logs for modules like IPS, Web Filter, Anti Spam, Anti Virus and Firewall. This page gives consolidated information about all the events that have occurred.

    Web filter


    Application Filter

    Anti Virus
