When discussing wireless networks, it is important to have a fundamental knowledge of networking. We will start with TCP/IP networking and the OSI Reference Model. The OSI model has seven layers, each described below; the layers of the TCP/IP model correspond to groups of these OSI layers.
- Application layer (layer 7) —This layer enables communications with the host software, including the operating system. The application layer is the interface between host software and the network protocol stack. The sub-protocols of this layer support specific applications or types of data.
- Presentation layer (layer 6) —This layer translates the data received from the host software into a format acceptable to the network. This layer also performs this task in reverse for data going from the network to the host software.
- Session layer (layer 5) —This layer manages the communication channel, known as a session, between the endpoints of the network communication. A single transport layer connection between two systems can support multiple, simultaneous sessions.
- Transport layer (layer 4) —This layer provides end-to-end delivery of data between hosts (TCP and UDP operate here). The transport is independent of, and transparent to, the application.
- Network layer (layer 3) —This layer handles logical addressing (IP addresses) and routing traffic.
- Data link layer (layer 2) —This layer manages physical addressing (MAC addresses) and frames data for the specific link technology in use, such as Ethernet.
- Physical layer (layer 1) —This layer converts data into transmitted bits over the physical network medium.
Information that is sent across a network is divided into chunks, called packets. Packets exist in the OSI model at Layer 3 and are typically formatted according to the Internet Protocol—though you may come across many other protocols and their unique formats. Packets are divided into two parts:
- The header —Contains the addressing information (to and from) as well as any special handling instructions
- The payload —Contains the content
- The Ethernet header carries the source and destination MAC addresses.
- The IP header contains the source IP address, the destination IP address, and the protocol number identifying the protocol carried in the IP packet’s payload (for example 6 for TCP and 17 for UDP). These are critical pieces of information.
- The TCP header contains the source port, destination port, a sequence number, and several other fields. The sequence number marks where the segment’s data falls in the byte stream, which lets the receiver put segments back in order and notice what is missing. The TCP header also carries control flags (SYN, ACK, FIN, RST, PSH, URG) that are used to establish, manage and terminate the connection between the two communicating parties.
- Certain types of traffic carry a User Datagram Protocol (UDP) header instead of a TCP header. A UDP header still has source and destination port numbers, but it has no sequence number and no control flags.
The TCP three-way handshake used by TCP establishes a session between two systems. The first system sends a packet with the SYN flag set. The second system responds with a packet that has the SYN and ACK flags set. The first system responds with a packet with the ACK flag set. The two systems have now started a session.
Because a TCP connection is two-way, it needs to be “torn down” in both directions. The TCP connection termination process uses four packets. The first system sends a TCP packet with the ACK and FIN flags set requesting termination. The second system sends an ACK response. The second system then sends a packet with ACK and FIN flags set. The first system returns an ACK response.
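The open and close sequences described above, as an added example that is not part of the original notes: a wire-side tracker that walks a list of observed TCP packets through the three-way handshake and the four-packet termination, and reports an RST or any out-of-sequence packet. The packet tuples, the host names "client" and "server" and both sample exchanges are constructed for illustration; real traffic also carries PSH on many ACKs, which this strict version does not model.

```python
# Added example (not from the original notes): TCP open/close state tracker.
# Packets are (src, dst, flags) tuples; flags is a collection of flag names.
# State names follow RFC 793 from the viewpoint of the side performing the action.


def track_session(packets, client, server):
    """Return the list of states the connection passes through.

    Anything outside the normal open and close (or an RST) raises ValueError,
    so an out-of-sequence packet is reported instead of silently ignored.
    """
    state, closer = "CLOSED", None
    history = [state]
    for src, dst, flags in packets:
        flags = set(flags)
        if {src, dst} != {client, server}:
            raise ValueError(f"{src}->{dst} is not part of this session")
        if "RST" in flags:
            state = "CLOSED"                      # abortive close; no FIN exchange follows
        elif state == "CLOSED" and src == client and flags == {"SYN"}:
            state = "SYN_SENT"                    # handshake 1: client SYN
        elif state == "SYN_SENT" and src == server and flags == {"SYN", "ACK"}:
            state = "SYN_RECEIVED"                # handshake 2: server SYN/ACK
        elif state == "SYN_RECEIVED" and src == client and flags == {"ACK"}:
            state = "ESTABLISHED"                 # handshake 3: client ACK
        elif state == "ESTABLISHED" and flags == {"FIN", "ACK"}:
            closer, state = src, "FIN_WAIT_1"     # teardown 1: either side may close first
        elif state == "FIN_WAIT_1" and src != closer and flags == {"ACK"}:
            state = "FIN_WAIT_2"                  # teardown 2: peer acknowledges the FIN
        elif state == "FIN_WAIT_2" and src != closer and flags == {"FIN", "ACK"}:
            state = "LAST_ACK"                    # teardown 3: peer sends its own FIN/ACK
        elif state == "LAST_ACK" and src == closer and flags == {"ACK"}:
            state = "TIME_WAIT"                   # teardown 4: final ACK; closer waits 2*MSL
        else:
            raise ValueError(f"unexpected {sorted(flags)} from {src} in state {state}")
        history.append(state)
    return history


def is_valid_session(packets, client, server):
    """True if the packet list is a well-formed open/close (or RST-aborted) sequence."""
    try:
        track_session(packets, client, server)
        return True
    except ValueError:
        return False


# Constructed exchange: full open, then the client closes first.
NORMAL_EXCHANGE = [
    ("client", "server", {"SYN"}),
    ("server", "client", {"SYN", "ACK"}),
    ("client", "server", {"ACK"}),
    ("client", "server", {"FIN", "ACK"}),
    ("server", "client", {"ACK"}),
    ("server", "client", {"FIN", "ACK"}),
    ("client", "server", {"ACK"}),
]

# Constructed exchange: SYN to a closed port, answered with RST/ACK.
REFUSED_EXCHANGE = [
    ("client", "server", {"SYN"}),
    ("server", "client", {"RST", "ACK"}),
]

if __name__ == "__main__":
    print(" -> ".join(track_session(NORMAL_EXCHANGE, "client", "server")))
    print(" -> ".join(track_session(REFUSED_EXCHANGE, "client", "server")))
```

The tracker is deliberately strict: a SYN arriving with FIN set, or an ACK with no preceding handshake, falls through to the error branch, which is exactly what an analyst wants flagged.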
Sometimes a host needs to terminate a connection immediately, for example because the destination port is closed or a timeout has occurred. It does this by sending a packet with the Reset (RST) flag set, which aborts the connection without the four-packet termination. A legitimate initial SYN never carries the FIN or RST flag as well; a SYN/FIN or SYN/RST packet is crafted and indicates a scan or an attempt to get past a firewall’s connection tracking.
A Christmas tree scan sends a TCP packet to the target with the URG, PSH and FIN flags set. It is called a Christmas tree scan because of the pattern of alternating on and off bits in the flags byte. No legitimate connection produces this combination; the response, or lack of one, tells the scanner whether the port is open.
The null scan turns off all flags, producing a TCP packet with no flags set at all. This never happens in real communications. A closed port typically answers with a RST (an error packet), while an open port ignores the packet, so the responses map the target’s open and closed ports.
When you are examining TCP/IP packet headers, look first at the ports, the IP addresses and the TCP flags. The MAC addresses in the lower-layer (Layer 2) header can also be useful, for example to identify which device on the local segment actually sent the frame. All of this is in addition to searching the actual data carried in the packets.
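The header fields listed above and the flag anomalies (SYN with FIN or RST, Christmas tree, null) put together, as an added example that is not part of the original notes: a small parser that walks an Ethernet II frame from Layer 2 to Layer 4 with the standard library `struct` module, pulls out the MAC addresses, IP addresses, protocol number, ports, sequence number and flags, and classifies the TCP flag combination. The frame builders, MAC and IP addresses and the sample capture are constructed fixtures (checksums left zero), not real traffic.

```python
import struct

# Added example (not from the original notes): header parser and flag classifier.
# TCP flag bits as they appear in the low byte of the 16-bit data-offset/flags field.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def tcp_header(sport, dport, flags, seq=1000):
    """20-byte TCP header with the given flag names; checksum left zero (fixture only)."""
    bits = sum(TCP_FLAGS[f] for f in flags)
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, bits, 65535, 0, 0)


def udp_header(sport, dport):
    """8-byte UDP header: ports and length only, no sequence number and no flags."""
    return struct.pack("!HHHH", sport, dport, 8, 0)


def build_frame(src_ip, dst_ip, proto, l4,
                src_mac="02:00:00:00:00:01", dst_mac="02:00:00:00:00:02"):
    """Constructed Ethernet II + IPv4 frame wrapping a Layer 4 header (no payload)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00"   # EtherType 0x0800 = IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    return eth + ip + l4


def parse_frame(frame):
    """Walk Layer 2 -> 3 -> 4 and return the fields an analyst checks first."""
    dst_mac, src_mac = frame[0:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IP header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]                                 # 6 = TCP, 17 = UDP
    l4 = ip[ihl:total_len]
    info = {"src_mac": ":".join(f"{b:02x}" for b in src_mac),
            "dst_mac": ":".join(f"{b:02x}" for b in dst_mac),
            "src_ip": ".".join(str(b) for b in ip[12:16]),
            "dst_ip": ".".join(str(b) for b in ip[16:20]),
            "proto": proto}
    if proto == 6:
        sport, dport, seq, _ack, offset_flags = struct.unpack("!HHIIH", l4[:14])
        info.update(sport=sport, dport=dport, seq=seq,
                    flags={name for name, bit in TCP_FLAGS.items() if offset_flags & bit})
    elif proto == 17:
        sport, dport = struct.unpack("!HH", l4[:4])
        info.update(sport=sport, dport=dport)     # UDP: no sequence number, no flags
    return info


def classify_tcp_flags(flags):
    """Label flag combinations that never occur in legitimate traffic."""
    flags = set(flags)
    if not flags:
        return "null scan: no flags set"
    if "SYN" in flags and flags & {"FIN", "RST"}:
        return "invalid: SYN combined with FIN/RST, crafted packet"
    if {"FIN", "PSH", "URG"} <= flags and not flags & {"SYN", "ACK", "RST"}:
        return "Xmas scan: FIN+PSH+URG"
    return "normal"


def triage(frames):
    """Parse each frame and attach a verdict to every TCP segment."""
    results = []
    for frame in frames:
        info = parse_frame(frame)
        verdict = classify_tcp_flags(info["flags"]) if info["proto"] == 6 else "udp"
        results.append((info["src_ip"], info.get("dport"), verdict))
    return results


# Constructed sample capture: a normal SYN, an Xmas probe, a null probe and a UDP datagram.
SAMPLE_FRAMES = [
    build_frame("192.0.2.10", "192.0.2.20", 6, tcp_header(40000, 80, ["SYN"])),
    build_frame("198.51.100.7", "192.0.2.20", 6, tcp_header(40001, 22, ["FIN", "PSH", "URG"])),
    build_frame("198.51.100.7", "192.0.2.20", 6, tcp_header(40002, 23, [])),
    build_frame("192.0.2.10", "192.0.2.53", 17, udp_header(53000, 53)),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_FRAMES):
        print(row)
```

Note that the parser honours the IP header length field rather than assuming 20 bytes, so a frame with IP options is still decoded correctly; the classifier only needs the flag set, so it can be reused on flags extracted by any other tool.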
The payload is the body or information content of a packet. This is the actual content that the packet is delivering to the destination. If a packet is fixed length, the payload may be padded with blank information or a specific pattern to make it the right size.
The TCP (OSI model Layer 4) and IP (OSI model Layer 3) portions of a unit of information transfer contain only a header and payload. However, if the Layer 2 portion of a unit of information transfer is analyzed, then in addition to a header and payload there is also a part at the end called the trailer; in Ethernet this is the frame check sequence (FCS), a checksum used to detect transmission errors.
A port is a number that identifies a channel in which communication can occur. Just as your television may have one cable coming into it but many channels you can view, your computer may have one cable coming into it but many network ports you can communicate on. There are 65,536 possible ports (0 through 65535), divided into three distinct ranges, and some are used far more often than others. There are certain ports a forensic analyst should know on sight. Knowing what port a packet was destined for (or coming from) indicates which service it was most likely using, which can be invaluable information, although nothing prevents an attacker from running a service on an unexpected port.
Type of port          Port numbers
Well-known ports      0 to 1023
Registered ports      1024 to 49151
Dynamic ports         49152 to 65535
Consider the information you gather from these ports. Assume you capture traffic going to and from a database server on port 21. This suggests someone is using FTP to upload or download files with that server. But you query the network administrator and find that FTP is not used on the database server. This is likely a sign of an intruder or, at the very least, of an insider who is not adhering to system policy.
Frequent attempts to connect to a Web server on port 23 (Telnet) are evidence of probing for a service that should not be there, and of a well-known old hacker trick: using a Telnet client to open a raw connection to a server and grab its banner. Against a Web server the same trick is used on port 80, sending a hand-typed HTTP request to read the Server header. Either way, the banner lets the hacker determine the exact operating system and Web server software unless the system administrator has modified the banner to defeat this trick.
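The two scenarios above (FTP traffic to a database server, repeated Telnet attempts against a Web server) turned into detection logic, as an added example that is not part of the original notes. It classifies destination ports into the three ranges from the table, keeps a short list of services an analyst should recognise, and audits flow records against an assumed per-host role policy. The record format, the host addresses, the role policy and the sample flows are all constructed for illustration.

```python
from collections import Counter

# Added example (not from the original notes): unexpected-service audit of flow records.
# IANA port ranges from the table above.
PORT_RANGES = (("well-known", 0, 1023), ("registered", 1024, 49151), ("dynamic", 49152, 65535))

# A few services an analyst should recognise on sight (assumed subset, not exhaustive).
COMMON_SERVICES = {21: "FTP", 22: "SSH", 23: "Telnet", 25: "SMTP", 53: "DNS",
                   80: "HTTP", 443: "HTTPS", 1433: "MSSQL", 3306: "MySQL", 3389: "RDP"}

# Assumed role policy: which destination ports each server is expected to serve.
EXPECTED_PORTS = {
    "10.0.0.5": ("database server", {1433}),
    "10.0.0.8": ("web server", {80, 443}),
}


def port_type(port):
    for name, low, high in PORT_RANGES:
        if low <= port <= high:
            return name
    raise ValueError(f"port out of range: {port}")


def parse_flow(line):
    """Parse one constructed flow record: '<ts> <src>:<sport> -> <dst>:<dport> <proto>'."""
    ts, src, arrow, dst, proto = line.split()
    if arrow != "->":
        raise ValueError(f"malformed flow record: {line!r}")
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return {"ts": ts, "src_ip": src_ip, "sport": int(sport),
            "dst_ip": dst_ip, "dport": int(dport), "proto": proto}


def audit_flows(lines, policy=EXPECTED_PORTS, repeat_threshold=3):
    """Flag traffic to a policed host on a port its role does not include.

    Repeated attempts from one source (e.g. many Telnet connections to a web
    server) are counted so banner grabbing or brute forcing stands out.
    """
    attempts = Counter()
    for line in lines:
        flow = parse_flow(line)
        role = policy.get(flow["dst_ip"])
        if role is None or flow["dport"] in role[1]:
            continue                              # host not policed, or expected service
        attempts[(flow["src_ip"], flow["dst_ip"], flow["dport"])] += 1

    findings = []
    for (src, dst, dport), count in sorted(attempts.items()):
        findings.append({
            "src": src, "dst": dst, "dport": dport,
            "role": policy[dst][0],
            "service": COMMON_SERVICES.get(dport, f"unknown {port_type(dport)} port"),
            "count": count,
            "severity": "high" if count >= repeat_threshold else "medium",
        })
    return findings


# Constructed flow records (not real traffic).
SAMPLE_FLOWS = [
    "2024-05-01T10:00:01Z 10.0.0.50:51234 -> 10.0.0.8:443 tcp",
    "2024-05-01T10:00:02Z 203.0.113.7:40000 -> 10.0.0.8:23 tcp",
    "2024-05-01T10:00:03Z 203.0.113.7:40001 -> 10.0.0.8:23 tcp",
    "2024-05-01T10:00:04Z 203.0.113.7:40002 -> 10.0.0.8:23 tcp",
    "2024-05-01T10:00:05Z 10.0.0.60:51300 -> 10.0.0.5:1433 tcp",
    "2024-05-01T10:00:06Z 10.0.0.60:51301 -> 10.0.0.5:21 tcp",
    "2024-05-01T10:00:07Z 10.0.0.50:51235 -> 192.0.2.99:8080 tcp",
]

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(finding)
```

Only hosts present in the policy are judged, so traffic to unknown hosts is neither flagged nor hidden; extending the audit is a matter of adding a role entry, not changing the logic.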
A DoS attack can be targeted at a given server, but usually, the increased traffic affects the rest of the target network. In a DoS attack, the attacker uses one of three approaches. The attacker can damage the target machine’s ability to operate, overflow the target machine with too many open connections at the same time, or use up the bandwidth to the target machine. In a DoS attack, the attacker usually floods the network with malicious packets, preventing legitimate network traffic from passing. The following sections discuss specific types of DoS attacks.
In a ping of death attack, an attacker sends an ICMP echo request that is larger than the target machine can accept: the datagram is sent in fragments which, once reassembled, exceed the 65,535-byte maximum size of an IP packet and overflow the receiving buffer. At one time this form of attack caused many operating systems to lock up or crash until vendors released patches to deal with ping of death attacks. Firewalls can be configured to block incoming ICMP packets completely, or to drop ICMP packets that are malformed or unusually large; a normal echo request is small, typically 84 bytes including the 20-byte IP header (an 8-byte ICMP header plus 56 bytes of data, the Linux ping default).
Related to the ping of death is the ping flood. The ping flood simply sends a tremendous number of ICMP packets to the target, hoping to overwhelm it. From a single source this attack is ineffective against modern servers: one machine cannot generate enough pings to render a server, or even most workstations, unresponsive. But when executed by a large number of coordinated source computers against a single target, this attack can be very effective. This second variety of ping flood falls into the category called a distributed denial of service (DDoS) attack.
A teardrop attack is a denial-of-service (DoS) attack that sends deliberately malformed fragmented packets to a target machine. Because of a bug in the target’s TCP/IP fragment reassembly code, fragments whose offsets overlap one another cannot be reassembled correctly, crashing the target. This affected older operating systems such as Windows 3.1x, Windows 95, Windows NT and versions of the Linux kernel prior to 2.1.63.
One of the fields in an IP header is the “fragment offset” field, which gives the starting position, or offset, of the data in a fragment relative to the data of the original, unfragmented packet (in units of eight bytes). Consecutive fragments should abut: each should start exactly where the previous one ends. If a fragment’s offset is smaller than the end (offset plus length) of the fragment before it, the two fragments overlap. A reassembly routine that does not expect this miscalculates how much data to copy, and a server vulnerable to teardrop attacks is unable to reassemble the packets, resulting in a denial-of-service condition.
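The two fragmentation attacks above (oversized reassembly for the ping of death, overlapping offsets for teardrop) checked in code, as an added example that is not part of the original notes: a fragment validator that sorts fragments by offset and refuses to reassemble when the total would exceed 65,535 bytes, when a fragment starts inside the one before it, when a fragment is missing, or when a non-final fragment is not a multiple of eight bytes. The fragment tuples and the three sample sets are constructed; the offsets are in the 8-byte units the IP header uses.

```python
# Added example (not from the original notes): safe IP fragment reassembly.
MAX_IP_PACKET = 65535      # largest total length the 16-bit IP length field allows
IPV4_HEADER = 20


def check_fragments(fragments):
    """Validate the fragments of one IP datagram.

    fragments: list of (offset_units, payload, more_fragments) as read from the
    IP header: fragment offset in 8-byte units, the fragment's payload bytes,
    and the MF flag. Returns (status, detail) where status is 'ok', 'oversize'
    (ping of death), 'overlap' (teardrop), 'incomplete' or 'bad_alignment'.
    """
    frags = sorted(fragments, key=lambda f: f[0])
    if not frags:
        return "incomplete", 0
    end = 0                                   # payload bytes accounted for so far
    for offset_units, payload, more in frags:
        start = offset_units * 8
        if IPV4_HEADER + start + len(payload) > MAX_IP_PACKET:
            return "oversize", IPV4_HEADER + start + len(payload)
        if start < end:
            return "overlap", (start, end)    # this fragment starts inside the previous one
        if start > end:
            return "incomplete", end          # gap: a fragment is missing or still in flight
        if more and len(payload) % 8:
            return "bad_alignment", start     # non-final fragments carry multiples of 8 bytes
        end = start + len(payload)
    if frags[-1][2]:
        return "incomplete", end              # highest fragment still has MF set
    return "ok", end


def reassemble(fragments):
    """Concatenate payloads only when check_fragments accepts them; otherwise raise."""
    status, detail = check_fragments(fragments)
    if status != "ok":
        raise ValueError(f"refusing to reassemble: {status} {detail}")
    return b"".join(payload for _, payload, _ in sorted(fragments, key=lambda f: f[0]))


# Constructed fragment sets (offset in 8-byte units, payload, MF flag).
NORMAL_PING = [(0, b"\x08\x00" + b"\x00" * 62, False)]       # one 64-byte ICMP echo, 84 bytes on the wire
TEARDROP = [(0, b"A" * 32, True), (2, b"B" * 8, False)]       # second fragment starts at byte 16, inside the first
PING_OF_DEATH = [(0, b"C" * 1480, True), (8189, b"D" * 1480, False)]   # last fragment ends past 65,535 bytes

if __name__ == "__main__":
    for name, frags in (("normal ping", NORMAL_PING), ("teardrop", TEARDROP),
                        ("ping of death", PING_OF_DEATH)):
        print(name, check_fragments(frags))
```

The oversize test runs before the gap test so that a ping of death is reported as such even when its middle fragments have not arrived; in a real stack the 'incomplete' case would hold the fragments until a reassembly timer expires.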
Forensic network analysis uses the tools and techniques of the network trade. Network monitoring helps get the “big picture” perspective, an insight into how networks and systems behave. Network analysis takes a deeper look at the traces between systems, networks, and intruders.
When investigating a network attack, there may be evidence on each device in the path from the attacking system to the victim. Devices such as routers, virtual private networks (VPNs), firewalls, and intrusion detection systems (IDSs), generate logs that may reveal valuable forensic evidence. You can often determine the source, nature, and time of an attack by analyzing log files of the compromised system. Log files can show how an attacker entered a network. They can also help find the source of illicit activities. For example, log files from servers and Windows security event logs on domain controllers can attribute activities to a specific user account.
Investigators can use log files in court if the files meet certain requirements. To use log files in court, the logs must be created reasonably concurrently with the events they record, the log files must not be tampered with, and the logs must be kept as a regular business practice. This means that logging instituted only after an incident has begun does not qualify as a customary business practice. This is one of the reasons security professionals recommend routinely logging events in an organization. For example, an organization can configure an IDS to capture network traffic whenever a specific condition occurs, such as whenever an alert is generated.