Difference between pages "Tools:Network Forensics" and "Proxy server"

From Forensics Wiki

Tools:Network Forensics

=Network Forensics Packages and Appliances=
{{expand}}
; [[Burst]]
: http://www.burstmedia.com/release/advertisers/geo_faq.htm
: Expensive IP geo-location service.

; [[chkrootkit]]
: http://www.chkrootkit.org

; [[cryptcat]]
: http://farm9.org/Cryptcat/

; [[Enterasys Dragon]]
: http://www.enterasys.com/products/advanced-security-apps/index.aspx
: Intrusion Detection System, includes session reconstruction.

; [[MaxMind]]
: http://www.maxmind.com
: [[IP geolocation]] services and data provider for offline geotagging. Free GeoLite country database. Programmable APIs.

; [[netcat]]
: http://netcat.sourceforge.net/

; [[netflow]]/[[flowtools]]
: http://www.cisco.com/warp/public/732/Tech/nmp/netflow/index.shtml
: http://www.splintered.net/sw/flow-tools/
: http://silktools.sourceforge.net/
: http://www.vmware.com/vmtn/appliances/directory/293 Netflow Appliance (VMWare)

; NetIntercept
: http://www.sandstorm.net/products/netintercept
: NetIntercept captures whole packets and reassembles up to 999,999 TCP connections at once, reconstructing files that were sent over your network and creating a database of its findings. It recognizes over 100 types of network protocols and file types, including web traffic, multimedia, email, and IM.

; [[NetworkMiner]]
: http://networkminer.wiki.sourceforge.net/NetworkMiner
: NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows. NetworkMiner can be used as a passive network sniffer/packet capturing tool or to parse PCAP files for off-line analysis.

; [[rkhunter]]
: http://rkhunter.sourceforge.net/

; [[ngrep]]
: http://ngrep.sourceforge.net/

; [[nslookup]]
: http://en.wikipedia.org/wiki/Nslookup
: Name Server Lookup: command-line tool to resolve a domain name to its IP address (and an IP address back to a name).

; [[Sguil]]
: http://sguil.sourceforge.net/

; [[Snort]]
: http://www.snort.org/

; [[ssldump]]
: http://ssldump.sourceforge.net/

; [[tcpdump]]
: http://www.tcpdump.org

; [[tcpxtract]]
: http://tcpxtract.sourceforge.net/

; [[tcpflow]]
: http://www.circlemud.org/~jelson/software/tcpflow/

; [[truewitness]]
: http://www.nature-soft.com/forensic.html
: Linux/open-source. Based in India.

; [[etherpeek]]
: http://www.wildpackets.com/products/etherpeek/overview

; [[Whois]]
: http://en.wikipedia.org/wiki/WHOIS Web service and command-line tool to look up registry information for an Internet domain or IP address block.
: http://www.arin.net/registration/agreements/bulkwhois.pdf Bulk WHOIS data request from ARIN

; [[IP Regional Registries]]
: http://www.arin.net/community/rirs.html
: http://www.arin.net/index.shtml American Registry for Internet Numbers (ARIN)
: http://www.afrinic.net/ African Network Information Center (AfriNIC)
: http://www.apnic.net/ Asia Pacific Network Information Centre (APNIC)
: http://www.lacnic.net/en/ Latin American and Caribbean IP Address Regional Registry (LACNIC)
: http://www.ripe.net/ RIPE Network Coordination Centre (RIPE NCC)

; [[Wireshark/Ethereal]]
: http://www.wireshark.org/
: Open Source protocol analyzer previously known as Ethereal.

; [[Xplico]]
: http://www.xplico.org/
: Open Source Network Forensic Analysis Tool (NFAT). Protocols supported: [http://www.xplico.org/status.html HTTP, SIP, FTP, IMAP, POP, SMTP, TCP, UDP, IPv4, IPv6, ...]

=Command-line tools=

[[arp]] - view the contents of your ARP cache

[[ifconfig]] - view your MAC and IP address

[[ping]] - send packets to probe remote machines

[[tcpdump]] - capture packets

[[snoop]] - captures packets from the network and displays their contents ([[Solaris]])

[[nemesis]] - create arbitrary packets

[[tcpreplay]] - replay captured packets

[[traceroute]] - view a network path

[[gnetcast]] - GNU rewrite of netcat

[[packit]] - packet generator

[[nmap]] - utility for network exploration and security auditing

==ARP and Ethernet MAC Tools==

[[arping]] - transmit ARP traffic

[[arpdig]] - probe LAN for MAC addresses

[[arpwatch]] - watch ARP changes

[[arp-sk]] - ARP packet crafting tool, used for ARP cache poisoning and denial of service attacks

[[macof]] - CAM table attacks: floods a switch with random source MAC addresses until its forwarding table overflows (part of dsniff)

[[ettercap]] - performs various low-level Ethernet network attacks

==CISCO Discovery Protocol Tools==
[[cdpd]] - transmit and receive CDP announcements; provides forgery capabilities

==ICMP Layer Tests and Attacks==
[[icmp-reset]]

[[icmp-quench]]

[[icmp-mtu]]

[[ish]] - ICMP shell (like SSH, but uses ICMP)

[[isnprober]]

==IP Layer Tests==
[[iperf]] - throughput measurement tool (TCP and UDP, including UDP multicast tests)

[[fragtest]] - IP fragment reassembly test

==UDP Layer Tests==

[[udpcast]] - includes UDP-receiver and UDP-sender

==TCP Layer==

[[lft]] http://pwhois.org/lft - Layer Four Traceroute (TCP tracing)

[[etrace]] http://www.bindshell.net/tools/etrace

[[firewalk]] http://www.packetfactory.net
Proxy server

Revision as of 16:10, 16 October 2008

A proxy server is a server that services the requests of its clients by forwarding those requests to other servers. The remote server therefore sees the proxy, not the original client, as its peer, which is what makes proxies both useful and forensically awkward.


Overview

Proxy servers are widely used by organizations and individuals for different purposes:

  • Internet sharing (like NAT);
  • Traffic compression;
  • Accelerating service requests by retrieving content from cache;
  • and many others.

Proxy servers are also commonly used by individuals who wish to get around network policy:

  • In China, proxy servers are commonly used by individuals to get around national connectivity policies (user A can't reach website Z, but A can reach proxy server P, which can reach website Z).
  • Criminals frequently use proxy servers to hide the origin of their connections (user A connects to website Z through proxy server P; the packets arriving at Z carry P's source address, not A's). Only the proxy itself, if it keeps logs, still knows A's address, so the proxy operator's logs are the investigator's next stop.

HTTP proxies

These proxies speak HTTP themselves: the client sends its HTTP request to the proxy rather than to the origin server, and the proxy issues a new request to the origin on the client's behalf. The two captures below show how the client's request differs in the two cases.

Example request (direct; with relative URI):

GET / HTTP/1.1
Host: cryptome.org
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en; rv:1.9.0.3) Gecko/20080528 Epiphany/2.22 Firefox/3.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
If-Modified-Since: Tue, 14 Oct 2008 13:59:19 GMT
If-None-Match: "e01922-62e9-45937059ec2de"
Cache-Control: max-age=0

Example request (using proxy; with absolute URI):

GET http://cryptome.org/ HTTP/1.1
Host: cryptome.org
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en; rv:1.9.0.3) Gecko/20080528 Epiphany/2.22 Firefox/3.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
If-Modified-Since: Tue, 14 Oct 2008 13:59:19 GMT
If-None-Match: "e01922-62e9-45937059ec2de"
Cache-Control: max-age=0

Note: this HTTP request was intercepted on the way to the proxy server, i.e. on the client-to-proxy leg. The absolute URI in the request line and the Proxy-Connection header are visible only on that leg.

According to RFC 2068 (section 5.1.2):

The absoluteURI form is required when the request is being made to a proxy.

Note: the proxy rewrites the absolute URI to the relative (abs_path) form before forwarding, so the origin server receives a request line that looks exactly like the direct request above. A standards-compliant proxy also adds a Via header to the forwarded request (RFC 2068, section 14.44), but many do not; downstream of the proxy the request line alone does not reveal that a proxy was involved.

HTTPS proxies

The same as above, but the client's connection to the proxy is itself protected by SSL/TLS (HTTP over SSL/TLS), so the request shown above cannot be read off the wire between client and proxy.

HTTP proxies that support the CONNECT method are also sometimes called "HTTPS proxies", because CONNECT is how browsers reach HTTPS sites through a proxy: the proxy opens a TCP connection to the requested host:port and then blindly relays bytes in both directions without interpreting them. Such a proxy can therefore tunnel almost any TCP-based protocol, not only TLS, which is why CONNECT to unusual ports deserves attention in proxy logs.

Example request:

CONNECT home.netscape.com:443 HTTP/1.0
User-agent: Mozilla/1.1N

SOCKS proxies

SOCKS is an Internet protocol that allows client-server applications to transparently use the services of a network firewall (SOCKS version 5 is specified in RFC 1928). Unlike an HTTP proxy, a SOCKS proxy works below the application protocol: the client asks the proxy to open a TCP connection to a destination host and port, and once the proxy confirms, it relays raw bytes, so any TCP application can be carried. SOCKS5 adds authentication, IPv6 and UDP relaying to what SOCKS4 offered, and lets the client send a hostname rather than an address so that name resolution happens at the proxy and the client emits no DNS query for the destination.
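The SOCKS5 exchange described above, written out as the bytes each side sends, is an added example and not code from the Forensics Wiki page. The message builders and parsers follow RFC 1928; the proxy address, destination and reply bytes used in the usage call are constructed for illustration.

```python
"""SOCKS5 CONNECT exchange (RFC 1928): client greeting, method selection,
CONNECT request and reply, as the raw bytes that cross the wire."""
import socket
import struct

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
NO_AUTH, NO_ACCEPTABLE = 0x00, 0xFF

# Reply codes from RFC 1928 section 6; anything but 0x00 means no tunnel exists.
REPLY_CODES = {
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
    0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
    0x07: "command not supported", 0x08: "address type not supported",
}


def build_greeting(methods=(NO_AUTH,)):
    """Client -> proxy: VER, NMETHODS, METHODS. Offering only 0x00 means the
    client will not send credentials."""
    return bytes([SOCKS_VERSION, len(methods), *methods])


def parse_method_selection(data):
    """Proxy -> client: VER, METHOD. Returns the method the proxy chose."""
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        raise ValueError("malformed method selection: %r" % data)
    if data[1] == NO_ACCEPTABLE:
        raise ValueError("proxy accepts none of the offered auth methods")
    return data[1]


def build_connect(host, port):
    """Client -> proxy: VER, CMD, RSV, ATYP, DST.ADDR, DST.PORT.
    IP literals go as ATYP 1/4; anything else is sent as a name (ATYP 3) so the
    proxy resolves it and the client leaks no DNS query for the destination."""
    for family, atyp in ((socket.AF_INET, ATYP_IPV4), (socket.AF_INET6, ATYP_IPV6)):
        try:
            return (bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, atyp])
                    + socket.inet_pton(family, host) + struct.pack("!H", port))
        except OSError:
            continue  # not a literal of this family
    name = host.encode("idna")
    if len(name) > 255:
        raise ValueError("SOCKS5 carries at most 255 bytes of hostname")
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
            + name + struct.pack("!H", port))


def parse_reply(data):
    """Proxy -> client: VER, REP, RSV, ATYP, BND.ADDR, BND.PORT.
    Returns (bound_addr, bound_port) on success; raises ConnectionError on a
    non-zero REP so a refused connection can never be mistaken for a tunnel."""
    if len(data) < 5 or data[0] != SOCKS_VERSION:
        raise ValueError("malformed reply: %r" % data)
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr_len, family = 4, socket.AF_INET
    elif atyp == ATYP_IPV6:
        addr_len, family = 16, socket.AF_INET6
    elif atyp == ATYP_DOMAIN:
        addr_len, family = data[4] + 1, None  # length octet plus the name
    else:
        raise ValueError("unknown address type 0x%02x" % atyp)
    end = 4 + addr_len
    if len(data) < end + 2:
        raise ValueError("truncated reply: %r" % data)
    if family is None:
        addr = data[5:end].decode("idna")
    else:
        addr = socket.inet_ntop(family, data[4:end])
    port = struct.unpack("!H", data[end:end + 2])[0]
    if rep != 0x00:
        raise ConnectionError(REPLY_CODES.get(rep, "unknown reply code 0x%02x" % rep))
    return addr, port


def connect_via_socks5(proxy_host, proxy_port, dest_host, dest_port, timeout=10):
    """Run the full exchange against a live proxy and return the tunnelled socket.
    recv() may return a partial reply on a slow link; a production client loops."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    sock.sendall(build_greeting())
    parse_method_selection(sock.recv(2))
    sock.sendall(build_connect(dest_host, dest_port))
    parse_reply(sock.recv(262))  # longest reply: 4 + 1 + 255 + 2 octets
    return sock  # from here on, bytes written are relayed to dest_host:dest_port


if __name__ == "__main__":
    # Constructed proxy and destination; replace with a real SOCKS5 proxy to run.
    s = connect_via_socks5("192.0.2.10", 1080, "cryptome.org", 80)
    s.sendall(b"GET / HTTP/1.0\r\nHost: cryptome.org\r\n\r\n")
    print(s.recv(4096).decode("latin-1", "replace"))
```

On the wire, the only things a network capture shows between client and proxy are these few framing bytes followed by the application data; the destination appears once, in the CONNECT request, either as an address or as a name. That one message is where a capture-based investigation recovers where the client was really going.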

Web proxies (CGI proxies)

These are web sites that allow a user to access a site through them. They generally use PHP or CGI to implement the proxy functionality.

Example GET request from Anonymouse (to HTTP server):

GET / HTTP/1.0
Host: [scrubbed]:8080
User-Agent: http://Anonymouse.org/ (Unix)
Connection: keep-alive

Example GET request from HideMyAss.com:

GET / HTTP/1.0
Host: [scrubbed]:8080
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en; rv:1.9.0.3) Gecko/20080528 Epiphany/2.22 Firefox/3.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Proxy detection

Server-side

  • Additional HTTP headers: Via, X-Forwarded-For, Forwarded and vendor-specific headers added by the proxy, or Proxy-Connection left in by a proxy that failed to strip it. Client-supplied values such as X-Forwarded-For are unverifiable and easily forged; only the entry appended by the nearest hop can be trusted.
  • OS fingerprinting and User-Agent: a mismatch between the TCP/IP stack fingerprint of the connecting host and the operating system the User-Agent claims suggests an intermediary, as does a User-Agent that names a CGI proxy outright, like the Anonymouse request above.
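The checks listed under "Server-side", together with the client-to-proxy markers from the HTTP proxies and web proxies sections, combined into one request classifier. This is an added example, not code from the Forensics Wiki page. The first three sample requests are the ones captured on this page; the origin-side request with Via and X-Forwarded-For headers, and the proxy host name and addresses in it, are constructed for illustration.

```python
"""Flag HTTP requests that passed through a proxy, from request line and headers."""
import re

# Sent by clients only when they believe they are talking to a proxy.
CLIENT_TO_PROXY_HEADERS = {"proxy-connection", "proxy-authorization"}
# Added by intermediaries. Via is required of proxies by RFC 2068 s14.44; the
# X- headers are common but non-standard and trivially forgeable by the client.
INTERMEDIARY_HEADERS = {"via", "forwarded", "x-forwarded-for", "x-proxy-id", "x-bluecoat-via"}
# User-Agent tokens that name a CGI proxy outright (from the Anonymouse capture).
WEB_PROXY_UA_TOKENS = ("anonymouse.org",)
ABSOLUTE_URI = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def parse_request(raw):
    """Split a raw request head into (method, target, version, headers).
    Header names are lower-cased; repeated headers are kept in order."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    lines = [line for line in head.splitlines() if line.strip()]
    if not lines:
        raise ValueError("empty request")
    parts = lines[0].split(" ", 2) + ["", ""]
    method, target, version = parts[0], parts[1], parts[2]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("bad header line: %r" % line)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, target, version, headers


def proxy_indicators(raw):
    """Return the reasons this request involved a proxy; [] means none found."""
    method, target, version, headers = parse_request(raw)
    found = []
    if method.upper() == "CONNECT":
        found.append("CONNECT %s: tunnel request, only ever sent to a proxy" % target)
    elif ABSOLUTE_URI.match(target):
        found.append("absolute URI %s in request line (RFC 2068 s5.1.2 proxy form)" % target)
    for name in sorted(CLIENT_TO_PROXY_HEADERS & headers.keys()):
        found.append("%s header: client believed it was talking to a proxy" % name)
    for name in sorted(INTERMEDIARY_HEADERS & headers.keys()):
        found.append("%s: %s" % (name, ", ".join(headers[name])))
    ua = " ".join(headers.get("user-agent", [])).lower()
    for token in WEB_PROXY_UA_TOKENS:
        if token in ua:
            found.append("User-Agent names CGI proxy %s" % token)
    if "x-forwarded-for" in headers:
        # Rightmost entry was appended by the nearest proxy; entries to its left
        # were supplied by whoever sent the request, so treat them as leads only.
        chain = [ip.strip() for ip in ",".join(headers["x-forwarded-for"]).split(",")]
        found.append("claimed client chain: %s" % " -> ".join(chain))
    return found


UA = "Mozilla/5.0 (X11; U; Linux i686; en; rv:1.9.0.3) Gecko/20080528 Epiphany/2.22 Firefox/3.0"
DIRECT_REQUEST = "\r\n".join([
    "GET / HTTP/1.1", "Host: cryptome.org", "User-Agent: " + UA, "Connection: keep-alive", "", ""])
PROXIED_REQUEST = "\r\n".join([
    "GET http://cryptome.org/ HTTP/1.1", "Host: cryptome.org", "User-Agent: " + UA,
    "Proxy-Connection: keep-alive", "", ""])
CONNECT_REQUEST = "CONNECT home.netscape.com:443 HTTP/1.0\r\nUser-agent: Mozilla/1.1N\r\n\r\n"
ANONYMOUSE_REQUEST = "\r\n".join([
    "GET / HTTP/1.0", "Host: [scrubbed]:8080", "User-Agent: http://Anonymouse.org/ (Unix)",
    "Connection: keep-alive", "", ""])
# Constructed: what an origin server sees behind a well-behaved forwarding proxy.
ORIGIN_SIDE_REQUEST = "\r\n".join([
    "GET / HTTP/1.1", "Host: cryptome.org", "User-Agent: " + UA,
    "Via: 1.1 proxy.example.net", "X-Forwarded-For: 192.0.2.44, 198.51.100.7", "", ""])

if __name__ == "__main__":
    for label, req in [("direct", DIRECT_REQUEST), ("proxied", PROXIED_REQUEST),
                       ("connect", CONNECT_REQUEST), ("anonymouse", ANONYMOUSE_REQUEST),
                       ("origin-side", ORIGIN_SIDE_REQUEST)]:
        print(label, "->", proxy_indicators(req) or "no proxy indicators")
```

The direct request yields nothing, which is the point made above: once a proxy has rewritten the URI and stripped Proxy-Connection, the request line alone is silent, and the origin server is left with whatever Via or X-Forwarded-For the proxy chose to add.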