Difference between pages "SSL forensics" and "TCP timestamps"

From Forensics Wiki

= SSL forensics =

'''SSL (TLS) forensics''' is the process of capturing information exchanged through SSL (TLS) connections and trying to make sense of it in some kind of forensic capacity.

== Overview ==

TLS (''Transport Layer Security'') provides authentication and [[encryption]] for many network protocols, such as ''POP'', ''IMAP'', ''SMTP'' and ''HTTP''. It is also possible to tunnel almost any TCP-based protocol through TLS using tools such as [http://stunnel.mirt.net/ stunnel].

Generally, most TLS deployments require only the server to be authenticated, using a certificate signed by a CA the client trusts; the client is usually not authenticated at the TLS layer.

== Data decryption ==

Data exchanged through SSL (TLS) connections can be decrypted by performing a ''man-in-the-middle'' attack: the attacker intercepts the TLS handshake, presents the client with a substitute certificate for a key the attacker holds, and re-encrypts the traffic towards the real server. This only works if the client accepts the substitute certificate, i.e. it is signed by a CA the client trusts, the client does not validate certificates, or the user clicks through the warning. A capture recorded without such interception can be decrypted afterwards only if the server's private key is available and the session used RSA key exchange; ephemeral Diffie-Hellman suites provide forward secrecy and cannot be decrypted from the server key alone.

Some commercial [[network forensics]] systems can perform such an attack:

* Mera Systems [http://netbeholder.com/en/products/lawful_interception.html Sleek Buster] (supports forged certificates signed by a trusted CA)
* [http://www.edecision4u.com/edecision4u/Products.html E-Detective HTTPS/SSL Network Packet Forensics Device]

As well as some open-source tools:

* [http://ettercap.sourceforge.net/ ettercap] (unsupported, last version - 2005/05/29)
* [http://monkey.org/~dugsong/dsniff/ dsniff] (obsolete, last stable version - 2000/12/17)

== Other information ==

Even without decryption, the TLS protocol leaks some significant information in cleartext:

* Current date and time on the TLS client and server (the first four bytes of the 32-byte ''random'' field in the ClientHello and ServerHello are ''gmt_unix_time''; old versions of [[Firefox]] and [[Thunderbird]] leaked the system's uptime there instead);
* Hostname being accessed ("server_name" extension in the ClientHello);
* Original data size (the record layer does not hide the length of the application data; with a block cipher the length is only rounded up to the block size).
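Two of the leaks above, ''gmt_unix_time'' and the ''server_name'' extension, can be read straight out of the first packet of a connection. The following script is an added example and is not code from the Forensics Wiki page: it builds a minimal ClientHello by hand (constructed input, with the timestamp chosen to match this page's revision date) and parses the leaked fields back out. The record and handshake layout follows RFC 2246/RFC 5246; the function names are the example's own.

```python
"""Extract what a TLS ClientHello leaks in cleartext: gmt_unix_time and SNI.

Added example, not code from the Forensics Wiki page. The ClientHello is
constructed below so the script runs offline (TLS 1.0 record, TLS 1.2
handshake version, one cipher suite, one server_name extension).
"""
import struct
from datetime import datetime, timezone


def parse_client_hello(record: bytes) -> dict:
    """Parse a TLS record carrying a ClientHello and return the leaked fields."""
    content_type, rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 22:                       # 22 = handshake
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if body[0] != 1:                             # 1 = client_hello
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    client_ver = struct.unpack("!H", hello[:2])[0]
    gmt_unix_time = struct.unpack("!I", hello[2:6])[0]   # first 4 bytes of random
    pos = 34                                     # version(2) + random(32)
    pos += 1 + hello[pos]                        # session_id<0..32>
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]                        # compression_methods<1..255>
    server_name = None
    if pos + 2 <= len(hello):                    # extensions are optional
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            ext = hello[pos:pos + ext_size]
            pos += ext_size
            if ext_type == 0:                    # server_name (RFC 6066)
                p = 2                            # skip ServerNameList length
                while p + 3 <= len(ext):
                    name_type = ext[p]
                    name_len = struct.unpack("!H", ext[p + 1:p + 3])[0]
                    if name_type == 0:           # host_name
                        server_name = ext[p + 3:p + 3 + name_len].decode("ascii")
                    p += 3 + name_len
    return {
        "record_version": rec_ver,
        "client_version": client_ver,
        "gmt_unix_time": gmt_unix_time,
        "client_time": datetime.fromtimestamp(gmt_unix_time, tz=timezone.utc),
        "cipher_suites": suites,
        "server_name": server_name,
    }


def build_client_hello(gmt_unix_time: int, server_name: str, client_version=0x0303) -> bytes:
    """Constructed input for the example: a minimal ClientHello record."""
    random = struct.pack("!I", gmt_unix_time) + bytes(range(28))
    sni_entry = b"\x00" + struct.pack("!H", len(server_name)) + server_name.encode("ascii")
    sni_ext = struct.pack("!H", len(sni_entry)) + sni_entry
    extensions = struct.pack("!HH", 0, len(sni_ext)) + sni_ext
    hello = (struct.pack("!H", client_version) + random
             + b"\x00"                                   # empty session id
             + struct.pack("!HH", 2, 0x002F)             # TLS_RSA_WITH_AES_128_CBC_SHA
             + b"\x01\x00"                               # compression: null only
             + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, 0x0301, len(handshake)) + handshake


if __name__ == "__main__":
    info = parse_client_hello(build_client_hello(1216558680, "www.example.com"))
    print(info["server_name"], info["client_time"].isoformat())
```

On a real capture, feed the first TLS record of each client-to-server stream to ''parse_client_hello''; the ''gmt_unix_time'' value is only meaningful for clients that still fill it in (TLS 1.3 and many modern TLS 1.2 clients send random bytes there), and a client whose clock is far from the capture clock is itself a useful observation.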
 
== [[The Onion Router]] ==

[[Tor]] tunnels application data through TLS connections, and it is not possible to decrypt such connections by performing a traditional ''man-in-the-middle'' attack, because a Tor client verifies relays against keys published in the Tor directory rather than against CA-signed certificates. [[Tor]] also sends application data in fixed-size cells, which makes it harder to guess exactly how many bytes users are communicating.
 
== Links ==

* [http://rfc.net/rfc2246.html RFC 2246 (TLS 1.0)]
* [http://rfc.net/rfc4346.html RFC 4346 (TLS 1.1)]

[[Category:Network Forensics]]

= TCP timestamps =
Revision as of 12:58, 20 July 2008

'''TCP timestamps''' (the TCP ''Timestamps'' option, [http://rfc.net/rfc1323.html RFC 1323]) are used to provide protection against wrapped sequence numbers (PAWS) and to measure round-trip time. Because the sender's timestamp value (''TSval'') is a counter that starts at boot and ticks at a fixed rate, it is possible to calculate a system's uptime (and therefore its boot time) by analyzing the TCP timestamps in its packets (see below).

These calculated uptimes (and boot times) can help in detecting hidden network-enabled operating systems (see [[TrueCrypt]]), linking spoofed [[IP]] and [[MAC]] addresses together, linking [[IP]] addresses with Ad-Hoc wireless APs, etc.

== Supported Operating Systems ==

* BSD/OS
* [[FreeBSD]], but not the default configuration in versions 3 to 4.3
* HP-UX, recent versions
* IRIX
* [[Linux]], kernel 2.1 and later
* NetApp NetCache
* Solaris 2.6 and later
* [[Windows]] 2000, 2003, XP and Vista

== Limitations ==

Some operating systems do not send TCP timestamps unless the incoming TCP SYN packet already carries this option. For such hosts the capture must contain connections initiated by a peer that uses timestamps, or the analyst must open a connection to the target with the option set (which is what an active scan does).

The ''TSval'' counter does not necessarily start at zero at boot. Linux kernels from 4.10 onwards add a random offset to the timestamp for each address pair, so the value no longer reveals uptime; the tick rate can still be measured, but the computed "uptime" is then meaningless. The counter is also 32 bits wide, so at 1000 Hz it wraps every 49.7 days and an uptime beyond that cannot be distinguished from a shorter one.

== Method ==

* Find all TCP packets with the timestamp option (in [[Wireshark]] use the display filter ''tcp.options.time_stamp''; newer versions name the fields ''tcp.options.timestamp.tsval'' and ''tcp.options.timestamp.tsecr'');
* Calculate the target's clock frequency (e.g. 100 Hz or 1000 Hz) by comparing the change in ''TSval'' with the wall-clock interval between two (or more) packets captured over a known period of time;
* Use this frequency to calculate uptime (''TSval'' divided by the frequency) and boot time (capture time minus uptime).
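The three steps above carried out in code, as an added example that is not part of the original page. The packets are constructed by hand (a host with a 1000 Hz timestamp clock that has been up for three days, captured over a few seconds); the option walker follows the RFC 793 option encoding, the clock rate is fitted by least squares and snapped to the common rates in ''COMMON_HZ'' (an assumption of this example), and 32-bit counter wrap between samples is unwrapped before fitting.

```python
"""Uptime and boot-time estimation from the TCP Timestamps option (kind 8).

Added example for this page, not code from the Forensics Wiki. Every packet
below is constructed in build_tcp_header(); nothing is read from a network.
"""
import struct
from datetime import datetime, timezone

# Tick rates commonly seen for the TSval clock (assumption of this example).
COMMON_HZ = (100, 250, 300, 1000)


def tcp_timestamp(tcp_header):
    """Return (TSval, TSecr) from a raw TCP header, or None if the option is absent.

    Walks the option list (kind 0 = end, kind 1 = NOP, otherwise kind/len/data)
    and stops on a malformed length rather than reading past the header.
    """
    data_offset = (tcp_header[12] >> 4) * 4          # header length in bytes
    opts = tcp_header[20:data_offset]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                # End of option list
            break
        if kind == 1:                                # NOP has no length byte
            i += 1
            continue
        if i + 1 >= len(opts):
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):     # malformed: do not trust it
            break
        if kind == 8 and length == 10:               # Timestamps: TSval, TSecr
            return struct.unpack("!II", opts[i + 2:i + 10])
        i += length
    return None


def unwrap(tsvals):
    """Undo 32-bit wrap between consecutive TSval samples (capture order)."""
    out, offset = [], 0
    for idx, cur in enumerate(tsvals):
        if idx and cur < tsvals[idx - 1]:
            offset += 1 << 32
        out.append(cur + offset)
    return out


def estimate_clock_hz(samples):
    """samples: [(capture_time_seconds, tsval), ...] in capture order.

    Returns (raw_hz, snapped_hz): the least-squares slope of TSval against
    the capture clock, and the nearest rate in COMMON_HZ.
    """
    if len(samples) < 2:
        raise ValueError("need at least two timestamped packets")
    times = [t - samples[0][0] for t, _ in samples]
    vals = unwrap([v for _, v in samples])
    n = len(samples)
    mean_t, mean_v = sum(times) / n, sum(vals) / n
    num = sum((t - mean_t) * (v - mean_v) for t, v in zip(times, vals))
    den = sum((t - mean_t) ** 2 for t in times)
    if den == 0:
        raise ValueError("all packets have the same capture time")
    raw_hz = num / den
    return raw_hz, min(COMMON_HZ, key=lambda hz: abs(hz - raw_hz))


def uptime_and_boot(samples):
    """Return (uptime_seconds, boot_time_utc, hz) as of the last packet.

    Assumes TSval started at zero at boot and did not wrap before the capture
    began; hosts that randomise the TSval offset (Linux 4.10+) defeat this.
    """
    _, hz = estimate_clock_hz(samples)
    last_t = samples[-1][0]
    last_v = unwrap([v for _, v in samples])[-1]
    uptime = last_v / hz
    return uptime, datetime.fromtimestamp(last_t - uptime, tz=timezone.utc), hz


def build_tcp_header(tsval=None, tsecr=0, sport=40000, dport=80):
    """Constructed input: a TCP ACK header, with the Timestamps option if tsval is set."""
    opts = b"" if tsval is None else b"\x01\x01" + struct.pack("!BBII", 8, 10, tsval, tsecr)
    doff = (20 + len(opts)) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, doff << 4, 0x10, 65535, 0, 0) + opts


def demo_samples():
    """Constructed capture: a 1000 Hz host up for three days, five packets in 3.7 s."""
    t0 = 1_216_558_680.0                                   # 2008-07-20 12:58:00 UTC
    base = 3 * 24 * 3600 * 1000                            # 259 200 000 ticks
    capture = [(0.0, 0), (0.5, 498), (1.2, 1203), (2.0, 1999), (3.7, 3702)]
    return [(t0 + dt, tcp_timestamp(build_tcp_header(base + dv))[0]) for dt, dv in capture]


if __name__ == "__main__":
    up, boot, hz = uptime_and_boot(demo_samples())
    print(f"clock {hz} Hz, uptime {up / 86400:.2f} days, booted {boot.isoformat()}")
```

Feed ''uptime_and_boot'' with one sample list per source address (or per source address and TCP port group when several hosts may share an address); a host whose fitted rate is far from every entry in ''COMMON_HZ'', or whose implied boot time moves between connections, is a sign of a randomised offset rather than a real uptime.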

The following tools can automate this process:

* [[Nmap]] (only active scan; the "Uptime guess" line of its OS detection output is derived from TCP timestamps)
* p0f (passive fingerprinting; reports uptime from the timestamps of observed connections)

== Links ==

* [http://rfc.net/rfc1323.html RFC 1323]
* http://uptime.netcraft.com/

[[Category:Network Forensics]]