NETWORK SECURITY FORENSIC

The effectiveness of network forensics depends heavily on the network security tools an organization has already deployed, because those tools are where most of the evidence ends up. We have covered common enterprise security solutions such as firewalls, intrusion detection/prevention systems and web proxies in a separate article.

This article gives an overview of specific, freely available tools used by security professionals that can play an important role in network forensic investigations.

Aircrack-ng
According to the official website, “Aircrack-ng is a complete suite of tools to assess WiFi network security. It focuses on different areas of WiFi security such as monitoring, attacking, testing and cracking.”

All tools in the aircrack-ng suite run from the command line, which makes them easy to script and to build other tooling around. The suite is primarily used by security professionals during wireless security assessments, but the same tools and techniques can also be used to investigate wireless networks. For instance, to identify rogue access points within range, airmon-ng is first used to put the wireless card into monitor mode (for example, airmon-ng start wlan0), and airodump-ng then lists every access point it sees, with its BSSID (MAC address), channel, encryption type, ESSID and the client stations associated with it. Using --write with --output-format csv, airodump-ng also writes these results to a CSV file that can be compared offline against the list of authorised access points.
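The offline comparison described above, as an added example that is not part of the original article or of the aircrack-ng project: it parses the CSV that airodump-ng writes and flags any access point advertising the corporate ESSID from a BSSID that is not on the authorised list. The ESSID, the authorised BSSIDs and the whole CSV sample are constructed for illustration (the column layout follows the header airodump-ng writes, an access-point section followed by a blank line and a station section).

```python
"""Flag rogue or evil-twin access points in an airodump-ng CSV export.

Added example, not part of the original article or of aircrack-ng. It
assumes a survey was recorded with:
    airmon-ng start wlan0
    airodump-ng --write survey --output-format csv wlan0mon
and that the BSSIDs of the authorised corporate access points are known.
The ESSID, MAC addresses and CSV text below are constructed for illustration.
"""
import csv

CORP_ESSID = "CorpWiFi"                                          # assumption
AUTHORISED_BSSIDS = {"AA:BB:CC:00:00:01", "AA:BB:CC:00:00:02"}   # assumption

# Constructed sample in the airodump-ng CSV layout: an access-point section,
# a blank line, then a station (client) section.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:00:00:01, 2024-01-10 09:00:01, 2024-01-10 09:30:12,  6,  54, WPA2, CCMP, PSK, -41,  812, 0,   0.  0.  0.  0,  8, CorpWiFi,
AA:BB:CC:00:00:02, 2024-01-10 09:00:03, 2024-01-10 09:30:10, 11,  54, WPA2, CCMP, PSK, -55,  790, 0,   0.  0.  0.  0,  8, CorpWiFi,
DE:AD:BE:EF:00:01, 2024-01-10 09:12:44, 2024-01-10 09:30:11,  6,  54, OPN ,     ,    , -38,  410, 0,   0.  0.  0.  0,  8, CorpWiFi,
12:34:56:78:9A:BC, 2024-01-10 09:05:00, 2024-01-10 09:29:59,  1,  54, WPA2, CCMP, PSK, -70,  300, 0,   0.  0.  0.  0, 12, Neighbour-5G,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
66:77:88:99:AA:BB, 2024-01-10 09:13:00, 2024-01-10 09:29:00, -50, 120, DE:AD:BE:EF:00:01, CorpWiFi
66:77:88:99:AA:CC, 2024-01-10 09:02:00, 2024-01-10 09:29:30, -60, 900, AA:BB:CC:00:00:01, CorpWiFi,Neighbour-5G
"""


def _parse_section(lines):
    """Parse one section (header row + data rows) into a list of dicts."""
    rows = list(csv.reader(lines))
    header = [h.strip() for h in rows[0]]
    out = []
    for row in rows[1:]:
        fields = [f.strip() for f in row]
        if len(fields) > len(header):          # probed ESSIDs are comma separated
            fields = fields[:len(header) - 1] + [",".join(fields[len(header) - 1:])]
        fields += [""] * (len(header) - len(fields))   # e.g. an empty Key column
        out.append(dict(zip(header, fields)))
    return out


def parse_airodump_csv(text):
    """Split the export on blank lines into the AP and station sections."""
    sections, current = [], []
    for line in text.splitlines():
        if line.strip():
            current.append(line)
        elif current:
            sections.append(current)
            current = []
    if current:
        sections.append(current)
    aps = _parse_section(sections[0]) if sections else []
    stations = _parse_section(sections[1]) if len(sections) > 1 else []
    return aps, stations


def find_rogue_aps(aps, corp_essid=CORP_ESSID, authorised=AUTHORISED_BSSIDS):
    """Return APs advertising the corporate ESSID from a BSSID that is not on
    the authorised list, each with a 'reason' describing why it was flagged."""
    authorised = {b.upper() for b in authorised}
    legit_channels = {ap["channel"] for ap in aps
                      if ap["ESSID"] == corp_essid and ap["BSSID"].upper() in authorised}
    rogues = []
    for ap in aps:
        if ap["ESSID"] != corp_essid or ap["BSSID"].upper() in authorised:
            continue
        reason = "corporate ESSID from unauthorised BSSID"
        if ap["Privacy"] == "OPN":
            reason += "; open network (possible evil twin / captive portal)"
        if ap["channel"] in legit_channels:
            reason += "; same channel as an authorised AP"
        rogues.append(dict(ap, reason=reason))
    return rogues


def clients_of(stations, bssid):
    """Station MACs seen associated with the given BSSID (victims of a rogue AP)."""
    return [s["Station MAC"] for s in stations if s["BSSID"].upper() == bssid.upper()]


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    for rogue in find_rogue_aps(aps):
        print("%s ch%s %s: %s" % (rogue["BSSID"], rogue["channel"], rogue["Privacy"], rogue["reason"]))
        print("  associated clients:", clients_of(stations, rogue["BSSID"]))
```

In a real survey the CSV is read from the file airodump-ng wrote (survey-01.csv for the options above) instead of SAMPLE_CSV; the station section is what turns "there is a rogue AP" into "these client MACs talked to it", which is usually the question an investigation needs answered.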

Wireshark
Wireshark is an open-source tool for capturing and analyzing traffic through a graphical user interface. On the system where Wireshark is running, one chooses the interface on which traffic is to be captured. Wireshark supports two kinds of filters: capture filters, which use the same BPF syntax as tcpdump and decide what is written to disk, and display filters, which only change what is shown and can be changed freely during analysis. The display filters in particular make it easy to perform both troubleshooting and investigations.

Wireshark is a traffic capture and analysis tool rather than an offensive network security tool, and it is of great help during network forensic investigations. Its command-line companion, tshark, applies the same protocol dissectors and display filters to capture files and is better suited to scripting over large captures.

tcpdump
Tcpdump is a popular command-line tool for capturing and analyzing network traffic, primarily on Unix-based systems. With tcpdump -w, captured traffic is written to a file in pcap (libpcap) format, which Wireshark and other tools can open for further analysis, and tcpdump -r reads such a file back. Tcpdump can be used either for a quick packet capture during troubleshooting or for capturing traffic continuously in large volumes for later analysis.

It is worth noting that tcpdump captures whole frames, including the layer 2 headers (shown with -e) as well as the layer 3 and higher data, so the size of the capture file grows with the volume of traffic and can quickly exhaust disk space. Limiting the snap length with -s keeps only the first bytes of each packet and saves space, but it also discards payload that may later be needed as evidence, so full-packet capture with rotating files (-C to cap the size of each file, -W to limit how many files are kept) is the usual compromise. Tcpdump also supports BPF filters to capture only the traffic of interest, or to exclude traffic that is not needed. One should be extra cautious with this feature, because a capture filter permanently drops everything it excludes and can lead to missing potential evidence. It is therefore recommended to capture as much traffic as possible and to filter during later analysis, where a filter can be changed and rerun at no cost.
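The pcap format that ties tcpdump and Wireshark together, and the two caveats above (snap length truncation versus analysis-time filtering), as an added example that is not part of the original article, tcpdump or Wireshark. It writes a libpcap file with the standard library, reads it back, and shows that an analysis-time filter can be applied and changed at will while a short snap length has already thrown payload away. The three frames, their addresses and timestamps are constructed; the IP checksum is computed properly so the resulting file opens cleanly in Wireshark or with tcpdump -r.

```python
"""Write and read libpcap files (the format of tcpdump -w and Wireshark)
with the standard library only. Added example, not from the original
article, tcpdump or Wireshark. All frames below are constructed."""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4     # microsecond-resolution pcap magic
LINKTYPE_ETHERNET = 1


def ip_checksum(header):
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\0"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_ip, dst_ip, proto, sport, dport, payload):
    """Ethernet + IPv4 + UDP (proto 17) or TCP (proto 6) frame."""
    if proto == 17:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    elif proto == 6:   # minimal 20-byte TCP header, data offset 5, flags PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    else:
        raise ValueError("unsupported protocol %d" % proto)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0x4000, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + l4


def write_pcap(frames, snaplen=65535):
    """Serialise (timestamp, frame) pairs as pcap bytes, truncating each
    record to snaplen exactly as tcpdump -s <snaplen> would."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for ts, frame in frames:
        sec = int(ts)
        data = frame[:snaplen]
        out += struct.pack("<IIII", sec, round((ts - sec) * 1e6), len(data), len(frame)) + data
    return bytes(out)


def decode_frame(ts, frame, orig_len):
    """Decode Ethernet/IPv4/UDP|TCP fields; unknown frames keep only sizes."""
    pkt = {"ts": ts, "captured": len(frame), "original": orig_len,
           "truncated": len(frame) < orig_len}
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return pkt
    ihl = (frame[14] & 0x0F) * 4
    pkt["ip_ok"] = ip_checksum(frame[14:14 + ihl]) == 0     # valid header sums to 0
    pkt["proto"] = frame[23]
    pkt["src"] = socket.inet_ntoa(frame[26:30])
    pkt["dst"] = socket.inet_ntoa(frame[30:34])
    l4 = frame[14 + ihl:]
    if pkt["proto"] in (6, 17) and len(l4) >= 4:
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", l4[:4])
        hdr = 8 if pkt["proto"] == 17 else ((l4[12] >> 4) * 4 if len(l4) >= 13 else 20)
        pkt["payload"] = l4[hdr:]
    return pkt


def read_pcap(data):
    """Parse pcap bytes (either byte order) into a list of decoded packets."""
    magic, = struct.unpack("<I", data[:4])
    endian = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a microsecond pcap file")
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled")
    pkts, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl, orig = struct.unpack(endian + "IIII", data[off:off + 16])
        pkts.append(decode_frame(sec + usec / 1e6, data[off + 16:off + 16 + incl], orig))
        off += 16 + incl
    return pkts


def filter_packets(pkts, **criteria):
    """Analysis-time filter: keep packets whose fields equal every criterion."""
    return [p for p in pkts if all(p.get(k) == v for k, v in criteria.items())]


# Constructed traffic: a DNS query, an HTTP request and an odd UDP beacon.
SAMPLE_FRAMES = [
    (1704877200.000123, build_frame("10.0.0.5", "10.0.0.53", 17, 51000, 53,
        b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x03www\x07example\x03com\x00\x00\x01\x00\x01")),
    (1704877200.100456, build_frame("10.0.0.5", "93.184.216.34", 6, 51001, 80,
        b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")),
    (1704877201.250000, build_frame("10.0.0.5", "203.0.113.9", 17, 51002, 4444, b"beacon-" + b"A" * 40)),
]

if __name__ == "__main__":
    with open("sample.pcap", "wb") as fh:        # open with Wireshark or tcpdump -r sample.pcap
        fh.write(write_pcap(SAMPLE_FRAMES))
    for p in filter_packets(read_pcap(write_pcap(SAMPLE_FRAMES)), proto=17, dport=4444):
        print("odd UDP beacon", p["src"], "->", p["dst"], p["payload"][:12])
    for p in read_pcap(write_pcap(SAMPLE_FRAMES, snaplen=64)):
        print("snaplen 64 kept %d of %d bytes" % (p["captured"], p["original"]))
```

The full-length capture can be filtered on proto, port or address as often as the investigation needs; the snaplen=64 capture still records every packet, but the HTTP request line and most of the DNS question are gone, and no later filter can bring them back.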

Snort
Snort is an enterprise-grade open-source network intrusion detection and prevention system. It performs protocol analysis and content searching/matching, and detects a wide variety of network attacks such as buffer overflows, stealth port scans, CGI attacks and OS fingerprinting attempts, to name a few.

Snort's ease of configuration, flexible rule language and raw packet analysis make it a powerful intrusion detection and prevention system. Snort is highly configurable and lets users add custom plugins called preprocessors, which normalise protocols and reassemble streams before the rules see the traffic. It also comes with a wide range of output options.

At its core, Snort raises alerts based on the rulesets supplied to it. The administrator needs to supply the rules, as the default installation does not come with any; the Snort website provides rulesets (the free Community ruleset as well as the Registered and Subscriber rulesets) that can be loaded into Snort. In addition, one can write custom alert rules. Each rule consists of a header (action, protocol, source and destination addresses and ports, with $HOME_NET and $EXTERNAL_NET standing for the configured networks) and a set of options such as msg, content and a unique sid. Snort can play a crucial role in network forensic investigations because, depending on the rules configured, it produces a wide variety of alerts and logs that record what was seen on the wire and when.
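How a rule's header and its content options are applied to a packet, as an added example that is not part of the original article and is not Snort's engine: a small matcher that parses genuine Snort rule syntax and evaluates it against a few packets. Only the header, content (including |hex| escapes), nocase, msg, sid and rev are honoured; any other option (flow, pcre and so on) is parsed but ignored. The rules, the $HOME_NET definition and the packets are constructed; the sids start at 1000000 because lower numbers are reserved for the official rulesets.

```python
"""Toy evaluator for Snort-syntax alert rules. Added example written for the
article; not Snort's code. Rules, network variables and packets are
constructed. Honours: rule header, content (with |hex|), nocase, msg, sid,
rev. Other options (flow, pcre, ...) are parsed and ignored."""
import ipaddress
import re

HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")
OPTION_RE = re.compile(r'\s*(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')

# Constructed equivalents of snort.conf's ipvar lines.
VARS = {"HOME_NET": ["10.0.0.0/8"], "EXTERNAL_NET": ["!$HOME_NET"]}


def _addr_matches(spec, ip):
    """Address spec: any, CIDR, $VAR, !negation or a [a,b] list."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not _addr_matches(spec[1:], ip)
    if spec.startswith("$"):
        return any(_addr_matches(s, ip) for s in VARS[spec[1:]])
    if spec.startswith("["):
        return any(_addr_matches(s.strip(), ip) for s in spec[1:-1].split(","))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec, port):
    """Port spec: any, a number, lo:hi range, !negation or a [a,b] list."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not _port_matches(spec[1:], port)
    if spec.startswith("["):
        return any(_port_matches(s.strip(), port) for s in spec[1:-1].split(","))
    if ":" in spec:
        lo, hi = spec.split(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)


def _decode_content(text):
    """content:"ab|03 04|cd" -> b'ab\\x03\\x04cd' (text outside |..| is literal)."""
    out = bytearray()
    for i, part in enumerate(text.strip('"').split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def parse_rule(line):
    """Parse one rule into a dict of header fields plus msg/sid and contents."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable rule: " + line)
    rule = m.groupdict()
    rule["contents"] = []
    for key, val in OPTION_RE.findall(rule.pop("opts")):
        if key == "content":
            rule["contents"].append({"bytes": _decode_content(val), "nocase": False})
        elif key == "nocase" and rule["contents"]:
            rule["contents"][-1]["nocase"] = True      # modifies the preceding content
        elif key in ("msg", "sid", "rev"):
            rule[key] = val.strip('"')
    return rule


def _matches(rule, pkt):
    if rule["proto"] != pkt["proto"]:
        return False

    def one_way(src, sport, dst, dport):
        return (_addr_matches(rule["src"], src) and _port_matches(rule["sport"], sport)
                and _addr_matches(rule["dst"], dst) and _port_matches(rule["dport"], dport))

    ok = one_way(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if not ok and rule["dir"] == "<>":
        ok = one_way(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    if not ok:
        return False
    for c in rule["contents"]:
        hay, needle = (pkt["payload"].lower(), c["bytes"].lower()) if c["nocase"] else (pkt["payload"], c["bytes"])
        if needle not in hay:
            return False
    return True


def run_rules(rules, packets):
    """Return one alert per (rule, packet) match, the way Snort's alert log would."""
    return [{"sid": r["sid"], "msg": r["msg"], "src": p["src"], "dst": p["dst"]}
            for p in packets for r in rules if r["action"] == "alert" and _matches(r, p)]


RULES = [parse_rule(r) for r in """
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [80,8080] (msg:"WEB-ATTACKS /etc/passwd in request"; content:"/etc/passwd"; sid:1000002; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"DNS query to external resolver"; content:"|03|www"; sid:1000003; rev:1;)
""".strip().splitlines()]

# Constructed packets (decoded fields only; payload is the L4 data).
PACKETS = [
    {"proto": "tcp", "src": "198.51.100.7", "sport": 40001, "dst": "10.1.2.3", "dport": 80,
     "payload": b"GET /scripts/..%255c../winnt/system32/CMD.EXE?/c+dir HTTP/1.0\r\n\r\n"},
    {"proto": "tcp", "src": "10.1.2.3", "sport": 40002, "dst": "198.51.100.7", "dport": 80,
     "payload": b"GET /cmd.exe HTTP/1.0\r\n\r\n"},        # internal -> external: header does not match
    {"proto": "tcp", "src": "198.51.100.8", "sport": 40003, "dst": "10.1.2.3", "dport": 8080,
     "payload": b"GET /../../etc/passwd HTTP/1.0\r\n\r\n"},
    {"proto": "udp", "src": "10.1.2.3", "sport": 53011, "dst": "8.8.8.8", "dport": 53,
     "payload": b"\xab\xcd\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x03www\x07example\x03com\x00\x00\x01\x00\x01"},
]

if __name__ == "__main__":
    for a in run_rules(RULES, PACKETS):
        print("[%s] %s  %s -> %s" % (a["sid"], a["msg"], a["src"], a["dst"]))
```

The second packet carries the same cmd.exe string as the first but raises nothing, because $EXTERNAL_NET in the header excludes internal sources; that is the kind of detail to check when an investigator wonders why an expected alert is missing from Snort's logs.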
