... them to be used independently of one another. For example, in a typical scenario a service provider might use RADIUS for authentication purposes while using TACACS for authorization and accounting.

See Also: Authentication, Authorization, and Accounting (AAA), Remote Authentication Dial-In User Service (RADIUS)

TFN
Stands for Tribal Flood Network, a type of distributed denial of service (DDoS) attack developed by Mixter.

See: Tribal Flood Network (TFN)

The Coroner's Toolkit (TCT)
A package of tools for forensic analysis of compromised UNIX systems.

Overview
Computer forensics is the process of analyzing compromised systems to obtain evidence for prosecuting criminal activity. In general, computer forensics involves the application of both computer technology and legal expertise and can be a complex and difficult task when systems have been rendered unbootable and data stolen or destroyed. One tool that can help with identifying the exploits of intruders is The Coroner's Toolkit (TCT), a set of free UNIX tools that takes a snapshot of a damaged system to allow forensic analysis to extract as much useful information as possible that might indicate the course of the attack. TCT includes several programs for forensic analysis, including the following:

• Grave-robber: Used to capture system information for forensic analysis
• Ils and Mactime: Used to display access patterns for files
...

... TCT is available for a number of UNIX platforms, including the Berkeley Software Distribution (BSD) family and Solaris, and for Linux platforms.

For More Information
Visit www.porcupine.org/forensics for more information.

See Also: computer forensics

threat
Also called an attack, any method used to try to breach the security of a network or system.

See: attack

ticket
In Kerberos authentication, a data structure used to provide access to resources.

Overview
A ticket is a set of identification data for a security principal (user or application) issued by a ticket-granting service (TGS), a Kerberos service running on a key distribution center (KDC). Tickets contain information about the identity of the principal and are used for authenticating the principal within a Kerberos realm or domain.

There are two types of Kerberos tickets:

• Ticket-granting ticket (TGT): Issued to a user by the authentication service (AS), another Kerberos service running on the KDC in their local realm, after the user submits his or her logon credentials to the network. Once a user has a TGT, the user can present the TGT to the TGS to request a service ticket.
• Service ticket: Issued to a user by the TGS in response to the user submitting his or her TGT.

341 TKIP Traceroute

Once the user has a service ticket, the user can present this to a network service in order to authenticate with the service and establish a session.

Implementation
The structure of a service ticket follows a standard pattern and includes the following fields:

• Message type: Tickets are used in several kinds of Kerberos messages.
• Protocol version number: This is 5 for Kerberos v5 protocol.
• Sname and Realm: The name and Kerberos realm of the party to which the ticket is being presented; for example, a network service running on a server.
• Flags: A series of options used for specifying how the ticket might be used by different parties.
• Key: The session key given to the holder of the ticket for encrypting communication when authenticating with other parties.
• Cname and Crealm: The name and realm of the holder of the ticket (a security principal).
• Transited: The names of any realms that must be crossed in order for the ticket holder to present it to the target party.
• Time stamps: Values describing when the ticket was issued and when it expires.
• Caddr: An optional set of addresses from which the ticket must be presented to be accepted as valid by the target party.
• Authorization data: Information limiting the rights of the ticket holder (varies with application being used)

TKIP
Stands for Temporal Key Integrity Protocol, the replacement for Wired Equivalent Privacy (WEP) in the 802.11i specification for wireless network security.

See: Temporal Key Integrity Protocol (TKIP)

Tlist
A tool for displaying running processes on machines running on Microsoft Windows NT or later versions of the operating system.

Overview
Tlist is a Resource Kit tool that displays a task tree of running processes on local or remote computers. Tlist can search for processes specified using regular expressions and can match the processes against task names or the names displayed in window titles. Tlist also can display the active services for each process and return the process id (PID) for each process. One common use for Tlist by security professionals is to look for rogue processes on a system that might indicate the system has been compromised with a Trojan.

Notes
Another tool called Pulist provides the same functionality as Tlist together with information concerning the owner of the task or process.

See Also: Pulist, Trojan

TLS
Stands for Transport Layer Security, an Internet standard version of Secure Sockets Layer (SSL), Netscape's protocol for secure communications over the Internet.

See: Transport Layer Security (TLS)
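As an added illustration (not part of the encyclopedia entry), the following Python models the service-ticket fields listed under the ticket entry as a plain data structure and applies the checks a target service makes on them: protocol version, Sname/Realm, time stamps with a clock-skew allowance, Caddr, and Transited realms. ASN.1 encoding and encryption of the ticket are omitted, and the principal names, realms, addresses and times are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

KRB_PVNO = 5  # protocol version number carried by every Kerberos v5 ticket


@dataclass
class ServiceTicket:
    """Plaintext view of the ticket fields (encoding/encryption omitted)."""
    msg_type: str        # Kerberos message that carries it, e.g. "AP-REQ"
    pvno: int            # protocol version number
    sname: str           # party the ticket is presented to (the service)
    realm: str           # that service's realm
    flags: frozenset     # options such as "forwardable" or "renewable"
    key: bytes           # session key shared by client and service
    cname: str           # holder of the ticket
    crealm: str          # holder's realm
    transited: tuple     # realms crossed on the way from crealm to realm
    authtime: datetime   # when the ticket was issued
    endtime: datetime    # when it expires
    caddr: tuple = ()    # optional addresses it may be presented from
    authorization_data: dict = field(default_factory=dict)


def check_ticket(t, service, service_realm, client_addr, now,
                 trusted_realms, max_skew=timedelta(minutes=5)):
    """Reasons a target party should refuse the ticket; [] means accept."""
    problems = []
    if t.pvno != KRB_PVNO:
        problems.append("unsupported protocol version")
    if (t.sname, t.realm) != (service, service_realm):
        problems.append("issued for a different service or realm")
    if t.authtime > now + max_skew:  # issued "in the future": clocks disagree
        problems.append("authtime ahead of local clock")
    if now > t.endtime + max_skew:
        problems.append("ticket expired")
    if t.caddr and client_addr not in t.caddr:
        problems.append("presented from an address not listed in caddr")
    untrusted = [r for r in t.transited if r not in trusted_realms]
    if untrusted:
        problems.append("crossed untrusted realm(s): " + ", ".join(untrusted))
    return problems


def demo(hours_after_issue=1, client_addr="10.0.0.5"):
    """Constructed sample: alice's ticket for a file service in EXAMPLE.COM."""
    issued = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    t = ServiceTicket("AP-REQ", KRB_PVNO, "cifs/fs1.example.com", "EXAMPLE.COM",
                      frozenset({"renewable"}), b"\x00" * 16, "alice",
                      "DEV.CORP.EXAMPLE.COM", ("CORP.EXAMPLE.COM",), issued,
                      issued + timedelta(hours=10), caddr=("10.0.0.5",))
    return check_ticket(t, "cifs/fs1.example.com", "EXAMPLE.COM", client_addr,
                        issued + timedelta(hours=hours_after_issue),
                        {"CORP.EXAMPLE.COM"})
```

Calling demo() returns an empty list for the valid case, while demo(hours_after_issue=11) or demo(client_addr="10.0.0.9") returns the matching refusal reasons.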