1 % tunet und eduroam down...
7 What is the IP address of the suspicious notebook?
11 The IP address of the suspicious notebook (our own IP address) is {\tt 192.168.67.37}.
17 What is the IP address of the machine presumably leaking information?
21 The remote IP address is {\tt 192.168.67.83}.
27 Give a detailed (but brief) explanation of these steps you carried out to filter irrelevant data (either Wireshark or Rapidminer).
28 Do also specify the keyworks and operators required.
32 The necessary wireshark filter expression is {\tt ip.addr == 192.168.67.83}.
39 Which features are not viable to mask a covert channel and could be removed from the analysis?
40 List the rejected features and provide short but meaningful reasons for rejection.
45 \item {\tt No.} (it is generated while monitoring and is strictly monotonically increasing by 1 with each packet)
46 \item {\tt Source IP} (fixed value: {\tt 192.168.67.83})
47 \item {\tt Destination IP} (fixed value: {\tt 192.168.67.37})
48 \item {\tt Protocol} (fixed value: {\tt UDP})
49 \item {\tt Length} (fixed value: {\tt 82})
50 \item {\tt TTL} (fixed value: {\tt 64})
51 \item {\tt Dest port} (fixed value: {\tt 118})
52 \item {\tt Flags} (none set)
53 \item {\tt Frag offset} (fixed value: {\tt 0})
56 Fixed values have been rejected as it is not possible to hide information within.
62 From the remaining features, which ones are not viable to mask a covert channel and could be removed from the analysis?
63 List the newly rejected features and provide short but meaningful reasons for rejection.
67 % TODO continue writing here.
69 repeating transfers, transfers seem separable over time via the udp.srcport attribute
71 filtered traffic via wireshark again by source port 52899
72 ip.addr == 192.168.67.83 and udp.srcport == 52899
76 reimported to rapidminer
79 dscp + timing changes.
81 the DSCP value grows until 10962
83 then it's fixed on DSCP 10962
92 some bits are broken, as the timing and my decodes is more a hack.
94 a hack is a hack is a hack ... :)
99 rescan... new ip: 192.168.67.26
103 ip.src == 192.168.67.0/24 and ip.dst == 192.168.67.0/24
105 10min\_localnet.{pcap,csv}
107 look at it via rapidminer (filter away gateway (.1) and self (.26) as sources)
108 image:stream\_localnet.pdf
110 image:stream\_localnet\_ports.pdf
111 dest ports are always first 80/udp, then 443/udp, then 465/tcp, then 464/udp
112 always from first .83, then .82, then .81, then .84
114 filtered for one complete transaction
115 udp.port == 58493 or udp.port == 45875 or tcp.port == 40875 or udp.port == 36842
116 10min\_transaction.{pcap,csv}
118 %%%%%%%%%%%%%%%%%%%%%
120 %filtered away nfs and ssh
121 %!(tcp.port == 666 || tcp.port == 2049)
124 %look at it via rapidminer
127 %((ip.addr eq 192.168.67.81 or ip.addr eq 192.168.67.82 or ip.addr eq 192.168.67.83) and ip.addr eq 192.168.67.37)
130 %look at it again via rapidminer
131 %image:stream\_better.pdf
133 %dest ports are always first 80/udp, then 443/udp, then 465/tcp
135 %filtered for one complete transaction
136 %tcp.port == 56533 or udp.port == 50293 or udp.port == 56040
139 %look at it again via rapidminer
140 %image:stream\_cool.pdf
142 %%%%%%%%%%%%%%%%%%%%%%%
146 No. -> generated while monitoring
148 TTL (64), Frag offset (0)
151 does not look like timing, packets arrive in almost equal distances (10ms sequence)
157 0x0018: ACK,PSH (600x)
160 Expected distribution of values
163 not a high variance detected:
165 \item UDP Stream from 192.168.67.83:56040 to 192.168.67.37:80 %TODO fix
166 \item UDP Stream from 192.168.67.82:50293 to 192.168.67.37:443 %TODO fix
167 \item TCP Traffic between 192.168.67.81:56533 to 192.168.67.37:465 %TODO fix
168 \imte UDP Stream from 192.168.67.84:36842 to 192.168.67.26:464
171 Length also does not vary very much:
173 \item Length 60 for Source Port 56040/udp
174 \item Length 60 for Source Port 52093/udp
175 \item Length 70 for ACK,PSH (600x), 74 for SYN (1x), 66 for ACK (1x) and 66 for FIN (1x) for Source Port 56533/tcp
176 \item Length 66 for ACK, 74 for SYN,ACK for Source Port 465/tcp
177 \item %TODO fix for sport 464
181 %TODO DSCP @tcp-connection is weird (incoming)
182 -> map in rapidminer ipid vs dscp
183 -> every dscp has two ipid's? (ipid1 xor ipid2) or (ipid1 - ipid2) -> char
186 Unknown, because we do have two shorter transmissions before a longer transmission from different source ips
188 Later the IP address turned out to be 192.168.67.84.
191 Not yet. We do not know if the three transmissions are connected to each other.
193 Most likely it is in the DSCP field of the third transmission. (This also has responses from the local system)
195 Turned out that the 6 bits from the DSCP field just needed to be concatenated and then split into 8 bit chunks again.
199 ./exercise2/parse\_stream\_data.py
200 "Agent South already successfully infiltrated The minister's office. In the next step, we try to acquire data from the Ministry of Cyber Affair's office network. Stay tuned, I will keep you updated on the progress. (This message was sent by agent Scott)Agent South already successfully infiltrated The minister's office. In the next step, we try to acquire data from the Ministry of Cyber Affair's office network. Stay tuned, I will keep you updated on t"
204 We did have a wireshark configuration issue as we had mistakenly configured it to show the IPID as the DSCP field and did miss the (correct) DSCP field completely.