update exercise{1,2}.tex

[pub/jan/netsec2.git] / exercise1.tex

% tunet und eduroam down...

\section{Rep:1.a}

\noindent\fbox{%
\parbox{\textwidth}{%
        What is the IP address of the suspicious notebook?
}%
}

The IP address of the suspicious notebook (our own IP address) is {\tt 192.168.67.37}.

\section{Rep:1.b}

\noindent\fbox{%
\parbox{\textwidth}{%
        What is the IP address of the machine presumably leaking information?
}%
}

The remote IP address is {\tt 192.168.67.83}.

\section{Rep:1.c}

\noindent\fbox{%
\parbox{\textwidth}{%
        Give a detailed (but brief) explanation of these steps you carried out to filter irrelevant data (either Wireshark or Rapidminer).
        Do also specify the keyworks and operators required.
}%
}

The necessary wireshark filter expression is {\tt ip.addr == 192.168.67.83}.
% TODO more verbose?

\section{Rep:1.d}

\noindent\fbox{%
\parbox{\textwidth}{%
        Which features are not viable to mask a covert channel and could be removed from the analysis?
        List the rejected features and provide short but meaningful reasons for rejection.
}%
}

\begin{itemize}
        \item {\tt No.} (it is generated while monitoring and is strictly monotonically increasing by 1 with each packet)
        \item {\tt Source IP} (fixed value: {\tt 192.168.67.83})
        \item {\tt Destination IP} (fixed value: {\tt 192.168.67.37})
        \item {\tt Protocol} (fixed value: {\tt UDP})
        \item {\tt Length} (fixed value: {\tt 82})
        \item {\tt TTL} (fixed value: {\tt 64})
        \item {\tt Dest port} (fixed value: {\tt 118})
        \item {\tt Flags} (none set)
        \item {\tt Frag offset} (fixed value: {\tt 0})
\end{itemize}

Fixed values have been rejected as it is not possible to hide information within.

\section{Rep:1.e}

\noindent\fbox{%
\parbox{\textwidth}{%
        From the remaining features, which ones are not viable to mask a covert channel and could be removed from the analysis?
        List the newly rejected features and provide short but meaningful reasons for rejection.
}%
}

% TODO continue writing here.

repeating transfers, transfers seem separable over time via the udp.srcport attribute

filtered traffic via wireshark again by source port 52899
ip.addr == 192.168.67.83 and udp.srcport == 52899

reexported to csv

reimported to rapidminer

\section{Rep:1.f}
dscp + timing changes.

the DSCP value grows until 10962
grows until time 6.55
then it's fixed on DSCP 10962

\section{Rep:1.g}
Dest port == 118

\section{Rep:1.h}
siehe bladecode.py

\section{Rep:1.i}
some bits are broken, as the timing and my decodes is more a hack.

a hack is a hack is a hack ... :)



\section{Rep:1.j}
rescan... new ip: 192.168.67.26
10min.{pcap,csv}

filtered localnet
ip.src == 192.168.67.0/24 and ip.dst == 192.168.67.0/24

10min\_localnet.{pcap,csv}

look at it via rapidminer (filter away gateway (.1) and self (.26) as sources)
image:stream\_localnet.pdf

image:stream\_localnet\_ports.pdf
dest ports are always first 80/udp, then 443/udp, then 465/tcp, then 464/udp
always from first .83, then .82, then .81, then .84

filtered for one complete transaction
udp.port == 58493 or udp.port == 45875 or tcp.port == 40875 or udp.port == 36842
10min\_transaction.{pcap,csv}

%%%%%%%%%%%%%%%%%%%%%

%filtered away nfs and ssh
%!(tcp.port == 666 || tcp.port == 2049)
%asdf.{pcap,csv}

%look at it via rapidminer
%image:stream2.pdf

%((ip.addr eq 192.168.67.81 or ip.addr eq 192.168.67.82 or ip.addr eq 192.168.67.83) and ip.addr eq 192.168.67.37)
%better.{pcap,csv}

%look at it again via rapidminer
%image:stream\_better.pdf

%dest ports are always first 80/udp, then 443/udp, then 465/tcp

%filtered for one complete transaction
%tcp.port == 56533 or udp.port == 50293 or udp.port == 56040
%cool.{pcap,csv}

%look at it again via rapidminer
%image:stream\_cool.pdf

%%%%%%%%%%%%%%%%%%%%%%%

\section{Rep:1.k}
Unusable features:
No. -> generated while monitoring
fixed values:
TTL (64), Frag offset (0)

Time:
does not look like timing, packets arrive in almost equal distances (10ms sequence)

Flags:
0x0002: SYN (1x)
0x0012: SYN,ACK (1x)
0x0010: ACK (602x)
0x0018: ACK,PSH (600x)
0x0011: ACK,FIN (2x)

Expected distribution of values

\section{Rep:1.l}
not a high variance detected:
\begin{itemize}
\item UDP Stream from 192.168.67.83:56040 to 192.168.67.37:80 %TODO fix
\item UDP Stream from 192.168.67.82:50293 to 192.168.67.37:443 %TODO fix
\item TCP Traffic between 192.168.67.81:56533 to 192.168.67.37:465 %TODO fix
\imte UDP Stream from 192.168.67.84:36842 to 192.168.67.26:464
\end{itemize}

Length also does not vary very much:
\begin{itemize}
\item Length 60 for Source Port 56040/udp
\item Length 60 for Source Port 52093/udp
\item Length 70 for ACK,PSH (600x), 74 for SYN (1x), 66 for ACK (1x) and 66 for FIN (1x) for Source Port 56533/tcp
\item Length 66 for ACK, 74 for SYN,ACK for Source Port 465/tcp
\item %TODO fix for sport 464
\end{itemize}

%TODO IPID is weird
%TODO DSCP @tcp-connection is weird (incoming)
-> map in rapidminer ipid vs dscp
-> every dscp has two ipid's? (ipid1 xor ipid2) or (ipid1 - ipid2) -> char

\section{Rep:1.m}
Unknown, because we do have two shorter transmissions before a longer transmission from different source ips

Later the IP address turned out to be 192.168.67.84.

\section{Rep:1.n}
Not yet. We do not know if the three transmissions are connected to each other.

Most likely it is in the DSCP field of the third transmission. (This also has responses from the local system)

Turned out that the 6 bits from the DSCP field just needed to be concatenated and then split into 8 bit chunks again.

\section{Rep:1.o}

./exercise2/parse\_stream\_data.py
"Agent South already successfully infiltrated The minister's office. In the next step, we try to acquire data from the Ministry of Cyber Affair's office network. Stay tuned, I will keep you updated on the progress. (This message was sent by agent Scott)Agent South already successfully infiltrated The minister's office. In the next step, we try to acquire data from the Ministry of Cyber Affair's office network. Stay tuned, I will keep you updated on t"

\section{Rep:1.p}

We did have a wireshark configuration issue as we had mistakenly configured it to show the IPID as the DSCP field and did miss the (correct) DSCP field completely.