\section{Exercise 2 - Task 1}
First we converted the file {\tt team15\_ex21.pcap} from the pcap-ng format to the pcap format, so that it can be read with {\tt scapy}:
\begin{verbatim}
$ editcap -F libpcap team15_ex21.pcap ex21.pcap
\end{verbatim}
Then we filtered out the large flows, i.e. the host pairs with 400 or more packets.
% TODO include readflows.py-source
\begin{verbatim}
{('113.15.85.25', '179.160.238.111'): (463, 0),
 ('114.176.157.191', '221.72.61.209'): (541, 0),
 ('134.134.122.170', '179.187.246.122'): (419, 0),
 ('179.187.53.117', '129.49.173.82'): (472, 0),
 ('211.2.138.61', '144.66.241.253'): (462, 151),
 ('221.100.234.92', '161.194.49.146'): (547, 0),
 ('8.73.98.88', '144.66.191.77'): (535, 0)}
\end{verbatim}
(Format: {\tt (src, dst) : (srctodst, dsttosrc)})
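The flow table above comes from the team's {\tt readflows.py}, which is not included here. The following is an added example and not the team's script: a dependency-free Python reader for the libpcap format (the format {\tt editcap -F libpcap} writes) that counts packets per host pair in both directions and applies the 400-packet threshold. The constructed frames, the {\tt 10.0.0.x} addresses and the way the sample capture is built in memory are assumptions, not data from the exercise.

```python
import socket
import struct
from collections import defaultdict

# Added example, not the team's readflows.py. Threshold taken from the report:
# flows with 400 or more packets are treated as large.
LARGE_FLOW_MIN_PACKETS = 400


def build_frame(src, dst, sport=1234, dport=53, ip_id=0):
    """Constructed Ethernet/IPv4/UDP frame with an empty payload (14+20+8 = 42 bytes)."""
    eth = b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00"           # dst MAC, src MAC, EtherType IPv4
    udp = struct.pack("!HHHH", sport, dport, 8, 0)           # sport, dport, length, checksum
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), ip_id, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + udp


def build_pcap(frames):
    """Wrap frames in a little-endian libpcap file: global header plus one record header per frame."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    records = b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f for i, f in enumerate(frames))
    return header + records


def iter_pcap_frames(data):
    """Yield (caplen, wirelen, frame_bytes) for each record of a libpcap file of either endianness."""
    magic, = struct.unpack("<I", data[:4])
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a libpcap file; convert pcap-ng with editcap -F libpcap first")
    offset = 24
    while offset + 16 <= len(data):
        _, _, caplen, wirelen = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        yield caplen, wirelen, data[offset:offset + caplen]
        offset += caplen


def flow_counts(data):
    """Count packets per unordered IPv4 host pair, split by direction:
    {(a, b): (a_to_b, b_to_a)}, keyed by whichever direction was seen first."""
    counts = defaultdict(lambda: [0, 0])
    for _, _, frame in iter_pcap_frames(data):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                         # not IPv4 over Ethernet
        src = socket.inet_ntoa(frame[26:30])
        dst = socket.inet_ntoa(frame[30:34])
        if (dst, src) in counts and (src, dst) not in counts:
            counts[(dst, src)][1] += 1                       # reverse direction of a known pair
        else:
            counts[(src, dst)][0] += 1
    return {pair: tuple(c) for pair, c in counts.items()}


def large_flows(data, minimum=LARGE_FLOW_MIN_PACKETS):
    """Keep only the pairs whose packets in both directions add up to `minimum` or more."""
    return {pair: c for pair, c in flow_counts(data).items() if sum(c) >= minimum}


def demo():
    """Constructed capture: two large flows (one of them bidirectional) and one small one."""
    frames = ([build_frame("10.0.0.1", "10.0.0.2")] * 463
              + [build_frame("10.0.0.3", "10.0.0.4")] * 462
              + [build_frame("10.0.0.4", "10.0.0.3")] * 151
              + [build_frame("10.0.0.5", "10.0.0.6")] * 5)
    return large_flows(build_pcap(frames))


if __name__ == "__main__":
    print(demo())
```

The record header is read explicitly, so the captured length of every frame stays available to the caller; this matters in task 2 below, where the frame length is the selection criterion. Running the script prints the two large constructed flows in the same {\tt (src, dst) : (srctodst, dsttosrc)} format as the table above.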
We then split the pcap into a separate file per stream, using the following filter expressions:
\begin{verbatim}
(ip.addr == 113.15.85.25 and ip.addr == 179.160.238.111)
(ip.addr == 114.176.157.191 and ip.addr == 221.72.61.209)
(ip.addr == 134.134.122.170 and ip.addr == 179.187.246.122)
(ip.addr == 179.187.53.117 and ip.addr == 129.49.173.82)
(ip.addr == 211.2.138.61 and ip.addr == 144.66.241.253)
(ip.addr == 221.100.234.92 and ip.addr == 161.194.49.146)
(ip.addr == 8.73.98.88 and ip.addr == 144.66.191.77)
\end{verbatim}
We also generated CSV files for all pcap files.
Then we generated graphs to visualize the respective flows and found that the second flow has suspicious source ports, alternating between two values ({\tt 5950} and {\tt 5960}).
% TODO include gnuplot-source
% TODO include bitstobytes.py-source
\begin{verbatim}
$ awk -F, '{print $8}' large_flow_2.csv | sed -e 's/5950/0/' -e 's/5960/1/' -e 's/"//g'
\end{verbatim}
\fbox{\parbox{\textwidth}{Data acquired. Key for message (len=42 \& pkts$>$200): nSa123 (Scott)}}
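The {\tt awk}/{\tt sed} pipeline above turns the source-port column into a bit string, and the team's {\tt bitstobytes.py} (not included) packs those bits into bytes. The following is an added example, not the team's script, that does both steps in Python: it extracts the port column from a CSV, maps {\tt 5950} to 0 and {\tt 5960} to 1 as in the {\tt sed} expressions, and packs eight bits per byte. The sample CSV, its column layout and the bit order inside a byte (MSB first by default, with the alternative selectable) are assumptions.

```python
# Added example, not the team's bitstobytes.py. Port-to-bit mapping taken from the report
# (5950 -> 0, 5960 -> 1); the bit order inside a byte is an assumption (MSB first by default).
PORT_TO_BIT = {5950: 0, 5960: 1}


def ports_from_csv(csv_text, column=8):
    """Emulate `awk -F, '{print $8}' ... | sed 's/"//g'`: take one 1-based column of a
    comma-separated file, strip quotes, and skip cells (such as the header) that are not integers."""
    ports = []
    for line in csv_text.splitlines():
        fields = line.split(",")
        if len(fields) < column:
            continue
        cell = fields[column - 1].replace('"', "").strip()
        if cell.isdigit():
            ports.append(int(cell))
    return ports


def ports_to_bits(ports):
    """Map the alternating source ports to bits; any other port means the channel assumption is wrong."""
    bits = []
    for port in ports:
        if port not in PORT_TO_BIT:
            raise ValueError(f"unexpected source port {port}: not part of the channel")
        bits.append(PORT_TO_BIT[port])
    return bits


def bits_to_bytes(bits, msb_first=True):
    """Pack eight bits per byte; trailing bits that do not fill a byte are dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        chunk = bits[i:i + 8]
        if not msb_first:
            chunk = chunk[::-1]
        value = 0
        for bit in chunk:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def bytes_to_ports(data, msb_first=True):
    """Inverse mapping, used here only to build constructed test input."""
    bit_to_port = {bit: port for port, bit in PORT_TO_BIT.items()}
    ports = []
    for byte in data:
        bits = [(byte >> (7 - i)) & 1 for i in range(8)]
        if not msb_first:
            bits = bits[::-1]
        ports.extend(bit_to_port[bit] for bit in bits)
    return ports


def decode_channel(ports, msb_first=True):
    """The complete task-1 pipeline: ports -> bits -> bytes."""
    return bits_to_bytes(ports_to_bits(ports), msb_first)


# Constructed sample standing in for large_flow_2.csv (header row plus one row per packet,
# source port in the 8th column). The layout is an assumption, not the team's real file.
SAMPLE_CSV = '"No.","Time","Source","Destination","Protocol","Length","Info","SrcPort"\n' + "".join(
    f'"{i + 1}","0.{i:03d}","114.176.157.191","221.72.61.209","UDP","60","{p} -> 53","{p}"\n'
    for i, p in enumerate(bytes_to_ports(b"Data acquired."))
)

if __name__ == "__main__":
    print(decode_channel(ports_from_csv(SAMPLE_CSV)))
```

Two details worth keeping in mind when reusing the {\tt awk} one-liner on real exports: splitting on commas breaks as soon as a quoted field (typically the Info column) itself contains a comma, and any port outside the two expected values silently ends up in the bit string; the example raises an error in that case instead, so a wrong channel hypothesis is noticed immediately.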
\section{Exercise 2 - Task 2}
As in task 1, we first converted the file {\tt team15\_ex22.pcap} from the pcap-ng format to the pcap format, so that it can be read with {\tt scapy}:
\begin{verbatim}
$ editcap -F libpcap team15_ex22.pcap ex22.pcap
\end{verbatim}
Then we filtered out the large flows with more than 200 packets and a frame length of 42, the two parameters given in the message from task 1.
% TODO \begin{didntwork}
This gave the following flow:
\begin{verbatim}
{('53.151.211.106', '217.115.203.44'): (213, 0)}
\end{verbatim}
We extracted it with the filter
\begin{verbatim}
ip.addr == 53.151.211.106 and ip.addr == 217.115.203.44 and eth.len == 42
\end{verbatim}
and saved the bytes of the IP identification field (ipid) of every packet in the stream to a file.
We then tried to decrypt that file with the password from the previous task:
\begin{verbatim}
openssl enc -d -rc4 -nosalt -k nSa123 -in stream_encrypted -out stream_decrypted
\end{verbatim}
This did not yield anything readable. Neither did reversing the byte order of each identification value (lower byte first, upper byte next), nor decoding the second-largest flow instead:
\begin{verbatim}
ip.addr == 96.55.191.225 and ip.addr == 217.115.203.44 and eth.len == 42
\end{verbatim}
% TODO \end{didntwork}
Finally we found out that scapy discards the frame length when parsing packets with the {\tt PcapReader}.
This does not happen with the {\tt RawPcapReader}, so we rewrote the script a bit.
% TODO continue writing here
We then created the CSV files for the large flows manually, reduced them to decimal values and computed the autocorrelation of their columns, discarding the columns whose values are all identical and sorting the remaining ones by the second field:
\begin{verbatim}
for i in large_flow_*.csv ; do ./../../only_decimal.sh $i > ${i%.csv}.dehexed.csv ; done
./autocorrelate.sh | grep -v "All values are identical" | sort -k2
\end{verbatim}
The data of the stream was finally extracted with {\tt parse\_stream\_data.py}, which yielded the message:
\fbox{\parbox{\textwidth}{Agent South was captured! Aborting operation. (Agent Scott)}}
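The scripts of this last pipeline are not included above. What follows is an added Python example, not the team's {\tt autocorrelate.sh} or {\tt parse\_stream\_data.py}, that reproduces the idea on a constructed flow CSV: compute the lag-1 autocorrelation of every column, drop the constant ones (the case reported as ``All values are identical''), rank the rest, and unpack the 16-bit identification values into bytes in either byte order, which is the reversal tried in the notes above. The column names, the sample values and the way the sample CSV is built are assumptions.

```python
import csv
import io

# Added example, not the team's autocorrelate.sh / parse_stream_data.py. The CSV layout
# (named columns, one row per packet, all cells already decimal) is an assumption.


def build_sample_csv(message):
    """Construct a flow CSV in which the IP identification field carries two bytes of
    `message` per packet; the other columns are constants or a simple counter."""
    if len(message) % 2:
        message += b"\x00"                      # pad to whole 16-bit words
    rows = ["frame_len,ttl,ip_id,src_port,dst_port"]
    for i in range(0, len(message), 2):
        ip_id = int.from_bytes(message[i:i + 2], "big")
        rows.append(f"42,64,{ip_id},{40000 + i // 2},53")
    return "\n".join(rows) + "\n"


def read_columns(csv_text):
    """Return {column_name: [int values]} for a CSV whose cells are all decimal."""
    reader = csv.DictReader(io.StringIO(csv_text))
    columns = {name: [] for name in reader.fieldnames}
    for row in reader:
        for name, cell in row.items():
            columns[name].append(int(cell))
    return columns


def autocorrelation(values, lag=1):
    """Lag-k autocorrelation of a sequence; None when all values are identical
    (the case autocorrelate.sh reports as "All values are identical")."""
    n = len(values)
    if n <= lag:
        return None
    mean = sum(values) / n
    denominator = sum((v - mean) ** 2 for v in values)
    if denominator == 0:
        return None
    numerator = sum((values[t] - mean) * (values[t + lag] - mean) for t in range(n - lag))
    return numerator / denominator


def rank_columns(csv_text, lag=1):
    """Drop constant columns and sort the rest by autocorrelation, highest first."""
    ranked = []
    for name, values in read_columns(csv_text).items():
        r = autocorrelation(values, lag)
        if r is not None:
            ranked.append((name, r))
    return sorted(ranked, key=lambda item: item[1], reverse=True)


def ids_to_bytes(ids, lower_byte_first=False):
    """Unpack 16-bit identification values into bytes in either byte order."""
    order = "little" if lower_byte_first else "big"
    return b"".join(int(v).to_bytes(2, order) for v in ids)


def decode_column(csv_text, name, lower_byte_first=False):
    """Read one column as 16-bit values and turn it back into the carried bytes."""
    return ids_to_bytes(read_columns(csv_text)[name], lower_byte_first).rstrip(b"\x00")


if __name__ == "__main__":
    sample = build_sample_csv(b"Agent South was captured!")   # constructed stand-in for a .dehexed.csv
    for name, r in rank_columns(sample):
        print(f"{name}\t{r:.3f}")
    print(decode_column(sample, "ip_id"))
```

In the constructed sample the strictly increasing {\tt src\_port} counter ranks first with an autocorrelation of exactly $1 - 3/n$ for $n$ packets, while the constant {\tt frame\_len}, {\tt ttl} and {\tt dst\_port} columns are dropped; the ranking therefore separates counters, constants and fields with varying content, and the candidate column is then decoded in both byte orders.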