Fixed and "fixed" latex-build-errors :/

[pub/jan/netsec2.git] / report / content / exercise2.tex

\section{Exercise 2 - Task 1}
\subsection{Rep:2.a}

First we converted the file {\tt team15\_ex21.pcap} from the pcap-ng format to the pcap format to be able to use it with {\tt scapy}.
% TODO: fixme!
%\fbox{\parbox{{\textwidth}
%}}
\begin{lstlisting}
$ editcap -F libpcap team15_ex21.pcap ex21.pcap
\end{lstlisting}

Then we filtered out the large flows with more or equal than 400 packets.

% TODO include readflows.py-source

\begin{lstlisting}
$ ./readflows.py
{('113.15.85.25', '179.160.238.111'): (463, 0),
 ('114.176.157.191', '221.72.61.209'): (541, 0),
 ('134.134.122.170', '179.187.246.122'): (419, 0),
 ('179.187.53.117', '129.49.173.82'): (472, 0),
 ('211.2.138.61', '144.66.241.253'): (462, 151),
 ('221.100.234.92', '161.194.49.146'): (547, 0),
 ('8.73.98.88', '144.66.191.77'): (535, 0)}
\end{lstlisting}

(Format: {\tt (src, dst) : (srctodst, dsttosrc)})

We then split the pcap into different files for each stream using the following filter expressions into separate files:
\begin{lstlisting}
(ip.addr == 113.15.85.25 and ip.addr == 179.160.238.111)
(ip.addr == 114.176.157.191 and ip.addr == 221.72.61.209)
(ip.addr == 134.134.122.170 and ip.addr == 179.187.246.122)
(ip.addr == 179.187.53.117 and ip.addr == 129.49.173.82)
(ip.addr == 211.2.138.61 and ip.addr == 144.66.241.253)
(ip.addr == 221.100.234.92 and ip.addr == 161.194.49.146)
(ip.addr == 8.73.98.88 and ip.addr == 144.66.191.77)
\end{lstlisting}

We also did generate csv files for all pcap files.

Then we generated graphs to visualize the respective flows and found that the second flow has suspicious source ports, alternating between two values ({\tt 5950} and {\tt 5960}).

% TODO include gnuplot-source

% TODO include image
large\_flow\_2.png

% TODO include bitstobytes.py-source

\begin{lstlisting}
$ awk -F, '{print $8}' large_flow_2.csv | sed -e 's/5950/0/' -e 's/5960/1/' -e 's/"//g'
$ ./bitstobytes.py
\end{lstlisting}

\subsection{Rep:2.b}
%\fbox{\parbox{\textwidth{{Data acquired. Key for message (len=42 \& pkts>200): nSa123 (Scott)}}

\section{Exercise 2 - Task 2}
\subsection{Rep:2.c}

Then we converted the file {\tt team15\_ex22.pcap} from the pcap-ng format to the pcap format to be able to use it with {\tt scapy}.

\begin{lstlisting}
$ editcap -F libpcap team15_ex22.pcap ex22.pcap
\end{lstlisting}

Then we filtered out the large flows with more than 200 packets and a frame length of 42 as mentioned in the solution from task 1.

% TODO \begin{didntwork}
./task2/readflows.py
% {('53.151.211.106', '217.115.203.44'): (213, 0)}

filter into file
ip.addr == 53.151.211.106 and ip.addr == 217.115.203.44 and eth.len == 42

generate graph:
large\_flow.png

save bytes (ipid) from stream to file
./decode\_ipid.py

try decoding with password from previous task
openssl enc -d -rc4 -nosalt -k nSa123 -in stream\_encrypted -out stream\_decrypted

-> didn't work

tried reversing the bytes (lower byte first, upper byte next)

-> didn't work

trying to decode the second-largest flow:
ip.addr == 96.55.191.225 and ip.addr == 217.115.203.44 and eth.len == 42

-> didn't work
% TODO \end{didntwork}

Finally we found out, that scapy removes the frame length when parsing packets with the {\tt PcapReader}.

This does not happen with the {\tt PcapRawReader}, so we rewrote the script a bit.

% TODO continue writing here

filter into files

./readflows.py

manually create csv files

for i in large\_flow\_*.csv ; do ./../../only\_decimal.sh \$i > \${i\%.csv}.dehexed.csv ; done

./autocorrelate.sh | grep -v "All values are identical" | sort -k2

-> ./parse\_stream\_data.py

\subsection{Rep:2.c}
Agent South was captured! Aborting operation. (Agent Scott)