1 % tunet und eduroam down...
3 \section{Exercise 1 - Task 1}
5 \fbox{\parbox{\textwidth}{
6 What is the IP address of the suspicious notebook?
9 The IP address of the suspicious notebook (our own IP address) is \emph{\textbf{192.168.67.37}}.
13 \fbox{\parbox{\textwidth}{
14 What is the IP address of the machine presumably leaking information?
17 The remote IP address is \emph{\textbf{192.168.67.83}}.
21 \fbox{\parbox{\textwidth}{
22 Give a detailed (but brief) explanation of these steps you carried out to filter irrelevant data (either Wireshark or Rapidminer).\\
23 Do also specify the keyworks and operators required.
26 The necessary wireshark filter expression is \emph{\textbf{ip.addr == 192.168.67.83}}.
31 \fbox{\parbox{\textwidth}{
32 Which features are not viable to mask a covert channel and could be removed from the analysis?\\
33 List the rejected features and provide short but meaningful reasons for rejection.
37 \item \emph{\textbf{No.}} (it is generated while monitoring and is strictly monotonically increasing by 1 with each packet)
38 \item \emph{\textbf{Source IP}} (fixed value: \emph{\textbf{192.168.67.83}})
39 \item \emph{\textbf{Destination IP}} (fixed value: \emph{\textbf{192.168.67.37}})
40 \item \emph{\textbf{Protocol}} (fixed value: \emph{\textbf{UDP}})
41 \item \emph{\textbf{Length}} (fixed value: \emph{\textbf{82}})
42 \item \emph{\textbf{TTL}} (fixed value: \emph{\textbf{64}})
43 \item \emph{\textbf{Dest port}} (fixed value: \emph{\textbf{118}})
44 \item \emph{\textbf{Flags}} (none set)
45 \item \emph{\textbf{Frag offset}} (fixed value: \emph{\textbf{0}})
48 Fixed values have been rejected as it is not possible to hide information within.
52 \fbox{\parbox{\textwidth}{
53 From the remaining features, which ones are not viable to mask a covert channel and could be removed from the analysis?\\
54 List the newly rejected features and provide short but meaningful reasons for rejection.
57 We can determine that the source port changes only between transmissions. The transmissions seem to be identical.\\
59 Therefore we can assume that the \emph{\textbf{source port}} can be ignored in further analysis.
61 We filter the transmission by applying the following filter in wireshark: \emph{\textbf{ip.addr == 192.168.67.83 and udp.srcport == 52899}} export the selection to a new pcap file and reload in wireshark to reset the packet numbers and export the pcap to csv.
65 \fbox{\parbox{\textwidth}{
66 Do you think that you have found the covert channel?\\
67 Give a detailed description of where the covert channel is occurring (feature value:covert symbol relationship) and provide a capture of the plot where the abnormal behavior of the suspicious feature is isolated and clearly visible.
70 At first we wrote a decoder that made a diff between the current and the last csv line looking at DSCP.\\
71 Combined with the hint 8 bit asci we tried to extract full or partial bytes. The results did not made any sense.\\
73 Later we tried to look at the timing diffs and realised that most packets had a delay of either 0.04-0.06 or 0.14-0.16 ms.\\
74 So we tried to multiply the time-diff by 10 and cast the result to int. This resulted in a nice one bit/packet list which we quickly converted to 8 bit ascii.
78 \fbox{\parbox{\textwidth}{
79 Write in the report the formula of the deployed filter and the steps carried out to prepare the required file.
82 \emph{\textbf{Dest port == 118}}
86 \fbox{\parbox{\textwidth}{
87 Write in the report the decoded message. Explain clearly how you carried out the decoding task (step by step in a numbered list).
90 The message is \emph{\textbf{Starting transmission from Ministry of Cyber {\ucr}ffairs. (Agent Scott)Star{\ucr}i{\ucr}}}\\
103 def somedecode(filename):
104 with open(filename, 'rb') as csvfile:
105 spamreader = csv.reader(csvfile, delimiter=',', quotechar='"')
111 for row in spamreader:
119 va = str(int((float(row[1])-float(last[1]))*10))
120 if va not in ["0","1"]:
128 print " "+binascii.unhexlify('%x' % n),
133 if __name__ == "__main__":
134 def signal_handler(signal, frame):
135 print('SIG received. exitting!')
137 signal.signal(signal.SIGINT, signal_handler)
139 somedecode("dump_selected_udp_single_src_port_dehexed.csv")
145 \fbox{\parbox{\textwidth}{
146 Report briefly any additional comment or observation related to the exercise solving to be considered during the review of your exercise.
149 Some characters are broken, as the some packets seem to have expirienced unexpected delays and therefore were wrongly classified. All in all the Message is still understandable.
152 \section{Exercise 1 - Task 2}
154 \fbox{\parbox{\textwidth}{
155 Give a detailed (but brief) explanation of the steps you carried out to filter irrelevant data (either Wireshark or Rapidminer). Do also specify the keywords and operators required.
162 % TODO continue writing here.
166 rescan... new ip: 192.168.67.26
170 ip.src == 192.168.67.0/24 and ip.dst == 192.168.67.0/24
172 10min\_localnet.{pcap,csv}
174 look at it via rapidminer (filter away gateway (.1) and self (.26) as sources)
175 image:stream\_localnet.pdf
177 image:stream\_localnet\_ports.pdf
178 dest ports are always first 80/udp, then 443/udp, then 465/tcp, then 464/udp
179 always from first .83, then .82, then .81, then .84
181 filtered for one complete transaction
182 udp.port == 58493 or udp.port == 45875 or tcp.port == 40875 or udp.port == 36842
183 10min\_transaction.{pcap,csv}
185 %%%%%%%%%%%%%%%%%%%%%
187 %filtered away nfs and ssh
188 %!(tcp.port == 666 || tcp.port == 2049)
191 %look at it via rapidminer
194 %((ip.addr eq 192.168.67.81 or ip.addr eq 192.168.67.82 or ip.addr eq 192.168.67.83) and ip.addr eq 192.168.67.37)
197 %look at it again via rapidminer
198 %image:stream\_better.pdf
200 %dest ports are always first 80/udp, then 443/udp, then 465/tcp
202 %filtered for one complete transaction
203 %tcp.port == 56533 or udp.port == 50293 or udp.port == 56040
206 %look at it again via rapidminer
207 %image:stream\_cool.pdf
209 %%%%%%%%%%%%%%%%%%%%%%%
213 \fbox{\parbox{\textwidth}{
214 Which features are not viable to mask a covert channel and could be removed from the analysis? List the
215 rejected features and provide short but meaningfureasons for rejection.
219 No. -> generated while monitoring
221 TTL (64), Frag offset (0)
224 does not look like timing, packets arrive in almost equal distances (10ms sequence)
230 0x0018: ACK,PSH (600x)
233 Expected distribution of values
237 \fbox{\parbox{\textwidth}{
238 From the remaining features, which ones are not viable to mask a covert channel and could be removed
239 from the analysis? List the newly rejected features and provide short but meaningful reasons for rejection.
242 not a high variance detected:
244 \item UDP Stream from 192.168.67.83:56040 to 192.168.67.37:80 %TODO fix
245 \item UDP Stream from 192.168.67.82:50293 to 192.168.67.37:443 %TODO fix
246 \item TCP Traffic between 192.168.67.81:56533 to 192.168.67.37:465 %TODO fix
247 \item UDP Stream from 192.168.67.84:36842 to 192.168.67.26:464
250 Length also does not vary very much:
252 \item Length 60 for Source Port 56040/udp
253 \item Length 60 for Source Port 52093/udp
254 \item Length 70 for ACK,PSH (600x), 74 for SYN (1x), 66 for ACK (1x) and 66 for FIN (1x) for Source Port 56533/tcp
255 \item Length 66 for ACK, 74 for SYN,ACK for Source Port 465/tcp
256 \item %TODO fix for sport 464
260 %TODO DSCP @tcp-connection is weird (incoming)
261 -> map in rapidminer ipid vs dscp
262 -> every dscp has two ipid's? (ipid1 xor ipid2) or (ipid1 - ipid2) -> char
266 \fbox{\parbox{\textwidth}{
267 What is the IP address of the machine presumably leaking information?
270 Unknown, because we do have two shorter transmissions before a longer transmission from different source ips
272 Later the IP address turned out to be 192.168.67.84.
276 \fbox{\parbox{\textwidth}{
277 Do you think that you have found the covert channel?\\
278 Give a detailed description of where the covert channel is occurring (feature value:covert symbol relationship) and provide a capture of the plot where the abnormal behavior of the suspicious feature is isolated and clearly visible.
281 Not yet. We do not know if the three transmissions are connected to each other.
283 Most likely it is in the DSCP field of the third transmission. (This also has responses from the local system)
285 Turned out that the 6 bits from the DSCP field just needed to be concatenated and then split into 8 bit chunks again.
289 \fbox{\parbox{\textwidth}{
290 Write in the report the decoded message. Explain clearly how you carried out the decoding task (step by step in a numbered list).
293 ./exercise2/parse\_stream\_data.py
294 "Agent South already successfully infiltrated The minister's office. In the next step, we try to acquire data from the Ministry of Cyber Affair's office network. Stay tuned, I will keep you updated on the progress. (This message was sent by agent Scott)Agent South already successfully infiltrated The minister's office. In the next step, we try to acquire data from the Ministry of Cyber Affair's office network. Stay tuned, I will keep you updated on t"
298 \fbox{\parbox{\textwidth}{
299 Report briefly any additional comment or observation related to the exercise solving to be considered during the review of your exercise.
302 We did have a wireshark configuration issue as we had mistakenly configured it to show the IPID as the DSCP field and did miss the (correct) DSCP field completely.