exercise2.tex

[pub/jan/netsec2.git] / report / exercise2.tex

\section{Exercise 2 - Task 1}
\subsection{Rep:2.a}

First we converted the file {\tt team15\_ex21.pcap} from the pcap-ng format to the pcap format to be able to use it with {\tt scapy}.
\fbox{\parbox{{\textwidth}
}}
\begin{lstlisting}
user@host ~ % editcap -F libpcap team15_ex21.pcap ex21.pcap
\end{lstlisting}

Then we filtered out the large flows with more or equal than 400 packets.

% TODO include readflows.py-source

\begin{lstlisting}
user@host ~ % ./readflows.py
{('113.15.85.25', '179.160.238.111'): (463, 0),
 ('114.176.157.191', '221.72.61.209'): (541, 0),
 ('134.134.122.170', '179.187.246.122'): (419, 0),
 ('179.187.53.117', '129.49.173.82'): (472, 0),
 ('211.2.138.61', '144.66.241.253'): (462, 151),
 ('221.100.234.92', '161.194.49.146'): (547, 0),
 ('8.73.98.88', '144.66.191.77'): (535, 0)}
\end{lstlisting}

(Format: {\tt (src, dst) : (srctodst, dsttosrc)})

We then split the pcap into different files for each stream using the following filter expressions into the files {\tt large\_flow\_\{1..7\}.pcap}:
\begin{lstlisting}
(ip.addr == 113.15.85.25 and ip.addr == 179.160.238.111)
(ip.addr == 114.176.157.191 and ip.addr == 221.72.61.209)
(ip.addr == 134.134.122.170 and ip.addr == 179.187.246.122)
(ip.addr == 179.187.53.117 and ip.addr == 129.49.173.82)
(ip.addr == 211.2.138.61 and ip.addr == 144.66.241.253)
(ip.addr == 221.100.234.92 and ip.addr == 161.194.49.146)
(ip.addr == 8.73.98.88 and ip.addr == 144.66.191.77)
\end{lstlisting}

We also did generate csv files for all pcap files.

Then we generated graphs to visualize the respective flows and found that the second flow has suspicious source ports, alternating between two values ({\tt 5950} and {\tt 5960}).

% TODO include gnuplot-source

% TODO include image
large\_flow\_2.png

% TODO include bitstobytes.py-source

\begin{lstlisting}
user@host ~ % ./decimal_only.sh large_flow_2.csv > large_flow_2.dehexed.csv
user@host ~ % cat large_flow_2.dehexed.csv | awk -F, '{print \$8}' | sed 's/5950/0/' | sed 's/5960/1/' | sed 's/"//g'
user@host ~ % ./bitstobytes.py
\end{lstlisting}

\subsection{Rep:2.b}
\fbox{\parbox{\textwidth{{Data acquired. Key for message (len=42 \& pkts>200): nSa123 (Scott)}}

\section{Exercise 2 - Task 2}
\subsection{Rep:2.c}

pcap-ng format to pcap for scapy
editcap -F libpcap team15\_ex22.pcap ex22.pcap

filter out large flows (>200 packets and frame.len == 42)

./task2/readflows.py
% {('53.151.211.106', '217.115.203.44'): (213, 0)}

filter into file
ip.addr == 53.151.211.106 and ip.addr == 217.115.203.44 and eth.len == 42

generate graph:
large\_flow.png

save bytes (ipid) from stream to file
./decode\_ipid.py

try decoding with password from previous task
openssl enc -d -rc4 -nosalt -k nSa123 -in stream\_encrypted -out stream\_decrypted

-> didn't work

tried reversing the bytes (lower byte first, upper byte next)

-> didn't work

trying to decode the second-largest flow:
ip.addr == 96.55.191.225 and ip.addr == 217.115.203.44 and eth.len == 42

-> didn't work

found out, that scapy removes the frame length from the packet, rewrote the script...

filter into files

./readflows.py

manually create csv files

for i in large\_flow\_*.csv ; do ./../../only\_decimal.sh \$i > \${i\%.csv}.dehexed.csv ; done

./autocorrelate.sh | grep -v "All values are identical" | sort -k2

-> ./parse\_stream\_data.py

\subsection{Rep:2.c}
Agent South was captured! Aborting operation. (Agent Scott)