\section{Exercise 2 - Task 1}

First we converted the file {\tt team15\_ex21.pcap} from the pcap-ng format to the pcap format to be able to use it with {\tt scapy}.

\begin{verbatim}
user@host ~ % editcap -F libpcap team15_ex21.pcap ex21.pcap
\end{verbatim}
Then we filtered for the large flows, i.e. those with 400 or more packets.

% TODO include readflows.py-source

\begin{verbatim}
user@host ~ % ./readflows.py
{('113.15.85.25', '179.160.238.111'): (463, 0),
('114.176.157.191', '221.72.61.209'): (541, 0),
('134.134.122.170', '179.187.246.122'): (419, 0),
('179.187.53.117', '129.49.173.82'): (472, 0),
('211.2.138.61', '144.66.241.253'): (462, 151),
('221.100.234.92', '161.194.49.146'): (547, 0),
('8.73.98.88', '144.66.191.77'): (535, 0)}
\end{verbatim}

(Format: {\tt (src, dst) : (srctodst, dsttosrc)})
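As an added example (this is not the authors' {\tt readflows.py}, which is not reproduced here), the same per-flow packet counting can be done without {\tt scapy} by parsing the classic libpcap format that {\tt editcap -F libpcap} writes. The block assumes Ethernet/IPv4 frames, that the 400-packet threshold applies to the sum of both directions, and constructs its own tiny capture in memory; the helper names ({\tt parse\_pcap}, {\tt count\_flows}, {\tt large\_flows}) are my own.

```python
import struct

# Constants for the constructed parser; not from the authors' script.
ETH_P_IP = 0x0800
PROTO_TCP = 6
PROTO_UDP = 17


def parse_pcap(data):
    """Yield (src, dst, sport, dport, frame_len, ip_id) for every IPv4 packet in a
    classic libpcap capture. pcap-ng must be converted first (as done with editcap)."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"          # file written little-endian
    elif magic == 0xD4C3B2A1:
        endian = ">"          # file written big-endian
    else:
        raise ValueError("not a classic pcap file")
    off = 24                  # skip the global header
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < 34:
            continue                                  # too short for Ethernet + IPv4
        ethertype, = struct.unpack_from("!H", frame, 12)
        if ethertype != ETH_P_IP:
            continue
        ihl = (frame[14] & 0x0F) * 4                  # IPv4 header length in bytes
        ip_id, = struct.unpack_from("!H", frame, 18)  # identification field
        proto = frame[23]
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        sport = dport = None
        if proto in (PROTO_TCP, PROTO_UDP) and len(frame) >= 14 + ihl + 4:
            sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
        yield src, dst, sport, dport, len(frame), ip_id


def count_flows(packets):
    """Count packets per address pair in the readflows.py output format:
    (first_seen_src, dst) -> (src_to_dst, dst_to_src)."""
    counts = {}
    for src, dst, *_ in packets:
        if (src, dst) in counts:
            counts[(src, dst)][0] += 1
        elif (dst, src) in counts:
            counts[(dst, src)][1] += 1
        else:
            counts[(src, dst)] = [1, 0]
    return {pair: tuple(v) for pair, v in counts.items()}


def large_flows(counts, threshold=400):
    """Keep flows whose packet total over both directions reaches the threshold
    (assumption: the writeup's '400 packets' counts both directions)."""
    return {pair: v for pair, v in counts.items() if v[0] + v[1] >= threshold}


# --- constructed sample capture (not data from the exercise) -------------------
def build_packet(src, dst, sport, dport, ip_id, proto=PROTO_TCP):
    eth = b"\x00" * 12 + struct.pack("!H", ETH_P_IP)
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 16   # 20-byte transport header
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), ip_id, 0, 64, proto, 0, src_b, dst_b)
    return eth + ip + l4


def build_pcap(frames):
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    records = [struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return header + b"".join(records)


SAMPLE_PCAP = build_pcap(
    [build_packet("10.0.0.1", "10.0.0.2", 5950 if i % 2 == 0 else 5960, 80, i) for i in range(5)]
    + [build_packet("10.0.0.2", "10.0.0.1", 80, 5950, 100 + i) for i in range(2)]
    + [build_packet("10.0.0.3", "10.0.0.4", 1234, 53, 7, PROTO_UDP)]
)


def demo(threshold=5):
    counts = count_flows(parse_pcap(SAMPLE_PCAP))
    return counts, large_flows(counts, threshold)
```

On the real capture the threshold stays at 400 and the input comes from {\tt open("ex21.pcap", "rb").read()}; the sample uses a threshold of 5 only because the constructed capture is small.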
We then split the pcap into one file per flow, {\tt large\_flow\_\{1..7\}.pcap}, using the following display filters:

\begin{verbatim}
(ip.addr == 113.15.85.25 and ip.addr == 179.160.238.111)
(ip.addr == 114.176.157.191 and ip.addr == 221.72.61.209)
(ip.addr == 134.134.122.170 and ip.addr == 179.187.246.122)
(ip.addr == 179.187.53.117 and ip.addr == 129.49.173.82)
(ip.addr == 211.2.138.61 and ip.addr == 144.66.241.253)
(ip.addr == 221.100.234.92 and ip.addr == 161.194.49.146)
(ip.addr == 8.73.98.88 and ip.addr == 144.66.191.77)
\end{verbatim}
We also exported csv files for all pcap files.

Then we generated graphs to visualize the respective flows and found that the second flow has suspicious source ports, alternating between two values ({\tt 5950} and {\tt 5960}).

% TODO include gnuplot-source

% TODO include bitstobytes.py-source
\begin{verbatim}
user@host ~ % ./decimal_only.sh large_flow_2.csv > large_flow_2.dehexed.csv
user@host ~ % cat large_flow_2.dehexed.csv | awk -F, '{print $8}' | sed 's/5950/0/' | sed 's/5960/1/' | sed 's/"//g'
user@host ~ % ./bitstobytes.py
\end{verbatim}
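The source-port channel of flow 2, decoded as an added example (this is not the authors' {\tt bitstobytes.py}). The port-to-bit mapping comes from the {\tt sed} pipeline above (5950 is 0, 5960 is 1); that bits are packed most-significant first is an assumption, so the decoder takes the bit order as a parameter. The port sequence is constructed inside the block, and the function names are mine. The block also includes the defender-side check that made the flow stand out in the graph: a long flow whose source ports take exactly two distinct values.

```python
# Constructed example, not the authors' script. Symbols of the two-port channel:
PORT_ZERO, PORT_ONE = 5950, 5960


def ports_to_bits(ports):
    """Map each packet's source port to a channel bit; any other port is rejected,
    since a third value would mean the flow is not the two-symbol channel."""
    mapping = {PORT_ZERO: 0, PORT_ONE: 1}
    try:
        return [mapping[p] for p in ports]
    except KeyError as exc:
        raise ValueError(f"source port {exc.args[0]} is not a channel symbol") from None


def bits_to_bytes(bits, msb_first=True):
    """Pack bits into bytes; a trailing partial byte is dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        chunk = bits[i:i + 8]
        if not msb_first:
            chunk = chunk[::-1]
        value = 0
        for bit in chunk:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def decode_ports(ports, msb_first=True):
    """Full pipeline: source ports -> bits -> bytes (bit order is an assumption)."""
    return bits_to_bytes(ports_to_bits(ports), msb_first)


def two_symbol_port_flow(ports, min_packets=200):
    """Detection check: a flow with many packets whose source ports take exactly two
    distinct values instead of the usual ephemeral-port spread. The packet
    threshold mirrors the 'pkts>200' hint from the task."""
    return len(ports) >= min_packets and len(set(ports)) == 2


def message_to_ports(message, msb_first=True):
    """Build the constructed test sequence (sample data, not the capture): one
    port per bit of each byte."""
    ports = []
    for byte in message:
        bits = [(byte >> k) & 1 for k in range(7, -1, -1)]
        if not msb_first:
            bits = bits[::-1]
        ports.extend(PORT_ONE if bit else PORT_ZERO for bit in bits)
    return ports


# Constructed sample: the key recovered in this task, as a source-port sequence.
SAMPLE_PORTS = message_to_ports(b"nSa123")


def demo():
    return decode_ports(SAMPLE_PORTS), two_symbol_port_flow(SAMPLE_PORTS, min_packets=40)
```

On the real data the port list is column 8 of {\tt large\_flow\_2.dehexed.csv}; if the MSB-first decoding yields garbage, rerun {\tt decode\_ports} with {\tt msb\_first=False} before looking for other causes.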
\fbox{\parbox{\textwidth}{Data acquired. Key for message (len=42 \& pkts>200): nSa123 (Scott)}}
\section{Exercise 2 - Task 2}

We converted the capture from the pcap-ng format to pcap for {\tt scapy}:

\begin{verbatim}
editcap -F libpcap team15_ex22.pcap ex22.pcap
\end{verbatim}

Then we filtered for the large flows (more than 200 packets and {\tt frame.len == 42}):

\begin{verbatim}
{('53.151.211.106', '217.115.203.44'): (213, 0)}
\end{verbatim}

and extracted this flow with the display filter

\begin{verbatim}
ip.addr == 53.151.211.106 and ip.addr == 217.115.203.44 and eth.len == 42
\end{verbatim}
We saved the bytes carried in the IP ID field of the stream to a file and tried to decrypt them with the password from the previous task:

\begin{verbatim}
openssl enc -d -rc4 -nosalt -k nSa123 -in stream_encrypted -out stream_decrypted
\end{verbatim}

We also tried reversing the bytes of each IP ID (lower byte first, upper byte next).
We then tried to decode the second-largest flow:

\begin{verbatim}
ip.addr == 96.55.191.225 and ip.addr == 217.115.203.44 and eth.len == 42
\end{verbatim}

We found out that {\tt scapy} removes the frame length from the packet and rewrote the script accordingly.
We then created the csv files manually:

\begin{verbatim}
for i in large_flow_*.csv ; do ./../../only_decimal.sh $i > ${i%.csv}.dehexed.csv ; done
./autocorrelate.sh | grep -v "All values are identical" | sort -k2
\end{verbatim}

and finally ran {\tt ./parse\_stream\_data.py}, which yielded:
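The IP ID extraction and RC4 decryption of this task, as an added example (this is not the authors' {\tt parse\_stream\_data.py}). It covers the three points the notes record: only frames of length 42 carry the channel and the length has to be checked before {\tt scapy} strips it, each 16-bit IP ID holds two bytes whose order was unknown (so both orders are tried), and the key derivation of {\tt openssl enc -rc4 -nosalt -k <password>}, which is EVP\_BytesToKey with MD5, one round and no salt, i.e. the 128-bit RC4 key is MD5(password). The flow records are constructed inside the block (the assumed sender packs ciphertext low byte first), and all function names are mine.

```python
import hashlib

# Constructed example, not the authors' script.


def rc4(key, data):
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def openssl_rc4_key(password):
    """Key that `openssl enc -rc4 -nosalt -k <password>` uses: EVP_BytesToKey with
    MD5, one round, no salt, 16-byte key -> MD5(password)."""
    return hashlib.md5(password).digest()


def ipids_to_bytes(ip_ids, order):
    """Two payload bytes per 16-bit IP ID: 'big' emits the upper byte first,
    'little' the lower byte first (the reversal tried in the writeup)."""
    out = bytearray()
    for value in ip_ids:
        hi, lo = (value >> 8) & 0xFF, value & 0xFF
        out.extend((hi, lo) if order == "big" else (lo, hi))
    return bytes(out)


def channel_ipids(records, frame_len=42):
    """Keep the IP IDs of frames with the channel's frame length. The length must be
    taken from the frame record itself, since scapy drops it from the packet."""
    return [ip_id for flen, ip_id in records if flen == frame_len]


def recover_stream(records, password, frame_len=42):
    """Decrypt the extracted stream for both byte orders; the reader picks the one
    that yields text, which is what the two attempts in Task 2 amounted to."""
    key = openssl_rc4_key(password)
    ids = channel_ipids(records, frame_len)
    return {order: rc4(key, ipids_to_bytes(ids, order)) for order in ("big", "little")}


def printable(data):
    return all(32 <= b < 127 for b in data)


# --- constructed sample flow: (frame length, IP ID) per packet -----------------
SAMPLE_PASSWORD = b"nSa123"
SAMPLE_PLAINTEXT = b"constructed sample text!"   # even length: two bytes per IP ID


def build_sample_records():
    """Assumed sender: RC4 ciphertext packed two bytes per IP ID, low byte first,
    in 42-byte frames, with larger unrelated frames interleaved as noise."""
    ct = rc4(openssl_rc4_key(SAMPLE_PASSWORD), SAMPLE_PLAINTEXT)
    records = []
    for k in range(0, len(ct), 2):
        records.append((42, ct[k] | (ct[k + 1] << 8)))
        if k % 6 == 0:
            records.append((60, 0x1234))            # noise packet, not part of the channel
    return records


SAMPLE_RECORDS = build_sample_records()


def demo():
    result = recover_stream(SAMPLE_RECORDS, SAMPLE_PASSWORD)
    return {order: (printable(data), data) for order, data in result.items()}
```

On the real flow the records come from the 42-byte frames of the extracted pcap and the output of the matching byte order is what {\tt openssl enc -d} would have written to {\tt stream\_decrypted}.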
\fbox{\parbox{\textwidth}{Agent South was captured! Aborting operation. (Agent Scott)}}