]> git.somenet.org - pub/jan/netsec2.git/blob - report/content/exercise2.tex
SomeNet / public repos / pub / jan / netsec2.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Ex2-1 report done.
[pub/jan/netsec2.git] / report / content / exercise2.tex
1
2 \section{Exercise 2 - Task 1}
3 \subsection{Rep:2.a}
4 In order to use scapy we need to convert out pcap-ng dump to pcap.
5 \begin{verbatim}
6 $ editcap -F libpcap team15_ex21.pcapng team15_ex21.pcap
7 \end{verbatim}
8
9 We are only interested in flows with more (or equal) than 400 packets, each exported as a separate pcap file.
10
11 \begin{verbatim}
12 $ ./somefilter.py | sh
13 \end{verbatim}
14
15 ./somefilter.py
16 \begin{redframe}\begin{scriptsize}\begin{verbatim}
17 #!/usr/bin/env python
18
19 from scapy.all import *
20
21 def somefilter(pcapfile):
22     flows = dict()
23     for p in PcapReader(pcapfile):
24         if IP in p:
25             src = p[IP].src
26             dst = p[IP].dst
27
28             if (src,dst) in flows:
29                 flows[(src,dst)] +=1
30             else:
31                 flows[(src,dst)] = 1
32
33     for flow,cnt in flows.items():
34         if cnt >= 400:
35             print 'tshark -r '+pcapfile+' -w "flow_'+flow[0]+'_'+flow[1]+'.pcap" -F pcap ' \
36                    + '\'ip.src == '+flow[0]+' and ip.dst == '+flow[1]+'\''
37
38 if __name__ == "__main__":
39     somefilter("team15_ex21.pcap")
40 \end{verbatim}\end{scriptsize}\end{redframe}
41
42 With Wireshark we poked around and exported the flows to csv to further investigate.
43
44 While poking around we came across an unexpected value of srcport.
45 \begin{verbatim}
46 $ ./srcfeat_power.py --input flow_114.176.157.191_221.72.61.209.csv --feature srcport
47 # 114.176.157.191,541,2,1.5469339647025981
48 \end{verbatim}
49 There seemed to be 2 different srcports, occuring nearly equally often.
50 We looked into it with Rapidminer and found a suspiciously alternating srcport jumping between \emph{\textbf{5950}} and \emph{\textbf{5960}}.
51
52 \includegraphics[width=0.6\columnwidth,keepaspectratio]{content/e21_flow_114_176_157_191_221_72_61_209_srcport.png}
53
54 \subsection{Rep:2.b}
55 The message is \emph{\textbf{Data acquired. Key for message (len=42 \& pkts>200): nSa123 (Scott)}}
56
57 \begin{redframe}\begin{scriptsize}\begin{verbatim}
58 #!/usr/bin/env python
59
60 import csv
61 import binascii
62
63 def somedecode(filename):
64   with open(filename, 'rb') as csvfile:
65     spamreader = csv.reader(csvfile, delimiter=',', quotechar='"')
66     header = None
67     bits = ""
68
69     for row in spamreader:
70       if header is None:
71         header = row
72         continue
73
74       if row[2] == '114.176.157.191' and row[10] == '5950':
75         bits += "0"
76       if row[2] == '114.176.157.191' and row[10] == '5960':
77         bits += "1"
78
79     bits = bits[:-(len(bits)%8)]
80     print binascii.unhexlify('%x' % int(bits, 2))
81
82 if __name__ == "__main__":
83     somedecode("flow_114.176.157.191_221.72.61.209.csv")
84 \end{verbatim}\end{scriptsize}\end{redframe}
85
86
87 \section{Exercise 2 - Task 2}
88 \subsection{Rep:2.c}
89
90 Then we converted the file {\tt team15\_ex22.pcap} from the pcap-ng format to the pcap format to be able to use it with {\tt scapy}.
91
92 \begin{lstlisting}
93 $ editcap -F libpcap team15_ex22.pcap ex22.pcap
94 \end{lstlisting}
95
96 Then we filtered out the large flows with more than 200 packets and a frame length of 42 as mentioned in the solution from task 1.
97
98 % TODO \begin{didntwork}
99 ./task2/readflows.py
100 % {('53.151.211.106', '217.115.203.44'): (213, 0)}
101
102 filter into file
103 ip.addr == 53.151.211.106 and ip.addr == 217.115.203.44 and eth.len == 42
104
105 generate graph:
106 large\_flow.png
107
108 save bytes (ipid) from stream to file
109 ./decode\_ipid.py
110
111 try decoding with password from previous task
112 openssl enc -d -rc4 -nosalt -k nSa123 -in stream\_encrypted -out stream\_decrypted
113
114 -> didn't work
115
116 tried reversing the bytes (lower byte first, upper byte next)
117
118 -> didn't work
119
120 trying to decode the second-largest flow:
121 ip.addr == 96.55.191.225 and ip.addr == 217.115.203.44 and eth.len == 42
122
123 -> didn't work
124 % TODO \end{didntwork}
125
126 Finally we found out, that scapy removes the frame length when parsing packets with the {\tt PcapReader}.
127
128 This does not happen with the {\tt PcapRawReader}, so we rewrote the script a bit.
129
130 % TODO continue writing here
131
132 filter into files
133
134 ./readflows.py
135
136 manually create csv files
137
138 for i in large\_flow\_*.csv ; do ./../../only\_decimal.sh \$i > \${i\%.csv}.dehexed.csv ; done
139
140 ./autocorrelate.sh | grep -v "All values are identical" | sort -k2
141
142 -> ./parse\_stream\_data.py
143
144 \subsection{Rep:2.c}
145 Agent South was captured! Aborting operation. (Agent Scott)