From 55670e545762b64bdca7eb2ab628de02cd890cd3 Mon Sep 17 00:00:00 2001
From: David Kaufmann
Date: Wed, 13 Jan 2016 17:33:02 +0100
Subject: [PATCH] update exercise{1,2}.tex

---
 exercise1.tex | 61 +++++++++++++++++++++++++++++++++++++++++++++------
 exercise2.tex | 18 +++++++--------
 2 files changed, 63 insertions(+), 16 deletions(-)

diff --git a/exercise1.tex b/exercise1.tex
index 979399b..d29fef1 100755
--- a/exercise1.tex
+++ b/exercise1.tex
@@ -1,23 +1,70 @@ % tunet und eduroam down... \section{Rep:1.a} -Own IP: 192.168.67.37 + +\noindent\fbox{% +\parbox{\textwidth}{% + What is the IP address of the suspicious notebook? +}% +} + +The IP address of the suspicious notebook (our own IP address) is {\tt 192.168.67.37}. \section{Rep:1.b} -192.168.67.83 + +\noindent\fbox{% +\parbox{\textwidth}{% + What is the IP address of the machine presumably leaking information? +}% +} + +The remote IP address is {\tt 192.168.67.83}. \section{Rep:1.c} -ip.addr == 192.168.67.83 + +\noindent\fbox{% +\parbox{\textwidth}{% + Give a detailed (but brief) explanation of these steps you carried out to filter irrelevant data (either Wireshark or Rapidminer). + Do also specify the keyworks and operators required. +}% +} + +The necessary wireshark filter expression is {\tt ip.addr == 192.168.67.83}. +% TODO more verbose? \section{Rep:1.d} -Unusable features: -No. -> generated while monitoring -fixed values: -Source IP (192.168.67.83), Destination IP (192.168.67.37), Protocol (UDP), Length (82), TTL (64), Dest port (118), Flags (empty), Frag offset (0) +\noindent\fbox{% +\parbox{\textwidth}{% + Which features are not viable to mask a covert channel and could be removed from the analysis? + List the rejected features and provide short but meaningful reasons for rejection. +}% +} + +\begin{itemize} + \item {\tt No.} (it is generated while monitoring and is strictly monotonically increasing by 1 with each packet) + \item {\tt Source IP} (fixed value: {\tt 192.168.67.83}) + \item {\tt Destination IP} (fixed value: {\tt 192.168.67.37}) + \item {\tt Protocol} (fixed value: {\tt UDP}) + \item {\tt Length} (fixed value: {\tt 82}) + \item {\tt TTL} (fixed value: {\tt 64}) + \item {\tt Dest port} (fixed value: {\tt 118}) + \item {\tt Flags} (none set) + \item {\tt Frag offset} (fixed value: {\tt 0}) +\end{itemize} + +Fixed values have been rejected as it is not possible to hide information within. 
\section{Rep:1.e} +\noindent\fbox{% +\parbox{\textwidth}{% + From the remaining features, which ones are not viable to mask a covert channel and could be removed from the analysis? + List the newly rejected features and provide short but meaningful reasons for rejection. +}% +} + +% TODO continue writing here. repeating transfers, transfers seem separable over time via the udp.srcport attribute diff --git a/exercise2.tex b/exercise2.tex index d9faa04..ead2bcf 100644 --- a/exercise2.tex +++ b/exercise2.tex @@ -1,7 +1,7 @@ \section{Rep:2.a} pcap-ng format to pcap for scapy -editcap -F libpcap team15_ex21.pcap ex21.pcap +editcap -F libpcap team15\_ex21.pcap ex21.pcap filter out large flows (>=400 packets) @@ -28,9 +28,9 @@ split into separate files generate csv from wireshark for full pcap generate graphs: -large_flow_2.png +large\_flow\_2.png -cat large_flow_2.dehexed.csv | awk -F, '{print \$8}' | sed 's/5950/0/' | sed 's/5960/1/' | sed 's/"//g' > bits +cat large\_flow\_2.dehexed.csv | awk -F, '{print \$8}' | sed 's/5950/0/' | sed 's/5960/1/' | sed 's/"//g' > bits ./bitstobytes.py \section{Rep:2.b} @@ -39,7 +39,7 @@ Data acquired. Key for message (len=42 & pkts>200): nSa123 (Scott) \section{Rep:2.c} pcap-ng format to pcap for scapy -editcap -F libpcap team15_ex22.pcap ex22.pcap +editcap -F libpcap team15\_ex22.pcap ex22.pcap filter out large flows (>200 packets and frame.len == 42) @@ -50,13 +50,13 @@ filter into file ip.addr == 53.151.211.106 and ip.addr == 217.115.203.44 and eth.len == 42 generate graph: -large_flow.png +large\_flow.png save bytes (ipid) from stream to file -./decode_ipid.py +./decode\_ipid.py try decoding with password from previous task -openssl enc -d -rc4 -nosalt -k nSa123 -in stream_encrypted -out stream_decrypted +openssl enc -d -rc4 -nosalt -k nSa123 -in stream\_encrypted -out stream\_decrypted -> didn't work 
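Review bot: The closing sentence of Rep:1.d, `Fixed values have been rejected as it is not possible to hide information within.`, gives the wrong reason: a field that is constant in this capture carries no information because it shows no variation across the observed packets, not because the field itself could never be used for a covert channel. Suggest `Fields that never vary across the captured packets carry no information, so they cannot encode a covert channel in this trace.`. The `No.` item is the capture tool's frame counter and is never transmitted on the wire, so it should be rejected on that ground rather than for being monotonically increasing. For Rep:1.c the question also asks for the keywords and operators used; one sentence stating that `ip.addr` matches either endpoint of a packet and `==` tests for equality would resolve the open `% TODO more verbose?` and explain why the filter is sufficient even though, as Rep:1.d shows, only the .83 to .37 direction remains afterwards.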
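Review bot: The new line `editcap -F libpcap team15\_ex21.pcap ex21.pcap`, and the corresponding lines in hunks @@ -28,9, @@ -39,7, @@ -50,13 and @@ -77,11, escape shell commands by hand inside running text, which is error-prone (the @@ -77,11 hunk still leaves `$i` unescaped) and turns the source of each command into something that no longer runs as written. Typesetting each command with `\verb|...|` or inside a `verbatim` environment removes the need to escape `_`, `$`, `%` and `>` at all, and keeps the commands and their prose separated. Unless the document loads `\usepackage[T1]{fontenc}`, the `>` in the context line `-> didn't work` and in the added `-> ./parse\_stream\_data.py` will be typeset as an inverted question mark in text mode, which verbatim also avoids.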
@@ -77,11 +77,11 @@ filter into files manually create csv files -for i in large_flow_*.csv ; do ./../../only_decimal.sh $i > ${i\%.csv}.dehexed.csv ; done +for i in large\_flow\_*.csv ; do ./../../only\_decimal.sh $i > ${i\%.csv}.dehexed.csv ; done ./autocorrelate.sh | grep -v "All values are identical" | sort -k2 --> ./parse_stream_data.py +-> ./parse\_stream\_data.py \section{Rep:2.c} Agent South was captured! Aborting operation. (Agent Scott) -- 2.43.0
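Review bot: The added line `for i in large\_flow\_*.csv ; do ./../../only\_decimal.sh $i > ${i\%.csv}.dehexed.csv ; done` leaves `$i` and `${` unescaped, so LaTeX reads `$i > $` as an inline math span and the shell variable and redirection disappear from the typeset output; the old line had the same problem and the commit only fixed the underscores. Either escape them as `\$i > \$\{i\%.csv\}.dehexed.csv` or put the whole command in `\verb|...|`, which would also make the `\_` and `\%` escapes unnecessary.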