From 748bd1f07ac070633b591cc13858a76ac5b8b408 Mon Sep 17 00:00:00 2001 From: Jan Vales Date: Sat, 16 Jan 2016 22:11:19 +0100 Subject: [PATCH] Ex1-report is now *really* done. --- report/content/e12_dst_ports.png | Bin 0 -> 7645 bytes report/content/e12_local.png | Bin 0 -> 8364 bytes report/content/exercise1.tex | 169 +++++++++++-------------------- report/main.tex | 2 +- 4 files changed, 62 insertions(+), 109 deletions(-) create mode 100644 report/content/e12_dst_ports.png create mode 100644 report/content/e12_local.png 
diff --git a/report/content/e12_dst_ports.png b/report/content/e12_dst_ports.png new file mode 100644 index 0000000000000000000000000000000000000000..d3a3b627f52db00eee04161440ec3b125423c33c GIT binary patch literal 7645 zcmeHMeK-^9`=4s*OlXBEjiU37=tZ4KvvE2~PA6|AN6KO$l~yU_Wwbh)@{;r}=8zPz zN=Vr3bZVXC{p4+7wUp&$lbK;Jzh@g#M;*WKb-w?d>l)Xt=X&-$_w(GJ`@TQ-=ZSW- zw^fDBgFzq=RlAKg&Jf6yRPc9r#uPAe{$_gt1cJP7XY>8m;O6d@eId=yv`%_PU98zX zUw7Wrr~9u-uZ7P}-*whzQ+UF*fnjw2BNX$-t+b?-XU;4)hd`>42si|i%2I+v5|tqk zm@Wij7%Usm6CPUJ-gb#P*ewkgV>=P6htXElL;}*e{#*+Gbf)X_hu;fY`LyeWewutN z?-DAS8P2iN8*qD;kc3`kEWLMle=X&pJlP%WvMDnw_P(Vf|G9|JW$K*ed$P`D{pq78w<;ODiVsS zo|p(LYnf)dE0=+7%9jfmtR1hp)eN5bxp2^)IjdK6c_u9x|TPa$! zz7^Q3Ukna2Wca>_ol%G`{XJ0c)terns?pt+&>!&(vn{+cP_mFkXt!#Jc;lDTl6b3g~)Wo&$SOUXN<)$PGZ^?!V2-;sSu5@`KxrSbTgll*KHrd;-${( zUbiojv|XUJr?Qo->5Kyd@2s?nd#nEQR^-`#o_6^1;3;NXE|q&}I>4bTPX~taZKnD4 zH+ep)An8JY3mtAX=2S&c5WMGd_WN&qq7OG*=%;(h3Sx8`yVb9R<)6#M@v1*Jy^%H@8C28Z~taL zkZl;Oub-xt!HOo4G)my5Zd#~yINLp4+BL?(i;p9Jy=(AYAQ(r(;R*0k;$nS$XI_+5 z*U!Ho!3s7MR`RsKlTYHR8=ZI?_%=2+8~Csk5@{n{rzXjJZpB@k`W>7)ICxc@OXFP_ z3g$td1BcHAE9>j)L-98Fi;uxi;qy@7XRUU-z^*f5kzm}x#^$=h9-?` z2N(mkBbuiHLsq7_^1zm`R#J-07|p<#4$YFpGR2CrQ4;AXNxq{|ut7+kNxH?aO;gw9 zDT8U2C^a*b0D=-k%1-ogp;nVKiWC2Jsf~1*)y_QFSLTe{E->b8<6UL&(J0AzG?~*M zywfx?Uv}3M-Vw9Na>XzgmV#7HLWV{nLl^9(Q>5(L3ubBR=9uR2RqY}Z;3RQ04AZWo z5q5hoO*}*^Xmz%*+61mMwxiA?Co)K*Ko+v(D(!mA*Vd*)f6jOG>v==z?n94%vDqHpddW!)B5D@??JZ zH3?pRZwn8&|7id(<%Cs!a%M{F5nP4j_PbWaO%TzGn69T=x}x&=fg4Qr0vMn!@}$m-u^i4Of;rN2Rx@YeYNI@zm+@4Y-UJ^{{Drqz0r2 zFrum*U2#rP1+SaD_V?*z&OtVRNPt=`m2TxxXzmq+Ok&%SOYh@WOR3gT1!>yJd!RJ` z?tV%ehAMr~C-ko)v4>7Qr%-}m9zL;@hJoJu7nnQ9j1K!0=8sXEOr!c<2s@Xp+8<$c zR-1h#03{+U=(P!|hcXbNu7HJkQ1XY{(eGI1nqf0gr%dj1daUHP|*?2MCu9$3@WcYGm<{kzcr_>Lk@6Qv@to1^scPQeuQ9dat88Tb&pUdB$2 z8cvjmKjxs=4p61WDuYNKGQS|d#!gyI%J;;{3$``L^^+(=_EQuT%n;BP8BvlK2F;R5 zFtZK(Niwr`0|HP8H&C&XeD}|NNZr4}Jj-rXfi$-zG@d{g+Ga7s4d0iqPRf2W}TR zFkUx8@6LSO?Gxb_wf70Obh|IEj>h=ACJ)*e3m?X_^cM3vtq2mhxJYm)KlEfJF6`L~ 
zpBRws9yiuSs}0T<)us!O@o%kq0NLW}0JfD+!@R>BV3#J&M0mwqcr`bPql-(OS=IE@ zN|T>?uPXbgBK1&BaV=#^F{7Um*MSqKg;W~VUE!)tiG6FYi#rb&&zM`^TD$YWdVC^N zWLEUtmIotrT2}?|VAQ;(!+2=hq9+pa30GdeEk7wGh8!Nh<9y*CN2TYky-E>k;I1K> zENWJEt$ET2ZL3gj*-`nu^00HvN{w{w#~q1XVOy7?FlpyTp!+cd>Qp3UuS(*xzLoJ| z83V`QZQ5oVgeahW_s4!BUc}o;&y#l;aV}X1dHW!9+O1|8qjFjdl?oeMm~WnsP@T+E zaB*E8cdQ3Uwue#6U1iiMc1;>~_-4dtNN&C|N~`UMmV}Vkf7TJ4?lZHfk_WLf&o(?J zd90>o9H0;5R(%>*X)`9~TzTwWc_V!b2)>Eue7p;JIshG@yfOMp%zSK&{=cMDaB~dK zip}JlbaD(>qUiFz!b!=lJn!YAkW#Zd)jqO@5Kv?eL33QI1<2U{I315~BLA&@|IB66 z4x&>ey@%hO1yp0ftV}~;Q!`y0e!8m9m z-Ae7J6mu?xY1N*Csx;a67PG+MiKlIVh3UMio;5Y=_64LBTl~t%J$#VvP+oGif&iBek>D*FWB4eEN`3 zr~M8wA{1@kua7bqx|e;vqFR>uA8+7io5FG`qI(Fztv;F{3Crvjvx0 z;==9(;n(lXXWOXww{6?X`vDOKFWJ28^)$OEFH8R@ult(mZSxgP%wD=q#Y8=vt&G!6 zkuf(%-c-cIWjIX6=@!fy?S>}q&;DKLAH5?qLiCR709b};25SqDwRB$U`YT$PUy^%V zop_(7`!8hj|2o@4DPL$(KP8B1zKk*Q$6TvmXXz}tuJ9$UHKOiV%f*AqF|x7h^7jc} zrn-5L$s#}rlV2Io=)R)C(CJ!N(F?u{RhR@flFN6KK0oLwzebP=S?_2iVp~8TMr*s5 zhKPOiDm5i5JcB)I;LqQB(5nbPBoS%PJtc{WDKj4%ZkT)e?%o*B4SZ!S(GOjP+7TKb zv8Lq{IqP$_JZZ@bke;u|Vjnft6lA)^h|GuY9N{BC!23)r9-nyUkII5_C3phNyOYiKWu;!?mz(4(?`>OXBEE>l z=dFGaksWgIq82Q~DwS2(GCf~~$~tZQ0#$q{TPqBX?Q|{P6@phcLpfO8JF+mN>o&!? zzPuiLAxp~=6^(Efv9`AC=QNafs2T|$Lak5--lwuU2iIPQpJCdSlpUGW#17vHSN z*}}QuH@L!7oN(a9G0)P_qaqKha0c~>%I){1{9Erg*ZJh-zx4C(shjsQ=U75Z z^jb_0^Gy~t<9fxgT?zUL^UXFwEYGZH)&2q>?(z!L%Tm&B%r_878Ap$L8oY>(f2tXM zy8&;Tk(A=-XL?hiVCW|Ebsl+MHcJVrUdBEOoNRrPh#lJ9R!BDOLdYhNw(^Xz%fqLF zwHAcYLuY{p7Dx+*s0=U!zQJ_M+*Bljl^F=5Pu@)@-WZ{zfYCHo1RNKz{&Gh7Wnd)4 NZoR!t?z&yX{{zXsuG0Vj literal 0 HcmV?d00001 
diff --git a/report/content/e12_local.png b/report/content/e12_local.png new file mode 100644 index 0000000000000000000000000000000000000000..1cabf17cbd1e655e63674f873ab8a588eaa5341a GIT binary patch literal 8364 zcmeHN2~<;8w+;yqG)h2gsWJo&qIM7m5G_McXrpz&->Os*uC0n%lqd=b0ttay@L33g zf}#?KDq5AOC@6&FS`-9CpbDr+5}5@_E(SZx{QeTlho_>dd&>qM?f0h#(CY%~)&=#~tE2le-Lg-g?uoq^n*Ex$eIN@gx`66y z0umr%Fs2R|jD;r#W5obDApiFB#lr9BS}7)5c%~L+=IH5Z^mQupex9f5!Y?t`Tp^b# z_vP|jSMi5c)C;P}oq{j3ILqZtzr<|Jl4Z8bf6<(ArF>k)`9j|Ei{_Rq#ic6qf@<4N zW>A*+Xggh9ZLv}n^dii2!nQG?#nAbJhT5hW^(Zch(kHlr(o^E2H zlH3K&LefojU5S@<#}d4o(^;J+Y`il;b0=Li=@v9dtf_9*ezf;8DVlD(vstymdp#n}8A+r>RQxJP4>f6-&yMD20A z&vka1YtWRwvm3h5ynp{y_()8KUkmzk9E`(Y*idRtPL6v62J;Ak)>$draFlZO%bv*l zX)p%ov~__a(m2i&?5&uLNIZy7JRU(sl#HdY;}sM`3H_u@0ze}7y)h| z9FBv@OTit=tr=`QD57{%(OJ7OBLU`p0?a8SxWw#Us3(w&(yX4j}MM*uGJi*O&*%NJ6ii=I@ zhEUe@T6K}B!+GI*=5Yv{CkvGYisZUbUEf*Ab>TVgp{k_}OLcXyd#gip7WmGZbyt*S;G%lSI>tCy&`4L3+lZcyVN0Q!>VK#0+KC!9Pb3yLg}Ilj$9Nf<>(M*SuU3}ui7*A8tqerF=DV?V)=Nh__KMGaMz_k@15<~<`>}x$T zw-}q!Vi?^4<+{(Im-y$Q_*f8ij(B}teVN3;G z8O_M<_ZIr|sSKsN%z!2UKZn6Y`2Z`n`wa-p?=)Ws_A~DXj-+uaO&HUEtXTGw!p$C< z{ZuR&6wgG;)Xg3zlGRI#?T7>0Jnoc^w| zG}=!F3UHsD_ zL>*xTPgxhdI)bvB?URPlz>UR~ zHthfLz@^(M^hWK2`wOt*wW&zgSf~3`5-{lpO${K2kz3kgG1*CFYtZu{Obw{Xc z)^Q(s&r*90y!Z;)lq;R6;kCcNX6G4cJ@Y1X>tipa_v#Y^)s;+Qk)2(wKV#}qp~&Tn z_5zYJdX<{0dEL{2J-`a+go&5bdpU)3G6wnUj}1Jja{jT@XZH&Zp-x#Bdm$QJBO|QwvD9A#JihewFwQ1A6I|_cjyXpiO76%3hz| zWU9N{yS%CW9-HFIOeYmZQKZ)jx#rm=+aQOvio>NmmG|9JnA6$)DGri9TG`nlDKlf1 za3+0A>>%|!GH;fst`nOBrst87uT+UVGU9NLbJyCpTaXV2=t`4GwJtWwIn=&9GiC;P za5WohwAM}ofI%rg=!htSC)n_=Mpa7PXVy{n2FRUaY55KEE#cjRd}rh=H$k|A-yxCB zef}|m1WCN`!d9}fb(f^9HEZft<_y@qnz8i5 zUvZe-V=7qWh!D&HeLl4T%Nk@(T8@eX6wYQOpqO$N(9;Eo%^leER~2F9jo2j9BR(-m z3C;0Ss7_!iqt{;j?Dw?-A;usCT8cUiEWgCozZbl}A>{$Tq4rq~>k5KrG$!u0xoDqJ zHLxj!-{Ux%<&ndKn8A@Gpu8i^-$*W)*)vq=Soke909?Spb-13$;3oj3+sj%}wqOio zgGI^1OoL&Ga+H%NHhc%GXCE*CtqsEn$ADwl)e`s~uBhO_;soW74WofiN}q_1GUb2a zdk1@xM0f4L?1p{bz@)>{MZ@>q^&w(&K@rqv92J0LRXy5ujoN23LynaV|BaG%GqfRS 
z81F%~4wD)%O;LtE#N%8>_y_~#9f0H+1}=e5p7kpo3YNqM8+0HlmPXBuQEbo!k=6`p zw!b`~Ryi+2#TdFJ!-9>uBn#)p6ZV%D3t#9iNa+#%yR-IvNb{{CwW1U+Uu7Y%e>+ea z06kad9)O-4=^C_ssSY!6Edd4YXOlKI*G52r61@E~xAb{Wn)Y|@X27&VZCjrQdWe&` z>mCfQ{NDRaSbZ{#x6pXyXvw<1!0Lrp7Xb7c%L)`N=s)1WEwng;EtOdV8#~Q}B$ts?&pKvI`T=!-+BCFP`X%UKg z*1{;&;d&lZm!H?blBrmfCRuy5PPxl=hh_>+eEQj9BCqW904Mrm?`FCe5N(w$b$6me z>N9hA>SZlCg{R3l{Tc=LSOd(hFSb{v6#7q5E<3eilOmMO?H9P8k@9FyAVnZs_<&2% z{{kJ&F4V6);fxUPWNayp`IjOSR*3!eH~O<0*|Y}jbRVt;_sNbx*G@if+pBWchhvE$joOGQ*9 z56|4uWX9|~dkQ9Kex~-#H)Z}zMH($MV>z8TuXr2f80K&JVzteF&1-vqRU*rhnO`W5 z_Jj0xnz@K|c7kxAEXtDkXdlu8a~Cj8v6Sw8hzpw+W2t-FFP@0f$qLp_kridVmCQ2b ztHy2-v(kSfH;2P!y{eSE?{L>mmy=6WjVA>5^ubc$R^~m~IWT>@E3f6e;v}awHaCH&*-aR+(Y@|uo?t%X|%pN z@}3dnz%Y>37<`#=7Qbd!pNo#;s6avn>PFm zLq64%HwH22fJK?E3(~>nw#G^$J-#u3&Ah+O`T55h3xD4-X5X3i{sPe*ML?tQsWvxP zuyWrj?e0!(9(VjiUVf)01uKD?)>P}F!zf~s_QZ99_J^Q5;P$O<1C3%tZvGGqWig( zP1>NCJ_VYT@C0Vv(9W3meO+;0Z)mYr<}i^luDE`|WaT4LZyjoQ4SSr7@RNmI*HV#|F2Q41A$oHV zCl1rBPw6bs*u^xdGzYi|tfvOO3cI|oydu8wTzggZATUz6__D6{cGis7(L|Alt}msd zy+b$mu1PY~sSZhW^Daw|$2pYo);x?Wjn1HNQ+(tP3_0f(6AGTxO#Nn!_T?(`sorPK zQf7O*VmZgmMdeQaj~v^-t#6N05Sj1*OCMR( zLE2t` zZckgSy8Qq!HV(8)nmxJiZFy#F0gkmplcbfREfZ_5m-5QXkLSGdk`<+ts(rpwJA3GBl3AT0aMKR$*LyA}?rEmxP17B> zOTXcL##S|V5nJJ3_i6Svlx;neQ1*jErr}c_RIUALd5Y5>HGb~_0 z8;)3cBgzc5yoYq(a8DX!%OCVDATQ1cN@1LVnjSL6M>V$5$O9_Q$Z}GCG~fg1k6}hO z3tw8HgTIrlSYM zTm679U_32e*fs_ecgRY)n|T(FD>6X`NjzNSJ0Ixbaj9tR$f+e&ja#p!eeghgB|_7a zD_E@kXiMx0`Lj+z)iNouC2XKHH)$Ywg?i^=NqW7u?_jdF=W|VeH#E7MCsqeM%TCT` zdnytS|JcSSzD!G1J&A`q#>QxKge%Pj>OmQE+Z~v$pOn9Si=V_jigii&+*UBn9C%CI z_rb2XM|juvKDZ5UC&WBfC%^@qxxX+sg1r?h#cL(|%)L9buj*H>jQH&7txXaj#nFFE zg8!OU&4jWXGj{bPrIXkxt+lbDkaBm1-nnR(A~BHi`73Wj7Tb5lWRucuwdY-|fkR$T zwAd{wU5C3YB}#Epb1dfvs3sLQAGH}nr|csegGV=MbA7c(gKqA`jTkl_?3<~B&m~x) zvsq$d;ThL&F0j*8)dt>ZV1P*Q8rb;jDRAcFmIG|OsRLY!a~S{!!xnbRa5cqbHi8}! r|NGYCM^2Z44LN-1|LCC}H(z&b?R83e8u(ubm}Q@>^2=SaIsU%^73*91 literal 0 HcmV?d00001 
diff --git a/report/content/exercise1.tex b/report/content/exercise1.tex index c2ff87f..b4847f1 100644 --- a/report/content/exercise1.tex +++ b/report/content/exercise1.tex @@ -20,10 +20,10 @@ The remote IP address is \emph{\textbf{192.168.67.83}}. \subsection{Rep:1.c} \fbox{\parbox{\textwidth}{ Give a detailed (but brief) explanation of these steps you carried out to filter irrelevant data (either Wireshark or Rapidminer).\\ -Do also specify the keyworks and operators required. +Do also specify the keywords and operators required. }} -The necessary wireshark filter expression is \emph{\textbf{ip.addr == 192.168.67.83}}. +The necessary Wireshark filter expression is \emph{\textbf{ip.addr == 192.168.67.83}}. \subsection{Rep:1.d} @@ -39,7 +39,7 @@ List the rejected features and provide short but meaningful reasons for rejectio \item \emph{\textbf{Protocol}} fixed value: \emph{\textbf{UDP}} \item \emph{\textbf{Length}} fixed value: \emph{\textbf{82}} \item \emph{\textbf{TTL}} fixed value: \emph{\textbf{64}} - \item \emph{\textbf{Dest port}} fixed value: \emph{\textbf{118}} + \item \emph{\textbf{Destination port}} fixed value: \emph{\textbf{118}} \item \emph{\textbf{Flags}} fixed value: \emph{\textbf{n/a}} \item \emph{\textbf{Frag offset}} fixed value: \emph{\textbf{0}} \end{itemize} 
@@ -56,7 +56,7 @@ List the newly rejected features and provide short but meaningful reasons for re We see that the source port changes only between transmissions. The transmission contains only one flow.\\ Therefore we can assume that the \emph{\textbf{source port}} can be ignored.\\ -The next step was to apply the following filter in wireshark: \emph{\textbf{ip.addr == 192.168.67.83 and udp.srcport == 52899}}, export the result to a new pcap file and reload in wireshark (to reset the packet numbers) and export the pcap to csv. +The next step was to apply the following filter in Wireshark: \emph{\textbf{ip.addr == 192.168.67.83 and udp.srcport == 52899}}, export the result to a new pcap file and reload in Wireshark (to reset the packet numbers) and export the pcap to csv. \subsection{Rep:1.f} 
@@ -65,20 +65,20 @@ Do you think that you have found the covert channel?\\ Give a detailed description of where the covert channel is occurring (feature value:covert symbol relationship) and provide a capture of the plot where the abnormal behaviour of the suspicious feature is isolated and clearly visible. }} -At first we wrote a decoder that made a diff between the current and the last csv line looking at \emph{\textbf{IP.ID}}.\\ +At first we wrote a decoder that printed the difference between the current and the last csv line looking at \emph{\textbf{IP.ID}}.\\ Combined with the hint 8 bit ASCII we tried to extract full. The results did not made any sense.\\ -After analysis with rapidminer we found that the timing diffrences were obviously not randomly distributed.\\ +After analysis with Rapidminer we found that the timing differences were obviously not randomly distributed.\\ \includegraphics[width=0.8\columnwidth]{content/e11_timing.pdf} -So the hacky solution was to multiply the time-diff by 10 and cast the result to int. This resulted in a nice one bit/packet list which we quickly converted to 8 bit ascii. +So the hacky solution was to multiply the time-difference by 10 and cast the result to int. This resulted in a nice one bit/packet list which we quickly converted to 8 bit ascii. \subsection{Rep:1.g} \fbox{\parbox{\textwidth}{ Write in the report the formula of the deployed filter and the steps carried out to prepare the required file. }} -\emph{\textbf{Dest port == 118}} and later \emph{\textbf{ip.addr == 192.168.67.83 and udp.srcport == 52899}}. +\emph{\textbf{udp.dstport == 118}} and later \emph{\textbf{ip.addr == 192.168.67.83 and udp.srcport == 52899}}. \subsection{Rep:1.h} 
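Review bot: The Rep:1.f answer still does not give the feature-value:covert-symbol mapping the question asks for; `multiply the time-difference by 10 and cast the result to int` only implies that the inter-arrival deltas fall into two clusters on either side of 0.1 s, and the "corrective timing difference of 0.05" under Rep:1.h shows that plain truncation sits right on the cluster boundary. State the mapping in one sentence, e.g. `An inter-arrival time near 0.1\,s encodes a 1 bit and a near-zero delay a 0 bit; bits are taken in packet order, MSB first, and grouped into 8-bit ASCII.`, and describe the decision as a midpoint threshold (`bit = 1 if delta > 0.05 else 0`) rather than truncation, so the ad-hoc correction is no longer needed. The exact delay values are inferred here from the x10 and 0.05 figures in the text and should be confirmed against the e11_timing plot before they are written down.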
@@ -87,7 +87,7 @@ Write in the report the decoded message. Explain clearly how you carried out the }} The message was \emph{\textbf{Starting transmission from Ministry of Cyber {\ucr}ffairs. (Agent Scott)Star{\ucr}i{\ucr}}}\\ -By applying a corrective timing diffrence of 0.05 we can fully decode the message: \emph{\textbf{Starting transmission from Ministry of Cyber affairs. (Agent Scott)Startin}}\\ +By applying a corrective timing difference of 0.05 we can fully decode the message: \emph{\textbf{Starting transmission from Ministry of Cyber affairs. (Agent Scott)Startin}}\\ Final py-code \begin{scriptsize}\begin{verbatim} @@ -133,7 +133,7 @@ if __name__ == "__main__": Report briefly any additional comment or observation related to the exercise solving to be considered during the review of your exercise. }} -We had our wireshark misconfigured and were looking into the DSCP field for quite some time, before we realising that it was actually IP.ID. +We had our Wireshark misconfigured and were looking into the DSCP field for quite some time, before realising that it was actually IP.ID. \section{Exercise 1 - Task 2} 
@@ -142,55 +142,26 @@ We had our wireshark misconfigured and were looking into the DSCP field for quit Give a detailed (but brief) explanation of the steps you carried out to filter irrelevant data (either Wireshark or Rapidminer). Do also specify the keywords and operators required. }} -Captured. Our new IP is \emph{\textbf{192.168.67.26}}.\\ +We captured 10 minutes of traffic. Our IP was \emph{\textbf{192.168.67.26}}.\\ +We exported the packets matching our Wireshark filter rules to csv and looked at them in Rapidminer, adapted our Wireshark filter rules, exported ... -Selected local network packets: \emph{\textbf{ip.src == 192.168.67.0/24 and ip.dst == 192.168.67.0/24}} and saved as separate pcap file and also exported the packets to csv.\\ +\begin{enumerate} +\item At first we looked at all packets. This was a mess as we use sshfs snd ssh-reverse-shells. +\item We selected only packets within our local network. \emph{\textbf{ip.src == 192.168.67.0/24 and ip.dst == 192.168.67.0/24}}. +\item Then removed packets from our gateway \emph{\textbf{ip.src != 192.168.67.1}} +\item And later we removed packets sent from us, as we are not going to send a covert message. \emph{\textbf{ip.src != 192.168.67.1}} +\end{enumerate} -In Rapidminer we analyzed the csv and removed our gateway (.1) and self (.26) as sources.\\ +The full ruleset was: \emph{\textbf{ip.src == 192.168.67.0/24 and ip.dst == 192.168.67.0/24 and ip.src != 192.168.67.1 and ip.src != 192.168.67.26}} -% TODO image:stream\_localnet.pdf +\includegraphics[width=0.8\columnwidth,keepaspectratio]{content/e12_local.png}\\ +\includegraphics[width=0.8\columnwidth,keepaspectratio]{content/e12_dst_ports.png} -We get 4 network flows: The first from .83 to 80/udp, then from .82 to 443/udp, then .81 to 465/tcp, then .84 to 464/udp.\\ +We saw repeatedly traffic from .83 to 80/udp, then .82 to 443/udp, then .81 to 465/tcp, then .84 to 464/udp. 
We assumed that one complete transmission consists of those 4 flows.\\ -% TODO image:stream\_localnet\_ports.pdf - -Filters for one complete transmission: +We select a complete transmission (not the first and not the last one): \emph{\textbf{udp.port == 58493 or udp.port == 45875 or tcp.port == 40875 or udp.port == 36842}} -% TODO: failed attempt - -%%%%%%%%%%%%%%%%%%%%% -% WTF ?! % WTF ?! % WTF ?! % WTF ?! % WTF ?! -% WTF ?! % WTF ?! % WTF ?! % WTF ?! % WTF ?! -% WTF ?! % WTF ?! % WTF ?! % WTF ?! % WTF ?! -% WTF ?! % WTF ?! % WTF ?! % WTF ?! % WTF ?! -% WTF ?! % WTF ?! % WTF ?! % WTF ?! % WTF ?! -%%%%%%%%%%%%%%%%%%%%% - -%filtered away nfs and ssh -%!(tcp.port == 666 || tcp.port == 2049) -%asdf.{pcap,csv} - -%look at it via rapidminer -%image:stream2.pdf - -%((ip.addr eq 192.168.67.81 or ip.addr eq 192.168.67.82 or ip.addr eq 192.168.67.83) and ip.addr eq 192.168.67.37) -%better.{pcap,csv} - -%look at it again via rapidminer -%image:stream\_better.pdf - -%dest ports are always first 80/udp, then 443/udp, then 465/tcp - -%filtered for one complete transaction -%tcp.port == 56533 or udp.port == 50293 or udp.port == 56040 -%cool.{pcap,csv} - -%look at it again via rapidminer -%image:stream\_cool.pdf - -%%%%%%%%%%%%%%%%%%%%%%% - \subsection{Rep:1.k} \fbox{\parbox{\textwidth}{ 
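Review bot: Step 4 of the new enumerate repeats the gateway filter, `ip.src != 192.168.67.1`, although the sentence says it removes packets sent by us (.26) and the full ruleset two lines later correctly uses `ip.src != 192.168.67.26`; change the step to `\emph{\textbf{ip.src != 192.168.67.26}}`. Two smaller things in the same list: `sshfs snd ssh-reverse-shells` should read `sshfs and ssh-reverse-shells`, and Wireshark documents its display-filter `!=` as behaving unexpectedly on fields that can occur more than once in a packet (ICMP error messages carry a second IP header), so `!(ip.src == 192.168.67.1) and !(ip.src == 192.168.67.26)` is the unambiguous spelling if the capture contains such packets. The sentence ending in `adapted our Wireshark filter rules, exported ...` could also name what was iterated, e.g. `We repeated export-to-csv, Rapidminer inspection and filter refinement until only the suspicious flows remained.`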
@@ -199,19 +170,14 @@ rejected features and provide short but meaningful reasons for rejection. }} \begin{itemize} - \item \emph{\textbf{No.}} (it is generated while monitoring and is strictly monotonically increasing by 1 with each packet) - \item \emph{\textbf{Time}} (packets arrive with almost equal delays) - \item \emph{\textbf{TTL}} (fixed value: \emph{\textbf{64}}) - \item \emph{\textbf{Frag offset}} (fixed value: \emph{\textbf{0}}) -\end{itemize} - -We can also ignore \emph{\textbf{IP.Flags}} as they meet our expected distribution: -\begin{itemize} - \item 0x0002: SYN (1x) - \item 0x0012: SYN,ACK (1x) - \item 0x0010: ACK (602x) - \item 0x0018: ACK,PSH (600x) - \item 0x0011: ACK,FIN (2x) + \item \emph{\textbf{No.}} is just the packet number in the pcap file. + \item \emph{\textbf{Time}} packets arrived with almost equal delays. + \item \emph{\textbf{Destination IP}} fixed value: \emph{\textbf{192.168.67.26}} + \item \emph{\textbf{Source IP}} fixed values: \emph{\textbf{192.168.67.83, .82, .81, .84}} + \item \emph{\textbf{Protocol}} fixed values: \emph{\textbf{TCP}} or \emph{\textbf{UDP}} + \item \emph{\textbf{TTL}} fixed value: \emph{\textbf{64}} + \item \emph{\textbf{Destination port}} fixed values: \emph{\textbf{80, 443, 465, 464}} + \item \emph{\textbf{Frag offset}} fixed value: \emph{\textbf{0}} \end{itemize} 
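Review bot: Rejecting `Time` with `packets arrived with almost equal delays` is exactly the reasoning that would have hidden the Task 1 channel, where the message was carried by inter-arrival deltas that looked nearly equal until they were plotted in Rapidminer (Rep:1.f). If the deltas of this capture were inspected and form a single cluster, say so, e.g. `\item \emph{\textbf{Time}} inter-arrival deltas form a single cluster in Rapidminer (unlike Task 1, where timing carried the channel).`; if they were not inspected, Time should stay in the candidate set until Rep:1.l. The `Protocol` and `Destination port` entries are rejected as "fixed values" although each takes four values across the selected transmission; a `per flow` qualifier (`fixed value per flow`) would make the reasoning precise.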
@@ -221,40 +187,31 @@ From the remaining features, which ones are not viable to mask a covert channel from the analysis? List the newly rejected features and provide short but meaningful reasons for rejection. }} - -% TODO continue writing here. - -not a high variance detected: +We could also ignore \emph{\textbf{IP.Flags}} as they meet our expected distribution: \begin{itemize} -\item UDP Stream from 192.168.67.83:56040 to 192.168.67.37:80 %TODO fix -\item UDP Stream from 192.168.67.82:50293 to 192.168.67.37:443 %TODO fix -\item TCP Traffic between 192.168.67.81:56533 to 192.168.67.37:465 %TODO fix -\item UDP Stream from 192.168.67.84:36842 to 192.168.67.26:464 + \item 0x0002: SYN (1x) + \item 0x0012: SYN,ACK (1x) + \item 0x0010: ACK (602x) + \item 0x0018: ACK,PSH (600x) + \item 0x0011: ACK,FIN (2x) \end{itemize} Length also does not vary very much: \begin{itemize} \item Length 60 for Source Port 56040/udp \item Length 60 for Source Port 52093/udp +\item Length 60 for Source Port 36842/udp \item Length 70 for ACK,PSH (600x), 74 for SYN (1x), 66 for ACK (1x) and 66 for FIN (1x) for Source Port 56533/tcp \item Length 66 for ACK, 74 for SYN,ACK for Source Port 465/tcp -\item %TODO fix for sport 464 \end{itemize} -% TODO: failed attempt -%-> map in rapidminer ipid vs dscp -%-> every dscp has two ipid's? (ipid1 xor ipid2) or (ipid1 - ipid2) -> char - \subsection{Rep:1.m} \fbox{\parbox{\textwidth}{ What is the IP address of the machine presumably leaking information? }} - -Unknown, because we do have two shorter transmissions before a longer transmission from different source ips - -% TODO: failed attempt 1 - nicht alles -Later the IP address turned out to be 192.168.67.84. +At first none.\\ +In the second run it turned out to be \emph{\textbf{192.168.67.81}}. \subsection{Rep:1.n} 
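Review bot: The length list under Rep:1.l still cites source ports 56040, 52093 and 56533, which come from the earlier three-flow capture (the commented-out filter this commit deletes used 56040/50293/56533), while the transmission selected in Rep:1.j is `udp.port == 58493 or udp.port == 45875 or tcp.port == 40875 or udp.port == 36842`; only the 36842 line matches the selected run, and 52093 looks like a transposition of 50293. Re-derive the per-port lengths and the TCP flag counts (602/600/2) from the selected transmission, or state explicitly that they were measured on the first capture. Rep:1.m's `At first none.` is also not an answer to "what is the IP address"; `In the first capture we could not identify one.` says what happened.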
@@ -263,12 +220,10 @@ Do you think that you have found the covert channel?\\ Give a detailed description of where the covert channel is occurring (feature value:covert symbol relationship) and provide a capture of the plot where the abnormal behaviour of the suspicious feature is isolated and clearly visible. }} -Not yet. We do not know if the three transmissions are connected to each other. - -% TODO: failed attempt 2 - dumm rum gesucht -Most likely it is in the DSCP field of the third transmission. (This also has responses from the local system) +It appears that the DSCP field varies a lot when it should stay constant for the duration of one connection.\\ +How to decode the information took pretty long to figure out. -Turned out that the 6 bits from the DSCP field in the 4. transmission just needed to be concatenated and then split into 8 bit chunks again. +It turned out that DSCP field (6 bits) needed to be converted to bits from the separate packets and appended to a large bit string and then converted back to 8bit-ascii. \subsection{Rep:1.o} 
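Review bot: Rep:1.n asks for a plot isolating the abnormal feature, but the new text references none for DSCP; the two figures this commit adds (e12_local.png, e12_dst_ports.png) cover local traffic and destination ports, not the DSCP values of the suspicious flow, so a DSCP-over-packet-number plot (or a sentence saying why it is omitted) is still missing. The decoding sentence should also fix the bit order, which the code under Rep:1.o pins to MSB-first via `{0:06b}`: `Each packet's 6-bit DSCP value was written MSB-first, the values concatenated in packet order, and the resulting bit string split into 8-bit ASCII characters.` Finally, DSCP `should stay constant for the duration of one connection` is a reasonable expectation for a single flow but not a protocol guarantee, so `is normally constant` is more accurate than `should stay constant`.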
@@ -280,28 +235,29 @@ Write in the report the decoded message. Explain clearly how you carried out the code\\ \begin{verbatim} -#!/usr/bin/python +#!/usr/bin/env python -from pprint import pprint +import csv +import binascii -fullstr = "" +def somedecode(filename): + with open(filename, 'rb') as csvfile: + spamreader = csv.reader(csvfile, delimiter=',', quotechar='"') + header = None + bits = "" -with open('stream_data.txt', 'r') as infile: - for line in infile: - if len(line) > 0: - i = int(line) - bin = "{0:06b}".format(i) - fullstr += bin + for row in spamreader: + if header is None: + header = row + continue -bytelist = [ fullstr[i:i+8] for i in range(0, len(fullstr), 8) ] + if row[2] == '192.168.67.81': + bits += "{0:06b}".format(int(row[7])) -solution = "" + print binascii.unhexlify('%x' % int(bits, 2)) -for bchar in bytelist: - solution += chr(int(bchar, 2)) - -print ("%s" % solution) -print ("len: %d" % len(solution)) +if __name__ == "__main__": + somedecode("transmission.csv") \end{verbatim} @@ -310,7 +266,4 @@ print ("len: %d" % len(solution)) Report briefly any additional comment or observation related to the exercise solving to be considered during the review of your exercise. }} - -% TODO: failed attempt 3 - config fail - - +Actually we described our second run, as our first didn't seem to contain any covert channels. By gossip we learned that there are four flows in the transmission. We somehow managed to capture only three at first and our hidden message was hidden in the fourth. diff --git a/report/main.tex b/report/main.tex index d239c90..0f2a5c3 100644 --- a/report/main.tex +++ b/report/main.tex 
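Review bot: `print binascii.unhexlify('%x' % int(bits, 2))` is fragile: `%x` drops leading zero nibbles, so a message whose first octet is below 0x10 yields an odd-length hex string and `binascii.unhexlify` raises `Odd-length string`, and because 6-bit symbols do not align with octets a trailing partial symbol silently shifts the whole text by a nibble in the other cases. Decoding whole octets directly avoids both: `print ''.join(chr(int(bits[i:i + 8], 2)) for i in range(0, len(bits) - len(bits) % 8, 8))`. The header row is read and then ignored while `row[2]` and `row[7]` stay hard-coded; since Wireshark's CSV column layout is user-configured, resolving the source and DSCP columns once from the header (`header.index('Source')` and whatever the export named the DSCP column) would make the script reproducible for a reviewer. The script is Python 2 (`print` statement, `'rb'` csv open); saying so in the report avoids a confusing failure under Python 3.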
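Review bot: The new Rep:1.o text says the message `was hidden in the fourth` flow, but by the order given in Rep:1.j the fourth flow is `.84 to 464/udp`, whereas Rep:1.m and the decoder's `row[2] == '192.168.67.81'` attribute it to .81, the third (465/tcp) flow, and the commented-out filters this commit deletes show the first three-flow capture already contained the 465/tcp flow. Either the flow missing from the first capture is not the one that carried the message, or the leaking host is not .81; say which, e.g. `The flow missing from our first capture was .84 to 464/udp; the message itself was in the DSCP field of the .81 to 465/tcp flow, which we had not examined for DSCP in the first run.` if that is what happened. `By gossip we learned` also reads better as `From other groups we learned` in a submitted report.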
@@ -146,7 +146,7 @@ This is revision: \textbf{\gitAbbrevHash}. Document (.tex) compiled on: \textbf{ \section{Move on - nothing to see here!} -\noindent\includegraphics[width=0.8\columnwidth]{content/rickroll.jpg} +\noindent\includegraphics[width=0.8\columnwidth,keepaspectratio]{content/rickroll.jpg} \input{content/easteregg.tex}\vspace{\fill}\newpage \input{content/exercise1.tex}\vspace{\fill}\newpage -- 2.43.0