From 88d0635a693c37861bb2dbb51c37201201364ddb Mon Sep 17 00:00:00 2001 From: Jan Vales Date: Wed, 13 Jan 2016 21:09:36 +0100 Subject: [PATCH] It compiles! SHIP IT! --- report/exercise1.tex | 36 ++++++++++---------- report/exercise2.tex | 14 ++++---- report/exercise3.tex | 7 ++-- report/main.tex | 78 +++++++++++++++++++++++++++++++------------- 4 files changed, 84 insertions(+), 51 deletions(-) mode change 100755 => 100644 report/exercise1.tex diff --git a/report/exercise1.tex b/report/exercise1.tex old mode 100755 new mode 100644 index d29fef1..ddc48e8 --- a/report/exercise1.tex +++ b/report/exercise1.tex @@ -1,7 +1,7 @@ % tunet und eduroam down... -\section{Rep:1.a} - +\section{Exercise 1} +\subsection{Rep:1.a} \noindent\fbox{% \parbox{\textwidth}{% What is the IP address of the suspicious notebook? @@ -10,7 +10,7 @@ The IP address of the suspicious notebook (our own IP address) is {\tt 192.168.67.37}. -\section{Rep:1.b} +\subsection{Rep:1.b} \noindent\fbox{% \parbox{\textwidth}{% @@ -20,7 +20,7 @@ The IP address of the suspicious notebook (our own IP address) is {\tt 192.168.6 The remote IP address is {\tt 192.168.67.83}. -\section{Rep:1.c} +\subsection{Rep:1.c} \noindent\fbox{% \parbox{\textwidth}{% @@ -32,7 +32,7 @@ The remote IP address is {\tt 192.168.67.83}. The necessary wireshark filter expression is {\tt ip.addr == 192.168.67.83}. % TODO more verbose? -\section{Rep:1.d} +\subsection{Rep:1.d} \noindent\fbox{% \parbox{\textwidth}{% @@ -55,7 +55,7 @@ The necessary wireshark filter expression is {\tt ip.addr == 192.168.67.83}. Fixed values have been rejected as it is not possible to hide information within. -\section{Rep:1.e} +\subsection{Rep:1.e} \noindent\fbox{% \parbox{\textwidth}{% 
@@ -75,27 +75,27 @@ reexported to csv reimported to rapidminer -\section{Rep:1.f} +\subsection{Rep:1.f} dscp + timing changes. the DSCP value grows until 10962 grows until time 6.55 then it's fixed on DSCP 10962 -\section{Rep:1.g} +\subsection{Rep:1.g} Dest port == 118 -\section{Rep:1.h} +\subsection{Rep:1.h} siehe bladecode.py -\section{Rep:1.i} +\subsection{Rep:1.i} some bits are broken, as the timing and my decodes is more a hack. a hack is a hack is a hack ... :) -\section{Rep:1.j} +\subsection{Rep:1.j} rescan... new ip: 192.168.67.26 10min.{pcap,csv} @@ -141,7 +141,7 @@ udp.port == 58493 or udp.port == 45875 or tcp.port == 40875 or udp.port == 36842 %%%%%%%%%%%%%%%%%%%%%%% -\section{Rep:1.k} +\subsection{Rep:1.k} Unusable features: No. -> generated while monitoring fixed values: @@ -159,13 +159,13 @@ Flags: Expected distribution of values -\section{Rep:1.l} +\subsection{Rep:1.l} not a high variance detected: \begin{itemize} \item UDP Stream from 192.168.67.83:56040 to 192.168.67.37:80 %TODO fix \item UDP Stream from 192.168.67.82:50293 to 192.168.67.37:443 %TODO fix \item TCP Traffic between 192.168.67.81:56533 to 192.168.67.37:465 %TODO fix -\imte UDP Stream from 192.168.67.84:36842 to 192.168.67.26:464 +\item UDP Stream from 192.168.67.84:36842 to 192.168.67.26:464 \end{itemize} Length also does not vary very much: 
@@ -182,24 +182,24 @@ Length also does not vary very much: -> map in rapidminer ipid vs dscp -> every dscp has two ipid's? (ipid1 xor ipid2) or (ipid1 - ipid2) -> char -\section{Rep:1.m} +\subsection{Rep:1.m} Unknown, because we do have two shorter transmissions before a longer transmission from different source ips Later the IP address turned out to be 192.168.67.84. -\section{Rep:1.n} +\subsection{Rep:1.n} Not yet. We do not know if the three transmissions are connected to each other. Most likely it is in the DSCP field of the third transmission. (This also has responses from the local system) Turned out that the 6 bits from the DSCP field just needed to be concatenated and then split into 8 bit chunks again. -\section{Rep:1.o} +\subsection{Rep:1.o} ./exercise2/parse\_stream\_data.py "Agent South already successfully infiltrated The minister's office. In the next step, we try to acquire data from the Ministry of Cyber Affair's office network. Stay tuned, I will keep you updated on the progress. (This message was sent by agent Scott)Agent South already successfully infiltrated The minister's office. In the next step, we try to acquire data from the Ministry of Cyber Affair's office network. Stay tuned, I will keep you updated on t" -\section{Rep:1.p} +\subsection{Rep:1.p} We did have a wireshark configuration issue as we had mistakenly configured it to show the IPID as the DSCP field and did miss the (correct) DSCP field completely. diff --git a/report/exercise2.tex b/report/exercise2.tex index ead2bcf..ef7ab90 100644 --- a/report/exercise2.tex +++ b/report/exercise2.tex @@ -1,4 +1,6 @@ -\section{Rep:2.a} + +\section{Exercise 2} +\subsection{Rep:2.a} pcap-ng format to pcap for scapy editcap -F libpcap team15\_ex21.pcap ex21.pcap 
@@ -33,10 +35,10 @@ large\_flow\_2.png cat large\_flow\_2.dehexed.csv | awk -F, '{print \$8}' | sed 's/5950/0/' | sed 's/5960/1/' | sed 's/"//g' > bits ./bitstobytes.py -\section{Rep:2.b} -Data acquired. Key for message (len=42 & pkts>200): nSa123 (Scott) +\subsection{Rep:2.b} +Data acquired. Key for message (len=42 \& pkts>200): nSa123 (Scott) -\section{Rep:2.c} +\subsection{Rep:2.c} pcap-ng format to pcap for scapy editcap -F libpcap team15\_ex22.pcap ex22.pcap @@ -77,11 +79,11 @@ filter into files manually create csv files -for i in large\_flow\_*.csv ; do ./../../only\_decimal.sh $i > ${i\%.csv}.dehexed.csv ; done +for i in large\_flow\_*.csv ; do ./../../only\_decimal.sh \$i > \${i\%.csv}.dehexed.csv ; done ./autocorrelate.sh | grep -v "All values are identical" | sort -k2 -> ./parse\_stream\_data.py -\section{Rep:2.c} +\subsection{Rep:2.c} Agent South was captured! Aborting operation. (Agent Scott) diff --git a/report/exercise3.tex b/report/exercise3.tex index 9df2fee..a76edf9 100644 --- a/report/exercise3.tex +++ b/report/exercise3.tex @@ -1,10 +1,9 @@ -\section{Rep:3.a} +\section{Exercise 3} +\subsection{Rep:3.a} scan the host for i in `seq 1 1000`; do echo "test" | nc -w1 192.168.67.115 \$i \& ; done for i in `seq 1 1000`; do echo "test" | nc -u -w1 192.168.67.115 \$i \& ; done - - -\section{Rep:3.b} +\subsection{Rep:3.b} diff --git a/report/main.tex b/report/main.tex index 539ce7d..9ce03fa 100644 --- a/report/main.tex +++ b/report/main.tex @@ -9,9 +9,18 @@ \usepackage[utf8]{inputenc} % page -%\usepackage[columnsep=.75cm,lmargin=.75cm,rmargin=.75cm,tmargin=1cm,bmargin=1cm]{geometry} +\usepackage[columnsep=1.75cm,lmargin=1.75cm,rmargin=1.75cm,tmargin=2.5cm,bmargin=2.5cm]{geometry} \setlength{\parindent}{0pt} +\usepackage{fancyhdr} +\pagestyle{fancy} +\lhead{} +\chead{} +\rhead{} +\cfoot{} +\fancyhead[LE,RO]{\leftmark} +\fancyfoot[LE,RO]{\thepage} + % Use sans serif font. \renewcommand*{\familydefault}{\sfdefault} 
@@ -28,8 +37,8 @@ % inhibit creation of new double page on new chapter. \usepackage{etoolbox} \makeatletter -%\patchcmd{\chapter}{\if@openright\cleardoublepage\else\clearpage\fi}{}{}{} -%\makeatother +\patchcmd{\chapter}{\if@openright\cleardoublepage\else\clearpage\fi}{}{}{} +\makeatother % change heading margins. \titlespacing*{\chapter}{0pt}{0pt}{-40pt} @@ -48,8 +57,20 @@ %%% TOC changes %%% % inhibit "Contents" Head in TOC +\makeatletter +\renewcommand\tableofcontents{\@starttoc{toc}} +\makeatother + +%make toc consider Chapter and section only. +\setcounter{tocdepth}{2} + % disable chapter, section, ... numbering \setcounter{secnumdepth}{-1} + +%%% /TOC changes %%% + +% make footnote numbering reset on every page. +\usepackage[hang,flushmargin,perpage]{footmisc} %%%%% / Formatting %%%%% % includable git commit info 
@@ -77,34 +98,45 @@ % quotes \usepackage[babel,german=quotes]{csquotes} -% include pdf -\usepackage{pdfpages} +\usepackage{listings} +\lstset{literate=% +{Ö}{{\"O}}1 +{Ä}{{\"A}}1 +{Ü}{{\"U}}1 +{ß}{{\ss}}2 +{ü}{{\"u}}1 +{ä}{{\"a}}1 +{ö}{{\"o}}1 +} +\usepackage{tabularx} % START DOCUMENT \begin{document}\thispagestyle{empty} -%\begin{textblock*}{\paperwidth}(0mm,0mm)\noindent\includegraphics[width=\paperwidth,height=\paperheight]{images/cover_front.png} -%\end{textblock*} -\mbox{}\newpage +\hspace{40pt} +\section*{Network Security - Advanced Topics (VU 389.160)} +\textbf{2015W} -%\small +\section*{LAB REPORT} +\textbf{Cyberministry of cyberaffairs} -%\thispagestyle{empty} -%\input{exercise1.tex} -%\input{exercise2.tex} -%\input{exercise3.tex} +\section*{David Kaufmann} +\textbf{0700719\\\url{mailto:astra@ionic.at}}\\ -\vspace{\fill}\scriptsize -\subsection{Git-repository} -\url{http://cgit.ionic.at/?p=lva/15ws/netsec2/} \url{ssh://git@git.ionic.at:22/lva/15ws/netsec2}\\ -Current maintainers: \url{astra@ionic.at}, \url{jan@jvales.net} This is revision: \textbf{\gitAbbrevHash} Document (.tex) compiled on: \textbf{\today} +\section*{Jan Vales} +\textbf{0527718\\\url{mailto:jan@jvales.net}}\\\\ -%\vspace{\fill}\newpage\thispagestyle{empty} -%\input{articles/info.tex} +\vspace{\fill} -%\vspace{\fill}\newpage\thispagestyle{empty} -%\begin{textblock*}{\paperwidth}(0mm,0mm)\noindent\includepdf[pages=1,angle=90]{articles/gutGeb.pdf} -%\end{textblock*} -\section{Easteregg} +\section*{Table of Contents}\begin{footnotesize}\tableofcontents\end{footnotesize} +\subsection*{Version}\begin{footnotesize}\url{http://cgit.ionic.at/?p=lva/15ws/netsec2/}\\ +git clone \url{ssh://git@git.ionic.at:22/lva/15ws/netsec2}\\ +This is revision: \textbf{\gitAbbrevHash}. 
Document (.tex) compiled on: \textbf{\today} +\end{footnotesize}\vspace{\fill}\newpage + +\input{exercise1.tex}\vspace{\fill}\newpage +\input{exercise2.tex}\vspace{\fill}\newpage +\input{exercise3.tex}\vspace{\fill}\newpage \input{easteregg.tex} + \end{document} -- 2.43.0
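Review bot: in the exercise1.tex hunk at @@ -159,13 the `\imte` to `\item` fix removes a genuine compile error, but the three `%TODO fix` markers on the preceding `\item` lines (the UDP/TCP stream endpoints) and the `% TODO more verbose?` in the Rep:1.c hunk are still unresolved; either verify those endpoints or drop the markers before the report is treated as final.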
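Review bot: in the exercise1.tex hunk at @@ -182,24 the decoded message under `\subsection{Rep:1.o}` is typed as plain text beginning with `"Agent South ...`; if babel's german option is active (the `german=quotes` csquotes setup in main.tex suggests it), `"` is an active shorthand and `"A` typesets as Ä rather than as a quote. Put the decoded output in an `lstlisting` environment (listings is added to main.tex by this same patch), which also stops the long line from running into the margin.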
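Review bot: in the exercise2.tex hunk at @@ -33,10 escaping `&` as `\&` fixes the compile error, but `>` in `pkts>200` is still typed in text mode, where, unless T1 font encoding is loaded, the default OT1 encoding renders it as an inverted exclamation mark; write `pkts$>$200` or use `\textgreater`.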
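Review bot: in the exercise2.tex hunk at @@ -77,11 the heading becomes `\subsection{Rep:2.c}`, but the earlier hunk in the same file already defines `\subsection{Rep:2.c}`, so the two entries are indistinguishable in the TOC; from the sequence this one is most likely `Rep:2.d`. The `\$` escaping in the for loop is correct; the `grep -v "All values are identical"` context line carries the same `"A` babel-shorthand hazard as the other double-quoted shell text in the report.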
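Review bot: in the main.tex hunk at @@ -9,9 fancyhdr is loaded without adjusting `\headheight`; fancyhdr commonly warns that `\headheight` is too small and shifts the text block, so pass a `headheight=` value in the geometry options this hunk already edits. Also note `\fancyhead[LE,RO]` and `\fancyfoot[LE,RO]` only alternate with `twoside`; in a one-sided document every page counts as odd and only the `RO` selector takes effect.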
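Review bot: in the main.tex hunk at @@ -28,8 the un-commented `\patchcmd{\chapter}{...}{}{}{}` passes an empty failure branch, so if the search string ever stops matching `\chapter` (for example after a class update) the page clearing silently stays in place; put `\typeout{chapter patch failed}` or similar in the last argument so a failed patch shows in the log. Restoring `\makeatother` is the right fix; before this change `\makeatletter` was left open for the rest of the preamble.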
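Review bot: in the main.tex hunk at @@ -48,8 the comment `%make toc consider Chapter and section only.` does not match `\setcounter{tocdepth}{2}`: depth 0 is chapter, 1 section, 2 subsection, so subsections (the new `Rep:*` headings) are listed, which is exactly what the rest of the patch needs; fix the comment, not the value. The `\renewcommand\tableofcontents{\@starttoc{toc}}` is correctly wrapped in its own `\makeatletter ... \makeatother` pair.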
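Review bot: in the main.tex hunk at @@ -77,34 the title page opens with `\hspace{40pt}` on a line of its own, which only starts a paragraph containing horizontal space; if a top offset was intended, `\vspace*{40pt}` is the command. The `\lstset{literate=...}` table covers only the umlauts and ß, so any other non-ASCII character inside a listing will still fail; keep listing content ASCII beyond those. Dropping `pdfpages` is safe here because the only `\includepdf` user (the commented-out cover page) is removed in the same hunk.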