From 9348d0e2e67efb457acd0879164d17b2a71c85ce Mon Sep 17 00:00:00 2001 From: Jan Vales Date: Sat, 16 Jan 2016 20:07:39 +0100 Subject: [PATCH] task 1.1 fertig - incl. doku. --- exercise1/task1/somedecode.py | 29 ++----- report/content/exercise1.tex | 142 +++++++++++++++------------------- 2 files changed, 68 insertions(+), 103 deletions(-) diff --git a/exercise1/task1/somedecode.py b/exercise1/task1/somedecode.py index 1eebdc1..5ab72a1 100755 --- a/exercise1/task1/somedecode.py +++ b/exercise1/task1/somedecode.py @@ -1,17 +1,12 @@ #!/usr/bin/env python -import sys -import os -import signal import csv import binascii - -def bladecode(filename): +def somedecode(filename): with open(filename, 'rb') as csvfile: spamreader = csv.reader(csvfile, delimiter=',', quotechar='"') - header = None - last = None + header = last = None ln = 0 v = "" @@ -23,32 +18,18 @@ def bladecode(filename): last = row continue - #print row[0]+"-"+row[10] - #print str(int((float(row[1])-float(last[1]))*10))+"-"+str(int(row[10])-int(last[10])) - #print " "+str(unichr(int(row[10])-int(last[10])+ord('A'))), - va = str(int((float(row[1])-float(last[1]))*10)) + va = str(int((float(row[1])-float(last[1])-0.05)*10)) if va not in ["0","1"]: - #print "error: "+va+row[0]+"-"+row[10] va = "1" v = v+va - ln += 1 if ln == 8: -## print "char: "+v - n = int(v, 2) -# print "dec: "+binascii.unhexlify('%x' % n) - print " "+binascii.unhexlify('%x' % n), + print binascii.unhexlify('%x' % int(v, 2)), v = "" -# print "" ln = 0 last = row if __name__ == "__main__": - def signal_handler(signal, frame): - print('SIG received. exitting!') - sys.exit(0) - signal.signal(signal.SIGINT, signal_handler) - - bladecode("dump_selected_udp_single_src_port_dehexed.csv") + somedecode("filtered.dehexed.csv") diff --git a/report/content/exercise1.tex b/report/content/exercise1.tex index 6abbeda..c2ff87f 100644 --- a/report/content/exercise1.tex +++ b/report/content/exercise1.tex 
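Review bot: `somedecode` has no docstring, and nothing in this hunk says what `row[1]` holds or what the function prints, so the one-bit-per-packet timing decoding is only discoverable from the report; I would add under `def somedecode(filename):` a docstring along the lines of `"""Decode a covert timing channel from a Wireshark CSV export: the delay between consecutive packets (column 1 of the CSV) is classified as one bit and every 8 bits are printed as one ASCII character."""`. The time unit is not visible here (the report's prose says ms while the thresholds in the code look like seconds), so the docstring should state the unit once it is confirmed against the export. The header row is still consumed blindly (`header = row`); looking the column up by name in `header` instead of using the positional index 1 would make the choice self-documenting. The function body continues in the next hunk.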
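Review bot: `print binascii.unhexlify('%x' % int(v, 2)),` raises for any decoded byte below 0x10, because `'%x'` then yields a single hex digit and `unhexlify` rejects odd-length input, so one misclassified bit in the top nibble aborts the whole decode instead of printing one wrong character. `print chr(int(v, 2)),` covers the full 0–255 range and is what the 8-bit ASCII hint calls for. The classification line would also read more clearly as an explicit threshold: for non-negative deltas, `int((delta-0.05)*10)` together with the `va = "1"` fallback is equivalent (up to float rounding at the boundary) to `va = "1" if delta >= 0.15 else "0"`, which makes the tuning visible instead of hiding it in the `-0.05` constant. Any bits left in `v` when the file ends (fewer than 8) are silently dropped; that trailing partial byte deserves at least a comment.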
@@ -1,6 +1,4 @@ -% tunet und eduroam down... - -% LVA-Feedback: mehr freitext, weniger REP$x.$y !!! Diese Stuktur ist wirr und z.b. Failed attempts stehen an 3 unterschiedlichen stellen, obwohl sie doch alle irgendwie zusammenhängen -.- +% LVA-Feedback: mehr Freitext, weniger REP$x.$y !!! Diese Stuktur ist wirr und z.b. Failed attempts stehen an 3 unterschiedlichen stellen, obwohl sie doch alle irgendwie zusammenhängen -.- \section{Exercise 1 - Task 1} \subsection{Rep:1.a} 
@@ -35,18 +33,18 @@ List the rejected features and provide short but meaningful reasons for rejectio }} \begin{itemize} - \item \emph{\textbf{No.}} (it is generated while monitoring and is strictly monotonically increasing by 1 with each packet) - \item \emph{\textbf{Source IP}} (fixed value: \emph{\textbf{192.168.67.83}}) - \item \emph{\textbf{Destination IP}} (fixed value: \emph{\textbf{192.168.67.37}}) - \item \emph{\textbf{Protocol}} (fixed value: \emph{\textbf{UDP}}) - \item \emph{\textbf{Length}} (fixed value: \emph{\textbf{82}}) - \item \emph{\textbf{TTL}} (fixed value: \emph{\textbf{64}}) - \item \emph{\textbf{Dest port}} (fixed value: \emph{\textbf{118}}) - \item \emph{\textbf{Flags}} (none set) - \item \emph{\textbf{Frag offset}} (fixed value: \emph{\textbf{0}}) + \item \emph{\textbf{No.}} is just the packet number in the pcap file. + \item \emph{\textbf{Source IP}} fixed value: \emph{\textbf{192.168.67.83}} + \item \emph{\textbf{Destination IP}} fixed value: \emph{\textbf{192.168.67.37}} + \item \emph{\textbf{Protocol}} fixed value: \emph{\textbf{UDP}} + \item \emph{\textbf{Length}} fixed value: \emph{\textbf{82}} + \item \emph{\textbf{TTL}} fixed value: \emph{\textbf{64}} + \item \emph{\textbf{Dest port}} fixed value: \emph{\textbf{118}} + \item \emph{\textbf{Flags}} fixed value: \emph{\textbf{n/a}} + \item \emph{\textbf{Frag offset}} fixed value: \emph{\textbf{0}} \end{itemize} -Fixed values have been rejected as it is not possible to hide information within. +Features containing fixed values have been rejected as one obviously cannot hide more than one bit of information in them. \subsection{Rep:1.e} 
@@ -55,13 +53,10 @@ From the remaining features, which ones are not viable to mask a covert channel List the newly rejected features and provide short but meaningful reasons for rejection. }} -We can determine that the source port changes only between transmissions. The transmissions seem to be identical.\\ +We see that the source port changes only between transmissions. The transmission contains only one flow.\\ +Therefore we can assume that the \emph{\textbf{source port}} can be ignored.\\ -Therefore we can assume that the \emph{\textbf{source port}} can be ignored in further analysis. - -We filter the transmission by applying the following filter in wireshark: \emph{\textbf{ip.addr == 192.168.67.83 and udp.srcport == 52899}} export the selection to a new pcap file and reload in wireshark to reset the packet numbers and export the pcap to csv. - -% TODO: timing bild. +The next step was to apply the following filter in wireshark: \emph{\textbf{ip.addr == 192.168.67.83 and udp.srcport == 52899}}, export the result to a new pcap file and reload in wireshark (to reset the packet numbers) and export the pcap to csv. \subsection{Rep:1.f} 
@@ -70,19 +65,20 @@ Do you think that you have found the covert channel?\\ Give a detailed description of where the covert channel is occurring (feature value:covert symbol relationship) and provide a capture of the plot where the abnormal behaviour of the suspicious feature is isolated and clearly visible. }} -At first we wrote a decoder that made a diff between the current and the last csv line looking at DSCP.\\ -Combined with the hint 8 bit ASCII we tried to extract full or partial bytes. The results did not made any sense.\\ +At first we wrote a decoder that made a diff between the current and the last csv line looking at \emph{\textbf{IP.ID}}.\\ +Combined with the hint 8 bit ASCII we tried to extract full. The results did not made any sense.\\ + +After analysis with rapidminer we found that the timing diffrences were obviously not randomly distributed.\\ +\includegraphics[width=0.8\columnwidth]{content/e11_timing.pdf} -Later we tried to look at the timing diffs and realised that most packets had a delay of either 0.04-0.06 or 0.14-0.16 ms.\\ -So we tried to multiply the time-diff by 10 and cast the result to int. This resulted in a nice one bit/packet list which we quickly converted to 8 bit ascii. +So the hacky solution was to multiply the time-diff by 10 and cast the result to int. This resulted in a nice one bit/packet list which we quickly converted to 8 bit ascii. \subsection{Rep:1.g} \fbox{\parbox{\textwidth}{ Write in the report the formula of the deployed filter and the steps carried out to prepare the required file. }} - -\emph{\textbf{Dest port == 118}} +\emph{\textbf{Dest port == 118}} and later \emph{\textbf{ip.addr == 192.168.67.83 and udp.srcport == 52899}}. \subsection{Rep:1.h} 
@@ -90,58 +86,46 @@ Write in the report the formula of the deployed filter and the steps carried out Write in the report the decoded message. Explain clearly how you carried out the decoding task (step by step in a numbered list). }} -The message is \emph{\textbf{Starting transmission from Ministry of Cyber {\ucr}ffairs. (Agent Scott)Star{\ucr}i{\ucr}}}\\ - -code\\ -\begin{verbatim} -#!/usr/bin/env python - -import sys -import os -import signal -import csv -import binascii - - -def somedecode(filename): - with open(filename, 'rb') as csvfile: - spamreader = csv.reader(csvfile, delimiter=',', quotechar='"') - header = None - last = None - ln = 0 - v = "" - - for row in spamreader: - if header is None: - header = row - continue - if last is None: - last = row - continue - - va = str(int((float(row[1])-float(last[1]))*10)) - if va not in ["0","1"]: - va = "1" - - v = v+va - - ln += 1 - if ln == 8: - n = int(v, 2) - print " "+binascii.unhexlify('%x' % n), - v = "" - ln = 0 - last = row - -if __name__ == "__main__": - def signal_handler(signal, frame): - print('SIG received. exitting!') - sys.exit(0) - signal.signal(signal.SIGINT, signal_handler) - - somedecode("dump_selected_udp_single_src_port_dehexed.csv") - -\end{verbatim} +The message was \emph{\textbf{Starting transmission from Ministry of Cyber {\ucr}ffairs. (Agent Scott)Star{\ucr}i{\ucr}}}\\ +By applying a corrective timing diffrence of 0.05 we can fully decode the message: \emph{\textbf{Starting transmission from Ministry of Cyber affairs. 
(Agent Scott)Startin}}\\ + +Final py-code +\begin{scriptsize}\begin{verbatim} +#!/usr/bin/env python + +import csv +import binascii + +def somedecode(filename): + with open(filename, 'rb') as csvfile: + spamreader = csv.reader(csvfile, delimiter=',', quotechar='"') + header = last = None + ln = 0 + v = "" + + for row in spamreader: + if header is None: + header = row + continue + if last is None: + last = row + continue + + va = str(int((float(row[1])-float(last[1])-0.05)*10)) + if va not in ["0","1"]: + va = "1" + + v = v+va + ln += 1 + if ln == 8: + print binascii.unhexlify('%x' % int(v, 2)), + v = "" + ln = 0 + last = row + +if __name__ == "__main__": + somedecode("filtered.dehexed.csv") +\end{verbatim}\end{scriptsize} \subsection{Rep:1.i} @@ -149,7 +133,7 @@ if __name__ == "__main__": Report briefly any additional comment or observation related to the exercise solving to be considered during the review of your exercise. }} -Some characters are broken, as the some packets seem to have expirienced unexpected delays and therefore were wrongly classified. All in all the Message is still understandable. +We had our wireshark misconfigured and were looking into the DSCP field for quite some time, before we realising that it was actually IP.ID. \section{Exercise 1 - Task 2} @@ -328,5 +312,5 @@ Report briefly any additional comment or observation related to the exercise sol % TODO: failed attempt 3 - config fail -We did have a wireshark configuration issue as we had mistakenly configured it to show the IPID as the DSCP field and did miss the (correct) DSCP field completely. + -- 2.43.0