From d4dfaf061494961836cd587fd039f82f73723b12 Mon Sep 17 00:00:00 2001 From: Jan Vales Date: Thu, 14 Jan 2016 03:26:13 +0100 Subject: [PATCH] Continued writing the report. --- report/exercise1.tex | 217 +++++++++++++++++++++++++++++++------------ report/main.tex | 10 +- 2 files changed, 165 insertions(+), 62 deletions(-) diff --git a/report/exercise1.tex b/report/exercise1.tex index ddc48e8..3fe9801 100644 --- a/report/exercise1.tex +++ b/report/exercise1.tex 
@@ -1,101 +1,168 @@ % tunet und eduroam down... -\section{Exercise 1} +\section{Exercise 1 - Task 1} \subsection{Rep:1.a} -\noindent\fbox{% -\parbox{\textwidth}{% - What is the IP address of the suspicious notebook? -}% -} +\fbox{\parbox{\textwidth}{ +What is the IP address of the suspicious notebook? +}} + +The IP address of the suspicious notebook (our own IP address) is \emph{\textbf{192.168.67.37}}. -The IP address of the suspicious notebook (our own IP address) is {\tt 192.168.67.37}. \subsection{Rep:1.b} +\fbox{\parbox{\textwidth}{ +What is the IP address of the machine presumably leaking information? +}} -\noindent\fbox{% -\parbox{\textwidth}{% - What is the IP address of the machine presumably leaking information? -}% -} +The remote IP address is \emph{\textbf{192.168.67.83}}. -The remote IP address is {\tt 192.168.67.83}. \subsection{Rep:1.c} +\fbox{\parbox{\textwidth}{ +Give a detailed (but brief) explanation of these steps you carried out to filter irrelevant data (either Wireshark or Rapidminer).\\ +Do also specify the keyworks and operators required. +}} -\noindent\fbox{% -\parbox{\textwidth}{% - Give a detailed (but brief) explanation of these steps you carried out to filter irrelevant data (either Wireshark or Rapidminer). - Do also specify the keyworks and operators required. -}% -} - -The necessary wireshark filter expression is {\tt ip.addr == 192.168.67.83}. +The necessary wireshark filter expression is \emph{\textbf{ip.addr == 192.168.67.83}}. % TODO more verbose? -\subsection{Rep:1.d} -\noindent\fbox{% -\parbox{\textwidth}{% - Which features are not viable to mask a covert channel and could be removed from the analysis? - List the rejected features and provide short but meaningful reasons for rejection. -}% -} +\subsection{Rep:1.d} +\fbox{\parbox{\textwidth}{ +Which features are not viable to mask a covert channel and could be removed from the analysis?\\ +List the rejected features and provide short but meaningful reasons for rejection. 
+}} \begin{itemize} - \item {\tt No.} (it is generated while monitoring and is strictly monotonically increasing by 1 with each packet) - \item {\tt Source IP} (fixed value: {\tt 192.168.67.83}) - \item {\tt Destination IP} (fixed value: {\tt 192.168.67.37}) - \item {\tt Protocol} (fixed value: {\tt UDP}) - \item {\tt Length} (fixed value: {\tt 82}) - \item {\tt TTL} (fixed value: {\tt 64}) - \item {\tt Dest port} (fixed value: {\tt 118}) - \item {\tt Flags} (none set) - \item {\tt Frag offset} (fixed value: {\tt 0}) + \item \emph{\textbf{No.}} (it is generated while monitoring and is strictly monotonically increasing by 1 with each packet) + \item \emph{\textbf{Source IP}} (fixed value: \emph{\textbf{192.168.67.83}}) + \item \emph{\textbf{Destination IP}} (fixed value: \emph{\textbf{192.168.67.37}}) + \item \emph{\textbf{Protocol}} (fixed value: \emph{\textbf{UDP}}) + \item \emph{\textbf{Length}} (fixed value: \emph{\textbf{82}}) + \item \emph{\textbf{TTL}} (fixed value: \emph{\textbf{64}}) + \item \emph{\textbf{Dest port}} (fixed value: \emph{\textbf{118}}) + \item \emph{\textbf{Flags}} (none set) + \item \emph{\textbf{Frag offset}} (fixed value: \emph{\textbf{0}}) \end{itemize} Fixed values have been rejected as it is not possible to hide information within. + \subsection{Rep:1.e} +\fbox{\parbox{\textwidth}{ +From the remaining features, which ones are not viable to mask a covert channel and could be removed from the analysis?\\ +List the newly rejected features and provide short but meaningful reasons for rejection. +}} -\noindent\fbox{% -\parbox{\textwidth}{% - From the remaining features, which ones are not viable to mask a covert channel and could be removed from the analysis? - List the newly rejected features and provide short but meaningful reasons for rejection. -}% -} +We can determine that the source port changes only between transmissions. The transmissions seem to be identical.\\ -% TODO continue writing here. 
+Therefore we can assume that the \emph{\textbf{source port}} can be ignored in further analysis. -repeating transfers, transfers seem separable over time via the udp.srcport attribute +We filter the transmission by applying the following filter in wireshark: \emph{\textbf{ip.addr == 192.168.67.83 and udp.srcport == 52899}} export the selection to a new pcap file and reload in wireshark to reset the packet numbers and export the pcap to csv. -filtered traffic via wireshark again by source port 52899 -ip.addr == 192.168.67.83 and udp.srcport == 52899 -reexported to csv +\subsection{Rep:1.f} +\fbox{\parbox{\textwidth}{ +Do you think that you have found the covert channel?\\ +Give a detailed description of where the covert channel is occurring (feature value:covert symbol relationship) and provide a capture of the plot where the abnormal behavior of the suspicious feature is isolated and clearly visible. +}} -reimported to rapidminer +At first we wrote a decoder that made a diff between the current and the last csv line looking at DSCP.\\ +Combined with the hint 8 bit asci we tried to extract full or partial bytes. The results did not made any sense.\\ -\subsection{Rep:1.f} -dscp + timing changes. +Later we tried to look at the timing diffs and realised that most packets had a delay of either 0.04-0.06 or 0.14-0.16 ms.\\ +So we tried to multiply the time-diff by 10 and cast the result to int. This resulted in a nice one bit/packet list which we quickly converted to 8 bit ascii. -the DSCP value grows until 10962 -grows until time 6.55 -then it's fixed on DSCP 10962 \subsection{Rep:1.g} -Dest port == 118 +\fbox{\parbox{\textwidth}{ +Write in the report the formula of the deployed filter and the steps carried out to prepare the required file. +}} + +\emph{\textbf{Dest port == 118}} + \subsection{Rep:1.h} -siehe bladecode.py +\fbox{\parbox{\textwidth}{ +Write in the report the decoded message. 
Explain clearly how you carried out the decoding task (step by step in a numbered list). +}} + +The message is \emph{\textbf{Starting transmission from Ministry of Cyber {\ucr}ffairs. (Agent Scott)Star{\ucr}i{\ucr}}}\\ + +somedecode.py\\ +\begin{verbatim} +#!/usr/bin/env python + +import sys +import os +import signal +import csv +import binascii + + +def somedecode(filename): + with open(filename, 'rb') as csvfile: + spamreader = csv.reader(csvfile, delimiter=',', quotechar='"') + header = None + last = None + ln = 0 + v = "" + + for row in spamreader: + if header is None: + header = row + continue + if last is None: + last = row + continue + + va = str(int((float(row[1])-float(last[1]))*10)) + if va not in ["0","1"]: + va = "1" + + v = v+va + + ln += 1 + if ln == 8: + n = int(v, 2) + print " "+binascii.unhexlify('%x' % n), + v = "" + ln = 0 + last = row + +if __name__ == "__main__": + def signal_handler(signal, frame): + print('SIG received. exitting!') + sys.exit(0) + signal.signal(signal.SIGINT, signal_handler) + + somedecode("dump_selected_udp_single_src_port_dehexed.csv") + +\end{verbatim} -\subsection{Rep:1.i} -some bits are broken, as the timing and my decodes is more a hack. -a hack is a hack is a hack ... :) +\subsection{Rep:1.i} +\fbox{\parbox{\textwidth}{ +Report briefly any additional comment or observation related to the exercise solving to be considered during the review of your exercise. +}} +Some characters are broken, as the some packets seem to have expirienced unexpected delays and therefore were wrongly classified. All in all the Message is still understandable. +\section{Exercise 1 - Task 2} \subsection{Rep:1.j} +\fbox{\parbox{\textwidth}{ +Give a detailed (but brief) explanation of the steps you carried out to filter irrelevant data (either Wireshark or Rapidminer). Do also specify the keywords and operators required. +}} + + + + + +% TODO continue writing here. + + + rescan... new ip: 192.168.67.26 10min.{pcap,csv} 
@@ -141,7 +208,13 @@ udp.port == 58493 or udp.port == 45875 or tcp.port == 40875 or udp.port == 36842 %%%%%%%%%%%%%%%%%%%%%%% + \subsection{Rep:1.k} +\fbox{\parbox{\textwidth}{ +Which features are not viable to mask a covert channel and could be removed from the analysis? List the +rejected features and provide short but meaningfureasons for rejection. +}} + Unusable features: No. -> generated while monitoring fixed values: @@ -159,7 +232,13 @@ Flags: Expected distribution of values + \subsection{Rep:1.l} +\fbox{\parbox{\textwidth}{ +From the remaining features, which ones are not viable to mask a covert channel and could be removed +from the analysis? List the newly rejected features and provide short but meaningful reasons for rejection. +}} + not a high variance detected: \begin{itemize} \item UDP Stream from 192.168.67.83:56040 to 192.168.67.37:80 %TODO fix 
@@ -182,25 +261,43 @@ Length also does not vary very much: -> map in rapidminer ipid vs dscp -> every dscp has two ipid's? (ipid1 xor ipid2) or (ipid1 - ipid2) -> char + \subsection{Rep:1.m} +\fbox{\parbox{\textwidth}{ +What is the IP address of the machine presumably leaking information? +}} + Unknown, because we do have two shorter transmissions before a longer transmission from different source ips Later the IP address turned out to be 192.168.67.84. + \subsection{Rep:1.n} +\fbox{\parbox{\textwidth}{ +Do you think that you have found the covert channel?\\ +Give a detailed description of where the covert channel is occurring (feature value:covert symbol relationship) and provide a capture of the plot where the abnormal behavior of the suspicious feature is isolated and clearly visible. +}} + Not yet. We do not know if the three transmissions are connected to each other. Most likely it is in the DSCP field of the third transmission. (This also has responses from the local system) Turned out that the 6 bits from the DSCP field just needed to be concatenated and then split into 8 bit chunks again. + \subsection{Rep:1.o} +\fbox{\parbox{\textwidth}{ +Write in the report the decoded message. Explain clearly how you carried out the decoding task (step by step in a numbered list). +}} ./exercise2/parse\_stream\_data.py "Agent South already successfully infiltrated The minister's office. In the next step, we try to acquire data from the Ministry of Cyber Affair's office network. Stay tuned, I will keep you updated on the progress. (This message was sent by agent Scott)Agent South already successfully infiltrated The minister's office. In the next step, we try to acquire data from the Ministry of Cyber Affair's office network. Stay tuned, I will keep you updated on t" + \subsection{Rep:1.p} +\fbox{\parbox{\textwidth}{ +Report briefly any additional comment or observation related to the exercise solving to be considered during the review of your exercise. 
+}} We did have a wireshark configuration issue as we had mistakenly configured it to show the IPID as the DSCP field and did miss the (correct) DSCP field completely. - diff --git a/report/main.tex b/report/main.tex index 9ce03fa..cee23df 100644 --- a/report/main.tex +++ b/report/main.tex @@ -111,14 +111,20 @@ \usepackage{tabularx} +% schei encoding +\usepackage{amssymb,graphicx,stackengine,xcolor} +\def\ucr{\scalebox{1}{\stackinset{c}{-.75pt}{c}{0pt}{ + \textcolor{white}{\sffamily\bfseries\footnotesize ?}}{ + \rotatebox{35}{$\blacksquare$}}}} + % START DOCUMENT \begin{document}\thispagestyle{empty} \hspace{40pt} \section*{Network Security - Advanced Topics (VU 389.160)} \textbf{2015W} -\section*{LAB REPORT} -\textbf{Cyberministry of cyberaffairs} +\section*{CYBERLAB CYBERREPORT} +\textbf{Cyberministry of Cyberaffairs} \section*{David Kaufmann} \textbf{0700719\\\url{mailto:astra@ionic.at}}\\ -- 2.43.0
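Review bot: in the first exercise1.tex hunk, the decoder pasted into Rep:1.h (`somedecode.py`) will crash on any decoded byte below 0x10, because `'%x' % n` yields a single hex digit and `binascii.unhexlify` rejects odd-length input; `'%02x' % n`, or simply `chr(n)`, avoids that. The fallback `if va not in ["0","1"]: va = "1"` also silently turns every inter-packet gap outside 0.0 to 0.2 (and any negative gap) into a 1 bit, which is exactly the misclassification that Rep:1.i blames for the broken characters; counting or printing those out-of-range gaps would let the report say how many bits were guessed. Rep:1.f gives the two delay classes as 0.04-0.06 and 0.14-0.16 ms, but `int(delta*10)` only separates them into 0 and 1 if the time column is in seconds (Wireshark's Time column is), so the unit in the text should be checked against the CSV. Rep:1.g answers with `Dest port == 118`, which is not Wireshark display-filter syntax although the box asks for the deployed filter formula; `udp.dstport == 118` plus the export steps already described in Rep:1.e would answer it. The `% TODO more verbose?` in Rep:1.c and the numbered step list requested in Rep:1.h are still open.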
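Review bot: in the `@@ -141,7 +208,13 @@` hunk the new Rep:1.k question box has a typo, `meaningfureasons` should read `meaningful reasons`. The answer beneath the box is still the scratch list (`Unusable features: No. -> generated while monitoring fixed values:`); Task 1 presents the same rejection list as an `itemize` with one reason per feature, and Task 2 should use that format so the two tasks read alike.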
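Review bot: in the `@@ -159,7 +232,13 @@` hunk the Rep:1.l box is followed by the draft line `not a high variance detected:` and an item still marked `%TODO fix`; once the box is in place that draft line renders as the answer, so the item list needs finishing (or the sentence rewording) before this section reads as a result.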
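Review bot: in the `@@ -182,25 +261,43 @@` hunk, Rep:1.m and Rep:1.n now sit under formal question boxes but their answers keep the working-notes chronology (`Unknown, because ...` followed by `Later the IP address turned out to be 192.168.67.84.`, and `Not yet.` followed by `Turned out that ...`). Lead with the final finding (source 192.168.67.84; the 6-bit DSCP values concatenated and re-split into 8-bit chunks) and move the detour, together with the IPID/DSCP column mix-up already described in Rep:1.p, into the comments section. Rep:1.o only names `./exercise2/parse\_stream\_data.py` and pastes its output, while the box asks for a numbered step list; Task 1 includes its decoder inline in `verbatim`, and Task 2 should either do the same or spell out the steps.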
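Review bot: in the main.tex hunk the comment `% schei encoding` above the new `\ucr` macro does not say what the macro is for; an English comment such as `% placeholder glyph for undecodable bytes in the decoded message` would help, and `\newcommand\ucr` is safer than `\def\ucr` because it errors on an existing definition instead of silently overriding it. `\scalebox{1}{...}` is a no-op and can be dropped. The cover-page change from `LAB REPORT` to `CYBERLAB CYBERREPORT` is what gets submitted, so confirm it is intended.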