From f16a5fe88011362e8e012c6052d0d553292060bb Mon Sep 17 00:00:00 2001 From: Jan Vales Date: Sun, 17 Jan 2016 01:29:21 +0100 Subject: [PATCH] Ex2-1 report done. --- ..._114_176_157_191_221_72_61_209_srcport.png | Bin 0 -> 6553 bytes report/content/exercise2.tex | 111 +++++++++++------- 2 files changed, 69 insertions(+), 42 deletions(-) create mode 100644 report/content/e21_flow_114_176_157_191_221_72_61_209_srcport.png 
diff --git a/report/content/e21_flow_114_176_157_191_221_72_61_209_srcport.png b/report/content/e21_flow_114_176_157_191_221_72_61_209_srcport.png new file mode 100644 index 0000000000000000000000000000000000000000..0f60457d49b4e1451861a76e2c4d615293dc7177 GIT binary patch literal 6553 zcmeHMYgAKL7QO^xK#FmQ$P}%(x@u{qt7*$vN_oUi<5I9CEfx?Nh}8;H9gNaKA|Z(> z%dybuWTwc%R7_erv*;MmDgw47Bxsf4p_rkdg5*Xi5MFr@Ab~vYoO^G8fPFZf`7uBE zLDpT#;q1rx_P4)%Zs8m8Tm6;?Er%e;FLoO}0fGphfxm2T0{G^{m;JR6^yuzb`YUg7 zy2pACWcO^V-SYM$X|HyaopFAV{&v!*^e2l?Z2LZDCTaB2y^-8j+3wr2e7i1-1VR0` zqre_s>mbNG3W8R0AZWc2f;MYCT+f3>lgWh8d?1MSM`?hSW&fvCD)n`mFN}Y-^ZcHx z`(HRhAVZsf4L**leDe!z2^UL9SBnB<-AM#P^h!=r<<9f|93cr>?*TqGYl#hwyr;Wc z3iezrO3VrsTGn|-g@QFca+N3am!sfgy^#QG8&+lYzXEnYQ(L0qlD#AWV2xKg@M#ddSyYR8kk}KaRgehnMPLnq3S55z_1{~r3cp0%l6vF~VE;_k2BXGPmLa&o)}{cr z;8mfMvG+Hs7`66qrH#IF70tAFUy?R+WBu!Ph!@vO zf-m(^l}-jsY{=CD%S{`L*|r`0;?pW$IYmKn1g@bP3Csv%AN;)9c9~7Bc<_JElZYUv5Cdg#L zm%9;L8tljOy@0ZEJJx$}lAm58`K8{sBng(3(n0}gbO@C*A6A4X0>KF+AlXfhcCwf8 zN7frP@h&wf@&Pijb$p!S7y?`ZV2+%k`WMHArP-`0)Y!eFuOcFEG$(^7wA7v*IsXXO-t19 znhPjEwjR0xKiqNn`wke)|bj_HP`b8>ruya+hQ3J;45Y zuJg>Uu(0a;A$dZuHH8zBhpXnD)0;TLOx%kSRiyfqSWHnUn{TuMqb$B(gWXWhW@eY8 z+FT~hDQ6BdT705#HBCUS3oXf=pNhqu5$ZY`JCFkmJg#g$t7wZ<*Ha_Zs9H}vMo}Qq z99D%(yJHrPmFb8Y)WT_9Z|PIO-J%kTLRF1VEOFr5>uqg?Xy9#LnnJh8iJG3+LTuIm zU$@P#+0ay|K_?b;7j7gGA4e80DU{#|LuZgmY@`4q4G13x-0A{9b9B_5^JvlO<9K}#h+qy~T!9Z^W`0;j(F1S^tog_RfUrTd61X}C zNGzxB331PA96qdK(E#XTNApRa+rj)~M$ow(2OLmV;N;v-myT7^k2>;;6VJG?X)WJL zVg3s((NVifL^F>MX-e$|GwEZ&yIMAKZ8yLdQUreZZiImJ#CkxI`^w;BLRnq;XkkO3 zwV66CQ6c8enmDCkW+TEiPunI+;e#=Pfj%Zr>=e%BJ=i=2yFPc!pw}wH(g^+wwVnI zSs&{h&pLM7)^x`fJZL=Cr~hJvCs5j^Q<3^%=Xa<5gXLv)%$yqdop5ugzChXq^P5G?i_C%XlQBsD*9>Yp8{B3HMc(pnWVU zpj;+cGpbSZ4>beE2S6YgLQFx1TUy7K@b;)k$hw^WMB}~Gd*{wfvel=moK1(Qe)V>E zijpy4Cdk_9YdakZYs zEc-+B_n+|&2wuP4y+mBC{>O-iOWui*GAMn}`R194%`C?_4OAXJbIkVLS&kIWHonjW z@nA`rE$Hnl@PfuT@)wulJkc)ngu;P`(YF4JYjI)C&u$LF`FRrLMm~)-=Krqu;84OS zv~9ji{#?^f*Y=i{>Cl@zv@Ix3W39@i3ubpo%f^rOA$sjkp&sK`tkq(o05k}!wcsM@ 
zVGuA&=?{SbAOc)Xu+qz2zWjv5L6sj+L5maOx=zJ9$2_Oco-cZ9D@QMR(a~v9mH%+O z?p1+{Jsk51ZgO;PP4nS$3wpPVX6=94_IH45AMNosq88k5SC~B@m8h{@E48zUC_@2p z+YPRiy|BkPpu%0ZxSrs$SCs#FhamQ5&ueGj(XejYg4#RR2*yHUE*=rSR~03z%*>e% zD$Pr(ORAvBj(gpx$(yY9w-&GprYM6g&+Ow^m#2&6Ohec3-Q&5F3ie+!JFCYl6C|CT zw=Q*C8m}C$z09q-Q9YcZm`L%lI}ANCqVt(6uf&lBYk#-VSP^y6v^S-trFs{VlE%Nu z9JXn151+`~ME&YSXQ-q^MSaYArTEV(SP}Zn_{}a+*HHWZgxy5hd(zI{t%na@OyVZ_ zHYA%tX(GQ83Uu{#s&i8}lRoOQhVC*Cwv6mNZL7@SPcWNWfD2sE%&A66N$`isWcxiN zUN{jTsNa15H&~7816Vv-tC}e z&+N^Hp!H*evUMKd_MQCTdkNP&iX6eomuA*vN39001He~8(#im<3AyVHp1yitYheod zIn=2jGWHXA9nj@%kBPeF8wDPVNa>^CO~lHzR-Tpi{+Qas-HQA3;x{2HuQ1~}3O*=~ U+;;-Ja)DyE#M96IcJ~MW29p=?m;e9( literal 0 HcmV?d00001 diff --git a/report/content/exercise2.tex b/report/content/exercise2.tex index 1f9b9e6..f77de57 100644 --- a/report/content/exercise2.tex +++ b/report/content/exercise2.tex 
@@ -1,61 +1,88 @@ \section{Exercise 2 - Task 1} \subsection{Rep:2.a} +In order to use scapy we need to convert out pcap-ng dump to pcap. +\begin{verbatim} +$ editcap -F libpcap team15_ex21.pcapng team15_ex21.pcap +\end{verbatim} -First we converted the file {\tt team15\_ex21.pcap} from the pcap-ng format to the pcap format to be able to use it with {\tt scapy}. -% TODO: fixme! -%\fbox{\parbox{{\textwidth} -%}} -\begin{lstlisting} -$ editcap -F libpcap team15_ex21.pcap ex21.pcap -\end{lstlisting} +We are only interested in flows with more (or equal) than 400 packets, each exported as a separate pcap file. -Then we filtered out the large flows with more or equal than 400 packets. +\begin{verbatim} +$ ./somefilter.py | sh +\end{verbatim} -% TODO include readflows.py-source +./somefilter.py +\begin{redframe}\begin{scriptsize}\begin{verbatim} +#!/usr/bin/env python -\begin{lstlisting} -$ ./readflows.py -{('113.15.85.25', '179.160.238.111'): (463, 0), - ('114.176.157.191', '221.72.61.209'): (541, 0), - ('134.134.122.170', '179.187.246.122'): (419, 0), - ('179.187.53.117', '129.49.173.82'): (472, 0), - ('211.2.138.61', '144.66.241.253'): (462, 151), - ('221.100.234.92', '161.194.49.146'): (547, 0), - ('8.73.98.88', '144.66.191.77'): (535, 0)} -\end{lstlisting} +from scapy.all import * -(Format: {\tt (src, dst) : (srctodst, dsttosrc)}) +def somefilter(pcapfile): + flows = dict() + for p in PcapReader(pcapfile): + if IP in p: + src = p[IP].src + dst = p[IP].dst -We then split the pcap into different files for each stream using the following filter expressions into separate files: -\begin{lstlisting} -(ip.addr == 113.15.85.25 and ip.addr == 179.160.238.111) -(ip.addr == 114.176.157.191 and ip.addr == 221.72.61.209) -(ip.addr == 134.134.122.170 and ip.addr == 179.187.246.122) -(ip.addr == 179.187.53.117 and ip.addr == 129.49.173.82) -(ip.addr == 211.2.138.61 and ip.addr == 144.66.241.253) -(ip.addr == 221.100.234.92 and ip.addr == 161.194.49.146) -(ip.addr == 8.73.98.88 and 
ip.addr == 144.66.191.77) -\end{lstlisting} - -We also did generate csv files for all pcap files. + if (src,dst) in flows: + flows[(src,dst)] +=1 + else: + flows[(src,dst)] = 1 -Then we generated graphs to visualize the respective flows and found that the second flow has suspicious source ports, alternating between two values ({\tt 5950} and {\tt 5960}). + for flow,cnt in flows.items(): + if cnt >= 400: + print 'tshark -r '+pcapfile+' -w "flow_'+flow[0]+'_'+flow[1]+'.pcap" -F pcap ' \ + + '\'ip.src == '+flow[0]+' and ip.dst == '+flow[1]+'\'' -% TODO include gnuplot-source +if __name__ == "__main__": + somefilter("team15_ex21.pcap") +\end{verbatim}\end{scriptsize}\end{redframe} -% TODO include image -large\_flow\_2.png +With Wireshark we poked around and exported the flows to csv to further investigate. -% TODO include bitstobytes.py-source +While poking around we came across an unexpected value of srcport. +\begin{verbatim} +$ ./srcfeat_power.py --input flow_114.176.157.191_221.72.61.209.csv --feature srcport +# 114.176.157.191,541,2,1.5469339647025981 +\end{verbatim} +There seemed to be 2 different srcports, occuring nearly equally often. +We looked into it with Rapidminer and found a suspiciously alternating srcport jumping between \emph{\textbf{5950}} and \emph{\textbf{5960}}. -\begin{lstlisting} -$ awk -F, '{print $8}' large_flow_2.csv | sed -e 's/5950/0/' -e 's/5960/1/' -e 's/"//g' -$ ./bitstobytes.py -\end{lstlisting} +\includegraphics[width=0.6\columnwidth,keepaspectratio]{content/e21_flow_114_176_157_191_221_72_61_209_srcport.png} \subsection{Rep:2.b} -%\fbox{\parbox{\textwidth{{Data acquired. Key for message (len=42 \& pkts>200): nSa123 (Scott)}} +The message is \emph{\textbf{Data acquired. 
Key for message (len=42 \& pkts>200): nSa123 (Scott)}} + +\begin{redframe}\begin{scriptsize}\begin{verbatim} +#!/usr/bin/env python + +import csv +import binascii + +def somedecode(filename): + with open(filename, 'rb') as csvfile: + spamreader = csv.reader(csvfile, delimiter=',', quotechar='"') + header = None + bits = "" + + for row in spamreader: + if header is None: + header = row + continue + + if row[2] == '114.176.157.191' and row[10] == '5950': + bits += "0" + if row[2] == '114.176.157.191' and row[10] == '5960': + bits += "1" + + bits = bits[:-(len(bits)%8)] + print binascii.unhexlify('%x' % int(bits, 2)) + +if __name__ == "__main__": + somedecode("flow_114.176.157.191_221.72.61.209.csv") +\end{verbatim}\end{scriptsize}\end{redframe} + \section{Exercise 2 - Task 2} \subsection{Rep:2.c} -- 2.43.0
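Review bot: In somedecode, `bits = bits[:-(len(bits)%8)]` empties the whole bit string whenever its length is already a multiple of 8 (`bits[:-0]` is `bits[:0]`), and the following `'%x' % int(bits, 2)` discards leading zero bits, so unhexlify either raises on an odd-length hex string or silently loses a leading NUL byte; the decode apparently works here only because the recovered message starts with a non-zero high nibble and the bit count is not byte-aligned. Replace those two lines with `bits = bits[:len(bits) - len(bits) % 8]` and `print bytearray(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))`, which preserves leading zeros and prints nothing instead of raising when no matching rows were found. In somefilter the generated `tshark` commands embed `flow[0]`/`flow[1]` unquoted and the report pipes the output straight into `sh`; scapy yields dotted-quad strings from the IP header so the practical exposure is small, but wrapping each value with `pipes.quote` (`shlex.quote` on Python 3) or invoking tshark through `subprocess.check_call` with an argument list removes that dependency. The counter also keys on `(src, dst)`, so the >= 400 threshold and the `ip.src ... and ip.dst ...` export each cover a single direction, whereas the removed listing reported both directions per flow; if one-directional flows are intended the report text should say so.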