Network Protocols Bonus Project
TDC375, Autumn 2009/10
John Kristoff, DePaul University

Stage 1 part a: trace.pcap
- You were only given this: http://condor.depaul.edu/jkristof/tdc375/trace.pcap
- What I did: Created a libpcap formatted packet capture file:
    tcpdump -i eth0 -s0 -w trace.pcap host 140.192.249.60
- Edited pcap, removed extraneous traffic
- Goal: Find clue in that file that leads to next step

Stage 1 part a solution
- Decoding the pcap showed a HTTP GET session
- The HTML file contained next step details
- Wireshark would make looking at plain text easy
- You could have pulled up the URL yourself
- URL: http://condor.depaul.edu/jkristof/tdc375/trace.html

Stage 1 part b: 32-bit decode
- Now in that pcap you needed to:
  - Find contiguous 16-bit id and seq fields
  - Combine and form a 32-bit number
- Goal: Find URL based on IPv4-formed 32-bit addr

Stage 1 part b solution
- ICMP echo request/reply has 16-bit id, seq fields
- These are used to match requests and replies
- There was a single pair of ICMP messages
- Id: 0x59 0x0f (89 and 15 in decimal)
- Seq: 0x00 0x01 (0 and 1 in decimal)
- Together 0x590f0001 = 1494155265:
    $ echo 1494155265 | int2ipaddr.pl
- In IPv4 dotted decimal that would be 89.15.0.1
- URL: http://condor.depaul.edu/jkristof/tdc375/89.15.0.1.html

Stage one learning summary
- Be comfortable with pcap analysis and tools
- Perform basic protocol decode and analysis
- Perform 16/32-bit arithmetic and conversions

Stage two part a: SFTP
- You were given a user id and some hex, see http://condor.depaul.edu/jkristof/tdc375/89.15.0.1.html
- What I did: Dumped hex of just IP/TCP/app layers of packet
- Goal: sftp to decoded host/port using id

Stage two part a solution
- 45 00 are typical values for start of IP header
- Use RFC 791 (IP) and RFC 793 (TCP) to decode
- Or maybe text2pcap after editing with hex offsets:
    000 45 00 00 3c e6 18 40 00 40 06 47 86 8c c0 f9 cd
    010 8c c0 f9 ce aa 0e 7f f3 fc 43 9a ef 00 00 00 00
    020 a0 02 16 d0 e5 3b 00 00 02 04 05 b4 04 02 08 0a
    030 00 aa 7c f7 00 00 00 00 01 03 03 07
    text2pcap -e 0x0800 hex.dump trace.pcap
- TCP SYN packet to 140.192.249.206 port 32755
- SFTP to that host/port with uid t<student id>

Stage two part b: SFTP
- What I did: Ran a sshd on rtr-research port 32755 (note: not the same config as sshd on port 22)
- Created t<student id> accounts on rtr-research
- Port 32755 sshd_config had this:
    Banner /usr/local/etc/tdc375-banner
    Subsystem sftp internal-sftp
    AllowGroups tdc375
    Match Group tdc375
        ChrootDirectory %h
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp
- Goal: sftp login using computed pw and get a file

Stage two part b solution
- You had to SFTP to odd port and see banner msg
- Password: hmm, maybe try using my int2ipaddr.pl tool
- Password was student id number as IPv4 addr
- Get file named type.txt in your directory

Stage two part c: DNS
- What I did: Put a file type.txt in your sftp chroot directory
- Set up a DNS server on rtr-research
- This was in named.conf:
    zone "." {
        type master;
        allow-query { any; };
        file "/var/named/zones/root";
    };
- This was in that zones/root file (root name answers with the URL, everything else with the hint):
    @  1D  IN  TXT  "http://condor.depaul.edu/jkristof/tdc375/hxrwop.html"
    *  30  IN  TXT  "So close, but get to the root of the problem"
- Goal: Query rtr-research to get answer with URL

Stage two part c solution
- Grab type.txt in your directory, which contained:
    "I resolve to give you an interesting answer, but don't ask me about IP addresses, they just aren't my type"
- Filename a clue too, but no one seemed to get it
- If you asked any TXT query you got:
    "So close, but get to the root of the problem"
- Ask for the TXT record of the root name itself:
    dig @140.192.249.206 . txt
  to get URL: http://condor.depaul.edu/jkristof/tdc375/hxrwop.html

Stage two learning summary
- Perform advanced packet decode
- Be able to use SFTP to an odd port
- Perform integer to dotted decimal conversion (optionally using my Perl script)
- Understand root and DNS name space hierarchy
- Perform targeted DNS queries of type TXT

Stage three part a: IRC
- What I did: Registered channel and nick on irc.freenode.net
- Wrote a small Perl-based IRC bot, see http://condor.depaul.edu/jkristof/tdc375/tdc375bot-skeleton.pl (note: email/pw detail removed)
- Goal: Send tdc-375 an IRC privmsg
- Goal: Discover magic ASN used for 4-byte ASNs

Stage three part a solution
- PRIVMSG "23456" to tdc-375 on irc.freenode.net
- Response should have been "that is the 4-byte ASN magic number", see http://condor.depaul.edu/jkristof/tdc375/8248440f54d9575d.html
- FYI, "ping" just verifies tdc-375 is responsive

Stage three part b: ping failure
- What I did: Ran a sshd for SSH-only access on 23456
- Set up chroot jails for your ids, for details see http://condor.depaul.edu/jkristof/tdc375/chroot-jail.txt
- Got ICMP ping pcap from rtr-research to gulliver
- On rtr-research:
    arp -s 140.192.249.214 00:E0:4D:0C:4F:F4
- Goal: Diagnose rtr-research to gulliver problem
- Goal: Send me PGP encrypted email

Stage three part b solution
- rtr-research ARP entry for gulliver was wrong
- ping -b 140.192.249.255 got response from gulliver
- L2 destination is all 1's, so this makes sense
- Anything to specific gulliver L2 will fail
- My PGP key ids are found here:
    http://condor.depaul.edu/jkristof/jtk-key.txt
    http://www.cymru.com/jtk/ (0xFFE85F5D)
- You just had to figure out how to use PGP email

Stage three part c: traceroute
- What I did: Set up new tdc-375 bot command "arp", it said:
    "Ah, you've conquered the ARP challenge, good work. From that SSH host traceroute to www.northwestern.edu. Then visit http://condor.depaul.edu/jkristof/tdc375/A.B.C.D.html where A.B.C.D is the 2nd to last hop IPv4 address to that host. MmmuuWAAhahahaha"
- Find traceroute path where hosts don…
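Worked decoder for stage 1 part b and stage 2 part a. This is an added example, not the course's int2ipaddr.pl or any code from the slides: it reads a text2pcap-style hex dump, decodes the IPv4 and TCP headers per RFC 791/793 (including the option list), verifies the IP and TCP checksums, and forms the ICMP id/seq pair into the 32-bit value that renders as 89.15.0.1. The SYN bytes are the stage 2a slide's dump laid out as offset/byte rows; the ICMP echo request is constructed in the code with the id/seq the slide quotes, because trace.pcap itself is not reproduced here.

```python
"""Added example for stage 1b and stage 2a (not the course's own tooling):
decode raw IPv4 packets, verify IP/TCP checksums, and recover the clues."""
import socket
import struct

# The SYN from the stage 2a slide, in the "offset bytes..." layout text2pcap
# reads. Both checksums verify, which confirms the row layout is right.
SYN_HEXDUMP = """
000 45 00 00 3c e6 18 40 00 40 06 47 86 8c c0 f9 cd
010 8c c0 f9 ce aa 0e 7f f3 fc 43 9a ef 00 00 00 00
020 a0 02 16 d0 e5 3b 00 00 02 04 05 b4 04 02 08 0a
030 00 aa 7c f7 00 00 00 00 01 03 03 07
"""


def parse_hexdump(text):
    """Hex dump lines ('offset b0 b1 ...') -> bytes; the offset column is ignored."""
    out = bytearray()
    for line in text.strip().splitlines():
        out.extend(int(b, 16) for b in line.split()[1:])
    return bytes(out)


def checksum(data):
    """RFC 1071 one's-complement checksum; a valid header/segment sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def int2ipaddr(n):
    """32-bit integer -> dotted decimal (what int2ipaddr.pl does)."""
    return socket.inet_ntoa(struct.pack("!I", n))


def decode_ipv4(pkt):
    """Fixed IPv4 header per RFC 791; payload is trimmed to Total Length."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return {"proto": pkt[9], "src": socket.inet_ntoa(pkt[12:16]),
            "dst": socket.inet_ntoa(pkt[16:20]),
            "checksum_ok": checksum(pkt[:ihl]) == 0,
            "payload": pkt[ihl:total_len]}


def icmp_clue(pkt):
    """Stage 1b: echo id (bytes 4-5) and seq (bytes 6-7) form one 32-bit value."""
    ip = decode_ipv4(pkt)
    assert ip["proto"] == 1 and ip["payload"][0] in (0, 8), "not an ICMP echo"
    ident, seq = struct.unpack("!HH", ip["payload"][4:8])
    value = (ident << 16) | seq
    return value, int2ipaddr(value)


def decode_tcp(pkt):
    """Stage 2a: TCP header and options per RFC 793, checksum over pseudo-header."""
    ip = decode_ipv4(pkt)
    assert ip["proto"] == 6, "not TCP"
    seg = ip["payload"]
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", seg[:16])
    doff = (off_flags >> 12) * 4
    names = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"))
    flags = {name for bit, name in names if off_flags & bit}
    options, i = {}, 20
    while i < doff:                       # walk the option list (kind, len, data)
        kind = seg[i]
        if kind == 0:                     # end of options
            break
        if kind == 1:                     # NOP padding
            i += 1
            continue
        length, body = seg[i + 1], seg[i + 2:i + seg[i + 1]]
        if kind == 2:
            options["mss"] = struct.unpack("!H", body)[0]
        elif kind == 3:
            options["wscale"] = body[0]
        elif kind == 4:
            options["sack_ok"] = True
        elif kind == 8:
            options["tsval"], options["tsecr"] = struct.unpack("!II", body)
        i += length
    pseudo = (socket.inet_aton(ip["src"]) + socket.inet_aton(ip["dst"])
              + struct.pack("!BBH", 0, 6, len(seg)))
    return {"src": ip["src"], "dst": ip["dst"], "sport": sport, "dport": dport,
            "seq": seq, "flags": flags, "window": win, "options": options,
            "ip_checksum_ok": ip["checksum_ok"],
            "tcp_checksum_ok": checksum(pseudo + seg) == 0}


def build_icmp_echo(src, dst, ident, seq):
    """Constructed stand-in for the trace's echo request (not captured data):
    an IPv4 packet with valid checksums carrying the id/seq the slide quotes."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + b"tdc375"
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0x4000,
                      64, 1, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + icmp


if __name__ == "__main__":
    echo = build_icmp_echo("140.192.249.60", "140.192.249.206", 0x590F, 0x0001)
    print("stage 1b:", icmp_clue(echo))
    syn = decode_tcp(parse_hexdump(SYN_HEXDUMP))
    print("stage 2a: SYN to %s:%d" % (syn["dst"], syn["dport"]), syn["options"],
          "checksums ok" if syn["ip_checksum_ok"] and syn["tcp_checksum_ok"] else "BAD")
```

The checksum verification is the practical check when hand-editing a dump for text2pcap: a byte dropped or a row mis-aligned shows up as a failed IP or TCP checksum before you trust the decoded host and port.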
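Worked example for stage 2 part c, the root TXT query. This is added here and is not from the slides or the rtr-research setup: it builds the DNS wire-format query that `dig @140.192.249.206 . txt` sends (the root name encodes as a single zero byte), and parses a TXT answer, following RFC 1035 name compression. Since the server is not reachable from this page, the response is constructed by a helper that stands in for BIND and carries the URL the slide gives.

```python
"""Added example for stage 2c: DNS TXT query for the root name, wire format per
RFC 1035. The response here is constructed, not captured from rtr-research."""
import struct

TXT, IN = 16, 1
HXRWOP_URL = "http://condor.depaul.edu/jkristof/tdc375/hxrwop.html"  # from the slide


def encode_name(name):
    """Wire-encode a DNS name; the root '.' is just the zero terminator."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return b"".join(struct.pack("!B", len(l)) + l.encode() for l in labels) + b"\x00"


def build_txt_query(name, txid=0x1234):
    """Header (RD set, one question) + question section for <name> TXT IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TXT, IN)


def read_name(data, off):
    """Decode a name at <off>, following compression pointers (RFC 1035 4.1.4).
    Returns (name, offset just past the name in the stream)."""
    labels, jumped, end = [], False, None
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                       # pointer to earlier name
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode())
        off += length
    return ".".join(labels) or ".", (end if jumped else off)


def parse_txt_response(data, txid=0x1234):
    """Return [(owner, ttl, text)] for every TXT record in the answer section."""
    tid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    assert tid == txid and flags & 0x8000, "not a response to our query"
    off = 12
    for _ in range(qd):                                  # skip the echoed question
        _, off = read_name(data, off)
        off += 4
    records = []
    for _ in range(an):
        owner, off = read_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata, off = data[off:off + rdlen], off + rdlen
        if rtype == TXT:                                 # one or more <len><chars>
            i, parts = 0, []
            while i < rdlen:
                n = rdata[i]
                parts.append(rdata[i + 1:i + 1 + n].decode())
                i += 1 + n
            records.append((owner, ttl, "".join(parts)))
    return records


def build_txt_response(query, text, ttl):
    """Constructed reply standing in for the BIND on rtr-research: echoes the
    question and answers with one TXT record whose owner points at the qname."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8580, 1, 1, 0, 0)   # QR AA RD RA
    rdata = struct.pack("!B", len(text)) + text.encode()
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TXT, IN, ttl, len(rdata)) + rdata
    return header + query[12:] + answer


if __name__ == "__main__":
    q = build_txt_query(".")
    print("qname bytes:", q[12:].hex())                 # 00 0010 0001
    print(parse_txt_response(build_txt_response(q, HXRWOP_URL, 86400)))
```

To send the real query, `socket.sendto(build_txt_query("."), ("140.192.249.206", 53))` over UDP and feed the reply to `parse_txt_response`; the 1D TTL on the slide's record is the 86400 used above.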
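Worked example for stage 3 part a, showing what the "magic" ASN 23456 does rather than only its value. This is added here and is not from the slides or the bot: per RFC 4893 (since replaced by RFC 6793), AS_TRANS = 23456 is what a 4-byte-ASN-capable BGP speaker substitutes for any ASN above 65535 in the AS_PATH it sends to a peer that only understands 2-byte ASNs, carrying the real numbers in the optional transitive AS4_PATH; a capable receiver then merges the two. The AS numbers in the sample paths are constructed; the asdot conversion follows RFC 5396.

```python
"""Added example for stage 3a: the AS_TRANS mechanism from RFC 4893. Sample AS
numbers are constructed (documentation ranges), not from the project."""

AS_TRANS = 23456


def asdot(asn):
    """asplain integer -> asdot text (RFC 5396): 'high.low' above 65535."""
    return "%d.%d" % (asn >> 16, asn & 0xFFFF) if asn > 0xFFFF else str(asn)


def asplain(text):
    """asdot or asplain text -> integer."""
    if "." in text:
        high, low = (int(part) for part in text.split(".", 1))
        return (high << 16) | low
    return int(text)


def as_path_for_peer(path, peer_supports_4byte):
    """AS_PATH as encoded toward a peer: 4-byte ASNs go unchanged to a capable
    peer and are replaced by AS_TRANS for an old (2-byte only) peer."""
    if peer_supports_4byte:
        return list(path)
    return [asn if asn <= 0xFFFF else AS_TRANS for asn in path]


def reconstruct_path(as_path, as4_path):
    """RFC 4893 4.2.3, flat (no AS_SET) form: an old speaker in the middle
    prepends itself to AS_PATH but passes AS4_PATH through untouched, so the
    true path is the extra leading AS_PATH entries followed by AS4_PATH."""
    if as4_path is None or len(as4_path) > len(as_path):
        return list(as_path)                  # nothing usable; keep AS_PATH
    lead = len(as_path) - len(as4_path)
    return list(as_path[:lead]) + list(as4_path)


if __name__ == "__main__":
    origin_path = [4200000000, 64496]        # 4-byte origin AS behind a 2-byte AS
    sent = as_path_for_peer(origin_path, peer_supports_4byte=False)
    print("sent to old peer:", sent)         # [23456, 64496]
    old_peer_forwards = [65000] + sent       # the old peer prepends its own ASN
    print("rebuilt downstream:", reconstruct_path(old_peer_forwards, origin_path))
    print(asdot(4200000000), asplain("64086.59904"))
```

The sequence mirrors the bot's answer: 23456 is never a real origin, it is the placeholder that tells a 4-byte-aware receiver to look in AS4_PATH for the number it hides.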