Homework of ANS

2017-11-16  Colin_0463

Task 1 (warm up)

1.1 count the number of total frames

yum install -y wireshark
tshark -r warmup.pcap | wc -l

result is 100,000

capinfos warmup.pcap | grep "Number of packets"| tr -d " " | cut -d ":" -f 2
tcpdump -r test.cap 2>/dev/null| wc -l

failed!!!???

1.2 count the number of IPv4 packets

1.3 count the number of IPv6 packets

1.4 count the number of IPv4/tcp packets

1.5 count the number of IPv4/udp packets

1.6 count the number of distinct source IPv4 addresses:

1.7 count the number of distinct destination IPv4 addresses

1.8 list the top-10 source IP addresses that appeared the most.

203.50.118.210    74.157.109.74    17.157.75.206     163.162.85.250    162.98.176.7
31.242.205.139    23.32.18.78      104.167.125.139   203.50.109.231    203.50.109.226

1.9 list the top-10 destination IP addresses that appeared the most.

202.139.239.243    202.133.50.192    203.50.118.210    203.50.100.162    13.181.101.53 
163.162.250.91     202.139.239.29    202.133.18.189    163.162.113.121   163.162.15.96
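
As an added example (not part of this write-up, and not the tools used above), the pure-Python parser below answers 1.1 to 1.9 from the pcap file structure itself, so the count does not depend on how many lines tshark or tcpdump happen to print. It reads the classic pcap record headers, decodes the Ethernet/IPv4/IPv6 headers, and tallies per-protocol counts, distinct addresses and the top-N talkers. The capture it runs on is constructed in memory (addresses, ports and frame mix are all made up); to use it on warmup.pcap, pass open("warmup.pcap", "rb").read() to summarize().

```python
import ipaddress
import struct
from collections import Counter

LINKTYPE_ETHERNET = 1

# ---- Builders for a constructed sample capture (a stand-in for warmup.pcap, not real traffic) ----
def eth(ethertype, payload, dst="ffffffffffff", src="020000000001"):
    return bytes.fromhex(dst) + bytes.fromhex(src) + struct.pack("!H", ethertype) + payload

def ipv4(src, dst, proto, payload=b""):
    # Minimal 20-byte IPv4 header; the checksum is left 0 because this parser never validates it.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def ipv6(src, dst, next_hdr, payload=b""):
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_hdr, 64,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + payload

def tcp(sport, dport):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)

def udp(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def build_pcap(frames, little_endian=True):
    """Classic pcap image: 24-byte global header, then a 16-byte record header per frame."""
    end = "<" if little_endian else ">"
    out = struct.pack(end + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack(end + "IIII", 1500000000 + i, 0, len(f), len(f)) + f
    return out

SAMPLE_FRAMES = (
    [eth(0x0800, ipv4("10.0.0.1", "10.0.0.2", 6, tcp(40000 + i, 80))) for i in range(3)]
    + [eth(0x0800, ipv4("10.0.0.3", "10.0.0.2", 17, udp(5353, 53, b"x"))) for _ in range(2)]
    + [eth(0x0800, ipv4("10.0.0.1", "10.0.0.4", 1))]                # ICMP: IPv4, but neither TCP nor UDP
    + [eth(0x86DD, ipv6("2001:db8::1", "2001:db8::2", 6, tcp(1234, 443)))]
    + [eth(0x0806, b"\x00" * 28)]                                     # ARP: a frame that is not IP at all
)
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)

# ---- Parser: counts records from the file structure instead of counting tool output lines ----
def iter_frames(pcap_bytes):
    """Yield raw Ethernet frames from a classic pcap image, honouring the byte order the magic announces."""
    magic = pcap_bytes[:4]
    if magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        end = ">"
    elif magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        end = "<"
    else:
        raise ValueError("not a classic pcap file (pcapng needs a different parser)")
    if struct.unpack(end + "I", pcap_bytes[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("this example only decodes Ethernet captures")
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack(end + "IIII", pcap_bytes[off:off + 16])
        off += 16
        frame = pcap_bytes[off:off + incl_len]
        if len(frame) < incl_len:
            break  # truncated final record: stop rather than mis-parse
        off += incl_len
        yield frame

def classify(frame):
    """Return (family, l4_proto, src, dst); family is 'ipv4', 'ipv6' or 'other'."""
    if len(frame) < 14:
        return "other", None, None, None
    ethertype, off = struct.unpack("!H", frame[12:14])[0], 14
    if ethertype == 0x8100 and len(frame) >= 18:          # 802.1Q tag: the real ethertype sits 4 bytes later
        ethertype, off = struct.unpack("!H", frame[16:18])[0], 18
    if ethertype == 0x0800 and len(frame) >= off + 20:
        return ("ipv4", frame[off + 9], str(ipaddress.IPv4Address(frame[off + 12:off + 16])),
                str(ipaddress.IPv4Address(frame[off + 16:off + 20])))
    if ethertype == 0x86DD and len(frame) >= off + 40:
        return ("ipv6", frame[off + 6], str(ipaddress.IPv6Address(frame[off + 8:off + 24])),
                str(ipaddress.IPv6Address(frame[off + 24:off + 40])))
    return "other", None, None, None

def summarize(pcap_bytes, top_n=10):
    """Answers 1.1-1.9 for one capture: totals per family/protocol, distinct and top-N IPv4 addresses."""
    counts, srcs, dsts = Counter(), Counter(), Counter()
    for frame in iter_frames(pcap_bytes):
        counts["frames"] += 1
        family, proto, src, dst = classify(frame)
        counts[family] += 1
        if family == "ipv4":
            counts["ipv4_tcp"] += proto == 6
            counts["ipv4_udp"] += proto == 17
            srcs[src] += 1
            dsts[dst] += 1
    return {"frames": counts["frames"], "ipv4": counts["ipv4"], "ipv6": counts["ipv6"],
            "ipv4_tcp": counts["ipv4_tcp"], "ipv4_udp": counts["ipv4_udp"],
            "distinct_src": len(srcs), "distinct_dst": len(dsts),
            "top_src": srcs.most_common(top_n), "top_dst": dsts.most_common(top_n)}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_PCAP).items():
        print(f"{key}: {value}")
```

Counting output lines (tshark ... | wc -l) is only right when every frame prints exactly one line; a capture in pcapng format, or a tool that prints multi-line records, silently gives a different number. Walking the record headers gives the same figure capinfos reports, and the byte-order check matters because captures written on different machines use either magic.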

Task 2

2.1 extract the query names from DNS query packets

mycompany.com', 'pop.gmx.com', 'password-ned-xp.pwned.se', 'password-ned-xp', 'safebrowsing.google.com', 'safebrowsing-cache.google.com', 'clients2.google.com', '_ftp._tcp.local', 'clients4.google.com', 'client.dropbox.com', '_ipp._tcp.local', 'navigator-bs.gmx.com', 'accounts.google.com', '_ipps._tcp.local', '16-0.19-a3000081.20081.1644.1e39.2f4a.210.0.lsfzcu3cfr5h1cip6rdsa7h5uj.avts.mcafee.com', 'a-0.19-a3000081.0.1644.1e39.2f4a.210.0.6fnn1j35k3nnmigna2v11i9swj.avts.mcafee.com', 'a-0.19-a3000081.0.1644.1e39.2f4a.210.0.5qzbq178cpcpkz3ash969p4vtb.avts.mcafee.com', 'a-0.19-a3000081.0.1644.1e39.2f4a.210.0.5qwgzz8ezez1mwk72db4mfbk7t.avts.mcafee.com', 'a-0.19-a3000081.0.1644.1e39.2f4a.210.0.q5geq2e7kll2zfk2mrugnuh14q.avts.mcafee.com', 'a-0.19-a30000c1.d040083.1644.1e39.2f4a.210.0.94rhhfkzeebvlhkzt644av1snj.avts.mcafee.com', 'a-0.19-a3000081.0.1644.1e39.2f4a.210.0.n16ddjdlrwenfmj61er2jgkb6b.avts.mcafee.com', 'c.14-0.19-a3000081.8010081.1644.1e39.2f4a.210.0.dae44v4q334j48qqwp95jaad5t.avts.mcafee.com', 'a-0.19-a3000081.0.1644.1e39.2f4a.210.0.9euk3unrrrp7k71c4r3c4mkv2t.avts.mcafee.com', 'a-0.19-a3000081.0.1644.1e39.2f4a.210.0.tdnt4a1hciwwwq61tm1ef4b3kb.avts.mcafee.com', 'c-0.19-a3000071.40481.1644.1e39.2f4a.210.0.du5czgeg5ng1hjphkd7j21qhdi.avts.mcafee.com', '16-0.19-a3000071.10081.1644.1e39.2f4a.210.0.vtb7pr9gljq31vf9tvfllftapq.avts.mcafee.com', 'a-0.19-a3000071.d020082.1644.1e39.2f4a.210.0.25nahcdech5gsrv9ecemf2lbkt.avts.mcafee.com', 'c-0.19-a3000081.70481.1644.1e39.2f4a.210.0.clq6shkdqf4qk2l2h7f23zrbdj.avts.mcafee.com', 'wpad.pwned.se', 'wpad', 'watson.microsoft.com', 'c-0.19-a7000008.8a70083.1644.1e39.2f4a.210.0.sp4llip8fbzphb22g2r6w8iu1j.avts.mcafee.com', 'go.microsoft.com', 'ctldl.windowsupdate.com', 'dmd.metaservices.microsoft.com', 'a-0.19-a3000081.9110081.1644.1e39.2f4a.210.0.5wauzj8kclu1up9r1vmvdufkaj.avts.mcafee.com', 'c-0.19-a3000081.50481.1644.1e39.2f4a.210.0.tzbz944k79p2izgrrwssktv4p6.avts.mcafee.com', 
'c-0.19-a3000008.60081.1644.1e39.2f4a.210.0.iu67rk8f86junz2fmh7vk62c2b.avts.mcafee.com', 'compatexchange.trafficmanager.net', 'ocsp.msocsp.com', 'watson2.microsoft.com', 'notify8.dropbox.com', 'clients1.google.com', 'client-lb.dropbox.com', 'tools.google.com', 'redirector.gvt1.com', 'r6---sn-uxap5nvoxg5-5goe.gvt1.com', 'clients3.google.com', 'apis.google.com', 'mail.google.com', 'ssl.gstatic.com', 'www.google.com', 'www.google.se', 'www.googleapis.com', 'www.gstatic.com', 'translate.googleapis.com', 'mtalk.google.com', 'accounts.youtube.com', 'clients2.googleusercontent.com', 'zkygedkpyzdll.pwned.se', 'ltynerolirvuzj.pwned.se', 'ghurdoi.pwned.se', 'zkygedkpyzdll', 'ltynerolirvuzj', 'ghurdoi', 'changelogs.ubuntu.com', '3c-bs.gmx.com', 'isatap.pwned.se', 'Dell-Dator32', 'services.addons.mozilla.org', 'ocsp.digicert.com', 'versioncheck-bg.addons.mozilla.org', 'gfe.nvidia.com', 'addons.mozilla.org', 'blocklist.addons.mozilla.org', 'www.hipchat.com', 'ad.doubleclick.net', 'www.skybluecanvas.com', 'www.php.net', 'www.zend.com', 'php.net', 'ajax.googleapis.com', 'edit.php.net', 'bugs.php.net', 'example.com', 'www.example.com', 'softontherocks.blogspot.com', 'msdn.microsoft.com', '146.49.195.217.in-addr.arpa', 'versioncheck.addons.mozilla.org', 'fhr.data.mozilla.com', 'aus4.mozilla.org', 'lc.mcafee.com', 'update.nai.com', 'mirrorlist.centos.org', 'ftp.acc.umu.se', 'ftp.heanet.ie', 'mirror.23media.de', 'mirror.omnilance.com', 'ftp-stud.hs-esslingen.de', 'ftp.uni-bayreuth.de', 'mirror.serverbeheren.nl', 'ftp.nluug.nl', 'ftp.uni-kl.de', 'mirror.i3d.net', 'mirrors.nic.cz', 'mirror.de.leaseweb.net', 'fedora.uib.no', 'mirror.vutbr.cz', 'ftp.colocall.net', 'mirror.oss.maxcdn.com', 'fedora.tu-chemnitz.de', 'mirror.switch.ch', 'ftp.fi.muni.cz', 'ftp.linux.cz', 'ftp.upjs.sk', 'mirrors.neterra.net', 'mirror.nonstop.co.il', 'www.mirrorservice.org', 'ftp.mirrorservice.org', 'mirror.karneval.cz', 'anorien.csc.warwick.ac.uk', 'ftp.crc.dk', 'mirrors.telianet.dk', 'mirror.nl.leaseweb.net', 
'mirror.duomenucentras.lt', 'ftp.wrz.de', 'ftp.icm.edu.pl', 'mirrors.uni-ruse.bg', 'vesta.informatik.rwth-aachen.de', 'mirror.euserv.net', 'mirror.proserve.nl', 'epel.mirrors.ovh.net', 'mirrors.n-ix.net', 'mirror.uv.es', 'mirror.datacenter.by', 'mir01.syntis.net', 'mirror-fr2.bbln.org', 'fedora.ip-connect.vn.ua', 'mirror-fr1.bbln.org', 'mirror.imt-systems.com', 'www.fedora.is', 'ftp.fedora.is', 'mirrors.ircam.fr', 'mirror.dgn.net.tr', 'mirror.bytemark.co.uk', 'ftp.astral.ro', 'ftp.linux.org.tr', 'mirror.vit.com.tr', 'mirror.vorboss.net', 'mirrors.coreix.net', 'epel.check-update.co.uk', 'ftp.pbone.net', 'mirror.slu.cz', 'fr2.rpmfind.net', 'repo.boun.edu.tr', 'ftp.cc.uoc.gr', 'mirror.yandex.ru', 'mirrors.ukfast.co.uk', 'mirror.fraunhofer.de', 'fedora-epel.skarta.net', 'mirror.kinamo.be', 'mirror.bacloud.com', 'mirror.pmf.kg.ac.rs', 'epel.besthosting.ua', 'mirror.digitalnova.at', 'be.mirror.eurid.eu', 'ftp.uma.es', 'mirror.ibcp.fr', 'centos.vianett.no'

2.2 list the top-10 query names that appeared the most in the DNS request packets.

mycompany.com    safebrowsing-cache.google.com    pop.gmx.com    safebrowsing.google.com    www.google.com
password-ned-xp   password-ned-xp.pwned.se    mail.google.com    clients4.google.com   navigator-bs.gmx.com

2.3 what was the IP address of the server named "mycompany.com" ?

192.168.0.2
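
Added example for 2.1 to 2.3 (not the author's code; the DNS messages are constructed here, and the address 192.0.2.10 is a documentation-range placeholder, not the capture's answer): a minimal DNS message parser that collects question names from query packets only (the QR flag decides), counts them for the top-10, and records A-record answers so a name can be mapped to the address the server returned. It follows name-compression pointers and refuses pointer loops, the classic way a crafted response hangs a naive parser.

```python
import struct
from collections import Counter

def build_name(name):
    """Encode 'a.b.c' as DNS labels: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"

def read_name(msg, off):
    """Decode the name at msg[off]; return (name, offset just past it in the original position).
    Follows compression pointers (RFC 1035 4.1.4) and raises on a pointer loop instead of spinning."""
    labels, seen, end, jumped = [], set(), None, False
    while True:
        if off in seen:
            raise ValueError("compression pointer loop")
        seen.add(off)
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # pointer: two bytes, 14-bit offset
            if not jumped:
                end, jumped = off + 2, True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        if length == 0:
            return ".".join(labels), (end if jumped else off + 1)
        labels.append(msg[off + 1:off + 1 + length].decode("ascii", "replace"))
        off += 1 + length

def parse_dns(msg):
    """Return (is_response, question names, [(owner, IPv4)] from A records in the answer section)."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, qnames, a_records = 12, [], []
    for _ in range(qdcount):
        name, off = read_name(msg, off)
        off += 4                                       # QTYPE + QCLASS
        qnames.append(name)
    for _ in range(ancount):
        owner, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:                  # A record
            a_records.append((owner, ".".join(str(b) for b in msg[off:off + 4])))
        off += rdlen
    return bool(flags & 0x8000), qnames, a_records

def analyse(messages):
    """2.1/2.2: count names from query packets only; 2.3: map names to addresses seen in responses."""
    names, resolved = Counter(), {}
    for msg in messages:
        is_response, qnames, a_records = parse_dns(msg)
        if not is_response:
            names.update(qnames)
        for owner, ip in a_records:
            resolved.setdefault(owner, set()).add(ip)
    return names, resolved

# ---- Constructed sample traffic (the homework capture is not reproduced here) ----
def build_query(txid, name):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + build_name(name) + struct.pack("!HH", 1, 1)

def build_response(txid, name, ipv4):
    question = build_name(name) + struct.pack("!HH", 1, 1)
    # The owner name is a pointer to offset 12, where the question name starts.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(x) for x in ipv4.split("."))
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + answer

SAMPLE_MESSAGES = (
    [build_query(1, "mycompany.com")] * 3
    + [build_query(2, "pop.gmx.com")] * 2
    + [build_query(3, "www.google.com")]
    + [build_response(1, "mycompany.com", "192.0.2.10")]     # constructed address (TEST-NET-1)
)

if __name__ == "__main__":
    names, resolved = analyse(SAMPLE_MESSAGES)
    print(names.most_common(10))
    print(resolved)
```

Counting names only from packets with QR=0 is what keeps 2.2 honest: the same name also appears in every response, so counting both directions doubles most entries. Note that 2.3 asks for the address from the answer section, not the source address of the response packet, which is the resolver.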

Task 3

3.1 identify the POP3 password registered for the user with the e-mail address ned.pwned.se@gmx.com.

pop.request.command == "PASS"

3.2 what was the subject of the e-mail message that the user with the e-mail address ned.pwned.se@gmx.com received from the POP server at 19:32:36 with the command "RETR 15"?

tcp.port == 110 and pop

Subject: HipChat power tips for power users

3.3 what was the name of the pop3 server used by ned.pwned.se@gmx.com?

Task 4

4.1 list all the HTTP user-agents that appeared in the HTTP flows (remove duplicates).

Microsoft-Windows/6.1 UPnP/1.0
Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.4.0
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:33.0) Gecko/20100101 Firefox/33.0
Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0
McAfee Agent
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
urlgrabber/3.10 yum/3.4.3
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.89 Safari/537.36
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Microsoft-CryptoAPI/6.1
MICROSOFT_DEVICE_METADATA_RETRIEVAL_CLIENT
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2251.0 Safari/537.36
Morfeus Fucking Scanner
netscan.gtisc.gatech.edu
Python-urllib/3.4
WicaAgent

4.2 what was the HTTP user-agent that appeared most?

Microsoft-Windows/6.1 UPnP/1.0

Appeared 290 times

4.3 present the URL accessed from a client with HTTP user-agent of "Python-urllib/3.4".

http.user_agent == "Python-urllib/3.4"

(http://changelogs.ubuntu.com/meta-release)

4.4 what is drawn in the file named fr.jpg?

(http.user_agent) && (http.request.method == "GET")

The catalog of a website
(http://www.pwned.se/skyblue/fr.jpg)

Task 5

5.1 identify the largest TCP flow that uses TLS and present its 5-tuple, i.e., src IP address, dst IP address, protocol, src port, and dst port.

src IP = 192.168.0.54   port = 51197
dst IP = 216.58.209.101   port = 443
protocol = tcp

5.2 identify the name of the server in the flow detected above.

5.3 list all the hostnames of the servers that used SSL/TLS (hint: use the SNI field).
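
Added example for Task 5 (not from the write-up; the segments, addresses and names are constructed): a small ClientHello parser that pulls the server_name extension out of the first TCP payload of a flow, plus a flow table keyed on the 5-tuple that sums payload bytes, so the largest TLS flow (5.1), the name its client asked for (5.2) and the full SNI list (5.3) come out of one pass.

```python
import struct

def build_client_hello(server_name):
    """Constructed minimal TLS 1.2 ClientHello record with one server_name extension (not from any capture)."""
    entry = b"\x00" + struct.pack("!H", len(server_name)) + server_name.encode()
    sni_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list            # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x11" * 32                               # client_version + random
            + b"\x00"                                                # empty session_id
            + b"\x00\x02\x13\x01"                                    # one cipher suite
            + b"\x01\x00"                                            # compression: null only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(payload):
    """Return the server_name from a ClientHello at the start of a TCP payload, else None.
    Every step is bounds-checked so a truncated or non-TLS payload yields None, not an exception."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:                 # not a handshake record / not ClientHello
            return None
        hs_len = int.from_bytes(payload[6:9], "big")
        body = payload[9:9 + hs_len]
        if len(body) < hs_len:
            return None                                              # record cut short (needs reassembly)
        off = 34                                                     # version(2) + random(32)
        off += 1 + body[off]                                         # session_id
        off += 2 + struct.unpack("!H", body[off:off + 2])[0]         # cipher_suites
        off += 1 + body[off]                                         # compression_methods
        if off + 2 > len(body):
            return None                                              # ClientHello without extensions: no SNI
        ext_end = off + 2 + struct.unpack("!H", body[off:off + 2])[0]
        off += 2
        while off + 4 <= min(ext_end, len(body)):
            etype, elen = struct.unpack("!HH", body[off:off + 4])
            off += 4
            if etype == 0:
                p = off + 2                                          # skip ServerNameList length
                while p + 3 <= off + elen:
                    ntype, nlen = body[p], struct.unpack("!H", body[p + 1:p + 3])[0]
                    if ntype == 0:                                   # NameType host_name
                        return body[p + 3:p + 3 + nlen].decode("ascii", "replace")
                    p += 3 + nlen
            off += elen
        return None
    except (IndexError, struct.error):
        return None

def tls_flows(segments):
    """segments: (src, dst, sport, dport, payload) TCP segments in the client->server direction.
    Groups them by 5-tuple, sums payload bytes and keeps the first SNI seen on each flow."""
    flows = {}
    for src, dst, sport, dport, payload in segments:
        entry = flows.setdefault((src, dst, "tcp", sport, dport), {"bytes": 0, "sni": None})
        entry["bytes"] += len(payload)
        if entry["sni"] is None:
            entry["sni"] = extract_sni(payload)
    return {k: v for k, v in flows.items() if v["sni"] is not None}

def largest_tls_flow(segments):
    """5.1/5.2: the TLS flow carrying the most payload bytes, with the name its client asked for."""
    flows = tls_flows(segments)
    if not flows:
        return None
    key = max(flows, key=lambda k: flows[k]["bytes"])
    return key, flows[key]["bytes"], flows[key]["sni"]

def sni_hostnames(segments):
    """5.3: every distinct server name seen in ClientHellos."""
    return sorted({v["sni"] for v in tls_flows(segments).values()})

# Constructed segments (documentation-range addresses, not the homework capture).
SAMPLE_SEGMENTS = [
    ("192.0.2.10", "198.51.100.1", 51000, 443, build_client_hello("www.example.com")),
    ("192.0.2.10", "198.51.100.1", 51000, 443, b"\x17\x03\x03" + b"\x00" * 997),    # 1000 bytes of app data
    ("192.0.2.10", "198.51.100.1", 51000, 443, b"\x17\x03\x03" + b"\x00" * 997),
    ("192.0.2.10", "198.51.100.2", 51001, 443, build_client_hello("mail.example.org")),
    ("192.0.2.10", "198.51.100.2", 51001, 443, b"\x17\x03\x03" + b"\x00" * 497),
    ("192.0.2.10", "198.51.100.3", 51002, 80, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n" + b"A" * 5000),  # bigger, but plaintext
]

if __name__ == "__main__":
    print(largest_tls_flow(SAMPLE_SEGMENTS))
    print(sni_hostnames(SAMPLE_SEGMENTS))
```

Real captures need TCP reassembly first: a ClientHello split across two segments, or a flow whose first segment was missed, yields None here and should be read as "no SNI observed", not as a non-TLS flow. The bytes summed here are TCP payload bytes, which is not the same figure as the frame bytes in Wireshark's conversation view, so state which one you are ranking by.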

Task 6

6.1 count the number of total TCP packets for original data, periodically sampled data, and randomly sampled data

Original data: 77317 TCP packets
Periodically sampled data: 803 TCP packets (total 970 packets)
Randomly sampled data: 742 TCP packets (total 982 packets)

6.2 count the number of distinct source IP addresses for original data, periodically sampled data, and randomly sampled data

Original data: 15839 distinct source IP addresses
Periodically sampled data: 200 distinct source IP addresses (total 970 packets)
Randomly sampled data: 141 distinct source IP addresses (total 982 packets)

6.3 discuss the difference between (1) and (2).

The randomly sampled data has features closer to those of the original data.
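
Added example for Task 6 (not from the write-up; the trace is synthetic): periodic 1-in-100 sampling next to random 1-in-100 sampling over a trace that contains one host sending on a fixed period. It shows why random sampling tracks the original better: a systematic sample is locked to the phase of that host and, depending on its offset, either never sees it or sees nothing else, while a Bernoulli sample keeps the protocol mix and source diversity in proportion.

```python
import random

BEACON = "10.9.9.9"   # constructed host that transmits on a fixed period

def synthetic_trace(n=100000, seed=1):
    """Constructed packet list of (proto, src). Most packets come from random sources;
    the beacon host sends exactly every 50th packet (positions 25, 75, 125, ...)."""
    rng = random.Random(seed)
    pkts = []
    for i in range(n):
        if i % 50 == 25:
            pkts.append(("tcp", BEACON))
        else:
            proto = "tcp" if rng.random() < 0.8 else "udp"
            pkts.append((proto, f"10.0.{rng.randrange(256)}.{rng.randrange(256)}"))
    return pkts

def periodic_sample(pkts, k, offset=0):
    """Systematic 1-in-k sampling: keep packets offset, offset+k, offset+2k, ..."""
    return pkts[offset::k]

def random_sample(pkts, k, seed=7):
    """Bernoulli 1-in-k sampling: each packet kept independently with probability 1/k."""
    rng = random.Random(seed)
    return [p for p in pkts if rng.random() < 1.0 / k]

def summarize(pkts):
    """6.1/6.2 for one packet list: total, TCP count, TCP share, distinct sources."""
    tcp = sum(1 for proto, _ in pkts if proto == "tcp")
    return {"packets": len(pkts), "tcp": tcp,
            "tcp_fraction": tcp / len(pkts) if pkts else 0.0,
            "distinct_src": len({src for _, src in pkts})}

def beacon_seen(pkts):
    """Whether the periodic host survived sampling at all."""
    return any(src == BEACON for _, src in pkts)

if __name__ == "__main__":
    trace = synthetic_trace()
    for label, sample in [("original", trace),
                          ("periodic offset 0", periodic_sample(trace, 100)),
                          ("periodic offset 25", periodic_sample(trace, 100, 25)),
                          ("random", random_sample(trace, 100))]:
        print(f"{label:>18}: {summarize(sample)}  beacon seen: {beacon_seen(sample)}")
```

The same effect explains why the periodic sample in 6.2 can report a distinct-source count that is far off the original: any traffic whose period divides the sampling interval is either over- or under-represented, which is why flow-export systems that sample (sFlow, sampled NetFlow) default to random selection.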