Sec 503.5 Case 2 Solution. Find a string in a packet.


Find the string smsses.exe

Frame 208 is the 1st Fragment

Frame 209 gives us the last fragment frame

Frame 231 is the Last Fragment and Contains the File Size

Analyze > Follow TCP Stream shows the PE Header (MZ)

Further into the stream is the end of the executable

Save the raw file

The extract_file.raw is considerably larger than SMSSES.EXE (file size 24576)

Open extract_file.raw in Hex Editor

Locate the Header MZ or Hex 4D5A90

Remove Packet Data before MZ Header

File after removing bytes preceding MZ Header

24576 is 0x6000 in Hex

Remove everything after the offset

Find ics.exe

Packet 8092 start of transfer

Packet 8093 shows last fragment is 8134 (which will have the file size)

File size is 45056

Total size of raw file