PAS-10: Take encapsulated IPv6 Traffic into account

Issue Information

Issue Type: New Feature
 
Priority: Major
Status: Closed

Reported By:
Ben Tasker
Assigned To:
Ben Tasker
Project: PCAP Analysis Script (PAS)
Resolution: Done (2015-11-27 13:15:50)
Affects Version: 0.1,
Target version: 0.1,
Labels: Encapsulation, IPv6,

Created: 2015-11-24 16:45:07
Time Spent Working
Estimated:
 
60 minutes
Remaining:
  
30 minutes
Logged:
  
30 minutes


Description
Currently if an IPv6 tunnel such as those provided by Helium's tunnelbroker is used we get some misleading results 
1447859665.899986000    192.168.3.64    216.66.80.26    57319   993                                                             0xc030,0xc02c,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,0x0088,0x0087,0xc032,0xc02e,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,0x0084,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,0xc02f,0xc02b,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,0x009a,0x0099,0x0045,0x0044,0xc031,0xc02d,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,0x0096,0x0041,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDH_RSA_WITH_RC4_128_SHA,TLS_ECDH_ECDSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5,0x00ff

IP 216.66.80.26 is the Helium endpoint.
The destination port (993) is correct, however the actual destination was 2a00:1450:400c:c02::6d which is a Google operated mailserver 
ben@milleniumfalcon:/tmp$ host 2a00:1450:400c:c02::6d
d.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.c.0.c.0.0.4.0.5.4.1.0.0.a.2.ip6.arpa domain name pointer wn-in-x6d.1e100.net.

From a single PCAP the current analysis implies that the helium endpoint is running a bunch of services that it isn't 
216.66.80.26 443
216.66.80.26 80
216.66.80.26 993


The script needs to identify packets where IPv6 has been tunnelled over IPv4 and act accordingly


Issue Links

relates to PAS-8: Rationalise fields in webtraffic.csv
Toggle State Changes

Activity


2015-11-24 17:08:29
Excluding the encapsulated traffic is fairly straight forward 
ben@milleniumfalcon:/tmp$ tshark -q -r LAN-64-Sample-7-split.pcap2 -Y 'ssl.handshake and ((ip.version == 4 and ipv6.version != 6) or (ipv6.version == 6) and ip.version !=6)' -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e ssl.handshake.extensions_server_name -e ssl.handshake.ciphersuite > test.txt

Running a second to only include encapsulated traffic (with the ip dest/src fields changed) would be fairly simple too.

I don't particularly like the idea of having to run every single check twice though, might be better to add a seperate set of fields into the CSV to record IPv6 src/dest. It'd also make encapsulated traffic immediately obvious at a glance

Something like 
ben@milleniumfalcon:/tmp$ tshark -q -r LAN-64-Sample-7-split.pcap2 -Y 'ssl.handshake' -T fields -e frame.time_epoch -e ip.src -e ip.dst -e ipv6.src -e ipv6.dst -e tcp.srcport -e tcp.dstport -e ssl.handshake.extensions_server_name -e ssl.handshake.ciphersuite > test.txt


Though normally I'd chuck new fields on the end of the CSV, as it's dest/src IP it really does need adding towards the beginning. Will mean updating field numbering elsewhere in the script though.

So, within the webtraffic csv our fields would change from those defined in PAS-8 to 
epoch,ipv4 src ip,ipv4 dest ip, ipv6 src ip, ipv6 dest ip,src port, dest port, FQDN, HTTP request method, Request Path, HTTP Referer, HTTP useragent, http cookie, SNI Server name, SSL/TLS ciphersuite(s)

IPv4 encapsulated IPv6 traffic can be indentified by there being source and dest addresses in both the IPv4 and IPv6 columns

Will give it a little more thought before actually making the changes, but it looks like it should work OK

2015-11-24 17:09:30
Marking as related to PAS-8 as if the above is implemented, it'll change the behaviour defined there. If that proves to be the case, PAS-8 should have a comment added to note the change

2015-11-25 14:56:41
Commit 89719a6 moves the initial fields (epoch,ipv4 src ip,ipv4 dest ip, ipv6 src ip, ipv6 dest ip,src port, dest port) into a variable to make future updates (and introduction of new tshark calls) simpler.

Commit 17a6375 introduces the new fields for IPv6 and updates field numbers wherever used in the script.

Taking the example used when raising the issue, we now get the following result (PAS-5 changed the way ciphersuites are recorded). 
1447859665.899986000	192.168.3.64	216.66.80.26	2001:470:69d7:4ca:a00:27ff:fe30:d463	2a00:1450:400c:c02::6d	57319	993				TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ...snip...

Will need to update the documentation file to reflect this change

2015-11-25 14:57:45

Repo: PCAPAnalyseandReport
Commit: 89719a608fe85fc1e0bbac5942464bbff9c95d5c
Author: Ben Tasker <github@<Domain Hidden>>

Date: Wed Nov 25 14:18:19 2015 +0000
Commit Message: Moved initial fields to variable ready for PAS-10



Modified (-)(+)
-------
PCAP_Analysis.sh




Webhook User-Agent 

GitHub-Hookshot/333881f


View Commit


2015-11-25 14:57:46

Repo: PCAPAnalyseandReport
Commit: 17a637572c5dcf87cab0812bc8d010b1ab52dae5
Author: Ben Tasker <github@<Domain Hidden>>

Date: Wed Nov 25 14:54:10 2015 +0000
Commit Message: Added IPv6 Source and Destination as new standard fields. See PAS-10



Modified (-)(+)
-------
PCAP_Analysis.sh




Webhook User-Agent 

GitHub-Hookshot/333881f


View Commit


2015-11-25 15:13:49
In terms of analysing traffic, the following is now true

Native IPv4
- Fields 2 and 3 will be populated
- Field's 4 and 5 will be empty 
cat webtraffic.csv | awk -F'    ' 'length($2) && length($3)&& !length($4) && !length($5)'


Native IPv6
- Fields 4 and 5 will be populated
- Field's 2 and 3 will be empty 
cat webtraffic.csv | awk -F'    ' '!length($2) && !length($3)&& length($4) && length($5)'


Tunnelled IPv6
- Field's 2 and 3 will be populated
- Fields 4 and 5 will also be populated 
cat webtraffic.csv | awk -F'    ' 'length($2) && length($3)&& length($4) && length($5)'


So even where both native and tunnelled IPv6 are in use (not sure why you would, but someone out there has probably found a reason) it should be possible to easily discern between the two.

2015-11-25 15:14:36
btasker changed timespent from '0 minutes' to '30 minutes'

2015-11-25 15:15:41

Repo: PCAPAnalyseandReport
Commit: 80baaddb666111687216752af85a0217c3a51d28
Author: Ben Tasker <github@<Domain Hidden>>

Date: Wed Nov 25 14:59:15 2015 +0000
Commit Message: Added updated field structure for PAS-10



Modified (-)(+)
-------
Docs/Reports.md




Webhook User-Agent 

GitHub-Hookshot/333881f


View Commit


2015-11-25 18:07:08
All seems to be working correctly, marking as complete.

2015-11-25 18:07:08
btasker changed status from 'Open' to 'Resolved'

2015-11-25 18:07:08
btasker added 'Done' to resolution

2015-11-25 18:07:13
btasker changed status from 'Resolved' to 'Closed'

2015-11-27 13:15:27
Re-opening to assign to a component

2015-11-27 13:15:27
btasker removed 'Done' from resolution

2015-11-27 13:15:27
btasker changed status from 'Closed' to 'Reopened'

2015-11-27 13:15:50
btasker changed status from 'Reopened' to 'Resolved'

2015-11-27 13:15:50
btasker added 'Done' to resolution

2015-11-27 13:15:56
btasker changed status from 'Resolved' to 'Closed'

Work log

Ben Tasker
 Permalink
2015-11-25 15:14:36

Time Spent: 30 minutes
Log Entry: Implementing, testing and documenting