##########################################################################################
PAS-10: Take encapsulated IPv6 Traffic into account
##########################################################################################

Issue Type: New Feature

-----------------------------------------------------------------------------------------
Issue Information
====================

Priority: Major
Status: Closed
Resolution: Done (2015-11-27 13:15:50)
Project: PCAP Analysis Script (PAS)
Reported By: btasker
Assigned To: btasker
Components:
- Reports
- Data Correlation and Extraction
Affected Versions:
- 0.1
Targeted for fix in version:
- 0.1
Labels: Encapsulation, IPv6
Time Estimate: 30 minutes
Time Logged: 30 minutes

-----------------------------------------------------------------------------------------
Issue Description
==================

Currently if an IPv6 tunnel such as those provided by Helium's tunnelbroker is used we get some misleading results

-- BEGIN SNIPPET --
1447859665.899986000 192.168.3.64 216.66.80.26 57319 993 0xc030,0xc02c,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,0x0088,0x0087,0xc032,0xc02e,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,0x0084,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,0xc02f,0xc02b,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,0x009a,0x0099,0x0045,0x0044,0xc031,0xc02d,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,0x0096,0x0041,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDH_RSA_WITH_RC4_128_SHA,TLS_ECDH_ECDSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5,0x00ff
-- END SNIPPET --

IP _216.66.80.26_ is the Helium endpoint.
The destination port (993) is correct, however the actual destination was _2a00:1450:400c:c02::6d_ which is a Google operated mailserver

-- BEGIN SNIPPET --
ben@milleniumfalcon:/tmp$ host 2a00:1450:400c:c02::6d
d.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.c.0.c.0.0.4.0.5.4.1.0.0.a.2.ip6.arpa domain name pointer wn-in-x6d.1e100.net.
-- END SNIPPET --

From a single PCAP the current analysis implies that the Helium endpoint is running a bunch of services that it isn't

-- BEGIN SNIPPET --
216.66.80.26 443
216.66.80.26 80
216.66.80.26 993
-- END SNIPPET --

The script needs to identify packets where IPv6 has been tunnelled over IPv4 and act accordingly

-----------------------------------------------------------------------------------------
Issue Relations
================

- relates to PAS-8: Rationalise fields in webtraffic.csv

-----------------------------------------------------------------------------------------
Activity
==========

-----------------------------------------------------------------------------------------
2015-11-24 17:08:29 btasker
-----------------------------------------------------------------------------------------

Excluding the encapsulated traffic is fairly straightforward

-- BEGIN SNIPPET --
ben@milleniumfalcon:/tmp$ tshark -q -r LAN-64-Sample-7-split.pcap2 -Y 'ssl.handshake and ((ip.version == 4 and ipv6.version != 6) or (ipv6.version == 6) and ip.version !=6)' -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e ssl.handshake.extensions_server_name -e ssl.handshake.ciphersuite > test.txt
-- END SNIPPET --

Running a second to only include encapsulated traffic (with the ip dest/src fields changed) would be fairly simple too. I don't particularly like the idea of having to run every single check twice though, might be better to add a separate set of fields into the CSV to record IPv6 src/dest.
It'd also make encapsulated traffic immediately obvious at a glance

Something like

-- BEGIN SNIPPET --
ben@milleniumfalcon:/tmp$ tshark -q -r LAN-64-Sample-7-split.pcap2 -Y 'ssl.handshake' -T fields -e frame.time_epoch -e ip.src -e ip.dst -e ipv6.src -e ipv6.dst -e tcp.srcport -e tcp.dstport -e ssl.handshake.extensions_server_name -e ssl.handshake.ciphersuite > test.txt
-- END SNIPPET --

Though normally I'd chuck new fields on the end of the CSV, as it's dest/src IP it really does need adding towards the beginning. Will mean updating field numbering elsewhere in the script though.

So, within the _webtraffic_ csv our fields would change from those defined in PAS-8 to

-- BEGIN SNIPPET --
epoch,ipv4 src ip,ipv4 dest ip, ipv6 src ip, ipv6 dest ip,src port, dest port, FQDN, HTTP request method, Request Path, HTTP Referer, HTTP useragent, http cookie, SNI Server name, SSL/TLS ciphersuite(s)
-- END SNIPPET --

IPv4 encapsulated IPv6 traffic can be identified by there being source and dest addresses in both the IPv4 and IPv6 columns

Will give it a little more thought before actually making the changes, but it looks like it should work OK

-----------------------------------------------------------------------------------------
2015-11-24 17:09:30 btasker
-----------------------------------------------------------------------------------------

Marking as related to PAS-8 as if the above is implemented, it'll change the behaviour defined there. If that proves to be the case, PAS-8 should have a comment added to note the change

-----------------------------------------------------------------------------------------
2015-11-25 14:56:41 btasker
-----------------------------------------------------------------------------------------

Commit _89719a6_ moves the initial fields (epoch,ipv4 src ip,ipv4 dest ip, ipv6 src ip, ipv6 dest ip,src port, dest port) into a variable to make future updates (and introduction of new tshark calls) simpler.
Commit _17a6375_ introduces the new fields for IPv6 and updates field numbers wherever used in the script.

Taking the example used when raising the issue, we now get the following result (PAS-5 changed the way ciphersuites are recorded).

-- BEGIN SNIPPET --
1447859665.899986000 192.168.3.64 216.66.80.26 2001:470:69d7:4ca:a00:27ff:fe30:d463 2a00:1450:400c:c02::6d 57319 993 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ...snip...
-- END SNIPPET --

Will need to update the documentation file to reflect this change

-----------------------------------------------------------------------------------------
2015-11-25 14:57:45 git
-----------------------------------------------------------------------------------------

-- BEGIN QUOTE --
Repo: PCAPAnalyseandReport
Commit: 89719a608fe85fc1e0bbac5942464bbff9c95d5c
Author: Ben Tasker
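As an added illustration (not the PAS script's own code), the following Python reads records in the field order adopted in the 2015-11-24 17:08:29 comment (epoch, ipv4 src, ipv4 dst, ipv6 src, ipv6 dst, src port, dst port, ...), assumed tab-separated as tshark -T fields emits them, applies the rule that addresses in both the IPv4 and IPv6 columns mark tunnelled traffic, and attributes ports to the real IPv6 destination so the tunnel endpoint no longer appears to be running those services. The first sample row is the record quoted in the 2015-11-25 14:56:41 comment; the other two rows are constructed.

```python
from collections import defaultdict
import ipaddress

# Field order after PAS-10: epoch, ipv4 src, ipv4 dst, ipv6 src, ipv6 dst,
# src port, dst port, ... (assumed tab-separated, as tshark -T fields emits).
EPOCH, IP4_SRC, IP4_DST, IP6_SRC, IP6_DST, SPORT, DPORT = range(7)
def classify(row):
    """Return (kind, src, dst, dport); kind is 'ipv4', 'ipv6' or '6in4'."""
    f = row.rstrip("\n").split("\t")
    has4 = bool(f[IP4_SRC] and f[IP4_DST])
    has6 = bool(f[IP6_SRC] and f[IP6_DST])
    # Both column pairs populated = IPv6 tunnelled over IPv4: the IPv6 pair
    # are the real endpoints, the IPv4 pair is just the tunnel.
    if has4 and has6:
        kind, src, dst = "6in4", f[IP6_SRC], f[IP6_DST]
    elif has6:
        kind, src, dst = "ipv6", f[IP6_SRC], f[IP6_DST]
    elif has4:
        kind, src, dst = "ipv4", f[IP4_SRC], f[IP4_DST]
    else:
        raise ValueError("no addresses in record: %r" % row)
    # Validate, so a column mis-count (PAS-10 renumbered fields) fails loudly.
    ipaddress.ip_address(src)
    ipaddress.ip_address(dst)
    return kind, src, dst, int(f[DPORT])

def services_seen(rows):
    """Map each real destination host to the sorted ports contacted on it."""
    seen = defaultdict(set)
    for _kind, _src, dst, dport in map(classify, rows):
        seen[dst].add(dport)
    return {host: sorted(ports) for host, ports in seen.items()}

def tunnel_endpoints(rows):
    """IPv4 addresses seen only as the outer header of 6in4 traffic."""
    outer, native = set(), set()
    for row in rows:
        kind, _src, dst, _dport = classify(row)
        if kind == "6in4":
            outer.add(row.split("\t")[IP4_DST])
        elif kind == "ipv4":
            native.add(dst)
    return sorted(outer - native)
# Constructed sample: row 0 is the record quoted in the issue; rows 1-2 are made up.
SAMPLE = [
    "1447859665.899986000\t192.168.3.64\t216.66.80.26\t2001:470:69d7:4ca:a00:27ff:fe30:d463"
    "\t2a00:1450:400c:c02::6d\t57319\t993\tTLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "1447859670.0\t192.168.3.64\t198.51.100.7\t\t\t57320\t443\tTLS_RSA_WITH_AES_128_GCM_SHA256",
    "1447859675.0\t\t\t2001:db8::10\t2001:db8::20\t57321\t80\t",
]
```

Run over the sample, services_seen lists port 993 against the Google IPv6 mailserver rather than against 216.66.80.26, and tunnel_endpoints reports that address as tunnel-only.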