
Update Raw-Capture/2020-01-13, Scripts/MACO-Script-1.0.bat, Scripts/TShark-cmds, Scripts/ChatScript/MACO typing script.docx, Scripts/ChatScript/MessageChatScript (Emoji).txt, Scripts/ChatScript/MessageChatScript(old).txt, Scripts/ChatScript/MessageChatScript.txt, Scripts/Converter/etl2pcapng.exe, Scripts/Converter/NdisEtl2Pcap-1.0.zip, Scripts/Converter/ConvertEtlToPcap.ps1, Scripts/Converter/etl2pcapng.zip, Scripts/Converter/EtlToPcap.ps1, Scripts/EnvSetup/LinearEnv.bat, Scripts/EnvSetup/LinearEnvv0-8-1 - Copy.bat, Scripts/EnvSetup/LinearEnvv0-8-1.bat, Scripts/EnvSetup/LinearEnvv0-8-2.bat, Scripts/EnvSetup/LinearEnvv0-8-3.bat, Scripts/EnvSetup/LinearEnvv0-8-4.bat, Scripts/EnvSetup/LinearEnvv0-8-5.bat, Scripts/EnvSetup/MACO-Script-1.0.bat, Scripts/EnvSetup/Notes.txt, Scripts/EnvSetup/PStester.bat, Scripts/EnvSetup/TestEnv.bat, Scripts/EnvSetup/TestFirefoxFacebookLogin.bat, Scripts/EnvSetup/testjava.bat, Scripts/EnvSetup/testrun.bat, Scripts/EnvSetup/TestURL.bat, Scripts/EnvSetup/TShark-cmds.txt files
parent a6d77888
===== Session [A/B/M]-DDMmmYYYY =======
A and B chat windows open
[Begin collect on A, B, and M]
A: What’s the weather like there [ENTER]
B: It’s always cold [ENTER]
A: I heard that California always had nice weather [ENTER]
B: It’s colder than I would like [ENTER]
A: It’s snowing here [PAUSE 3 seconds] and has been all day [ENTER]
B: I wouldn’t mind some seasons [PAUSE 5 seconds] [ENTER]
A: You could come out to visit [PAUSE 3 seconds] and be even colder [ENTER]
B: haha [Laughing Emoji][ENTER]
B: I might just take up on that offer [ENTER]
A: You are welcome anytime [ENTER]
A: If you were to visit, when would you come? [ENTER]
[PAUSE 5 seconds]
A: I have a break in early April [ENTER]
B: That could work [PAUSE 7 seconds, or until notification ends on A] [ENTER]
B: I’ve never been to New England in the Spring [ENTER]
A: That would be [PAUSE 5 seconds] lovely [ENTER]
[A and B type simultaneously]
B: I’ll start looking into getting that time off work [ENTER]
A: You can stay with me [ENTER] I have plenty of room here [ENTER]
[Individually]
B: Sounds good, talk to you later.[ENTER]
A: [Thumbs Up Emoji][ENTER]
A: Bye.[ENTER]
[End collect on A and B]
===== Session [A/B/M]-DDMmmYYYY =======
A and B chat windows open
[Begin collect on A, B, and M]
A: What’s the weather like there [ENTER]
B: It’s always cold [ENTER]
A: I heard that California always had nice weather [ENTER]
B: It’s colder than I would like [ENTER]
A: It’s snowing here [PAUSE 3 seconds] and has been all day [ENTER]
B: I wouldn’t mind some seasons [PAUSE 5 seconds] [ENTER]
A: You could come out to visit [PAUSE 3 seconds] and be even colder [ENTER]
B: haha [ENTER]
B: I might just take up on that offer [ENTER]
A: You are welcome anytime [ENTER]
A: If you were to visit, when would you come? [ENTER]
[PAUSE 5 seconds]
A: I have a break in early April [ENTER]
B: That could work [PAUSE 7 seconds, or until notification ends on A] [ENTER]
B: I’ve never been to New England in the Spring [ENTER]
A: That would be [PAUSE 5 seconds] lovely [ENTER]
[A and B type simultaneously]
B: I’ll start looking into getting that time off work [ENTER]
A: You can stay with me [ENTER] I have plenty of room here [ENTER]
[Individually]
B: Sounds good, talk to you later.
A: Ok, bye.
[End collect on A and B]
===== Session A1-DDMmmYYYY =======
A sending to B WITHOUT B’s window open
[Begin collect on A]
A: If you were to visit, when would you come? [ENTER]
[PAUSE 5 seconds]
A: I have a break in early April [ENTER]
[End collect on A]
===== Session B1-DDMmmYYYY =======
B opens chat window to receive A’s previous messages
[Begin collect on B]
B: That could work [PAUSE 7 seconds] [ENTER]
B: I’ve never been to New England in the Spring [ENTER]
===== Session A1a-DDMmmYYYY =======
[Begin collect on A]
[A logs in and receives B’s previous messages]
A: That would be [PAUSE 5 seconds] lovely [ENTER]
B: I’ll start looking into getting that time off work [ENTER]
A: You can stay with me [ENTER]
A: I have plenty of room here [ENTER]
[End collect on A, B, and M]
A and B chat windows open
[Begin collect on A and B]
A: What’s the weather like there [ENTER]
B: It’s always cold [ENTER]
A: I heard that California always had nice weather [ENTER]
B: It’s colder than I would like [ENTER]
A: It’s snowing here [PAUSE 3 seconds] and has been all day [ENTER]
B: I wouldn’t mind some seasons [PAUSE 5 seconds] [ENTER]
A: You could come out to visit [PAUSE 3 seconds] and be even colder [ENTER]
B: haha [ENTER]
B: I might just take up on that offer [ENTER]
A: You are welcome anytime [ENTER]
[End collect on A and B]
A sending to B WITHOUT B’s window open
[Begin collect on A]
A: If you were to visit, when would you come? [ENTER]
[PAUSE 5 seconds]
A: I have a break in early April [ENTER]
[End collect on A]
B opens chat window to receive A’s previous messages
[Begin collect on B]
B: That could work [PAUSE 7 seconds] [ENTER]
B: I’ve never been to New England in the Spring [ENTER]
[Begin collect on A]
[A logs in and receives B’s previous messages]
A: That would be [PAUSE 5 seconds] lovely [ENTER]
B: I’ll start looking into getting that time off work [ENTER]
A: You can stay with me [ENTER]
A: I have plenty of room here [ENTER]
[End collect on A and B]
A and B chat windows open
[Begin collect on A and B]
A: What’s the weather like there [ENTER]
B: It’s always cold [ENTER]
A: I heard that California always had nice weather [ENTER]
B: It’s colder than I would like [ENTER]
A: It’s snowing here [PAUSE 3 seconds] and has been all day [ENTER]
B: I wouldn’t mind some seasons [PAUSE 5 seconds] [ENTER]
A: You could come out to visit [PAUSE 3 seconds] and be even colder [ENTER]
B: haha [ENTER]
B: I might just take up on that offer [ENTER]
A: You are welcome anytime [ENTER]
A: If you were to visit, when would you come? [ENTER]
[PAUSE 5 seconds]
A: I have a break in early April [ENTER]
B: That could work [PAUSE 7 seconds] [ENTER]
B: I’ve never been to New England in the Spring [ENTER]
A: That would be [PAUSE 5 seconds] lovely [ENTER]
B: I’ll start looking into getting that time off work [ENTER]
A: You can stay with me [ENTER]
A: I have plenty of room here [ENTER]
[End collect on A and B]
# Usage (PowerShell): .\ConvertEtlToPcap.ps1 -Path C:\<path>\<file>.etl -Destination C:\<path>\<file>.pcap
# Usage (cmd.exe):    PowerShell.exe -NoProfile -ExecutionPolicy Bypass -File .\EtlToPcap.ps1 -Path TestToEtl.etl -Destination TestToEtl.pcap
#
# Reads the Microsoft-Windows-NDIS-PacketCapture events out of a netsh trace .etl file and
# writes the captured frames as a classic little-endian pcap (LINKTYPE_ETHERNET). Prefer
# absolute paths: [System.IO.FileInfo] resolves a relative path against the process working
# directory, which is not necessarily the PowerShell location ($PWD).
[CmdletBinding()]
param(
    [Parameter(Position=0, Mandatory=$true)]
    [ValidateScript({
        if (-Not (Test-Path -LiteralPath $_.FullName -PathType Leaf)) {
            throw "Source file $_ does not exist"
        }
        if ($_.Extension -ne ".etl") {
            throw "Source file must be an .etl file"
        }
        return $true
    })]
    [System.IO.FileInfo]$Path,

    [Parameter(Position=1, Mandatory=$true)]
    [ValidateScript({
        # Check the destination's own folder ($_), not the source's ($Path) as earlier versions did
        if (-Not (Test-Path -LiteralPath $_.DirectoryName -PathType Container)) {
            throw "Destination folder $($_.DirectoryName) does not exist"
        }
        if ($_.Extension -ne ".pcap") {
            throw "Destination file must be a .pcap file"
        }
        return $true
    })]
    [System.IO.FileInfo]$Destination,

    [Parameter(Position=2)]
    [UInt32]$MaxPacketSizeBytes = 65536
)

$csharp_code = @'
using System;
using System.Diagnostics.Eventing.Reader;
using System.IO;

namespace chentiangemalc
{
    public static class NetworkRoutines
    {
        // Returns the number of packets written to the pcap file.
        public static long ConvertEtlToPcap(string source, string destination, UInt32 maxPacketSize)
        {
            long written = 0;
            long skipped = 0;
            // Unix epoch as UTC. The record time is converted to UTC before subtracting, because
            // EventRecord.TimeCreated is expressed in local time and thiszone is written as 0 (UTC).
            DateTime epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);

            using (BinaryWriter writer = new BinaryWriter(File.Open(destination, FileMode.Create)))
            {
                // pcap global header (24 bytes, little-endian)
                UInt32 magic_number = 0xa1b2c3d4;
                UInt16 version_major = 2;
                UInt16 version_minor = 4;
                Int32 thiszone = 0;
                UInt32 sigfigs = 0;
                UInt32 snaplen = maxPacketSize;
                UInt32 network = 1; // LINKTYPE_ETHERNET
                writer.Write(magic_number);
                writer.Write(version_major);
                writer.Write(version_minor);
                writer.Write(thiszone);
                writer.Write(sigfigs);
                writer.Write(snaplen);
                writer.Write(network);

                long sinceReport = 0;
                long total = 0;
                using (var reader = new EventLogReader(source, PathType.FilePath))
                {
                    EventRecord record;
                    while ((record = reader.ReadEvent()) != null)
                    {
                        total++;
                        if (++sinceReport == 10000)
                        {
                            Console.WriteLine(String.Format("Processed {0} events, {1} packets written", total, written));
                            sinceReport = 0;
                        }
                        using (record)
                        {
                            if (record.ProviderName != "Microsoft-Windows-NDIS-PacketCapture")
                            {
                                continue;
                            }
                            // NDIS-PacketCapture payload layout: [2] = FragmentSize, [3] = Fragment (the frame bytes).
                            // Events from this provider without a fragment (capture start/stop) are skipped.
                            byte[] fragment = record.Properties.Count > 3 ? record.Properties[3].Value as byte[] : null;
                            if (fragment == null)
                            {
                                continue;
                            }
                            UInt32 incl_len = (UInt32)fragment.Length;
                            if (incl_len > maxPacketSize)
                            {
                                // A record longer than snaplen is invalid pcap; skip it instead of writing it anyway.
                                skipped++;
                                Console.WriteLine(String.Format("Packet size of {0} exceeded max packet size {1}, packet ignored", incl_len, maxPacketSize));
                                continue;
                            }

                            // Timestamp as whole seconds and microseconds since the epoch, from the 100 ns tick
                            // count (integer arithmetic; the earlier millisecond math overflowed UInt32).
                            DateTime timeCreated = ((DateTime)record.TimeCreated).ToUniversalTime();
                            long ticks = (timeCreated - epoch).Ticks;
                            UInt32 ts_sec = (UInt32)(ticks / TimeSpan.TicksPerSecond);
                            UInt32 ts_usec = (UInt32)((ticks % TimeSpan.TicksPerSecond) / 10);

                            UInt32 orig_len = incl_len; // NDIS provides no separate on-the-wire length
                            writer.Write(ts_sec);
                            writer.Write(ts_usec);
                            writer.Write(incl_len);
                            writer.Write(orig_len);
                            writer.Write(fragment);
                            written++;
                        }
                    }
                }
            }
            if (skipped > 0)
            {
                Console.WriteLine(String.Format("{0} packets skipped for exceeding {1} bytes", skipped, maxPacketSize));
            }
            return written;
        }
    }
}
'@

if (-not ('chentiangemalc.NetworkRoutines' -as [type])) {
    # Add-Type cannot redefine a type already loaded in this session, so compile it only once
    Add-Type -TypeDefinition $csharp_code
}
$result = [chentiangemalc.NetworkRoutines]::ConvertEtlToPcap($Path.FullName, $Destination.FullName, $MaxPacketSizeBytes)
Write-Host "$result packets converted."
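The converter above writes a classic little-endian pcap: a 24-byte global header (magic 0xa1b2c3d4, version 2.4, thiszone 0 meaning UTC timestamps, sigfigs 0, snaplen, LINKTYPE_ETHERNET) followed, for each NDIS-PacketCapture event, by a 16-byte record header (ts_sec, ts_usec, incl_len, orig_len) and the frame bytes. The Python block below is an added example and not one of the MACO scripts: it writes the same layout with struct, derives ts_sec and ts_usec from the integer fields of a timedelta after converting to UTC, truncates a frame to snaplen while keeping its real length in orig_len, and reads a file back to flag the two defects a converter can introduce, a record whose incl_len exceeds snaplen and a ts_usec outside 0..999999. The two Ethernet frames, their timestamps and the deliberately bad file are constructed for the example.

```python
"""Write and check classic (libpcap 2.4) pcap files with the layout the ETL converter uses.

Added example; not part of the MACO scripts. The frames, timestamps and file contents
below are constructed, not taken from a real capture.
"""
import struct
from datetime import datetime, timedelta, timezone

PCAP_MAGIC = 0xA1B2C3D4        # little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1
GLOBAL_HDR = "<IHHiIII"        # magic, major, minor, thiszone, sigfigs, snaplen, network
RECORD_HDR = "<IIII"           # ts_sec, ts_usec, incl_len, orig_len
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def ts_to_pcap(ts):
    """Split a timezone-aware datetime into (ts_sec, ts_usec) since the Unix epoch, in UTC.

    Both values come from one integer quantity (the timedelta), so sub-millisecond
    precision is kept and no floating-point second or millisecond count is involved.
    """
    delta = ts.astimezone(timezone.utc) - EPOCH
    return delta.days * 86400 + delta.seconds, delta.microseconds


def write_pcap(frames, snaplen=65536):
    """frames: iterable of (aware datetime, frame bytes). Returns the pcap file as bytes."""
    out = bytearray(struct.pack(GLOBAL_HDR, PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for ts, frame in frames:
        sec, usec = ts_to_pcap(ts)
        data = frame[:snaplen]   # never store more than snaplen bytes ...
        out += struct.pack(RECORD_HDR, sec, usec, len(data), len(frame))  # ... but keep the real length
        out += data
    return bytes(out)


def read_pcap(blob):
    """Parse a little-endian classic pcap. Returns (header dict, list of record dicts)."""
    magic, major, minor, thiszone, sigfigs, snaplen, network = struct.unpack_from(GLOBAL_HDR, blob, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap: magic 0x%08x" % magic)
    header = {"version": (major, minor), "thiszone": thiszone, "snaplen": snaplen, "network": network}
    records, off = [], struct.calcsize(GLOBAL_HDR)
    while off < len(blob):
        if off + 16 > len(blob):
            raise ValueError("truncated record header at offset %d" % off)
        sec, usec, incl_len, orig_len = struct.unpack_from(RECORD_HDR, blob, off)
        off += 16
        data = blob[off:off + incl_len]
        if len(data) != incl_len:
            raise ValueError("record at offset %d claims %d bytes, file has %d" % (off - 16, incl_len, len(data)))
        off += incl_len
        records.append({"ts_sec": sec, "ts_usec": usec, "incl_len": incl_len, "orig_len": orig_len,
                        "time": EPOCH + timedelta(seconds=sec, microseconds=usec), "data": data})
    return header, records


def check_pcap(blob):
    """Return [(record index, problem)] for the inconsistencies a converter can introduce."""
    header, records = read_pcap(blob)
    problems = []
    for i, r in enumerate(records):
        if r["incl_len"] > header["snaplen"]:
            problems.append((i, "incl_len %d exceeds snaplen %d" % (r["incl_len"], header["snaplen"])))
        if r["incl_len"] > r["orig_len"]:
            problems.append((i, "incl_len %d exceeds orig_len %d" % (r["incl_len"], r["orig_len"])))
        if r["ts_usec"] >= 1_000_000:
            problems.append((i, "ts_usec %d out of range" % r["ts_usec"]))
    return problems


def ethernet_frame(payload_len):
    """Constructed broadcast IPv4 Ethernet frame with a zero payload (example input only)."""
    return bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"\x00" * payload_len


# Constructed sample: a 60-byte frame and a 2000-byte frame, timestamped 13 Jan 2020 in UTC-8.
PST = timezone(timedelta(hours=-8))
SAMPLE_FRAMES = [
    (datetime(2020, 1, 13, 15, 30, 0, 250000, tzinfo=PST), ethernet_frame(46)),
    (datetime(2020, 1, 13, 15, 30, 1, 5, tzinfo=PST), ethernet_frame(1986)),
]
SAMPLE_PCAP = write_pcap(SAMPLE_FRAMES, snaplen=1500)

# A deliberately bad file, as a converter that writes oversized records unchanged would produce.
BAD_PCAP = (struct.pack(GLOBAL_HDR, PCAP_MAGIC, 2, 4, 0, 0, 1500, LINKTYPE_ETHERNET)
            + struct.pack(RECORD_HDR, 1578958200, 250000, 2000, 2000) + ethernet_frame(1986))

if __name__ == "__main__":
    for i, p in check_pcap(SAMPLE_PCAP):
        print("sample record %d: %s" % (i, p))
    for i, p in check_pcap(BAD_PCAP):
        print("bad record %d: %s" % (i, p))
```

On a real conversion, `check_pcap(open(path, "rb").read())` returning an empty list means every record is consistent with the global header. The piece worth carrying over is ts_to_pcap: ts_sec and ts_usec have to be derived from a single integer quantity in UTC, not from a floating-point second count and a separate millisecond count.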
::===================================================================
:: Auto Capture Setup Script
:: version 0.7
::
:: Programmed by Jeana M. Verkempinck
:: MACO 2020 - Metadata Analysis Capstone
::
:: Designed to prep and tear down a Windows user environment for packet
:: capture using netsh trace to .etl files.
::
:: Also captures SSL key logs from Chrome and Firefox by setting SSLKEYLOGFILE.
::
::===================================================================
@ECHO OFF
:: Flag, set to 1 when this run created the SSLKEYLOGFILE variable, so :BYE removes it again
SET /A Rmsyslog=0
ECHO *******************************
ECHO ** Auto Capture Setup Script **
ECHO ** version 0.7 **
ECHO *******************************
choice /c:YN /m "Did you run this with admin privileges?"
CLS
IF ERRORLEVEL 2 CALL :BYE A
IF ERRORLEVEL 1 GOTO BEGIN
:BYE
:: Remove the persistent SSLKEYLOGFILE variable if this run created it. (setx "" would only
:: store an empty value; deleting the registry value removes it. A browser that inherited the
:: variable keeps logging session keys until it is restarted.)
IF "%Rmsyslog%"=="1" REG DELETE HKCU\Environment /v SSLKEYLOGFILE /f >NUL 2>&1
:: Check what type of exit to use (quoted comparison, so an empty %1 does not break the IF)
IF "%1"=="A" ECHO Certain commands will only work with elevated privileges.
IF "%1"=="E" ECHO Summary: Log created. No trace ran.
IF "%1"=="F" ECHO Summary: Log created and trace completed.
IF "%1"=="P" ECHO Summary: Logs created, capture completed and converted to pcap.
ECHO Goodbye!
ECHO Exiting in:
timeout /t 5
exit
:BEGIN
:: Initiate the log file and pull some useful info
:: Set name (quoted wherever it is used, since it may contain spaces)
ECHO Current Date and Time: %DATE% %TIME%
set /p Tfolder=Name for log folder and file on your desktop:
set Tfile=%Tfolder%
mkdir "%userprofile%\Desktop\%Tfolder%"
set Tfp=%userprofile%\Desktop\%Tfolder%\%Tfile%
choice /c:YN /m "Do you want to create the SSLKEYLOGFILE environment variable?"
CLS
IF ERRORLEVEL 2 GOTO LOGBEGIN
IF ERRORLEVEL 1 GOTO SYSENVSET
:SYSENVSET
:: Switch check for SSL logging to on.
SET Rmsyslog=1
:: Persist the variable in the user environment for browsers started from Explorer ...
setx SSLKEYLOGFILE "%Tfp%-KeyLog.log" >NUL
:: ... and set it in this session as well: setx does not change the running cmd.exe, and the
:: Firefox started below inherits this session's environment, not the registry value.
SET "SSLKEYLOGFILE=%Tfp%-KeyLog.log"
:: The key log holds the TLS session secrets of every connection the browser makes while the
:: variable is set, so it decrypts the whole capture: keep it with the trace and handle it as such.
GOTO LOGBEGIN
:LOGBEGIN
:: Add some useful tracking info
WHOAMI > "%Tfp%.txt"
echo Initialized at %time% on %date% >> "%Tfp%.txt"
echo ================ IP Configuration ================ >> "%Tfp%.txt"
ipconfig /all >> "%Tfp%.txt"
echo ================ Current Network Connections ======== >> "%Tfp%.txt"
NETSTAT -ano >> "%Tfp%.txt"
:: add in whatever other information would be good to log in advance
echo ================ End of initial data gather ========= >> "%Tfp%.txt"
choice /c:YN /m "Begin network trace?"
CLS
IF ERRORLEVEL 2 CALL :BYE E
IF ERRORLEVEL 1 GOTO TRACE
:TRACE
:: Start the trace (needs an elevated prompt)
netsh trace start persistent=no capture=yes report=no tracefile="%Tfp%.etl"
ECHO Trace started at: %TIME% >> "%Tfp%.txt"
ECHO Ping ran for self synchronization: 3 echo requests with a 3-byte payload (/n 3 /l 3) >> "%Tfp%.txt"
:: Run a ping to provide a timing marker in both the trace and this log
ping /n 3 /l 3 127.0.0.1 >> "%Tfp%.txt"
CLS
REM URL choice. The value is stored without quotes and quoted once where it is used.
SET URL=https://www.nps.edu
ECHO Select which site to initiate the test with on Firefox:
ECHO 1 - Facebook
ECHO 2 - Google
ECHO 3 - Exit
choice /c:123 /m "Site: "
REM Exit stops the running trace first. Options 1 and 2 are tested for equality, because
REM IF ERRORLEVEL 1 is also true after choice 2 and would overwrite it.
IF ERRORLEVEL 3 GOTO STOPTRACE
IF %ERRORLEVEL% EQU 2 SET URL=NotReadyYet
IF %ERRORLEVEL% EQU 1 SET URL=https://www.facebook.com/
REM +++ Add section to begin key logger ++
REM Start with wait mode, so when the key logger closes the rest of the batch can resume.
REM START keylog.jar %CD%\%Tfp%-KeyLog.txt
REM ECHO Keylogger started at: %TIME% >> "%Tfp%.txt"
REM ++++++++++++++++++++++++++++++++++++++
REM Open Firefox to the given site in a new window (earlier versions referenced an undefined %NewWindow%)
START "" /d "%programfiles%\Mozilla Firefox" firefox.exe -new-window "%URL%"
ECHO Firefox autostarted at: %TIME% >> "%Tfp%.txt"
CLS
ECHO The trace has now been started.
ECHO Please conduct the chat test, then when ready to stop the active netsh trace...
pause
CLS
:STOPTRACE
ECHO Merging the trace and generating the data collection takes a few minutes.
ECHO Please remain on the current window; clicking off can sometimes cause issues.
ECHO Please be patient, this takes approx. 5 minutes or so...
ECHO ...
netsh trace stop
echo ================ End of Trace at %TIME% ====== >> "%Tfp%.txt"
CLS
REM Remove the next CALL if enabling the etl converter
CALL :BYE F
REM choice /c:YN /m "Convert etl file to pcap?"
REM CLS
REM IF ERRORLEVEL 2 CALL :BYE F
REM IF ERRORLEVEL 1 GOTO PSCONVERT
REM :PSCONVERT
REM ECHO Still work in progress.
REM :: Not sure what is wrong with this call, could be a local issue.
REM PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& './EtlToPcap.ps1' -Path '%Tfp%.etl' -Destination '%Tfp%.pcap'"
REM CALL :BYE P
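With SSLKEYLOGFILE set, Firefox and Chrome append one line per secret in the NSS key log format, `LABEL <client_random as 64 hex digits> <secret as hex>`: CLIENT_RANDOM with the 48-byte master secret for TLS 1.2 and earlier, and CLIENT_HANDSHAKE_TRAFFIC_SECRET, SERVER_HANDSHAKE_TRAFFIC_SECRET, CLIENT_TRAFFIC_SECRET_0 and SERVER_TRAFFIC_SECRET_0 (plus optional EXPORTER_SECRET and EARLY_TRAFFIC_SECRET) for TLS 1.3. Wireshark decrypts a session from the .etl/.pcap only if the lines for that session's client_random are in the file it is pointed at (Preferences > Protocols > TLS > (Pre)-Master-Secret log filename), and the file itself decrypts everything the browser did while the variable was set. The Python block below is an added example, not one of the MACO scripts: it parses such a file, groups the entries by client_random and reports which sessions are decryptable, which are incomplete (for instance a browser closed mid-handshake) and which lines are malformed. KEYLOG_SAMPLE is constructed with filler hex values, not secrets from a real capture.

```python
"""Check an NSS-format SSLKEYLOGFILE for sessions Wireshark will be able to decrypt.

Added example; not part of the MACO scripts. KEYLOG_SAMPLE is constructed: the hex
values are filler, not secrets from a real capture.
"""
import re
from collections import defaultdict

HEX = re.compile(r"^[0-9a-fA-F]+$")

# TLS 1.3 writes one line per secret; decrypting application data needs at least these four.
TLS13_REQUIRED = {
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
}
TLS13_OPTIONAL = {"EXPORTER_SECRET", "EARLY_TRAFFIC_SECRET"}
# Labels handled here; they are keyed by client_random. (RSA premaster lines use a different
# key field and are deliberately not handled.)
KNOWN_LABELS = {"CLIENT_RANDOM"} | TLS13_REQUIRED | TLS13_OPTIONAL


def parse_keylog(text):
    """Return ({client_random: {label: secret}}, [(line_no, reason)]) for the file text."""
    sessions = defaultdict(dict)
    problems = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            problems.append((n, "expected 'LABEL client_random secret'"))
            continue
        label, client_random, secret = parts
        if len(client_random) != 64 or not HEX.match(client_random):
            problems.append((n, "client_random must be 32 bytes of hex"))
            continue
        if not HEX.match(secret) or len(secret) % 2:
            problems.append((n, "secret is not valid hex"))
            continue
        if label == "CLIENT_RANDOM" and len(secret) != 96:
            problems.append((n, "master secret must be 48 bytes"))
            continue
        if label not in KNOWN_LABELS:
            problems.append((n, "unknown label %s" % label))
            continue
        sessions[client_random.lower()][label] = secret.lower()
    return dict(sessions), problems


def classify(labels):
    """Say whether the secrets logged for one client_random are enough to decrypt it."""
    labels = set(labels)
    if "CLIENT_RANDOM" in labels:
        return "tls12-decryptable"
    if TLS13_REQUIRED <= labels:
        return "tls13-decryptable"
    if labels & (TLS13_REQUIRED | TLS13_OPTIONAL):
        return "tls13-incomplete"
    return "unknown"


def summarize(text):
    """Return ({client_random: status}, [(line_no, reason)]) for a key log file's text."""
    sessions, problems = parse_keylog(text)
    return {cr: classify(labels) for cr, labels in sessions.items()}, problems


# Constructed sample: one TLS 1.2 session, one complete TLS 1.3 session, one TLS 1.3 session
# whose browser was closed mid-handshake, and one malformed line.
CR1, CR2, CR3 = "11" * 32, "22" * 32, "33" * 32
KEYLOG_SAMPLE = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    "CLIENT_RANDOM %s %s" % (CR1, "aa" * 48),
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET %s %s" % (CR2, "b1" * 32),
    "SERVER_HANDSHAKE_TRAFFIC_SECRET %s %s" % (CR2, "b2" * 32),
    "EXPORTER_SECRET %s %s" % (CR2, "b3" * 32),
    "CLIENT_TRAFFIC_SECRET_0 %s %s" % (CR2, "b4" * 32),
    "SERVER_TRAFFIC_SECRET_0 %s %s" % (CR2, "b5" * 32),
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET %s %s" % (CR3, "c1" * 32),
    "SERVER_HANDSHAKE_TRAFFIC_SECRET %s %s" % (CR3, "c2" * 32),
    "CLIENT_RANDOM deadbeef tooshort",
])

if __name__ == "__main__":
    report, problems = summarize(KEYLOG_SAMPLE)
    for cr, status in report.items():
        print("%s... %s" % (cr[:16], status))
    for n, reason in problems:
        print("line %d: %s" % (n, reason))
```

After a collection run, `summarize(open(keylog_path).read())` answers "did the browser actually log keys for this session" before the trace is archived; a capture whose ClientHello client_random values have no matching entry cannot be decrypted later, whatever else is kept.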
@ECHO OFF
::===================================================================
:: Auto Capture Setup Script
:: version 0.8.1
::
:: Programmed by Jeana M. Verkempinck
:: MACO 2020 - Metadata Analysis Capstone
::
:: Designed to prep and tear down a Windows user environment for packet
:: capture using netsh trace to .etl files.
::
:: Also captures SSL key logs from Chrome and Firefox by setting SSLKEYLOGFILE.
::
::===================================================================
:: Set a variable for URL
SET URL="https://www.nps.edu"
ECHO *******************************
ECHO ** Auto Capture Setup Script **
ECHO ** version 0.8.1 **
ECHO *******************************
set Tfile=A-13Jan2020
set Tfp=%userprofile%\Desktop\%Tfile%\%Tfile%
:: Auto convert to PCAP. The converter is run with -File rather than a -Command string,
:: because cmd.exe does not pass the nested double quotes of the -Command form through
:: intact; all paths are quoted since Tfp can contain spaces.
PowerShell.exe -NoProfile -ExecutionPolicy Bypass -File "%userprofile%\Desktop\MACO-Script\ConvertEtlToPcap.ps1" -Path "%Tfp%.etl" -Destination "%Tfp%.pcap"
pause
@ECHO OFF
::===================================================================
:: Auto Capture Setup Script
:: version 0.8.1
::
:: Programmed by Jeana M. Verkempinck
:: MACO 2020 - Metadata Analysis Capstone
::
:: Designed to prep and tear down a Windows user environment for packet
:: capture using netsh trace to .etl files.
::
:: Also captures SSL key logs from Chrome and Firefox by setting SSLKEYLOGFILE.
::
::===================================================================
:: Set a variable for URL
SET URL="https://www.nps.edu"
ECHO *******************************
ECHO ** Auto Capture Setup Script **
ECHO ** version 0.8.1 **
ECHO *******************************
choice /c:YN /m "Did you run this with admin privileges?"
CLS
IF ERRORLEVEL 2 CALL :BYE A
IF ERRORLEVEL 1 GOTO BEGIN
:BYE
REM CLS
:: Check what type of exit to use (quoted comparison, so an empty %1 does not break the IF)
IF "%1"=="A" ECHO Certain commands will only work with elevated privileges.
IF "%1"=="E" ECHO Summary: Log created. No trace ran.
IF "%1"=="F" ECHO Summary: Log created and trace completed.
IF "%1"=="P" ECHO Summary: Logs created, capture completed and converted to pcap.
ECHO Goodbye!
ECHO Exiting in:
timeout /t 5
exit
:BEGIN
:: Set name for folder
ECHO Current Date and Time: %DATE% %TIME%