tattoo: random thoughts on traffic analysis
goals
- Identify discrete protocols - if protocol tunneling is going on, or if multiple protocols are using the same port or even different ports, how do we go about identifying the specific protocols?
- Determine PDU structure - what are the headers and what is the data? where are the field boundaries? Message fields generally have the following functions:
  - identity - addresses, port numbers, call signs, etc.
  - sequencing - track the order of messages
  - type code - what kind of message is it? think Ethernet Type, IP protocol type, and much much more
- Determine communication relationships - unicast, multicast, client-server, p2p, you get the point...
- Determine if authentication is used - plaintext, shared key, some sort of key exchange
- Determine if encryption is used and what type - I'm not a crypto guy, but stuff like a shared key, are they using some bogus XOR algorithm, etc.
methods
Assuming we have a traffic dump, we can compare individual messages with messages that we know are a different protocol (like-unlike) or compare messages we know are the same protocol (like-like) based on a number of characteristics
- message size - normally, we can quickly group together messages that are the same size; are the messages/fields fixed length or variable length?
- byte-position frequency/variability - "line up" the messages and count the number of different values that occur at each byte position (basically a column). If you do this on encrypted data you'll see that the counts are very high in every column. You can also use this technique to distinguish between different fields and/or protocol layers, since header columns vary much less than payload columns.
- motifs - the same string of bytes appears over and over again, perhaps in the same position of the message, perhaps in different positions
- incrementation - fields such as IP IDs, TCP sequence numbers and some fields in IPsec increment upwards from one message to the next. This is pretty easy to spot.
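As an added example (not part of the original notes), the Python below runs the size-grouping, byte-position variability and incrementation checks above over a constructed toy protocol; the message layout, the sample values and the 25% "low variability" threshold are all assumptions, not a real protocol.

```python
from collections import defaultdict

# Constructed sample traffic (not a real protocol): each PDU is a 2-byte magic,
# a 1-byte type code, a 2-byte big-endian sequence number and, for data
# messages, 8 payload bytes that differ in every position. Three short ACKs
# carry only the 5-byte header, so the dump contains two message sizes.
def make_samples(n=16):
    msgs = []
    for i in range(n):
        header = b"\xab\xcd" + bytes([i % 3]) + (100 + i).to_bytes(2, "big")
        payload = bytes((i * 37 + j * 53) % 256 for j in range(8))  # varying filler
        msgs.append(header + payload)
    msgs += [b"\xab\xcd\x03" + s.to_bytes(2, "big") for s in (7, 8, 9)]  # ACKs
    return msgs

def group_by_size(msgs):
    """First cut: bucket messages by length so fixed-length groups stand out."""
    groups = defaultdict(list)
    for m in msgs:
        groups[len(m)].append(m)
    return dict(groups)

def column_variability(msgs):
    """Line up equal-length messages; count distinct values per byte position."""
    n = len(msgs[0])
    assert all(len(m) == n for m in msgs), "group by size first"
    return [len({m[i] for m in msgs}) for i in range(n)]

def increments(msgs):
    """True where the byte grows by exactly one between consecutive messages."""
    n = len(msgs[0])
    return [all((b[i] - a[i]) % 256 == 1 for a, b in zip(msgs, msgs[1:]))
            for i in range(n)]

def classify_columns(msgs, low_ratio=0.25):
    """Label each position: constant (magic/motif), counter (incrementing),
    low (type code or flags) or high (payload; a whole message of 'high'
    columns is what ciphertext looks like). low_ratio is an assumed heuristic."""
    labels = []
    for distinct, is_inc in zip(column_variability(msgs), increments(msgs)):
        if distinct == 1:
            labels.append("constant")
        elif is_inc:
            labels.append("counter")
        elif distinct <= max(2, int(len(msgs) * low_ratio)):
            labels.append("low")
        else:
            labels.append("high")
    return labels

if __name__ == "__main__":
    for size, group in sorted(group_by_size(make_samples()).items()):
        print(f"{size}-byte messages ({len(group)}):", classify_columns(group))
```

A multi-byte counter shows up as a constant high byte sitting next to an incrementing low byte (positions 3 and 4 here), which is also how you spot the field boundary.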