
Monday, June 11, 2007

Network Forensics Exam

Today was the day: the widely feared Network Forensics exam took place.

Why feared? Simple: the main part of the lecture and the exercises consisted of sniffing various protocols and looking at their contents. And there were quite a few of them; some people were already close to a packet meltdown. Of course we had no idea what would be waiting for us in the exam.

The HEX dumps of sniffed packets that we had "feared" at the start did of course turn up promptly. In hindsight, though, that was actually the easier part. In total there were three large HEX dumps to analyse, plus a whole lot of questions (16) about them, so 20 questions altogether.

All in all the exam was a challenge, but still fair and OK. I actually expect a not-too-bad grade, but I'll let myself be surprised by how it turns out.

For those who don't know what a hexdump of a packet is, here is a small example:

first packet:
0000 ff ff ff ff ff ff 00 11 d8 5f bd 63 08 00 45 00 ........._.c..E.
0010 01 48 00 06 00 00 80 11 39 a0 00 00 00 00 ff ff .H......9.......
0020 ff ff 00 44 00 43 01 34 01 45 01 01 06 00 06 a5 ...D.C.4.E......
0030 71 4f 00 00 80 00 00 00 00 00 00 00 00 00 00 00 qO..............
0040 00 00 00 00 00 00 00 11 d8 5f bd 63 00 00 00 00 ........._.c....
0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0110 00 00 00 00 00 00 63 82 53 63 35 01 01 74 01 01 ......c.Sc5..t..
0120 3d 07 01 00 11 d8 5f bd 63 32 04 d4 f1 7f 09 0c =....._.c2......
0130 0b 50 61 69 6e 73 74 61 74 69 6f 6e 3c 08 4d 53 .Painstation<.MS
0140 46 54 20 35 2e 30 37 0c 01 0f 03 06 2c 2e 2f 1f FT 5.07.....,./.
0150 21 79 f9 2b ff 00 !y.+..

second packet:
0000 ff ff ff ff ff ff 00 09 5b c4 3b 82 08 00 45 00 ........[.;...E.
0010 01 3a b7 0a 40 00 20 11 e1 ff c0 a8 00 01 ff ff .:..@. .........
0020 ff ff 00 43 00 44 01 26 b7 0a 02 01 06 00 06 a5 ...C.D.&........
0030 71 4f 00 00 80 00 00 00 00 00 c0 a8 00 04 00 00 qO..............
0040 00 00 00 00 00 00 00 11 d8 5f bd 63 00 00 00 00 ........._.c....
0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0110 00 00 00 00 00 00 63 82 53 63 35 01 02 36 04 c0 ......c.Sc5..6..
0120 a8 00 01 01 04 ff ff ff 00 3a 04 00 00 a8 c0 3b .........:.....;
0130 04 00 01 1e e0 33 04 00 01 51 80 03 04 c0 a8 00 .....3...Q......
0140 01 06 04 c0 a8 c8 02 ff 00 00 00 00 00 00 00 00 ................
0150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0200 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0210 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0220 00 00 00 00 ....

and so on and so forth.....
Incidentally, this example also came up in the exam; as you of course recognise immediately, it is a DHCP Discover and a DHCP Offer.
Network Forensics is now finished, and I can only recommend it to those who come after us, even if it isn't necessarily what you would imagine under that name.
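To show what such an exam question actually asks you to read off a dump, here is an added example (my code, not part of the original post): a Python script that reassembles the two hexdumps above into bytes and walks the layers Ethernet, IPv4, UDP, BOOTP and DHCP options. The two dumps are copied from the post; the only change is that the runs of all-zero rows are collapsed to a `*` line (my shorthand, modelled on the row squeezing of `hexdump -C`), which the parser refills from the offset column. The script also does the two checks I would want when working from a printed dump: the IPv4 header checksum must come out to zero (otherwise a byte was miscopied, and both dumps pass this), and the payload is cut at the UDP length rather than the frame length, because the Offer frame carries about 220 bytes of zero trailer beyond the datagram. What identifies the messages is DHCP option 53 (0x35): value 01 in the first dump is Discover, 02 in the second is Offer; the shared transaction id 0x06a5714f and the client MAC 00:11:d8:5f:bd:63 tie the Offer to the Discover. The hostname "Painstation" and vendor class "MSFT 5.0" come straight from the option bytes.

```python
import re
import struct

# Dumps copied from the post. A "*" line is my shorthand for "all-zero rows up to
# the next offset" (like the squeeze in `hexdump -C`); hexdump_to_bytes refills them.
DISCOVER_DUMP = """\
0000 ff ff ff ff ff ff 00 11 d8 5f bd 63 08 00 45 00 ........._.c..E.
0010 01 48 00 06 00 00 80 11 39 a0 00 00 00 00 ff ff .H......9.......
0020 ff ff 00 44 00 43 01 34 01 45 01 01 06 00 06 a5 ...D.C.4.E......
0030 71 4f 00 00 80 00 00 00 00 00 00 00 00 00 00 00 qO..............
0040 00 00 00 00 00 00 00 11 d8 5f bd 63 00 00 00 00 ........._.c....
*
0110 00 00 00 00 00 00 63 82 53 63 35 01 01 74 01 01 ......c.Sc5..t..
0120 3d 07 01 00 11 d8 5f bd 63 32 04 d4 f1 7f 09 0c =....._.c2......
0130 0b 50 61 69 6e 73 74 61 74 69 6f 6e 3c 08 4d 53 .Painstation<.MS
0140 46 54 20 35 2e 30 37 0c 01 0f 03 06 2c 2e 2f 1f FT 5.07.....,./.
0150 21 79 f9 2b ff 00 !y.+..
"""
OFFER_DUMP = """\
0000 ff ff ff ff ff ff 00 09 5b c4 3b 82 08 00 45 00 ........[.;...E.
0010 01 3a b7 0a 40 00 20 11 e1 ff c0 a8 00 01 ff ff .:..@. .........
0020 ff ff 00 43 00 44 01 26 b7 0a 02 01 06 00 06 a5 ...C.D.&........
0030 71 4f 00 00 80 00 00 00 00 00 c0 a8 00 04 00 00 qO..............
0040 00 00 00 00 00 00 00 11 d8 5f bd 63 00 00 00 00 ........._.c....
*
0110 00 00 00 00 00 00 63 82 53 63 35 01 02 36 04 c0 ......c.Sc5..6..
0120 a8 00 01 01 04 ff ff ff 00 3a 04 00 00 a8 c0 3b .........:.....;
0130 04 00 01 1e e0 33 04 00 01 51 80 03 04 c0 a8 00 .....3...Q......
0140 01 06 04 c0 a8 c8 02 ff 00 00 00 00 00 00 00 00 ................
*
0220 00 00 00 00 ....
"""
ROW = re.compile(r"^([0-9a-f]{4,8})((?:\s+[0-9a-f]{2}){1,16})(?=\s|$)", re.I)
DHCP_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
              5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
def mac(b): return ":".join(f"{x:02x}" for x in b)
def ipv4(b): return ".".join(str(x) for x in b)

def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild bytes from an offset-addressed dump, checking that the rows are contiguous."""
    buf, squeezed = bytearray(), False
    for line in filter(None, map(str.strip, dump.splitlines())):
        if line == "*":
            squeezed = True
            continue
        m = ROW.match(line)                     # hex pairs stop where the ASCII column starts
        if not m:
            raise ValueError(f"unparseable row: {line!r}")
        offset = int(m.group(1), 16)
        if squeezed:                            # refill the elided all-zero rows
            buf += bytes(offset - len(buf))
            squeezed = False
        if offset != len(buf):                  # a row lost in copy/paste shows up here
            raise ValueError(f"row {offset:#06x} does not follow {len(buf):#06x}")
        buf += bytes.fromhex("".join(m.group(2).split()))
    return bytes(buf)

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over an even-length buffer; 0 means the checksum is valid."""
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_frame(frame: bytes) -> dict:
    """Ethernet -> IPv4 -> UDP -> BOOTP/DHCP; raises ValueError if a layer is not what we expect."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    if inet_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum: was the dump copied correctly?")
    if ip[9] != 17:
        raise ValueError("not UDP")
    # Cut at the UDP length, not the frame length: the Offer frame ends in a long zero trailer.
    sport, dport, ulen = struct.unpack("!HHH", ip[ihl:ihl + 6])
    bootp = ip[ihl + 8:ihl + ulen]
    op, _htype, hlen, _hops, xid, _secs, flags = struct.unpack("!BBBBIHH", bootp[:12])
    if bootp[236:240] != b"\x63\x82\x53\x63":
        raise ValueError("no DHCP magic cookie (plain BOOTP?)")
    opts, i = {}, 240
    while i < len(bootp) and bootp[i] != 255:   # 255 = End option
        if bootp[i] == 0:                       # 0 = Pad, carries no length byte
            i += 1
            continue
        opts[bootp[i]] = bootp[i + 2:i + 2 + bootp[i + 1]]
        i += 2 + bootp[i + 1]
    def addr(code): return ipv4(opts[code][:4]) if code in opts else None   # first address only
    def secs(code): return struct.unpack("!I", opts[code])[0] if code in opts else None
    def text(code): return opts.get(code, b"").decode("ascii", "replace")
    return {
        "src_ip": ipv4(ip[12:16]), "dst_ip": ipv4(ip[16:20]), "ports": (sport, dport),
        "trailer": len(frame) - 14 - total_len, "xid": xid, "broadcast": bool(flags & 0x8000),
        "op": {1: "BOOTREQUEST", 2: "BOOTREPLY"}.get(op, "?"), "chaddr": mac(bootp[28:28 + hlen]),
        "yiaddr": ipv4(bootp[16:20]), "msg_type": DHCP_TYPES.get(opts.get(53, b"\0")[0], "?"),
        "hostname": text(12), "vendor_class": text(60), "param_request": list(opts.get(55, b"")),
        "requested_ip": addr(50), "server_id": addr(54), "subnet_mask": addr(1),
        "router": addr(3), "dns": addr(6), "lease": secs(51), "t1": secs(58), "t2": secs(59),
    }
```

`parse_frame(hexdump_to_bytes(DISCOVER_DUMP))` yields a BOOTREQUEST from 0.0.0.0:68 to 255.255.255.255:67 with `msg_type == "DISCOVER"`, the requested address 212.241.127.9 and the parameter request list; the Offer decodes as a BOOTREPLY from 192.168.0.1:67 with `yiaddr == "192.168.0.4"`, server id and router 192.168.0.1, mask 255.255.255.0, DNS 192.168.200.2, and lease timers of 86400, 43200 and 73440 seconds (options 51, 58, 59), plus `trailer == 220` for the padding that the IP length excludes. Options 3 and 6 may carry several addresses; `addr()` reports only the first.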
