Hide and Seek on Github 2
One detail from the story told in No. 1 of this section.
The video and the PCAP are the same as in No. 1 of this section.
Watch the video from 0:04:28. Or open it in a new window and it will play just the short footage that I discuss here.
---
By uncenz:
dump_180809_1931_gdO_2150-6960.pcap
---
This time, apart from running my tools, I ran this little part-PCAP in Wireshark quite a lot to do my analysis. But to pinpoint the error(s) that happened, some of the output of my scripts will serve well.
tshark-hosts-conv produces, among other files, this IPv4 conversations table:
================================================================================
IPv4 Conversations
Filter:
                                |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
151.101.16.133  <-> 192.168.1.2      640   125177     738   131707    1378   256884     0.000000000       335.3343
192.30.253.112  <-> 192.168.1.2      700    97165     981  1274971    1681  1372136     3.384088000       220.9344
192.30.253.125  <-> 192.168.1.2      199    20758     214    34905     413    55663     4.481287000       330.4568
192.30.253.124  <-> 192.168.1.2      189    24336     187    29115     376    53451     4.499537000       330.4405
185.121.177.177 <-> 192.168.1.2       37     3111      37     5126      74     8237     6.295110000       320.2678
192.168.1.1     <-> 224.0.0.1          0        0       2      124       2      124   112.581231000       125.0039
192.30.253.113  <-> 192.168.1.2      280    39709     568   791260     848   830969   268.778966000        66.8086
================================================================================
These IPs, looked up in dump_180809_1931_gdO_2150-6960.hosts, tell you what I mentioned in No. 1 of this section: it's just M$ (in the robe of Github), no one else. Good security-wise, but not privacy-wise, as they work with the surveillor states pretty much anywhere; no privacy really with M$. If you run tshark-hosts-conv, the educational dump_180809_1931_gdO_2150-6960_tHostsConv.log that it makes for you upon completion contains this section, corresponding to the table above:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
151.101.16.133 github.map.fastly.net
                                |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
151.101.16.133  <-> 192.168.1.2      640   125177     738   131707    1378   256884     0.000000000       335.3343
---
192.30.253.112 github.com
                                |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
192.30.253.112  <-> 192.168.1.2      700    97165     981  1274971    1681  1372136     3.384088000       220.9344
---
192.30.253.125 live.github.com
                                |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
192.30.253.125  <-> 192.168.1.2      199    20758     214    34905     413    55663     4.481287000       330.4568
---
192.30.253.124 live.github.com
                                |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
192.30.253.124  <-> 192.168.1.2      189    24336     187    29115     376    53451     4.499537000       330.4405
---
( abbreviated here for 185.121.177.177, the OpenNIC DNS hub, and 224.0.0.1, the IGMP IP in the local Chinese commie router ZTE ZXDSL to fiberland )
---
192.30.253.113 github.com
                                |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
192.30.253.113  <-> 192.168.1.2      280    39709     568   791260     848   830969   268.778966000        66.8086
---
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
What happens in the window (if you have opened it as I suggested near the top), in those some 4 seconds, starts right when this last Github-M$ IP joins in (192.30.253.113, Relative Start 268.778966000)!
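As an added example (my own code, not the page's and not uncenz's), here is a small Python parser doing what tshark-hosts-conv does for the tables above: it joins the IPv4 conversation rows with the .hosts mapping and picks out the conversation with the latest relative start. The rows are copied from the table above; the hosts-file layout (IP, tab, name, with a comment header) is an assumption.

```python
# Join tshark "IPv4 Conversations" rows with a hosts mapping and find the peer
# that joined the capture last.  Added example, not code from the page or uncenz.
import re
from collections import namedtuple

# Rows copied from the conversation table above (whitespace normalised).
CONV_IP = """\
IPv4 Conversations
151.101.16.133  <-> 192.168.1.2  640 125177  738  131707 1378  256884   0.000000000 335.3343
192.30.253.112  <-> 192.168.1.2  700  97165  981 1274971 1681 1372136   3.384088000 220.9344
192.30.253.125  <-> 192.168.1.2  199  20758  214   34905  413   55663   4.481287000 330.4568
192.30.253.124  <-> 192.168.1.2  189  24336  187   29115  376   53451   4.499537000 330.4405
185.121.177.177 <-> 192.168.1.2   37   3111   37    5126   74    8237   6.295110000 320.2678
192.30.253.113  <-> 192.168.1.2  280  39709  568  791260  848  830969 268.778966000  66.8086
"""
# Hostname mapping in the "IP<TAB>name" layout (assumed) of the .hosts file;
# the OpenNIC resolver is deliberately left out to show the unresolved case.
HOSTS = """\
# TShark hosts output
151.101.16.133\tgithub.map.fastly.net
192.30.253.112\tgithub.com
192.30.253.125\tlive.github.com
192.30.253.124\tlive.github.com
192.30.253.113\tgithub.com
"""

# addr <-> addr, six integer columns (<- frames/bytes, -> frames/bytes, totals),
# then relative start and duration.
ROW = re.compile(r"^(\S+)\s+<->\s+(\S+)" + r"\s+(\d+)" * 6 + r"\s+([\d.]+)\s+([\d.]+)\s*$")
Conversation = namedtuple("Conversation", "peer host frames nbytes start duration")

def parse_hosts(text):
    """Return {ip: hostname}; comment and blank lines are skipped."""
    names = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            ip, name = line.split(None, 1)
            names[ip] = name.strip()
    return names

def parse_conversations(text, names, local="192.168.1.2"):
    """Parse conversation rows; whichever address is not local is the peer."""
    convs = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:                       # skips banner, header and separator lines
            peer = m[2] if m[1] == local else m[1]
            convs.append(Conversation(peer, names.get(peer, "?"), int(m[7]),
                                      int(m[8]), float(m[9]), float(m[10])))
    return convs

def latest_joiner(convs):
    """The conversation with the largest relative start, i.e. the last peer to appear."""
    return max(convs, key=lambda c: c.start)
```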
And here is the summary, taken from Wireshark: File -> Export Packet Dissections -> As Plain Text.
And then: Selected Packets Only, Range 3343-3492, and just the Summary Line.
And you should get: dump_180809_1931_gdO_2150-6960_dissect3343-3492.txt, which tells:
No.   Time        Source          Destination     Protocol Length Info
3343  268.886556  192.168.1.2     192.30.253.113  TLSv1.2  294    Client Hello
3344  268.995030  192.30.253.113  192.168.1.2     TLSv1.2  1492   Server Hello
3345  268.995259  192.168.1.2     192.30.253.113  TCP      68     35084 → 443 [ACK] Seq=227 Ack=1425 Win=32128 Len=0 TSval=105509523 TSecr=2775686674
3346  268.995311  192.30.253.113  192.168.1.2     TCP      1492   443 → 35084 [ACK] Seq=1425 Ack=227 Win=29696 Len=1424 TSval=2775686674 TSecr=105509414 [TCP segment of a reassembled PDU]
3347  268.995364  192.168.1.2     192.30.253.113  TCP      68     35084 → 443 [ACK] Seq=227 Ack=2849 Win=35072 Len=0 TSval=105509523 TSecr=2775686674
3348  268.995396  192.30.253.113  192.168.1.2     TLSv1.2  770    Certificate, Server Key Exchange, Server Hello Done
3349  268.995437  192.168.1.2     192.30.253.113  TCP      68     35084 → 443 [ACK] Seq=227 Ack=3551 Win=37888 Len=0 TSval=105509523 TSecr=2775686674
3350  269.003569  192.168.1.2     192.30.253.113  TLSv1.2  194    Client Key Exchange, Change Cipher Spec, Finished
3351  269.110748  192.30.253.113  192.168.1.2     TLSv1.2  119    Change Cipher Spec, Finished
3352  269.122895  192.168.1.2     192.30.253.113  TCP      1492   35084 → 443 [ACK] Seq=353 Ack=3602 Win=37888 Len=1424 TSval=105509651 TSecr=2775686703 [TCP segment of a reassembled PDU]
[1] This is where the preview request is POSTed:
3353  269.122917  192.168.1.2     192.30.253.113  HTTP     1113   POST /preview?markdown_unsupported=false&repository=89864152&subject=30&subject_type=PullRequest HTTP/1.1
3354  269.230608  192.30.253.113  192.168.1.2     TCP      68     443 → 35084 [ACK] Seq=3602 Ack=2822 Win=35840 Len=0 TSval=2775686733 TSecr=105509651
3355  269.285954  192.30.253.113  192.168.1.2     TLSv1.2  1467   [SSL segment of a reassembled PDU]
3356  269.286059  192.30.253.113  192.168.1.2     TLSv1.2  1467   [SSL segment of a reassembled PDU]
3357  269.286122  192.168.1.2     192.30.253.113  TCP      68     35084 → 443 [ACK] Seq=2822 Ack=6400 Win=43648 Len=0 TSval=105509814 TSecr=2775686747
[2] This is where it's reassembled and shown in the browser:
3358  269.286158  192.30.253.113  192.168.1.2     HTTP     489    HTTP/1.1 200 OK (text/html)
3359  269.326787  192.168.1.2     192.30.253.113  TCP      68     35084 → 443 [ACK] Seq=2822 Ack=6821 Win=46464 Len=0 TSval=105509855 TSecr=2775686747
3360  271.827606  151.101.16.133  192.168.1.2     TCP      99     [TCP Retransmission] 443 → 41410 [FIN, PSH, ACK] Seq=3102 Ack=3891 Win=15008 Len=31 TSval=1829280192 TSecr=105496592
[3] The GET request generated by right-clicking on the link; but please notice the incomplete local address! That is not what is in that preview page; part of it is missing:
3361  272.067988  192.168.1.2     192.30.253.113  HTTP     1468   GET /minipli/linux-unofficial_grsec/issue_comments HTTP/1.1
3362  272.215695  192.30.253.113  192.168.1.2     TCP      68     443 → 35084 [ACK] Seq=6821 Ack=4222 Win=38912 Len=0 TSval=2775687480 TSecr=105512596
3363  272.216546  192.30.253.113  192.168.1.2     TLSv1.2  1467   [SSL segment of a reassembled PDU]
3364  272.216601  192.168.1.2     192.30.253.113  TCP      68     35084 → 443 [ACK] Seq=4222 Ack=8220 Win=49408 Len=0 TSval=105512744 TSecr=2775687480
[ 16 lines cut (8 times 2), all like the two above ]
3381  272.217682  192.30.253.113  192.168.1.2     TLSv1.2  1492   [SSL segment of a reassembled PDU] [TCP segment of a reassembled PDU]
3382  272.217717  192.168.1.2     192.30.253.113  TCP      68     35084 → 443 [ACK] Seq=4222 Ack=20936 Win=75392 Len=0 TSval=105512746 TSecr=2775687480
3383  272.320837  151.101.16.133  192.168.1.2     TCP      99     [TCP Retransmission] 443 → 41418 [FIN, PSH, ACK] Seq=7994 Ack=2494 Win=33280 Len=31 TSval=144078401 TSecr=105496592
3384  272.323198  192.30.253.113  192.168.1.2     TLSv1.2  1492   [SSL segment of a reassembled PDU] [TCP segment of a reassembled PDU]
3385  272.323282  192.168.1.2     192.30.253.113  TCP      68     35084 → 443 [ACK] Seq=4222 Ack=22360 Win=78336 Len=0 TSval=105512851 TSecr=2775687506
[ 94 lines cut (47 times 2), all like the two above ]
3480  272.434398  192.30.253.113  192.168.1.2     TLSv1.2  606    [SSL segment of a reassembled PDU]
3481  272.434477  192.30.253.113  192.168.1.2     TLSv1.2  1467   [SSL segment of a reassembled PDU]
3482  272.434600  192.30.253.113  192.168.1.2     TLSv1.2  1492   [SSL segment of a reassembled PDU]
3483  272.434767  192.30.253.113  192.168.1.2     TLSv1.2  1442   [SSL segment of a reassembled PDU]
3484  272.434838  192.30.253.113  192.168.1.2     TLSv1.2  1492   [SSL segment of a reassembled PDU]
3485  272.434958  192.30.253.113  192.168.1.2     TLSv1.2  1492   [SSL segment of a reassembled PDU] [TCP segment of a reassembled PDU]
3486  272.435087  192.30.253.113  192.168.1.2     TLSv1.2  1492   [SSL segment of a reassembled PDU] [TCP segment of a reassembled PDU]
3487  272.435209  192.30.253.113  192.168.1.2     TLSv1.2  1492   [SSL segment of a reassembled PDU] [TCP segment of a reassembled PDU]
3488  272.435329  192.30.253.113  192.168.1.2     TLSv1.2  1492   [SSL segment of a reassembled PDU] [TCP segment of a reassembled PDU]
3489  272.435452  192.30.253.113  192.168.1.2     TLSv1.2  1492   [SSL segment of a reassembled PDU] [TCP segment of a reassembled PDU]
3490  272.435573  192.30.253.113  192.168.1.2     TLSv1.2  1492   [SSL segment of a reassembled PDU] [TCP segment of a reassembled PDU]
[4] And surely the link is not found:
3491  272.435606  192.30.253.113  192.168.1.2     HTTP     320    HTTP/1.1 404 Not Found (text/html)
3492  272.444229  192.168.1.2     192.30.253.113  TCP      68     35084 → 443 [ACK] Seq=4222 Ack=104243 Win=141952 Len=0 TSval=105512972 TSecr=2775687533
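The request/response pairing that the notes [1] to [4] walk through by hand, as an added Python example (mine, not from the page or from uncenz): it reads Wireshark summary lines like the ones above, matches each HTTP request to the response flowing back on the same address pair, and reports status and latency, so the 404 that follows the truncated GET falls out of the data rather than being spotted by eye. The summary excerpt is constructed from the frames quoted above, with one TCP ACK row kept to show that non-HTTP rows are ignored.

```python
# Pair HTTP requests with their responses in a Wireshark "summary line" export
# (File -> Export Packet Dissections -> As Plain Text).  Added example, not
# code from the page or from uncenz.
import re
from collections import namedtuple

# Constructed excerpt of the dissection quoted above (HTTP frames plus one ACK).
SUMMARY = """\
No.     Time        Source          Destination     Protocol Length Info
   3353 269.122917  192.168.1.2     192.30.253.113  HTTP     1113   POST /preview?markdown_unsupported=false&repository=89864152&subject=30&subject_type=PullRequest HTTP/1.1
   3354 269.230608  192.30.253.113  192.168.1.2     TCP      68     443 → 35084 [ACK] Seq=3602 Ack=2822 Win=35840 Len=0
   3358 269.286158  192.30.253.113  192.168.1.2     HTTP     489    HTTP/1.1 200 OK  (text/html)
   3361 272.067988  192.168.1.2     192.30.253.113  HTTP     1468   GET /minipli/linux-unofficial_grsec/issue_comments HTTP/1.1
   3491 272.435606  192.30.253.113  192.168.1.2     HTTP     320    HTTP/1.1 404 Not Found  (text/html)
"""

# One summary line: No. Time Source Destination Protocol Length Info
LINE = re.compile(r"^\s*(?P<no>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)"
                  r"\s+(?P<proto>\S+)\s+(?P<len>\d+)\s+(?P<info>.*)$")
REQUEST = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+HTTP/1\.[01]$")
RESPONSE = re.compile(r"^HTTP/1\.[01]\s+(?P<status>\d{3})\b")
Exchange = namedtuple("Exchange", "method path status latency")   # latency in seconds

def pair_http(text):
    """Match each HTTP request with the next response flowing back on the
    same address pair; returns Exchange records in capture order."""
    pending, exchanges = {}, []          # (client, server) -> FIFO of requests
    for line in text.splitlines():
        m = LINE.match(line)
        if not m or m["proto"] != "HTTP":
            continue                     # header line, TCP ACKs, TLS segments
        info, t = m["info"].strip(), float(m["time"])
        req = REQUEST.match(info)
        if req:
            pending.setdefault((m["src"], m["dst"]), []).append((t, req["method"], req["path"]))
            continue
        resp = RESPONSE.match(info)
        queue = pending.get((m["dst"], m["src"]))   # response runs server -> client
        if resp and queue:
            t0, method, path = queue.pop(0)
            exchanges.append(Exchange(method, path, int(resp["status"]), round(t - t0, 6)))
    return exchanges

def failed(exchanges):
    """Exchanges whose response was a client or server error (4xx/5xx)."""
    return [e for e in exchanges if e.status >= 400]
```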
WARNING: Familiarity with, and use of, some Unix-like OS such as GNU/Linux or BSD (or being able to use Cygwin on Windows, but I haven't tested that yet) is required to be able to follow.
Most of the original files of this section are produced with my (primitive) set of scripts:
Notice there are different scripts there; some I use for minimal anonymization of the dumps (dump_perl_repl.sh). Ah, and another could be useful for downloading, instead of click-downloading each file in a list (dump_dLo.sh). If not downloading uncenz, you can get it directly: https://raw.githubusercontent.com/miroR/uncenz/master/dump_dLo.sh or a later version if that looks too old.
It's also available here locally.
For analysis/stream extraction I often use my scripts, modest and lacking in good programming practices, but doing what I created them for:
and:
as well as:
workPCAPs, which can run tshark-streams and tshark-hosts-conv
(and from May 2018 also stream-cont.pl from program
on (a lot of) PCAP(s), (usually) non-interactively.
NOTE: A better way than my stream-cont has been available in tshark since shortly after I wrote it. Please see how to extract files, as taught by a Wireshark core dev.
Readers are advised to try and analyze the traffic dumps for themselves, with the above programs (I also try to make them of some educational use). There would anyway be too little point in posting all the streams and listings that those would produce. I usually post just those among that output which are crucial for the discussion in question.
And just one more thing: I post lots of command lines and snippets of scripts. Be aware that some of those are in HTML, so before using them, check that they correspond to what the page shows, and of course report back to me (see the contact page) any typos and errors you find.
The files necessary for this study are listed in:
dump_180809_1931_gdO_2150-6960.conv-ip
dump_180809_1931_gdO_2150-6960.hosts
dump_180809_1931_gdO_2150-6960_tHostsConv.log
dump_180809_1931_gdO_2150-6960_dissect3343-3492.txt
and verify to: ls-1.sum
signed by: ls-1.sum.asc