From ff635c82cf75c96ffd15501dc3f8079d8ba92948 Mon Sep 17 00:00:00 2001
From: David Kaufmann
Date: Fri, 25 Dec 2015 20:42:17 +0100
Subject: [PATCH] add decoder

---
 exercise2.tex | 25 +++++++++++++++++++++----
 exercise2/task2/decode_ipid.py | 31 +++++++++++++++++++++++++++++++
 exercise2/task2/large_flow.pcap | Bin 0 -> 12378 bytes
 3 files changed, 52 insertions(+), 4 deletions(-)
 create mode 100755 exercise2/task2/decode_ipid.py
 create mode 100644 exercise2/task2/large_flow.pcap

diff --git a/exercise2.tex b/exercise2.tex
index 0ae3da7..03369f2 100644
--- a/exercise2.tex
+++ b/exercise2.tex
@@ -1,5 +1,6 @@
 \section{Rep:2.a}
+pcap-ng format to pcap for scapy
 editcap -F libpcap team15_ex21.pcap ex21.pcap
 filter out large flows (>=400 packets)
@@ -29,18 +30,21 @@ generate csv from wireshark for full pcap generate graphs: large_flow_2.png
-cat large_flow_2.dehexed.csv | awk -F, '{print $8}' | sed 's/5950/0/' | sed 's/5960/1/' | sed 's/"//g' > bits
+cat large_flow_2.dehexed.csv | awk -F, '{print \$8}' | sed 's/5950/0/' | sed 's/5960/1/' | sed 's/"//g' > bits
 ./bitstobytes.py
-Message:
-"""Data acquired. Key for message (len=42 & pkts>200): nSa123 (Scott)"""
+\section{Rep:2.b}
+Data acquired. Key for message (len=42 & pkts>200): nSa123 (Scott)
+\section{Rep:2.c}
+
+pcap-ng format to pcap for scapy
 editcap -F libpcap team15_ex22.pcap ex22.pcap
 filter out large flows (>200 packets and frame.len == 42)
 ./task2/readflows.py
-{('53.151.211.106', '217.115.203.44'): (213, 0)}
+% {('53.151.211.106', '217.115.203.44'): (213, 0)}
 filter into file
 ip.addr == 53.151.211.106 and ip.addr == 217.115.203.44 
@@ -48,3 +52,16 @@ ip.addr == 53.151.211.106 and ip.addr == 217.115.203.44
 generate graph: large_flow.png
+save bytes (ipid) from stream to file
+./decode_ipid.py
+
+try decoding with password from previous task
+openssl enc -d -rc4 -nosalt -k nSa123 -in stream_encrypted -out stream_decrypted
+
+-> didn't work
+
+tried reversing the bytes (lower byte first, upper byte next)
+
+-> didn't work
+
+\section{Rep:2.c}
diff --git a/exercise2/task2/decode_ipid.py b/exercise2/task2/decode_ipid.py
new file mode 100755
index 0000000..4a98650
--- /dev/null
+++ b/exercise2/task2/decode_ipid.py
@@ -0,0 +1,31 @@
+#!/usr/bin/env python
+
+# disable IPv6 error message
+import logging
+logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
+from scapy.all import *
+logging.getLogger("scapy.runtime").setLevel(logging.WARN)
+from pprint import pprint
+
+# disable payload parsing (saves two seconds runtime^^)
+IP.payload_guess = []
+
+bytes = bytearray()
+
+for p in PcapReader('large_flow.pcap'):
+ if IP in p:
+ src = p[IP].src
+ dst = p[IP].dst
+ id = p[IP].id
+
+ bin = "{0:016b}".format(id)
+ upper = int(bin[0:8], 2)
+ lower = int(bin[8:16], 2)
+ print ("Upper: %s, Lower: %s" % (bin[0:8], bin[8:16]))
+ print ("Full: %s" % (bin))
+ bytes.append(upper)
+ bytes.append(lower)
+
+with open('stream_encrypted', 'a+') as encfile:
+ encfile.write(bytes)
+ 
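Review bot: `open('stream_encrypted', 'a+')` at the end of decode_ipid.py appends, so every re-run of the script grows the output file with another full copy of the extracted bytes, and the bytearray is pushed through a text-mode handle that Python 3 would reject; `with open('stream_encrypted', 'wb') as encfile:` overwrites on each run and writes raw bytes under both interpreters. The 16-bit `p[IP].id` can be split without the binary-string round trip, e.g. `upper, lower = id >> 8, id & 0xff` (or `bytes.extend(struct.pack('>H', id))`), which also gives an opportunity to stop shadowing the builtins `bytes`, `id` and `bin`. `src`, `dst` and the `pprint` import are never used and can be dropped. If the decryption attempts recorded in exercise2.tex ran against a file produced by more than one invocation, the duplicated stream would explain a failure independently of key or byte order — the page does not show how often the script was run, so treat this as a hypothesis to check before trying further byte orderings.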
diff --git a/exercise2/task2/large_flow.pcap b/exercise2/task2/large_flow.pcap new file mode 100644 index 0000000000000000000000000000000000000000..607da823d11678521c9e7f866b2fdd261d0ffe9e GIT binary patch literal 12378 zcmaLde^k%+9tZGml)i-}Az@adrij{AB0rb88l~@v`BBoPrIM8&G2h&>qFS|9jQp(Y zVEM7t^;Ih+}z(pEs_y&Og?fD z>CuVgDk_WGMMgLwxt7XlH$>LYL~=cqmUBe*F(4UBW%@yp+x18$Q5jh+@{|tAT~u1D zZ@l?0NbaMuYN%u`&>-m>&puCQ50ULnNG_n#-&tf$8A)}`vZU2I#n+=ni5hCq6 zkep2A*X1H(79&|r<;^=HKbVSSlLMmrP_7IV2-H?o&!ld?JB5hoe)Kh76MWn4ClBraNM2S3GfTU(Bt2SP( z^8j3@F_n!qk~tYxYf9zM(IUO`QMKk&t{yM4-~o~cb!?r9X(DsBAz3+($pNa@?CFi< z>JTQc$4jP9E|M`+CYy`g(+|l{sPr2q^6KwM_6lRwe%nLj>VZi1q4J^XO=Q+1 zBrO}5tO*tAUyP)GGn0eWQ?N%Gk~vf^?~u%rcaZF)@_2*D=!r=Bo0*c{ZyN(J+(&w z%lutEc^%;W=|!bet5n-D8m+UQ${lJSN`w1QYZ$Axs%x0nbuMd1nJ=i!dL}Y+43eEx zx~k`AE1cEj#;|HnL`vqzg(%Z>6O%O$Mf$rVX-?%E?jo(=Zel@Yz#k$n*`mz1sI*pl zpLscwZ&Nu&?eWjy9`8V9@gk`<{36P9q*AAz_6GR0cc$|1ze(o7;V9FUN{ddBec`S- zI+cABE~&|Hpef9xa@t=dv;HQMW2x-7Uu5q%Bt57MD-n4n1W8XSOQwiieizBfROYGE zl^&k1bX1m4l+54;lo?EAU4h6MQApNPX@5rKtB;V3N@L#y*Qp{~?;xrBoXL_Rk;|7O zIhV?JTSPvCXTfMH)6~Qz8%|t$eZi_7cug|Rd{DK0sB}`($qqQ3bfYp;O@6c5Q050z z1}v3oFO?zbn9tT3>L9YT6G`t%Cf_?P@@^QCK2%oyL*#sTXZulkt)ECgbCl^%<(@4f zlXf9FpUT6%MC$t@dFc_mLSuJ|Y)L}0ipu9I(*(%)_vE%I4SE%WNWO@doOkXN*yf1RrEhyh(nIGkgEQ>}`N9AkvHfT6}8}#W4mKpV2 zG7Cqc%=joKFZUF=&6D)s85lUI#oA(bAg2YUp2uoEe)+A|hXZMX%>JWb`t4@90A zk7Oy8t}{fo{*2@~DzgJbrdA+XPGzy0+J(cZT_u(7v6A`Z0Lr{fW!yrM2P%;aN@Jf& zhC1nNgD0KA=}a07lBx4WnM0{;Q{9^j?B13gW0@PXCG$`+$_%G+mFjQ5h5c~ z@OL$F)vVfKmXi5rZ3=5>s;i;qjj@D^Sh z7|x7asI)yH(kK#Two%!xdJ|{Zo3vBuruKxVa8KxjG0=CZnR+8Bp{@Q8ac_yzO73sGYWv2a;$qQ=Uw*=1nGN|0H zx|(#@)oi@XGS~fEsy*h2s@2yrdA3qy$U-FJs0