From ff635c82cf75c96ffd15501dc3f8079d8ba92948 Mon Sep 17 00:00:00 2001
From: David Kaufmann <astra@ionic.at>
Date: Fri, 25 Dec 2015 20:42:17 +0100
Subject: [PATCH] add decoder

---
 exercise2.tex                   |  25 +++++++++++++++++++++----
 exercise2/task2/decode_ipid.py  |  31 +++++++++++++++++++++++++++++++
 exercise2/task2/large_flow.pcap | Bin 0 -> 12378 bytes
 3 files changed, 52 insertions(+), 4 deletions(-)
 create mode 100755 exercise2/task2/decode_ipid.py
 create mode 100644 exercise2/task2/large_flow.pcap

diff --git a/exercise2.tex b/exercise2.tex
index 0ae3da7..03369f2 100644
--- a/exercise2.tex
+++ b/exercise2.tex
@@ -1,5 +1,6 @@
 \section{Rep:2.a}
 
+pcap-ng format to pcap for scapy
 editcap -F libpcap team15_ex21.pcap ex21.pcap
 
 filter out large flows (>=400 packets)
@@ -29,18 +30,21 @@ generate csv from wireshark for full pcap
 generate graphs:
 large_flow_2.png
 
-cat large_flow_2.dehexed.csv | awk -F, '{print $8}' | sed 's/5950/0/' | sed 's/5960/1/' | sed 's/"//g' > bits
+cat large_flow_2.dehexed.csv | awk -F, '{print \$8}' | sed 's/5950/0/' | sed 's/5960/1/' | sed 's/"//g' > bits
 ./bitstobytes.py
 
-Message:
-"""Data acquired. Key for message (len=42 & pkts>200): nSa123 (Scott)"""
+\section{Rep:2.b}
+Data acquired. Key for message (len=42 & pkts>200): nSa123 (Scott)
 
+\section{Rep:2.c}
+
+pcap-ng format to pcap for scapy
 editcap -F libpcap team15_ex22.pcap ex22.pcap
 
 filter out large flows (>200 packets and frame.len == 42)
 
 ./task2/readflows.py
-{('53.151.211.106', '217.115.203.44'): (213, 0)}
+% {('53.151.211.106', '217.115.203.44'): (213, 0)}
 
 filter into file
 ip.addr == 53.151.211.106 and ip.addr == 217.115.203.44
@@ -48,3 +52,16 @@ ip.addr == 53.151.211.106 and ip.addr == 217.115.203.44
 generate graph:
 large_flow.png
 
+save bytes (ipid) from stream to file
+./decode_ipid.py
+
+try decoding with password from previous task
+openssl enc -d -rc4 -nosalt -k nSa123 -in stream_encrypted -out stream_decrypted
+
+-> didn't work
+
+tried reversing the bytes (lower byte first, upper byte next)
+
+-> didn't work
+
+\section{Rep:2.c}
diff --git a/exercise2/task2/decode_ipid.py b/exercise2/task2/decode_ipid.py
new file mode 100755
index 0000000..4a98650
--- /dev/null
+++ b/exercise2/task2/decode_ipid.py
@@ -0,0 +1,31 @@
+#!/usr/bin/env python
+
+# disable IPv6 error message
+import logging
+logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
+from scapy.all import *
+logging.getLogger("scapy.runtime").setLevel(logging.WARN)
+from pprint import pprint
+
+# disable payload parsing (saves two seconds runtime^^)
+IP.payload_guess = []
+
+bytes = bytearray()
+
+for p in PcapReader('large_flow.pcap'):
+    if IP in p:
+        src = p[IP].src
+        dst = p[IP].dst
+        id = p[IP].id
+
+        bin = "{0:016b}".format(id)
+        upper = int(bin[0:8], 2)
+        lower = int(bin[8:16], 2)
+        print ("Upper: %s, Lower: %s" % (bin[0:8], bin[8:16]))
+        print ("Full: %s" % (bin))
+        bytes.append(upper)
+        bytes.append(lower)
+
+with open('stream_encrypted', 'a+') as encfile:
+    encfile.write(bytes)
+
diff --git a/exercise2/task2/large_flow.pcap b/exercise2/task2/large_flow.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..607da823d11678521c9e7f866b2fdd261d0ffe9e
GIT binary patch
literal 12378
zcmaLde^k%+9tZGml)i-}Az@adrij{AB0rb88l~@v`BBoPrIM8&G2h&>qFS|9jQp(Y
zVEM7t<VUHnBzM}%mx<9vit?+g=&G}^-Cpne$35qs=XpBEIsEZB&)56&{eIq`*ZcMP
zUau(J-%Vqz`QIO7jZxQs>^;Ih+}z(p<J9$U`I}PzLLb^1xwl2{U8U8$uhk4cwOgZk
zVi~#FE&Hd4TWfw8m6WTA)%5wVyieti#Ukg0BDvq1WhQ!w%&9{%e+H97twkDZk(}nu
zr1O^|+f$L8PURb~L|P3)awe6XCq+6&AlbNpRa@IEa`reR^)XCt^%nU>Es_y&Og?fD
z>CuVgDk_WGMMgLwxt7XlH$>LYL~=cqmUBe*F(4UBW%@yp+x18$Q5jh+@{|tAT~u1D
zZ@l?0NbaMuYN%u`&>-m>&puCQ50ULnNG_n#-&tf$8<Iz<wBI4}RSJ?5QdqS|e-OFe
zAIY-Mm<(Pcvium5?q4#QTqtsPB$5-UEPP93)SpNOo?@BS;UdjXBUyiu$!i-#&N+nS
zeJY#(CUU}AB%7(M@)0@zDw2s+tl9*1m*v8{Z2zxJYM)7_jSI@mqf)<1WZo7eFEp~u
z^mj#We~M(uV<x}J7r8bXNs~?{A0&yKxD!b&l~?+T^zVhFJ(Vq8Ey5E^w?RlcQaS5Q
zkvENy97W|y6OpHEklaXRWtqsprAWq8c|1pC^d=;abnij>A)}`vZU2I#n+=ni5hCq6
zkep2A*X1H(79&|r<;^=HKbVSSlLM<ZSM@^)upe@9X7ZY!WX`EUnfBwD^qDU5`fVgf
zP&vO&WR(|^b>mrP_7IV2-H?o&!ld?JB5hoe)Kh76MWn4ClBraNM2S3GfTU(Bt2SP(
z^8j3@F_n!qk~tYxYf9zM(IUO`QMKk&t{yM4-~o~cb!?r9X(DsBAz3+($pNa@?CFi<
z>JTQc$4jP9E|M`+CYy`g(+|l{sPr2q^6KwM_6lRwe%nLj>VZi1q4J^X<Hy53-ipeK
zNs<|K4`o_YnR-BEb}W+JBG@`BH;WA1jbtm8&(*Fu2JV{6wy?~@^^&<^GRh34QmgJ2
z8+d1jQ+YmEGMAo1nUi+1YLoLs?p}}N?88hNd`0RENTwK=JQ*Z%<#$L%-(@n>O=Q+1
zBrO}5tO*tAUyP)GGn0eWQ?N%Gk~vf^?~u%rcaZF)@_2*D=!r=Bo0*c{<c2zb&VuL9
zU@FVUNM`UelzDk1%XIlvWZOO@?|Cqpvr1&*H%LD9WwN_Y<WSgQJfm`+>ZyN(J+(&w
z%lutEc^%;W=|!bet5n-D8m+UQ${lJSN`w1QYZ$Axs%x0nbuMd1nJ=i!dL}Y+43eEx
zx~k`AE1cEj#;|HnL`vqzg(%Z>6O%O$Mf$rVX-?%E?jo(=Zel@Yz#k$n*`mz1sI*pl
zpLscwZ&Nu&?eWjy9`8V9@gk`<{36P9q*AAz_6GR0cc$|1ze(o7;V9FUN{ddBec`S-
zI+cABE~&|Hpef9xa@t=dv;HQMW2x-7Uu5q%Bt57MD-n4n1W8XSOQwiieizBfROYGE
zl^&k1bX1m4l+54;lo?EAU4h6MQApNPX@5rKtB;V3N@L#y*Qp{~?;xrBoXL_Rk;|7O
zIhV?JTSPvCXTfMH)6~Qz8%|t$eZi_7cug|Rd{DK0sB}`($qqQ3bfYp;O@6c5Q050z
z1}v3oFO?zbn9tT3>L9YT6G`t%Cf_?P@@^QCK2%oyL*#sTXZulkt)ECgbCl^%<(@4f
zlXf9FpUT6%MC$t@dFc_mLSuJ|Y)L}0ipu9I(*<VMP}y-&GMyHo%$nX>(%)_vE%I<H
zl3EKYUn^;c<kz-Lo+}f%49*w}s5DjY=mvS9%rjKJQv0nv+;7iPscV#K4W20TJ1Qrr
z^Jg=h)p$>4SE%WNWO@doOkXN*yf1RrEhyh(nIGkgEQ>}`N9AkvHfT6}8}#W4mKpV2
zG7Cqc%=joKFZUF=&<e>6D)s85lUI#oA(bAg2YUp2uoEe)+A|hXZMX%>JWb`t4@90A
zk7Oy8t}{fo{*2@~DzgJbrdA+XPGzy0+J(cZT_u(7v6A`Z0Lr{fW!yrM2P%;aN@Jf&
zhC1nNgD0KA=}a07lBx4WnM0{;Q{9^j?B13gW0@PXCG$`+$_%G+mFjQ5h5c<Lm5w_k
zvlG5s-a+LZ^<K~mz8Bm@WyDs=EJ{b~tpA=}q1qggvo|5xNM*uyk-48C*+ONk`jx>~
z@OL$F)vVfKmXi5rZ<J|wg~=(8MK+8@(vix|Z6fzMBk4@#F*W5`2d6wPRBloC=U#Y!
z7E}4+q*OaP0##c|<=z1zle9=SQJJMC5t(ojvDm;qm6`;}^xumz_fc8;xyaBgBomrh
zW`lb2PJvI}Zo|z;-xsX*gmSnim{NH`-78Drz0&B)GG~sHb>3=5>s;i;q<f~wCmBe7
zwUkN6#UeZ5d?=sFELV}4EhzIil_rTIhrn;bNh*yiM7|08z9K4P)vP8D&T9HDV^?VI
zZON>jj@D^S<qVbi3(P#Uf@Ll(mCW<YQ0DDbOt$<aa_lT5f2Hz!b!`_0AlXRexI2>h
z7|x7asI)yH(kK#Two%!xdJ|{Zo3vBuruKxVa8Kx<a&EFzTb+%nU9pCJDh73S(806A
z%NQo_kCe<wFHq)hRC?NpY<i94Ybp=j6S;8`lA3j_+RVWsw{}O;l*%BrgH^yC%#KR8
zmy-E(1j-yq<sen9))>jG0=CZnR+8Bp{@Q8ac_yzO73sGYWv2a;$qQ=Uw*=1nGN|0H
zx|(#@)oi@XGS~fEsy*h2s@2yrdA3qy$U-FJs0<AeSz3bRhjlE|L`__Vyp3eg114vy
z-;LM8-;KZXkjVjIQf<#7l$rIC$!%&+$bfr-We1ac`b%cA8OmJp2a}#^!rcTX+-X!6
isTt!6IAhGD@`$fg`-uTnyVA^@^k8{MMCxPyU;YOs8A`wa

literal 0
HcmV?d00001

-- 
2.43.0