diff --git a/hw4/app.py b/hw4/app.py
index 62b70b5..7720830 100644
--- a/hw4/app.py
+++ b/hw4/app.py
@@ -25,7 +25,6 @@ def main():
 if len(sys.argv) > 1:
 try:
 bpf: str = 'tcp and src host 192.168.86.228 and src port 5000 and dst host 192.168.86.167'
- #bpf = 'host 192.168.86.167 or 192.168.86.228 and port 5000'
 packets: PacketList = sniff(offline = sys.argv[1], filter=bpf, session = TCPSession)
 except:
 print("File read failure: %s not found" % sys.argv[1])
@@ -34,25 +33,20 @@ def main():
 print("Need a pcap file to read!")
 sys.exit(1)
 raw_packets: PacketList = packets[Raw]
- byte_accum: bytearray = bytearray(b'')
+ byte_accum = b''
 count = 0
- print("Total packets matching BPF: ",len(packets))
- print("Total raw packets matching BPF: ",len(raw_packets))
- for r in raw_packets:
- raw_packet: Packet = r
+ for i in range(0, len(raw_packets)):
+ raw_packet: Packet = raw_packets[i]
 if b"Content-Type" in raw_packet[Raw].load:
- payload: bytes = raw_packet[Raw].load.split(b'\r\n')[-1]
- #print('Packet: ', raw_packet)
- #print("Packet Raw: ", raw_packet[Raw].load )
- #print()
- #print('payload: ', payload)
- #input()
- #print()
+ top_payload: bytes = raw_packet[Raw].load.split(b'\r\n')[-1]
+ bottom_payload: bytes = b''
+ if i+1 < len(raw_packets):
+ raw_packet_2: Packet = raw_packets[i+1]
+ bottom_payload: bytes = raw_packet_2[Raw].load
 count += 1
- byte_accum = byte_accum + bytearray(payload)
- result_bytes: bytes = base64_bytes(bytes(byte_accum).decode('ascii'))
+ byte_accum = byte_accum + base64_bytes(top_payload + bottom_payload)
 file = open('download.bin','wb')
- file.write(result_bytes)
+ file.write(byte_accum)
 print('done: ' ,count, ' packets decoded and packets written to download.bin')
 compute_checksums('download.bin')
diff --git a/hw4/hashes.png b/hw4/hashes.png
new file mode 100644
index 0000000..472c55e
Binary files /dev/null and b/hw4/hashes.png differ
diff --git a/hw4/hw4.md b/hw4/hw4.md
index 52b0f84..b3ec3ca 100644
--- a/hw4/hw4.md
+++ b/hw4/hw4.md
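Review bot: The continuation guard `if i+1 < len(raw_packets):` only checks that a next packet exists, not that it is the body continuation of this response; a response whose body fits entirely in the header segment would have the following response's header packet decoded as its bottom_payload and then decoded again as that packet's own top_payload, corrupting the output. A cheap guard that matches the pairing assumption is `if i+1 < len(raw_packets) and b"Content-Type" not in raw_packets[i+1][Raw].load:`. Decoding each pair on its own with `base64_bytes(top_payload + bottom_payload)` also assumes every pair is a self-contained base64 unit (length a multiple of 4 before padding), whereas the removed code decoded the whole accumulation once, and base64_bytes was previously handed a decoded str rather than bytes, so its accepted input type should be confirmed since it is defined outside this hunk. The `bytes` annotation on `bottom_payload` is repeated on the reassignment inside the inner if; annotate it once at the first assignment. main() begins outside the hunk.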
@@ -22,12 +22,16 @@ A starting point of a BPF might look like `tcp and src host 192.168.86.228 and s
 As a wireshark filter, this would be `tcp && ip.src == 192.168.86.228 && tcp.srcport == 5000 && ip.dst == 192.168.86.167`
 ### Scapy
-I wrote a python scapy script will help us work with this capture file to assemble the .bin from the raw response of the relevant TCP packets. This script is shown in `./app.py`. Our script will confirm the extracted binary matches the following checksums
+I wrote a python scapy script will help us work with this capture file to assemble the .bin from the raw response of the relevant TCP packets. This script is shown in [./app.py](./app.py). Our script will confirm the extracted binary matches the following checksums
 ```
 MD5: 7aa6a7ebcbd98ce19539b668ff790655
 SHA256: 2a7719719aa4f869586a7043f532e01ed4985e5c25b9a54979ac7d50c67820ec61c2805d6169b9c95a98104b8fb1d4f9ec698d23881360e99f5232a4f3cf12d4
 ```
+When writing this script I had to dig deeper into the packet capture to understand how the content was being transmitted. As it turns out, in the interesting response packets noted above, base64 encoded data was contained accross a pair of TCP responses for every HTTP request in the session. The first packet of this pair contained content after `\r\n\r` bytes were appear in the raw data. The second packet of the pair was the immediete next packet in the TCP session, and all of its raw data comprised the rest of this chunk. I wrote a loop on the filtered packet list which was able to extract and compound the overall payload with this technique. As we see, we produce a `download.bin` with the proper hash and we can move on to exploring it
+
+![hashes](./hashes.png)
+
 ## Questions
 1) What architecture is the firmware intended to run on?
 2) What OS is the firmware running?