From ce23a76b412edfe85ecd48ab40d2f8e537ace82d Mon Sep 17 00:00:00 2001 From: David Westgate Date: Wed, 29 May 2024 21:28:11 -0700 Subject: [PATCH] work on hw4 script
---
 hw4/app.py | 68 ++++++++++++++++++++++++++++++++++++------------------
 hw4/hw4.md | 11 ++++-----
 2 files changed, 49 insertions(+), 30 deletions(-)
diff --git a/hw4/app.py b/hw4/app.py
index c140a74..62b70b5 100644
--- a/hw4/app.py
+++ b/hw4/app.py
@@ -1,38 +1,60 @@
-from scapy.all import * #pull in all of scapy -- you could do it other ways, but this makes it isomorphic to using scapy command line
+from scapy.all import *
 import socket
 import sys
 import time
+import hashlib
+
+def compute_checksums(file_path):
+ sha512_hash = hashlib.sha512()
+ md5_hash = hashlib.md5()
+ try:
+ with open(file_path, "rb") as f:
+ while chunk := f.read(8192):
+ sha512_hash.update(chunk)
+ md5_hash.update(chunk)
+ except FileNotFoundError:
+ print(f"Error: File not found - {file_path}")
+ return
+ sha512_digest = sha512_hash.hexdigest()
+ md5_digest = md5_hash.hexdigest()
+ print(f"MD5: {md5_digest}")
+ print(f"SHA-512: {sha512_digest}")
+
 def main():
- if len(sys.argv) > 1: #if we have a command line argument
+ if len(sys.argv) > 1:
 try:
- packets: PacketList = rdpcap(sys.argv[1])
- #rdpcap is how we read a previously captured pcap file
+ bpf: str = 'tcp and src host 192.168.86.228 and src port 5000 and dst host 192.168.86.167'
+ #bpf = 'host 192.168.86.167 or 192.168.86.228 and port 5000'
+ packets: PacketList = sniff(offline = sys.argv[1], filter=bpf, session = TCPSession)
 except:
 print("File read failure: %s not found" % sys.argv[1])
 sys.exit(1)
 else:
 print("Need a pcap file to read!")
 sys.exit(1)
- #bpf = 'tcp and src host 192.168.86.228 and src port 80 and dst host 192.168.86.167'
- #filtered = packets.filter(bpf)
- #print(packets) #this gives us a nice summary of what we have in the pcap file
-
- for p in packets[:5]: #let's only look at the first 100
- packet : Packet = p
- #we can filter based on what scapy calls "layers"
- #each layer is a portion of a packet
- #so a DNS packet would have an IP layer, a UDP layer, and a DNS layer
- #ICMP would be IP, TCP, ICMP layers
- #and because we're on an ethernet network, all of the above also has an ether layer
- #let's not print DNS packets
- #if not packet.haslayer(DNS):
- # print(packet.summary)
- lsc()
- #packet.show() #print the contents of the packet
- #print(packet.summary()) #we also can print out a summary of the packet, similar to tcpdump default output
- time.sleep(0.2) #small pause between packets
-
+ raw_packets: PacketList = packets[Raw]
+ byte_accum: bytearray = bytearray(b'')
+ count = 0
+ print("Total packets matching BPF: ",len(packets))
+ print("Total raw packets matching BPF: ",len(raw_packets))
+ for r in raw_packets:
+ raw_packet: Packet = r
+ if b"Content-Type" in raw_packet[Raw].load:
+ payload: bytes = raw_packet[Raw].load.split(b'\r\n')[-1]
+ #print('Packet: ', raw_packet)
+ #print("Packet Raw: ", raw_packet[Raw].load )
+ #print()
+ #print('payload: ', payload)
+ #input()
+ #print()
+ count += 1
+ byte_accum = byte_accum + bytearray(payload)
+ result_bytes: bytes = base64_bytes(bytes(byte_accum).decode('ascii'))
+ file = open('download.bin','wb')
+ file.write(result_bytes)
+ print('done: ' ,count, ' packets decoded and packets written to download.bin')
+ compute_checksums('download.bin')
 if __name__ == '__main__':
 main()
\ No newline at end of file
diff --git a/hw4/hw4.md b/hw4/hw4.md
index 141cdc0..52b0f84 100644
--- a/hw4/hw4.md
+++ b/hw4/hw4.md
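Review bot: `compute_checksums('download.bin')` on the last added line reads the file back while the handle from `file = open('download.bin','wb')` is still open and never closed, so whatever `file.write(result_bytes)` left in the write buffer may not be on disk yet and the printed digests can describe a truncated file. Replace the two lines with `with open('download.bin', 'wb') as out: out.write(result_bytes)` so the data is flushed before it is hashed, or hash `result_bytes` in memory and skip the re-read entirely. The digests are only printed, never checked: `split(b'\r\n')[-1]` discards everything before the last CRLF in a segment (an empty payload when the segment ends in CRLF, most of the body if the base64 text is line-wrapped) and `base64_bytes` does not validate its input strictly, so a silently truncated image would still print two digests that nobody compares — give `compute_checksums` an `expected_sha512` parameter and `sys.exit(f"SHA-512 mismatch: {sha512_digest}")` when it differs, keeping the MD5 as a reference value only. The pre-existing bare `except:` now also wraps `sniff(offline=..., filter=bpf, session=TCPSession)`, which on most scapy versions needs a working tcpdump/libpcap to apply the BPF offline, so a missing tool or a bad filter is reported as "File read failure: ... not found"; catching `(OSError, Scapy_Exception) as exc` and printing `exc` would make the real cause visible.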
@@ -21,16 +21,13 @@ A starting point of a BPF might look like `tcp and src host 192.168.86.228 and s
 As a wireshark filter, this would be `tcp && ip.src == 192.168.86.228 && tcp.srcport == 5000 && ip.dst == 192.168.86.167`
-Before moving on to scapy, we can filter down our `firmware.pcap` to a new capture called `filtered.pcap` with the following command
-
+### Scapy
+I wrote a python scapy script will help us work with this capture file to assemble the .bin from the raw response of the relevant TCP packets. This script is shown in `./app.py`. Our script will confirm the extracted binary matches the following checksums
 ```
-tcpdump -r firmware.pcap -w filtered.pcap 'tcp and src host 192.168.86.228 and src port 5000 and dst host 192.168.86.167'
-
+MD5: 7aa6a7ebcbd98ce19539b668ff790655
+SHA256: 2a7719719aa4f869586a7043f532e01ed4985e5c25b9a54979ac7d50c67820ec61c2805d6169b9c95a98104b8fb1d4f9ec698d23881360e99f5232a4f3cf12d4
 ```
-
-### 
-
 ## Questions
 1) What architecture is the firmware intended to run on?
 2) What OS is the firmware running?