work on hw4 script
This commit is contained in:
parent
7358b3f1ee
commit
ce23a76b41
68
hw4/app.py
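--- a/hw4/app.py
+++ b/hw4/app.py
@@ -1,38 +1,60 @@
-from scapy.all import * #pull in all of scapy -- you could do it other ways, but this makes it isomorphic to using scapy command line
+from scapy.all import *
 import socket
 import sys
 import time
+import hashlib
 
+def compute_checksums(file_path):
+sha512_hash = hashlib.sha512()
+md5_hash = hashlib.md5()
+try:
+with open(file_path, "rb") as f:
+while chunk := f.read(8192):
+sha512_hash.update(chunk)
+md5_hash.update(chunk)
+except FileNotFoundError:
+print(f"Error: File not found - {file_path}")
+return
+sha512_digest = sha512_hash.hexdigest()
+md5_digest = md5_hash.hexdigest()
+print(f"MD5: {md5_digest}")
+print(f"SHA-512: {sha512_digest}")
 
 
 def main():
-if len(sys.argv) > 1: #if we have a command line argument
+if len(sys.argv) > 1:
 try:
-packets: PacketList = rdpcap(sys.argv[1])
-#rdpcap is how we read a previously captured pcap file
+bpf: str = 'tcp and src host 192.168.86.228 and src port 5000 and dst host 192.168.86.167'
+#bpf = 'host 192.168.86.167 or 192.168.86.228 and port 5000'
+packets: PacketList = sniff(offline = sys.argv[1], filter=bpf, session = TCPSession)
 except:
 print("File read failure: %s not found" % sys.argv[1])
 sys.exit(1)
 else:
 print("Need a pcap file to read!")
 sys.exit(1)
-#bpf = 'tcp and src host 192.168.86.228 and src port 80 and dst host 192.168.86.167'
-#filtered = packets.filter(bpf)
-#print(packets) #this gives us a nice summary of what we have in the pcap file
-for p in packets[:5]: #let's only look at the first 100
-packet : Packet = p
-#we can filter based on what scapy calls "layers"
-#each layer is a portion of a packet
-#so a DNS packet would have an IP layer, a UDP layer, and a DNS layer
-#ICMP would be IP, TCP, ICMP layers
-#and because we're on an ethernet network, all of the above also has an ether layer
-#let's not print DNS packets
-#if not packet.haslayer(DNS):
-# print(packet.summary)
-lsc()
-#packet.show() #print the contents of the packet
-#print(packet.summary()) #we also can print out a summary of the packet, similar to tcpdump default output
-time.sleep(0.2) #small pause between packets
+raw_packets: PacketList = packets[Raw]
+byte_accum: bytearray = bytearray(b'')
+count = 0
+print("Total packets matching BPF: ",len(packets))
+print("Total raw packets matching BPF: ",len(raw_packets))
+for r in raw_packets:
+raw_packet: Packet = r
+if b"Content-Type" in raw_packet[Raw].load:
+payload: bytes = raw_packet[Raw].load.split(b'\r\n')[-1]
+#print('Packet: ', raw_packet)
+#print("Packet Raw: ", raw_packet[Raw].load )
+#print()
+#print('payload: ', payload)
+#input()
+#print()
+count += 1
+byte_accum = byte_accum + bytearray(payload)
+result_bytes: bytes = base64_bytes(bytes(byte_accum).decode('ascii'))
+file = open('download.bin','wb')
+file.write(result_bytes)
+print('done: ' ,count, ' packets decoded and packets written to download.bin')
+compute_checksums('download.bin')
 
 if __name__ == '__main__':
 main()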
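Review bot: `file.write(result_bytes)` is never followed by a close or flush before `compute_checksums('download.bin')` reopens the same path for reading, so the MD5/SHA-512 digests can be computed over a partially written file and then disagree with what ends up on disk; replace the two lines with `with open('download.bin', 'wb') as file:` / `    file.write(result_bytes)` so the data is durable before it is hashed. The bare `except:` now wraps the `sniff(offline=..., filter=bpf, session=TCPSession)` call as well, so a BPF filter that fails to compile or any other sniff error is reported as "%s not found" and exits silently; `except Exception as e:` followed by printing `e` alongside the file name would keep the diagnosis honest. compute_checksums only prints its digests and returns None, so `main` cannot actually confirm the extracted binary against expected values; returning `(md5_digest, sha512_digest)` would let the caller compare them. The 128-hex-character digest this script prints as "SHA-512" is labelled SHA256 in the accompanying hw4.md hunk, which looks like a mislabel rather than a different hash.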
11
hw4/hw4.md
11
hw4/hw4.md
@ -21,16 +21,13 @@ A starting point of a BPF might look like `tcp and src host 192.168.86.228 and s
As a wireshark filter, this would be `tcp && ip.src == 192.168.86.228 && tcp.srcport == 5000 && ip.dst == 192.168.86.167`
As a wireshark filter, this would be `tcp && ip.src == 192.168.86.228 && tcp.srcport == 5000 && ip.dst == 192.168.86.167`
Before moving on to scapy, we can filter down our `firmware.pcap` to a new capture called `filtered.pcap` with the following command
### Scapy
I wrote a python scapy script will help us work with this capture file to assemble the .bin from the raw response of the relevant TCP packets. This script is shown in `./app.py`. Our script will confirm the extracted binary matches the following checksums
```
```
tcpdump -r firmware.pcap -w filtered.pcap 'tcp and src host 192.168.86.228 and src port 5000 and dst host 192.168.86.167'
MD5: 7aa6a7ebcbd98ce19539b668ff790655
SHA256: 2a7719719aa4f869586a7043f532e01ed4985e5c25b9a54979ac7d50c67820ec61c2805d6169b9c95a98104b8fb1d4f9ec698d23881360e99f5232a4f3cf12d4
```
```
###
## Questions
## Questions
1) What architecture is the firmware intended to run on?
1) What architecture is the firmware intended to run on?
2) What OS is the firmware running?
2) What OS is the firmware running?