work on hw4 script

This commit is contained in:
David Westgate 2024-05-29 21:28:11 -07:00
parent 7358b3f1ee
commit ce23a76b41
2 changed files with 49 additions and 30 deletions


@ -1,38 +1,60 @@
from scapy.all import * #pull in all of scapy -- you could do it other ways, but this makes it isomorphic to using scapy command line
from scapy.all import *
import socket
import sys
import time
import hashlib
def compute_checksums(file_path):
sha512_hash = hashlib.sha512()
md5_hash = hashlib.md5()
try:
with open(file_path, "rb") as f:
while chunk := f.read(8192):
sha512_hash.update(chunk)
md5_hash.update(chunk)
except FileNotFoundError:
print(f"Error: File not found - {file_path}")
return
sha512_digest = sha512_hash.hexdigest()
md5_digest = md5_hash.hexdigest()
print(f"MD5: {md5_digest}")
print(f"SHA-512: {sha512_digest}")
def main():
if len(sys.argv) > 1: #if we have a command line argument
if len(sys.argv) > 1:
try:
packets: PacketList = rdpcap(sys.argv[1])
#rdpcap is how we read a previously captured pcap file
bpf: str = 'tcp and src host 192.168.86.228 and src port 5000 and dst host 192.168.86.167'
#bpf = 'host 192.168.86.167 or 192.168.86.228 and port 5000'
packets: PacketList = sniff(offline = sys.argv[1], filter=bpf, session = TCPSession)
except:
print("File read failure: %s not found" % sys.argv[1])
sys.exit(1)
else:
print("Need a pcap file to read!")
sys.exit(1)
#bpf = 'tcp and src host 192.168.86.228 and src port 80 and dst host 192.168.86.167'
#filtered = packets.filter(bpf)
#print(packets) #this gives us a nice summary of what we have in the pcap file
for p in packets[:5]: #let's only look at the first 100
packet : Packet = p
#we can filter based on what scapy calls "layers"
#each layer is a portion of a packet
#so a DNS packet would have an IP layer, a UDP layer, and a DNS layer
#ICMP would be IP, TCP, ICMP layers
#and because we're on an ethernet network, all of the above also has an ether layer
#let's not print DNS packets
#if not packet.haslayer(DNS):
# print(packet.summary)
lsc()
#packet.show() #print the contents of the packet
#print(packet.summary()) #we also can print out a summary of the packet, similar to tcpdump default output
time.sleep(0.2) #small pause between packets
raw_packets: PacketList = packets[Raw]
byte_accum: bytearray = bytearray(b'')
count = 0
print("Total packets matching BPF: ",len(packets))
print("Total raw packets matching BPF: ",len(raw_packets))
for r in raw_packets:
raw_packet: Packet = r
if b"Content-Type" in raw_packet[Raw].load:
payload: bytes = raw_packet[Raw].load.split(b'\r\n')[-1]
#print('Packet: ', raw_packet)
#print("Packet Raw: ", raw_packet[Raw].load )
#print()
#print('payload: ', payload)
#input()
#print()
count += 1
byte_accum = byte_accum + bytearray(payload)
result_bytes: bytes = base64_bytes(bytes(byte_accum).decode('ascii'))
file = open('download.bin','wb')
file.write(result_bytes)
print('done: ' ,count, ' packets decoded and packets written to download.bin')
compute_checksums('download.bin')
if __name__ == '__main__':
main()
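Review bot: `compute_checksums('download.bin')` at the end of `main` reads the file while the handle from `file = open('download.bin','wb')` two lines earlier is still open and never flushed or closed, so the printed MD5/SHA-512 can be computed over a partially written or empty file; replace those two lines with `with open('download.bin', 'wb') as file:` / `    file.write(result_bytes)` so the data is on disk before hashing. The bare `except:` around `rdpcap`/`sniff` turns every failure — a malformed capture, a bad BPF string, even a KeyboardInterrupt — into "File read failure: … not found"; `except OSError as e:` (plus whatever scapy raises for an unreadable capture, which I have not verified) with `e` included in the message would keep the real cause visible. The `packets: PacketList = rdpcap(sys.argv[1])` assignment is immediately overwritten by the `sniff(offline=...)` call, so the first read is dead work that can be dropped. Separately, the README hunk in this same commit labels the 128-hex-digit digest "SHA256" while this script prints it as "SHA-512" and the length matches SHA-512; the two labels should agree.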


@ -21,16 +21,13 @@ A starting point of a BPF might look like `tcp and src host 192.168.86.228 and s
As a wireshark filter, this would be `tcp && ip.src == 192.168.86.228 && tcp.srcport == 5000 && ip.dst == 192.168.86.167`
Before moving on to scapy, we can filter down our `firmware.pcap` to a new capture called `filtered.pcap` with the following command
### Scapy
I wrote a python scapy script will help us work with this capture file to assemble the .bin from the raw response of the relevant TCP packets. This script is shown in `./app.py`. Our script will confirm the extracted binary matches the following checksums
```
tcpdump -r firmware.pcap -w filtered.pcap 'tcp and src host 192.168.86.228 and src port 5000 and dst host 192.168.86.167'
MD5: 7aa6a7ebcbd98ce19539b668ff790655
SHA256: 2a7719719aa4f869586a7043f532e01ed4985e5c25b9a54979ac7d50c67820ec61c2805d6169b9c95a98104b8fb1d4f9ec698d23881360e99f5232a4f3cf12d4
```
###
## Questions
1) What architecture is the firmware intended to run on?
2) What OS is the firmware running?