david/netsec-djw2
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
This repository has been archived on 2025-04-28. You can view files and clone it, but cannot push or open issues or pull requests.
7358b3f1ee
netsec-djw2/hw4/hw4.md
David Westgate 7358b3f1ee work on hw4
2024-05-28 16:24:15 -07:00

1.4 KiB
Raw Blame History

Homework 3: Find the firmware

We start by copying the firmware capture file from ada to our machine

scp-firmware

Reverse Engineering

First lets open this capture up in wireshark and do a high level overview

Wireshark overview

wireshark-0

Knowing we are ultimetly looking to re-construct a firmware download, we can discern some important info from wireshark

  • There are 241,531 packets in this capture, but only some are the traffic directly related to this download
  • Client of the download is 192.168.86.167 and server origin is 192.168.86.228:5000
  • The download is split over multiple HTTP requests by the shown convention, which themselves are split over multiple TCP requests

A starting point of a BPF might look like tcp and src host 192.168.86.228 and src port 5000 and dst host 192.168.86.167

As a wireshark filter, this would be tcp && ip.src == 192.168.86.228 && tcp.srcport == 5000 && ip.dst == 192.168.86.167

Before moving on to scapy, we can filter down our firmware.pcap to a new capture called filtered.pcap with the following command

tcpdump -r firmware.pcap -w filtered.pcap 'tcp and src host 192.168.86.228 and src port 5000 and dst host 192.168.86.167'

Questions

  1. What architecture is the firmware intended to run on?
  2. What OS is the firmware running?
  3. What users are present on the system?