I Smell Packets


Answer to Fred’s Secret Packet Challenge – Part 1
June 2, 2009, 4:53 am
Filed under: mergecap, Packet Challenge, scapy, sed, tcpdump, text2pcap, tr

This challenge was a little harder than the previous ones. It seems a lot of people had a hard time taking the hex dump of the packets and converting them into pcap format. So, what I decided to do was break the answer to Fred’s Secret into a couple of different posts. Part 1 will describe how to convert the packets. In Part 2 we’ll go ahead and reveal the solution. This way everyone will still be able to try to find out the answer themselves.

Here are the four packets:

00 0c 29 4c 6d a6 00 0c 29 0e 66 bd 08 00 45 00
00 f6 04 38 40 00 80 06 b7 77 c0 a8 5e 80 c0 a8
5e 81 0d 0d 01 bd 42 d0 33 b5 d2 64 26 85 50 18
fa 97 0e ae 00 00 00 00 00 ca ff 53 4d 42 73 00
00 00 00 18 07 c8 00 00 00 00 00 00 00 00 00 00
00 00 00 00 ff fe 00 00 10 00 0c ff 00 ca 00 04
11 0a 00 00 00 00 00 00 00 28 00 00 00 00 00 d4
00 00 a0 8f 00 4e 54 4c 4d 53 53 50 00 01 00 00
00 07 82 08 a2 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 05 01 28 0a 00 00 00 0f 00 57 00
69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 32 00
30 00 30 00 32 00 20 00 53 00 65 00 72 00 76 00
69 00 63 00 65 00 20 00 50 00 61 00 63 00 6b 00
20 00 33 00 20 00 32 00 36 00 30 00 30 00 00 00
57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00
32 00 30 00 30 00 32 00 20 00 35 00 2e 00 31 00
00 00 00 00


00 0c 29 0e 66 bd 00 0c 29 4c 6d a6 08 00 45 00
01 1f 00 9f 40 00 80 06 ba e7 c0 a8 5e 81 c0 a8
5e 80 01 bd 0d 0d d2 64 26 85 42 d0 34 83 50 18
f9 99 80 50 00 00 00 00 00 f3 ff 53 4d 42 73 16
00 00 c0 98 07 c8 00 00 00 00 00 00 00 00 00 00
00 00 00 00 ff fe 00 08 10 00 04 ff 00 f3 00 00
00 7e 00 c8 00 4e 54 4c 4d 53 53 50 00 02 00 00
00 0a 00 0a 00 38 00 00 00 05 82 8a a2 89 23 42
01 b1 62 1e d1 00 00 00 00 00 00 00 00 3c 00 3c
00 42 00 00 00 05 01 28 0a 00 00 00 0f 57 00 49
00 4c 00 4d 00 41 00 02 00 0a 00 57 00 49 00 4c
00 4d 00 41 00 01 00 0a 00 57 00 49 00 4c 00 4d
00 41 00 04 00 0a 00 57 00 49 00 4c 00 4d 00 41
00 03 00 0a 00 57 00 49 00 4c 00 4d 00 41 00 00
00 00 00 14 57 00 69 00 6e 00 64 00 6f 00 77 00
73 00 20 00 35 00 2e 00 31 00 00 00 57 00 69 00
6e 00 64 00 6f 00 77 00 73 00 20 00 32 00 30 00
30 00 30 00 20 00 4c 00 41 00 4e 00 20 00 4d 00
61 00 6e 00 61 00 67 00 65 00 72 00 00


00 0c 29 4c 6d a6 00 0c 29 0e 66 bd 08 00 45 00
01 60 04 39 40 00 80 06 b7 0c c0 a8 5e 80 c0 a8
5e 81 0d 0d 01 bd 42 d0 34 83 d2 64 27 7c 50 18
f9 a0 09 36 00 00 00 00 01 34 ff 53 4d 42 73 00
00 00 00 18 07 c8 00 00 00 00 00 00 00 00 00 00
00 00 00 00 ff fe 00 08 20 00 0c ff 00 34 01 04
11 0a 00 00 00 00 00 00 00 92 00 00 00 00 00 d4
00 00 a0 f9 00 4e 54 4c 4d 53 53 50 00 03 00 00
00 18 00 18 00 62 00 00 00 18 00 18 00 7a 00 00
00 0a 00 0a 00 48 00 00 00 08 00 08 00 52 00 00
00 08 00 08 00 5a 00 00 00 00 00 00 00 92 00 00
00 05 82 88 a2 05 01 28 0a 00 00 00 0f 77 00 69
00 6c 00 6d 00 61 00 66 00 72 00 65 00 64 00 46
00 52 00 45 00 44 00 be 16 d3 98 51 48 ba f5 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 77
72 dd 97 cb d6 6f 8d c7 ca db e1 88 6b c3 2b cc
83 df 15 dc 6e 98 41 00 57 00 69 00 6e 00 64 00
6f 00 77 00 73 00 20 00 32 00 30 00 30 00 32 00
20 00 53 00 65 00 72 00 76 00 69 00 63 00 65 00
20 00 50 00 61 00 63 00 6b 00 20 00 33 00 20 00
32 00 36 00 30 00 30 00 00 00 57 00 69 00 6e 00
64 00 6f 00 77 00 73 00 20 00 32 00 30 00 30 00
32 00 20 00 35 00 2e 00 31 00 00 00 00 00


00 0c 29 0e 66 bd 00 0c 29 4c 6d a6 08 00 45 00
00 a1 00 a0 40 00 80 06 bb 64 c0 a8 5e 81 c0 a8
5e 80 01 bd 0d 0d d2 64 27 7c 42 d0 35 bb 50 18
f8 61 c6 aa 00 00 00 00 00 75 ff 53 4d 42 73 00
00 00 00 98 07 c8 00 00 00 00 00 00 00 00 00 00
00 00 00 00 ff fe 00 08 20 00 04 ff 00 75 00 00
00 00 00 4a 00 82 57 00 69 00 6e 00 64 00 6f 00
77 00 73 00 20 00 35 00 2e 00 31 00 00 00 57 00
69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 32 00
30 00 30 00 30 00 20 00 4c 00 41 00 4e 00 20 00
4d 00 61 00 6e 00 61 00 67 00 65 00 72 00 00

Converting the Hex Dump into PCAP using tr, sed, text2pcap, & mergecap.

There are a number of different ways to convert a hex dump into pcap. The method I will demonstrate here uses the tr, sed, text2pcap, and mergecap commands. This is going to be long and drawn out, perhaps even a little painful. By doing it this way, though, we get to use a number of different commands, see what each of them does, and become familiar with their syntax and how they work. As we go through each step in the process, take a look at the output of the command and try to get a feel for what it is actually doing.

To begin, copy and paste each of the packets into a separate text file (for example 1.txt, 2.txt, 3.txt, 4.txt.)

Then, remove the newlines (each step below reads the previous step's output file):
tr -d '\n' < 1.txt > 1b.txt

Next, get rid of the blank spaces:
sed 's/ //g' 1b.txt > 1c.txt

Now, separate the bytes:
sed 's/\(..\)/\1 /g' 1c.txt > 1d.txt

Then, prepend a '00000 ' offset (text2pcap expects each line of input to begin with an offset):
sed 's/^/00000 /' 1d.txt > 1e.txt

Finally, convert the hex to pcap using text2pcap:
text2pcap 1e.txt 1f.pcap

All of this can be done on a single line by piping the output of one command into the input of the next command:
tr -d '\n' < 1.txt | sed 's/ //g' | sed 's/\(..\)/\1 /g' | sed 's/^/00000 /' | text2pcap - 1f.pcap

Repeat this process for each of the four packets. Afterwards there should be four pcap files: 1f.pcap, 2f.pcap, 3f.pcap, and 4f.pcap. These four packets now need to be combined back into a single file. This can be done using mergecap:

mergecap -w 5.pcap 1f.pcap 2f.pcap 3f.pcap 4f.pcap

If everything worked correctly, the file 5.pcap now contains four packets. To verify this, run tcpdump. Use the -v (verbose) switch to display the length of each packet; the lengths appear in the output below:

tcpdump -nnvr 5.pcap
reading from file 5.pcap, link-type EN10MB (Ethernet)
14:13:33.000000 IP (tos 0x0, ttl 128, id 159, offset 0, flags [DF], proto TCP (6), length 287) 192.168.94.129.445 > 192.168.94.128.3341: P, cksum 0x8050 (correct), 3529778821:3529779068(247) ack 1120941187 win 63897
14:13:52.000000 IP (tos 0x0, ttl 128, id 1081, offset 0, flags [DF], proto TCP (6), length 352) 192.168.94.128.3341 > 192.168.94.129.445: P, cksum 0x0936 (correct), 1:313(312) ack 247 win 63904
14:14:12.000000 IP (tos 0x0, ttl 128, id 160, offset 0, flags [DF], proto TCP (6), length 161) 192.168.94.129.445 > 192.168.94.128.3341: P, cksum 0xc6aa (correct), 247:368(121) ack 313 win 63585
14:18:29.000000 IP (tos 0x0, ttl 128, id 1080, offset 0, flags [DF], proto TCP (6), length 246) 192.168.94.128.3341 > 192.168.94.129.445: P, cksum 0x0eae (correct), 4294967091:1(206) ack 0 win 64151

Remember, the reason for going through this long, drawn-out process was to demonstrate the use of a number of different commands and how they work. With this knowledge, hopefully we'll have a better understanding of how to use each of these tools. Perhaps we can even begin writing scripts that automate such processes. 🙂
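As an added example (not code from the original post), here is the same conversion done in one Python script, with no text2pcap or mergecap needed: it collapses a pasted hex dump the way the tr/sed steps do, writes a standard libpcap 2.4 file with link type 1 (the "EN10MB (Ethernet)" tcpdump reports), and, before writing, checks that the frame length matches the IP total length field and that the IPv4 header checksum verifies, which is the same sanity check tcpdump -v prints as "(correct)". The embedded bytes are the first packet from the dump above; the output name 1f.pcap mirrors the post. Everything else (function names, the dictionary of check results) is this example's own.

```python
"""Hex dump -> pcap by hand: parse the dump, sanity-check the frame, write libpcap."""
import struct

# The first packet of the challenge, copied from the post's hex dump.
PACKET1_HEX = """
00 0c 29 4c 6d a6 00 0c 29 0e 66 bd 08 00 45 00
00 f6 04 38 40 00 80 06 b7 77 c0 a8 5e 80 c0 a8
5e 81 0d 0d 01 bd 42 d0 33 b5 d2 64 26 85 50 18
fa 97 0e ae 00 00 00 00 00 ca ff 53 4d 42 73 00
00 00 00 18 07 c8 00 00 00 00 00 00 00 00 00 00
00 00 00 00 ff fe 00 00 10 00 0c ff 00 ca 00 04
11 0a 00 00 00 00 00 00 00 28 00 00 00 00 00 d4
00 00 a0 8f 00 4e 54 4c 4d 53 53 50 00 01 00 00
00 07 82 08 a2 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 05 01 28 0a 00 00 00 0f 00 57 00
69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 32 00
30 00 30 00 32 00 20 00 53 00 65 00 72 00 76 00
69 00 63 00 65 00 20 00 50 00 61 00 63 00 6b 00
20 00 33 00 20 00 32 00 36 00 30 00 30 00 00 00
57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00
32 00 30 00 30 00 32 00 20 00 35 00 2e 00 31 00
00 00 00 00
"""

PCAP_MAGIC = 0xA1B2C3D4      # libpcap magic; the file headers below are little-endian
LINKTYPE_ETHERNET = 1        # the "EN10MB (Ethernet)" link type tcpdump prints
ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = b"\x08\x00"


def parse_hex_dump(text):
    """Collapse the dump to one hex string (what the tr and sed steps do) and decode it."""
    compact = "".join(text.split())
    if len(compact) % 2:
        raise ValueError("odd number of hex digits: a nibble was lost while copying the dump")
    return bytes.fromhex(compact)


def ones_complement_sum(data):
    """RFC 1071 checksum arithmetic: sum 16-bit big-endian words and fold the carries."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def check_frame(frame):
    """Length and IPv4 header checksum checks; a copy error in the header breaks at least one."""
    result = {"frame_len": len(frame), "is_ipv4": False, "ip_total_len": None,
              "length_consistent": False, "ip_checksum_ok": False}
    if len(frame) < ETH_HDR_LEN + 20 or frame[12:14] != ETHERTYPE_IPV4:
        return result
    result["is_ipv4"] = True
    ihl = (frame[ETH_HDR_LEN] & 0x0F) * 4                  # header length in bytes
    ip_hdr = frame[ETH_HDR_LEN:ETH_HDR_LEN + ihl]
    result["ip_total_len"] = struct.unpack("!H", frame[16:18])[0]
    result["length_consistent"] = len(frame) == ETH_HDR_LEN + result["ip_total_len"]
    # A header with a valid checksum field sums to 0xFFFF when the field is included.
    result["ip_checksum_ok"] = (len(ip_hdr) == ihl and ihl >= 20
                                and ones_complement_sum(ip_hdr) == 0xFFFF)
    return result


def build_pcap(frames, first_ts=0):
    """Serialize frames as a libpcap 2.4 file (global header, then one record per frame)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        # Record header: ts_sec, ts_usec, captured length, original length.
        out += struct.pack("<IIII", first_ts + i, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    frame = parse_hex_dump(PACKET1_HEX)
    print(check_frame(frame))
    with open("1f.pcap", "wb") as fh:      # same output name the post uses for packet 1
        fh.write(build_pcap([frame]))
```

Passing all four packets to build_pcap in one call takes the place of the mergecap step; each frame gets its own record header, and the length check will flag a packet whose dump was pasted short or long before tcpdump ever has to complain about it.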

At the onset I also mentioned that there are a number of other ways to convert a hex dump to pcap. Anyone interested in writing something up on how to use scapy or any other tool to convert the hex dump? If so, let me know and we'll post it.

Now, it’s back up to you again. What’s Fred’s secret?

Hint: You are going to have to use some brute-force.

The following are links to information on the use of the tr, sed, text2pcap, and mergecap commands:
tr (Unix)
USEFUL ONE-LINE SCRIPTS FOR SED
text2pcap
mergecap

Tired of trying to convert the hex dump to pcap? Here is a link to the I Smell Packets Group on Google. Download the 5.pcap file.

http://groups.google.com/group/ismellpackets


2 Comments so far

Jon Wohlberg wrote in and made the following suggestion, stating it looked cleaner:

cat 1.txt | tr '\n' ' ' | sed 's/^/00000 /'

I agree with Jon 100%.

Comment by ismellpackets

I just noticed that some of the commands got messed up because I didn’t use the ‘code’ tag to separate them in the post. Everything has been fixed now. I apologize if this caused any problems.

Comment by ismellpackets
