I for one had a lot of fun with this week’s challenge. There were packets, magic, and even some shifting: everything you need in a good packet challenge. Here’s the solution from the creator of the challenge, Davy Douhine (@ddouhine on Twitter).
Davy writes:
1. Paste the packet in a text file.
2. Add “0000” at the beginning of each line, manually or with sed:
sed 's/^/0000 /' packet.txt
3. Print the result and copy it.
4. Launch scapy.
5. Import the packet in an object. To do this use the import_hexcap command, paste the packet, and hit CTRL-D:
>>> p1=IP(import_hexcap())
0000 4500 00c8 21c4 4000 8006 dee4 c0a8 3c01
0000 c0a8 3c35 0014 0841 ea5d efe1 32e0 3fa1
0000 5018 ffff 2c6d 0000 1f8b 0808 d92d 074a
0000 0203 6669 6c65 005d 8ecb 9104 210c 43ef
0000 1385 4210 fe01 e1b8 7ae8 fc43 1871 d8cb
0000 faa0 924b cf82 4812 6419 3aaa e5b4 2e8e
0000 81fd ec8d 87bd e00f c79f f344 767d 41a3
0000 098e 034f f31b 0c39 3f88 9e89 3a46 18dd
0000 af28 706f f8f0 82f7 5db7 d2d0 fc17 634c
0000 54d6 914c 43ed 72c4 532f 6a72 c329 4925
0000 48cb db9c 8564 2cc4 1baf b81c 7a5c cde9
0000 b7af f4b5 5882 c5f9 45c4 852e 62b1 3f3f
0000 c173 e305 f500 0000
6. Display the “p1” object:
>>> p1.display()
###[ IP ]###
  version= 4L
  ihl= 5L
  tos= 0x0
  len= 200
  id= 8644
  flags= DF
  frag= 0L
  ttl= 128
  proto= tcp
  chksum= 0xdee4
  src= 192.168.60.1
  dst= 192.168.60.53
  options= ''
###[ TCP ]###
     sport= ftp_data
     dport= 2113
     seq= 3932024801L
     ack= 853557153L
     dataofs= 5L
     reserved= 0L
     flags= PA
     window= 65535
     chksum= 0x2c6d
     urgptr= 0
     options= []
###[ Raw ]###
        load= '\x1f\x8b\x08\x08\xd9-\x07J\x02\x03file\x00]\x8e\xcb\x91\x04!\x0cC\xef\x13\x85B\x10\xfe\x01\xe1\xb8z\xe8\xfcC\x18q\xd8\xcb\xfa\xa0\x92K\xcf\x82H\x12d\x19:\xaa\xe5\xb4.\x8e\x81\xfd\xec\x8d\x87\xbd\xe0\x0f\xc7\x9f\xf3Dv}A\xa3\t\x8e\x03O\xf3\x1b\x0c9?\x88\x9e\x89:F\x18\xdd\xaf(po\xf8\xf0\x82\xf7]\xb7\xd2\xd0\xfc\x17cLT\xd6\x91LC\xedr\xc4S/jr\xc3)I%H\xcb\xdb\x9c\x85d,\xc4\x1b\xaf\xb8\x1cz\\\xcd\xe9\xb7\xaf\xf4\xb5X\x82\xc5\xf9E\xc4\x85.b\xb1??\xc1s\xe3\x05\xf5\x00\x00\x00'
7. We now have a good looking packet. The TCP source port indicates that this should be an ftp-data transfer. In the payload we see the string “file.” This is the name of the file that was transferred. Let’s take a closer look at it.
8. Display the payload of the packet:
>>> p1.payload.payload
<Raw load='\x1f\x8b\x08\x08\xd9-\x07J\x02\x03file\x00]\x8e\xcb\x91\x04!\x0cC\xef\x13\x85B\x10\xfe\x01\xe1\xb8z\xe8\xfcC\x18q\xd8\xcb\xfa\xa0\x92K\xcf\x82H\x12d\x19:\xaa\xe5\xb4.\x8e\x81\xfd\xec\x8d\x87\xbd\xe0\x0f\xc7\x9f\xf3Dv}A\xa3\t\x8e\x03O\xf3\x1b\x0c9?\x88\x9e\x89:F\x18\xdd\xaf(po\xf8\xf0\x82\xf7]\xb7\xd2\xd0\xfc\x17cLT\xd6\x91LC\xedr\xc4S/jr\xc3)I%H\xcb\xdb\x9c\x85d,\xc4\x1b\xaf\xb8\x1cz\\\xcd\xe9\xb7\xaf\xf4\xb5X\x82\xc5\xf9E\xc4\x85.b\xb1??\xc1s\xe3\x05\xf5\x00\x00\x00' |>
9. Convert the payload from raw to string and put the result in an object:
>>> strpayload=str(p1.payload.payload)
>>> strpayload
'\x1f\x8b\x08\x08\xd9-\x07J\x02\x03file\x00]\x8e\xcb\x91\x04!\x0cC\xef\x13\x85B\x10\xfe\x01\xe1\xb8z\xe8\xfcC\x18q\xd8\xcb\xfa\xa0\x92K\xcf\x82H\x12d\x19:\xaa\xe5\xb4.\x8e\x81\xfd\xec\x8d\x87\xbd\xe0\x0f\xc7\x9f\xf3Dv}A\xa3\t\x8e\x03O\xf3\x1b\x0c9?\x88\x9e\x89:F\x18\xdd\xaf(po\xf8\xf0\x82\xf7]\xb7\xd2\xd0\xfc\x17cLT\xd6\x91LC\xedr\xc4S/jr\xc3)I%H\xcb\xdb\x9c\x85d,\xc4\x1b\xaf\xb8\x1cz\\\xcd\xe9\xb7\xaf\xf4\xb5X\x82\xc5\xf9E\xc4\x85.b\xb1??\xc1s\xe3\x05\xf5\x00\x00\x00'
10. Put it in a file:
>>> import os, gzip   # already available inside the scapy shell; needed in a plain interpreter
>>> fd=open('/tmp/file', 'w')
>>> fd.write(strpayload)
>>> fd.close()
11. Use file magic to guess what sort of file it is:
>>> os.system('file /tmp/file')
/tmp/file: gzip compressed data, was "file", from Unix, max compression
12. It’s a gzip file, decompress it:
>>> fd=gzip.open('/tmp/file', 'r')
>>> fd.read()
'4500 0062 a46a 0000 8011 9c99 c0a8 3c01 c0a8 3c35 5a6d 0202 004e 3523 3c31 353e 4a75 6e20 2033 2031 333a 3136 3a31 3920 4444 4444 4444 4444 2047 656e 6572 6963 4c6f 6709 3009 5657 5253 2056 5048 4f4f 4c51 4a20 5344 464e 4857 2053 4f48 4456 480a\n'
13. So we have a text file with some hex in it that begins with “45…”. Oh no, it’s another packet… 😉 Let’s format it so that it can be imported into scapy. This requires 16 bytes per line with 0000 at the beginning of each. Question for the audience. Does anybody know how to do this in python?
>>> extractedpacket=_
>>> fd.close()
>>> fd=open('/tmp/extpkt', 'w')
>>> fd.write(extractedpacket)
>>> fd.close()
>>> os.system('vi /tmp/extpkt')   # reflow by hand to 8 groups (16 bytes) per line
>>> os.system("sed 's/^/0000 /' /tmp/extpkt")
0000 4500 0062 a46a 0000 8011 9c99 c0a8 3c01
0000 c0a8 3c35 5a6d 0202 004e 3523 3c31 353e
0000 4a75 6e20 2033 2031 333a 3136 3a31 3920
0000 4444 4444 4444 4444 2047 656e 6572 6963
0000 4c6f 6709 3009 5657 5253 2056 5048 4f4f
0000 4c51 4a20 5344 464e 4857 2053 4f48 4456
0000 480a
14. Import the packet to scapy using import_hexcap:
>>> p2=IP(import_hexcap())
0000 4500 0062 a46a 0000 8011 9c99 c0a8 3c01
0000 c0a8 3c35 5a6d 0202 004e 3523 3c31 353e
0000 4a75 6e20 2033 2031 333a 3136 3a31 3920
0000 4444 4444 4444 4444 2047 656e 6572 6963
0000 4c6f 6709 3009 5657 5253 2056 5048 4f4f
0000 4c51 4a20 5344 464e 4857 2053 4f48 4456
0000 480a
15. Display the packet details:
>>> p2.display()
###[ IP ]###
  version= 4L
  ihl= 5L
  tos= 0x0
  len= 98
  id= 42090
  flags=
  frag= 0L
  ttl= 128
  proto= udp
  chksum= 0x9c99
  src= 192.168.60.1
  dst= 192.168.60.53
  options= ''
###[ UDP ]###
     sport= 23149
     dport= syslog
     len= 78
     chksum= 0x3523
###[ Raw ]###
        load= '<15>Jun  3 13:16:19 DDDDDDDD GenericLog\t0\tVWRS VPHOOLQJ SDFNHW SOHDVH\n'
16. We now have a packet containing a syslog message and there are some weird characters in it, “VWRS VPHOOLQJ SDFNHW SOHDVH”.
17. What was the name of that challenge? Caesar’s challenge… hmm… After a quick search we find something called the Caesar cipher. The Caesar cipher is a 2000-year-old encryption technique named after Julius Caesar. It is a type of substitution cipher that shifts the characters 3 places.
18. Let’s try it. Shifting the characters in the syslog message by 3 we get: “STOP SMELLING PACKET PLEASE”.
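The following is an added example and is not part of Davy’s write-up or of scapy itself: the same chain of steps in plain standard-library Python, so that what scapy did for us implicitly (decoding the IP, TCP and UDP headers, recognising the gzip magic and the embedded FNAME, and the Caesar shift) is spelled out and can be re-run offline. It also answers the question in step 13: to_hexcap() lays bytes out as an offset column plus 16 bytes per line, which is the shape import_hexcap() reads; import_hexcap() matches and discards that leading offset, which is why a “0000” column has to be there at all (without it the first data word would be consumed as the offset). OUTER_HEX is the packet from step 5 with the offset column stripped; the function names and the dict returned by solve() are this example’s own.

```python
# Added example, not from Davy's write-up: the challenge chain with only the Python
# standard library (no scapy).  OUTER_HEX is the step-5 packet, offset column removed.
import struct
import zlib

OUTER_HEX = """
4500 00c8 21c4 4000 8006 dee4 c0a8 3c01 c0a8 3c35 0014 0841 ea5d efe1 32e0 3fa1
5018 ffff 2c6d 0000 1f8b 0808 d92d 074a 0203 6669 6c65 005d 8ecb 9104 210c 43ef
1385 4210 fe01 e1b8 7ae8 fc43 1871 d8cb faa0 924b cf82 4812 6419 3aaa e5b4 2e8e
81fd ec8d 87bd e00f c79f f344 767d 41a3 098e 034f f31b 0c39 3f88 9e89 3a46 18dd
af28 706f f8f0 82f7 5db7 d2d0 fc17 634c 54d6 914c 43ed 72c4 532f 6a72 c329 4925
48cb db9c 8564 2cc4 1baf b81c 7a5c cde9 b7af f4b5 5882 c5f9 45c4 852e 62b1 3f3f
c173 e305 f500 0000
"""


def hex_to_bytes(text):
    """Hex in any whitespace layout -> bytes (the gunzipped text has one space per word)."""
    return bytes.fromhex("".join(text.split()))


def to_hexcap(data, width=16):
    """Step 13's question: offset column plus 16 bytes per line, the shape import_hexcap()
    reads.  It matches and discards the offset, so the value is irrelevant, but it must exist."""
    return "\n".join(
        f"{off:04x} " + " ".join(data[i:i + 2].hex() for i in range(off, min(off + width, len(data)), 2))
        for off in range(0, len(data), width))


def ipv4_header_ok(pkt):
    """One's-complement sum over the header (checksum field included) must be 0xffff."""
    ihl = (pkt[0] & 0x0F) * 4
    total = sum(struct.unpack(f"!{ihl // 2}H", pkt[:ihl]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def parse_ipv4(pkt):
    """Return (proto, src, dst, l4_segment), honouring IHL and Total Length."""
    if pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl, total_len = (pkt[0] & 0x0F) * 4, struct.unpack("!H", pkt[2:4])[0]
    src, dst = (".".join(str(b) for b in pkt[o:o + 4]) for o in (12, 16))
    return pkt[9], src, dst, pkt[ihl:total_len]


def l4_payload(proto, seg):
    """Strip the TCP (data-offset nibble) or UDP (Length field) header: (sport, dport, data)."""
    sport, dport = struct.unpack("!HH", seg[:4])
    if proto == 6:
        return sport, dport, seg[(seg[12] >> 4) * 4:]
    if proto == 17:
        return sport, dport, seg[8:struct.unpack("!H", seg[4:6])[0]]
    raise ValueError(f"unsupported IP protocol {proto}")


def gunzip_member(blob):
    """Hand-parse the gzip header (RFC 1952) so the magic and FNAME are explicit, inflate
    the raw DEFLATE stream, verify the CRC32/ISIZE trailer.  -> (name, data, trailer_ok)"""
    if blob[:2] != b"\x1f\x8b" or blob[2] != 8:
        raise ValueError("no gzip magic, or method is not DEFLATE")
    flags, pos, name = blob[3], 10, None
    if flags & 0x04:                                     # FEXTRA
        pos += 2 + struct.unpack("<H", blob[pos:pos + 2])[0]
    if flags & 0x08:                                     # FNAME (NUL-terminated)
        end = blob.index(b"\x00", pos)
        name, pos = blob[pos:end].decode("latin-1"), end + 1
    if flags & 0x10:                                     # FCOMMENT
        pos = blob.index(b"\x00", pos) + 1
    if flags & 0x02:                                     # FHCRC
        pos += 2
    inflater = zlib.decompressobj(-zlib.MAX_WBITS)       # raw DEFLATE, no wrapper
    data = inflater.decompress(blob[pos:]) + inflater.flush()
    crc32, isize = struct.unpack("<II", blob[-8:])
    return name, data, zlib.crc32(data) == crc32 and isize == len(data) % (1 << 32)


def caesar(text, key):
    """Shift A-Z and a-z by `key` places, everything else untouched; decrypt with a negative key."""
    def shift(ch, base):
        return chr((ord(ch) - base + key) % 26 + base)
    return "".join(shift(c, 65) if "A" <= c <= "Z" else shift(c, 97) if "a" <= c <= "z" else c
                   for c in text)


def solve(outer_hex=OUTER_HEX, key=3):
    """IP/TCP -> gzip -> hex text -> IP/UDP -> syslog -> Caesar; returns every finding."""
    outer = hex_to_bytes(outer_hex)
    proto, src, dst, seg = parse_ipv4(outer)
    sport, dport, blob = l4_payload(proto, seg)
    fname, inner_text, trailer_ok = gunzip_member(blob)
    inner = hex_to_bytes(inner_text.decode("ascii"))
    iproto, isrc, idst, iseg = parse_ipv4(inner)
    isport, idport, msg = l4_payload(iproto, iseg)
    syslog = msg.decode("ascii")
    cipher = syslog.rstrip("\n").split("\t")[-1]        # last tab-separated field is the MSG
    return {
        "outer": (src, dst, proto, sport, dport, ipv4_header_ok(outer)),
        "gzip_name": fname, "gzip_trailer_ok": trailer_ok,
        "inner": (isrc, idst, iproto, isport, idport, ipv4_header_ok(inner)),
        "syslog": syslog, "plaintext": caesar(cipher, -key),
    }


if __name__ == "__main__":
    for k, v in solve().items():
        print(f"{k}: {v!r}")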
Chris adds:
Thanks to Davy for coming up with this week’s challenge. It was fun for me to have the opportunity to work on a challenge for once. If anyone else ever has an idea, let me know and maybe we’ll post it.
Lots of people got this one right. Congratulations to Alec Waters (@alecwaters on Twitter) for being the first. Thanks to everyone else for playing.
Until next time.
The following are some links to more information about this week’s challenge:
Magic number (programming)
file (Unix)
Caesar cipher
4 Comments so far
Awesome! I really dig seeing yet another way to look at these and how they’ve been building on past challenges (I was able to get this one based on what I learned in previous ones)!
Comment by LonerVamp June 12, 2009 @ 2:23 am

I agree. I’m learning quite a bit seeing the way others solve the challenges.
Comment by ismellpackets June 12, 2009 @ 3:37 pm

Hi,
What is the reason for the following step:
“Add “0000” at the beginning of each line, manually or with sed:”
I also noticed that this is done in other packet quizzes… is this something that text2pcap requires?
Thanks
Comment by ipv4 June 15, 2009 @ 12:30 pm

In short, yes! 🙂
Comment by LonerVamp June 16, 2009 @ 9:38 pm