I Smell Packets

This challenge was a little harder than the previous ones. It seems a lot of people had a hard time taking the hex dump of the packets and converting them into pcap format. So, what I decided to do was break the answer to Fred’s Secret into a couple of different posts. Part 1 will describe how to convert the packets. In Part 2 we’ll go ahead and reveal the solution. This way everyone will still be able to try to find out the answer themselves.

Here are the four packets:

00 0c 29 4c 6d a6 00 0c 29 0e 66 bd 08 00 45 00
00 f6 04 38 40 00 80 06 b7 77 c0 a8 5e 80 c0 a8
5e 81 0d 0d 01 bd 42 d0 33 b5 d2 64 26 85 50 18
fa 97 0e ae 00 00 00 00 00 ca ff 53 4d 42 73 00
00 00 00 18 07 c8 00 00 00 00 00 00 00 00 00 00
00 00 00 00 ff fe 00 00 10 00 0c ff 00 ca 00 04
11 0a 00 00 00 00 00 00 00 28 00 00 00 00 00 d4
00 00 a0 8f 00 4e 54 4c 4d 53 53 50 00 01 00 00
00 07 82 08 a2 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 05 01 28 0a 00 00 00 0f 00 57 00
69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 32 00
30 00 30 00 32 00 20 00 53 00 65 00 72 00 76 00
69 00 63 00 65 00 20 00 50 00 61 00 63 00 6b 00
20 00 33 00 20 00 32 00 36 00 30 00 30 00 00 00
57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 20 00
32 00 30 00 30 00 32 00 20 00 35 00 2e 00 31 00
00 00 00 00


00 0c 29 0e 66 bd 00 0c 29 4c 6d a6 08 00 45 00
01 1f 00 9f 40 00 80 06 ba e7 c0 a8 5e 81 c0 a8
5e 80 01 bd 0d 0d d2 64 26 85 42 d0 34 83 50 18
f9 99 80 50 00 00 00 00 00 f3 ff 53 4d 42 73 16
00 00 c0 98 07 c8 00 00 00 00 00 00 00 00 00 00
00 00 00 00 ff fe 00 08 10 00 04 ff 00 f3 00 00
00 7e 00 c8 00 4e 54 4c 4d 53 53 50 00 02 00 00
00 0a 00 0a 00 38 00 00 00 05 82 8a a2 89 23 42
01 b1 62 1e d1 00 00 00 00 00 00 00 00 3c 00 3c
00 42 00 00 00 05 01 28 0a 00 00 00 0f 57 00 49
00 4c 00 4d 00 41 00 02 00 0a 00 57 00 49 00 4c
00 4d 00 41 00 01 00 0a 00 57 00 49 00 4c 00 4d
00 41 00 04 00 0a 00 57 00 49 00 4c 00 4d 00 41
00 03 00 0a 00 57 00 49 00 4c 00 4d 00 41 00 00
00 00 00 14 57 00 69 00 6e 00 64 00 6f 00 77 00
73 00 20 00 35 00 2e 00 31 00 00 00 57 00 69 00
6e 00 64 00 6f 00 77 00 73 00 20 00 32 00 30 00
30 00 30 00 20 00 4c 00 41 00 4e 00 20 00 4d 00
61 00 6e 00 61 00 67 00 65 00 72 00 00


00 0c 29 4c 6d a6 00 0c 29 0e 66 bd 08 00 45 00
01 60 04 39 40 00 80 06 b7 0c c0 a8 5e 80 c0 a8
5e 81 0d 0d 01 bd 42 d0 34 83 d2 64 27 7c 50 18
f9 a0 09 36 00 00 00 00 01 34 ff 53 4d 42 73 00
00 00 00 18 07 c8 00 00 00 00 00 00 00 00 00 00
00 00 00 00 ff fe 00 08 20 00 0c ff 00 34 01 04
11 0a 00 00 00 00 00 00 00 92 00 00 00 00 00 d4
00 00 a0 f9 00 4e 54 4c 4d 53 53 50 00 03 00 00
00 18 00 18 00 62 00 00 00 18 00 18 00 7a 00 00
00 0a 00 0a 00 48 00 00 00 08 00 08 00 52 00 00
00 08 00 08 00 5a 00 00 00 00 00 00 00 92 00 00
00 05 82 88 a2 05 01 28 0a 00 00 00 0f 77 00 69
00 6c 00 6d 00 61 00 66 00 72 00 65 00 64 00 46
00 52 00 45 00 44 00 be 16 d3 98 51 48 ba f5 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 77
72 dd 97 cb d6 6f 8d c7 ca db e1 88 6b c3 2b cc
83 df 15 dc 6e 98 41 00 57 00 69 00 6e 00 64 00
6f 00 77 00 73 00 20 00 32 00 30 00 30 00 32 00
20 00 53 00 65 00 72 00 76 00 69 00 63 00 65 00
20 00 50 00 61 00 63 00 6b 00 20 00 33 00 20 00
32 00 36 00 30 00 30 00 00 00 57 00 69 00 6e 00
64 00 6f 00 77 00 73 00 20 00 32 00 30 00 30 00
32 00 20 00 35 00 2e 00 31 00 00 00 00 00


00 0c 29 0e 66 bd 00 0c 29 4c 6d a6 08 00 45 00
00 a1 00 a0 40 00 80 06 bb 64 c0 a8 5e 81 c0 a8
5e 80 01 bd 0d 0d d2 64 27 7c 42 d0 35 bb 50 18
f8 61 c6 aa 00 00 00 00 00 75 ff 53 4d 42 73 00
00 00 00 98 07 c8 00 00 00 00 00 00 00 00 00 00
00 00 00 00 ff fe 00 08 20 00 04 ff 00 75 00 00
00 00 00 4a 00 82 57 00 69 00 6e 00 64 00 6f 00
77 00 73 00 20 00 35 00 2e 00 31 00 00 00 57 00
69 00 6e 00 64 00 6f 00 77 00 73 00 20 00 32 00
30 00 30 00 30 00 20 00 4c 00 41 00 4e 00 20 00
4d 00 61 00 6e 00 61 00 67 00 65 00 72 00 00

Converting the Hex Dump into PCAP using tr, sed, text2pcap, & mergecap.

There are a number of different ways to convert a hex dump into pcap. The method I will demonstrate here will be using the tr, sed, text2pcap, and mergecap commands. This is going to be long and drawn out, perhaps even a little painful. By doing it this way though, we are going to get use a number of different commands. Using these different commands will allow us to see what they do and become familiar with their syntax and how they work. As we go through each step in the process, take a look at the output of the command and try to get a feel of what it is actually doing.

To begin, copy and paste each of the packets into a separate text file (for example 1.txt, 2.txt, 3.txt, 4.txt.)

Then, remove the carriage returns:
tr -d '\n' 1b.txt

Next, get rid of the blank spaces:
sed 's/ //g' 1c.txt

Now, separate the bytes:
sed 's/\(..\)/\1 /g' 1d.txt

Then, prepend a’00000 ‘:
sed 's/^/00000 /' 1e.txt

Finally, convert the hex to pcap using text2pcap:
text2pcap 1e.txt 1f.pcap

All of this can be done on a single line by piping the output of one command into the input of the next command:
tr -d '\n' < 1.txt | sed 's/ //g' | sed 's/\(..\)/\1 /g' | sed 's/^/00000 /' | text2pcap - 1f.pcap

Repeat this process for each of the each of the four packets. Afterwords there should be four pcap files: 1f.pcap, 2f.pcap, 3f.pcap, and 4f.pcap. These four packets now need to combined back into a single file. This can be done using mergecap:

mergecap -w 5.pcap 1f.pcap 2f.pcap 3f.pcap 4f.pcap

If everything worked correctly, the file 5.pcap now contains four packets. To verify this, run tcpdump. Use the -v (verbose) switch to display the length of each packet. This is highlighted below:

tcpdump -nnvr 5.pcap
reading from file 5.pcap, link-type EN10MB (Ethernet)
14:13:33.000000 IP (tos 0x0, ttl 128, id 159, offset 0, flags [DF], proto TCP (6), length 287) 192.168.94.129.445 > 192.168.94.128.3341: P, cksum 0x8050 (correct), 3529778821:3529779068(247) ack 1120941187 win 63897
14:13:52.000000 IP (tos 0x0, ttl 128, id 1081, offset 0, flags [DF], proto TCP (6), length 352) 192.168.94.128.3341 > 192.168.94.129.445: P, cksum 0x0936 (correct), 1:313(312) ack 247 win 63904
14:14:12.000000 IP (tos 0x0, ttl 128, id 160, offset 0, flags [DF], proto TCP (6), length 161) 192.168.94.129.445 > 192.168.94.128.3341: P, cksum 0xc6aa (correct), 247:368(121) ack 313 win 63585
14:18:29.000000 IP (tos 0x0, ttl 128, id 1080, offset 0, flags [DF], proto TCP (6), length 246) 192.168.94.128.3341 > 192.168.94.129.445: P, cksum 0x0eae (correct), 4294967091:1(206) ack 0 win 64151

Remember, the reason for going through this long drawn out process was to demonstrate the use of a number of different commands and how they work. With this knowledge, hopefully we’ll have a better understanding of how to use each of these tools. Perhaps we can even begin writing scripts that automate such processes. 🙂

At the onset I also mentioned that there were a number of other ways to convert a hex dump to pcap. Anyone interested in writing something up on how to use scapy or any another tool to convert the hex dump? If so, let me know and we’ll post it.

Now, it’s back up to you again. What’s Fred’s secret?

Hint: You are going to have to use some brute-force.

The following are links to information on the the use of the tr, sed, text2pcap, and mergecap commands:
tr (Unix)
USEFUL ONE-LINE SCRIPTS FOR SED
text2pcap
mergecap

Tired of trying to convert the hex dump to pcap? Here is a link to the I Smell Packets Group on Google. Download the 5.pcap file.

http://groups.google.com/group/ismellpackets