author | Mike Crute <mcrute@gmail.com> | 2016-07-27 19:33:47 -0700 |
---|---|---|
committer | Mike Crute <mcrute@gmail.com> | 2016-07-27 19:33:47 -0700 |
commit | 244e353bb6a788e5f76ed999abf3149704dea754 (patch) | |
tree | d075c1525cf8ea199f65e84c0d91563baac0897e | |
parent | d64e26457e6c891304315a7de17db886493e8039 (diff) | |
download | ubntmfi-244e353bb6a788e5f76ed999abf3149704dea754.tar.bz2 ubntmfi-244e353bb6a788e5f76ed999abf3149704dea754.tar.xz ubntmfi-244e353bb6a788e5f76ed999abf3149704dea754.zip |
Reassemble fragmented packets
-rw-r--r-- | inform.py | 14 | ||||
-rw-r--r-- | parse_pcap.py | 74 |
2 files changed, 30 insertions, 58 deletions
@@ -163,16 +163,10 @@ class InformSerializer(object): | |||
163 | 163 | ||
164 | decrypted = Cryptor(key, packet.iv).decrypt(packet.raw_payload) | 164 | decrypted = Cryptor(key, packet.iv).decrypt(packet.raw_payload) |
165 | 165 | ||
166 | try: | 166 | json.loads(decrypted.decode("latin-1")) |
167 | json.loads(decrypted.decode("latin-1")) | 167 | packet.raw_payload = decrypted |
168 | packet.raw_payload = decrypted | 168 | packet._used_key = key |
169 | packet._used_key = key | 169 | break |
170 | break | ||
171 | except ValueError as err: | ||
172 | if err.message == "No JSON object could be decoded": | ||
173 | continue | ||
174 | else: | ||
175 | raise | ||
176 | 170 | ||
177 | def parse(self, input): | 171 | def parse(self, input): |
178 | input_stream = BinaryDataStream(input) | 172 | input_stream = BinaryDataStream(input) |
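--- a/parse_pcap.py
+++ b/parse_pcap.py
@@ -1,61 +1,39 @@
 import dpkt
+import json
 import binascii
-from keystore import KEYSTORE
 from cStringIO import StringIO
 from inform import InformSerializer, Cryptor
 
 
+d = json.load(open("devices.json"))
+KEYSTORE = { i['mac']: i['x_authkey'] for i in d }
+
+
 def add_colons_to_mac(mac_addr):
     mac_addr = binascii.hexlify(mac_addr)
     return ":".join([mac_addr[i*2:i*2+2] for i in range(12/2)]).lower()
 
 
-for ts, buf in dpkt.pcap.Reader(open("/Users/mcrute/Desktop/http_fast.pcap")):
-    eth = dpkt.ethernet.Ethernet(buf)
-    data = eth.data.tcp.data.split("\r\n")
-    header, data = data[0], data[-1]
-
-    keys = [
-        KEYSTORE.get(add_colons_to_mac(eth.src)),
-        KEYSTORE.get(add_colons_to_mac(eth.dst)),
-        KEYSTORE.get("00:00:00:00:00:00")
-    ]
+records = []
+buffer = StringIO()
 
-    if not data.startswith("TNBU"):
+for ts, buf in dpkt.pcap.Reader(open("mfi.out")):
+    eth = dpkt.ethernet.Ethernet(buf)
+    data = eth.data.tcp.data.split("\r\n")[-1]
+
+    if data.startswith("TNBU") and buffer.tell() != 0:
+        records.append(buffer.getvalue())
+        buffer.seek(0)
+        buffer.write(data)
+    else:
+        buffer.write(data)
+
+
+ser = InformSerializer("", KEYSTORE)
+for data in records:
+    try:
+        packet = ser.parse(StringIO(data))
+        print packet.raw_payload
+    except:
+        print "BAD"
         continue
-
-    for key in keys:
-        if key is None:
-            continue
-
-        ser = InformSerializer(key)
-
-        try:
-            packet = ser.parse(StringIO(data))
-            ser._decrypt_payload(packet)
-
-            if not packet.raw_payload.startswith("{"):
-                continue
-            else:
-                break
-        except ValueError as err:
-            if '16' in err.message:
-                #to_add = 16 - (len(data[40:]) % 16)
-                #decrypted = Cryptor(KEY, packet.iv).decrypt(data[40:] + ("\x00" * to_add))
-                continue
-            else:
-                raise
-
-        packet = None
-
-
-    if not packet:
-        print "Bad Packet"
-        continue
-    else:
-        print packet.raw_payload
-
-    #type = packet.payload.get('_type', None)
-
-    #if type and (not type == 'noop'):
-    #    print packet.raw_payload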
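Review bot: The reassembly in the new `for ts, buf` loop drops the last inform record and can corrupt every record after the first: when the capture ends the bytes still in `buffer` are never appended to `records`, and `buffer.seek(0)` without `truncate()` leaves the tail of a longer previous record in place, so `getvalue()` for a shorter next record returns it with stale bytes appended. Flush after the loop with `if buffer.tell() != 0: records.append(buffer.getvalue())` and call `buffer.truncate()` after the seek (or simply rebind `buffer = StringIO()`). The bare `except:` in the decode loop also swallows `KeyboardInterrupt` and prints only `BAD`, so a wrong key, a malformed header and a genuine bug are indistinguishable; `except Exception as err: print "BAD", err` keeps the best-effort behaviour without hiding the cause. Less certain: `split("\r\n")[-1]` discards everything before the last CRLF in a segment, which is fine for the HTTP header but will truncate a binary inform body that happens to contain 0x0d0a — splitting only on the `\r\n\r\n` header terminator when a segment begins with an HTTP line looks safer, though that depends on how the capture is framed.
```python
for ts, buf in dpkt.pcap.Reader(open("mfi.out")):
    # … unchanged: Ethernet decode and payload split …
    if data.startswith("TNBU") and buffer.tell() != 0:
        records.append(buffer.getvalue())
        buffer.seek(0)
        buffer.truncate()  # drop stale bytes left over from a longer previous record
    buffer.write(data)

# the final record is still sitting in the buffer when the capture ends
if buffer.tell() != 0:
    records.append(buffer.getvalue())

ser = InformSerializer("", KEYSTORE)
for data in records:
    try:
        packet = ser.parse(StringIO(data))
        print packet.raw_payload
    except Exception as err:
        print "BAD", err
```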