Reassemble fragmented packets

author: Mike Crute <mcrute@gmail.com> 2016-07-27 19:33:47 -0700
committer: Mike Crute <mcrute@gmail.com> 2016-07-27 19:33:47 -0700
commit: 244e353bb6a788e5f76ed999abf3149704dea754 (patch)
tree: d075c1525cf8ea199f65e84c0d91563baac0897e
parent: d64e26457e6c891304315a7de17db886493e8039 (diff)
download: ubntmfi-244e353bb6a788e5f76ed999abf3149704dea754.tar.bz2
ubntmfi-244e353bb6a788e5f76ed999abf3149704dea754.tar.xz
ubntmfi-244e353bb6a788e5f76ed999abf3149704dea754.zip
2 files changed, 30 insertions, 58 deletions
diff --git a/inform.py b/inform.py
index 6741415..9877f45 100644
--- a/inform.py
+++ b/inform.py
@@ -163,16 +163,10 @@ class InformSerializer(object):
            decrypted = Cryptor(key, packet.iv).decrypt(packet.raw_payload)
-            try:
+            json.loads(decrypted.decode("latin-1"))
-                json.loads(decrypted.decode("latin-1"))
+            packet.raw_payload = decrypted
-                packet.raw_payload = decrypted
+            packet._used_key = key
-                packet._used_key = key
+            break
-                break
-            except ValueError as err:
-                if err.message == "No JSON object could be decoded":
-                    continue
-                else:
-                    raise
    def parse(self, input):
        input_stream = BinaryDataStream(input)
diff --git a/parse_pcap.py b/parse_pcap.py
index 3214f15..bcc3e69 100644
--- a/parse_pcap.py
+++ b/parse_pcap.py
@@ -1,61 +1,39 @@
 import dpkt
+import json
 import binascii
-from keystore import KEYSTORE
 from cStringIO import StringIO
 from inform import InformSerializer, Cryptor
+d = json.load(open("devices.json"))
+KEYSTORE = { i['mac']: i['x_authkey'] for i in d }
 def add_colons_to_mac(mac_addr):
    mac_addr = binascii.hexlify(mac_addr)
    return ":".join([mac_addr[i*2:i*2+2] for i in range(12/2)]).lower()
-for ts, buf in dpkt.pcap.Reader(open("/Users/mcrute/Desktop/http_fast.pcap")):
+records = []
-    eth = dpkt.ethernet.Ethernet(buf)
+buffer = StringIO()
-    data = eth.data.tcp.data.split("\r\n")
-    header, data = data[0], data[-1]
-    keys = [
-        KEYSTORE.get(add_colons_to_mac(eth.src)),
-        KEYSTORE.get(add_colons_to_mac(eth.dst)),
-        KEYSTORE.get("00:00:00:00:00:00")
-    ]
-    if not data.startswith("TNBU"):
+for ts, buf in dpkt.pcap.Reader(open("mfi.out")):
+    eth = dpkt.ethernet.Ethernet(buf)
+    data = eth.data.tcp.data.split("\r\n")[-1]
+    if data.startswith("TNBU") and buffer.tell() != 0:
+        records.append(buffer.getvalue())
+        buffer.seek(0)
+        buffer.write(data)
+    else:
+        buffer.write(data)
+ser = InformSerializer("", KEYSTORE)
+for data in records:
+    try:
+        packet = ser.parse(StringIO(data))
+        print packet.raw_payload
+    except:
+        print "BAD"
        continue
-    for key in keys:
-        if key is None:
-            continue
-        ser = InformSerializer(key)
-        try:
-            packet = ser.parse(StringIO(data))
-            ser._decrypt_payload(packet)
-            if not packet.raw_payload.startswith("{"):
-                continue
-            else:
-                break
-        except ValueError as err:
-            if '16' in err.message:
-                #to_add = 16 - (len(data[40:]) % 16)
-                #decrypted = Cryptor(KEY, packet.iv).decrypt(data[40:] + ("\x00" * to_add))
-                continue
-            else:
-                raise
-        packet = None
-        if not packet:
-            print "Bad Packet"
-            continue
-        else:
-            print packet.raw_payload
-        #type = packet.payload.get('_type', None)
-        #if type and (not type == 'noop'):
-        #    print packet.raw_payload
author	Mike Crute <mcrute@gmail.com>	2016-07-27 19:33:47 -0700
committer	Mike Crute <mcrute@gmail.com>	2016-07-27 19:33:47 -0700
commit	244e353bb6a788e5f76ed999abf3149704dea754 (patch)
tree	d075c1525cf8ea199f65e84c0d91563baac0897e
parent	d64e26457e6c891304315a7de17db886493e8039 (diff)
download	ubntmfi-244e353bb6a788e5f76ed999abf3149704dea754.tar.bz2 ubntmfi-244e353bb6a788e5f76ed999abf3149704dea754.tar.xz ubntmfi-244e353bb6a788e5f76ed999abf3149704dea754.zip

diff --git a/inform.py b/inform.py index 6741415..9877f45 100644 --- a/inform.py +++ b/inform.py
@@ -163,16 +163,10 @@ class InformSerializer(object):
163		163
164	decrypted = Cryptor(key, packet.iv).decrypt(packet.raw_payload)	164	decrypted = Cryptor(key, packet.iv).decrypt(packet.raw_payload)
165		165
166	try:	166	json.loads(decrypted.decode("latin-1"))
167	json.loads(decrypted.decode("latin-1"))	167	packet.raw_payload = decrypted
168	packet.raw_payload = decrypted	168	packet._used_key = key
169	packet._used_key = key	169	break
170	break
171	except ValueError as err:
172	if err.message == "No JSON object could be decoded":
173	continue
174	else:
175	raise
176		170
177	def parse(self, input):	171	def parse(self, input):
178	input_stream = BinaryDataStream(input)	172	input_stream = BinaryDataStream(input)


diff --git a/parse_pcap.py b/parse_pcap.py index 3214f15..bcc3e69 100644 --- a/parse_pcap.py +++ b/parse_pcap.py
@@ -1,61 +1,39 @@
1	import dpkt	1	import dpkt
		2	import json
2	import binascii	3	import binascii
3	from keystore import KEYSTORE
4	from cStringIO import StringIO	4	from cStringIO import StringIO
5	from inform import InformSerializer, Cryptor	5	from inform import InformSerializer, Cryptor
6		6
7		7
		8	d = json.load(open("devices.json"))
		9	KEYSTORE = { i['mac']: i['x_authkey'] for i in d }
		10
		11
8	def add_colons_to_mac(mac_addr):	12	def add_colons_to_mac(mac_addr):
9	mac_addr = binascii.hexlify(mac_addr)	13	mac_addr = binascii.hexlify(mac_addr)
10	return ":".join([mac_addr[i2:i2+2] for i in range(12/2)]).lower()	14	return ":".join([mac_addr[i2:i2+2] for i in range(12/2)]).lower()
11		15
12		16
13	for ts, buf in dpkt.pcap.Reader(open("/Users/mcrute/Desktop/http_fast.pcap")):	17	records = []
14	eth = dpkt.ethernet.Ethernet(buf)	18	buffer = StringIO()
15	data = eth.data.tcp.data.split("\r\n")
16	header, data = data[0], data[-1]
17
18	keys = [
19	KEYSTORE.get(add_colons_to_mac(eth.src)),
20	KEYSTORE.get(add_colons_to_mac(eth.dst)),
21	KEYSTORE.get("00:00:00:00:00:00")
22	]
23		19
24	if not data.startswith("TNBU"):	20	for ts, buf in dpkt.pcap.Reader(open("mfi.out")):
		21	eth = dpkt.ethernet.Ethernet(buf)
		22	data = eth.data.tcp.data.split("\r\n")[-1]
		23
		24	if data.startswith("TNBU") and buffer.tell() != 0:
		25	records.append(buffer.getvalue())
		26	buffer.seek(0)
		27	buffer.write(data)
		28	else:
		29	buffer.write(data)
		30
		31
		32	ser = InformSerializer("", KEYSTORE)
		33	for data in records:
		34	try:
		35	packet = ser.parse(StringIO(data))
		36	print packet.raw_payload
		37	except:
		38	print "BAD"
25	continue	39	continue
26
27	for key in keys:
28	if key is None:
29	continue
30
31	ser = InformSerializer(key)
32
33	try:
34	packet = ser.parse(StringIO(data))
35	ser._decrypt_payload(packet)
36
37	if not packet.raw_payload.startswith("{"):
38	continue
39	else:
40	break
41	except ValueError as err:
42	if '16' in err.message:
43	#to_add = 16 - (len(data[40:]) % 16)
44	#decrypted = Cryptor(KEY, packet.iv).decrypt(data[40:] + ("\x00" * to_add))
45	continue
46	else:
47	raise
48
49	packet = None
50
51
52	if not packet:
53	print "Bad Packet"
54	continue
55	else:
56	print packet.raw_payload
57
58	#type = packet.payload.get('_type', None)
59
60	#if type and (not type == 'noop'):
61	# print packet.raw_payload