Carving Exfiltrated Network Data from a Hack (Python & Scapy)

  • Published: 11 Jul 2024
  • j-h.io/ctt || Level-up your techs with tailored cybersecurity training, custom for you and your team -- from Capture the Talent! j-h.io/ctt
    00:00 - lactf{EBE}
    00:23 - Challenge start
    01:09 - What is RFC 3514
    02:02 - About PCAP files
    05:58 - Scripting out the answer
    11:50 - Final Thoughts
    🔥 RUclips ALGORITHM ➡ Like, Comment, & Subscribe!
    🙏 SUPPORT THE CHANNEL ➡ jh.live/patreon
    🤝 SPONSOR THE CHANNEL ➡ jh.live/sponsor
    🌎 FOLLOW ME EVERYWHERE ➡ jh.live/discord ↔ jh.live/twitter ↔ jh.live/linkedin ↔ jh.live/instagram ↔ jh.live/tiktok
    💥 SEND ME MALWARE ➡ jh.live/malware

Comments • 45

  • @tacozmacleo
    @tacozmacleo 1 year ago +19

    First I would use the Wireshark built-in filter. file->'strip headers...' select ip add filter: `ip.flags.rb != 1`, click ok. then right-click a packet and click follow -> 'udp stream'.
    But if you do want to use the command line it is easier with tcpdump: `tcpdump 'ip[6] != 128' -Ar EBE.pcap` and if the print should be on one line, fix that with `awk`, while also removing all the packet info.

  • @jormawuorio2079
    @jormawuorio2079 1 year ago +24

    You constantly making these small tutorials for CTFs makes me really want to get back into hacking, so thank you so much for all your work here!

  • @AJ_s257
    @AJ_s257 1 year ago +28

    John never disappoints

  • @luketurner314
    @luketurner314 1 year ago +7

    11:35
    import sys
    from scapy.all import *
    print(b"".join([p[Raw].load for p in rdpcap(sys.argv[1]) if "evil" not in p[IP].flags]).decode("utf-8"))
    And now you can use it on any .pcap file. It will throw an error if you don't provide a filename as the first argument on the command line

  • @donttrusttheape
    @donttrusttheape 1 year ago +7

    That's awesome again. I think you should make a video on the most useful Python libraries for CTFs/penetration testing. I've noticed a weird thing: sponsor ads are usually annoying, but John somehow chooses the right ones (not advertising lingerie, drinks, or other unrelated stuff), and makes them interesting.
    For scapy, just pip install scapy --upgrade fixes errors.

    • @dieSpinnt
      @dieSpinnt 1 year ago

      What is so bad about John in lingerie?
      Man ... be a little bit more open-minded!
      Hehehe:)

  • @nimoo1929
    @nimoo1929 1 year ago +6

    Learned new things about scapy. I used to use pyshark. Thank you, sir.

  • @jnorris8649
    @jnorris8649 1 year ago +1

    Found out about your channel through Network Chuck. You guys rock!
    Sort of new to Wireshark, and have been able to capture some BLE transmissions between my phone and a wireless thermometer just for tinkering. Never was able to make sense of what the heck to do with the massive .pcap file. I look forward to reading the docs for the "scapy" library to see what all cool stuff I might be able to do with it.
    Thanks so much for your awesome tutorials!

  • @TheBenSanders
    @TheBenSanders 1 year ago

    Great video John!
    Helped seeing a use case too, as I'm learning Python myself.

  • @CybrJames
    @CybrJames 1 year ago

    This was awesome. I feel dumb when watching your videos, lol. I miss your RUclips videos. I have a long way to go, but you, sir, are a GOD, and we newbies appreciate all you do.

  • @CyberxploitHausa
    @CyberxploitHausa 1 year ago +3

    Super awesome John

  • @_AN203
    @_AN203 1 year ago +1

    Appreciate the content...
    And the outro music as well...
    Good job editor...
    Please more...

  • @tonym5857
    @tonym5857 1 year ago

    Great video, nice to use Python Libs 👏👏👏

  • @simonbeaupre613
    @simonbeaupre613 1 year ago

    Really nice tutorial. Thanks

  • @MyurrDurr
    @MyurrDurr 1 year ago

    That's so satisfying seeing it just present the flag like that!

  • @Ner0x42
    @Ner0x42 1 year ago

    Something to play with when I get home later now!

  • @cireepix1204
    @cireepix1204 1 year ago

    Don't ever take the red pill man...we'd miss you. Another great video...

  • @ZaraThePassionate
    @ZaraThePassionate 1 year ago +1

    Hey there from Va

  • @d3stinYwOw
    @d3stinYwOw 1 year ago

    Scapy is great not only for packet inspection, but also as an easy-to-use base layer for building new things ;) And please, update your scapy to 2.5.0 :D

  • @CyberAI1
    @CyberAI1 1 year ago

    You are my master

  • @MidnightSpecter43
    @MidnightSpecter43 1 year ago

    🤩

  • @arianahmadi1227
    @arianahmadi1227 1 year ago

    best

  • @bhavinbhesaniya3503
    @bhavinbhesaniya3503 1 year ago +1

    Hi John

  • @yourmomandme69
    @yourmomandme69 1 year ago

    Hey John, why don't you make a course?

  • @Smiley_face12
    @Smiley_face12 1 year ago +1

    4th comment buddy

  • @FlippinFingers
    @FlippinFingers 1 year ago

    One liner

  • @infinix_6586
    @infinix_6586 1 year ago

    I have a question: is it possible to crack a password from wpa2.pcap using programming, without a wordlist or brute force...🤔

  • @IonutE
    @IonutE 1 year ago +7

    Why would anyone sane abide by RFC 3514?
    It makes no sense as an attacker to intentionally announce the attack within the packet? o.O
    Also can't unsee that it was published on April 1, 2003, also known as April Fools' Day :/

    • @somebodystealsmyname
      @somebodystealsmyname 1 year ago +7

      It is not a "real" thing but an April Fools' joke by Steve Bellovin.

    • @nordgaren2358
      @nordgaren2358 1 year ago

      Because they needed a theme for a CTF. :P

    • @jenslink9861
      @jenslink9861 1 year ago +3

      And many RFCs published with this date are worth reading. My favorite is RFC1925. When you read many RFCs you'll notice that only the ones published on April 1st mention the day. All others have Month / Year as publishing date.

  • @MrBergg
    @MrBergg 1 year ago +1

    me first

  • @dark_hyrax5007
    @dark_hyrax5007 1 year ago

    Yo this RFC made no sense to me. Why would attackers want us to know that their traffic is evil? And then I did some googling and found out it was published on April 1st :/

  • @i08x25
    @i08x25 1 year ago

    First ong

  • @jenslink9861
    @jenslink9861 1 year ago +3

    You wanted a one-liner, you get a one-liner. Can you try the following with the pcap file?
    tshark -Y "ip.flags.rb==0" -r EBE.pcap -Tfields -e data | xxd -r -p

  • @laurenlewis4189
    @laurenlewis4189 1 year ago +3

    "List Comprehension" you say? "Cramming your code verbatim all onto one line for no good reason" you say? ("To shreds" you say?)
    from scapy.all import *
    print(b"".join([packet[Raw].load for packet in rdpcap("./EBE.pcap") if "evil" not in packet[IP].flags]).decode("utf-8"))
    For extra credit, here's the same thing but also technically a one-liner shell command:
    python3 -c 'from scapy.all import *; print(b"".join([packet[Raw].load for packet in rdpcap("./EBE.pcap") if "evil" not in packet[IP].flags]).decode("utf-8"))'

  • @konfushon
    @konfushon 1 year ago +2

    here's a horrendous one-liner:
    tshark -Y "ip.flags.rb==0" -r EBE.pcap -Tfields -e data | xxd -r -p
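As an added example that is not from the video or from any commenter, here is the same carve done against the pcap container itself, with no scapy or tshark: a minimal parser for the classic pcap format that walks Ethernet/IPv4/UDP headers, drops every packet whose IPv4 reserved bit (the RFC 3514 "evil" bit that the `ip.flags.rb==0`, `ip[6] != 128` and `"evil" not in packet[IP].flags` filters above test) is set, and joins the remaining UDP payloads. The sample capture, its addresses and its ports are all constructed in-memory for the demonstration.

```python
import struct

def carve_pcap(data: bytes) -> bytes:
    """Return the concatenated UDP payloads of every IPv4 packet whose
    reserved ("evil") flag bit is clear, in capture order."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:          # classic pcap written little-endian
        end = "<"
    elif magic == 0xD4C3B2A1:        # classic pcap written big-endian
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    link_type, = struct.unpack_from(end + "I", data, 20)
    if link_type != 1:               # LINKTYPE_ETHERNET
        raise ValueError("only Ethernet captures are handled")
    off, chunks = 24, []             # 24-byte global header, then records
    while off + 16 <= len(data):     # each record: ts_sec, ts_usec, incl_len, orig_len
        _, _, incl_len, _ = struct.unpack_from(end + "IIII", data, off)
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                 # not an IPv4 frame
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4     # header length in bytes
        if ip[6] & 0x80 or ip[9] != 17:
            continue                 # evil bit set, or not UDP (protocol 17)
        total_len = struct.unpack_from("!H", ip, 2)[0]
        udp = ip[ihl:total_len]
        if len(udp) < 8:
            continue                 # truncated datagram
        udp_len = struct.unpack_from("!H", udp, 4)[0]
        chunks.append(udp[8:udp_len])
    return b"".join(chunks)

def build_pcap(datagrams):
    """Constructed sample capture: (evil, payload) pairs as UDP over IPv4/Ethernet."""
    recs = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for evil, payload in datagrams:
        udp = struct.pack("!HHHH", 40000, 9999, 8 + len(payload), 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1,
                         0x8000 if evil else 0,   # reserved bit is the top bit
                         64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + udp
        frame = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip
        recs.append(struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame)
    return b"".join(recs)

# Constructed capture: two legitimate datagrams with an "evil" decoy between them.
SAMPLE_PCAP = build_pcap([(False, b"hello, "), (True, b"NOT THIS"), (False, b"world")])
```

Point it at a real file with `carve_pcap(open(path, "rb").read())`; captures saved as pcapng need converting to classic pcap first.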

  • @HarvestHaven09
    @HarvestHaven09 1 year ago +1

    Ultimate 🥏

    • @Smiley_face12
      @Smiley_face12 1 year ago +2

      Wow you are the first ever comment!