My next class:
Reverse-Engineering Malware: Malware Analysis Tools and TechniquesOnline | Australia Eastern Standard TimeSep 16th - Sep 21st 2024

A packet challenge and how I solved it

Published: 2009-05-07. Last Updated: 2009-05-08 00:03:08 UTC
by Jim Clausing (Version: 1)
2 comment(s)

Yesterday morning (EDT in the US), our friend Chris Christianson tweeted the following:

4500 0036 308b 0000 4001 0000 7f00 0001 7f00 0001 0800 89f3 5a27 0200 3173 7432 444d 6d65 6765 7473 4153 7461 7262 7563 6b73 6361 7264   

I didn't see it in time to win his little challenge, but I figured I'd throw out how I decoded it and how I would have responded had @quine not already beaten me to it.  It was pretty obviously (well, to us packet geeks anyway) an IPv4 packet in hex: the leading 45 is version 4 with a 20-byte header, and the 01 at offset 9 is protocol 1, ICMP.  I copied the text and saved it in a text file named foocap.txt (I could have just used echo, but I thought I might want to go back to it).  Then I ran the pipeline below.  The perl one-liner prepends the "000000" offset that text2pcap expects and splits each 16-bit group into two separate bytes; text2pcap wraps the bytes in a dummy Ethernet header with EtherType 0x800 and writes a pcap to standard output, which tcpdump then decodes and hex-dumps with -X (note, text2pcap is part of the wireshark package, so that and tcpdump both need to be installed on your linux box to do this):

 

jac@cantor[531]$ cat foocap.txt | perl -pe 'print "000000 ";s/(..)(..)\s/$1." ".$2." "/ge' | \
text2pcap -e 0x800 - - | tcpdump -Xnnr - 
Input from: Standard input
Output to: Standard output
Generate dummy Ethernet header: Protocol: 0x800
Wrote packet of 54 bytes at 0
Read 1 potential packet, wrote 1 packet
reading from file -, link-type EN10MB (Ethernet)
11:10:08.000000 IP 127.0.0.1 > 127.0.0.1: ICMP echo request, id 23079, seq 512, length 34
    0x0000:  4500 0036 308b 0000 4001 0000 7f00 0001  E..60...@.......
    0x0010:  7f00 0001 0800 89f3 5a27 0200 3173 7432  ........Z'..1st2
    0x0020:  444d 6d65 6765 7473 4153 7461 7262 7563  DMmegetsAStarbuc
    0x0030:  6b73 6361 7264                           kscard

 

And there it is.  An ICMP echo request whose payload says the first to DM him (via twitter) gets a Starbucks card.  So, my response would have been to take the payload and run it through hping3 to create an echo reply packet (or maybe just change the ICMP type from 8 to 0, which would have been even simpler, as long as the ICMP checksum is recomputed too, since it covers the type byte).  Of course, I don't drink coffee, but I suppose my daughter could have used the card.  It turns out that hping3 is how Chris created the original packet anyway, so he probably would have enjoyed getting an echo reply back as the response.  Anyway, he posted about his challenge on his blog, you can find it here: http://ismellpackets.wordpress.com/2009/05/06/packet-challenge/

Keywords: packets

Comments

I did the same thing via http://snarkles.net/scripts/sneak/sneak.php. I copied and pasted the code into the input window and selected "hex to ascii" and got the following:

E��60‹��@�������‰óZ'�1st2DMmegetsAStarbuckscard
Yeah, I know that's only half the picture (that Snarkles doesn't offer header info). :)
