A packet challenge and how I solved it - isc

Huh, apparently a challenge like this was going around on Twitter, and the task was "analyze this!"

Honestly, I can't make sense of it from this alone...

Yesterday morning (EDT in the US), our friend Chris Christianson twittered the following:

4500 0036 308b 0000 4001 0000 7f00 0001 7f00 0001 0800 89f3 5a27 0200 3173 7432 444d 6d65 6765 7473 4153 7461 7262 7563 6b73 6361 7264

I didn't see it in time to win his little challenge, but I figured I'd throw out how I decoded it and how I would have responded had @quine not already beaten me to it. It was pretty obviously (well, to us packet geeks anyway) an IPv4 packet in hex, so I copied the text and saved it in a text file (though I could have just used echo, but I thought I might want to go back to it) named foocap.txt. Then I ran the following (note, text2pcap is part of the Wireshark package, so that and tcpdump both need to be installed on your Linux box to do this):

InfoSec Handlers Diary Blog - A packet challenge and how I solved it

The answer is apparently the following, and it turns out hping3 lets you specify the payload contents!

First, I created the payload for the packet. I did this by placing some text in a file using the following command:

echo 1st2DMmegetsAStarbuckscard > payload.txt

Next, I used a tool called Hping to craft the packet:

hping3 --icmp --file payload.txt --data 26 127.0.0.1

In the above command, the --icmp option instructs hping to create an ICMP packet. The --file option specifies a file to be used as the payload. Next, the --data option tells hping how many bytes of data are in the payload. In this case, it's 26 bytes of data. Finally, there is the destination IP address, which is 127.0.0.1.

To capture the packet, I ran a sniffer called tcpdump:

tcpdump -i lo0 -X -s0

Here is the packet in hex:

4500 0036 308b 0000 4001 0000 7f00 0001 7f00 0001 0800 89f3 5a27 0200 3173 7432 444d 6d65 6765 7473 4153 7461 7262 7563 6b73 6361 7264

Packet Challenge | I Smell Packets
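
The hex string can also be decoded by hand, without text2pcap or tcpdump. The following is an added example, not code from either quoted post: it parses the IPv4 and ICMP headers of the challenge bytes, verifies both Internet checksums, and extracts the payload. The function names `inet_checksum_ok` and `decode_ipv4_icmp` are made up for this illustration.

```python
import struct

# The hex string exactly as posted in the challenge (copied from this page).
CHALLENGE_HEX = (
    "4500 0036 308b 0000 4001 0000 7f00 0001 7f00 0001 0800 89f3 5a27 0200 "
    "3173 7432 444d 6d65 6765 7473 4153 7461 7262 7563 6b73 6361 7264"
)

def inet_checksum_ok(data: bytes) -> bool:
    """RFC 1071: a region that includes a correct checksum sums to 0xFFFF."""
    if len(data) % 2:
        data += b"\x00"              # pad odd-length data with a zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:               # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def decode_ipv4_icmp(hex_text: str) -> dict:
    """Decode a hex-encoded IPv4 packet that carries an ICMP message."""
    raw = bytes.fromhex(hex_text)    # bytes.fromhex skips the spaces
    if len(raw) < 20:
        raise ValueError("too short for an IPv4 header")
    ver_ihl, _tos, total_len, ident, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or total_len > len(raw) or total_len < ihl + 8:
        raise ValueError("not a complete IPv4 packet")
    if proto != 1:
        raise ValueError(f"protocol {proto} is not ICMP")
    icmp = raw[ihl:total_len]        # trust the length field, not the dump size
    icmp_type, code, _icsum, icmp_id, seq = struct.unpack("!BBHHH", icmp[:8])
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "ttl": ttl, "ip_id": ident, "total_len": total_len,
        "ip_checksum_ok": inet_checksum_ok(raw[:ihl]),
        "icmp_type": icmp_type, "icmp_code": code,
        "icmp_id": icmp_id, "icmp_seq": seq,
        "icmp_checksum_ok": inet_checksum_ok(icmp),
        "payload": icmp[8:],
    }

if __name__ == "__main__":
    for key, value in decode_ipv4_icmp(CHALLENGE_HEX).items():
        print(f"{key:17} {value}")
```

For the challenge bytes, the ICMP checksum 0x89f3 verifies, while the IPv4 header checksum field is 0x0000 and does not.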
