Biz44e

S Abhishek
2 min readJun 19, 2021

--

  • After analysing several packets we can conclude that there is something to be done with ICMP.
  • So apply the ICMP filter and start analyzing.
  • We can see that packets from the source = 10.30.8.102 and destination = 192.168.42.83 has some ZIP Magic Numbers.
  • In scapy there are lots of ways to extract the data.
  • Here since the length is different for each packet we can easily extract the content.
  • Here to avoid he unwanted chunks apply some filter to slice them.
  • It can be indentified by seeing the hex of the ZIP.
from scapy.all import *f=rdpcap('bizz.pcap')
b = ''
for i in f[ICMP]: # Filter ICMP Packets
if len(i) == 3528: # Filter Packet 1
b+=str(i)[329:-1] # To Avoid Unwanted hex chunks slice the output
if len(i) == 3526: # Filter Packet 2
b+=str(i)[411:-1] # To Avoid Unwanted hex chunks slice the output
if len(i) == 3524: # Filter Packet 3
b+=str(i)[451:-1] # To Avoid Unwanted hex chunks slice the output

with open("final.zip", "wb") as g: # Write to the File
g.write(bytes.fromhex(b))
g.close()
  • After compliling and running the script we shall get the ZIP file.

PCAP File — Script — Zip File — PNG File

--

--

S Abhishek

Data Engineer Intern @Rolls-Royce | Computer Science Undergraduate | Amrita Vishwa Vidyapeetham | Former Member of security research & CTF team — @teambi0s.