Biz44e
Jun 19, 2021
- After analysing several packets we can conclude that the interesting data is in the ICMP traffic.
- So apply the ICMP filter and start analyzing.
- We can see that the packets from source = 10.30.8.102 to destination = 192.168.42.83 carry some ZIP magic numbers.
- In scapy there are lots of ways to extract the data.
- Here, since the length is different for each packet, we can easily pick out the packets that carry the content.
- To avoid the unwanted chunks, apply a slice to each packet's data to cut them off.
- The ZIP can be identified by looking at its hex (the magic number).
```python
from scapy.all import *

f = rdpcap('bizz.pcap')
b = ''
for i in f[ICMP]:            # keep only the ICMP packets
    # str() of a packet gives the text of its raw bytes; the slice skips the
    # header part and the trailing character, leaving the hex-encoded ZIP data.
    if len(i) == 3528:       # packet 1
        b += str(i)[329:-1]
    if len(i) == 3526:       # packet 2
        b += str(i)[411:-1]
    if len(i) == 3524:       # packet 3
        b += str(i)[451:-1]
with open("final.zip", "wb") as g:   # decode the hex and write the ZIP to disk
    g.write(bytes.fromhex(b))
```
- After running the script we get the ZIP file.
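A sturdier way to do the same carve, added here as an example and not the author's script: instead of hard-coding a slice offset per packet, it parses the pcap with only the standard library, keeps the ICMP payloads between the two hosts above (minus the IP/ICMP headers and any Ethernet padding), locates the ZIP magic number in the hex text, and validates the result with zipfile, so it generalises to any number of packets. The pcap it reads is constructed inline; the real capture is assumed to be Ethernet/IPv4 with a hex-encoded ZIP in the ICMP payloads, as the write-up describes.

```python
import io
import struct
import zipfile

def icmp_payloads(pcap, src, dst):
    """Return the ICMP payload of every IPv4/ICMP frame from src to dst in a classic pcap."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off, out = 24, []  # 24-byte global header, then one 16-byte header per record
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + incl_len], off + 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # need an IPv4 Ethernet frame
            continue
        ip = frame[14:]
        ihl, total = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
        s, d = (".".join(map(str, ip[a:a + 4])) for a in (12, 16))
        if ip[9] == 1 and (s, d) == (src, dst):  # IP protocol 1 is ICMP
            out.append(ip[ihl + 8:total])  # drop IP/ICMP headers and Ethernet padding
    return out

def carve_zip(payloads):
    """Find the ZIP magic number 50 4b 03 04 ("PK") in the payload text and decode the hex after it."""
    text = b"".join(payloads).decode("ascii", "ignore").lower()
    idx = text.find("504b0304")
    try:
        blob = bytes.fromhex("".join(text[idx:].split())) if idx >= 0 else b""
    except ValueError:  # odd length or stray non-hex characters: not a clean carve
        return None
    return blob if zipfile.is_zipfile(io.BytesIO(blob)) else None

def build_pcap(payloads, src, dst):
    """Constructed test data: ICMP echo requests carrying the payloads (checksums left zero)."""
    ip_src, ip_dst = (bytes(int(x) for x in a.split(".")) for a in (src, dst))
    records = b""
    for p in payloads:
        icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + p
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0, ip_src, ip_dst)
        frame = b"\x00" * 12 + b"\x08\x00" + ip + icmp + b"\x00" * 4  # 4 pad bytes to discard
        records += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + records

def demo(src="10.30.8.102", dst="192.168.42.83"):
    """Hide a small ZIP as hex text across three pings, then recover it by its magic number."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("flag.txt", "flag{constructed_sample}")
    h = inner.getvalue().hex()
    chunks = [b"ping-data " + h[:40].encode(), h[40:90].encode(), h[90:].encode()]
    blob = carve_zip(icmp_payloads(build_pcap(chunks, src, dst), src, dst))
    return zipfile.ZipFile(io.BytesIO(blob)).read("flag.txt").decode()
```

On a real capture, pass the bytes of the pcap file to icmp_payloads with the two addresses and feed the result to carve_zip; a None result means the carve was truncated or picked up non-hex data.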
PCAP File — Script — Zip File — PNG File