It’s Complicated My Pal

S Abhishek
Jun 19, 2021

--

  • After analyzing several packets we can conclude that there is something to be done with ICMP.
  • So apply the ICMP filter and start analyzing.
  • We can see that packets from the source = 192.168.1.200 has some ZIP Magic Numbers.
  • In scapy there are lots of ways to extract the data.
  • We can see that the hex values of the ZIP start from the hex position x002A in all ICMP packets.
  • The Bytes Equivalent of Hex = x002A is 42 Bytes.
  • So slice the rest of the chunks.
  • It can be indentified by seeing the hex of the ZIP.
  • After compiling and running the script we shall get the ZIP file.
  • But it's Password Protected.
  • So using Frackzip we shall crack the Password.
Password --> craccer

PCAP File

Script

Zip File

JPG File

--

--

S Abhishek

Data Engineer Intern @Rolls-Royce | Computer Science Undergraduate | Amrita Vishwa Vidyapeetham | Former Member of security research & CTF team — @teambi0s.