A packet challenge and how I solved it
Yesterday morning (EDT in the US), our friend Chris Christianson twittered the following:
4500 0036 308b 0000 4001 0000 7f00 0001 7f00 0001 0800 89f3 5a27 0200 3173 7432 444d 6d65 6765 7473 4153 7461 7262 7563 6b73 6361 7264
I didn't see it in time to win his little challenge, but I figured I'd throw out how I decoded it and how I would have responded had @quine not already beaten me to it. It was pretty obviously (well, to us packet geeks anyway) an IPv4 packet in hex, so I copied the text and saved it in a text file (though I could have just used echo, but I thought I might want to go back to it) named foocap.txt. Then I ran the following (note, text2pcap is part of the wireshark package, so that and tcpdump both need to be installed on your linux box to do this):
jac@cantor[531]$ cat foocap.txt | perl -pe 'print "000000 ";s/(..)(..)\s/$1." ".$2." "/ge' | \ text2pcap -e 0x800 - - | tcpdump -Xnnr - Input from: Standard input Output to: Standard output Generate dummy Ethernet header: Protocol: 0x800 Wrote packet of 54 bytes at 0 Read 1 potential packet, wrote 1 packet reading from file -, link-type EN10MB (Ethernet) 11:10:08.000000 IP 127.0.0.1 > 127.0.0.1: ICMP echo request, id 23079, seq 512, length 34 0x0000: 4500 0036 308b 0000 4001 0000 7f00 0001 E..60...@....... 0x0010: 7f00 0001 0800 89f3 5a27 0200 3173 7432 ........Z'..1st2 0x0020: 444d 6d65 6765 7473 4153 7461 7262 7563 DMmegetsAStarbuc 0x0030: 6b73 6361 7264 kscard
And there it is. An ICMP echo request that says the first to DM him (via twitter) gets a Starbucks card. So, my response would have been to take the payload and run it through hping3 to create an echo response packet (or maybe just change the ICMP type, that would have been even simpler). Of course, I don't drink coffee, but I suppose my daughter could have used the card. It turns out that (hping3) is how Chris created the original packet anyway, so he probably would have enjoyed getting an echo reply back as the response. Anyway, he posted about his challenge on his blog, you can find it here: http://ismellpackets.wordpress.com/2009/05/06/packet-challenge/
LINUX Incident Response and Threat Hunting | Online | Japan Standard Time | Oct 21st - Oct 26th 2024 |
Comments
E��60‹��@�������‰óZ'�1st2DMmegetsAStarbuckscard
Ron
May 8th 2009
1 decade ago
Ron
May 8th 2009
1 decade ago