huge commit
This commit is contained in:
38
2026/cscg/forensics/slippery-slope/decrypt_packets.py
Normal file
38
2026/cscg/forensics/slippery-slope/decrypt_packets.py
Normal file
@@ -0,0 +1,38 @@
|
||||
#!/usr/bin/env python3
|
||||
from Crypto.Cipher import AES
|
||||
from scapy.all import rdpcap
|
||||
from scapy.compat import raw
|
||||
|
||||
DATA_FRAME_KEY = bytes.fromhex("0f8278e73cb3d132d33fb84bea24288f")
|
||||
|
||||
def decrypt_data_frame(raw_frame: bytes, key: bytes) -> bytes:
|
||||
# Data payload starts at 0x45 same as advertisement
|
||||
payload = raw_frame[0x45:]
|
||||
|
||||
# Same nonce layout: 4-byte nonce at offset 0x24, encrypted data after 0x28
|
||||
nonce_bytes = payload[0x24:0x28]
|
||||
encrypted = payload[0x28:]
|
||||
|
||||
ctr_nonce = nonce_bytes + b'\x00' * 8
|
||||
cipher = AES.new(key, AES.MODE_CTR, nonce=ctr_nonce, initial_value=1)
|
||||
return cipher.decrypt(encrypted)
|
||||
|
||||
packets = rdpcap("./capture.pcapng")
|
||||
|
||||
for i, pkt in enumerate(packets):
|
||||
raw_bytes = raw(pkt)
|
||||
|
||||
# Skip packets that are too short or look like advertisement frames
|
||||
# You may need to adjust this filter for your capture
|
||||
if len(raw_bytes) < 0x45 + 0x28:
|
||||
continue
|
||||
|
||||
try:
|
||||
decrypted = decrypt_data_frame(raw_bytes, DATA_FRAME_KEY)
|
||||
print(f"[Packet {i}] Decrypted ({len(decrypted)} bytes):")
|
||||
print(f" type: {decrypted[0:2].hex()}")
|
||||
print(f" length: {int.from_bytes(decrypted[2:4], 'little')}")
|
||||
print(f" payload: {decrypted[4:].hex()}")
|
||||
print()
|
||||
except Exception as e:
|
||||
print(f"[Packet {i}] Failed: {e}")
|
||||
Reference in New Issue
Block a user