Files
ctf/2026/cscg/forensics/slippery-slope/decrypt_packets.py
2026-03-09 21:44:25 +01:00

39 lines
1.3 KiB
Python

#!/usr/bin/env python3
from Crypto.Cipher import AES
from scapy.all import rdpcap
from scapy.compat import raw
DATA_FRAME_KEY = bytes.fromhex("0f8278e73cb3d132d33fb84bea24288f")
def decrypt_data_frame(raw_frame: bytes, key: bytes) -> bytes:
# Data payload starts at 0x45 same as advertisement
payload = raw_frame[0x45:]
# Same nonce layout: 4-byte nonce at offset 0x24, encrypted data after 0x28
nonce_bytes = payload[0x24:0x28]
encrypted = payload[0x28:]
ctr_nonce = nonce_bytes + b'\x00' * 8
cipher = AES.new(key, AES.MODE_CTR, nonce=ctr_nonce, initial_value=1)
return cipher.decrypt(encrypted)
packets = rdpcap("./capture.pcapng")
for i, pkt in enumerate(packets):
raw_bytes = raw(pkt)
# Skip packets that are too short or look like advertisement frames
# You may need to adjust this filter for your capture
if len(raw_bytes) < 0x45 + 0x28:
continue
try:
decrypted = decrypt_data_frame(raw_bytes, DATA_FRAME_KEY)
print(f"[Packet {i}] Decrypted ({len(decrypted)} bytes):")
print(f" type: {decrypted[0:2].hex()}")
print(f" length: {int.from_bytes(decrypted[2:4], 'little')}")
print(f" payload: {decrypted[4:].hex()}")
print()
except Exception as e:
print(f"[Packet {i}] Failed: {e}")