39 lines
1.3 KiB
Python
39 lines
1.3 KiB
Python
#!/usr/bin/env python3
|
|
from Crypto.Cipher import AES
|
|
from scapy.all import rdpcap
|
|
from scapy.compat import raw
|
|
|
|
DATA_FRAME_KEY = bytes.fromhex("0f8278e73cb3d132d33fb84bea24288f")
|
|
|
|
def decrypt_data_frame(raw_frame: bytes, key: bytes) -> bytes:
|
|
# Data payload starts at 0x45 same as advertisement
|
|
payload = raw_frame[0x45:]
|
|
|
|
# Same nonce layout: 4-byte nonce at offset 0x24, encrypted data after 0x28
|
|
nonce_bytes = payload[0x24:0x28]
|
|
encrypted = payload[0x28:]
|
|
|
|
ctr_nonce = nonce_bytes + b'\x00' * 8
|
|
cipher = AES.new(key, AES.MODE_CTR, nonce=ctr_nonce, initial_value=1)
|
|
return cipher.decrypt(encrypted)
|
|
|
|
packets = rdpcap("./capture.pcapng")
|
|
|
|
for i, pkt in enumerate(packets):
|
|
raw_bytes = raw(pkt)
|
|
|
|
# Skip packets that are too short or look like advertisement frames
|
|
# You may need to adjust this filter for your capture
|
|
if len(raw_bytes) < 0x45 + 0x28:
|
|
continue
|
|
|
|
try:
|
|
decrypted = decrypt_data_frame(raw_bytes, DATA_FRAME_KEY)
|
|
print(f"[Packet {i}] Decrypted ({len(decrypted)} bytes):")
|
|
print(f" type: {decrypted[0:2].hex()}")
|
|
print(f" length: {int.from_bytes(decrypted[2:4], 'little')}")
|
|
print(f" payload: {decrypted[4:].hex()}")
|
|
print()
|
|
except Exception as e:
|
|
print(f"[Packet {i}] Failed: {e}")
|