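#!/usr/bin/env nix-shell
#!nix-shell -i bash -p tshark xxd steghide
#
# Carve every file transferred over TFTP in tftp.pcapng into ./out, ROT13-decode
# the two text notes found there, and try one steghide passphrase against the
# carved pictures.
#
# NOTE: tftp.pcapng is big and has been omitted from this listing.
#
# SECURITY: every output filename used below is taken verbatim from the TFTP
# requests in the capture, i.e. it is chosen by whoever sent those requests.
# Each name is reduced to its basename and rejected if it is empty, "." or
# ".." before it is used as a path, so a request for "../../.ssh/authorized_keys"
# cannot write outside ./out. The udp.stream id spliced into a display filter is
# likewise required to be a plain integer.

set -euo pipefail

readonly PCAP="tftp.pcapng"
# Host whose transfers are carved: it is the ip.src of the RRQ/WRQ packets
# (opcode 1/2), i.e. the TFTP client side of the capture.
readonly CLIENT="10.10.10.11"
readonly OUT_DIR="out"

# One entry per read (opcode 1) or write (opcode 2) request sent by the client.
# tshark prints both source_file and destination_file, only one of which is set
# for any given request, so the separating tab is dropped. uniq collapses
# back-to-back retransmissions of the same request (adjacent duplicates only).
mapfile -t FILE_REQS < <( \
  tshark -r "$PCAP" \
    -Y "(ip.src==${CLIENT} && tftp.opcode==1) || (ip.src==${CLIENT} && tftp.opcode==2)" \
    -T fields \
    -e tftp.source_file \
    -e tftp.destination_file \
  | sed 's/\t//' \
  | uniq \
)

# UDP stream ids carrying DATA (opcode 3) or ACK (opcode 4) packets towards the
# client, numerically sorted and de-duplicated.
mapfile -t STREAMS < <( \
  tshark -r "$PCAP" \
    -Y "(ip.dst==${CLIENT} && tftp.opcode==3) || (ip.dst==${CLIENT} && tftp.opcode==4)" \
    -T fields -e udp.stream \
  | sort -nu \
)

if (( ${#FILE_REQS[@]} == 0 )); then
  printf 'no TFTP requests from %s found in %s\n' "$CLIENT" "$PCAP" >&2
  exit 1
fi
# Requests and data streams are paired by position below. That only holds if
# every request opened exactly one transfer, in the same order; warn when the
# counts disagree so a mis-pairing is not silently written to disk.
if (( ${#FILE_REQS[@]} != ${#STREAMS[@]} )); then
  printf 'warning: %d requests but %d data streams; index pairing may be off\n' \
    "${#FILE_REQS[@]}" "${#STREAMS[@]}" >&2
fi

mkdir -p -- "$OUT_DIR"

for i in "${!FILE_REQS[@]}"; do
  FILENAME="${FILE_REQS[$i]}"
  UDP_STREAM="${STREAMS[$i]:-}"

  # Capture-supplied name -> safe basename. Directory components are stripped
  # rather than rejected so a legitimate "dir/file" request still yields "file".
  SAFE_NAME="${FILENAME##*/}"
  if [[ -z "$SAFE_NAME" || "$SAFE_NAME" == "." || "$SAFE_NAME" == ".." ]]; then
    printf 'skipping request with unsafe filename %q\n' "$FILENAME" >&2
    continue
  fi
  # The stream id is interpolated into a tshark display filter; only a bare
  # integer is acceptable there.
  if [[ ! "$UDP_STREAM" =~ ^[0-9]+$ ]]; then
    printf 'no numeric udp.stream paired with %q (got %q), skipping\n' \
      "$FILENAME" "$UDP_STREAM" >&2
    continue
  fi

  printf '%s -> %s\n' "$FILENAME" "$UDP_STREAM"

  # Reassemble the transfer: DATA blocks sent to the client (downloads) plus any
  # packet from the client whose payload is not a 4-byte ACK (uploads). Blocks
  # are concatenated in capture order with no de-duplication by block number,
  # so a retransmitted DATA block would appear twice in the carved file.
  # Two requests for the same name overwrite each other (last one wins).
  tshark -r "$PCAP" \
    -Y "udp.stream==${UDP_STREAM} && ((ip.dst==${CLIENT} && tftp.opcode==3) || (ip.src==${CLIENT} && data.len!=4))" \
    -T fields -e data.data \
    | tr -d '\n' \
    | xxd -r -p > "$OUT_DIR/$SAFE_NAME"
done

# The two text notes are ROT13-encoded; print them decoded.
rot13() { tr 'A-Za-z' 'N-ZA-Mn-za-m'; }
for note in "$OUT_DIR/instructions.txt" "$OUT_DIR/plan"; do
  if [[ -f "$note" ]]; then
    rot13 < "$note"
  else
    printf 'note %q was not carved from the capture\n' "$note" >&2
  fi
done

# NOTE: the carved .deb contained steghide; the working assumption is that the
# decoded plan is the passphrase for one of the pictures. The passphrase is
# passed on the command line and is therefore visible in `ps` while steghide
# runs -- fine for a CTF value, not something to copy for a real secret.
STEGHIDE_PW="DUEDILIGENCE"
for pic in "$OUT_DIR"/picture1.bmp "$OUT_DIR"/picture2.bmp "$OUT_DIR"/picture3.bmp; do
  # A failed extraction is the expected outcome for the pictures that carry no
  # payload, so it is deliberately ignored instead of aborting under set -e.
  steghide extract --stegofile "$pic" --passphrase "$STEGHIDE_PW" ||:
done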