#!/usr/bin/env nix-shell
#!nix-shell -i bash -p tshark xxd steghide
# NOTE: tftp.pcapng is large and has been omitted
# Collect the file name from every TFTP read request (opcode 1) and write
# request (opcode 2) sent by 10.10.10.11, one name per array element.
# Both name fields are printed tab-separated; presumably only one is set per
# request, so dropping the first tab leaves the bare name. uniq then
# collapses adjacent repeats only.
# The names are data read from the capture, not values chosen by this script.
mapfile -t FILE_REQS < <(
  tshark -r tftp.pcapng -T fields \
    -e tftp.source_file \
    -e tftp.destination_file \
    -Y "(ip.src==10.10.10.11 && tftp.opcode==1) || (ip.src==10.10.10.11 && tftp.opcode==2)" |
    sed 's/\t//' |
    uniq
)
# List the UDP stream indexes that contain TFTP DATA (opcode 3) or ACK
# (opcode 4) packets addressed to 10.10.10.11, sorted numerically with
# duplicates removed, one index per array element.
mapfile -t STREAMS < <(
  tshark -r tftp.pcapng -T fields -e udp.stream \
    -Y "(ip.dst==10.10.10.11 && tftp.opcode==3) || (ip.dst==10.10.10.11 && tftp.opcode==4)" |
    sort -n -u
)
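#######################################
# Reduce a file name taken from the capture to a single path component.
# TFTP file names are data from the capture, so a name such as
# "../../x" or "/etc/x" must not decide where this script writes.
# Arguments: $1 - file name as reported by tshark
# Outputs:   the last path component on stdout
# Returns:   0 on success, 1 if nothing usable is left ("", "." or "..")
#######################################
safe_out_name() {
  local name=${1##*/}
  case "$name" in
    '' | . | ..) return 1 ;;
  esac
  printf '%s\n' "$name"
}

mkdir -p out

# Requests and streams are paired purely by array index, which assumes the
# capture's request order matches the numeric stream order. A count mismatch
# means that assumption is already broken, so say so instead of silently
# writing payloads under the wrong names.
if (( ${#FILE_REQS[@]} != ${#STREAMS[@]} )); then
  printf 'warning: %d file names but %d streams; pairing by index may be wrong\n' \
    "${#FILE_REQS[@]}" "${#STREAMS[@]}" >&2
fi

for i in "${!FILE_REQS[@]}"; do
  FILENAME="${FILE_REQS[$i]}"
  UDP_STREAM="${STREAMS[$i]:-}"

  # The stream index is interpolated into a display filter below; accept
  # digits only and skip entries that have no stream at all.
  if [[ ! "$UDP_STREAM" =~ ^[0-9]+$ ]]; then
    printf 'skipping %q: no usable UDP stream index\n' "$FILENAME" >&2
    continue
  fi

  # Confine the output path to out/ regardless of what the capture says.
  if ! OUT_NAME=$(safe_out_name "$FILENAME"); then
    printf 'skipping %q: not usable as an output file name\n' "$FILENAME" >&2
    continue
  fi

  echo "$FILENAME -> $UDP_STREAM"

  # Dump the payload bytes of the stream as hex, join the per-packet lines,
  # and turn the hex back into binary. The second filter arm presumably
  # excludes 4-byte ACK payloads sent by 10.10.10.11 -- TODO confirm.
  tshark -r tftp.pcapng \
    -Y "udp.stream==$UDP_STREAM && ((ip.dst==10.10.10.11 && tftp.opcode==3) || (ip.src==10.10.10.11 && data.len!=4))" \
    -T fields -e data.data |
    tr -d '\n' |
    xxd -r -p > "out/$OUT_NAME"
done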
# NOTE: the deb file contained steghide, assuming the plan is the passphrase for one of the pics
# Print the two extracted text files with every ASCII letter rotated by
# 13 places (ROT13); all other characters pass through unchanged.
for encoded in out/instructions.txt out/plan; do
  tr 'A-Za-z' 'N-ZA-Mn-za-m' < "$encoded"
done
# Passphrase to try against each extracted picture.
# NOTE(review): it is passed on the command line, so it is visible in the
# process list while steghide runs.
STEGHIDE_PW="DUEDILIGENCE"

# Try every picture in turn; "|| :" discards a failed extraction so the
# remaining pictures are still attempted.
for stego in out/picture1.bmp out/picture2.bmp out/picture3.bmp; do
  steghide extract --stegofile "$stego" --passphrase "$STEGHIDE_PW" || :
done