CREATIVE CHAOS blog
This is my write-up of a Networking challenge Error Reporting Protocol on the CTF site 247CTF.com.
Can you identify the flag hidden within the error messages of this ICMP traffic?
There is a whole world of data hiding inside ICMP traffic, there are even solutions to push whole internet access via ICMP traffic.
Open the tcpdump in Wireshark. We can se “JFIF” in the data part of the responses, so we assume JPEG image.
Delete the first entry, as that is the request, we need only the responses from server and save it back.
It is time to parse the tcpdump, remove the header and only output the data part, you can use modified script from here:
import dpkt input=file("error_reporting.pcap", "rb") # We are going to extract all ICMP payloads and concatenate them in one file, # and see what happens: output=open("output.jpg", "w") pcap=dpkt.pcap.Reader(input) for ts, buf in pcap: eth=dpkt.ethernet.Ethernet(buf) if (eth.type != 2048): # 2048 is the code for IPv4 continue ip=eth.data icmp=ip.data # The parsed packets in the dpkt.pcap.Reader contains two members: "ts" and "buf". # The member "ts" is just the timestamp which lived in the packet when captured # by Wireshark; it is the clock when captured this packet. The member "buf" holds # the real packet data captured by capture tool, it's the raw traffic data. if (ip.p==dpkt.ip.IP_PROTO_ICMP) and len(icmp.data.data)>0: try: print icmp.data.data output.write(icmp.data.data) except: print 'Error extracting ICMP payload data from this packet.' continue input.close() output.close()
$ open output.jpg