Bitfrickler

From Chaostreff Augsburg - Wiki


Project Description

  • 22.11.2009 - Project is not dead ;-) Just needed new protocols / reasons to continue to work on this project
    • I think I will continue work on this project while analyzing VTPv3, GLBP, HSRPv2 packets -- lobo
  • Tool(s) for assisting in reverse engineering (undocumented and proprietary) network protocols
    • for building packet dissectors (not for vulnerability analysis)
  • Based on Python (PyGTK and Glade for the GUI) and, of course, Scapy
  • yadayadayada

Who

Brainstorming

  • Search for known patterns in hexdumps and highlight them
    • IP/MAC Addresses, Usernames, Passwords, Whatever
    • I did that with the OpenOffice Python UNO Bridge before and it's ugly
      • But it worked for me until now ;-)
      • OOghost (WLCCP Protocol Demo)
    • Make highlighting a little bit more configurable
      • highlight only Raw() and Payload() data
      • add an additional TreeView which lists the patterns found in a hexdump
  • GUI for building protocol dissectors
    • mark bytes in hexdump and create a scapy Packet class that way
  • Access packet data via an embedded ipython shell
  • integrate code from the Protocol Informatics project for analyzing packet data
    • Toorcon 2004 Slides: The Protocol Informatics Project - Automating Network Protocol Analysis
    • Paper: Network Protocol Analysis using Bioinformatics Algorithms
  • Ideas are welcome
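The "mark bytes in hexdump and create a scapy Packet class that way" idea, as an added example (not Bitfrickler's code): marked byte ranges are checked for overlaps, gaps are filled with opaque placeholder fields, and the result is emitted as Scapy class source. The Scapy field classes named are real ones from scapy.fields, but the length-to-field mapping, the Mark type and the sample marks are this example's own assumptions; the generated class is a starting point to review, not a finished dissector.

```python
from dataclasses import dataclass

# Field class guessed from the marked length (an assumption of this example,
# not a Scapy rule): 4 bytes might just as well be an IntField, so review it.
FIELD_BY_LENGTH = {1: ("ByteField", "0"), 2: ("ShortField", "0"),
                   4: ("IPField", "None"), 6: ("MACField", "None")}

@dataclass(frozen=True)
class Mark:
    name: str
    offset: int
    length: int
    kind: str = None  # explicit Scapy field class; None means "guess from length"

def layout(total_len, marks):
    """Sort the marks, reject overlaps/out-of-range marks, fill gaps with unknownN."""
    fields, cursor, n = [], 0, 0
    for m in sorted(marks, key=lambda m: m.offset):
        if m.length <= 0 or m.offset < cursor:
            raise ValueError(f"mark {m.name!r} is empty or overlaps a previous mark")
        if m.offset + m.length > total_len:
            raise ValueError(f"mark {m.name!r} runs past the end of the packet")
        if m.offset > cursor:
            fields.append(Mark(f"unknown{n}", cursor, m.offset - cursor, "StrFixedLenField"))
            n += 1
        fields.append(m)
        cursor = m.offset + m.length
    if cursor < total_len:
        fields.append(Mark(f"unknown{n}", cursor, total_len - cursor, "StrFixedLenField"))
    return fields

def field_source(m):
    """One fields_desc entry; unknown lengths are kept as raw fixed-length strings."""
    if m.kind == "StrFixedLenField" or (m.kind is None and m.length not in FIELD_BY_LENGTH):
        return f'StrFixedLenField("{m.name}", b"", length={m.length})'
    cls, default = FIELD_BY_LENGTH[m.length] if m.kind is None else (m.kind, "None")
    return f'{cls}("{m.name}", {default})'

def generate_dissector(class_name, total_len, marks):
    """Return Python source for a Scapy Packet subclass built from the marks."""
    body = ",\n".join("        " + field_source(m) for m in layout(total_len, marks))
    return (
        "from scapy.packet import Packet\n"
        "from scapy.fields import ByteField, IPField, MACField, ShortField, StrFixedLenField\n\n"
        f"class {class_name}(Packet):\n"
        f'    name = "{class_name}"\n'
        "    fields_desc = [\n"
        f"{body}\n"
        "    ]\n"
    )

# Constructed marks for a hypothetical 23-byte payload: MAC, 2 unknown bytes,
# IPv4 address, 5-byte SSID, 6-byte relay node ID (field names are invented).
SAMPLE_MARKS = [
    Mark("wds_master_mac", 0, 6),
    Mark("wds_master_ip", 8, 4),
    Mark("ssid", 12, 5),
    Mark("relay_node_id", 17, 6),
]

if __name__ == "__main__":
    print(generate_dissector("Wlccp", 23, SAMPLE_MARKS))
```

Gaps are kept as StrFixedLenField rather than guessed so that unknown bytes survive a round trip through the dissector unchanged; once a field's meaning is known, it gets its own Mark with an explicit kind.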

Code

  • on Lobo's Notebook
  • I'll put it on Bitbucket after the code is cleaned up. Maybe at #26c3

Pattern file syntax

[Pattern Description]
hexstr = "hex digits of the pattern, without \x prefixes or separators"
str = "human-readable representation of the pattern"
color = "color name used for highlighting the pattern in the hexdump"

Example from reverse engineering Cisco's WLCCP protocol

[MAC WDS-Master AP1]
hexstr = "0011BB2281A2"
str = "00:11:BB:22:81:A2"
color = "green"

[MAC WDS-AP AP2]
hexstr = "000F2480A7D1"
str = "00:0F:24:80:A7:D1"
color = "yellow"

[MAC address 2]
hexstr = "014096FFFFC0"
str = "01:40:96:FF:FF:C0"
color = "blue"

[MAC WLAN Client WinXP]
hexstr = "0013CE9A7568"
str = "00:13:CE:9A:75:68"
color = "blue"

[IP WDS-Master]
hexstr = "C0A80001"
str = "192.168.0.1"
color = "orange"

[IP WDS-AP]
hexstr = "C0A80002"
str = "192.168.0.2"
color = "hot pink"

[Relay Node ID]
hexstr = "00400013ce9a"
str = "00400013ce9a"
color = "blue"

[Software]
hexstr = "536F667477617265"
str = "Software"
color = "blue"

[User phoofus]
hexstr = "70686F6F667573"
str = "phoofus"
color = "blue"

[infrastructureAP]
hexstr = "696E6672617374727563747572654150"
str = "infrastructureAP"
color = "blue"

[infrastructureAP Password]
hexstr = "656B384F6853687573356869636865694E673847"
# have a look at the cisco config
str = "infrastructureAP pwd"
color = "blue"

[IOS Version]
hexstr = "31322E332838294A41"
str = "IOS Release 12.3(8)JA"
color = "blue"

[SSID swlab]
hexstr = "73776C6162"
str = "swlab"
color = "blue"
...
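The pattern file is plain INI syntax, so Python's configparser reads it as-is. As an added example (not Bitfrickler's own code): a loader that rejects malformed hexstr values, a scanner that reports every match in a packet, a text-mode stand-in for the hexdump highlighting, and a helper that derives hexstr from a MAC, IPv4 address or ASCII string so the str and hexstr fields cannot drift apart. The pattern entries are copied from the WLCCP example above; the payload is constructed for the demo and the function names are this example's own.

```python
import configparser
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample pattern file, using entries from the WLCCP example above.
SAMPLE_PATTERNS = """\
[MAC WDS-Master AP1]
hexstr = "0011BB2281A2"
str = "00:11:BB:22:81:A2"
color = "green"

[IP WDS-Master]
hexstr = "C0A80001"
str = "192.168.0.1"
color = "orange"

[Relay Node ID]
hexstr = "00400013ce9a"
# lower-case hex is accepted as well
str = "00400013ce9a"
color = "blue"

[SSID swlab]
hexstr = "73776C6162"
str = "swlab"
color = "blue"
"""

# Constructed payload: WDS-master MAC, two filler bytes, its IP, the SSID, the relay node ID.
SAMPLE_PAYLOAD = (bytes.fromhex("0011BB2281A2") + b"\x00\x01"
                  + bytes.fromhex("C0A80001") + b"swlab" + bytes.fromhex("00400013ce9a"))

@dataclass
class Pattern:
    name: str    # section header, used as the label in the match list
    raw: bytes   # decoded hexstr
    text: str    # the "str" field, human-readable form
    color: str

def load_patterns(text):
    """Parse the INI-style pattern file, rejecting malformed hexstr values."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    patterns = []
    for section in cp.sections():
        hexstr = cp.get(section, "hexstr").strip('"')
        if len(hexstr) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", hexstr):
            raise ValueError(f"[{section}]: hexstr must be an even-length hex string")
        patterns.append(Pattern(section, bytes.fromhex(hexstr),
                                cp.get(section, "str").strip('"'),
                                cp.get(section, "color").strip('"')))
    return patterns

def find_matches(data, patterns):
    """Return (offset, pattern) for every occurrence, overlapping ones included, by offset."""
    hits = []
    for p in patterns:
        start = 0
        while (i := data.find(p.raw, start)) != -1:
            hits.append((i, p))
            start = i + 1
    hits.sort(key=lambda h: h[0])
    return hits

def annotate_hexdump(data, patterns, width=16):
    """Hexdump lines followed by one line per match (text stand-in for the GUI colours)."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hexpart:<{width * 3}} |{ascii_part}|")
    for off, p in find_matches(data, patterns):
        lines.append(f"  @{off:#06x} +{len(p.raw)}: {p.name} = {p.text} [{p.color}]")
    return lines

def hexstr_from_value(value):
    """Derive hexstr from a MAC, dotted IPv4 address or ASCII string."""
    if re.fullmatch(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}", value):
        return value.replace(":", "").upper()
    try:
        return ipaddress.IPv4Address(value).packed.hex().upper()
    except ipaddress.AddressValueError:
        return value.encode("ascii").hex().upper()

if __name__ == "__main__":
    for line in annotate_hexdump(SAMPLE_PAYLOAD, load_patterns(SAMPLE_PATTERNS)):
        print(line)
```

The scanner is a plain byte search, so it matches inside any layer; restricting it to Raw()/Payload() data, as the brainstorming list suggests, means handing it only those bytes rather than the whole frame.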

Screenshots

Image:Bitfrickler-baustelle.jpg

You are right, the colors are ugly ;-)

References

Interesting links about reverse engineering network protocols
