def chiffrement(message, i, nb_frag): arp = rdpcap(CAPFILE_CLAIR)[0] # On extrait l iv du message et on le concatene avec notre cle pour creer notre seed (pour l algo RC4) seed = arp.iv + key #Calcul CRC crc_msg = binascii.crc32(message) # on concatene le message et l icv pour avoir le message a chiffrer message_a_chiffrer = message + struct.pack('<i', crc_msg) # on chiffre le message avec rc4 message_chiffre = rc4.rc4crypt(message_a_chiffrer, seed) # "le ICV est les derniers 4 octets - je le passe en format Long big endian" icv_chiffre = message_chiffre[-4:] (icv_numerique, ) = struct.unpack('!L', icv_chiffre) # le message chiffre sans le ICV text_chiffre = message_chiffre[:-4] #Ajout des champs avec texte chiffré, ICV et numéro de fragment arp.wepdata = text_chiffre arp.icv = icv_numerique arp.SC = i #Repérer dernier fragment if i != nb_frag - 1: arp.FCfield = arp.FCfield | 0x4 return arp
def crypt(data, cap): # Calcul de l'icv icv = struct.pack('<i', binascii.crc32(data)) # fragment + icv data_bloc = data + icv # seed seed = cap.iv + key # encryption return rc4.rc4crypt(data_bloc, seed)
def encryption(fragment, arp ,key = '\xaa\xaa\xaa\xaa\xaa'): # on calcule le icv (A.K.A CRC 32) et on le converti en unsigned int little-endian # To generate the same numeric value across all Python versions and platforms use crc32(data) & 0xffffffff. icv = binascii.crc32(fragment) & 0xffffffff icv_clair = struct.pack('<I', icv) # on ajoute l'icv au fragment pour le donner en input de RC4 fragment_clair = fragment+icv_clair # on garde la meme seed seed = arp.iv + key # chiffrement rc4 return rc4.rc4crypt(fragment_clair,seed)
def encrypt(arp, data, key): seed = arp.iv + key arp.icv = crc32(data) # The crypt process works on data and icv concatenated plain_message = data + arp.icv # Crypt the data and icv cipher = rc4.rc4crypt(plain_message, seed) # Gather the for last bytes containg the cryped icv and converts it to an integer arp.icv = struct.unpack('!L', cipher[-4:])[0] # Wep data is all the cryped datas without the last four bytes(icv) arp.wepdata = cipher[:-4]
import binascii import rc4 #Cle wep AA:AA:AA:AA:AA key = '\xaa\xaa\xaa\xaa\xaa' arp = rdpcap('arp.cap')[0] # rc4 seed est composé de IV+clé seed = arp.iv + key #message with 36 chars message = "A new message ! A new message ! A nr" # create the ICV icv = struct.pack('<l', binascii.crc32(message)) # concat message and icv plaintext = message + icv print(plaintext) # encrypt the plaintext message_crypted = rc4.rc4crypt(plaintext, seed) # set the data arp.wepdata = message_crypted[:-4] # set the icv icv = struct.unpack('!L', message_crypted[-4:])[0] arp.icv = icv arp.show() # store new request wrpcap("encrypt.cap", arp)
# Création de l'icv icv=(binascii.crc32(plaintxt) & 0xFFFFFFFF) print "Base ICV: " + str(icv) # Converstion de l'icv en littleEndian icv_LittleEndian=struct.pack('<L', icv) print "ICV littleEndian: " + icv_LittleEndian.encode("hex") # Le flux à chiffrer composé de l'icv du bloc et du message en clair streamClearTxt = plaintxt + icv_LittleEndian # Chiffrement à l'aide de rc4 encryptedTxt=rc4.rc4crypt(streamClearTxt,seed) print "Encrypted Text Msg: " + encryptedTxt.encode("hex") # MAJ contenu msg chiffré (msg + icv) arp.wepdata = encryptedTxt[:-4] # MAJ contenu ICV (icv chiffré) icv_chiff = encryptedTxt[-4:] # Construit valeur numérique de l'ICV chiffrée (arp.icv,) = struct.unpack('!L', icv_chiff) wrpcap('exo2.pcap',arp, append=False) print "Output created : exo2.pcap"
arp = rdpcap('arp.cap')[0] # creation du message a chiffre message = "Salut Adaaaaaaaaaaaaaaaaaaaaaaaaaaam" # on calcule le icv (A.K.A CRC 32) et on le converti en unsigned int little-endian # To generate the same numeric value across all Python versions and platforms use crc32(data) & 0xffffffff. icv = binascii.crc32(message) & 0xffffffff icv_clair = struct.pack('<I', icv) # on ajoute l'icv au message pour le donner en input de RC4 message_clair = message + icv_clair # on garde la meme seed seed = arp.iv + key # chiffrement rc4 ciphertext = rc4.rc4crypt(message_clair, seed) print "ciphertext : " + ciphertext.encode("hex") print "icv_encrypted : " + ciphertext[-4:].encode("hex") # on recupere le icv chiffre (4 derniers bytes) et le convertit en Long big endian (icv_num, ) = struct.unpack('!L', ciphertext[-4:]) # on met a jour le icv ainsi que le message chiffre arp.icv = icv_num arp.wepdata = ciphertext[:-4] wrpcap('arpv2.cap', arp)
def hex0rcrypt(data, key): crypt = rc4.rc4crypt(data, key) return "z" + binascii.hexlify(crypt)
#Cle wep AA:AA:AA:AA:AA key = '\xaa\xaa\xaa\xaa\xaa' #Fichier de sortie .cap output = "output.cap" #Message secret plaintext = "Hello World !" #lecture de message chiffré - rdpcap retourne toujours un array, même si la capture contient un seul paquet arp = rdpcap('arp.cap')[0] # rc4 seed est composé de IV+clé seed = arp.iv + key #Calcule l'ICV sur 4 bytes et l'ajoute au texte icv_enclair = struct.pack('<i', binascii.crc32(plaintext)) plaintext = plaintext + icv_enclair #Chiffre le message ciphertext = rc4.rc4crypt(plaintext, seed) #Recupère et stock l'ICV chiffré (arp.icv, ) = struct.unpack('!L', ciphertext[-4:]) #Envoie le message sans l'ICV arp.wepdata = ciphertext[:-4] #Genère le fichier wrpcap(output, arp)
key = '\xaa\xaa\xaa\xaa\xaa' # setting plain text with 36 chars quotation = "How strange that all you have to do sometimes to meet somebody is walk up to their house and ring a doorbell, and magically they appear as if from nowhere." fragments = [quotation[0:36], quotation[36:72], quotation[72:108]] arps = [] for index in range(0, len(fragments)): arp = rdpcap('arp.cap')[0] ##1. compute ICV of fragment icv = binascii.crc32(fragments[index]) icv = struct.pack("<i", icv) ##2. seed -> (RC4) = keystream ##3. keystream XOR (fragment + ICV) = cipher cipher = rc4.rc4crypt(fragments[index] + icv, arp.iv + key) ##4. add fields arp.wepdata = cipher[:-4] (arp.icv, ) = struct.unpack("!L", cipher[-4:]) # setting fragment counter arp.SC = index # if last fragment, no more fragments after if (index != len(fragments) - 1): # setting more fragments flag to 1 arp.FCfield = arp.FCfield | 0x04 arps.append(arp) ###5. forge cap file wrpcap("fragmentsForged.cap", arps)
#fragmentation du message en 3 wep_data_fragmented = [plain_wep_data[i:i+len(plain_wep_data)/3] for i in range(0, len(plain_wep_data), len(plain_wep_data)/3)] ICV_list = [] #seed pour le chiffrement seed = IV + key # on effectue toute les opération nécessaire pour chaque fragment for i in range (0, len(wep_data_fragmented)) : ICV = binascii.crc32(wep_data_fragmented[i]) ICV = struct.pack('<i', ICV) #chiffrement du fragment wep_data_fragmented[i] = wep_data_fragmented[i] + ICV wep_data_fragmented[i] = rc4.rc4crypt(wep_data_fragmented[i], seed) #exctraction de l'ICV icv_encrypted=wep_data_fragmented[i][-4:] (numerical_icv,)=struct.unpack('!L', icv_encrypted) ICV_list.insert(len(ICV), numerical_icv) #exctraction du message sans ICV wep_data_fragmented[i] = wep_data_fragmented[i][:-4] print 'Generating the pcap...' #modification du paquet pris en template #writer afin de générer le pcap pktdump = PcapWriter("fragmented.pcap", append=True, sync=True)
# wep key AA:AA:AA:AA:AA key='\xaa\xaa\xaa\xaa\xaa' # We read the original encrypted message from the wireshark file - rdpcap always returns an array, even if the pcap only contains one frame arp = rdpcap('arp.cap')[0] # Construct the seed seed = arp.iv+key # Set the message message = 'Hello sadness' # Compute the ICV icv = crc32(message) & 0xffffffff icv = struct.pack('<L', icv) #Encrypt the data message_encrpyted = rc4.rc4crypt(message+str(icv), seed) # Edit the packet arp.icv = struct.unpack('!L', message_encrpyted[-4:])[0] arp.wepdata = message_encrpyted[:-4] #Write the pdacket wrpcap('newarp.pcap', arp) print 'Encrypted Message: ' + arp.wepdata.encode("hex")
# The message that I want to encrypt message = "SU 2019".ljust(36, '\0')[:36] # ICV icv = binascii.crc32(message) & 0xffffffff to_enc_icv = struct.pack('<L', icv) # msg + icv to_encrypt = message + to_enc_icv # IV iv = arp.iv # The rc4 seed is composed by the IV+key seed = iv + key #to_encrypt = message+icv encrypted = rc4.rc4crypt(to_encrypt, seed) #restructuring the ICV icv_num = encrypted[-4:] icv_num, = struct.unpack('!L', icv_num) #forging the packet arp.wepdata = encrypted[:-4] arp.icv = icv_num #writing the pcap file wrpcap('su19.cap', arp)
# Take the data to send from the user input data = raw_input("Please enter a message of length below 37 bytes:\n").ljust( 36, '\0')[:36] # Define the icv by computing the crc32 of the data and keeping only the last 4 bytes icv = crc32(data) & 0xffffffff # Encrypt the icv as little-endian long icv_enc = struct.pack('<L', icv) # Construct the message (cleartext) message = data + icv_enc # Encrypt this message with rc4 with the seed being iv|wepkey message_enc = rc4.rc4crypt(message, seed) # Get the encrypted icv from the (encrypted) message icv_enc = message_enc[-4:] # Unpack it as big-endian long icv_numerique, = struct.unpack('!L', icv_enc) # Get the encrypted data from the (encrypted) message text_encrypted = message_enc[:-4] # Complete the packet arp.wepdata = text_encrypted arp.icv = icv_numeriqu # Saving it in a pcap file wrpcap('arp_custom.cap', arp)
arp = rdpcap('arp.cap')[0] # rc4 seed est composé de IV+clé seed = arp.iv + key # Calcul du nouvel ICV en effectuant un CRC du message # l'instruction & 0xffffffff permet de toujours retourner un icv positif icv = binascii.crc32(message) & 0xffffffff # Conversion de l'ICV au format int icv_int = struct.pack('I', icv) # Concaténation du message et de l'ICV message_clear = message + icv_int # Calcul du frame body en faisant keystream xor message_clear cryptedText = rc4.rc4crypt(message_clear, seed) # Récupération de l'ICV crypté icv_crypted = cryptedText[-4:] (icv_numerique, ) = struct.unpack('!L', icv_crypted) # Récupération du message crypté text_crypte = cryptedText[:-4] # Remplacement du wepData par le message crypté arp.wepdata = text_crypte # Remplacement de l'icv par l'icv crypté arp.icv = icv_numerique # Affichage de quelques information
import rc4 #Cle wep AA:AA:AA:AA:AA key='\xaa\xaa\xaa\xaa\xaa' #lecture de message chiffré - rdpcap retourne toujours un array, même si la capture contient un seul paquet arp = rdpcap('arp.cap')[0] # rc4 seed est composé de IV+clé seed = arp.iv+key # recuperation de icv dans le message (arp.icv) (en chiffre) -- je passe au format "text". Il y a d'autres manières de faire ceci... icv_encrypted='{:x}'.format(arp.icv).decode("hex") # text chiffré y-compris l'icv message_encrypted=arp.wepdata+icv_encrypted # déchiffrement avec rc4 cleartext=rc4.rc4crypt(message_encrypted,seed) # le ICV est les derniers 4 octets - je le passe en format Long big endian icv_enclair=cleartext[-4:] (icv_numerique,)=struct.unpack('!L', icv_enclair) # le message sans le ICV text_enclair=cleartext[:-4] print 'Text: ' + text_enclair.encode("hex") print 'icv: ' + icv_enclair.encode("hex") print 'icv(num): ' + str(icv_numerique)
#Cle wep AA:AA:AA:AA:AA key = '\xaa\xaa\xaa\xaa\xaa' # On recupere un message qui va nous servir de base arp = rdpcap(CAPFILE_CLAIR)[0] # On extrait l iv du message et on le concatene avec notre cle pour creer notre seed (pour l algo RC4) seed = arp.iv + key crc_msg = binascii.crc32(MESSAGE) # on concatene le message et l icv pour avoir le message a chiffrer message_a_chiffrer = MESSAGE + struct.pack('<i', crc_msg) # on chiffre le message avec rc4 message_chiffre = rc4.rc4crypt(message_a_chiffrer, seed) # "le ICV est les derniers 4 octets - je le passe en format Long big endian" icv_chiffre = message_chiffre[-4:] (icv_numerique, ) = struct.unpack('!L', icv_chiffre) # le message chiffre sans le ICV text_chiffre = message_chiffre[:-4] #Vérification des entrées et sorties print("Message clair = " + message_a_chiffrer.encode("hex")) print("Texte clair = " + MESSAGE.encode("hex")) print("Message chiffré = " + message_chiffre.encode("hex")) print("Texte chiffré = " + text_chiffre.encode("hex")) arp.wepdata = text_chiffre
# rc4 seed est composé de IV+clé seed = arp.iv + key # le texte en clair text_en_clair = 'Suspendisse quis neque a risus amet.' # calcul de l'icv icv = binascii.crc32(text_en_clair) # Ivc en big endian icv_big_endian = struct.pack('<i', icv) # Chiffrement avec rc4 text_rc4 = text_en_clair + icv_big_endian encrypted_text = rc4.rc4crypt(text_rc4, seed) # extraction du message sans icv arp.wepdata = encrypted_text[:-4] # le ICV est les derniers 4 octets - je le passe en format Long big endian icv_encrypted = encrypted_text[-4:] # Ivc en big endian (icv_numerique, ) = struct.unpack('!L', icv_encrypted) # le message sans le ICV text_enclair = text_en_clair[:-4] #modification du champ icv arp.icv = icv_numerique
from base64 import b32encode from string import translate, maketrans from rc4 import rc4crypt import sys key = "abcd" msg = "" for line in sys.stdin: msg += line # remove final newlines msg = msg.strip() # pad msg with spaces to 5 byte boundary to avoid '===' if len(msg) % 5: msg += ' ' * (5 - len(msg) % 5) crypt = rc4crypt(msg, key) b32crypt = b32encode(crypt) remapped = translate(b32crypt, maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "3:5[9&2^]{7}*<-8@=4(6#!>|)0+;1$%")) print "msg: %s (size=%d)" % (msg, len(msg)) print "crypt: %s" % [ord(i) for i in crypt] print "b32crypt: %s" % b32crypt print "remapped: %s (size %d)" % (remapped, len(remapped)) print print 'q*s = "%s";' % remapped
Sender_ip = '\xc0\xa8\x01\xc8' Target_mac = '\x90\x27\xe4\xea\x61\xf2' Target_ip = '\xc0\xa8\x01\x64' plain_wep_data = LLC_header + Hardware_type + Prot + Hardware_size + Prot_size + Opcode + Sender_mac + Sender_ip + Target_mac + Target_ip seed = IV + key # calcul de l'ICV du message et concatenation de celui-ci avec le message en clair ICV = binascii.crc32(plain_wep_data) ICV = struct.pack('<i', ICV) plain_wep_data_with_ICV = plain_wep_data + ICV #chiffrement du texte cipher_wep_data_with_ICV = rc4.rc4crypt(plain_wep_data_with_ICV, seed) # le ICV correspond aux 4 derniers octets - on le passe en format Long big endian icv_encrypted=cipher_wep_data_with_ICV[-4:] (numerical_icv,)=struct.unpack('!L', icv_encrypted) # le message sans le ICV cipher_wep_data=cipher_wep_data_with_ICV[:-4] print 'Generating the ARP packet...' #modification du paquet pris en template forged_arp = arp forged_arp.icv = numerical_icv forged_arp.wepdata = cipher_wep_data
# We read the original encrypted message from the wireshark file - rdpcap always returns an array, # even if the pcap only contains one frame arp = rdpcap('arp.cap')[0] # We create a new message. message = "Encrypt me please" # We use CRC-32 to calculate the ICV and we cast it in unsigned long # Thank to Filipe Fortunato to show us that the result of the crc32 function was too long. icvMessage = zlib.crc32(message) & 0xffffffff # We generate the full "Payload" payload = message + struct.pack('<L', icvMessage) # We kept the old way to calculate the seed. seed = arp.iv + key # Now we need to encrypt the payload, the cipherText contains crypted Data + icv cipherText = rc4.rc4crypt(payload, seed) # We kept the hex format. print 'Message to encrypt :' + message + ' with the ICV ' + '{:x}'.format( icvMessage) print 'Encrypted message : ' + cipherText[: -4] + ' and the encrypted ICV is ' + cipherText[ -4:] # We change the data in the frame so it contains our new ciphered data. arp.wepdata = cipherText[:-4] # We change the ICV too. arp.icv = struct.unpack('!L', cipherText[-4:])[0] # We are writing the pcap file name openme.pcap # This file contains the data "Encrypt me please" and can be opened with wireshark if
seed = arp.iv + key # I recover the ICV from the message (arp.icv). This is a long integer # Wireshark likes to show this number in hex. And even if Wireshark knows the correct key and # can decrypt the ICV, it will show the encrypted version only. # I convert the icv to hex using '{:x}.format and then to it's ascii representation using decode("hex") # This conversion is requiered by the rc4 implementation we are using. icv_encrypted = '{:x}'.format(arp.icv).decode("hex") print 'icv as shown by Wireshark (encrypted): ' + '{:x}'.format(arp.icv) # Encrypted text including the icv. You need to produce this if you want to decrypt the ICV message_encrypted = arp.wepdata + icv_encrypted # Decryption using rc4 cleartext = rc4.rc4crypt(message_encrypted, seed) # The ICV the last 4 bytes - I convert it to Long big endian using unpack icv_unencrypted = cleartext[-4:] (icv_numerique, ) = struct.unpack('!L', icv_unencrypted) # The payload is the messge minus the 4 last bytes text_unencrypted = cleartext[:-4] print 'Unencrypted Message: ' + text_unencrypted.encode("hex") print 'Unencrypte icv (hex): ' + icv_unencrypted.encode("hex") print 'Numerical value of icv: ' + str(icv_numerique)
# We read the original encrypted message from the wireshark file - rdpcap always returns an array, even if the pcap only contains one frame # We will use the arp frame as a template for our own frame templateFrame = rdpcap('arp.cap')[0] # Same data as the arp frame data = "\xaa\xaa\x03\x00\x00\x00\x08\x06\x00\x01\x08\x00\x06\x04\x00\x01\x90'\xe4\xeaa\xf2\xc0\xa8\x01d\x00\x00\x00\x00\x00\x00\xc0\xa8\x01\xc8" # ICV calculated with CRC 32 icv = binascii.crc32(data) icv = struct.pack('<l', icv) # Same IV as the arp frame iv = templateFrame.iv # Data and ICV to crypt toCrypt = data + icv # Seed formed by IV and key seed = iv + key # Crypt the data and ICV using RC4 crypted = rc4.rc4crypt(toCrypt, seed) # We get back the encrypted ICV and unpack it to have a Long int (intIcv, ) = struct.unpack('!L', crypted[-4:]) # We change the fields' value in the template frame to replace them with our own templateFrame.wepdata = crypted[:-4] templateFrame.icv = intIcv # Write a new pcap file wrpcap("crypted.cap", templateFrame)
# Calcul du nouvel ICV en effectuant un CRC du message icv1 = binascii.crc32(message1) & 0xffffffff icv2 = binascii.crc32(message2) & 0xffffffff icv3 = binascii.crc32(message3) & 0xffffffff a1 = struct.pack('I', icv1) a2 = struct.pack('I', icv2) a3 = struct.pack('I', icv3) #texte en clair (message + ICV) message_clear1=message1 + a1 message_clear2=message2 + a2 message_clear3=message3 + a3 #Calcul du keystream cryptedText1 = rc4.rc4crypt(message_clear1, seed1) cryptedText2 = rc4.rc4crypt(message_clear2, seed2) cryptedText3 = rc4.rc4crypt(message_clear3, seed3) #récupération del'ICV crypté icv_crypted1=cryptedText1[-4:] icv_crypted2=cryptedText2[-4:] icv_crypted3=cryptedText3[-4:] (icv_numerique1,)=struct.unpack('!L', icv_crypted1) (icv_numerique2,)=struct.unpack('!L', icv_crypted2) (icv_numerique3,)=struct.unpack('!L', icv_crypted3) #calcul du frame body en faisant keystream xor (data + ICV) text_crypte1=cryptedText1[:-4] text_crypte2=cryptedText2[:-4]
# Initialization (generate IV and payload) iv = trame_template.iv # Get the same IV from the original cap file. payload = "\xaa\xaa\x03\x00\x00\x00\x08\x06\x00\x01\x08\x00\x06\x04\x00\x01\x90'\xe4\xeaa\xf2\xc0\xa8\x01d\x00\x00\x00\x00\x00\x00\xc0\xa8\x01\xc8" # Calculate the CRC (A.K.A ICV) over the data payload crc = binascii.crc32(payload) # Concatenate the ICV to the end of the data crc_little_endian = struct.pack("<l",crc) # pack as little endian data = payload + crc_little_endian # Concatenate the 24 bits IV with shared key (40 bits or 104 bits) # to create the RC4 seed. seed = iv+key # Calculate the XOR of the keystream with the (payload + ICV) data_encrypt = rc4.rc4crypt(data, seed) # Extract crc encrypted and unpack using big endian network crc_big_endian_unpack = struct.unpack("!L",data_encrypt[-4:]) trame_template.wepdata = data_encrypt[:-4] #store encrypted data in the wepdata field trame_template.icv = crc_big_endian_unpack[0] #store the extracted icv in the frame # Add frame in a new cap file wrpcap("arp_rebuild.cap",trame_template) print "Frame has been rebuilt."
#!/usr/bin/env python import binascii, rc4 data = "db43194d8b49fd48af606868d6e142b483d0b98a443ca9c910071f259b8383d0991b9c9a5fb157cdfcc08bd87fe4baba37e06f9eab6e909b4e9c0c80c94be1dbbd007369b7cbd6daaf983b61e408869c1d1d6e863aa2bc0dfe91f71d30946532c12a8db9bcc6498e493350c6e9ea9a1421a12233d89d6f25c62e798c25aa610558c7c47a1dea7841b41946c905e7" data = "8c1418158048f548ab363b6b8cb013ec83d0b98a443ca9c910071f259b8383d0991b9c9a5fb157cdfcc08bd87fe4baba37e06f9eab6e909b4e9c0c80c94be1dbbd007369b7cbd6daaf983b61e408869c1d1d6e863aa2bc0dfe91f71d30946532c12a8db9bcc6498e493350c6e9ea9a1421a12233d89d6f25c62e798c25aa610558c7c47a1dea7841b41946c905e7" datagoed = "8b101147dc49fc12ab606f6fd7b54cb383d0b98a443ca9c910071f259b8383d0991b9c9a5fb157cdfcc08bd87fe4baba37e06f9eab6e909b4e9c0c80c94be1dbbd007369b7cbd6daaf983b61e408869c1d1d6e863aa2bc0dfe91f71d30946532c12a8db9bcc6498e493350c6e9ea9a1421a12233d89d6f25c62e798c25aa610558c7c47a1dea7841b41946c905e7" # datagoed = '8b154b178b1ff41fff636c3fd9e316e683d0b98a443ca9c910071f259b8383d0991b9c9a5fb157cdfcc08bd87fe4baba37e06f9eab6e909b4e9c0c80c94be1dbbd007369b7cbd6daaf983b61e408869c1d1d6e863aa2bc0dfe91f71d30946532c12a8db9bcc6498e493350c6e9ea9a1421a12233d89d6f25c62e798c25aa610558c7c47a1dea7841b41946c905e7' # datagoed = '8f1318468949a919a8663a68dcb613b683d0b98a443ca9c910071f259b8383d0991b9c9a5fb157cdfcc08bd87fe4baba37e06f9eab6e909b4e9c0c80c94be1dbbd007369b7cbd6daaf983b61e408869c1d1d6e863aa2bc0dfe91f71d30946532c12a8db9bcc6498e493350c6e9ea9a1421a12233d89d6f25c62e798c25aa610558c7c47a1dea7841b41946c905e7' datanepp = "db43194d8b49fd48af606868d6e142b483dfb68b4d6aa8cf4200152092858380cf1b9e905fbb0eeffcc08bd172ebbcac28e460d5b0218c9f00c31996d25ce4c5bc1e7275b2d4d7dba9912369e70c8f9f1d1c73873bb8b40eff98f418308b6432d9228ebfb2c5488d543251dce1e99c1a23a0202dd99d772dc528778f25a80e045cc7b4280efd4114af5d5cdc07bb59" key = "wodrocks" ding = binascii.unhexlify(datagoed) dong = binascii.unhexlify(datanepp) print rc4.rc4crypt(ding, key) print rc4.rc4crypt(dong, key)
arp = rdpcap('arp.cap')[0] #rc4 seed is the result of IV+key seed = arp.iv + key #the message in clear message = 'Bienvenu au cours Teaching-SWI-2019' #calculate icv icv = binascii.crc32(message) & 0xffffffff icv_bigedian_hex = struct.pack('<L', icv) message_Rc4 = message + icv_bigedian_hex # encrypt message + icv with rc4 message_encrypted = rc4.rc4crypt(message_Rc4, seed) # extract message without icv arp.wepdata = message_encrypted[:-4] # the 4th last octects represents icv icv_crypte = message_encrypted[-4:] # icv in Long big endian format (icv_numerique,)=struct.unpack('!L', icv_crypte ) # icv's packet arp.icv = icv_numerique #save pcap file wrpcap('arp-encrypted.pcap',arp)
#!/usr/bin/env python # -*- coding: utf-8 -*- from scapy.all import * import binascii import rc4 #Cle wep AA:AA:AA:AA:AA key = '\xaa\xaa\xaa\xaa\xaa' arp = rdpcap('arp.cap')[0] # setting plain text with 36 chars plain = "hello-world hello-world hello-world " ##1. compute ICV of plain icv = binascii.crc32(plain) icv = struct.pack("<i", icv) ##2. seed -> (RC4) = keystream ##3. keystream XOR (plain + ICV) = cipher cipher = rc4.rc4crypt(plain + icv, arp.iv + key) ##4. add fields arp.wepdata = cipher[:-4] (arp.icv, ) = struct.unpack("!L", cipher[-4:]) ###5. forge cap file wrpcap('arpForged.cap', arp)
from scapy.all import * import binascii import rc4 #Cle wep AA:AA:AA:AA:AA key = '\xaa\xaa\xaa\xaa\xaa' #lecture de message chiffré - rdpcap retourne toujours un array, même si la capture contient un seul paquet arp = rdpcap('arp.cap')[0] # rc4 seed est composé de IV+clé seed = arp.iv + key # message à envoyer msg = "123456789012345678901234567890123456" # calculer l'icv en utilisant crc32 icv_enclair = crc32(msg) # chiffrer le cleartext cleartext = msg + struct.pack('<l', icv_enclair) ciphertext = rc4.rc4crypt(cleartext, seed) # mettre les données dans le packet arp.wepdata = ciphertext[:-4] arp.icv = struct.unpack('!L', ciphertext[-4:])[0] # écrire le packet wrpcap('arp2.cap', arp)
# Trame de départ pour avoir le template arp = rdpcap('arp.cap')[0] for fragment in fragments: # La seed est composé de IV + clé seed = arp.iv + key # Calcul de l'ICV icv = zlib.crc32(fragment) icv_clair = struct.pack('<i', icv) # on concatene l'icv et le plaintext fragment = fragment + icv_clair # Chiffrement par RC4 ciphertext = rc4.rc4crypt(fragment, seed) # Prepare les datas arp.wepdata = ciphertext[:-4] (arp.icv, ) = struct.unpack('!L', ciphertext[-4:]) arp.SC = frameIndex frameIndex += 1 if frameIndex == (len(fragments) - 1): # FC Field pour le dernier bit - Lors du dernier fragment, bit à 0 arp.FCfield = arp.FCfield and 0x4 # Write packet to a pcap file wrpcap('fragmentsWepEncrypted.cap', arp, append=True)