def incoming(pktlen, pkt, timestamp):
eth = Ethernet(pkt)
ip = IP(str(eth.data))
tcp = TCP(str(ip.data))
print str(len(tcp.data)).zfill(2) + ' bytes <- ',
global first_in
global seed_in
global rc4_in
if first_in:
s = tcp.data[:4]
seed_in = ord(s[0]) * 0x01000000 + ord(s[1]) * 0x010000 + ord(
s[2]) * 0x0100 + ord(s[3]) * 0x01
Skype_RC4_Expand_IV(seed_in, rc4_in)
plaintext = RC4_crypt(tcp.data[4:14], rc4_in)
print '\t' + str2hex(plaintext)
rc4_in = RC4_Context()
if len(tcp.data) > 14:
Skype_RC4_Expand_IV(seed_in, rc4_in)
plaintext = RC4_crypt(str(tcp.data[14:]), rc4_in)
print '\t' + str2hex(plaintext)
first_in = False
else:
Skype_RC4_Expand_IV(seed_in, rc4_in)
plaintext = RC4_crypt(str(tcp.data), rc4_in)
print '\t' + str2hex(plaintext)
def crack(self, start=0x00000000, stop=0xFFFFFFFF):
finalseed = start
last_write = 0
crc_correct = False
give_up = False
while (not crc_correct) and (not give_up):
rc4context = RC4_Context()
Skype_RC4_Expand_IV(finalseed, rc4context)
plaintext = RC4_crypt(self.cipher, rc4context)
crc = long2hex(skype_crc(plaintext))
crc_correct = crc == self.crc
if not crc_correct:
if finalseed < stop:
finalseed += 1
if finalseed - last_write > 10000:
open('currentfinalseed',
'w').write(long2hex(finalseed))
print long2hex(finalseed)
last_write = finalseed
else:
open('currentfinalseed', 'w').write(long2hex(finalseed))
print 'tried all keys without success. giving up ...'
give_up = True
if not give_up:
print long2hex(finalseed) + ' - cracked'
# print '\tcrc:\t'+crc
# print '\tplaintext:\n\t\t'+str2hex(plaintext)
# open('finalseed','w').write(long2hex(finalseed))
return plaintext
def crack(self, start=0x00000000, stop=0xFFFFFFFF, exit=True):
shortkey = start
last_key_written = 0
crc_correct = False
while (not crc_correct):
rc4context = RC4_Context()
Skype_RC4_Expand_IV(shortkey, rc4context)
plaintext = RC4_crypt(self.cipher, rc4context)
crc = long2hex(skype_crc(plaintext))
crc_correct = crc == self.crc
if not crc_correct:
if shortkey < stop:
shortkey += 1
if shortkey - last_key_written > 50000:
f = open(
'rc4bf-' + self.crc + '-' + sys.argv[1] +
'.current', 'w')
f.write(long2hex(shortkey))
f.close()
last_key_written = shortkey
print long2hex(shortkey)
else:
f = open(
'rc4bf-' + self.crc + '-' + sys.argv[1] + '.current',
'w')
f.write(long2hex(shortkey))
f.close()
print 'tried all keys without success. giving up ...'
break
if crc_correct: # cracked
f = open('rc4bf-' + self.crc + '-' + sys.argv[1] + '.cracked', 'w')
f.write('shortkey: ' + long2hex(shortkey) + '\n')
f.write('plaintext: ' + str2hex(plaintext) + '\n')
f.write('crc: ' + crc)
f.close()
print long2hex(shortkey) + ' - cracked'
print '\tcrc:\t' + crc
print '\tplaintext:\n\t\t' + str2hex(plaintext)
if exit:
sys.exit()
return plaintext
def decrypt(self, cipher, src, dst, objectid, iv, crc):
if self.print_cipher:
print '\tcipher:\n\t\t' + str2hex(cipher)
test_sources = [
src,
self.ExternalIP,
'\x00\x00\x00\x00',
]
# for j in range(2):
# for i in range(255):
# test_sources.append(chr(192)+chr(168)+chr(j+1)+chr(i+1))
test_dests = [
dst,
self.ExternalIP,
'\x00\x00\x00\x00',
]
# for j in range(2):
# for i in range(255):
# test_dests.append(chr(192)+chr(168)+chr(j+1)+chr(i+1))
correct = False
for src in test_sources:
for dst in test_dests:
if self.print_seeding:
print '\tsrc ip: ' + print_address(
src) + '\tdst ip: ' + print_address(dst),
seed = Seed(src, dst, objectid)
if self.print_seeding:
print '\tseed: ' + long2hex(seed),
seed = seed ^ str2long(iv) # XOR
if self.print_seeding:
print '\t\tseed ^ iv: ' + long2hex(seed)
rc4context = RC4_Context()
Skype_RC4_Expand_IV(seed, rc4context)
plaintext = RC4_crypt(cipher, rc4context)
calc_crc = long2hex(skype_crc(plaintext)) # long
pkt_crc = str2hex(crc) # string
correct = calc_crc == pkt_crc
if correct:
if self.print_plaintext:
print '\tcrc correct'
break
if correct:
break
if self.print_plaintext and calc_crc == pkt_crc:
print '\tdecryption succeed with src=' + print_address(
src) + ', dst=' + print_address(dst)
# print '\tplaintext:\n\t\t'+str2hex(plaintext)
if not correct:
if self.print_plaintext:
print '\tdecryption failed'
return None
return plaintext
fname = sys.argv[1]
except:
fname = 'SkypeIRC.cap'
#p = pcapObject()
#p.open_offline(fname)
streams = TCPStreams(fname).filter(dport=57322) #40022)
print str(len(streams)) + ' streams filtered.'
s = streams[0]
stream = FollowTCPStream(fname, s)
print 'Following the chat between ' + print_address(s['src']) + ':' + str(
s['sport']) + ' and ' + print_address(s['dst']) + ':' + str(s['dport'])
first_out = True
seed_out = None
rc4_out = RC4_Context()
def outgoing(pktlen, pkt, timestamp):
eth = Ethernet(pkt)
ip = IP(str(eth.data))
tcp = TCP(str(ip.data))
print str(len(tcp.data)).zfill(2) + ' bytes -> ',
global first_out
global seed_out
global rc4_out
if first_out:
s = tcp.data[:4]
seed_out = ord(s[0]) * 0x01000000 + ord(s[1]) * 0x010000 + ord(
s[2]) * 0x0100 + ord(s[3]) * 0x01
#!/usr/bin/python # -*- coding: iso-8859-15 -*- from FluxCapacitor import Seed, Skype_RC4_Expand_IV, skype_crc, RC4_Context, RC4_crypt from utils import * shortkey = 0x10325434L rc4context = RC4_Context() Skype_RC4_Expand_IV(shortkey, rc4context) #plaintext = RC4_crypt(self.cipher, rc4context) longkey = str2hex(str(rc4context.s)) print str(len(longkey)) print longkey