Decipher ESP packets with Scapy

I'm currently working on implementing support for a hardware cryptographic engine on a board we support at work. It is not working yet, so I was trying to debug it and see what is actually happening on the wire. I tcpdumped the received packets and tried to have a look at them. Sadly, for some reason, the SAs I added in Wireshark do not match and it doesn't want to use them.

I then discovered that Scapy now has support for that, and it was actually added by a colleague... I should have started there! I only found the issues on Bitbucket showing how to use it, so I thought it would be worth writing a quick how-to: once you've got it down it is pretty straightforward, but knowing what to look for may not be obvious in the first place.

So here is an example of decrypting an AES-CBC packet with no authentication:

from scapy.all import rdpcap, IP
from scapy.layers.ipsec import SecurityAssociation, ESP

pkts = rdpcap("path/to/file.pcap")
pkts[0].show()

Here is the ESP packet:

###[ Ethernet ]###
  dst= 56:1e:7d:aa:e0:b3
  src= 68:05:ca:15:d1:99
  type= IPv4
###[ IP ]###
     version= 4L
     ihl= 5L
     tos= 0x0
     len= 140
     id= 0
     flags= DF
     frag= 0L
     ttl= 64
     proto= esp
     chksum= 0x2544
     src= 10.125.0.2
     dst= 10.125.0.1
     \options\
###[ ESP ]###
        spi= 0x22
        seq= 1
        data= '\xa7\[...]'

Then create the SA and decrypt:

# crypt_key is the raw AES key of the SA (16, 24 or 32 bytes); 'your_key' is a placeholder
sa = SecurityAssociation(ESP, spi=0x22, crypt_algo='AES-CBC', crypt_key='your_key')
res = sa.decrypt(pkts[0].getlayer(IP))  # decrypt() expects the IP layer carrying the ESP header
res.show()

The result, showing the decrypted (tunnelled) ICMP packet:

###[ IP ]###
  version= 4L
  ihl= 5L
  tos= 0x0
  len= 104
  id= 0
  flags= DF
  frag= 0L
  ttl= 64
  proto= ipv4
  chksum= 0x2596
  src= 10.125.0.2
  dst= 10.125.0.1
  \options\
###[ IP ]###
     version= 4L
     ihl= 5L
     tos= 0x0
     len= 84
     id= 36470
     flags= DF
     frag= 0L
     ttl= 63
     proto= icmp
     chksum= 0x9805
     src= 10.200.0.1
     dst= 10.100.0.1
     \options\
###[ ICMP ]###
        type= echo-request
        code= 0
        chksum= 0x7cd1
        id= 0x9df
        seq= 0x1
###[ Raw ]###
       load= '\x9fTMW[...]'

And here you go.
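When the decryption fails, it helps to know which ESP field the engine got wrong. The following is an added example in plain Python (not Scapy's code and not from the original post) that slices an AES-CBC/no-auth ESP datagram into SPI, sequence number, IV and ciphertext, and validates the RFC 4303 trailer of a decrypted payload, which is where a wrong key or IV first shows up; the sample bytes are constructed.

```python
import struct

# ESP on the wire (RFC 4303) for AES-CBC without authentication, as in the capture above:
#   SPI (4) | sequence number (4) | IV (16) | ciphertext | (no ICV)
# and what the ciphertext decrypts to:
#   inner packet | padding 1,2,3,... | pad length (1) | next header (1)
AES_BLOCK = 16
IP_PROTO_IPV4 = 4  # next header 4 = inner IP packet (tunnel mode), the "proto= ipv4" seen above


def split_esp(raw, iv_len=AES_BLOCK, icv_len=0):
    """Slice an ESP datagram into (spi, seq, iv, ciphertext, icv) without decrypting."""
    if len(raw) < 8 + iv_len + icv_len:
        raise ValueError("ESP packet too short")
    spi, seq = struct.unpack("!II", raw[:8])
    iv = raw[8:8 + iv_len]
    body_end = len(raw) - icv_len
    ciphertext, icv = raw[8 + iv_len:body_end], raw[body_end:]
    if len(ciphertext) % AES_BLOCK:
        raise ValueError("ciphertext length %d is not block aligned" % len(ciphertext))
    return spi, seq, iv, ciphertext, icv


def strip_esp_trailer(plaintext):
    """Check the trailer of a decrypted payload; return (inner_packet, next_header).
    A padding mismatch usually means the wrong key or IV was used."""
    if len(plaintext) < 2:
        raise ValueError("decrypted payload too short for an ESP trailer")
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if pad_len + 2 > len(plaintext):
        raise ValueError("pad length %d exceeds payload" % pad_len)
    if plaintext[-2 - pad_len:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("bad ESP padding: wrong key/IV or corrupted ciphertext")
    return plaintext[:-2 - pad_len], next_header


def build_esp_plaintext(inner, next_header=IP_PROTO_IPV4):
    """What the sender encrypts: inner packet + padding + trailer, padded to the AES block."""
    pad_len = (-(len(inner) + 2)) % AES_BLOCK
    return inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])


# Constructed sample (not a real capture): SPI 0x22 and seq 1 as in the post, a zero IV and
# 32 bytes standing in for the ciphertext.
SAMPLE_ESP = struct.pack("!II", 0x22, 1) + b"\x00" * AES_BLOCK + b"\xa7" * 32
```

Feed `split_esp` the bytes after the IP header of the captured packet and compare SPI and sequence number with what the SA expects; once you have the decrypted bytes (from Scapy or from the engine), `strip_esp_trailer` tells you whether the padding is sane before you try to parse the inner packet.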


31 May 2016 13:35:34 -- tags [ scapy , python , IPsec , cipher , crypto ]
