I'm currently working on implementing support for hardware cryptographic engine on a board we support at work. Currently it is not working and I was trying to debug it, thus trying to see what is happening. I tcpdumped the packets received, and tried to have a look at it. Sadly, for some reason, the SAs I added in wireshark do not match and he doesn't want to use them.
I then discovered that scapy now has support for that, and it was actually added by a colleague... Should have started there! I only found the issues on bitbucket showing how to use it so I thought it would be worth it to write a quick how-to, once got it down it is pretty straightforward, but knowing what to look for may not be obvious in the first place.
So here is a an example usage for an AES-CBC with no auth packet:
pkts = rdpcap("path/to/file.pcap") pkts[0].show()
Here is the ESP packet:
###[ Ethernet ]### dst= 56:1e:7d:aa:e0:b3 src= 68:05:ca:15:d1:99 type= IPv4 ###[ IP ]### version= 4L ihl= 5L tos= 0x0 len= 140 id= 0 flags= DF frag= 0L ttl= 64 proto= esp chksum= 0x2544 src= 10.125.0.2 dst= 10.125.0.1 \options\ ###[ ESP ]### spi= 0x22 seq= 1 data= '\xa7\[...]'
Then create the SA and decrypt:
sa = SecurityAssociation(ESP, spi=0x22, crypt_algo='AES-CBC', crypt_key='your_key') res = sa.decrypt(pkts[0].getlayer(IP)) res.show()
The result showing the icmp packet:
###[ IP ]### version= 4L ihl= 5L tos= 0x0 len= 104 id= 0 flags= DF frag= 0L ttl= 64 proto= ipv4 chksum= 0x2596 src= 10.125.0.2 dst= 10.125.0.1 \options\ ###[ IP ]### version= 4L ihl= 5L tos= 0x0 len= 84 id= 36470 flags= DF frag= 0L ttl= 63 proto= icmp chksum= 0x9805 src= 10.200.0.1 dst= 10.100.0.1 \options\ ###[ ICMP ]### type= echo-request code= 0 chksum= 0x7cd1 id= 0x9df seq= 0x1 ###[ Raw ]### load= '\x9fTMW[...]'
And here you go.
31 mai 2016 13:35:34 -- tags [ scapy , python , IPsec , cipher , crypto ]
