search

monk-dot / killerbee

Automatically exported from code.google.com/p/killerbee
0 stars 1 forks source link

kbencrypt is destructive #30

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago 
What steps will reproduce the problem?
0. Import a pcap: data = kbrdpcap(file.pcap)
1. Select a packet and print packet: str(data[76]).encode('hex')
2. Decrypt packet: print kbdecrypt(data[76],'nwk_key'.decode('hex'))
3. Print packet again and note difference in last two bytes: 
str(data[76]).encode('hex')

What is the expected output? What do you see instead?

Packet should be exactly the same. Instead I see the following:

----------------------------

In [1]: inf = 'iris_gateway_pair_doorsensor_20141103.pcap'

In [2]: data = kbrdpcap(inf)
WARNING: FCS on this packet is invalid or is not present in provided bytes.
WARNING: FCS on this packet is invalid or is not present in provided bytes.
WARNING: more FCS on this packet is invalid or is not present in provided bytes.

In [3]: data[76]
Out[3]: <Dot15d4FCS  fcf_reserved_1=0 fcf_panidcompress=True fcf_ackreq=True 
fcf_pending=False fcf_security=False fcf_frametype=Data fcf_srcaddrmode=Short 
fcf_framever=0 fcf_destaddrmode=Short fcf_reserved_2=0 seqnum=35 |<Dot15d4Data  
dest_panid=0x588a dest_addr=0x0 src_addr=0x333 |<ZigbeeNWK  discover_route=0 
proto_version=2 frametype=data flags=security destination=0xfffd source=0x0333 
radius=30 seqnum=248 |<ZigbeeSecurityHeader  reserved1= extended_nonce=1 
key_type=network_key nwk_seclevel=None fc=0x02 source=00:0d:6f:00:02:54:84:0a 
key_seqnum=1 
data='\xb1\xd5ZK\xebd\x13\xd7\xc6\xbf\xa8\x0c\xb6\r\xd4\x06MA{\x05\x14' |>>>>

In [4]: str(data[76]).encode('hex')
Out[4]: 
'6188238a58000033030802fdff33031ef828020000000a845402006f0d0001b1d55a4beb6413d7c
6bfa80cb60dd4064d417b0514cead'

In [5]: print kbdecrypt(data[76],nwk_key.decode('hex'))
ͺd�0    %�����a� �S

In [6]: str(data[76]).encode('hex')
Out[6]: 
'6188238a58000033030802fdff33031ef828020000000a845402006f0d0001b1d55a4beb6413d7c
6bfa80cb60dd4064d417b05141394'

----------------------------

What version of the product are you using?
[ ] KillerBee 1.0 (from TAR file)
[x] KillerBee beta (from SVN checkout) Revision # 95
[ ] Other:

On what operating system?

Kubuntu (duh!!)

With what Python version? (python -V)

Python 2.7.5+

Is scapy-com installed?

Yes (of course)

Please provide any additional information below.

The solution is to edit the kbencrypt function and add the following before the 
"pkt.nwk_seclevel=5" line (included for reference).

    # This function destroys the packet, therefore work on a copy - @cutaway
    pkt = pkt.copy()
    pkt.nwk_seclevel=5

Also, I'm not sure what this is doing. So, please comment the line with 
"pkt.nwk_seclevel=5" so we know why this is being done.

Original issue reported on code.google.com by cutaways...@gmail.com on 28 Nov 2014 at 5:58

GoogleCodeExporter commented 9 years ago 
Odd, so setting nwk_seclevel to 5 messes up the packet? This part of the code 
was contributed, so I'm not too familiar with it -- I've therefore made your 
requested change without testing.

For tracking, this is *kbdecrypt* (not kbencrypt) in 
killerbee/scapy_extensions.py.

Original comment by rmspe...@gmail.com on 28 Nov 2014 at 7:39

GoogleCodeExporter commented 9 years ago 
Oops, yes, kbdecrypt. It is an python object issue. If you pass in the
packet then this modifies it. So, to play nice with user we should work on
a copy of the packet passed in.

Original comment by cutaways...@gmail.com on 28 Nov 2014 at 9:17

GoogleCodeExporter commented 9 years ago 
Does the fix I pushed solve the issue? If so, we can close this.

Original comment by rmspe...@gmail.com on 26 Dec 2014 at 2:59