Skip to content
Branch: master
Go to file
Code

Latest commit

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 
 
 

README.md

tcpunmask

tcpunmask - Attempt to unmask sanitized data from a TCP/IP packet

ToorCon15 Release was Oct 13, 2013, This version had signifigant TCP checksum issues

Nov 7, 2013 version fixed all the TCP checksum issues I know about

SYNOPSIS

tcpdump [ -vhdtbg ] [ -o filename ] packetdata

DESCRIPTION

tcpunmask takes a packet as input in ASCII-Hex format. Sanitized nibbles are formatted as ?'s. tcpunmask will attempt every possibly data value in place of these unknown nibbles and check to see if the checksum(s) match the ones reported in the packet data. Becuase of this, this script will not function if the checksums are also sanitized.

When finished, tcpmask will report all valid packets based on checksum matches. The report is displayed with values seperated by commas; this way you can redirect stdout to a csv file for further filtering

OPTIONS

-v	Verbose. While brute forcing, this will display each packet that is currently being attempted, along with the calculated IP & TCP checksums
-h	Help. Displays this dialog
-d	Debug. Because I haven't looked at 'perl -d' yet, So I go old school and use liberal 'print' statements here and there (only executed with -d)
-t	This is for performance debugging, it will give me the time spent for each subroutine, the main program, and total.
-b	Bogon Be-gone. With this enabled, current bogons will be filtered out of results (https://www.team-cymru.org/Services/Bogons/)
-o	Output. In the format of '-o results.csv'. Since output is already comma seperated, .csv makes sense
-g	GeoIP. This adds another 'column' to our results; correlating GeoIP data with each packet, based on IP addresses

EXAMPLES

We are guessing the last 2 octets of the Source IP Address, we would also like verbose mode
tcpunmask.pl -v 45000034001c4000400624a40a00????0a00010301bdc0bc984c4d618fb480cd8011038998DC00000101080a0bb24d88317a80f4

About

tcpunmask

Resources

License

Releases

No releases published

Languages

You can’t perform that action at this time.