
PlaidCTF 2012 – Practical Packets 200 – Torrents Writeup

“It turns out that robots, like humans, are cheap and do not like paying for their movies and music. We were able to intercept some torrent downloads but are unsure what the file being downloaded was. Can you figure it out?”

We get a pcap file with the P2P part of a BitTorrent exchange between 2 peers.

Fortunately, Wireshark has a fairly complete BitTorrent dissector, which we will use to get the “pieces” of data.

According to the protocol specification, data is transferred in pieces that have an index and an offset. We need to extract each piece with its index and offset, and a Python script will reorder them.

tshark -r torrent.pcap -Y 'bittorrent.piece.data' -T fields -e bittorrent.piece.index -e bittorrent.piece.begin -e bittorrent.piece.data -E separator=\| > torrents.dump

#!/usr/bin/env python3
# Rebuild the transferred file from the tshark dump (one "index|offset|data" line per block).

import sys

if len(sys.argv) == 2:
    print("Parsing " + sys.argv[1])
else:
    print("Usage: python " + sys.argv[0] + " torrents.dump")
    sys.exit(10)

data = {}
with open(sys.argv[1], "r") as dump:
    for line in dump:
        if not line.strip():
            continue
        a = line.strip().split("|")

        # tshark prints the index and offset fields in hex
        index = int(a[0], 16)
        offset = int(a[1], 16)

        print("Index", index, "Offset", offset)

        # Key on (index, offset) so that sorting restores the file order;
        # the payload is a string of hex bytes, optionally colon-separated
        data[(index, offset)] = bytes.fromhex(a[2].replace(":", ""))

# Write the blocks out in (index, offset) order as raw bytes
with open(sys.argv[1] + ".hex", "wb") as out:
    for key in sorted(data):
        print("%08x_%08x" % key)
        out.write(data[key])

$ file torrents.dump.hex
torrents.dump.hex: bzip2 compressed data, block size = 900k
$ mkdir key ; cd key ; tar xvfj ../torrents.dump.hex
key.mp3
key.txt
$ cat key.txt
t0renz0_v0n_m4tt3rh0rn

The key is: t0renz0_v0n_m4tt3rh0rn

PS: note the useless MP3 file, included just to make the archive, and therefore the BitTorrent transfer, bigger 😉
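The same index/offset reordering can be done directly on the peer-wire byte stream, without the Wireshark dissector. The following is an added example, not part of the original writeup: it assumes one direction of an already reassembled TCP stream, the sample bytes are constructed, and the function names are hypothetical. Unlike a plain sort-and-concatenate, it rejects a stream with a missing block inside a piece.

```python
import struct

HANDSHAKE = b"\x13BitTorrent protocol"   # pstrlen=19 + pstr
HANDSHAKE_LEN = 1 + 19 + 8 + 20 + 20     # + reserved, info_hash, peer_id
MSG_PIECE = 7                            # <len><id=7><index><begin><block>

def piece_blocks(stream):
    """Yield (index, begin, block) from one direction of a reassembled peer stream."""
    if not stream.startswith(HANDSHAKE):
        raise ValueError("stream does not start with a BitTorrent handshake")
    pos = HANDSHAKE_LEN
    while pos + 4 <= len(stream):
        (length,) = struct.unpack_from(">I", stream, pos)
        pos += 4
        if length == 0:                  # keep-alive: no id, no payload
            continue
        if pos + length > len(stream):
            raise ValueError("truncated message at byte %d" % (pos - 4))
        if stream[pos] == MSG_PIECE and length >= 9:
            index, begin = struct.unpack_from(">II", stream, pos + 1)
            yield index, begin, stream[pos + 9:pos + length]
        pos += length

def reassemble(stream):
    """Order blocks by (index, begin); raise if a piece has a hole in it."""
    blocks = {}
    for index, begin, block in piece_blocks(stream):
        blocks[(index, begin)] = block   # a re-sent block replaces its duplicate
    out, expected = bytearray(), {}
    for (index, begin), block in sorted(blocks.items()):
        if begin != expected.get(index, 0):
            raise ValueError("gap in piece %d before offset %d" % (index, begin))
        expected[index] = begin + len(block)
        out += block
    return bytes(out)

# --- constructed sample stream (hypothetical helpers, not captured traffic) ---
def msg(msg_id, payload=b""):
    return struct.pack(">IB", len(payload) + 1, msg_id) + payload

def piece_msg(index, begin, block):
    return msg(MSG_PIECE, struct.pack(">II", index, begin) + block)

PREFIX = HANDSHAKE + bytes(8) + b"H" * 20 + b"P" * 20 + msg(1)    # handshake, unchoke
SAMPLE = (PREFIX + piece_msg(1, 0, b"IJKL") + bytes(4)            # bytes(4) = keep-alive
          + piece_msg(0, 4, b"EFGH") + piece_msg(0, 0, b"ABCD") + piece_msg(0, 4, b"EFGH"))

if __name__ == "__main__":
    print(reassemble(SAMPLE))
```

A missing whole piece cannot be detected this way, because the piece length is only known from the torrent metadata, which is not in the peer-to-peer capture.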
