Root-me

ETHERNET Patched Transmission

Frame reconstitution

We got a couple of frames; our goal is to find the lost information.

>>> INGRESS >>>
       0x0000:  0050 569e 7bf9 0050 569e 7bfb 8100 0185  
       0x0010:  86dd 6000 0000 0040 3a40 2002 c000 0203  
       0x0020:  0000 0000 0000 0000 7331 2002 c000 0203  
       0x0030:  0000 0000 0000 0000 dead 8000 0af0 0792  
       0x0040:  0001 146d a451 0000 0000 d020 0300 0000  
       0x0050:  0000 2d4d 452e 4f52 4720 524f 4f54 2d4d  
       0x0060:  452e 4f52 4720 524f 4f54 2d4d 452e 4f52  
       0x0070:  4720 524f 4f54 2d4d 452e                 

>>> INGRESS >>>
       0x0000:  0050 569e 7bf7 0050 569e 7bf9 8100 0186  
       0x0010:  86dd 6000 0000 0040 3a40 2002 c000 0203  
       0x0020:  0000 0000 0000 0000 b00b 2002 c000 0203  
       0x0030:  0000 0000 0000 0000 fada 8000 0af0 0792  
       0x0040:  0001 146d a451 0000 0000 d020 0300 0000  
       0x0050:  0000 2d4d 452e 4f52 4720 524f 4f54 2d4d  
       0x0060:  452e 4f52 4720 524f 4f54 2d4d 452e 4f52  
       0x0070:  4720 524f 4f54 2d4d 452e                 

>>> INGRESS >>>
       0x0000:  0050 569e 7bfe 0050 569e 7bf7 8100 0186  
       0x0010:  86dd 6000 0000 0040 3a40 2002 c000 0203  
       0x0020:  0000 0000 0000 0000 7331 2002 c000 0203  
       0x0030:  0000 0000 0000 0000 b00b 8000 c760 0795  
       0x0040:  0001 906d a451 0000 0000 8fac 0b00 0000  
       0x0050:  0000 2d4d 452e 4f52 4720 524f 4f54 2d4d  
       0x0060:  452e 4f52 4720 524f 4f54 2d4d 452e 4f52  
       0x0070:  4720 524f 4f54 2d4d 452e                 
                
<<< EGRESS <<<
       0x0000:  0050 569e 7b?? 0050 569e 7b?? ???? 0186  
       0x0010:  86dd 6000 0000 0040 ??40 2002 c000 0203  
       0x0020:  0000 0000 0000 0000 ???? 2002 c000 0203  
       0x0030:  0000 0000 0000 0000 ???? ??00 09f0 0792 
       0x0040:  0001 146d a451 0000 0000 d020 0300 0000  
       0x0050:  0000 2d4d 452e 4f52 4720 524f 4f54 2d4d  
       0x0060:  452e 4f52 4720 524f 4f54 2d4d 452e 4f52  
       0x0070:  4720 524f 4f54 2d4d 452e  

These are 4 frames. We need to decode them.

The following website allows us to decode the packets and see what’s inside them.

https://www.gasmi.net/hpd/

The format of the packet will be

0050 569e 7bf9 0050 569e 7bfb 8100 0185  
86dd 6000 0000 0040 3a40 2002 c000 0203  
0000 0000 0000 0000 7331 2002 c000 0203  
0000 0000 0000 0000 dead 8000 0af0 0792  
0001 146d a451 0000 0000 d020 0300 0000  
0000 2d4d 452e 4f52 4720 524f 4f54 2d4d  
452e 4f52 4720 524f 4f54 2d4d 452e 4f52  
4720 524f 4f54 2d4d 452e                 

0050 569e 7bf7 0050 569e 7bf9 8100 0186  
86dd 6000 0000 0040 3a40 2002 c000 0203  
0000 0000 0000 0000 b00b 2002 c000 0203  
0000 0000 0000 0000 fada 8000 0af0 0792  
0001 146d a451 0000 0000 d020 0300 0000  
0000 2d4d 452e 4f52 4720 524f 4f54 2d4d  
452e 4f52 4720 524f 4f54 2d4d 452e 4f52  
4720 524f 4f54 2d4d 452e                 

0050 569e 7bfe 0050 569e 7bf7 8100 0186  
86dd 6000 0000 0040 3a40 2002 c000 0203  
0000 0000 0000 0000 7331 2002 c000 0203  
0000 0000 0000 0000 b00b 8000 c760 0795  
0001 906d a451 0000 0000 8fac 0b00 0000  
0000 2d4d 452e 4f52 4720 524f 4f54 2d4d  
452e 4f52 4720 524f 4f54 2d4d 452e 4f52  
4720 524f 4f54 2d4d 452e                 

0050 569e 7b?? 0050 569e 7b?? ???? 0186  
86dd 6000 0000 0040 ??40 2002 c000 0203  
0000 0000 0000 0000 ???? 2002 c000 0203  
0000 0000 0000 0000 ???? ??00 09f0 0792 
0001 146d a451 0000 0000 d020 0300 0000  
0000 2d4d 452e 4f52 4720 524f 4f54 2d4d  
452e 4f52 4720 524f 4f54 2d4d 452e 4f52  
4720 524f 4f54 2d4d 452e  

This gives us this.

[Screenshots: Packet 1, Packet 2, Packet 3]

We need to find the missing bytes in the 4th packet.

We need to understand the structure of an Ethernet packet.

[Figure: Ethernet packet]

Slicing the data will allow us to understand what is going on.

So I decided to take a single packet and put it on a single line.

cat frame

0050 569e 7bfe 0050 569e 7bf7 8100 0186
86dd 6000 0000 0040 3a40 2002 c000 0203
0000 0000 0000 0000 7331 2002 c000 0203
0000 0000 0000 0000 b00b 8000 c760 0795
0001 906d a451 0000 0000 8fac 0b00 0000
0000 2d4d 452e 4f52 4720 524f 4f54 2d4d
452e 4f52 4720 524f 4f54 2d4d 452e 4f52
4720 524f 4f54 2d4d 452e

I’ll put it in a single line and without any space.

cat frame | tr -d " " | tr -d "\n" > single_line_packet

So I wrote a script to slice the header.

It looks like this

line=$(cat single_line_packet)

# Ethernet header: the destination MAC comes first (6 bytes = 12 hex characters),
# then the source MAC, the 802.1Q tag (TPID + TCI) and the EtherType
dst_mac=$(echo "$line" | cut -c1-12)
src_mac=$(echo "$line" | cut -c13-24)
TPID=$(echo "$line" | cut -c25-28)
TCI=$(echo "$line" | cut -c29-32)
type_id=$(echo "$line" | cut -c33-36)

echo "SourceMac: $src_mac"
echo "DstMac: $dst_mac"
echo "TPID: $TPID"
echo "TCI: $TCI"
echo "Type: $type_id"

Run against the first frame, the result is

SourceMac: 0050569e7bfb
DstMac: 0050569e7bf9
TPID: 8100
TCI: 0185
Type: 86dd

So the type is 86dd. If we look up that EtherType, we end up with the protocol IPv6.

So the next part will contain the ipv6 header.

This is how the header looks like.

 Version (4 bits) 
 Traffic Class (6+2 bits) 
 Flow Label (20 bits) 
 Payload Length (16 bits) 
 Next Header (8 bits) 
 Hop Limit (8 bits) 
 Source Address (128 bits) 
 Destination Address (128 bits) 

Another script to slice it.

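line=$(cat single_line_packet)
# Format for IPv6 (the header starts at hex character 37, after the Ethernet header)
# "version" holds the Version, Traffic Class and Flow Label fields together
version=$(echo "$line" | cut -c37-44)
payload_len=$(echo "$line" | cut -c45-48)
next_header=$(echo "$line" | cut -c49-50)
hop_limit=$(echo "$line" | cut -c51-52)
src_adr=$(echo "$line" | cut -c53-84)
dst_adr=$(echo "$line" | cut -c85-116)

echo "Version/Traffic_class/FlowLabel: $version"
echo "Payload Length: $payload_len"
echo "Next header: $next_header"
echo "Hop Limit: $hop_limit"
echo "Src address : $src_adr"
echo "Dst address : $dst_adr"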

The result is

Version/Traffic_class/FlowLabel: 60000000
Payload Length: 0040
Next header: 3a
Hop Limit: 40
Src address : 2002c000020300000000000000007331
Dst address : 2002c00002030000000000000000dead

The next header is 3a. A Google search tells us that 3a is the Next Header value for ICMPv6.

Another header to slice.

This is the format of the header

 Type (8 bits) 
 Code (8 bits) 
 Checksum (16 bits) 
 Message Body (32 bits) 

More cutting.

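line=$(cat single_line_packet)
# ICMPv6 header (starts at hex character 117, after the IPv6 header)
type_icmpv6=$(echo "$line" | cut -c117-118)
code=$(echo "$line" | cut -c119-120)
checksum=$(echo "$line" | cut -c121-124)
mbody=$(echo "$line" | cut -c125-132)

echo "Type= $type_icmpv6"
echo "Code= $code"
echo "Checksum= $checksum"
echo "Messagebody= $mbody"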

The result looks like this

Type= 80
Code= 00
Checksum= 0af0
Messagebody= 07920001

Type=80 (128 in decimal) means ICMPv6 Echo Request.

This is the last field that we need for this challenge. If we look at the broken packet, the last unknown characters are in the ICMPv6 header.

<<< EGRESS <<<
       0x0000:  0050 569e 7b?? 0050 569e 7b?? ???? 0186  
       0x0010:  86dd 6000 0000 0040 ??40 2002 c000 0203  
       0x0020:  0000 0000 0000 0000 ???? 2002 c000 0203  
       0x0030:  0000 0000 0000 0000 ???? ??00 09f0 0792 
       0x0040:  0001 146d a451 0000 0000 d020 0300 0000  
       0x0050:  0000 2d4d 452e 4f52 4720 524f 4f54 2d4d  
       0x0060:  452e 4f52 4720 524f 4f54 2d4d 452e 4f52  
       0x0070:  4720 524f 4f54 2d4d 452e  

Patching the packet

We now have the tools to get the information from all the packets.

After running the scripts on them, we have the following information.

# Packet 1 
SourceMac: 0050569e7bfb
DstMac: 0050569e7bf9
TPID: 8100
TCI: 0185
Type: 86dd

Version/Traffic_class/FlowLabel: 60000000
Payload Length: 0040
Next header: 3a
Hop Limit: 40
Src address : 2002c000020300000000000000007331
Dst address : 2002c00002030000000000000000dead

Type= 80
Code= 00
Checksum= 0af0
mbody= 07920001

# Packet 2
SourceMac: 0050569e7bf9
DstMac: 0050569e7bf7
TPID: 8100
TCI: 0186
Type: 86dd

Version/Traffic_class/FlowLabel: 60000000
Payload Length: 0040
Next header: 3a
Hop Limit: 40
Src address : 2002c00002030000000000000000b00b
Dst address : 2002c00002030000000000000000fada

Type= 80
Code= 00
Checksum= 0af0
mbody= 07920001

# Packet 3
SourceMac: 0050569e7bf7
DstMac: 0050569e7bfe
TPID: 8100
TCI: 0186
Type: 86dd

Version/Traffic_class/FlowLabel: 60000000
Payload Length: 0040
Next header: 3a
Hop Limit: 40
Src address : 2002c000020300000000000000007331
Dst address : 2002c00002030000000000000000b00b

Type= 80
Code= 00
Checksum= c760
mbody= 07950001

# Packet 4

SourceMac: 0050569e7b??
DstMac: 0050569e7b??
TPID: ????
TCI: 0186
Type: 86dd

Version/Traffic_class/FlowLabel: 60000000
Payload Length: 0040
Next header: ??
Hop Limit: 40
Src address : 2002c00002030000000000000000????
Dst address : 2002c00002030000000000000000????

Type= ??
Code= 00
Checksum= 09f0
mbody= 07920001

So the fields that are missing are the last 2 bytes of the source and destination MAC, the TPID (VLAN), the Next Header field, the last 4 bytes of the src and dst addresses, and the type.
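The three slicing scripts above, combined into one pass that also lists the fields still containing `?` (an added example, not part of the original write-up). The names `LAYOUT`, `normalise`, `field` and `missing_fields`, and the fixed 802.1Q + IPv6 + ICMPv6 layout, are assumptions based on the four frames shown on this page.

```shell
# Added example (not from the original write-up). Positions are 1-based
# hex-character ranges for cut -c; the fixed 802.1Q + IPv6 + ICMPv6
# layout and all names below are assumptions based on the four frames.
LAYOUT="dst_mac:1-12 src_mac:13-24 tpid:25-28 tci:29-32 ethertype:33-36
ver_tc_flow:37-44 payload_len:45-48 next_header:49-50 hop_limit:51-52
src_addr:53-84 dst_addr:85-116 icmp_type:117-118 icmp_code:119-120
checksum:121-124 mbody:125-132"

# Strip the "0x0010:" offset column and all whitespace from a dump.
normalise() {
    sed 's/0x[0-9a-fA-F]*://' | tr -d ' \t\n'
}

# field <hexstring> <name>: print the hex characters of one field.
field() {
    for entry in $LAYOUT; do
        if [ "${entry%%:*}" = "$2" ]; then
            printf '%s\n' "$1" | cut -c"${entry#*:}"
            return 0
        fi
    done
    return 1
}

# missing_fields <hexstring>: names of fields that still contain '?'.
missing_fields() {
    out=""
    for entry in $LAYOUT; do
        name=${entry%%:*}
        case "$(field "$1" "$name")" in
            *\?*) out="$out $name" ;;
        esac
    done
    printf '%s\n' "${out# }"
}

# The EGRESS frame, copied from the dump earlier on this page.
EGRESS=$(normalise <<'EOF'
0x0000:  0050 569e 7b?? 0050 569e 7b?? ???? 0186
0x0010:  86dd 6000 0000 0040 ??40 2002 c000 0203
0x0020:  0000 0000 0000 0000 ???? 2002 c000 0203
0x0030:  0000 0000 0000 0000 ???? ??00 09f0 0792
0x0040:  0001 146d a451 0000 0000 d020 0300 0000
0x0050:  0000 2d4d 452e 4f52 4720 524f 4f54 2d4d
0x0060:  452e 4f52 4720 524f 4f54 2d4d 452e 4f52
0x0070:  4720 524f 4f54 2d4d 452e
EOF
)
missing_fields "$EGRESS"
```

`normalise` accepts the dump with or without the offset column, so the same functions work on the three INGRESS frames.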

We also know this is ipv6 using icmpv6. It looks like a ping request followed by a ping reply.

We can confirm that by looking at the first packet and looking at the type field.

The type is 80 (this is hex). So 0x80 is 128 in decimal. The code 128 means Echo Request.

https://tools.ietf.org/html/rfc4443

We can guess that the first bytes that are missing are from the source mac replying.