mirror of https://github.com/dirtbags/fluffy.git
Add some examples
This commit is contained in:
parent
0d2b592f08
commit
ee069446c0
84
README.md
84
README.md
|
@ -18,9 +18,9 @@ please let me know if you make one.
|
|||
|
||||
|
||||
How To Build
|
||||
------------
|
||||
============
|
||||
|
||||
### From Source
|
||||
## From Source
|
||||
|
||||
curl -L https://github.com/dirtbags/fluffy/archive/master.tar.gz | tar xzvf -
|
||||
cd fluffy-master
|
||||
|
@ -34,7 +34,7 @@ On a non-Ubuntu system,
|
|||
you may need to edit your `.bashrc` to add `$HOME/bin` to your `PATH`
|
||||
environment variable.
|
||||
|
||||
### Arch Linux
|
||||
## Arch Linux
|
||||
|
||||
The AUR package [`fluffy-git`](https://aur.archlinux.org/packages/fluffy-git/)
|
||||
builds against the latest revision and installs it to `/usr/bin`:
|
||||
|
@ -44,9 +44,9 @@ builds against the latest revision and installs it to `/usr/bin`:
|
|||
makepkg -sri
|
||||
|
||||
Programs
|
||||
--------
|
||||
========
|
||||
|
||||
### hd: Hex Dump
|
||||
## hd: Hex Dump
|
||||
|
||||
Like the normal hd,
|
||||
but with unicode characters to represent all 256 octets,
|
||||
|
@ -57,7 +57,7 @@ instead of using "." for unprintable characters.
|
|||
00000007
|
||||
|
||||
|
||||
### unhex: unescape hex
|
||||
## unhex: unescape hex
|
||||
|
||||
Reads ASCII hex codes on stdin,
|
||||
writes those octets to stdout.
|
||||
|
@ -66,7 +66,7 @@ writes those octets to stdout.
|
|||
hello
|
||||
|
||||
|
||||
### xor: xor octets
|
||||
## xor: xor octets
|
||||
|
||||
Applies the given mask as an xor to input.
|
||||
The mask will be repeated,
|
||||
|
@ -85,7 +85,7 @@ The "-x" option treats values as hex.
|
|||
cbcbcb
|
||||
|
||||
|
||||
### slice: slice octet stream
|
||||
## slice: slice octet stream
|
||||
|
||||
Slices up input octet stream,
|
||||
similar to Python's slice operation.
|
||||
|
@ -100,7 +100,7 @@ similar to Python's slice operation.
|
|||
234589
|
||||
|
||||
|
||||
### pcat: print text representation of pcap file
|
||||
## pcat: print text representation of pcap file
|
||||
|
||||
Prints a (lossy) text representation of a pcap file to stdout.
|
||||
|
||||
|
@ -123,20 +123,20 @@ which will convert payloads to an octet stream,
|
|||
after you have done any maniuplations you want.
|
||||
|
||||
|
||||
### pmerge: merge pcap files
|
||||
## pmerge: merge pcap files
|
||||
|
||||
Takes a list of pcap files, assuming they are sorted by time
|
||||
(you would have to work hard to create any other kind),
|
||||
and merges them into a single sorted output.
|
||||
|
||||
|
||||
### puniq: omit repeated frames
|
||||
## puniq: omit repeated frames
|
||||
|
||||
Removes duplicate frames from input,
|
||||
writing to output.
|
||||
|
||||
|
||||
### hex: hex-encode input
|
||||
## hex: hex-encode input
|
||||
|
||||
The opposite of `unhex`:
|
||||
encoding all input into a single output line.
|
||||
|
@ -155,7 +155,7 @@ In other words: you can feed `hex` output into `unhex` with no manipulations.
|
|||
41
|
||||
|
||||
|
||||
### entropy: compute shannon entropy
|
||||
## entropy: compute shannon entropy
|
||||
|
||||
Displays the Shannon entropy of the input.
|
||||
|
||||
|
@ -169,7 +169,7 @@ Displays the Shannon entropy of the input.
|
|||
0.865857
|
||||
|
||||
|
||||
### pyesc: python escape input
|
||||
## pyesc: python escape input
|
||||
|
||||
Escapes input octets for pasting into a python "print" statement.
|
||||
Also suitable for use as a C string,
|
||||
|
@ -180,7 +180,7 @@ and many other languages' string literals.
|
|||
hello\nworld\n
|
||||
|
||||
|
||||
### octets: display all octets
|
||||
## octets: display all octets
|
||||
|
||||
Shows all octets from `00` to `ff` in a hex dump.
|
||||
This is occasionally more helpful than `man ascii`.
|
||||
|
@ -203,3 +203,57 @@ This is occasionally more helpful than `man ascii`.
|
|||
000000e0 e0 e1 e2 e3 e4 e5 e6 e7 e8 e9 ea eb ec ed ee ef ┆αßΓπΣσµτΦΘΩδ∞φε∩┆
|
||||
000000f0 f0 f1 f2 f3 f4 f5 f6 f7 f8 f9 fa fb fc fd fe ff ┆⁰¹²³⁴⁵⁶⁷⁸⁹ⁱⁿ⁽⁼⁾¤┆
|
||||
00000100
|
||||
|
||||
|
||||
Example Recipes
|
||||
===============
|
||||
|
||||
|
||||
## Brute force single-byte xor
|
||||
|
||||
for i in $(seq 255); do cat data | xor $i; done
|
||||
|
||||
|
||||
## Pretty xor brute force
|
||||
|
||||
For each attempt, display the value used in the xor, and hexdump the result
|
||||
|
||||
for i in $(seq 255); do printf "=== %02x\n" $i; cat data | xor $i | hd; done
|
||||
|
||||
|
||||
## Brute force xor of base64-encoded data
|
||||
|
||||
Same pretty-print as before, and also pipe to `less` so we can page through it.
|
||||
|
||||
for i in $(seq 255); do
|
||||
printf "=== %02x\n" $i; cat data.txt | base64 -d | xor $i | hd
|
||||
done | less
|
||||
|
||||
|
||||
## Protocol manipulation
|
||||
|
||||
For each ICMP packet, drop the first 5 octets, and base64-decode the remainder, preserving conversation chunks
|
||||
|
||||
cat input.pcap | pcat | grep ICMP | while read ts proto src dst payload; do
|
||||
printf "%s -> %s (%s)\n" $src $dst $ts
|
||||
echo $payload | unhex | slice 5 | base64 -d | hd
|
||||
done
|
||||
|
||||
|
||||
## Elementary protocol analysis framework
|
||||
|
||||
This merges (by time) `file1.pcap` and `file2.pcap`,
|
||||
decoding payloads from each one,
|
||||
hex dumping payloads,
|
||||
and displaying meta information about each.
|
||||
It displays information conversationally,
|
||||
sort of like wireshark's "Follow TCP Stream",
|
||||
but with more details about meta-information.
|
||||
|
||||
./pmerge file1.pcap file2.pcap | ./pcat | while read ts proto src dst payload; do
|
||||
when=$(TZ=Z date -d @${ts%.*} "+%Y-%m-%d %H:%M:%S")
|
||||
printf "Packet %s None: None\n" $proto
|
||||
printf " %s -> %s (%s)\n" ${src%,*} ${dst%,*} "$when"
|
||||
echo $payload | ./unhex | ./hd
|
||||
echo
|
||||
done
|
||||
|
|
|
@ -8,9 +8,10 @@
|
|||
# * grep the cache, use sed, awk, whatever
|
||||
|
||||
./pmerge "$@" | ./pcat | while read ts proto src dst payload; do
|
||||
#when=$(TZ=Z date --rfc-3339=ns -d @$ts)
|
||||
when=$(TZ=Z date -d @${ts%.*} "+%Y-%m-%d %H:%M:%S")
|
||||
printf "Packet %s None: None\n" $proto
|
||||
printf " %s -> %s (%s)\n" ${src%,*} ${dst%,*} "$ts"
|
||||
printf " %s -> %s (%s)\n" ${src%,*} ${dst%,*} "$when"
|
||||
echo $payload | ./unhex | ./hd
|
||||
echo
|
||||
done
|
||||
done
|
||||
|
||||
|
|
Loading…
Reference in New Issue