Hello, welcome to the Friday, August 17th, 2018 edition of the Sandcent Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

In today's diary, Xavier points to a little script that helps you anonymize PCAP files.

Now, simplistically, you could just change

the IP addresses in a PCAP file. There is, for example, a tool TCP rewrite that does that

for you quite nicely. If you do this, don't forget to also change the checksums. If you don't

fix the checksums and you only change the first two bytes

of the IP address, which is often done, then of course you may be able to reconstruct the IP

address by working out a check sum that actually matches. Now TCP rewrite has a feature to at least fix the IP checksums. In my experience,

it's sometimes at issues with TCP checksums. The script that Xavi shows actually goes a step

further, because in many protocols, you find the IP addresses as power for the payload. So,

for example, in SIP traffic, I've seen

this quite a bit sometimes in FTP and the like. So what this script allows you to do then is

to cut down the payload so you only see the first few bytes or however many bytes you feel

comfortable showing.

Now, with that, of course, you lose a lot of the value of having a P-CAP.

I think a nice challenge here, if anybody's interested, would be to write a Skapie script that does the IP address change, which is pretty easy in the IP header, of course, with

Scapey, but also searches the easy in the IP header of course with Skapy but also

searches the payload for the IP address and then replaces it with the replacement

IP address that the user picked and then we got an interesting vulnerability in OpenSH.

Qualis founded originally by looking at some recent patches made to OpenSH.

Now, it's not a super serious vulnerability, but apparently it goes back in the early days of OpenSH

...