"It turns out that robots, like humans, are cheap and do not like paying for their movies and music. We were able to intercept some torrent downloads but are unsure what the file being downloaded was. Can you figure it out?"

We get a pcap file with the P2P part of a BitTorrent exchange between 2 peers.

Fortunately, Wireshark has a fairly complete BitTorrent dissector, which we will use to get the "pieces" of data.

According to the protocol specification, data is transferred in pieces that have an index and an offset. We need to extract each piece with its index and offset, and a Python script will reorder them.

tshark -r torrent.pcap -R 'bittorrent.piece.data' -T fields -e bittorrent.piece.index -e bittorrent.piece.begin -e bittorrent.piece.data -E separator=\| > torrents.dump

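#!/usr/bin/env python3
# Rebuild the downloaded file from the tshark dump (one "index|begin|data" line per block).

import sys

if len(sys.argv) == 2:
    print("Parsing " + sys.argv[1])
else:
    print("Usage: python " + sys.argv[0] + " torrents.dump")
    sys.exit(10)

data = {}
with open(sys.argv[1], "r") as dump:
    for line in dump:
        a = line.strip().split("|")

        # Piece index and offset are parsed as hexadecimal
        index = int(a[0], 16)
        offset = int(a[1], 16)

        print("Index", index, "Offset", offset)

        # Zero-padded key, so a plain string sort gives (index, offset) order
        order = "%08x_%08x" % (index, offset)
        # Accept colon-separated or plain hex bytes
        data[order] = bytes.fromhex(a[2].replace(":", ""))

# Write the blocks in order; binary mode keeps the bytes intact
with open(sys.argv[1] + ".hex", "wb") as out:
    for key in sorted(data):
        print(key + "\n")
        out.write(data[key])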

$ file torrents.dump.hex
torrents.dump.hex: bzip2 compressed data, block size = 900k
$ mkdir key ; cd key ; tar xvfj ../torrents.dump.hex
key.mp3
key.txt
$ cat key.txt
t0renz0_v0n_m4tt3rh0rn

The key is: t0renz0_v0n_m4tt3rh0rn

PS: notice the useless MP3 file, which is there only to make the archive, and therefore the BitTorrent transfer, bigger 😉
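
Added example, not part of the original write-up: the same recovery done without the dissector, by parsing the peer wire "piece" messages (id 7: index, begin, block) straight out of one direction of a reassembled TCP stream and ordering them by index and offset as the script above does. The function names and the sample stream are constructed for illustration; the gap check only catches a hole between blocks of the same piece, because the piece length lives in the .torrent metainfo and is not in a P2P-only capture.

```python
import bz2
import struct

HANDSHAKE_LEN = 1 + 19 + 8 + 20 + 20   # pstrlen, pstr, reserved, info_hash, peer_id
MSG_PIECE = 7                          # peer wire message id carrying a data block

def piece_blocks(stream):
    """Yield (index, begin, block) for each 'piece' message in one direction
    of a reassembled peer connection: handshake first, then framed messages."""
    if stream[:20] != b"\x13BitTorrent protocol":
        raise ValueError("stream does not start with a BitTorrent handshake")
    pos = HANDSHAKE_LEN
    while pos + 4 <= len(stream):
        (length,) = struct.unpack_from(">I", stream, pos)
        body = stream[pos + 4:pos + 4 + length]
        if len(body) < length:          # capture ended mid-message
            break
        pos += 4 + length
        # length 0 is a keep-alive; a piece needs id + index + begin = 9 bytes
        if length >= 9 and body[0] == MSG_PIECE:
            index, begin = struct.unpack_from(">II", body, 1)
            yield index, begin, body[9:]

def reassemble(stream):
    """Concatenate blocks in (index, begin) order; raise if a piece has a hole."""
    blocks = {(i, b): data for i, b, data in piece_blocks(stream)}
    out, expected = bytearray(), {}
    for index, begin in sorted(blocks):
        if begin != expected.get(index, 0):
            raise ValueError("gap in piece %d before offset %d" % (index, begin))
        out += blocks[index, begin]
        expected[index] = begin + len(blocks[index, begin])
    return bytes(out)

def build_sample(content, skip=None):
    """Constructed stream: handshake, keep-alive, unchoke, blocks sent out of order.
    `skip` drops one (index, begin) block to simulate an incomplete capture."""
    z = bz2.compress(content)
    parts = {(1, 0): z[32:], (0, 16): z[16:32], (0, 0): z[:16]}
    stream = b"\x13BitTorrent protocol" + bytes(48)       # zeroed reserved/hash/id
    stream += struct.pack(">I", 0) + struct.pack(">IB", 1, 1)  # keep-alive, unchoke
    for (index, begin), block in parts.items():
        if (index, begin) != skip:
            stream += struct.pack(">IBII", 9 + len(block), MSG_PIECE, index, begin) + block
    return stream

if __name__ == "__main__":
    print(bz2.decompress(reassemble(build_sample(b"constructed sample\n" * 40)))[:19])
```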