A tool to parse corrupted recordings of satellite internet traffic in the GSE over DVB-S format into .pcaps
Project description
GSExtract
GSExtract is a tool for converting imperfect satellite radio captures of internet traffic transmitted using Generic Stream Encapsulation (GSE) over DVB-S into usable *.pcap files.
You can learn more about the tool and its capabilites by watching the corresponding Black Hat USA 2020 / DEFCON 28 briefings.
The tool was first presented at IEEE S&P 2020 in this paper.
:warning: Disclaimer: This tool is provided as a research proof of concept and it is the user's responsibility to ensure that they have appropriate permissions and authority for its use. Take care to adhere to regulations regarding radio communications interception if evaluating this tool in real-world systems.
Installation
You can install from PyPI as follows:
pip install gsextract
You can also install directly from github as follows:
git clone https://github.com/ssloxford/gsextract
pip install ./gsextract
This will add the command gsextract
to your python path.
Usage
Basic usage of GSExtract requires a binary file containing continuous DVB-S BBFrames as input and a file to output the resulting pcap into.
gsextract [satellite_recording.ts] [output.pcap]
You can also stream from a live recording of satellite traffic continuously using the --stream
option. This will cause gsextract to watch the input file for new BBFrames and process them as they arrive.
gsextract --stream [satellite_recording.ts] [output.pcap]
Caveats and Additional Features
Header Extensions
Some service providers use proprietary header extensions for GSE. Generally, parsing traffic with such extensions will require modifying the kaitai struct used for GSE data extraction (you can find it in gsextract/parsers/pure_gse.ksy
and gsextract/parsers/pure_gse.py
).
A simple feature to try and force the addition of semi-valid IP headers can be enabled with the --no-reliable
flag. This can increase the number of packets extracted with unusual GSE header extensions but can also result in false IP headers.
gsextract --no-reliable [satellite_recording.ts] [output.pcap]
Mod Codes and Multiple Input Streams
As written, GSExtract works best with streams that use the modcode 0x4200. This is by far the most common format for GSE-based services that we have encountered. However, it can also be manually overwritten in gsextract/parsers/pure_bb.ksy
and gsextract/parsers/pure_bb.py
. Multiple input streams are not supported in this release as GSExtract requires a "crutch" Mod Code to resync with corrupt feeds. You will need to choose a single code to synchronize to at a time but can, of course, run gsextract multiple times on a given file as a workaround. Pull requests adding multiple input stream support in a smoother way are very much welcome.
TCP Hijacking
The command line version of the tool does not include support for TCP hijacking by default as many of the implementation details are scenario and network specific. However, you can find an example of TCP hijacking using GSExtract at the bottom of the gsextract/gse_parser.py
file as a starting model.
Sample Data
For privacy reasons, I cannot provide sample recordings of real-world GSE streams. For testing purposes a small sanitized GSE recording is provided as sample.ts
. IP addresses and payloads have been overwritten. Running gsextract in normal mode should recover a pcap with two packets from this file. Running it with the --no-reliable
flag should recover two additional packets.
Logistics
Authors
This tool was developed by James Pavur. It is part of a larger research initiative on satellite communications security conducted in partnership between the University of Oxford's Systems Secuirty Lab and armasuisse's Cyber-Defense Campus.
Contributing
Pull requests are always welcome. Some particularly desirable additions include:
- Support for more GSE header extensions in the kaitai struct
- Mod Code flexibility in the CLI tool
- Support for multiple input streams in a single run
Citing This Tool
If you happen to use GSExtract for academic research, we would greatly appreciate a citation to the paper where it originally appeared:
J. Pavur, D. Moser, M. Strohmeier, V. Lenders and I. Martinovic, "A Tale of Sea and Sky On the Security of Maritime VSAT Communications," in 2020 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, US, 2020 pp. 1384-1400. doi: 10.1109/SP40000.2020.00056
Acknowledgements
This tool would have been a million times more complex and difficult to build if not for the awesome Katiai Struct langauge. Check it out at kaitai.io.
This tool also contains a modified version of Salah Gherdaoui's pcaplib. It makes it easy for GSExtract to dump IP packets to *.pcap files in real-time. For more deep (but slower) traffic parsing, we also use the venerable scapy.
License
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file gsextract-1.0.tar.gz
.
File metadata
- Download URL: gsextract-1.0.tar.gz
- Upload date:
- Size: 16.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.2.0 pkginfo/1.5.0.1 requests/2.24.0 setuptools/50.3.0 requests-toolbelt/0.9.1 tqdm/4.50.0 CPython/3.7.3
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | ebce6477cf2a3ed3a774e2c85a06243ea2e480778f7b6e7ea6b65071577ef4a6 |
|
MD5 | 1859820b90332d4ea3a582142c81924d |
|
BLAKE2b-256 | faaf534aeced43028139dcd45da8732d4d031441f0fb671e1ef777a4b56d1e48 |
File details
Details for the file gsextract-1.0-py3-none-any.whl
.
File metadata
- Download URL: gsextract-1.0-py3-none-any.whl
- Upload date:
- Size: 18.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.2.0 pkginfo/1.5.0.1 requests/2.24.0 setuptools/50.3.0 requests-toolbelt/0.9.1 tqdm/4.50.0 CPython/3.7.3
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | bba4d71c73efb0b262798fae6ad353928909d530323ca6ff297651c7dd2aa7fe |
|
MD5 | cde01f4428bcff2072b165f186c1a175 |
|
BLAKE2b-256 | d7a53f6ef436e53447a55a23c04c05d4bf36af4a79b53c6642cb087e269ab81c |