proof of concept pcap reader for nas heuristic

tools/nasparse.py

@@ -9,8 +9,13 @@ from enum import Enum
 
 import pycrate_mobile.TS24301_EMM
 
+EPS_IMSI_ATTACH = 2
+
 def parse_nas_message(buffer, uplink=None):
-    bin = binascii.unhexlify(buffer)
+    if isinstance(buffer, str): #handle string argument or raw bytes
+        bin = binascii.unhexlify(buffer)
+    else:
+        bin = buffer
     if uplink:
         parsed = NASLTE.parse_NASLTE_MO(bin)
     elif uplink == None: #We don't know if its an up or downlink
@@ -33,7 +38,7 @@ def heur_ue_imsi_sent(msg):
         except pycrate_core.elt.EltErr:
             return (False, None)
 
-    if msg['EPSAttachType']['V'].to_int() == 2:
+    if msg['EPSAttachType']['V'].to_int() == EPS_IMSI_ATTACH: #EPSAttachType Value is 'Combined EPS/IMSI Attach (2)'
         return (True, output)
     return (False, None)
 
@@ -46,7 +51,7 @@ if __name__ == "__main__":
     buffer = sys.argv[1]
     msg = parse_nas_message(buffer)
     pprint.pprint(msg)
-    res = heur_ue_imsi_sent(msg)
-    if(res[0]): 
-        print(res[1])
+    (triggered, message)= heur_ue_imsi_sent(msg)
+    if(triggered): 
+        print(message)
         exit(1)