CTF flow analysis common questions (II) -usb flow
2022-06-30 19:12:00 【Full stack programmer webmaster】
Hello everyone, we meet again; I'm your friend Quan Jun.
0x00 Preface
While learning common uses of Wireshark, I briefly summarised some problems from common CTF traffic analysis questions and triathlon traffic analysis questions. Because that post became too long, USB traffic packet analysis, covering keyboard traffic and mouse traffic, is summarised separately here.
0x01 USB traffic packet analysis
USB traffic is the traffic on the interface of a USB device. An attacker who listens on the USB interface can obtain keyboard keystrokes, mouse movements and clicks, the content transferred to and from storage devices, the network traffic of a USB wireless network card, and so on. In CTF, USB traffic analysis mainly focuses on keyboard and mouse traffic.
1、 Keyboard traffic
The USB protocol data part is in the Leftover Capture Data field; for a keyboard the data is eight bytes long. The keystroke information is concentrated in the third byte.
As shown in the figure, the keystroke value found is 0x06, i.e. the corresponding key is C. For the key mapping, refer to the HID Usage ID table in "USB keyboard protocol key codes".
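The report layout just described, worked through as a Python 3 example added here (it is not code from the original post or from the scripts it links): it reads capdata lines as tshark prints them, with or without colons, maps the third byte through the HID Usage IDs, and goes beyond the post's scripts by also handling the Shift modifier, Caps Lock, Backspace and the release reports a real keyboard sends. The key tables, the constants and the sample capture are my own constructions, not data from the post.

```python
# Added example (not from the original post): decode USB HID keyboard reports
# as tshark prints usb.capdata, with or without colon separators.
# Generalises the post's keyboard1.py/keyboard2.py: handles Shift, Caps Lock,
# Backspace and key-release reports. Key tables cover the HID Usage IDs the
# post uses (letters, digits, common punctuation); the sample is constructed.

LETTERS = "abcdefghijklmnopqrstuvwxyz"
NORMAL = {0x04 + i: c for i, c in enumerate(LETTERS)}
NORMAL.update({0x1e + i: c for i, c in enumerate("1234567890")})
NORMAL.update({0x28: "\n", 0x2b: "\t", 0x2c: " ", 0x2d: "-", 0x2e: "=",
               0x2f: "[", 0x30: "]", 0x31: "\\", 0x33: ";", 0x34: "'",
               0x36: ",", 0x37: ".", 0x38: "/"})
SHIFTED = {0x04 + i: c.upper() for i, c in enumerate(LETTERS)}
SHIFTED.update({0x1e + i: c for i, c in enumerate("!@#$%^&*()")})
SHIFTED.update({0x28: "\n", 0x2b: "\t", 0x2c: " ", 0x2d: "_", 0x2e: "+",
                0x2f: "{", 0x30: "}", 0x31: "|", 0x33: ":", 0x34: '"',
                0x36: "<", 0x37: ">", 0x38: "?"})
BACKSPACE = 0x2a
CAPS_LOCK = 0x39
SHIFT_MASK = 0x22  # modifier byte: bit 1 = left Shift, bit 5 = right Shift


def parse_keyboard_report(line):
    """Return the 8 report bytes for one capdata line, or None if the line
    is not an 8-byte keyboard report (e.g. a 4-byte mouse report)."""
    hexstr = line.strip().replace(":", "")
    if len(hexstr) != 16:
        return None
    try:
        return bytes.fromhex(hexstr)
    except ValueError:
        return None


def decode_keyboard(lines):
    """Reconstruct the typed text from a sequence of capdata lines."""
    text = []
    caps = False
    held = set()  # usage IDs present in the previous report
    for line in lines:
        rep = parse_keyboard_report(line)
        if rep is None:
            continue
        shift = bool(rep[0] & SHIFT_MASK)
        keys = {k for k in rep[2:8] if k}  # byte 2 onward: up to 6 keys
        for k in sorted(keys - held):  # newly pressed keys only
            if k == BACKSPACE:
                if text:
                    text.pop()
            elif k == CAPS_LOCK:
                caps = not caps
            else:
                ch = (SHIFTED if shift else NORMAL).get(k, "[%02x]" % k)
                if caps and ch.isalpha():
                    ch = ch.swapcase()  # Caps Lock inverts letter case
                text.append(ch)
        held = keys
    return "".join(text)


# Constructed sample: mixed colon/no-colon lines, one stray 4-byte mouse
# report, Shift, Backspace and Caps Lock. Types "Flag{X}".
SAMPLE_CAPDATA = """\
02:00:09:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:0f:00:00:00:00:00
00:00:00:00:00:00:00:00
0000040000000000
00:00:20:00
0000000000000000
00:00:0a:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:2a:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:0a:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:39:00:00:00:00:00
00:00:00:00:00:00:00:00
02:00:2f:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:1b:00:00:00:00:00
00:00:00:00:00:00:00:00
02:00:30:00:00:00:00:00
"""

if __name__ == "__main__":
    # With a real extraction: decode_keyboard(open("usbdata.txt"))
    print(decode_keyboard(SAMPLE_CAPDATA.splitlines()))
```

Tracking the key set of the previous report is what lets the decoder ignore the all-zero release reports and a key that is still held in consecutive reports; the post's scripts instead require the modifier and the remaining key slots to be zero, so they also drop reports that carry a modifier other than Shift.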
1. Question type:
The flag is hidden in the USB traffic; the keyboard key codes in the USB protocol data are converted into key positions.
2. Approach:
1. Use the tshark command in Kali Linux to extract the capdata:
tshark -r usb.pcap -T fields -e usb.capdata > usbdata.txt
tshark -r usb.pcap -T fields -e usb.capdata | sed '/^\s*$/d' > usbdata.txt # Extract and remove empty lines
2. Restore the data to key positions according to the HID Usage IDs in "USB keyboard protocol key codes"; a Python script can do the conversion quickly.
3. Title example:
【NSCTF】 A security assessor is performing a penetration test on a bank-card password entry system and intercepted a segment of USB keyboard traffic in which a 6-digit password is typed. The capture also contains traffic from other, unrelated USB devices. Can you recover the 6-digit password from it? The format of the final submitted flag is flag. Extraction code: q6ro
(1) Use the tshark command to extract the pcap data and remove blank lines into usbdata.txt:
tshark -r usb.pcap -T fields -e usb.capdata | sed '/^\s*$/d' > usbdata.txt
(2) The extracted data may or may not contain colons (this depends on the Wireshark version), but most scripts expect the data with colons. With colons the keystroke byte is at [6:8]; without colons it is at [4:6]. A script can add the colons:
f=open('usbdata.txt','r')
fi=open('out.txt','w')
while 1:
    a=f.readline().strip()
    if a:
        if len(a)==16:  # for mouse traffic change this len to 8
            out=''
            for i in range(0,len(a),2):  # re-join the hex pairs with ':' between them
                if i+2 != len(a):
                    out+=a[i]+a[i+1]+":"
                else:
                    out+=a[i]+a[i+1]
            fi.write(out)
            fi.write('\n')
    else:
        break
f.close()
fi.close()
At this point the third byte, i.e. [6:8], represents the keystroke information.
(3) After extracting the keyboard traffic, the information corresponding to the data has to be restored with a script. Two scripts that restore the information are given below (Python 2):
keyboard1.py
mappings = {
    0x04:"A", 0x05:"B", 0x06:"C", 0x07:"D", 0x08:"E", 0x09:"F", 0x0A:"G", 0x0B:"H",
    0x0C:"I", 0x0D:"J", 0x0E:"K", 0x0F:"L", 0x10:"M", 0x11:"N", 0x12:"O", 0x13:"P",
    0x14:"Q", 0x15:"R", 0x16:"S", 0x17:"T", 0x18:"U", 0x19:"V", 0x1A:"W", 0x1B:"X",
    0x1C:"Y", 0x1D:"Z", 0x1E:"1", 0x1F:"2", 0x20:"3", 0x21:"4", 0x22:"5", 0x23:"6",
    0x24:"7", 0x25:"8", 0x26:"9", 0x27:"0", 0x28:"\n", 0x2a:"[DEL]", 0X2B:" ",
    0x2C:" ", 0x2D:"-", 0x2E:"=", 0x2F:"[", 0x30:"]", 0x31:"\\", 0x32:"~", 0x33:";",
    0x34:"'", 0x36:",", 0x37:"." }
nums = []
keys = open('out.txt')
for line in keys:
    # keep only reports whose modifier byte, reserved byte and key slots 2-6 are all zero,
    # i.e. a single key pressed with no modifier
    if line[0]!='0' or line[1]!='0' or line[3]!='0' or line[4]!='0' or line[9]!='0' or line[10]!='0' or line[12]!='0' or line[13]!='0' or line[15]!='0' or line[16]!='0' or line[18]!='0' or line[19]!='0' or line[21]!='0' or line[22]!='0':
        continue
    nums.append(int(line[6:8],16))  # third byte = key code
keys.close()
output = ""
for n in nums:
    if n == 0 :
        continue
    if n in mappings:
        output += mappings[n]
    else:
        output += '[unknown]'
print('output :\n' + output)
keyboard2.py
normalKeys = {
    "04":"a", "05":"b", "06":"c", "07":"d", "08":"e",
    "09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j",
    "0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o",
    "13":"p", "14":"q", "15":"r", "16":"s", "17":"t",
    "18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y",
    "1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4",
    "22":"5", "23":"6","24":"7","25":"8","26":"9",
    "27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t",
    "2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\\",
    "32":"<NON>","33":";","34":"'","35":"<GA>","36":",","37":".",
    "38":"/","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>",
    "3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>",
    "44":"<F11>","45":"<F12>"}
shiftKeys = {
    "04":"A", "05":"B", "06":"C", "07":"D", "08":"E",
    "09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J",
    "0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O",
    "13":"P", "14":"Q", "15":"R", "16":"S", "17":"T",
    "18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y",
    "1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$",
    "22":"%", "23":"^","24":"&","25":"*","26":"(","27":")",
    "28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>",
    "2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"<NON>","33":"\"",
    "34":":","35":"<GA>","36":"<","37":">","38":"?","39":"<CAP>","3a":"<F1>",
    "3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>",
    "41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
output = []
keys = open('out.txt')
for line in keys:
    try:
        # skip reports whose modifier is anything other than none (00) or left Shift (02),
        # reports with extra keys in slots 2-6, and reports with an empty key code
        if line[0]!='0' or (line[1]!='0' and line[1]!='2') or line[3]!='0' or line[4]!='0' or line[9]!='0' or line[10]!='0' or line[12]!='0' or line[13]!='0' or line[15]!='0' or line[16]!='0' or line[18]!='0' or line[19]!='0' or line[21]!='0' or line[22]!='0' or line[6:8]=="00":
            continue
        if line[6:8] in normalKeys.keys():
            # use the shifted table when the modifier byte is 02
            output += [[normalKeys[line[6:8]]],[shiftKeys[line[6:8]]]][line[1]=='2']
        else:
            output += ['[unknown]']
    except:
        pass
keys.close()
flag=0
print("".join(output))  # raw key sequence before <DEL> and <CAP> are applied
# apply each <DEL>: remove the marker and the character typed before it
for i in range(len(output)):
    try:
        a=output.index('<DEL>')
        del output[a]
        if a > 0:
            del output[a-1]
    except:
        pass
# apply <CAP>: remove the marker and upper-case the keys typed while Caps Lock is on
for i in range(len(output)):
    try:
        if output[i]=="<CAP>":
            flag+=1
            output.pop(i)
            if flag==2:
                flag=0
        if flag!=0:
            output[i]=output[i].upper()
    except:
        pass
print ('output :' + "".join(output))
Running the first script gives
BCFGIJGFEDCABACFEDCA7200[DEL]53[DEL]93
Because [DEL] is the Delete key, the recovered 6-digit number is 720593. So the flag is 720593.
2、 Mouse traffic
The mouse data part of the USB protocol is also in the Leftover Capture Data field; the data is four bytes long.
The first byte represents the buttons: 0x00 means no button, 0x01 means the left button is pressed, and 0x02 means the right button is pressed. The second byte can be treated as a signed byte whose highest bit is the sign bit: a positive value means the mouse moved that many pixels horizontally to the right, a negative value that many pixels to the left. The third byte is similar to the second and represents the offset of the vertical movement.
As shown in the figure, the data is 0x00002000, indicating that the mouse moved vertically upwards by 20 (the third byte, 0x20).
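The four-byte layout just described, worked through as a Python 3 example added here (not code from the original post): it parses mouse reports as tshark prints them, accumulates the signed offsets into absolute coordinates, keeps the points recorded while a chosen button is held, and renders them as ASCII art so the track can be checked without gnuplot. It generalises the post's mouse.py to any button; the sample capture is constructed, not real data.

```python
# Added example (not from the original post): rebuild the mouse track from
# 4-byte USB HID mouse reports as tshark prints usb.capdata, keep only the
# points recorded while a chosen button is held, and render them as ASCII art.
# Byte layout as described above: button byte, signed dx, signed dy.
# The sample below is constructed, not a real capture.

LEFT, RIGHT = 0x01, 0x02


def parse_mouse_report(line):
    """Return the 4 report bytes for one capdata line, or None if the line is
    not a 4-byte mouse report (8-byte keyboard reports are skipped)."""
    hexstr = line.strip().replace(":", "")
    if len(hexstr) != 8:
        return None
    try:
        return bytes.fromhex(hexstr)
    except ValueError:
        return None


def to_signed(b):
    """Interpret one byte as two's complement: 0xfe -> -2."""
    return b - 256 if b > 127 else b


def trace_path(lines, button=RIGHT):
    """Accumulate the relative movements into absolute coordinates and return
    the (x, y) points at which `button` was held."""
    x = y = 0
    points = []
    for line in lines:
        rep = parse_mouse_report(line)
        if rep is None:
            continue
        buttons, dx, dy = rep[0], to_signed(rep[1]), to_signed(rep[2])
        x += dx
        y += dy
        if buttons & button:
            points.append((x, y))
    return points


def xy_text(points):
    """Coordinates in the 'x y' per-line form the post feeds to gnuplot."""
    return "\n".join("%d %d" % p for p in points)


def ascii_plot(points):
    """Rasterize the points. HID y grows downward, so row 0 is the topmost
    point and no vertical flip is needed (gnuplot's y axis grows upward,
    which is why the post's plot came out mirrored)."""
    if not points:
        return ""
    xs = [p[0] for p in points]
    ys = [p[1] for p in points]
    minx, miny = min(xs), min(ys)
    grid = [["." for _ in range(max(xs) - minx + 1)]
            for _ in range(max(ys) - miny + 1)]
    for x, y in points:
        grid[y - miny][x - minx] = "#"
    return "\n".join("".join(row) for row in grid)


# Constructed sample: move to (5,5) with no button, draw an "L" with the
# right button held, release, then a left-button drag that must be ignored.
# One 8-byte keyboard report is mixed in and is skipped.
MOUSE_SAMPLE = """\
00:05:05:00
02:00:00:00
02:00:01:00
02:00:01:00
02:00:01:00
02:01:00:00
02:01:00:00
02:01:00:00
00:00:00:00
00:00:04:00:00:00:00:00
01:02:fe:00
"""

if __name__ == "__main__":
    # With a real extraction: trace_path(open("usbdata.txt"), RIGHT)
    pts = trace_path(MOUSE_SAMPLE.splitlines(), RIGHT)
    print(xy_text(pts))
    print(ascii_plot(pts))
```

Running trace_path once with LEFT and once with RIGHT is the quick way to find which button the drawing was made with, the test the post performs by editing btn_flag in mouse.py.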
1. Question type:
The flag is hidden in the USB traffic; the mouse movement track in the USB protocol data is converted into the flag.
2. Approach:
1. Use the tshark command in Kali Linux to extract the capdata and remove empty lines:
tshark -r usb2.pcap -T fields -e usb.capdata > usbdata.txt
tshark -r usb2.pcap -T fields -e usb.capdata | sed '/^\s*$/d' > usbdata.txt # Extract and remove empty lines
2. Restore the mouse movement track from the USB protocol mouse data; a Python script can do the restoration quickly.
3. Title example:
【NSCTF】 This is a mouse traffic analysis problem. Extraction code: q6ro
(1) Use the tshark command to extract the pcap data and remove blank lines into usbdata.txt:
tshark -r usb2.pcap -T fields -e usb.capdata | sed '/^\s*$/d' > usbdata.txt
(2) Use the colon script mentioned above, changing the 16 in the script to 8, to obtain the colon-separated data:
python3 maohao.py
(3) Use mouse.py to test where the information is hidden:
nums = []
keys = open('out.txt','r')
f = open('xy.txt','w')
posx = 0
posy = 0
for line in keys:
    if len(line) != 12 :  # "xx:xx:xx:xx\n" is 12 characters; skips 8-byte keyboard reports
        continue
    x = int(line[3:5],16)  # second byte: horizontal offset
    y = int(line[6:8],16)  # third byte: vertical offset
    if x > 127 :  # treat both offsets as signed bytes
        x -= 256
    if y > 127 :
        y -= 256
    posx += x
    posy += y
    btn_flag = int(line[0:2],16) # 1 for left , 2 for right , 0 for nothing
    if btn_flag == 2 : # right button; change to 1 to test the left button
        f.write(str(posx))
        f.write(' ')
        f.write(str(posy))
        f.write('\n')
f.close()
keys.close()
Testing shows that the flag information is hidden in the right button, i.e. a series of coordinates is obtained when btn_flag in the script is 2.
(4) Use gnuplot to convert the coordinates in xy.txt into an image:
gnuplot
gnuplot> plot "xy.txt"
I found that the direction was reversed; just flip it vertically with "Paint" on Windows.
The resulting flag:
0x02 Postscript
This post summarised the analysis of USB traffic packets and gave a simple understanding of keyboard traffic and mouse traffic.
Reference blogs: USB traffic knowledge summary; In-depth analysis of CTF traffic analysis
Publisher: Full stack programmer webmaster. Please indicate the source when reprinting: https://javaforall.cn/132254.html Original link: https://javaforall.cn