当前位置:网站首页>CTF flow analysis common questions (II) -usb flow
CTF flow analysis common questions (II) -usb flow
2022-06-30 19:12:00 【Full stack programmer webmaster】
Hello everyone , I meet you again , I'm your friend, Quan Jun .
0x00 Preface
I'm learning Wireshark Common use , For common CTF Traffic Some problems of the analysis questions and triathlon flow analysis questions are briefly summarized . Because the length is too long , So another summary USB Flow packet analysis , Include Keyboard traffic and Mouse traffic .
0x01 USB Flow packet analysis
USB Flow refers to USB Flow of equipment interface , An attacker can listen usb Interface traffic access keyboard keystrokes 、 Mouse movement and click 、 Transmission communication of inscriptions on storage devices 、USB Wireless network card network transmission content, etc . stay CTF in ,USB Traffic analysis mainly focuses on keyboard and mouse traffic .
1、 Keyboard traffic
USB The protocol data section is in Leftover Capture Data domain , The data length is Eight bytes . The keyboard keystroke information is concentrated in the third byte .
Pictured , The keystroke information found is 0x06, That is, the corresponding key is C Key mapping relation reference :《USB Key code in keyboard protocol 》 Medium HID Usage ID
1. Question type :
flag Hidden in usb In the flow , adopt USB The keyboard key codes in the protocol data are converted into key positions .
2. Their thinking :
1. Use kali linux Medium tshark The command cap data extracted :
tshark -r usb.pcap -T fields -e usb.capdata > usbdata.txt
tshark -r usb.pcap -T fields -e usb.capdata | sed '/^\s*$/d' > usbdata.txt # Extract and remove empty lines 2. according to 《USB Key code in keyboard protocol 》 Medium HID Usage ID Restore data to key position , Can write one Python Script for quick conversion .
3. Title Example :
【NSCTF】 Security evaluation personnel are conducting penetration test on a bank card password input system , Intercepted a passage USB Keyboard entry 6 Traffic of bit digital password , It also contains some other extraneous USB Flow of equipment , You can recover from it 6 A digital password ? Finally submitted flag The format is flag Extraction code :q6ro (1) Use tshark The command pcap Data extraction and removal of blank lines to usbdata.txt
tshark -r usb.pcap -T fields -e usb.capdata | sed '/^\s*$/d' > usbdata.txt(2) The extracted data may have a colon , Or not ( It's possible and wireshark The version of ), But the general script will identify by the data with colon
Extracting data when there is a colon
[6:8]When there is no colon, the data is[4:6]
You can use scripts to add colons
f=open('usbdata.txt','r')
fi=open('out.txt','w')
while 1:
a=f.readline().strip()
if a:
if len(a)==16: # Mouse flow of words len Change it to 8
out=''
for i in range(0,len(a),2):
if i+2 != len(a):
out+=a[i]+a[i+1]+":"
else:
out+=a[i]+a[i+1]
fi.write(out)
fi.write('\n')
else:
break
fi.close() At this time, the corresponding third byte , That is to say [6:8] It represents the keystroke information (3) After extracting the keyboard traffic, you need to restore the information corresponding to the data with a script . Find two scripts to restore information at the same time (python2): keyboard1.py
mappings = {
0x04:"A", 0x05:"B", 0x06:"C", 0x07:"D", 0x08:"E", 0x09:"F", 0x0A:"G", 0x0B:"H", 0x0C:"I", 0x0D:"J", 0x0E:"K", 0x0F:"L", 0x10:"M", 0x11:"N",0x12:"O", 0x13:"P", 0x14:"Q", 0x15:"R", 0x16:"S", 0x17:"T", 0x18:"U",0x19:"V", 0x1A:"W", 0x1B:"X", 0x1C:"Y", 0x1D:"Z", 0x1E:"1", 0x1F:"2", 0x20:"3", 0x21:"4", 0x22:"5", 0x23:"6", 0x24:"7", 0x25:"8", 0x26:"9", 0x27:"0", 0x28:"\n", 0x2a:"[DEL]", 0X2B:" ", 0x2C:" ", 0x2D:"-", 0x2E:"=", 0x2F:"[", 0x30:"]", 0x31:"\\", 0x32:"~", 0x33:";", 0x34:"'", 0x36:",", 0x37:"." }
nums = []
keys = open('out.txt')
for line in keys:
if line[0]!='0' or line[1]!='0' or line[3]!='0' or line[4]!='0' or line[9]!='0' or line[10]!='0' or line[12]!='0' or line[13]!='0' or line[15]!='0' or line[16]!='0' or line[18]!='0' or line[19]!='0' or line[21]!='0' or line[22]!='0':
continue
nums.append(int(line[6:8],16))
keys.close()
output = ""
for n in nums:
if n == 0 :
continue
if n in mappings:
output += mappings[n]
else:
output += '[unknown]'
print 'output :\n' + outputkeyboard2.py
normalKeys = {
"04":"a", "05":"b", "06":"c", "07":"d", "08":"e",
"09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j",
"0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o",
"13":"p", "14":"q", "15":"r", "16":"s", "17":"t",
"18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y",
"1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4",
"22":"5", "23":"6","24":"7","25":"8","26":"9",
"27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t",
"2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\\",
"32":"<NON>","33":";","34":"'","35":"<GA>","36":",","37":".",
"38":"/","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>",
"3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>",
"44":"<F11>","45":"<F12>"}
shiftKeys = {
"04":"A", "05":"B", "06":"C", "07":"D", "08":"E",
"09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J",
"0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O",
"13":"P", "14":"Q", "15":"R", "16":"S", "17":"T",
"18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y",
"1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$",
"22":"%", "23":"^","24":"&","25":"*","26":"(","27":")",
"28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>",
"2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"<NON>","33":"\"",
"34":":","35":"<GA>","36":"<","37":">","38":"?","39":"<CAP>","3a":"<F1>",
"3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>",
"41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
output = []
keys = open('out.txt')
for line in keys:
try:
if line[0]!='0' or (line[1]!='0' and line[1]!='2') or line[3]!='0' or line[4]!='0' or line[9]!='0' or line[10]!='0' or line[12]!='0' or line[13]!='0' or line[15]!='0' or line[16]!='0' or line[18]!='0' or line[19]!='0' or line[21]!='0' or line[22]!='0' or line[6:8]=="00":
continue
if line[6:8] in normalKeys.keys():
output += [[normalKeys[line[6:8]]],[shiftKeys[line[6:8]]]][line[1]=='2']
else:
output += ['[unknown]']
except:
pass
keys.close()
flag=0
print("".join(output))
for i in range(len(output)):
try:
a=output.index('<DEL>')
del output[a]
del output[a-1]
except:
pass
for i in range(len(output)):
try:
if output[i]=="<CAP>":
flag+=1
output.pop(i)
if flag==2:
flag=0
if flag!=0:
output[i]=output[i].upper()
except:
pass
print ('output :' + "".join(output))Run the first script to get
BCFGIJGFEDCABACFEDCA7200[DEL]53[DEL]93
because [DEL] Delete key , Recover 6 Digit number . therefore flag: 7205932、 Mouse traffic
USB The protocol mouse data section is in Leftover Capture Data domain , The data length is Four bytes .
The first byte represents the key , When taking 0x00 when , It means there are no buttons 、 by 0x01 when , Means to press the left key , by 0x02 when , Represents the right button of the current key . The second byte can be regarded as a signed byte type , Its highest bit is the sign bit , When this value is positive , Represents how many pixels the mouse moves horizontally to the right , When it is negative , Represents how many pixels are moved horizontally to the left . The third byte is similar to the second byte , Represents the offset of vertical up and down movement .
Pictured , The data information is 0x00002000, Indicates that the mouse moves vertically upwards 20.
1. Question type :
flag Hidden in usb In the flow , adopt USB The mouse movement track in the protocol data is converted into flag.
2. Their thinking :
1. Use kali linux Medium tshark The command cap data extracted , And remove empty lines
tshark -r usb2.pcap -T fields -e usb.capdata > usbdata.txt
tshark -r usb2.pcap -T fields -e usb.capdata | sed '/^\s*$/d' > usbdata.txt # Extract and remove empty lines 2. according to usb Protocol mouse data restore mouse movement track , Can write one Python Script for quick restore .
3. Title Example :
【NSCTF】 This is a mouse traffic analysis problem . Extraction code :q6ro (1) Use tshark The command pcap Data extraction and removal of blank lines to usbdata.txt
tshark -r usb2.pcap -T fields -e usb.capdata | sed '/^\s*$/d' > usbdata.txt(2) Use the colon script mentioned above , And the script mentioned 16 Change it to 8, obtain
python3 maohao.py(3) Use mouse.py Test information hiding places
nums = []
keys = open('out.txt','r')
f = open('xy.txt','w')
posx = 0
posy = 0
for line in keys:
if len(line) != 12 :
continue
x = int(line[3:5],16)
y = int(line[6:8],16)
if x > 127 :
x -= 256
if y > 127 :
y -= 256
posx += x
posy += y
btn_flag = int(line[0:2],16) # 1 for left , 2 for right , 0 for nothing
if btn_flag == 2 : # 1 For the left button
f.write(str(posx))
f.write(' ')
f.write(str(posy))
f.write('\n')
f.close()Tests found flag The information is hidden in the right button , That is, when the script btn_flag take 2 You can get a series of coordinates
(4) use gnuplot take xy.txt The coordinates in are converted into images
gnuplot
gnuplot>plot "xy.txt"I found that the direction was reversed , Use windows Upper ” drawing ” Just flip it vertically .
The resulting flag
0x02 Postscript
This time summarizes USB Traffic analysis of traffic packets , Have a simple understanding of keyboard traffic and mouse traffic .
Reference blog : USB Summary of flow knowledge points CTF In depth analysis of flow analysis
Publisher : Full stack programmer stack length , Reprint please indicate the source :https://javaforall.cn/132254.html Link to the original text :https://javaforall.cn
边栏推荐
猜你喜欢
浏览器窗口切换激活事件 visibilitychange
German agbb VOC hazardous substances test
When selecting smart speakers, do you prefer "smart" or "sound quality"? This article gives you the answer
![Delete duplicate elements in the sorting linked list ii[unified operation of linked list nodes --dummyhead]](/img/dd/7df8f11333125290b4b30183cfff64.png)
Delete duplicate elements in the sorting linked list ii[unified operation of linked list nodes --dummyhead]
PyTorch学习(三)
How to seamlessly transition from traditional microservice framework to service grid ASM
Four tips tell you how to use SMS to promote business sales?
3.10 haas506 2.0 development tutorial example TFT
一套十万级TPS的IM综合消息系统的架构实践与思考
PC wechat multi open
随机推荐
华兴证券:混合云原生架构下的 Kitex 实践
《Go题库·15》go struct 能不能比较?
Digital intelligent supplier management system solution for coal industry: data driven, supplier intelligent platform helps enterprises reduce costs and increase efficiency
MySQL recursion
Regular expressions (regular matching)
Huaxing Securities: kitex practice under the original hybrid Cloud Architecture
mysql下载和安装详细教程
Build graphql service based on Actix, async graphql, rbatis, pgsql/mysql (4) - change service
TCP packet sticking problem
NFT technology for gamefi chain game system development
[Collection - industry solutions] how to build a high-performance data acceleration and data editing platform
Practice and Thinking on the architecture of a set of 100000 TPS im integrated message system
SaaS project management system solution for the financial service industry helps enterprises tap a broader growth service space
Compare the audio librosa library with the Mel spectrogram in the torchaudio library
[community star selection] the 23rd issue of the July revision plan | bit by bit creation, converging into a tower! Huawei freebuses 4E and other cool gifts
浏览器窗口切换激活事件 visibilitychange
一点比较有意思的模块
Leader: who can use redis expired monitoring to close orders and get out of here!
不同制造工艺对PCB上的焊盘的影响和要求
Detailed single case mode