当前位置:网站首页>CTF flow analysis common questions (II) -usb flow
CTF flow analysis common questions (II) -usb flow
2022-06-30 19:12:00 【Full stack programmer webmaster】
Hello everyone , I meet you again , I'm your friend, Quan Jun .
0x00 Preface
I'm learning Wireshark Common use , For common CTF Traffic Some problems of the analysis questions and triathlon flow analysis questions are briefly summarized . Because the length is too long , So another summary USB Flow packet analysis , Include Keyboard traffic and Mouse traffic .
0x01 USB Flow packet analysis
USB Flow refers to USB Flow of equipment interface , An attacker can listen usb Interface traffic access keyboard keystrokes 、 Mouse movement and click 、 Transmission communication of inscriptions on storage devices 、USB Wireless network card network transmission content, etc . stay CTF in ,USB Traffic analysis mainly focuses on keyboard and mouse traffic .
1、 Keyboard traffic
USB The protocol data section is in Leftover Capture Data domain , The data length is Eight bytes . The keyboard keystroke information is concentrated in the third byte .
Pictured , The keystroke information found is 0x06, That is, the corresponding key is C Key mapping relation reference :《USB Key code in keyboard protocol 》 Medium HID Usage ID
1. Question type :
flag Hidden in usb In the flow , adopt USB The keyboard key codes in the protocol data are converted into key positions .
2. Their thinking :
1. Use kali linux Medium tshark The command cap data extracted :
tshark -r usb.pcap -T fields -e usb.capdata > usbdata.txt
tshark -r usb.pcap -T fields -e usb.capdata | sed '/^\s*$/d' > usbdata.txt # Extract and remove empty lines 2. according to 《USB Key code in keyboard protocol 》 Medium HID Usage ID Restore data to key position , Can write one Python Script for quick conversion .
3. Title Example :
【NSCTF】 Security evaluation personnel are conducting penetration test on a bank card password input system , Intercepted a passage USB Keyboard entry 6 Traffic of bit digital password , It also contains some other extraneous USB Flow of equipment , You can recover from it 6 A digital password ? Finally submitted flag The format is flag Extraction code :q6ro (1) Use tshark The command pcap Data extraction and removal of blank lines to usbdata.txt
tshark -r usb.pcap -T fields -e usb.capdata | sed '/^\s*$/d' > usbdata.txt(2) The extracted data may have a colon , Or not ( It's possible and wireshark The version of ), But the general script will identify by the data with colon
Extracting data when there is a colon
[6:8]When there is no colon, the data is[4:6]
You can use scripts to add colons
f=open('usbdata.txt','r')
fi=open('out.txt','w')
while 1:
a=f.readline().strip()
if a:
if len(a)==16: # Mouse flow of words len Change it to 8
out=''
for i in range(0,len(a),2):
if i+2 != len(a):
out+=a[i]+a[i+1]+":"
else:
out+=a[i]+a[i+1]
fi.write(out)
fi.write('\n')
else:
break
fi.close() At this time, the corresponding third byte , That is to say [6:8] It represents the keystroke information (3) After extracting the keyboard traffic, you need to restore the information corresponding to the data with a script . Find two scripts to restore information at the same time (python2): keyboard1.py
mappings = {
0x04:"A", 0x05:"B", 0x06:"C", 0x07:"D", 0x08:"E", 0x09:"F", 0x0A:"G", 0x0B:"H", 0x0C:"I", 0x0D:"J", 0x0E:"K", 0x0F:"L", 0x10:"M", 0x11:"N",0x12:"O", 0x13:"P", 0x14:"Q", 0x15:"R", 0x16:"S", 0x17:"T", 0x18:"U",0x19:"V", 0x1A:"W", 0x1B:"X", 0x1C:"Y", 0x1D:"Z", 0x1E:"1", 0x1F:"2", 0x20:"3", 0x21:"4", 0x22:"5", 0x23:"6", 0x24:"7", 0x25:"8", 0x26:"9", 0x27:"0", 0x28:"\n", 0x2a:"[DEL]", 0X2B:" ", 0x2C:" ", 0x2D:"-", 0x2E:"=", 0x2F:"[", 0x30:"]", 0x31:"\\", 0x32:"~", 0x33:";", 0x34:"'", 0x36:",", 0x37:"." }
nums = []
keys = open('out.txt')
for line in keys:
if line[0]!='0' or line[1]!='0' or line[3]!='0' or line[4]!='0' or line[9]!='0' or line[10]!='0' or line[12]!='0' or line[13]!='0' or line[15]!='0' or line[16]!='0' or line[18]!='0' or line[19]!='0' or line[21]!='0' or line[22]!='0':
continue
nums.append(int(line[6:8],16))
keys.close()
output = ""
for n in nums:
if n == 0 :
continue
if n in mappings:
output += mappings[n]
else:
output += '[unknown]'
print 'output :\n' + outputkeyboard2.py
normalKeys = {
"04":"a", "05":"b", "06":"c", "07":"d", "08":"e",
"09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j",
"0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o",
"13":"p", "14":"q", "15":"r", "16":"s", "17":"t",
"18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y",
"1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4",
"22":"5", "23":"6","24":"7","25":"8","26":"9",
"27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t",
"2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\\",
"32":"<NON>","33":";","34":"'","35":"<GA>","36":",","37":".",
"38":"/","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>",
"3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>",
"44":"<F11>","45":"<F12>"}
shiftKeys = {
"04":"A", "05":"B", "06":"C", "07":"D", "08":"E",
"09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J",
"0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O",
"13":"P", "14":"Q", "15":"R", "16":"S", "17":"T",
"18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y",
"1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$",
"22":"%", "23":"^","24":"&","25":"*","26":"(","27":")",
"28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>",
"2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"<NON>","33":"\"",
"34":":","35":"<GA>","36":"<","37":">","38":"?","39":"<CAP>","3a":"<F1>",
"3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>",
"41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
output = []
keys = open('out.txt')
for line in keys:
try:
if line[0]!='0' or (line[1]!='0' and line[1]!='2') or line[3]!='0' or line[4]!='0' or line[9]!='0' or line[10]!='0' or line[12]!='0' or line[13]!='0' or line[15]!='0' or line[16]!='0' or line[18]!='0' or line[19]!='0' or line[21]!='0' or line[22]!='0' or line[6:8]=="00":
continue
if line[6:8] in normalKeys.keys():
output += [[normalKeys[line[6:8]]],[shiftKeys[line[6:8]]]][line[1]=='2']
else:
output += ['[unknown]']
except:
pass
keys.close()
flag=0
print("".join(output))
for i in range(len(output)):
try:
a=output.index('<DEL>')
del output[a]
del output[a-1]
except:
pass
for i in range(len(output)):
try:
if output[i]=="<CAP>":
flag+=1
output.pop(i)
if flag==2:
flag=0
if flag!=0:
output[i]=output[i].upper()
except:
pass
print ('output :' + "".join(output))Run the first script to get
BCFGIJGFEDCABACFEDCA7200[DEL]53[DEL]93
because [DEL] Delete key , Recover 6 Digit number . therefore flag: 7205932、 Mouse traffic
USB The protocol mouse data section is in Leftover Capture Data domain , The data length is Four bytes .
The first byte represents the key , When taking 0x00 when , It means there are no buttons 、 by 0x01 when , Means to press the left key , by 0x02 when , Represents the right button of the current key . The second byte can be regarded as a signed byte type , Its highest bit is the sign bit , When this value is positive , Represents how many pixels the mouse moves horizontally to the right , When it is negative , Represents how many pixels are moved horizontally to the left . The third byte is similar to the second byte , Represents the offset of vertical up and down movement .
Pictured , The data information is 0x00002000, Indicates that the mouse moves vertically upwards 20.
1. Question type :
flag Hidden in usb In the flow , adopt USB The mouse movement track in the protocol data is converted into flag.
2. Their thinking :
1. Use kali linux Medium tshark The command cap data extracted , And remove empty lines
tshark -r usb2.pcap -T fields -e usb.capdata > usbdata.txt
tshark -r usb2.pcap -T fields -e usb.capdata | sed '/^\s*$/d' > usbdata.txt # Extract and remove empty lines 2. according to usb Protocol mouse data restore mouse movement track , Can write one Python Script for quick restore .
3. Title Example :
【NSCTF】 This is a mouse traffic analysis problem . Extraction code :q6ro (1) Use tshark The command pcap Data extraction and removal of blank lines to usbdata.txt
tshark -r usb2.pcap -T fields -e usb.capdata | sed '/^\s*$/d' > usbdata.txt(2) Use the colon script mentioned above , And the script mentioned 16 Change it to 8, obtain
python3 maohao.py(3) Use mouse.py Test information hiding places
nums = []
keys = open('out.txt','r')
f = open('xy.txt','w')
posx = 0
posy = 0
for line in keys:
if len(line) != 12 :
continue
x = int(line[3:5],16)
y = int(line[6:8],16)
if x > 127 :
x -= 256
if y > 127 :
y -= 256
posx += x
posy += y
btn_flag = int(line[0:2],16) # 1 for left , 2 for right , 0 for nothing
if btn_flag == 2 : # 1 For the left button
f.write(str(posx))
f.write(' ')
f.write(str(posy))
f.write('\n')
f.close()Tests found flag The information is hidden in the right button , That is, when the script btn_flag take 2 You can get a series of coordinates
(4) use gnuplot take xy.txt The coordinates in are converted into images
gnuplot
gnuplot>plot "xy.txt"I found that the direction was reversed , Use windows Upper ” drawing ” Just flip it vertically .
The resulting flag
0x02 Postscript
This time summarizes USB Traffic analysis of traffic packets , Have a simple understanding of keyboard traffic and mouse traffic .
Reference blog : USB Summary of flow knowledge points CTF In depth analysis of flow analysis
Publisher : Full stack programmer stack length , Reprint please indicate the source :https://javaforall.cn/132254.html Link to the original text :https://javaforall.cn
边栏推荐
- Reading notes of "high EQ means being able to talk"
- 20200525-生物技术-四川师范大学自考生物技术(本科)考试计划.txt
- 10 statistical methods commonly used for "dry goods" data analysis, with key application scenarios attached
- PyTorch学习(三)
- go之web框架 iris
- opencv数据类型代码表 dtype
- AI chief architect 10-aica-lanxiang, propeller frame design and core technology
- Nodejs 安装与介绍
- How to use AI technology to optimize the independent station customer service system? Listen to the experts!
- 20220607跌破建议零售价,GPU市场正全面走向供过于求...
猜你喜欢
TCP packet sticking problem
拓維信息使用 Rainbond 的雲原生落地實踐
【合集- 行业解决方案】如何搭建高性能的数据加速与数据编排平台
德国AgBB VoC有害物质测试
Personally test the size of flutter after packaging APK, quite satisfied
Huaxing Securities: kitex practice under the original hybrid Cloud Architecture
Construction and practice of full stack code test coverage and use case discovery system
屏幕显示技术进化史
Four tips tell you how to use SMS to promote business sales?
SaaS project management system solution for the financial service industry helps enterprises tap a broader growth service space
随机推荐
Geoffrey Hinton: my 50 years of in-depth study and Research on mental skills
PC端微信多开
AI chief architect 10-aica-lanxiang, propeller frame design and core technology
亲测flutter打包apk后大小,比较满意
NEON优化2:ARM优化高频指令总结
sqlserver SQL Server Management Studio和Transact-SQL创建账户、创建访问指定数据库的只读用户
Lenovo Yoga 27 2022, full upgrade of super configuration
《客从何处来》
《Go题库·15》go struct 能不能比较?
PyTorch学习(三)
Teach you to quickly set up a live studio in 30 minutes
Go redis connection pool
torch. roll
传统微服务框架如何无缝过渡到服务网格 ASM
手机股票账号开户安全吗?是靠谱的吗?
How to improve the three passive situations in data analysis
Leader: who can use redis expired monitoring to close orders and get out of here!
Adhering to the concept of 'home in China', 2022 BMW children's traffic safety training camp was launched
Four tips tell you how to use SMS to promote business sales?
Kalman滤波器--从高斯融合推导