Misc
ez_usb
1.键盘流量
USB协议数据部分在Leftover Capture Data域中,数据长度为八个字节
。其中键盘击键信息集中在第三个字节中。
如图,发现击键信息为0x06,即对应的按键为C
2.鼠标流量
USB协议鼠标数据部分在Leftover Capture Data域中,数据长度为四个字节
。
其中第一个字节代表按键,当取0x00时,代表没有按键、为0x01时,代表按左键,为0x02时,代表当前按键为右键。 第二个字节可以看成是一个signed byte类型,其最高位为符号位,当这个值为正时,代表鼠标水平右移多少像素,为负时,代表水平左移多少像素。 第三个字节与第二字节类似,代表垂直上下移动的偏移。
如图,数据信息为0x00002000,表示鼠标垂直向上移动20。
3.可以使用kali linux中的tshark 命令把cap data提取出来:
tshark -r usb.pcap -T fields -e usb.capdata > usbdata.txt tshark -r usb.pcap -T fields -e usb.capdata | sed '/^\s*$/d' > usbdata.txt #提取并去除空行
4.提取出来的数据可能会带冒号,也可能不带(有可能和wireshark的版本相关),但是一般的脚本都会按照有冒号的数据来识别
有冒号时提取数据的
[6:8]
无冒号时数据在[4:6]
可以用脚本来加上冒号
f=open('usbdata.txt','r') fi=open('out.txt','w') while 1: a=f.readline().strip() if a: if len(a)==16: # 鼠标流量的话len改为8 out='' for i in range(0,len(a),2): if i+2 != len(a): out+=a[i]+a[i+1]+":" else: out+=a[i]+a[i+1] fi.write(out) fi.write('\n') else: break
normalKeys = { "04":"a", "05":"b", "06":"c", "07":"d", "08":"e", "09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j", "0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o", "13":"p", "14":"q", "15":"r", "16":"s", "17":"t", "18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y", "1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4", "22":"5", "23":"6","24":"7","25":"8","26":"9", "27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t", "2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\\", "32":"<NON>","33":";","34":"'","35":"<GA>","36":",","37":".", "38":"/","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>", "3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>", "44":"<F11>","45":"<F12>"} shiftKeys = { "04":"A", "05":"B", "06":"C", "07":"D", "08":"E", "09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J", "0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O", "13":"P", "14":"Q", "15":"R", "16":"S", "17":"T", "18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y", "1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$", "22":"%", "23":"^","24":"&","25":"*","26":"(","27":")", "28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>", "2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"<NON>","33":"\"", "34":":","35":"<GA>","36":"<","37":">","38":"?","39":"<CAP>","3a":"<F1>", "3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>", "41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"} output = [] keys = open('out1.txt') for line in keys: try: if line[0]!='0' or (line[1]!='0' and line[1]!='2') or line[3]!='0' or line[4]!='0' or line[9]!='0' or line[10]!='0' or line[12]!='0' or line[13]!='0' or line[15]!='0' or line[16]!='0' or line[18]!='0' or line[19]!='0' or line[21]!='0' or line[22]!='0' or line[6:8]=="00": continue if line[6:8] in normalKeys.keys(): output += [[normalKeys[line[6:8]]],[shiftKeys[line[6:8]]]][line[1]=='2'] else: output += ['[unknown]'] except: pass keys.close() flag=0 print("".join(output)) for i in range(len(output)): try: a=output.index('<DEL>') del output[a] del output[a-1] except: pass for i in range(len(output)): try: if output[i]=="<CAP>": flag+=1 output.pop(i) if flag==2: flag=0 if flag!=0: output[i]=output[i].upper() except: pass print ('output :' + "".join(output))
很明显的键盘流量,但是直接导出是错误的,这里也能发现版本有2.8.1和2.10.1两种,因此猜测需要分别导出
导出2.8.1:tshark -r ez_usb.pcapng -T fields -e usbhid.data -Y "usb.device_address == 8" | sed '/^\s*$/d'> 281.txt
导出2.10.1:tshark -r ez_usb.pcapng -T fields -e usbhid.data -Y "usb.device_address == 10" | sed '/^\s*$/d' > 2101.txt
得到一个rar压缩包和一个解密密码
everlasting_night
一个图片,010打开发现最后有一串东西,暂时不知道是啥
得到 f78dcd383f1b574b
根据rgb0通道都有LSB,但是解不出来,而且有上面得到的密码,猜测是ichunqiu最喜欢的cloacked-pixel
通过lsb.py,解出一个压缩包。
解压发现需要密码。
猜测应该是010打开的那最后东西,16字节,猜测是md5(唔各种在线解密都弄不出怀疑自己)
得到ohhWh04m1
010打开是png 但是一堆 应该是需要修复。改名为flag.data,导入gimp进行修复即可