0x00
Note: I wrote this article as my notes so that problem types and basic solving approaches are easy to look up. There are bound to be shortcomings; please point them out.
0x01 Basic concepts
USB traffic analysis in CTF mostly means keyboard and mouse (HID) traffic: recovering which keys were pressed, how the mouse moved and where it clicked. A keyboard report is normally 8 bytes (byte 0: modifier bitmask, byte 1: reserved, bytes 2 to 7: up to six keycodes currently held), and a mouse report is normally 4 bytes (buttons, X delta, Y delta, wheel); the exact length is fixed by the device's HID report descriptor and can differ from these defaults. The bytes to look at are the HID Data field (usbhid.data), or Leftover Capture Data (usb.capdata) when Wireshark did not see the HID descriptor and could not dissect further; either way, that is the transferred USB payload.
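As an added example (this is not code from the original notes), here is a parser for the 4-byte mouse report described above. It assumes the usual boot-protocol layout: byte 0 is the button bitmask (bit 0 left, bit 1 right, bit 2 middle), bytes 1 and 2 are signed 8-bit X and Y deltas, byte 3 is the wheel. It integrates the deltas into coordinates and records clicks and the positions visited while the left button is held, which is how a flag drawn with the mouse is recovered. The sample reports are constructed; in a real capture the report length and byte order must be checked against the HID report descriptor (some devices prepend a report ID or use 16-bit deltas).

```python
import struct

# Boot-protocol mouse report layout assumed here: byte 0 = button bitmask,
# byte 1 = X delta, byte 2 = Y delta, byte 3 = wheel delta (deltas are signed 8-bit).
# Check the device's HID report descriptor in the capture if the length differs.
LEFT, RIGHT, MIDDLE = 0x01, 0x02, 0x04


def parse_mouse_report(line):
    """Parse one usbhid.data / usb.capdata line ('00:05:fb:00' or '0005fb00')."""
    data = bytes.fromhex(line.strip().replace(":", ""))
    if len(data) not in (3, 4):
        raise ValueError(f"unexpected mouse report length {len(data)}: {line!r}")
    buttons, dx, dy = struct.unpack("Bbb", data[:3])
    wheel = struct.unpack("b", data[3:4])[0] if len(data) == 4 else 0
    return buttons, dx, dy, wheel


def trace_mouse(lines):
    """Integrate the deltas into absolute coordinates (origin at the first report).
    Returns (path, clicks, drawn): every position, the positions where a button went
    down, and the positions recorded while the left button was held (the strokes)."""
    x = y = 0
    prev_buttons = 0
    path, clicks, drawn = [], [], []
    for line in lines:
        if not line.strip():
            continue                        # packets without HID data print as empty lines
        buttons, dx, dy, _wheel = parse_mouse_report(line)
        x += dx
        y += dy
        path.append((x, y))
        pressed = buttons & ~prev_buttons   # bits set now that were not set in the previous report
        for bit, name in ((LEFT, "left"), (RIGHT, "right"), (MIDDLE, "middle")):
            if pressed & bit:
                clicks.append((name, x, y))
        if buttons & LEFT:
            drawn.append((x, y))
        prev_buttons = buttons
    return path, clicks, drawn


# Constructed sample (not the page's capture): move, left-click-and-drag, right-click.
SAMPLE_MOUSE_LINES = [
    "00:05:00:00",  # +5 in X
    "00:00:fb:00",  # -5 in Y (0xfb is -5 as a signed byte)
    "01:00:00:00",  # left button down
    "01:02:02:00",  # drag +2,+2 with the button held
    "00:00:00:00",  # release
    "",             # a packet with no HID payload
    "02:00:00:00",  # right button down
    "00:00:00:00",  # release
]

if __name__ == "__main__":
    path, clicks, drawn = trace_mouse(SAMPLE_MOUSE_LINES)
    print("clicks:", clicks)
    print("drawn :", drawn)
    # To plot, write `drawn` out as "x y" lines for gnuplot; USB Y grows downwards,
    # so negate y (or flip the axis) to see the strokes the right way up.
```

For a real capture, feed it the lines of the tshark field output (see the extraction command in 0x02, with the mouse endpoint's usbhid.data or usb.capdata) instead of SAMPLE_MOUSE_LINES.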
0x02 Keyboard traffic
Problem 1 link: https://pan.baidu.com/s/1DM6CB5qovJpTC--oG_Pigw  extraction code: xxdh
Open the capture: packets whose Info column reads URB_INTERRUPT in are the USB interrupt transfers from the device to the host, and those are the ones that carry the HID reports; inside them you find the HID Data field.
Use tshark to extract the HID Data of every packet:
tshark -r a.pcapng -T fields -e usbhid.data > usbdata.txt
-r <file>: the capture file to analyse.
-e <field>: the field to extract (if Wireshark shows the bytes as Leftover Capture Data rather than HID Data, use -e usb.capdata instead).
-T fields: output only the requested fields, one packet per line.
Packets that do not carry the field come out as empty lines, and all-zero reports (key releases) carry no keystroke, so both need to be removed. There are many ways to do this; here a script is used for each step. Depending on the tshark version the bytes are printed either as plain hex (0000040000000000) or colon-separated (00:00:04:00:00:00:00:00); the scripts below assume the plain form.
# Open the raw tshark output and a file for the cleaned data
with open('usbdata.txt', 'r') as infile, open('usbdata_cleaned.txt', 'w') as outfile:
    # Read line by line
    for line in infile:
        # Strip the newline; drop empty lines and all-zero reports (key releases).
        # Colons are removed before the check so "00:00:00:00:00:00:00:00" is dropped too.
        stripped_line = line.strip().replace(':', '')
        if stripped_line and not all(char == '0' for char in stripped_line):
            # Neither empty nor all zeros: keep the line
            outfile.write(line)
print('All-zero reports and empty lines removed; cleaned data saved to usbdata_cleaned.txt.')
Then insert colons between the bytes:
# Split each line of the cleaned file into bytes and join them with colons
# (not needed if your tshark already prints the bytes colon-separated).
with open('usbdata_cleaned.txt', 'r') as f, open('out.txt', 'w') as fi:
    for line in f:
        a = line.strip()
        if len(a) == 16:  # 16 hex digits = 8-byte keyboard report (a 4-byte mouse report would be 8 digits)
            out = ''
            for i in range(0, len(a), 2):
                if i + 2 != len(a):
                    out += a[i] + a[i + 1] + ":"
                else:
                    out += a[i] + a[i + 1]
            fi.write(out)
            fi.write('\n')
Now the keystrokes can be extracted: each keycode maps to exactly one character. The mapping (the keyboard/keypad page of the HID Usage Tables) is at http://www.willhsu.com/zb_users/upload/2021/06/202106241624549419156181.pdf
# -*- coding: utf-8 -*-
# USB HID keycode (Usage Page 0x07, keyboard/keypad page) -> character, US layout
normal_keys = {
    0x04: "a", 0x05: "b", 0x06: "c", 0x07: "d", 0x08: "e", 0x09: "f",
    0x0A: "g", 0x0B: "h", 0x0C: "i", 0x0D: "j", 0x0E: "k", 0x0F: "l",
    0x10: "m", 0x11: "n", 0x12: "o", 0x13: "p", 0x14: "q", 0x15: "r",
    0x16: "s", 0x17: "t", 0x18: "u", 0x19: "v", 0x1A: "w", 0x1B: "x",
    0x1C: "y", 0x1D: "z", 0x1E: "1", 0x1F: "2", 0x20: "3", 0x21: "4",
    0x22: "5", 0x23: "6", 0x24: "7", 0x25: "8", 0x26: "9", 0x27: "0",
    0x28: "\n", 0x2C: " ", 0x2D: "-", 0x2E: "=", 0x2F: "[", 0x30: "]",
    0x31: "\\", 0x33: ";", 0x34: "'", 0x35: "`", 0x36: ",", 0x37: ".", 0x38: "/"
}
# Same keycodes with Shift held
shift_keys = {
    0x04: "A", 0x05: "B", 0x06: "C", 0x07: "D", 0x08: "E", 0x09: "F",
    0x0A: "G", 0x0B: "H", 0x0C: "I", 0x0D: "J", 0x0E: "K", 0x0F: "L",
    0x10: "M", 0x11: "N", 0x12: "O", 0x13: "P", 0x14: "Q", 0x15: "R",
    0x16: "S", 0x17: "T", 0x18: "U", 0x19: "V", 0x1A: "W", 0x1B: "X",
    0x1C: "Y", 0x1D: "Z", 0x1E: "!", 0x1F: "@", 0x20: "#", 0x21: "$",
    0x22: "%", 0x23: "^", 0x24: "&", 0x25: "*", 0x26: "(", 0x27: ")",
    0x2D: "_", 0x2E: "+", 0x2F: "{", 0x30: "}", 0x31: "|", 0x33: ":", 0x34: '"',
    0x35: "~", 0x36: "<", 0x37: ">", 0x38: "?", 0xE0: 'Left Shift', 0xE1: 'Right Shift'
}
shift_pressed = False  # Shift state, toggled whenever a Shift keycode is seen
# Read the file and collect the keycodes
nums = []
with open('out.txt', 'r') as keys:
    for line in keys:
        if line.strip():  # skip empty lines
            key_code = int(line[6:8], 16)  # byte 2 of the report: the first keycode
            if key_code in (0xE0, 0xE1):  # Shift keycodes (a boot keyboard reports Shift as a bit in byte 0, not here)
                shift_pressed = not shift_pressed
            elif key_code == 0:
                continue
            else:
                nums.append((key_code, shift_pressed))
# Build the output string from the keycodes
output = ""
for key_code, shift in nums:
    if shift:
        if key_code in shift_keys:
            output += shift_keys[key_code]
    else:
        if key_code in normal_keys:
            output += normal_keys[key_code]
# Print the result
print('output:\n' + output)
The output is "helloworld1", but the correct answer is "helloworld!"; the only difference is whether Shift was held.
Looking closely at out.txt, the last few lines begin with 02. Byte 0 of a keyboard report is the modifier bitmask (0x02 = Left Shift, 0x20 = Right Shift), so 02 there means Shift was held while 0x1E ("1") was pressed. The script above only looks for the Shift keycodes 0xE0/0xE1 in byte 2, where a boot-protocol keyboard never reports them, so it never notices the Shift and emits "1" instead of "!". Testing bit 1 or bit 5 of byte 0 is the fix.
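As an added example (this is neither the original script nor the author's corrected version), here is a decoder that does the three steps above in one pass and reads Shift from the modifier byte, so a capture that the script above decodes as "helloworld1" comes out as "helloworld!". It accepts tshark field output in either plain-hex or colon-separated form, skips empty lines, mouse-length lines and release reports, handles Backspace and Caps Lock, and emits a key only when it is newly pressed. The sample lines are constructed; the file name usbdata.txt follows the tshark command above.

```python
import re
import sys

# HID keyboard usage IDs (Usage Page 0x07) -> (unshifted, shifted), US layout.
# Sub-set sufficient for typical CTF captures; extend from the HID Usage Tables if needed.
KEYMAP = {
    0x04: ("a", "A"), 0x05: ("b", "B"), 0x06: ("c", "C"), 0x07: ("d", "D"), 0x08: ("e", "E"),
    0x09: ("f", "F"), 0x0A: ("g", "G"), 0x0B: ("h", "H"), 0x0C: ("i", "I"), 0x0D: ("j", "J"),
    0x0E: ("k", "K"), 0x0F: ("l", "L"), 0x10: ("m", "M"), 0x11: ("n", "N"), 0x12: ("o", "O"),
    0x13: ("p", "P"), 0x14: ("q", "Q"), 0x15: ("r", "R"), 0x16: ("s", "S"), 0x17: ("t", "T"),
    0x18: ("u", "U"), 0x19: ("v", "V"), 0x1A: ("w", "W"), 0x1B: ("x", "X"), 0x1C: ("y", "Y"),
    0x1D: ("z", "Z"), 0x1E: ("1", "!"), 0x1F: ("2", "@"), 0x20: ("3", "#"), 0x21: ("4", "$"),
    0x22: ("5", "%"), 0x23: ("6", "^"), 0x24: ("7", "&"), 0x25: ("8", "*"), 0x26: ("9", "("),
    0x27: ("0", ")"), 0x28: ("\n", "\n"), 0x2B: ("\t", "\t"), 0x2C: (" ", " "), 0x2D: ("-", "_"),
    0x2E: ("=", "+"), 0x2F: ("[", "{"), 0x30: ("]", "}"), 0x31: ("\\", "|"), 0x33: (";", ":"),
    0x34: ("'", '"'), 0x35: ("`", "~"), 0x36: (",", "<"), 0x37: (".", ">"), 0x38: ("/", "?"),
}
BACKSPACE, CAPS_LOCK = 0x2A, 0x39
SHIFT_MASK = 0x02 | 0x20          # byte 0: bit 1 = Left Shift, bit 5 = Right Shift


def normalise(line):
    """Return the 8-byte report for one tshark output line, or None if the line is
    empty or not an 8-byte report. Accepts both '0000040000000000' and
    '00:00:04:00:00:00:00:00', so no separate clean-up or colon-insertion pass is needed."""
    hexstr = line.strip().replace(":", "")
    if not re.fullmatch(r"[0-9a-fA-F]{16}", hexstr):
        return None
    return bytes.fromhex(hexstr)


def decode_keyboard(lines):
    """Reconstruct typed text from 8-byte boot-protocol keyboard reports."""
    text = []
    prev_keys = set()
    caps = False
    for line in lines:
        report = normalise(line)
        if report is None:
            continue
        modifiers = report[0]                       # byte 1 is reserved
        keys = {k for k in report[2:8] if k}        # up to six keycodes, 0x00 = no key
        # A key is typed when it first appears; reports repeated while it is
        # still held, and release reports, add nothing.
        for k in sorted(keys - prev_keys):
            if k == BACKSPACE:
                if text:
                    text.pop()
            elif k == CAPS_LOCK:
                caps = not caps
            elif k in KEYMAP:
                lower, upper = KEYMAP[k]
                shifted = bool(modifiers & SHIFT_MASK)
                if lower.isalpha():                 # Caps Lock only affects letters
                    shifted ^= caps
                text.append(upper if shifted else lower)
        prev_keys = keys
    return "".join(text)


def _report(mod, key):
    return f"{mod:02x}00{key:02x}0000000000"

# Constructed sample (not the page's capture): keycodes for "helloworld", Shift+1,
# a stray 'x' removed with Backspace, then Enter; each press is followed by a release.
SAMPLE_LINES = []
for mod, key in [(0, 0x0B), (0, 0x08), (0, 0x0F), (0, 0x0F), (0, 0x12), (0, 0x1A), (0, 0x12),
                 (0, 0x15), (0, 0x0F), (0, 0x07), (0x02, 0x1E), (0, 0x1B), (0, BACKSPACE), (0, 0x28)]:
    SAMPLE_LINES += [_report(mod, key), _report(0, 0)]
SAMPLE_LINES[4] = ":".join(SAMPLE_LINES[4][i:i + 2] for i in range(0, 16, 2))  # newer-tshark colon form
SAMPLE_LINES.insert(0, "")                                                    # blank line, as tshark emits

if __name__ == "__main__":
    if len(sys.argv) > 1:                      # e.g. python3 decode.py usbdata.txt
        with open(sys.argv[1]) as f:
            print(repr(decode_keyboard(f)))
    else:
        print(repr(decode_keyboard(SAMPLE_LINES)))
```

If a capture contains no release reports at all (some challenge files are trimmed that way), drop the `- prev_keys` in the loop, otherwise a doubled letter typed without an intervening release would be collapsed to one.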
0x03 Traffic that only looks like USB traffic
Problem link: https://pan.baidu.com/s/1QLEJm3ZIofP7EIHTFCNVgQ  extraction code: cvy2
The file looked like USB traffic, so I went through the USB analysis steps above, but what came out could not be decoded. Going back to the capture itself and searching (Ctrl+F) for flag turned up a 7z archive inside it; from there the problem became ordinary traffic analysis.
The archive was password-protected. At first I went straight to brute force, then noticed the password 123456 was written in the capture. Extract the archive and you have the answer.
A real competition problem for practice:
Link: https://pan.baidu.com/s/1Sw2-qt0m4hvb9sPl9U8aJA  extraction code: 6vr5