USB Traffic Analysis

Yesterday I helped someone look at a USB traffic analysis challenge.

Opening the capture, it looks like this:

[Screenshot: JA(]_1X3.png]

There is an article on Anquanke (安全客) titled "Learning USB Traffic Capture and Analysis from CTF".

The data portion of the USB protocol is in the Leftover Capture Data field.

This is a table of the correspondence between values and keys.

Wireshark's tshark tool can extract the Leftover Capture Data:

```
tshark -r usb.pcapng -T fields -e usb.capdata > usbdata.txt
```

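Write a script that filters the keyboard keystroke traffic out of the resulting usbdata.txt file and, using the mapping table above, prints the keys that were pressed: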

```python
# HID usage ID -> key, following the mapping table above
mappings = {
    0x04:"A", 0x05:"B", 0x06:"C", 0x07:"D", 0x08:"E", 0x09:"F", 0x0A:"G", 0x0B:"H",
    0x0C:"I", 0x0D:"J", 0x0E:"K", 0x0F:"L", 0x10:"M", 0x11:"N", 0x12:"O", 0x13:"P",
    0x14:"Q", 0x15:"R", 0x16:"S", 0x17:"T", 0x18:"U", 0x19:"V", 0x1A:"W", 0x1B:"X",
    0x1C:"Y", 0x1D:"Z", 0x1E:"1", 0x1F:"2", 0x20:"3", 0x21:"4", 0x22:"5", 0x23:"6",
    0x24:"7", 0x25:"8", 0x26:"9", 0x27:"0", 0x28:"\n", 0x2a:"[DEL]", 0x2B:"    ",
    0x2C:" ", 0x2D:"-", 0x2E:"=", 0x2F:"[", 0x30:"]", 0x31:"\\", 0x32:"~", 0x33:";",
    0x34:"'", 0x36:",", 0x37:"." }
nums = []
# Each line is expected in colon-separated form, e.g. 00:00:04:00:00:00:00:00
with open('usbdata.txt') as keys:
    for line in keys:
        # Lines shorter than a full 8-byte report would raise IndexError below
        if len(line) < 23:
            continue
        # Keep only reports in which every byte except the third is 00
        if line[0]!='0' or line[1]!='0' or line[3]!='0' or line[4]!='0' or line[9]!='0' or line[10]!='0' or line[12]!='0' or line[13]!='0' or line[15]!='0' or line[16]!='0' or line[18]!='0' or line[19]!='0' or line[21]!='0' or line[22]!='0':
            continue
        # The third byte is the usage ID of the pressed key
        nums.append(int(line[6:8], 16))
output = ""
for n in nums:
    if n == 0:
        continue
    if n in mappings:
        output += mappings[n]
    else:
        output += '[unknown]'
print('output :\n' + output)
```

Running the script gives the following output:

```
┌─[[email protected]][~/Desktop/output]
└──╼ $python usb.py 
output :
KEY[unknown]A2D4C5E6B8AEDA
```
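
The script above reads only the third byte of each report and skips any report whose first (modifier) byte is non-zero, so characters typed with Shift are dropped. As an added example (not the original author's code), the decoder below goes beyond that case: it accepts lines with or without colon separators, applies the Shift modifier, replays Backspace, and ignores keys still held from the previous report. It assumes 8-byte boot-keyboard reports and a US layout; `parse_report`, `decode`, `SAMPLE` and the sample lines are constructed for illustration.

```python
import string

# Added example. Assumptions: US layout, 8-byte reports (modifier, reserved, 6 keycodes).
PLAIN = {0x04 + i: c for i, c in enumerate(string.ascii_lowercase)}
PLAIN.update({0x1E + i: c for i, c in enumerate("1234567890")})
PLAIN.update({0x28: "\n", 0x2B: "\t", 0x2C: " ", 0x2D: "-", 0x2E: "=", 0x2F: "[",
              0x30: "]", 0x31: "\\", 0x33: ";", 0x34: "'", 0x36: ",", 0x37: "."})
SHIFTED = {k: v.upper() for k, v in PLAIN.items()}
SHIFTED.update({0x1E + i: c for i, c in enumerate("!@#$%^&*()")})
SHIFTED.update({0x2D: "_", 0x2E: "+", 0x2F: "{", 0x30: "}", 0x31: "|",
                0x33: ":", 0x34: '"', 0x36: "<", 0x37: ">"})
SHIFT_BITS = 0x02 | 0x20  # left Shift | right Shift in the modifier byte
BACKSPACE = 0x2A

def parse_report(line):
    """Return the 8 bytes of a keyboard report, or None for anything else."""
    try:
        data = bytes.fromhex(line.strip().replace(":", ""))  # "00:00:04" or "000004"
    except ValueError:
        return None
    return data if len(data) == 8 else None

def decode(lines):
    """Replay reports: emit each newly pressed key once, honour Shift and Backspace."""
    typed, held = [], set()
    for line in lines:
        report = parse_report(line)
        if report is None:
            continue
        table = SHIFTED if report[0] & SHIFT_BITS else PLAIN
        keys = [k for k in report[2:8] if k > 0x03]  # 0x00-0x03: no key / error codes
        for key in keys:
            if key in held:
                continue  # still held from the previous report, not a new keystroke
            if key == BACKSPACE:
                del typed[-1:]
            else:
                typed.append(table.get(key, "[0x%02x]" % key))
        held = set(keys)
    return "".join(typed)

# Constructed sample (not the challenge capture): "Kex", Backspace, then "y{a1}".
SAMPLE = ["02:00:0e:00:00:00:00:00", "0000080000000000", "00:00:1b:00:00:00:00:00",
          "00:00:2a:00:00:00:00:00", "00:00:1c:00:00:00:00:00", "20:00:1c:2f:00:00:00:00",
          "00:01:00:00", "", "00:00:04:00:00:00:00:00", "00:00:1e:00:00:00:00:00",
          "02:00:30:00:00:00:00:00"]
print(decode(SAMPLE))
```

Caps Lock state is not tracked, so letters typed with Caps Lock on come out in the wrong case.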


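Please credit AresX's Blog when reposting.

This blog is published under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license (CC BY-NC-SA 4.0). Please cite the source when reposting.
Permalink: https://ares-x.com/2017/11/20/USB流量分析/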