USB packet traffic analysis question from the 2020 Tianjin CTF competition

1. Mouse traffic analysis

1. Commonly used commands

tshark -r usb.pcap -T fields -e usb.capdata > usbdata.txt

If the extracted data contains blank lines, you can change the command to the following form:

tshark -r usb2.pcap -T fields -e usb.capdata | sed '/^\s*$/d' > usbdata.txt

If the extracted data has no colons, you can use a script to add them, because the general-purpose script locates fields by their position in colon-separated data: with colons the third byte (vertical offset) is taken from [6:8], without colons it is taken from [5:7]. (I read on another blog, USB traffic forensic analysis, that it is at [4:6] when there are no colons; I used [5:7].)

Parameters:

-r: sets the input file that tshark analyses
-T: sets the output format of the decoded result; one of fields, text, ps, psml and pdml, default text


Basic knowledge of byte analysis for mouse traffic

Mouse movement appears continuous, unlike the discrete keystrokes of a keyboard, but the packets generated by mouse actions are in fact also discrete. Different mice produce different traffic; a typical mouse report is four bytes.

The data area of each packet has four bytes.
The first byte represents the buttons:

When the value is 0x00, no button is pressed; 0x01 means the left button is pressed; 0x02 means the right button is pressed.

The second byte can be treated as a signed byte, with its highest bit as the sign bit:

When this value is positive, it is the number of pixels the mouse moved horizontally to the right.
When this value is negative, it is the number of pixels the mouse moved horizontally to the left.
The third byte is similar to the second and represents the vertical (up/down) offset.
(figure: mouse traffic packet analysis)

This means that the mouse moves 01 pixels to the right and ff vertically, i.e. one pixel upward (0xff is -1 as a signed byte).

Problem solving

Use the tshark command to extract the data:

tshark -r usbx.pcap -T fields -e usb.capdata > usbdata.txt

Extract the data into usbdata.txt as shown in the figure (figure: tshark extraction). I tidied up this .txt file myself: there were a lot of blank lines before 0001fe00, which I deleted after exporting. It is not known in advance whether the operator moved and dragged the trajectory with the left or the right button held, so you need to try for yourself. Testing showed that the drawing was made with the left button, so just set btn_flag in the general script to 1.

#sniffer.py
# Accumulate relative mouse movement from usbdata.txt (data without colons)
# and write the cursor position to result.txt whenever the chosen button is held
keys = open('usbdata.txt', 'r')
result = open('result.txt', 'w')
posx = 0
posy = 0
for line in keys:
    line = line.strip()
    if not line:                    # skip blank lines left over from tshark
        continue
    x = int(line[2:4], 16)          # second byte: horizontal offset
    y = int(line[5:7], 16)          # vertical offset at [5:7] for data without colons (see the note above)
    if x > 127:                     # signed byte: values above 127 are negative
        x -= 256
    if y > 127:
        y -= 256
    posx += x
    posy += y
    btn_flag = int(line[0:2], 16)   # 1 for left, 2 for right, 0 for nothing
    if btn_flag == 1:               # 1 = left button, 2 = right button
        result.write(str(posx) + ' ' + str(-posy) + '\n')
keys.close()
result.close()

Run the sniffer.py script:

python3 sniffer.py

Get the coordinate content of result.txt (figure: coordinate content).
Next, use gnuplot to draw the image traced by the mouse:

gnuplot -e "plot 'result.txt' " -p

Get the final flag (figure: flag).
Note: the data in the usbdata.txt file used here has no colons. If you need to add them, use the following script (because the general-purpose script locates fields by their position in colon-separated data: with colons the third byte is taken from [6:8], without colons it is taken from [5:7]):

# Insert a colon between every pair of hex digits: 0001fe00 -> 00:01:fe:00
f = open('usbdata.txt', 'r')
fi = open('out.txt', 'w')
for a in f:
    a = a.strip()
    if not a:                  # skip blank lines instead of stopping at the first one
        continue
    if len(a) == 8:            # for keyboard traffic change 8 to 16
        out = ''
        for i in range(0, len(a), 2):
            if i + 2 != len(a):
                out += a[i] + a[i + 1] + ":"
            else:
                out += a[i] + a[i + 1]
        fi.write(out)
        fi.write('\n')
f.close()
fi.close()

The converted file is shown in the figure (figure: conversion result).

Now that the data in usbdata.txt contains colons, run the new sniffer.py script:

#sniffer.py
# Same as above, but for colon-separated data (00:01:fe:00) the bytes sit at
# [0:2], [3:5] and [6:8]
keys = open('usbdata.txt', 'r')
result = open('result.txt', 'w')
posx = 0
posy = 0
for line in keys:
    line = line.strip()
    if not line:                    # skip blank lines
        continue
    x = int(line[3:5], 16)          # second byte: horizontal offset
    y = int(line[6:8], 16)          # third byte: vertical offset
    if x > 127:                     # signed byte: values above 127 are negative
        x -= 256
    if y > 127:
        y -= 256
    posx += x
    posy += y
    btn_flag = int(line[0:2], 16)   # 1 for left, 2 for right, 0 for nothing
    if btn_flag == 1:               # 1 = left button, 2 = right button
        result.write(str(posx) + ' ' + str(-posy) + '\n')
keys.close()
result.close()

Get result.txt and finally run:

gnuplot -e "plot 'result.txt' " -p

Get the results and everything is fine.
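As an added example (not the original post's script), here is a decoder that handles both capdata layouts by converting each report to bytes rather than slicing the string at fixed positions, so the button, X and Y values come out of the same byte offsets whether or not tshark emitted colons, and blank lines are skipped. The sample lines are constructed, and `parse_report` / `trace_path` are names chosen here.

```python
# Added example (not the original post's script): decode 4-byte HID boot-mouse
# reports from tshark "usb.capdata" output in either form ("00:01:fe:00" or
# "0001fe00"), skip blank lines, and accumulate the cursor path per button.
from typing import List, Optional, Tuple

def parse_report(line: str) -> Optional[Tuple[int, int, int]]:
    """Return (buttons, dx, dy) for one capdata line, or None if unusable."""
    hexstr = line.strip().replace(":", "")
    if len(hexstr) < 6:            # need at least the button, X and Y bytes
        return None
    try:
        report = bytes.fromhex(hexstr)
    except ValueError:             # not hex, or odd length
        return None
    buttons = report[0]
    # X/Y are signed bytes: bit 7 is the sign, so 0xff is -1 (one pixel left/up)
    dx = report[1] - 256 if report[1] > 127 else report[1]
    dy = report[2] - 256 if report[2] > 127 else report[2]
    return buttons, dx, dy

def trace_path(lines, button_mask: int = 1) -> List[Tuple[int, int]]:
    """Accumulate relative moves; keep the points drawn while a button in
    button_mask (1 = left, 2 = right) is held. Y is negated so gnuplot's
    upward axis matches screen 'up'."""
    posx = posy = 0
    points: List[Tuple[int, int]] = []
    for line in lines:
        rep = parse_report(line)
        if rep is None:
            continue
        buttons, dx, dy = rep
        posx += dx
        posy += dy
        if buttons & button_mask:
            points.append((posx, -posy))
    return points

# Constructed sample input (not from the CTF capture): colon-separated reports,
# a blank line, then raw hex reports, as tshark might emit either form.
SAMPLE = """00:05:00:00

01:03:00:00
01:00:fd:00
0102ff00
00010000
"""

if __name__ == "__main__":          # write the same "x y" lines gnuplot reads
    with open("result.txt", "w") as out:
        out.write("\n".join(f"{x} {y}" for x, y in trace_path(SAMPLE.splitlines())))
```

The resulting result.txt can be plotted with the same gnuplot command as above; pass button_mask=2 to trace a drawing made with the right button instead.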
Article references:
USB traffic forensic analysis
Notes on a USB traffic analysis CTF question
A USB traffic analysis CTF question

This is my first blog post and the formatting is inadequate, please correct me! If the content is wrong or there is something you don't understand, please comment below.


Source: blog.csdn.net/weixin_44145452/article/details/108926046