CTF—MISC—USB鍵盤流量分析

阿新 • • 發佈：2021-08-24

題目

題目名稱：鍵盤流量
題目型別：MISC

解題思路

題目下載解壓發現是55.pcapng、miwen.txt兩個檔案

55.pcapng

開啟pcap包，發現是usb的鍵盤流量，鍵盤流量的資料記錄在Data中，需要把所有Data資料提取出來，進行十六進位制鍵位轉換得出資料包記錄的鍵盤敲擊內容
1、利用wireshark tshark.exe命令提取流量資料，詳情如下：

tshark.exe -T json -r 55.pcapng > test.json
//用法 tshark.exe -T json -r 資料包名稱 > 要匯出的檔案

匯出的檔案如下，鍵盤資料儲存在usbhid.data中，將所有的usbhid.data值提取出來

2、利用python編寫的指令碼對提取出來的所有usbhid.data轉化生成敲擊內容,指令碼原理

#!/usr/bin/env python
# -*- coding:utf-8 -*-

normalKeys = {"04":"a", "05":"b", "06":"c", "07":"d", "08":"e", "09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j", "0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o", "13":"p", "14":"q", "15":"r", "16":"s", "17":"t", "18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y", "1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4", "22":"5", "23":"6","24":"7","25":"8","26":"9","27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\\","32":"<NON>","33":";","34":"'","35":"<GA>","36":",","37":".","38":"/","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
shiftKeys = {"04":"A", "05":"B", "06":"C", "07":"D", "08":"E", "09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J", "0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O", "13":"P", "14":"Q", "15":"R", "16":"S", "17":"T", "18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y", "1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$", "22":"%", "23":"^","24":"&","25":"*","26":"(","27":")","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"<NON>","33":"\"","34":":","35":"<GA>","36":"<","37":">","38":"?","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
output = []
keys = open('usbdata.txt')
for line in keys:
    try:
        if line[0]!='0' or (line[1]!='0' and line[1]!='2') or line[3]!='0' or line[4]!='0' or line[9]!='0' or line[10]!='0' or line[12]!='0' or line[13]!='0' or line[15]!='0' or line[16]!='0' or line[18]!='0' or line[19]!='0' or line[21]!='0' or line[22]!='0' or line[6:8]=="00":
             continue
        if line[6:8] in normalKeys.keys():
            output += [[normalKeys[line[6:8]]],[shiftKeys[line[6:8]]]][line[1]=='2']
        else:
            output += ['[unknown]']
    except:
        pass
keys.close()

flag=0
print("".join(output))
for i in range(len(output)):
    try:
        a=output.index('<DEL>')
        del output[a]
        del output[a-1]
    except:
        pass
for i in range(len(output)):
    try:
        if output[i]=="<CAP>":
            flag+=1
            output.pop(i)
            if flag==2:
                flag=0
        if flag!=0:
            output[i]=output[i].upper()
    except:
        pass
print ('output :' + "".join(output))

內容為

plk<DEL>eae<DEL>sey<DEL>fii<DEL>ndts<DEL>hery<DEL>ealy<DEL>keyd<DEL>words<DEL>
output :pleasefindtherealkeyword

key

tshark.exe使用參考

CTF—MISC—USB鍵盤流量分析

題目題目名稱：鍵盤流量題目型別：MISC 解題思路題目下載解壓發現是55.pcapng、miwen.txt兩個檔案

鍵盤流量分析UsbKeyboardDataHacker指令碼

這是python3的指令碼 1 #!/usr/bin/env python 2 3 import sys 4 import os 5 6 DataFileName = \"usb.dat\"

BUUCTF Misc [DDCTF2018]流量分析

[DDCTF2018]流量分析 Quoted-printable編碼追蹤TCP流，找到這樣一串編碼 =E4=BD=A0=E5=A5=BD=EF=BC=8C=E8=AF=B7=E4=BD=A0=E5=B0=86=E5=AF=86=E9=92=A5=E5=AE=89=E8=A3=85=E5=88=B0=E6=9C=8D=E5=8A=A1=E5=99=A8=E4=B