0x01 The Problem

In a CTF challenge we were handed a capture file, task_autokey.pcapng, which opens in Wireshark as shown below. How do we analyze it?

0x02 Problem Analysis

How are traffic packets captured?

First, the Wireshark dissection above tells us these are USB packets, so let's start with how USB traffic is captured in the first place.

Before we get started, some USB basics. USB devices come in many classes; these are the three ways USB is used most often:

  • USB UART
  • USB HID
  • USB Memory

UART, or Universal Asynchronous Receiver/Transmitter: here the device (typically a USB-to-serial bridge) uses USB purely as a serial channel to receive and transmit bytes; there is no other communication function.

HID stands for Human Interface Device. This class is meant for user interaction; keyboards, mice, gamepads and some input-capable displays belong to it.

Finally, USB Memory, i.e. mass storage: external hard drives, thumb drives / flash drives, and so on.

HID and mass storage are by far the most common.

Every USB device, not only HID or storage devices, carries a Vendor ID and a Product ID. The Vendor ID marks which vendor made the device (it is assigned by the USB-IF); the Product ID distinguishes that vendor's products and is chosen by the vendor. Neither number is special by itself, but the pair is expected to be unique per product. See the lsusb listing below.

The listing above shows the USB devices connected to my virtual machine, obtained with the lsusb command.

For example, I have a wireless mouse passed through to VMware. It is an HID device and works fine. Looking at the lsusb output of all USB devices, can you tell which entry is the mouse? That's right, it's the fourth one:

Bus 002 Device 002: ID 0e0f:0003 VMware, Inc. Virtual Mouse

Here ID 0e0f:0003 is the vendor:product pair: the Vendor ID is 0e0f and the Product ID is 0003. Bus 002 Device 002 means the device has address 2 on USB bus 2. Note the bus number; we will need it to choose the capture interface.

We ran Wireshark as root to capture the USB data streams. In general that is not recommended: Wireshark's dissectors are a large attack surface and should not run with root privileges. Instead, give an unprivileged account read access to the usbmon devices on Linux with a udev rule. Create a usbmon group and add our account to it (the following commands need root, e.g. via sudo):

addgroup usbmon
gpasswd -a $USER usbmon
echo 'SUBSYSTEM=="usbmon", GROUP="usbmon", MODE="640"' > /etc/udev/rules.d/99-usbmon.rules

Next we need the usbmon kernel module. If it is not loaded, load it with:

modprobe usbmon

Open Wireshark and you will see interfaces named usbmonX, where X is a number. Here is what I got (still running as root):

If an interface is active, i.e. traffic is passing through it, Wireshark draws a small sparkline next to it. So which one do we pick? Exactly: the number X is the USB bus number we noted earlier. Our mouse sits on bus 002, so usbmon2 captures just that bus; usbmon0 is a pseudo-interface that aggregates every bus and works as well. Start the capture and you can watch the packets.
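The setup above as one script, written as an added example for this page (it is not part of the original post or of Wireshark): it wraps the group and udev steps, maps a VID:PID to its usbmon interface by parsing lsusb output, and captures that single bus with tshark. The script name usbcap.sh and the function names are my own; the lsusb line in the usage note is the one shown above.

```shell
#!/bin/sh
# usbcap.sh: capture one USB bus with tshark without running it as root.

# One-time setup: dedicated group, udev rule, kernel module (needs sudo).
# The rule only applies to device nodes created after it is loaded, so the
# rules are reloaded and re-triggered; the group change needs a new login.
setup_usbmon_group() {
    sudo addgroup usbmon
    sudo gpasswd -a "$USER" usbmon
    printf 'SUBSYSTEM=="usbmon", GROUP="usbmon", MODE="640"\n' |
        sudo tee /etc/udev/rules.d/99-usbmon.rules >/dev/null
    sudo modprobe usbmon
    sudo udevadm control --reload-rules
    sudo udevadm trigger --subsystem-match=usbmon
    echo "log out and back in so the new group membership applies"
}

# Print the bus number of the device with the given VID:PID. lsusb output is
# read from stdin so the function can be fed real or canned listings.
bus_for_id() {
    grep -iF "ID $1 " | sed -E 's/^Bus 0*([0-9]+) Device.*/\1/' | head -n 1
}

# usbmonN captures only bus N; usbmon0 aggregates every bus.
usbmon_iface_for() {
    bus=$(bus_for_id "$1")
    [ -n "$bus" ] || return 1
    echo "usbmon$bus"
}

# Capture a single bus to a file. After setup this runs as your own user.
capture_device() {
    iface=$(lsusb | usbmon_iface_for "$1") || {
        echo "device $1 not found" >&2
        return 1
    }
    tshark -i "$iface" -w "$2"
}

case "${1:-}" in
    setup)   setup_usbmon_group ;;
    capture) capture_device "$2" "$3" ;;
esac
```

Run ./usbcap.sh setup once, log out and back in, then ./usbcap.sh capture 0e0f:0003 mouse.pcapng: with the lsusb line from above, usbmon_iface_for prints usbmon2 and tshark captures only that bus, as your own user, because the udev rule gave the usbmon group read access to /dev/usbmon*.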

With this we understand how the host and the USB device communicate, and we can move on to analyzing the captured packets.

How to analyze a USB traffic packet?

With the background above we have a rough picture of how a USB capture is produced. Now we look at how to analyze the packets in it.

For details of the USB protocol, see the Wireshark wiki: wiki.wireshark.org/USB

Let's start with a simple example from GitHub.

The payload we care about is the field Wireshark labels "Leftover Capture Data" (usb.capdata). tshark can extract it for every packet:

tshark -r example.pcap -T fields -e usb.capdata

To write the result to usbdata.txt instead of the terminal, append a redirection: > usbdata.txt

On Windows, use tshark.exe from the Wireshark install directory, for example D:\Program Files\Wireshark\tshark.exe. Open cmd, change to that directory and run:

tshark.exe -r example.pcap -T fields -e usb.capdata > usbdata.txt

The option is -T fields with a capital T; a lowercase -t sets the timestamp format and will not select the output format. Note also that recent Wireshark versions fully dissect HID reports, in which case usb.capdata is empty for them and the same bytes are exposed as usbhid.data; if the output file comes back blank, retry with -e usbhid.data.

For the full set of tshark options, see the official manual page: www.wireshark.org/docs/man-pa…

Run the command and inspect usbdata.txt: every data line is eight bytes long.

I found a chart of the report formats of common USB HID applications that explains this length clearly (see the figure):

Here we only consider keyboard and mouse traffic.

A keyboard report is 8 bytes. Byte 0 is the modifier bitmap (bit 1 = left Shift, 0x02; bit 5 = right Shift, 0x20; the other bits cover Ctrl, Alt and GUI), byte 1 is reserved, and bytes 2 to 7 hold up to six usage IDs of the keys currently pressed. With ordinary typing only one key is down at a time, so the keystroke information is concentrated in the third byte (byte 2). The keyboard sends a report whenever its state changes, so every key press produces a Keyboard Event packet, and the release that follows produces a report whose key bytes are all zero.

A mouse report is 4 bytes (3 bytes in the boot protocol, which has no wheel). Byte 0 is a button bitmask: 0x00 means no button, 0x01 the left button, 0x02 the right button (0x04 the middle button), and simultaneous buttons are ORed together. Byte 1 is a signed 8-bit value: the highest bit is the sign bit; positive values are pixels moved horizontally to the right, negative values pixels moved to the left. Byte 2 is the same for vertical movement, where positive means down. Byte 3, when present, is the scroll wheel. All movement values are relative to the previous report, so the cursor position is obtained by summing them.

After going through a fair amount of USB documentation, I found the mapping between these values and the actual keys: the HID Usage Tables (Keyboard/Keypad page), www.usb.org/developers/…

We extract the third byte of every report and decode it through this mapping table with the following script:

mappings = {
    0x04: "A", 0x05: "B", 0x06: "C", 0x07: "D", 0x08: "E", 0x09: "F", 0x0A: "G",
    0x0B: "H", 0x0C: "I", 0x0D: "J", 0x0E: "K", 0x0F: "L", 0x10: "M", 0x11: "N",
    0x12: "O", 0x13: "P", 0x14: "Q", 0x15: "R", 0x16: "S", 0x17: "T", 0x18: "U",
    0x19: "V", 0x1A: "W", 0x1B: "X", 0x1C: "Y", 0x1D: "Z",
    0x1E: "1", 0x1F: "2", 0x20: "3", 0x21: "4", 0x22: "5", 0x23: "6", 0x24: "7",
    0x25: "8", 0x26: "9", 0x27: "0",
    0x28: "\n", 0x2A: "[DEL]", 0x2B: "\t", 0x2C: " ", 0x2D: "-", 0x2E: "=",
    0x2F: "[", 0x30: "]", 0x31: "\\", 0x32: "~", 0x33: ";", 0x34: "'",
    0x36: ",", 0x37: ".",
}

# A line looks like 00:00:xx:00:00:00:00:00. Keep only reports in which every
# byte except the third (byte 2, the first keycode) is zero, i.e. a single
# key with no modifier; shifted keys and multi-key reports are skipped.
nums = []
with open('usbdata.txt') as keys:
    for line in keys:
        parts = line.strip().split(':')
        if len(parts) != 8:
            continue
        if any(p != '00' for i, p in enumerate(parts) if i != 2):
            continue
        nums.append(int(parts[2], 16))

output = ""
for n in nums:
    if n == 0:
        continue
    if n in mappings:
        output += mappings[n]
    else:
        output += '[unknown]'
print('output :\n' + output)

The results are as follows:

Integrating the above into a complete script that runs tshark itself and also handles the Shift modifier, we get:

#!/usr/bin/env python
import sys
import os
import subprocess

DataFileName = "usb.dat"

presses = []

normalKeys = {
    "04": "a", "05": "b", "06": "c", "07": "d", "08": "e", "09": "f", "0a": "g",
    "0b": "h", "0c": "i", "0d": "j", "0e": "k", "0f": "l", "10": "m", "11": "n",
    "12": "o", "13": "p", "14": "q", "15": "r", "16": "s", "17": "t", "18": "u",
    "19": "v", "1a": "w", "1b": "x", "1c": "y", "1d": "z",
    "1e": "1", "1f": "2", "20": "3", "21": "4", "22": "5", "23": "6", "24": "7",
    "25": "8", "26": "9", "27": "0",
    "28": "<RET>", "29": "<ESC>", "2a": "<DEL>", "2b": "\t", "2c": "<SPACE>",
    "2d": "-", "2e": "=", "2f": "[", "30": "]", "31": "\\", "32": "<NON>",
    "33": ";", "34": "'", "35": "<GA>", "36": ",", "37": ".", "38": "/",
    "39": "<CAP>", "3a": "<F1>", "3b": "<F2>", "3c": "<F3>", "3d": "<F4>",
    "3e": "<F5>", "3f": "<F6>", "40": "<F7>", "41": "<F8>", "42": "<F9>",
    "43": "<F10>", "44": "<F11>", "45": "<F12>",
}

shiftKeys = {
    "04": "A", "05": "B", "06": "C", "07": "D", "08": "E", "09": "F", "0a": "G",
    "0b": "H", "0c": "I", "0d": "J", "0e": "K", "0f": "L", "10": "M", "11": "N",
    "12": "O", "13": "P", "14": "Q", "15": "R", "16": "S", "17": "T", "18": "U",
    "19": "V", "1a": "W", "1b": "X", "1c": "Y", "1d": "Z",
    "1e": "!", "1f": "@", "20": "#", "21": "$", "22": "%", "23": "^", "24": "&",
    "25": "*", "26": "(", "27": ")",
    "28": "<RET>", "29": "<ESC>", "2a": "<DEL>", "2b": "\t", "2c": "<SPACE>",
    "2d": "_", "2e": "+", "2f": "{", "30": "}", "31": "|", "32": "<NON>",
    "33": "\"", "34": ":", "35": "<GA>", "36": "<", "37": ">", "38": "?",
    "39": "<CAP>", "3a": "<F1>", "3b": "<F2>", "3c": "<F3>", "3d": "<F4>",
    "3e": "<F5>", "3f": "<F6>", "40": "<F7>", "41": "<F8>", "42": "<F9>",
    "43": "<F10>", "44": "<F11>", "45": "<F12>",
}


def main():
    # check argv
    if len(sys.argv) != 2:
        print("Usage : ")
        print("        python UsbKeyboardHacker.py data.pcap")
        print("Tips : ")
        print("        To use this python script , you must install the tshark first.")
        print("        You can use `sudo apt-get install tshark` to install it")
        print("Author : ")
        print("        Angel_Kitty <[email protected]>")
        print("        If you have any questions , please contact me by email.")
        print("        Thank you for using.")
        exit(1)

    # get argv
    pcapFilePath = sys.argv[1]

    # get data of pcap. The arguments are passed as a list, not through a
    # shell, so a crafted file name cannot inject commands.
    with open(DataFileName, "w") as out:
        subprocess.run(["tshark", "-r", pcapFilePath, "-T", "fields", "-e", "usb.capdata"],
                       stdout=out, check=True)

    # read data
    with open(DataFileName, "r") as f:
        for line in f:
            presses.append(line[0:-1])

    # handle
    result = ""
    for press in presses:
        Bytes = press.split(":")
        if len(Bytes) != 8:
            continue  # not a keyboard report (e.g. an empty line)
        if Bytes[0] == "00":
            if Bytes[2] != "00":
                result += normalKeys.get(Bytes[2], "<%s>" % Bytes[2])
        elif Bytes[0] in ("02", "20"):
            # left (0x02) or right (0x20) shift key is pressed.
            if Bytes[2] != "00":
                result += shiftKeys.get(Bytes[2], "<%s>" % Bytes[2])
        else:
            print("[-] Unknow Key : %s" % (Bytes[0]))
    print("[+] Found : %s" % (result))

    # clean the temp data
    os.remove(DataFileName)


if __name__ == "__main__":
    main()

The effect is as follows:
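The two scripts above emit byte 2 of every report and only know the right Shift bit (0x20). As an added example, written for this page and not taken from the original post, here is a decoder that handles what real captures contain: both Shift bits, Caps Lock, up to six simultaneous keys, repeated reports while a key is held (each key is emitted once, on the report where it first appears), Backspace applied to the text (so the [DEL] cleanup that is done by hand later in this article happens automatically), the ErrorRollOver report, and the blank lines tshark prints for packets without a payload. The sample report lines are constructed for the demo, not taken from a capture; the file and function names are my own.

```python
#!/usr/bin/env python3
"""Decode USB HID boot-keyboard reports (8 bytes each) into typed text."""
import sys
from typing import Iterable, Optional

# HID usage ID -> (unshifted, shifted) character, US layout.
KEYMAP = {0x04 + i: (chr(ord("a") + i), chr(ord("A") + i)) for i in range(26)}
KEYMAP.update({
    0x1e: ("1", "!"), 0x1f: ("2", "@"), 0x20: ("3", "#"), 0x21: ("4", "$"),
    0x22: ("5", "%"), 0x23: ("6", "^"), 0x24: ("7", "&"), 0x25: ("8", "*"),
    0x26: ("9", "("), 0x27: ("0", ")"), 0x28: ("\n", "\n"), 0x2b: ("\t", "\t"),
    0x2c: (" ", " "), 0x2d: ("-", "_"), 0x2e: ("=", "+"), 0x2f: ("[", "{"),
    0x30: ("]", "}"), 0x31: ("\\", "|"), 0x33: (";", ":"), 0x34: ("'", '"'),
    0x35: ("`", "~"), 0x36: (",", "<"), 0x37: (".", ">"), 0x38: ("/", "?"),
})
BACKSPACE, CAPS_LOCK = 0x2a, 0x39
SHIFT_MASK = 0x02 | 0x20          # byte 0: bit 1 = left Shift, bit 5 = right Shift
ROLLOVER = [0x01] * 6             # key field of the ErrorRollOver report


def parse_report(line: str) -> Optional[bytes]:
    """Turn one tshark line such as 00:00:0b:00:00:00:00:00 into bytes, or None."""
    line = line.strip()
    if not line:
        return None                              # packet without a data payload
    try:
        report = bytes.fromhex(line.replace(":", ""))
    except ValueError:
        return None
    return report if len(report) == 8 else None  # not a boot keyboard report


def decode_keyboard(lines: Iterable[str]) -> str:
    """Replay keyboard reports and return the text as the user saw it."""
    text = []
    caps = False
    held = set()                                 # usage IDs down in the previous report
    for line in lines:
        report = parse_report(line)
        if report is None:
            continue
        mods, keys = report[0], [k for k in report[2:] if k]
        if keys == ROLLOVER:                     # too many keys down: no key data
            continue
        shift = bool(mods & SHIFT_MASK)
        # A keyboard reports whenever its state changes, so a key still held
        # from the previous report would be typed twice if every byte 2 were used.
        for k in [k for k in keys if k not in held]:
            if k == BACKSPACE:
                if text:
                    text.pop()
            elif k == CAPS_LOCK:
                caps = not caps
            elif k in KEYMAP:
                lower, upper = KEYMAP[k]
                # Caps Lock only affects letters; Shift inverts its effect.
                upper_case = shift ^ (caps and lower.isalpha())
                text.append(upper if upper_case else lower)
            else:
                text.append("[0x%02x]" % k)      # F-keys, arrows, ... not in the table
        held = set(keys)
    return "".join(text)


# Constructed sample: Shift+h, i, Shift+1, Backspace, Caps Lock, a, b (while a
# is still held), a blank line, then 1. Decodes to "HiAB1".
SAMPLE_LINES = [
    "20:00:0b:00:00:00:00:00",  # right Shift + h
    "20:00:00:00:00:00:00:00",  # h released, Shift still down
    "00:00:00:00:00:00:00:00",
    "00:00:0c:00:00:00:00:00",  # i
    "00:00:00:00:00:00:00:00",
    "02:00:1e:00:00:00:00:00",  # left Shift + 1 -> "!"
    "00:00:00:00:00:00:00:00",
    "00:00:2a:00:00:00:00:00",  # Backspace erases the "!"
    "00:00:00:00:00:00:00:00",
    "00:00:39:00:00:00:00:00",  # Caps Lock on
    "00:00:00:00:00:00:00:00",
    "00:00:04:00:00:00:00:00",  # a -> "A"
    "00:00:04:05:00:00:00:00",  # b pressed while a is held -> "B" only
    "00:00:00:00:00:00:00:00",
    "",                         # packet with no capdata
    "00:00:1e:00:00:00:00:00",  # 1 (Caps Lock does not touch digits)
]

if __name__ == "__main__":
    # Usage: python3 hid_keyboard.py usbdata.txt  (no argument: run the sample)
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LINES
    print(decode_keyboard(src))
```

Produce usbdata.txt with tshark -r capture.pcapng -T fields -e usb.capdata (or -e usbhid.data on newer Wireshark) and pass it as the argument. Because Backspace is applied while decoding, the output for this article's capture would already read ...MBVEXPZIZ instead of ...MBVEXO[DEL]PZE[DEL]IZ.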

A script for converting mouse traffic is also attached:

# Each line of usbdata.txt is a 4-byte mouse report, e.g. 01:05:fe:00
posx = 0
posy = 0
with open('usbdata.txt', 'r') as keys:
    for line in keys:
        if len(line) != 12:
            continue
        x = int(line[3:5], 16)
        y = int(line[6:8], 16)
        if x > 127:      # two's complement: values above 127 are negative
            x -= 256
        if y > 127:
            y -= 256
        posx += x
        posy += y
        btn_flag = int(line[0:2], 16)  # 1 for left, 2 for right, 0 for nothing
        if btn_flag == 1:
            print(posx, posy)
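The mouse script above prints one coordinate per report while the left button is held; the usual next step is to plot those points with gnuplot to see what was drawn. As an added example (mine, not the post's), the following decoder accepts both 3-byte and 4-byte reports, decodes the signed deltas with int.from_bytes instead of the manual 127/256 test, treats byte 0 as the button bitmask it really is, and rasterizes the left-button trail into an ASCII canvas so a drawn flag can be read in the terminal. The report lines are constructed for the demo; the function names are my own.

```python
#!/usr/bin/env python3
"""Decode USB HID mouse reports and rasterize the left-button trail."""
import sys
from typing import Iterable, List, Optional, Tuple

LEFT, RIGHT, MIDDLE = 0x01, 0x02, 0x04   # button bits of byte 0


def _signed(b: int) -> int:
    """Interpret one report byte as a signed 8-bit delta."""
    return int.from_bytes(bytes([b]), "little", signed=True)


def parse_mouse_report(line: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (buttons, dx, dy, wheel) for one tshark line, or None."""
    line = line.strip()
    if not line:
        return None
    try:
        r = bytes.fromhex(line.replace(":", ""))
    except ValueError:
        return None
    if len(r) not in (3, 4):      # boot protocol: 3 bytes; a wheel adds a 4th
        return None
    wheel = _signed(r[3]) if len(r) == 4 else 0
    return r[0], _signed(r[1]), _signed(r[2]), wheel


def left_button_trail(lines: Iterable[str]) -> List[Tuple[int, int]]:
    """Integrate relative moves; return cursor positions while the left button is down."""
    x = y = 0
    trail = []
    for line in lines:
        rep = parse_mouse_report(line)
        if rep is None:
            continue
        buttons, dx, dy, _wheel = rep
        x += dx
        y += dy                            # HID convention: positive dy is downwards
        if buttons & LEFT:
            trail.append((x, y))
    return trail


def render(points: List[Tuple[int, int]], mark: str = "#", blank: str = ".") -> str:
    """Rasterize points onto the smallest grid that holds them; row 0 is the top."""
    if not points:
        return ""
    xs = [p[0] for p in points]
    ys = [p[1] for p in points]
    w, h = max(xs) - min(xs) + 1, max(ys) - min(ys) + 1
    grid = [[blank] * w for _ in range(h)]
    for px, py in points:
        grid[py - min(ys)][px - min(xs)] = mark
    return "\n".join("".join(row) for row in grid)


# Constructed sample: move right 3 without a button, then draw an L shape
# with the left button down, then a 3-byte right-click report.
SAMPLE_LINES = [
    "00:03:00:00",   # move to (3, 0), no button
    "01:00:00:00",   # left button pressed at (3, 0)
    "01:00:01:00",   # (3, 1)
    "01:00:01:00",   # (3, 2)
    "01:01:00:00",   # (4, 2)
    "01:01:00:00",   # (5, 2)
    "00:00:00:00",   # released
    "02:fe:ff",      # right click, dx = -2, dy = -1: moves the cursor, not in the trail
]

if __name__ == "__main__":
    # Usage: python3 hid_mouse.py usbdata.txt  (no argument: run the sample)
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LINES
    pts = left_button_trail(src)
    print(pts)
    print(render(pts))
```

For a real capture the trail is thousands of points; render still works, but widen the terminal or downsample the coordinates (integer-divide x and y by a constant) before rendering.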

A further keyboard conversion script is also included. Note that its mapping table is the Windows virtual-key code table (VK_A..VK_Z are 0x41..0x5A, VK_NUMPAD0..VK_DIVIDE are 0x60..0x6F), not the HID usage table used above, so it applies to values that have already been translated by Windows:

nums = [0x66, 0x30, 0x39, 0x65, 0x35, 0x34, 0x63, 0x31, 0x62, 0x61, 0x64, 0x32,
        0x78, 0x33, 0x38, 0x6d, 0x76, 0x79, 0x67, 0x37, 0x77, 0x7a, 0x6c, 0x68,
        0x73, 0x75, 0x6b, 0x69, 0x6a, 0x6e, 0x6f, 0x70]
s = ''
for x in nums:
    s += chr(x)
print(s)

mappings = {
    0x41: "A", 0x42: "B", 0x43: "C", 0x44: "D", 0x45: "E", 0x46: "F", 0x47: "G",
    0x48: "H", 0x49: "I", 0x4a: "J", 0x4b: "K", 0x4c: "L", 0x4d: "M", 0x4e: "N",
    0x4f: "O", 0x50: "P", 0x51: "Q", 0x52: "R", 0x53: "S", 0x54: "T", 0x55: "U",
    0x56: "V", 0x57: "W", 0x58: "X", 0x59: "Y", 0x5a: "Z",
    0x60: "0", 0x61: "1", 0x62: "2", 0x63: "3", 0x64: "4", 0x65: "5", 0x66: "6",
    0x67: "7", 0x68: "8", 0x69: "9",
    0x6a: "*", 0x6b: "+", 0x6c: "separator", 0x6d: "-", 0x6e: ".", 0x6f: "/",
}
output = ""
for n in nums:
    if n == 0:
        continue
    if n in mappings:
        output += mappings[n]
    else:
        output += '[unknown]'
print('output :\n' + output)

The example project used above is available here: files.cnblogs.com/files/ECJTU…

Now back to the problem we started with; we apply the same steps:

First, export usb.capdata with tshark:

tshark -r task_autokey.pcapng -T fields -e usb.capdata > usbdata.txt

Then we run the first Python script above, the one that keeps only single-key reports and maps the third byte through the usage table, over usbdata.txt.


The output is:

output :
[unknown]A[unknown]UTOKEY''.DECIPHER'[unknown]MPLRVFFCZEYOUJFJKYBXGZVDGQAURKXZOLKOLVTUFBLRNJESQITWAHXNSIJXPNMPLSHCJBTYHZEALOGVIAAISSPLFHLFSWFEHJNCRWHTINSMAMBVEXO[DEL]PZE[DEL]IZ'

The typed text itself tells us what we are looking at: "AUTOKEY ... DECIPHER", so the long string is an Autokey cipher ciphertext. [DEL] is Backspace (usage 0x2A), so the character typed before each [DEL] was erased: ...MBVEXO[DEL]PZE[DEL]IZ becomes ...MBVEXPZIZ, and the ciphertext is MPLRVFF...MBVEXPZIZ. The question now is how to decipher Autokey when we don't know the key.

I found this article on recovering an Autokey key by brute force: www.practicalcryptography.com/cryptanalys…

The cracking script (it needs the ngram_score module with its quadgrams.txt and trigrams.txt files from that site, plus pycipher for the Autokey implementation):

from ngram_score import ngram_score
from pycipher import Autokey
import re
from itertools import permutations

qgram = ngram_score('quadgrams.txt')
trigram = ngram_score('trigrams.txt')
ctext = 'MPLRVFFCZEYOUJFJKYBXGZVDGQAURKXZOLKOLVTUFBLRNJESQITWAHXNSIJXPNMPLSHCJBTYHZEALOGVIAAISSPLFHLFSWFEHJNCRWHTINSMAMBVEXPZIZ'
ctext = re.sub(r'[^A-Z]', '', ctext.upper())


# keep a list of the N best things we have seen, discard anything else
class nbest(object):
    def __init__(self, N=1000):
        self.store = []
        self.N = N

    def add(self, item):
        self.store.append(item)
        self.store.sort(reverse=True)
        self.store = self.store[:self.N]

    def __getitem__(self, k):
        return self.store[k]

    def __len__(self):
        return len(self.store)


# init
N = 100
for KLEN in range(3, 20):
    rec = nbest(N)

    # seed with every 3-letter key prefix, scored with trigrams on the
    # plaintext positions that prefix controls
    for i in permutations('ABCDEFGHIJKLMNOPQRSTUVWXYZ', 3):
        key = ''.join(i) + 'A' * (KLEN - len(i))
        pt = Autokey(key).decipher(ctext)
        score = 0
        for j in range(0, len(ctext), KLEN):
            score += trigram.score(pt[j:j + 3])
        rec.add((score, ''.join(i), pt[:30]))

    # extend the best prefixes one letter at a time, scoring with quadgrams
    next_rec = nbest(N)
    for i in range(0, KLEN - 3):
        for k in range(N):
            for c in 'ABCDEFGHIJKLMNOPQRSTUVWXYZ':
                key = rec[k][1] + c
                fullkey = key + 'A' * (KLEN - len(key))
                pt = Autokey(fullkey).decipher(ctext)
                score = 0
                for j in range(0, len(ctext), KLEN):
                    score += qgram.score(pt[j:j + len(key)])
                next_rec.add((score, key, pt[:30]))
        rec = next_rec
        next_rec = nbest(N)

    bestkey = rec[0][1]
    pt = Autokey(bestkey).decipher(ctext)
    bestscore = qgram.score(pt)
    for i in range(N):
        pt = Autokey(rec[i][1]).decipher(ctext)
        score = qgram.score(pt)
        if score > bestscore:
            bestkey = rec[i][1]
            bestscore = score
    print(bestscore, 'autokey, klen', KLEN, ':"' + bestkey + '",', Autokey(bestkey).decipher(ctext))

The results are as follows:

Among the candidates, the one for key length 8 reads as English and contains the word FLAG:

-674.914569565 autokey, klen 8 :"FLAGHERE", HELLOBOYSANDGIRLSYOUARESOSMARTTHATYOUCANFINDTHEFLAGTHATIHIDEINTHEKEYBOARDPACKAGEFLAGISJHAWLZKEWXHNCDHSLWBAQJTUQZDXZQPF

Splitting the plaintext into words:

HELLO
BOYS
AND
GIRLS
YOU
ARE
SO
SMART
THAT
YOU
CAN
FIND
THE
FLAG
THAT
I
HIDE
IN
THE
KEYBOARD
PACKAGE
FLAG
IS
JHAWLZKEWXHNCDHSLWBAQJTUQZDXZQPF

So the flag is flag{JHAWLZKEWXHNCDHSLWBAQJTUQZDXZQPF}.
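The search above depends on the n-gram statistics files from practicalcryptography.com, so it cannot be reproduced offline. As an added example (not from the original post) here is a self-contained Autokey implementation plus a crib-based attack that exploits the cipher's structure rather than statistics: in Autokey the keystream after the first klen letters is the plaintext itself, so a known plaintext fragment at position i reveals the plaintext at i - klen, i - 2*klen, ... and finally one key letter. Dragging the crib THEFLAG (the challenge's own hint that the flag is in the text) across the ciphertext pins down seven of the eight key letters; the remaining one is enumerated and candidates are ranked with a small common-word scorer. The ciphertext and plaintext are the ones shown above; the function names, the word list and the max_unknown bound are my own.

```python
#!/usr/bin/env python3
"""Autokey cipher: implementation and a crib-drag key recovery."""
import itertools
from typing import Dict, Optional, Tuple

# Ciphertext recovered from the keyboard capture above.
CT = ("MPLRVFFCZEYOUJFJKYBXGZVDGQAURKXZOLKOLVTUFBLRNJESQITWAHXNSIJXPNMPLSHCJBTY"
      "HZEALOGVIAAISSPLFHLFSWFEHJNCRWHTINSMAMBVEXPZIZ")
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def autokey_decipher(ct: str, key: str) -> str:
    """pt[i] = ct[i] - ks[i], where the keystream ks is key followed by the plaintext."""
    pt = []
    for i, c in enumerate(ct):
        k = key[i] if i < len(key) else pt[i - len(key)]
        pt.append(chr((ord(c) - ord(k)) % 26 + ord("A")))
    return "".join(pt)


def autokey_encipher(pt: str, key: str) -> str:
    ks = key + pt
    return "".join(chr((ord(p) + ord(k) - 2 * ord("A")) % 26 + ord("A"))
                   for p, k in zip(pt, ks))


def key_from_crib(ct: str, crib: str, pos: int, klen: int) -> Optional[Dict[int, str]]:
    """Walk each crib letter back through the keystream chain to a key letter.
    Returns {key index: letter}, or None if two crib letters disagree."""
    key: Dict[int, str] = {}
    for j, p in enumerate(crib):
        i = pos + j
        while i >= klen:                       # ks[i] = pt[i - klen] = ct[i] - pt[i]
            p = chr((ord(ct[i]) - ord(p)) % 26 + ord("A"))
            i -= klen
        k = chr((ord(ct[i]) - ord(p)) % 26 + ord("A"))   # ks[i] = key[i]
        if key.get(i, k) != k:
            return None
        key[i] = k
    return key


# Crude English scorer: longer common words weigh more. It only has to separate
# the real plaintext from the few thousand candidates the crib drag produces.
WORDS = ("THE", "AND", "YOU", "ARE", "THAT", "THIS", "WITH", "FLAG", "CAN",
         "FIND", "KEY", "HAVE", "FROM", "NOT", "FOR")


def english_score(text: str) -> int:
    return sum(len(w) ** 2 * text.count(w) for w in WORDS)


def crack_with_crib(ct: str, crib: str, min_klen: int = 3, max_klen: int = 12,
                    max_unknown: int = 1) -> Tuple[str, str]:
    """Try every key length and crib position; key letters the crib does not
    reach are enumerated (26 ** unknown), so the search is bounded by max_unknown."""
    best = (-1, "", "")
    for klen in range(min_klen, max_klen + 1):
        for pos in range(len(ct) - len(crib) + 1):
            partial = key_from_crib(ct, crib, pos, klen)
            if partial is None:
                continue
            unknown = [r for r in range(klen) if r not in partial]
            if len(unknown) > max_unknown:
                continue
            for fill in itertools.product(ALPHABET, repeat=len(unknown)):
                full = {**partial, **dict(zip(unknown, fill))}
                key = "".join(full[r] for r in range(klen))
                pt = autokey_decipher(ct, key)
                best = max(best, (english_score(pt), key, pt))
    return best[1], best[2]


if __name__ == "__main__":
    key, pt = crack_with_crib(CT, "THEFLAG")
    print(key, pt)
```

A crib at least as long as the key recovers it outright; a shorter crib leaves 26 possibilities per missing letter, which is why the n-gram search above is the general tool and the crib drag the quick win when the challenge leaks a word.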

0x03 Resource Download

All projects covered in this article are on GitHub:

  • github.com/AngelKitty/…

0x04 Extended Reading

  • blog.csdn.net/songze_lee/…
  • wiki.wireshark.org/USB
  • www.usb.org/developers/…
  • www.wireshark.org/docs/man-pa…
  • www.practicalcryptography.com/cryptanalys…
  • hackfun.org/2017/02/22/…