zoukankan      html  css  js  c++  java
  • CTF—MISC—USB键盘流量分析

    题目

    题目名称:键盘流量

    题目类型:MISC

    解题思路

    题目下载解压发现是55.pcapng、miwen.txt两个文件

    miwen.txt

    miwen.txt内容为base64编码假flag,文件大小与实际内容不符,发现txt隐写了零宽字符
    如何发现零宽字符,vim打开文件,如下图:

    python脚本解密

    python3 -m pip install zwsp-steg-py
    
    #!/usr/bin/python
    # -*- coding: utf-8 -*-
    import zwsp_steg
    
    decoded = zwsp_steg.decode('Z​​​​‎‍​​​​​‍​​​​​​‍‏​​​​​‏‎​​​​​‏​​​​​​‍‏‌​​​​‎‍‌​​​​‏‌‍​​​​‎‍‎​​​​‌‏‏​​​​‍‌‍​​​​‏‌‌​​​​‍​‍​​​​‏​‍​​​​‎​‏​​​​‎‎​​​​​‍‏‏​​​​‎‌‌​​​​‏​​​​​​‍​​​​​​‏‌‎​​​​‍​‌​​​​‍‎‎​​​​‍‎‍​​​​‏​‌​​​​‍‎‎​​​​‍‎‌​​​​‏‎‌​​​​‍‏‏​​​​‏‍‎​​​​‍​‎​​​​‎‌‏​​​​‍‌‌​​​​‌‎‎​​​​‎‍‎​​​​‏​​​​​​‏​‍​​​​‍‎‍​​​​‏‎​​​​​‍‏‏​​​​‍‌‍​​​​‎‍‍​​​​‍‏‏​​​​‎‌‎​​​​‎‌​​​​​‍‎‌​​​​‍‏​​​​​‏‎‍​​​​‎​‎​​​​‏‏‌​​​​‍​‏​​​​‎‌‌​​​​‏‎‍​​​​‎‌​​​​​‌‏‍​​​​‏​‌​​​​‏​​​​​​‎‌‍​​​​‍‏‍​​​​‏‎‏​​​​‏‏​​​​​‌‏‍​​​​‏​‌​​​​‏‏​​​​​‍​‎​​​​‏​​​​​​‏‎‍​​​​‏‎‎​​​​‏‏‍​​​​‍​‏​​​​‎‎​​​​​‍‏​​​​​‎‍‎​​​​‍​​​​​​‍‎‍​​​​‎​‎​​​​‍​‍​​​​‏​‎​​​​‏‌‏​​​​‏‌‏​​​​‍‏‏​​​​‏​‎​​​​‎‍‍​​​​‏​‍​​​​‌‏‏​​​​‎‌‌​​​​‍‍‌​​​​‍‍‌mxhZ3toYWhhfmZha2VmbGFnIX0=',zwsp_steg.MODE_FULL)
    print (decoded)
    
    output:
    U2FsdGVkX19j4fOZJQd2l3DCeDBtJq5T8+XdfCsJ9WJSPBFuNy6QuP/edRHwx/ex5duvz6ZFX2CN4gmmJgWf1Q==
    

    55.pcapng

    打开pcap包,发现是usb的键盘流量,键盘流量的数据记录在Data中,需要把所有Data数据提取出来,进行十六进制键位转换得出数据包记录的键盘敲击内容
    1、利用wireshark tshark.exe命令提取流量数据,详情如下:

    tshark.exe -T json -r 55.pcapng > test.json
    //用法 tshark.exe -T json -r 数据包名称 > 要导出的文件
    

    导出的文件如下,键盘数据存储在usbhid.data中,将所有的usbhid.data值提取出来


    2、利用python编写的脚本对提取出来的所有usbhid.data转化生成敲击内容,脚本原理

    #!/usr/bin/env python
    # -*- coding:utf-8 -*-
    
    normalKeys = {"04":"a", "05":"b", "06":"c", "07":"d", "08":"e", "09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j", "0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o", "13":"p", "14":"q", "15":"r", "16":"s", "17":"t", "18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y", "1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4", "22":"5", "23":"6","24":"7","25":"8","26":"9","27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"	","2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\","32":"<NON>","33":";","34":"'","35":"<GA>","36":",","37":".","38":"/","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
    shiftKeys = {"04":"A", "05":"B", "06":"C", "07":"D", "08":"E", "09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J", "0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O", "13":"P", "14":"Q", "15":"R", "16":"S", "17":"T", "18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y", "1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$", "22":"%", "23":"^","24":"&","25":"*","26":"(","27":")","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"	","2c":"<SPACE>","2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"<NON>","33":""","34":":","35":"<GA>","36":"<","37":">","38":"?","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
    output = []
    keys = open('usbdata.txt')
    for line in keys:
        try:
            if line[0]!='0' or (line[1]!='0' and line[1]!='2') or line[3]!='0' or line[4]!='0' or line[9]!='0' or line[10]!='0' or line[12]!='0' or line[13]!='0' or line[15]!='0' or line[16]!='0' or line[18]!='0' or line[19]!='0' or line[21]!='0' or line[22]!='0' or line[6:8]=="00":
                 continue
            if line[6:8] in normalKeys.keys():
                output += [[normalKeys[line[6:8]]],[shiftKeys[line[6:8]]]][line[1]=='2']
            else:
                output += ['[unknown]']
        except:
            pass
    keys.close()
    
    flag=0
    print("".join(output))
    for i in range(len(output)):
        try:
            a=output.index('<DEL>')
            del output[a]
            del output[a-1]
        except:
            pass
    for i in range(len(output)):
        try:
            if output[i]=="<CAP>":
                flag+=1
                output.pop(i)
                if flag==2:
                    flag=0
            if flag!=0:
                output[i]=output[i].upper()
        except:
            pass
    print ('output :' + "".join(output))
    


    内容为

    plk<DEL>eae<DEL>sey<DEL>fii<DEL>ndts<DEL>hery<DEL>ealy<DEL>keyd<DEL>words<DEL>
    output :pleasefindtherealkeyword
    

    解密

    发现miwen是AES加密的密文,需要密钥进行解密
    解密工具
    用pleasefindtherealkeyword没有解密成功
    用del删除的字节发现"keyisyyds"实际密钥为yyds,解出flag

    tshark.exe使用参考

  • 相关阅读:
    MVC 学习(二)之Linq to Sql 简单Demo
    MVC 学习(一)Linq to Entities 简单Demo
    MVC学习(三)Code-First Demo
    pickle 模块
    json 模块
    sys 模块
    os 模块
    random(随机)模块
    time 模块
    python之函数基础
  • 原文地址:https://www.cnblogs.com/renhaoblog/p/15148455.html
Copyright © 2011-2022 走看看