记一道usb流量处理。

给出了Usb的流量包。
一顿搞无果。

网上查到可以用 tshark 分析整个流量包,导出 USB 键盘按键数据(usb.capdata)之类的字段。
kali下一句话导出。

# One usb.capdata value per packet, one per line; packets without that field
# print an empty line (add `-Y usb.capdata` to drop them). Output is hex,
# colon-separated on older tshark builds and bare hex on newer ones.
tshark -r a.pcap -T fields -e usb.capdata >a.txt
>后面接上想导出的位置。

导出之后用脚本解密;
附上脚本(脚本读取的文件名是 usbdata.txt,需与上面导出的文件名保持一致)。

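#!/usr/bin/env python
# -*- coding:utf-8 -*-
"""Recover typed text from USB HID keyboard reports dumped by tshark.

Input is one ``usb.capdata`` value per line, as written by
``tshark -r a.pcap -T fields -e usb.capdata``. A boot-protocol keyboard
report is 8 bytes: modifier byte, reserved byte, then six key-code slots.
Only reports with no modifier and a single key in the first slot are
decoded; everything else (shifted keys, chords, empty or malformed lines)
is skipped, so shifted characters never reach the output.
"""

# HID usage id -> character for an un-shifted US layout. 0x2A is the HID
# Backspace key (emitted as "[DEL]"; the writeup removes the preceding
# character by hand), 0x2B is Tab, 0x28 is Enter.
mappings = { 0x04:"A",  0x05:"B",  0x06:"C", 0x07:"D", 0x08:"E", 0x09:"F", 0x0A:"G",  0x0B:"H", 0x0C:"I",  0x0D:"J", 0x0E:"K", 0x0F:"L", 0x10:"M", 0x11:"N",0x12:"O",  0x13:"P", 0x14:"Q", 0x15:"R", 0x16:"S", 0x17:"T", 0x18:"U",0x19:"V", 0x1A:"W", 0x1B:"X", 0x1C:"Y", 0x1D:"Z", 0x1E:"1", 0x1F:"2", 0x20:"3", 0x21:"4", 0x22:"5",  0x23:"6", 0x24:"7", 0x25:"8", 0x26:"9", 0x27:"0", 0x28:"\n", 0x2a:"[DEL]",  0x2B:"    ", 0x2C:" ",  0x2D:"-", 0x2E:"=", 0x2F:"[",  0x30:"]",  0x31:"\\", 0x32:"~", 0x33:";",  0x34:"'", 0x36:",",  0x37:"." }

# Size in bytes of a boot-protocol keyboard report.
REPORT_LEN = 8


def parse_keycodes(lines):
    """Return the key code of every report that holds exactly one key.

    ``lines`` is an iterable of ``usb.capdata`` strings. Both the
    colon-separated form (``00:00:04:00:00:00:00:00``) and the bare hex
    form (``0000040000000000``) are accepted. A report is kept only when
    the modifier byte, the reserved byte and key slots 2-6 are all zero,
    which matches the original per-character '0' checks; lines that are
    too short or not valid hex are dropped instead of raising IndexError.
    """
    codes = []
    for line in lines:
        hexstr = line.strip().replace(':', '')
        try:
            report = bytearray.fromhex(hexstr)
        except ValueError:
            # not a hex dump (blank line, stray text) -> skip
            continue
        if len(report) < REPORT_LEN:
            continue
        # modifier, reserved, and key slots 2-6 must all be zero
        if report[0] or report[1] or any(report[3:REPORT_LEN]):
            continue
        codes.append(report[2])
    return codes


def decode_keycodes(codes):
    """Translate key codes to text.

    Code 0 means "no key pressed" (key release report) and is skipped;
    codes missing from ``mappings`` become the literal '[unknown]'.
    """
    parts = []
    for code in codes:
        if code == 0:
            continue
        parts.append(mappings.get(code, '[unknown]'))
    return ''.join(parts)


def main(path='usbdata.txt'):
    """Decode the capdata dump at ``path`` and print the recovered text."""
    with open(path) as keys:
        nums = parse_keycodes(keys)
    print('output :\n' + decode_keycodes(nums))


if __name__ == '__main__':
    main()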

之后得到

[unknown]A[unknown]UTOKEY''.DECIPHER'[unknown]MPLRVFFCZEYOUJFJKYBXGZVDGQAURKXZOLKOLVTUFBLRNJESQITWAHXNSIJXPNMPLSHCJBTYHZEALOGVIAAISSPLFHLFSWFEHJNCRWHTINSMAMBVEXO[DEL]PZE[DEL]IZ'

[DEL] 表示删除前一个字符(对应 HID 键码 0x2A,即退格键);按此处理后,再对剩余密文做 Autokey 解密。
密钥不知道,所以只能爆破。

#!/usr/bin/python

from ngram_score import ngram_score

from pycipher import Autokey

import re

from itertools import permutations

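# English n-gram fitness scorers (quadgrams are loaded here but only
# trigrams are used by the search loop below).
qgram = ngram_score('quadgrams.txt')
trigram = ngram_score('trigrams.txt')

# Ciphertext recovered from the keyboard capture, with the two
# backspaced characters already removed.
ctext = 'MPLRVFFCZEYOUJFJKYBXGZVDGQAURKXZOLKOLVTUFBLRNJESQITWAHXNSIJXPNMPLSHCJBTYHZEALOGVIAAISSPLFHLFSWFEHJNCRWHTINSMAMBVEXPZIZ'
# Autokey and the scorers only handle A-Z, so drop everything else.
# (The forum copy mangled this character class; it is "[^A-Z]".)
ctext = re.sub(r'[^A-Z]', '', ctext.upper())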

# keep a list of the N best things we have seen, discard anything else

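class nbest(object):
    """Keep the N highest-scoring items seen so far, best first.

    Items are compared as plain tuples, so the first element should be
    the score; ties fall through to the remaining elements.
    """

    def __init__(self, N=1000):
        self.store = []
        self.N = N

    def add(self, item):
        """Insert ``item`` and discard anything beyond the top N."""
        self.store.append(item)
        # list is already sorted except for the new tail, so this is cheap
        self.store.sort(reverse=True)
        # forum copy mangled this slice; it keeps only the best N entries
        del self.store[self.N:]

    def __getitem__(self, k):
        """Return the k-th best item (0 is the best)."""
        return self.store[k]

    def __len__(self):
        return len(self.store)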

#init

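# number of candidates kept per key length
N = 100

for KLEN in range(3, 20):
    rec = nbest(N)
    # Only the first three key letters are searched; the remaining
    # KLEN-3 positions are padded with 'A', so each candidate is scored
    # on the plaintext trigram that those three letters decrypt in every
    # key period.
    for i in permutations('ABCDEFGHIJKLMNOPQRSTUVWXYZ', 3):
        prefix = ''.join(i)
        key = prefix + 'A' * (KLEN - len(prefix))
        pt = Autokey(key).decipher(ctext)
        # forum copy mangled these slices: pt[j:j+3] and pt[:30]
        score = sum(trigram.score(pt[j:j + 3]) for j in range(0, len(ctext), KLEN))
        rec.add((score, prefix, pt[:30]))
    # The original loop filled rec but never printed it. NOTE(review): the
    # writeup's final result shows a full 8-letter key, which this
    # prefix-only search cannot produce by itself - the remaining key
    # positions presumably still have to be searched before this print.
    best_score, best_prefix, best_pt = rec[0]
    print('%s autokey, klen %d :"%s", %s' % (best_score, KLEN, best_prefix, best_pt))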

但是运行时有些奇怪的问题 23333(注意上面的脚本只枚举了密钥的前三位,其余位用 A 填充,而且没有打印结果)。
最后可以得到flag

-674.914569565 autokey, klen 8 :"FLAGHERE", HELLOBOYSANDGIRLSYOUARESOSMARTTHATYOUCANFINDTHEFLAGTHATIHIDEINTHEKEYBOARDPACKAGEFLAGISJHAWLZKEWXHNCDHSLWBAQJTUQZDXZQPF
