2025-01-28 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 05/31 Report
This article shows how to read data hidden in USB keyboard traffic. Most people are not familiar with the technique, so it is shared here for reference.
0x00 Preparation
Wireshark is a tool for capturing traffic. It can also be used to analyze captured traffic and find the records and changes an attacker left behind, which makes it very useful both for working out what happened in an attack and for defending against the next one. USB keyboard traffic can carry hidden information, and in general the tools and methods below can be used to recover it.
0x01 Data preparation
Suppose we have a capture whose protocol is USB. When the capture is opened in Wireshark, the fields and their contents can be seen:
The content of interest is the Leftover Capture Data field. First, the USB protocol has to be understood: right-click the Leftover Capture Data field and choose Apply as Column so that its value is shown on the main panel. A USB keyboard data packet is 8 bytes long, with every two hex digits forming one byte, and the key data sits in the third byte (the article lists 00, 01, 02, 03 ... 11, 12, 13, 14). The correspondence between keys and their HEX values is shown in the following figure:
To extract this data for analysis, tools and scripts are needed to process it. Here is how to do it.
0x02 Implementation
First of all, we use tshark, the command-line program that ships with Wireshark, which is more efficient than the GUI for this job. On a Linux system, install the tshark package and then run the tshark command. On Windows, installing Wireshark is enough, because the tshark program is included and can be run directly. Then execute:
tshark.exe -r usb.pcap -T fields -e usb.capdata > usb.data
This generates a usb.data file containing the data tshark extracted from the usb.pcap capture. It is actually a plain text file that can be viewed directly.
When it is opened in a text editor:
The data inside is the original Leftover Capture Data column, i.e. the USB keyboard key codes. This data can now be processed: filter out the useless traffic, keep only the key-related traffic (the third byte of each packet), and simplify it.
Save the above Python script as a file and run it:
Opening the resulting txt file shows a very long field made up of digits, and this is the data we need:
Copy this field and paste it into 010editor:
This field looks very much like a file format, namely the zip format, because it begins with 504B, that is "PK", and "PK" is the header of a zip package. So we can save this field as a zip file:
After saving, open the zip file directly and find a file called flag.txt:
Clicking to open it shows there is no password, it opens directly, and inside is the hidden data.
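The article's own Python script is not reproduced above, so the following is an added example, not the article's code, that performs the same steps: it reads the usb.data lines produced by the tshark command, takes the key code from the third byte of each 8-byte keyboard report, translates it with a US-layout HID table (shift handled through byte 0, Backspace removes the previous character, other traffic such as 4-byte mouse reports is skipped), and then checks whether the typed text is a hex dump beginning with 50 4B 03 04 ("PK") that can be written out as a zip file. The sample lines are constructed for the example; they type "504B0304" with one mistyped character.

```python
import sys

# HID usage IDs -> (unshifted, shifted) characters for a US keyboard layout.
# Only the subset a hex dump or a flag string needs; extend as required.
KEYMAP = {}
for _i in range(26):
    KEYMAP[0x04 + _i] = (chr(ord("a") + _i), chr(ord("A") + _i))
for _i, (_plain, _shifted) in enumerate(zip("1234567890", "!@#$%^&*()")):
    KEYMAP[0x1E + _i] = (_plain, _shifted)
KEYMAP.update({
    0x28: ("\n", "\n"), 0x2C: (" ", " "), 0x2D: ("-", "_"), 0x2E: ("=", "+"),
    0x2F: ("[", "{"), 0x30: ("]", "}"), 0x33: (";", ":"), 0x34: ("'", '"'),
    0x36: (",", "<"), 0x37: (".", ">"), 0x38: ("/", "?"),
})
BACKSPACE = 0x2A
SHIFT_MASK = 0x22          # byte 0: bit 1 = left shift, bit 5 = right shift
ZIP_MAGIC = b"PK\x03\x04"  # the 50 4B 03 04 local file header seen in 010editor

# Constructed sample of tshark's usb.capdata output, one report per line
# (older Wireshark versions separate bytes with ':', newer ones do not; both
# forms are accepted). It types "504B0304", mistypes an 'x' and corrects it
# with Backspace, and includes one 4-byte mouse report that must be skipped.
SAMPLE_LINES = """\
00:00:22:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:27:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:21:00:00:00:00:00
00:00:00:00:00:00:00:00
02:00:05:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:1b:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:2a:00:00:00:00:00
00:00:00:00:00:00:00:00
00:05:00:00
00:00:27:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:20:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:27:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:21:00:00:00:00:00
00:00:00:00:00:00:00:00
""".splitlines()


def decode_keystrokes(lines):
    """Turn usb.capdata lines into the typed text, reading only byte 2 as the article does."""
    typed = []
    for line in lines:
        hexstr = line.strip().replace(":", "")
        if len(hexstr) != 16:
            continue                      # not an 8-byte keyboard report (e.g. mouse traffic)
        report = bytes.fromhex(hexstr)
        modifiers, keycode = report[0], report[2]
        if keycode == 0:
            continue                      # key-release report, nothing typed
        if keycode == BACKSPACE:
            if typed:
                typed.pop()               # undo the previous character
            continue
        if keycode in KEYMAP:
            plain, shifted = KEYMAP[keycode]
            typed.append(shifted if modifiers & SHIFT_MASK else plain)
    return "".join(typed)


def carve_zip(typed):
    """Interpret the typed text as hex; return the bytes if they start with a zip header, else None."""
    digits = "".join(ch for ch in typed if ch in "0123456789abcdefABCDEF")
    if len(digits) % 2:
        digits = digits[:-1]              # drop a dangling nibble
    data = bytes.fromhex(digits)
    return data if data.startswith(ZIP_MAGIC) else None


if __name__ == "__main__":
    # Usage: python decode_usb_keyboard.py usb.data [out.zip]
    with open(sys.argv[1]) as f:
        text = decode_keystrokes(f)
    print(text)
    blob = carve_zip(text)
    if blob is not None and len(sys.argv) > 2:
        with open(sys.argv[2], "wb") as f:
            f.write(blob)
```

A real keyboard report can carry up to six key codes in bytes 2 to 7; the example follows the article and reads only the third byte, which is enough for ordinary typing. Keys that are not in the table are silently dropped, so add any layout-specific entries before trusting the output.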
0x03 End
Sometimes the hidden data is not in the key codes but in USB mouse coordinates. In that case tshark is used to extract the mouse coordinate data, and Python's plotting capabilities are used to draw the coordinates and reveal the hidden image.
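As an added example (not part of the article) of the mouse variant just mentioned, the following script reads usb.capdata lines from a mouse capture, where each 4-byte report is assumed to hold the button state in byte 0 and signed 8-bit X and Y movements in bytes 1 and 2 (the exact layout depends on the device, so check it in Wireshark first). Relative movements are summed into absolute coordinates, only points drawn while the left button is held are kept, and a small ASCII renderer stands in for matplotlib so the example runs without extra packages. The sample lines are constructed and draw an "L" shape.

```python
# Constructed sample: three moves right and two moves down with the left
# button held, then a release, a move right and a move back left with no
# button held; one 8-byte keyboard report is included to show it is skipped.
SAMPLE_MOUSE_LINES = """\
01:01:00:00
01:01:00:00
01:01:00:00
01:00:01:00
01:00:01:00
00:00:00:00
00:05:00:00
00:fb:00:00
00:00:04:00:00:00:00:00
""".splitlines()

LEFT_BUTTON = 0x01


def mouse_stroke_points(lines):
    """Return the absolute (x, y) points visited while the left button was pressed."""
    x = y = 0
    points = []
    for line in lines:
        hexstr = line.strip().replace(":", "")
        if len(hexstr) != 8:
            continue                      # not a 4-byte mouse report; adjust for your device
        report = bytes.fromhex(hexstr)
        buttons = report[0]
        dx = int.from_bytes(report[1:2], "little", signed=True)
        dy = int.from_bytes(report[2:3], "little", signed=True)
        x += dx                           # reports are relative; integrate them
        y += dy
        if buttons & LEFT_BUTTON:
            points.append((x, y))
    return points


def render_ascii(points, ink="#"):
    """Draw the points on a character grid; y grows downwards as in screen coordinates."""
    if not points:
        return ""
    xs = [p[0] for p in points]
    ys = [p[1] for p in points]
    min_x, min_y = min(xs), min(ys)
    width = max(xs) - min_x + 1
    height = max(ys) - min_y + 1
    grid = [[" "] * width for _ in range(height)]
    for px, py in points:
        grid[py - min_y][px - min_x] = ink
    return "\n".join("".join(row) for row in grid)


if __name__ == "__main__":
    import sys
    # Usage: python mouse_draw.py mouse.data  (output of tshark -T fields -e usb.capdata)
    with open(sys.argv[1]) as f:
        pts = mouse_stroke_points(f)
    print(render_ascii(pts))
```

For a real capture the point list is usually thousands of entries, so feed it to matplotlib's scatter plot instead of the ASCII renderer; the integration and button filtering stay the same.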
That is the whole of "how to read the hidden data of USB keyboard traffic". Thank you for reading; hopefully the content has been useful, and if you want to learn more, follow the industry information channel.