kaizen-ctf 2018 — Reverse Engineer USB keystrokes from a pcap file

Feb 27, 2018 · 4 min read

Yesterday was a great experience for me attending all kind of joubert; one of the challenges I could not solve or understand was in the reverse engineering section. This CTF challenge consisted of a pcapng file with no hint provided, only the flag was needed to earn the points.

  • for people who don't know what a pcap is: a packet capture consists of an application programming interface (API) for capturing network traffic

I opened the file with the Wireshark network analyser and noticed a kind of communication that was new to me; to be honest, I never knew this could happen until I solved this challenge …

Things noted:

1- the source and destination use two-way communication
2- the protocol is USB (Universal Serial Bus)

It was apparent that I was not dealing with 802.3 Ethernet traffic, and I had not analysed this sort of activity before.

OK — it's captured USB traffic. My immediate thought (which turned out to be pretty spot-on) was that “this is probably a capture of USB keyboard traffic; the key was typed in and is subsequently buried in the traffic”. My assumption here was that the challenge designer had hidden the flag in some kind of keystrokes.

Starting my disorganized research, I came across http://wiki.wireshark.org/USB and http://www.beyondlogic.org/usbnutshell/usb4.shtml#Interrupt,
which came in handy for understanding the frame format and a few details of data input and output in the USB protocol.

Another good resource helped me later in developing the script that solves this challenge.

Reading about USB reveals that there are four basic modes of transfer: the ‘transfer_type’ field specifies whether a transfer is isochronous (0), interrupt (1), control (2) or bulk (3).

Looking again at the pcap file, I see there are only two directions of communication, with only an 8-byte difference between them.

We note here the interrupt transfer type, the frame length and the captured data.

The highlighted value keeps changing: it is the keystroke as a hex value. The PDF file revealed that 04 is equivalent to the letter “a”.

Creating a Wireshark filter to list all interrupt transfers carrying 8 bytes, since our only interest is finding the keystrokes:

usb.transfer_type == 0x01

((usb.transfer_type == 0x01) && (frame.len == 72)) && !(usb.capdata == 00:00:00:00:00:00:00:00)

Add the capture data as a column.

Export the data as a CSV file to get the column.

Cut on the comma delimiter:

cat leftdata | cut -d "," -f 7 | cut -d "\"" -f 2 | grep -vE "Leftover Capture Data" > hexoutput.txt

Python code:

# HID keyboard usage IDs (keyboard/keypad page) mapped to the keys they produce
newmap = {
    2: "PostFail",
    4: "a",
    5: "b",
    6: "c",
    7: "d",
    8: "e",
    9: "f",
    10: "g",
    11: "h",
    12: "i",
    13: "j",
    14: "k",
    15: "l",
    16: "m",
    17: "n",
    18: "o",
    19: "p",
    20: "q",
    21: "r",
    22: "s",
    23: "t",
    24: "u",
    25: "v",
    26: "w",
    27: "x",
    28: "y",
    29: "z",
    30: "1",
    31: "2",
    32: "3",
    33: "4",
    34: "5",
    35: "6",
    36: "7",
    37: "8",
    38: "9",
    39: "0",
    40: "Enter",
    41: "esc",
    42: "del",
    43: "tab",
    44: "space",
    45: "-",
    47: "[",
    48: "]",
    56: "/",
    57: "CapsLock",
    79: "RightArrow",
    80: "LeftArrow",
}

# one hex-encoded "Leftover Capture Data" value (8 bytes) per line, as exported from Wireshark
with open('hexoutput.txt') as myKeys:
    i = 1
    for line in myKeys:
        # tolerate both "0000040000000000" and "00:00:04:00:00:00:00:00"
        bytesArray = bytearray.fromhex(line.strip().replace(':', ''))
        # print("Line Number: " + str(i))
        for byte in bytesArray:
            if byte != 0:
                keyVal = int(byte)

                if keyVal in newmap:
                    # print("Value map : " + str(keyVal) + " ---> " + newmap[keyVal])
                    print(newmap[keyVal])
                else:
                    print("No map found for this value: " + str(keyVal))

                # print(format(byte, '02X'))
        i += 1
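As an added example that is not part of the original post, here is a decoder that treats the 8-byte report the way the HID boot protocol defines it: byte 0 carries the shift modifier, byte 1 is reserved, backspace removes a character, and a keycode repeated in consecutive reports is a held key rather than a second keystroke. The sample reports are constructed.

```python
# Added example, not the original post's script: decode 8-byte USB HID keyboard
# boot-protocol reports. Layout: byte 0 = modifier bitmask, byte 1 = reserved,
# bytes 2..7 = up to six keycodes currently pressed (HID keyboard/keypad page).
KEYMAP = {0x04 + i: (chr(ord('a') + i), chr(ord('A') + i)) for i in range(26)}
KEYMAP.update({0x1e + i: ds for i, ds in enumerate(zip('1234567890', '!@#$%^&*()'))})
KEYMAP.update({0x28: ('\n', '\n'), 0x2c: (' ', ' '), 0x2d: ('-', '_'),
               0x2e: ('=', '+'), 0x2f: ('[', '{'), 0x30: (']', '}'), 0x38: ('/', '?')})
SHIFT_MASK = 0x22   # bit 1 = left shift, bit 5 = right shift
BACKSPACE = 0x2a    # HID "Keyboard DELETE (Backspace)"

def decode_reports(hex_lines):
    """Reconstruct typed text from one hex-encoded 8-byte report per line."""
    text = []
    previous = set()
    for line in hex_lines:
        report = bytes.fromhex(line.strip().replace(':', ''))
        if len(report) != 8:
            continue                      # not a boot-protocol keyboard report
        shifted = bool(report[0] & SHIFT_MASK)
        pressed = {code for code in report[2:8] if code}
        # a key already down in the previous report is being held, not typed
        # again, so only newly pressed keys produce characters
        for code in sorted(pressed - previous):
            if code == BACKSPACE:
                if text:
                    text.pop()
            elif code in KEYMAP:
                text.append(KEYMAP[code][shifted])
            else:
                text.append(f'<{code:#04x}>')  # keep unknown usages visible
        previous = pressed
    return ''.join(text)

# constructed sample reports: types "Hi5", corrects the 5 to "%", then Enter
SAMPLE_REPORTS = [
    "02:00:0b:00:00:00:00:00",  # left shift + h -> "H"
    "00:00:00:00:00:00:00:00",  # all keys released
    "00:00:0c:00:00:00:00:00",  # i
    "00:00:0c:00:00:00:00:00",  # i still held: a repeat, must not duplicate
    "00:00:00:00:00:00:00:00",
    "00:00:22:00:00:00:00:00",  # 5
    "00:00:2a:00:00:00:00:00",  # backspace removes the 5
    "00:00:00:00:00:00:00:00",
    "20:00:22:00:00:00:00:00",  # right shift + 5 -> "%"
    "00:00:00:00:00:00:00:00",
    "00:00:28:00:00:00:00:00",  # Enter
]

if __name__ == "__main__":
    print(repr(decode_reports(SAMPLE_REPORTS)))   # 'Hi%\n'
```

Feed it the unfiltered interrupt reports: the filter above drops the all-zero release reports, and without them a letter typed twice in a row is indistinguishable from one held key.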

