kaizen-ctf 2018 — Reverse Engineering USB keystrokes from a pcap file


Yesterday was a great experience for me, attending all kinds of joubert. One of the challenges I could not solve or understand was in the reverse engineering section. This CTF challenge consisted of a pcapng file with no hint provided; only the flag was needed to earn the points.

  • For people who don't know what a pcap is: a packet capture consists of an application programming interface (API) for capturing network traffic.

I opened the file with the Wireshark network analyser and noticed a new kind of communication; to be honest, I never knew it could happen until I solved this challenge.

Things noted:

1- the source and destination use two-way communication
2- the protocol is USB (Universal Serial Bus)

It is apparent that I am not dealing with 802.3 Ethernet traffic, and I had not analysed this sort of activity before.

OK — it's USB traffic that was captured. My immediate thought (which turned out to be pretty spot-on) was that "this is probably a capture of USB keyboard traffic; the key was typed in and is subsequently buried in the traffic". My assumption here was that the challenge designer had hidden the flag in some sort of keystrokes.

I started my disorganized research and came across http://wiki.wireshark.org/USB and http://www.beyondlogic.org/usbnutshell/usb4.shtml#Interrupt,
which came in handy for understanding the frame and a few details of data input and output in the USB protocol.

Another good resource that helped me later in developing the script to solve this challenge:
http://www.usb.org/developers/hidpage/Hut1_12v2.pdf

Reading about USB reveals that there are four basic modes of transfer for USB: the 'transfer_type' field specifies whether a transfer is isochronous (0), interrupt (1), control (2) or bulk (3).

Looking again at the pcap file, I see there is only two-way communication, with an 8-byte difference between the two directions.

We note here the interrupt transfer type, the frame length and the captured data.

The highlighted value keeps changing and is the keystroke hex value; the PDF file revealed that 04 is the equivalent of the letter "a".

Creating a Wireshark filter to list all interrupt communication carrying 8 bytes of data, since our attention is only on finding the keystrokes (72 bytes is the 64-byte Linux usbmon pseudo-header plus the 8-byte keyboard report):

usb.transfer_type == 0x01

((usb.transfer_type == 0x01) && (frame.len == 72)) && !(usb.capdata == 00:00:00:00:00:00:00:00)

Add the capture data as a column.

Export the data as a CSV file to get the column.

Cut on the "," delimiter:

cat leftdata | cut -d "," -f 7 | cut -d "\"" -f 2 | grep -vE "Leftover Capture Data" > hexoutput.txt


Python code:

# HID usage ID -> key name (subset of the keyboard/keypad page of the HID Usage Tables PDF)
newmap = {
    2: "PostFail",
    4: "a",
    5: "b",
    6: "c",
    7: "d",
    8: "e",
    9: "f",
    10: "g",
    11: "h",
    12: "i",
    13: "j",
    14: "k",
    15: "l",
    16: "m",
    17: "n",
    18: "o",
    19: "p",
    20: "q",
    21: "r",
    22: "s",
    23: "t",
    24: "u",
    25: "v",
    26: "w",
    27: "x",
    28: "y",
    29: "z",
    30: "1",
    31: "2",
    32: "3",
    33: "4",
    34: "5",
    35: "6",
    36: "7",
    37: "8",
    38: "9",
    39: "0",
    40: "Enter",
    41: "esc",
    42: "del",
    43: "tab",
    44: "space",
    45: "-",
    47: "[",
    48: "]",
    56: "/",
    57: "CapsLock",
    79: "RightArrow",
    80: "LeftArrow"
}

# Each line of hexoutput.txt is one 8-byte keyboard report written as hex
myKeys = open('hexoutput.txt')
i = 1
for line in myKeys:
    bytesArray = bytearray.fromhex(line.strip())
    # print("Line Number: " + str(i))
    # Every non-zero byte of the report is looked up as a usage ID
    for byte in bytesArray:
        if byte != 0:
            keyVal = int(byte)
            if keyVal in newmap:
                # print("Value map : " + str(keyVal) + " --> " + newmap[keyVal])
                print(newmap[keyVal])
            else:
                print("No map found for this value: " + str(keyVal))
            # print(format(byte, '02X'))
    i += 1

flag : IS THHIIS WHAT YOU ARREE LOOKIINNG FOR /
FLAG [PCAPS-ARENT-JUST-FOR-NETWORK-TRAFFIC]