kaizen-ctf 2018 — Reverse Engineer usb keystrok from pcap file

AliBawazeEer
4 min readFeb 27, 2018

--

yesterday was a great experience for me to attend all kind of joubert , one of the challenges i could not solve and understand in the reverse engineering section . this CTF challenge contain pcapng file and no hint provided only flag needed to earn the points ..

  • for people dont know what is pcap : (a packet capture) consists of an application programming interface (API) for capturing network traffic

opened the file with wireshark network analyser and noticed kind of new type of communication , to be honest i never knew it could happen untill i solved this challenge …

things noted :

1- the source and destination using two way of communication
2- protocol USB( universal serial block )

its apparent that i am not dealing with 802.3 Ethernet traffic which have not done before of analyzing these sort of activity

OK — its a USB traffic captured . My immediate thought (which turned out to be pretty spot-on) was that “this is probably a capture of USB keyboard traffic; the key was typed in and is subsequently buried in the traffic”. my assumption here the challenge designer has hidden the flag in sort of key stroke .

starting my disorganized research and came across http://wiki.wireshark.org/USB http://www.beyondlogic.org/usbnutshell/usb4.shtml#Interrupt
which came handy to understand the frame and few details of data input and output in USB protocol .

another good resource helped me later for developing the script to solve this challenge
http://www.usb.org/developers/hidpage/Hut1_12v2.pdf

reading about USB reveals that there are four basic modes of transfer for USB: The ‘transfer_type’ specifies if this transfer is isochronous (0), interrupt (1), control (2) or bulk (3).

looking again at the pcap file i see there is two way of communication only with 8 bytes difference

we note here its interrupt type ,frame length and captured data

the value highlighted keep changing and its the key stroke hex value “ the pdf file revealed 04 and its equivalent “a” letter

creating a wireshark filter to list all interrupt communication with 8 bytes since its our attention only to find the keystroke

usb.transfer_type == 0x01

((usb.transfer_type == 0x01) && (frame.len == 72)) && !(usb.capdata == 00:00:00:00:00:00:00:00)

add the capture data to the column

exporting the data as CSV file to get the column

cut with — delimiter

cat leftdata | cut -d “,” -f 7 | cut -d “\”” -f 2 | grep -vE “Leftover Capture Data” > hexoutput.txt

python code

newmap = {
2: “PostFail”,
4: “a”,
5: “b”,
6: “c”,
7: “d”,
8: “e”,
9: “f”,
10: “g”,
11: “h”,
12: “i”,
13: “j”,
14: “k”,
15: “l”,
16: “m”,
17: “n”,
18: “o”,
19: “p”,
20: “q”,
21: “r”,
22: “s”,
23: “t”,
24: “u”,
25: “v”,
26: “w”,
27: “x”,
28: “y”,
29: “z”,
30: “1”,
31: “2”,
32: “3”,
33: “4”,
34: “5”,
35: “6”,
36: “7”,
37: “8”,
38: “9”,
39: “0”,
40: “Enter”,
41: “esc”,
42: “del”,
43: “tab”,
44: “space”,
45: “-”,
47: “[“,
48: “]”,
56: “/”,
57: “CapsLock”,
79: “RightArrow”,
80: “LetfArrow”
}

myKeys = open(‘hexoutput.txt’)
i = 1
for line in myKeys:
bytesArray = bytearray.fromhex(line.strip())
#print “Line Number: “ + str(i)
for byte in bytesArray:
if byte != 0:
keyVal = int(byte)

if keyVal in newmap:
#print “Value map : “ + str(keyVal) + “ — -> “ + newmap[keyVal]
print newmap[keyVal]
else:
print “No map found for this value: “ + str(keyVal)

#print format(byte, ‘02X’)
i+=1

flag : IS THHIIS WHAT YOU ARREE LOOKIINNG FOR /
FLAG [PCAPS-ARENT-JUST-FOR-NETWORK-TRAFFIC]

--

--