[Traffic Analysis] USB Traffic Analysis - Keyboard USB Streams

Leftover Capture Data

For USB devices such as mice and keyboards, the command data (the HID reports) is carried in the Leftover Capture Data field.

tshark ships with a full Wireshark installation and lives in the Wireshark install directory; this command-line tool lets us extract the field so we can analyse it.

The rough syntax is: tshark -r usb.pcap -T fields -e usb.capdata > usb.txt

Normally the output will contain blank lines, because the capture may include other traffic or packets that have no Leftover Capture Data at all; the blank lines can be removed with Notepad++ or a similar editor.

The exported file looks roughly like the screenshot below. I don't know why, but some exports come with colons between the bytes; I tried several Wireshark versions and they all behaved this way.
(Figure: file exported by tshark)
Once the data stream is extracted, what we care about is what was typed. The third byte of each record (the keycode) is the interesting part, i.e. the fifth and sixth hex characters of each line. The mapping from keycode to character is spelled out in the dictionary in the script.

(Figure: LowB's first success)
Conversion script for a captured keyboard USB stream

```python
# HID keycode -> character (unshifted keys only; the modifier byte is ignored)
mappings = {
    0x04: "A", 0x05: "B", 0x06: "C", 0x07: "D", 0x08: "E", 0x09: "F", 0x0A: "G",
    0x0B: "H", 0x0C: "I", 0x0D: "J", 0x0E: "K", 0x0F: "L", 0x10: "M", 0x11: "N",
    0x12: "O", 0x13: "P", 0x14: "Q", 0x15: "R", 0x16: "S", 0x17: "T", 0x18: "U",
    0x19: "V", 0x1A: "W", 0x1B: "X", 0x1C: "Y", 0x1D: "Z", 0x1E: "1", 0x1F: "2",
    0x20: "3", 0x21: "4", 0x22: "5", 0x23: "6", 0x24: "7", 0x25: "8", 0x26: "9",
    0x27: "0", 0x28: "\n", 0x2A: "[DEL]", 0x2B: "    ", 0x2C: " ", 0x2D: "-",
    0x2E: "=", 0x2F: "[", 0x30: "]", 0x31: "\\", 0x32: "~", 0x33: ";", 0x34: "'",
    0x36: ",", 0x37: ".",
}

nums = []
with open('usb.txt') as keys:
    for line in keys:
        # tolerate both "0000040000000000" and "00:00:04:00:00:00:00:00",
        # and skip the blank lines left over from the tshark export
        line = line.strip().replace(':', '')
        if len(line) < 6:
            continue
        nums.append(int(line[4:6], 16))   # third byte = keycode

output = ""
for n in nums:
    if n == 0:
        continue                          # key-release report, nothing typed
    if n in mappings:
        output += mappings[n]
    else:
        output += '[unknown]'

print("output:" + output)
```
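The script above ignores the modifier byte (byte 0 of each report), so it cannot tell upper from lower case or "[" from "{", and it only accepts the colon-free export format that the text notes is not what every Wireshark version produces. The following decoder is an added example written for this page, not the author's script: it parses both export styles, skips blank or malformed lines, honours the left/right Shift bits (0x02 and 0x20) of the modifier byte, and applies Backspace (0x2A) to the reconstructed text instead of printing a marker. The sample capture data embedded in it is constructed, not taken from a real pcap.

```python
import re
import sys

# HID keyboard usage IDs -> (unshifted, shifted) characters. Covers the keys in
# the page's dictionary plus 0x35 (` ~) and 0x38 (/ ?); Tab is a real '\t'.
KEYMAP = {}
for i in range(26):
    KEYMAP[0x04 + i] = (chr(ord("a") + i), chr(ord("A") + i))
for i, (digit, sym) in enumerate(zip("1234567890", "!@#$%^&*()")):
    KEYMAP[0x1E + i] = (digit, sym)
KEYMAP.update({
    0x28: ("\n", "\n"), 0x2B: ("\t", "\t"), 0x2C: (" ", " "),
    0x2D: ("-", "_"), 0x2E: ("=", "+"), 0x2F: ("[", "{"), 0x30: ("]", "}"),
    0x31: ("\\", "|"), 0x33: (";", ":"), 0x34: ("'", '"'), 0x35: ("`", "~"),
    0x36: (",", "<"), 0x37: (".", ">"), 0x38: ("/", "?"),
})
BACKSPACE = 0x2A
SHIFT_MASK = 0x22   # bit 1 = left shift, bit 5 = right shift in the modifier byte
HEX_RE = re.compile(r"[0-9a-fA-F]+")


def parse_report(line):
    """Return (modifier_byte, keycode) from one usb.capdata line, or None.

    Accepts both tshark output styles, '0000040000000000' and
    '00:00:04:00:00:00:00:00'. Blank or malformed lines yield None, so the
    manual blank-line cleanup step is not needed.
    """
    hexstr = line.strip().replace(":", "")
    if not HEX_RE.fullmatch(hexstr) or len(hexstr) % 2:
        return None
    data = bytes.fromhex(hexstr)
    if len(data) < 3:
        return None
    return data[0], data[2]


def decode(lines):
    """Rebuild the typed text from an iterable of usb.capdata lines."""
    typed = []
    for line in lines:
        report = parse_report(line)
        if report is None:
            continue
        modifier, key = report
        if key == 0:
            continue  # all-zero key field = key release, nothing typed
        if key == BACKSPACE:
            if typed:
                typed.pop()  # apply the deletion instead of emitting [DEL]
            continue
        if key in KEYMAP:
            typed.append(KEYMAP[key][1 if modifier & SHIFT_MASK else 0])
        else:
            typed.append("[unknown:0x%02x]" % key)
    return "".join(typed)


# Constructed sample (not a real capture): the user types "Flag{ut", presses
# Backspace, then types "sb}" and Enter. Both export styles and a blank line
# are mixed in deliberately.
SAMPLE_CAPDATA = """20:00:09:00:00:00:00:00
00:00:00:00:00:00:00:00
00000f0000000000
0000000000000000

00:00:04:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:0a:00:00:00:00:00
00:00:00:00:00:00:00:00
02:00:2f:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:18:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:17:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:2a:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:16:00:00:00:00:00
00:00:05:00:00:00:00:00
02:00:30:00:00:00:00:00
00:00:28:00:00:00:00:00
00:00:00:00:00:00:00:00
"""

if __name__ == "__main__":
    # Usage: python decode_usb.py usb.txt   (with no argument, decodes the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            print(decode(f))
    else:
        print(decode(SAMPLE_CAPDATA.splitlines()))
```

Key releases appear as reports whose keycode byte is 0, which is why the decoder skips them; if a capture shows the same non-zero keycode in several consecutive reports, that is the host's auto-repeat or a held key, and you may want to collapse those runs depending on the challenge.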
  • Copyright: Copyright is owned by the author. For commercial reprints, please contact the author for authorization. For non-commercial reprints, please indicate the source.
  • Copyrights © 2020 Tyrant-K