USB流量分析
USB接口是目前最為通用的外設接口之一,通過監聽該接口的流量,可以得到很多有意思的東西,例如鍵盤擊鍵,鼠標移動與點擊,存儲設備的明文傳輸通信、USB無線網卡網絡傳輸內容等。
1、USB流量的捕獲
USB流量的捕獲可以使用wireshark自帶的工具usbpcap來進行
安裝wirshark時勾選上安裝usbpcap即可
1.鼠標流量
抓包
鼠標移動的軌跡,右鍵,左鍵的行為都能捕捉到
(這里有個坑,有的鼠標可能協議不標准、抓到的數據分析不了)
保存為pacp文件
USB協議的數據部分在Leftover Capture Data域之中,在Linux下可以用tshark命令可以將 leftover capture data單獨提取出來 命令如下:
tshark -r 7777.pcapng -T fields -e usb.capdata > usbdata.txt
運行命令並查看usbdata.txt 發現數據包長度為八個字節
寫出解密腳本
nums = []
keys = open('usb.txt','r')
posx = 0
posy = 0
for line in keys:
if len(line) != 12 :
continue
x = int(line[3:5],16)
y = int(line[6:8],16)
if x > 127 :
x -= 256
if y > 127 :
y -= 256
posx += x
posy += y
btn_flag = int(line[0:2],16) # 1 for left , 2 for right , 0 for nothing
if btn_flag == 1 :
print posx , posy
keys.close()
當btn_flag 取1時 對應鼠標左鍵、2對應鼠標右鍵
運行腳本可以得到一系列坐標點
得到這些點之后,需要將他們畫出來,因而需要輔以gnuplot 或者其他的繪圖工具,gnuplot的命令為"plot inputfile",運行如下:
使用一航大佬的工具
鍵盤流量
一樣的抓包方式
確定為鍵盤流量后
tshark -r 1111.pcapng -T fields -e usb.capdata > usbdata.txt
腳本
#!/usr/bin/env python
# -*- coding:utf-8 -*-
normalKeys = {"04":"a", "05":"b", "06":"c", "07":"d", "08":"e", "09":"f", "0a":"g", "0b":"h", "0c":"i", "0d":"j", "0e":"k", "0f":"l", "10":"m", "11":"n", "12":"o", "13":"p", "14":"q", "15":"r", "16":"s", "17":"t", "18":"u", "19":"v", "1a":"w", "1b":"x", "1c":"y", "1d":"z","1e":"1", "1f":"2", "20":"3", "21":"4", "22":"5", "23":"6","24":"7","25":"8","26":"9","27":"0","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"-","2e":"=","2f":"[","30":"]","31":"\\","32":"<NON>","33":";","34":"'","35":"<GA>","36":",","37":".","38":"/","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
shiftKeys = {"04":"A", "05":"B", "06":"C", "07":"D", "08":"E", "09":"F", "0a":"G", "0b":"H", "0c":"I", "0d":"J", "0e":"K", "0f":"L", "10":"M", "11":"N", "12":"O", "13":"P", "14":"Q", "15":"R", "16":"S", "17":"T", "18":"U", "19":"V", "1a":"W", "1b":"X", "1c":"Y", "1d":"Z","1e":"!", "1f":"@", "20":"#", "21":"$", "22":"%", "23":"^","24":"&","25":"*","26":"(","27":")","28":"<RET>","29":"<ESC>","2a":"<DEL>", "2b":"\t","2c":"<SPACE>","2d":"_","2e":"+","2f":"{","30":"}","31":"|","32":"<NON>","33":"\"","34":":","35":"<GA>","36":"<","37":">","38":"?","39":"<CAP>","3a":"<F1>","3b":"<F2>", "3c":"<F3>","3d":"<F4>","3e":"<F5>","3f":"<F6>","40":"<F7>","41":"<F8>","42":"<F9>","43":"<F10>","44":"<F11>","45":"<F12>"}
output = []
keys = open('usbdata.txt')
for line in keys:
try:
if line[0]!='0' or (line[1]!='0' and line[1]!='2') or line[3]!='0' or line[4]!='0' or line[9]!='0' or line[10]!='0' or line[12]!='0' or line[13]!='0' or line[15]!='0' or line[16]!='0' or line[18]!='0' or line[19]!='0' or line[21]!='0' or line[22]!='0' or line[6:8]=="00":
continue
if line[6:8] in normalKeys.keys():
output += [[normalKeys[line[6:8]]],[shiftKeys[line[6:8]]]][line[1]=='2']
else:
output += ['[unknown]']
except:
pass
keys.close()
flag=0
print("".join(output))
for i in range(len(output)):
try:
a=output.index('<DEL>')
del output[a]
del output[a-1]
except:
pass
for i in range(len(output)):
try:
if output[i]=="<CAP>":
flag+=1
output.pop(i)
if flag==2:
flag=0
if flag!=0:
output[i]=output[i].upper()
except:
pass
print ('output :' + "".join(output))
直接使用大佬的工具
參考鏈接:
https://www.jianshu.com/p/92064f2e9dcb
https://www.anquanke.com/post/id/85218
工具
https://ctf-wiki.github.io/ctf-wiki/misc/traffic/protocols/USB/