Description
“I just got this new keyboard from Vodaphone Portugal, but it looks like something fishy is going on. Could you help me?”
Solving
- Opening the pcap file It turns out to be a USB communication capture
The file was small and had USB_INTERRUPT events that encode key presses
After a little bit of google fu, I found that the
Leftover Capture Datafield has a series of 8 bytes strung together (the third byte is theUsage ID for the key pressed)So one way to decode this was to look at
Leftover Capture Dataand convert the key presses to human readable outputKnowing this I extracted all
Leftover Capture Datafrom the pcap file (tshark -r dump.pcapng -T fields -e usb.capdata | grep .) and created a python script to help me decode the dumped dataOutput from the
tsharkcommand
01000900
01000000
01000f00
01000000
01000400
01000000
01000a00
01000000
01202f00
...
01000000
01203000
01200000
01002800
01000000
#!/usr/bin/python3
import sys
lower_case_key = {
1:None, 2:None, 3:None, 4:"a", 5:"b", 6:"c",
7:"d", 8:"e", 9:"f", 10:"g", 11:"h", 12:"i",
13:"j", 14:"k", 15:"l", 16:"m", 17:"n", 18:"o",
19:"p", 20:"q", 21:"r", 22:"s", 23:"t", 24:"u",
25:"v", 26:"w", 27:"x", 28:"y", 29:"z", 30:"1",
31:"2", 32:"3", 33:"4", 34:"5", 35:"6", 36:"7",
37:"8", 38:"9", 39:"0", 40:"Enter", 41:"esc",42:"del",
43:"tab", 44:"space", 45:"-",
46:":", 47:"[", 48:"]", 49:"\\",50:" ", 51:",",
52:"'", 53:"`", 54:",", 55:".", 56:"/", 57:"CapsLock",
79:"RightArrow",80:"LeftArrow", 84:"/", 85:"*", 86:"-",
87:"+", 88:"Enter", 89:"1", 90:"2", 91:"3", 92:"4", 93:"5",
94:"6", 95:"7", 96:"8", 97:"9", 98:"0", 99:"."
}
upper_case_key = {
1:None, 2:None, 3:None,5:"B", 6:"C",7:"D",8:"E",
9:"F",10:"G",11:"H",12:"I",13:"J",14:"K",
15:"L", 16:"M", 17:"N", 18:"O", 19:"P", 20:"Q",
21:"R", 22:"S", 23:"T", 24:"U", 25:"V", 26:"W",
27:"X", 28:"Y", 29:"Z", 30:"!", 31:"@", 32:"#",
33:"$", 34:"%", 35:"^", 36:"&", 37:"*", 38:"(",
39:")", 40:"Enter",41:"esc",42:"del",43:"tab",44:"space",
45:"_", 46:"+", 47:"{", 48:"}", 49:"|", 50:" ",
51:":", 52:"\"",53:"~",54:"<",55:">", 56:"?",
57:"CapsLock",79:"RightArrow",80:"LeftArrow",
84:"/", 85:"*", 86:"-", 87:"+", 88:"Enter", 89:"1",
90:"2", 91:"3", 92:"4", 93:"5", 94:"6", 95:"7",
96:"8", 97:"9", 98:"0",99:"."
}
def replace(res : str)-> str:
return res.replace("[","{").replace("]","}").replace("-","_")
def main() -> str:
res = ""
if len(sys.argv) == 2:
# open file with "Leftover Capture Data" field from pcap
with open(sys.argv[1]) as keycodes:
for line in keycodes:
# convert string to bytearray
bytesArray = bytearray.fromhex(line.strip())
# see if a key was pressed(range goes from 4 to 99)
key_press = int(bytesArray[2])
if key_press > 3 and key_press < 100:
# see if left shift or right shift was presses
if bytesArray[0] == 0x02 or bytesArray[0] == 0x20 :
res += upper_case_key[key_press]
else:
res += lower_case_key[key_press]
else:
print("python3 exploit.py file")
return replace(res)
if __name__ == "__main__":
print(main())
flag{usb_sniff_sniff}