USB Keyboard packet capture analysis
I managed to solve a challenge during the HackIT CTF 2017. It was a forensic challenge for 100 points entitled Foren100.
Here is the description of the challenge: USB ducker foren100. Description: This file was captured from one of the computers at the Internet cafe. We think that the hacker was using this computer at that time. Try to get his secret documents. (flag format is flag{…}) You can download the pcap file here: Pcap
We have a USB packet capture of a keyboard. If you look at the pcap with Wireshark or tshark you will see that the keyboard type is a :
The event that allows us to see that is frame 287.
By looking at all the types of requests you can see lots of requests of type :
On these requests you will find an interesting field called "Leftover Capture Data" (usb.capdata in Wireshark's display-filter syntax).
Example :
If you look at the official USB HID Usage Tables on page 53 (USB.ORG) you will see a table of correspondence between hexadecimal keycodes and characters.
In the example above, the first byte 02 is the modifier byte and means the left SHIFT key is held, and 2F is the keycode for the [ / { key. Since SHIFT + key gives the upper symbol (as with caps), here it is the { character.
There is a little trick: the arrow keys are used too, and they are used to write on different lines of the file, so we need to handle them rather than just skip them.
So we take all the "Leftover Capture Data" contained in the USB_INTERRUPT frames that come after the GET DESCRIPTOR frames (which tell us that the USB keyboard has been plugged in and recognised).
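Below is an added example of the decoding step, written for this page; it is not the script from the original write-up nor 0xd13a's. It assumes the reports were dumped with tshark, e.g. `tshark -r capture.pcap -Y 'usb.transfer_type == 0x01 && usb.capdata' -T fields -e usb.capdata` (the file name is a placeholder), one hex string per line with or without ':' separators. Each report is decoded as an 8-byte HID boot-keyboard report, SHIFT is applied from the modifier byte, a key that stays in consecutive reports is counted once, and Enter, Backspace and the arrow keys move a cursor over a list of lines so that text typed after an arrow key lands where the author put it. The sample reports are constructed for the example, not taken from the challenge pcap.

```python
"""Decode USB HID boot-keyboard reports ("Leftover Capture Data") into text.

Report layout: byte 0 = modifier bitmap (bit 1 left shift, bit 5 right shift),
byte 1 reserved, bytes 2..7 = keycodes currently pressed. All zeros = release.
"""

# Keycode -> (unshifted, shifted); subset of the HID Usage Tables keyboard page.
KEYMAP = {}
for i, c in enumerate("abcdefghijklmnopqrstuvwxyz"):
    KEYMAP[0x04 + i] = (c, c.upper())
for i, (lo, hi) in enumerate(zip("1234567890", "!@#$%^&*()")):
    KEYMAP[0x1E + i] = (lo, hi)
KEYMAP.update({
    0x2B: ("\t", "\t"), 0x2C: (" ", " "), 0x2D: ("-", "_"), 0x2E: ("=", "+"),
    0x2F: ("[", "{"), 0x30: ("]", "}"), 0x31: ("\\", "|"), 0x33: (";", ":"),
    0x34: ("'", '"'), 0x35: ("`", "~"), 0x36: (",", "<"), 0x37: (".", ">"),
    0x38: ("/", "?"),
})
ENTER, BACKSPACE = 0x28, 0x2A
RIGHT, LEFT, DOWN, UP = 0x4F, 0x50, 0x51, 0x52
SHIFT_MASK = 0x22  # left shift (0x02) | right shift (0x20)


def parse_capdata(text):
    """tshark 'usb.capdata' output (hex, optional ':' separators) -> list of bytes."""
    reports = []
    for line in text.splitlines():
        hexstr = line.strip().replace(":", "")
        if hexstr:
            reports.append(bytes.fromhex(hexstr))
    return reports


def decode_reports(reports):
    """Replay the reports into an editor-like buffer; returns the list of lines."""
    lines = [[]]          # one list of characters per line
    row, col = 0, 0       # cursor position
    prev_keys = set()     # keys seen in the previous report (held, not re-pressed)
    for rep in reports:
        if len(rep) != 8:
            continue      # not a boot-keyboard report (e.g. another endpoint)
        shifted = bool(rep[0] & SHIFT_MASK)
        keys = [k for k in rep[2:8] if k]
        for key in keys:
            if key in prev_keys:
                continue  # still held from the last report; auto-repeat is ignored
            if key == ENTER:          # split the current line at the cursor
                tail = lines[row][col:]
                del lines[row][col:]
                row += 1
                lines.insert(row, tail)
                col = 0
            elif key == BACKSPACE:
                if col > 0:
                    col -= 1
                    del lines[row][col]
            elif key == UP:
                row = max(0, row - 1)
                col = min(col, len(lines[row]))
            elif key == DOWN:
                row = min(len(lines) - 1, row + 1)
                col = min(col, len(lines[row]))
            elif key == LEFT:
                col = max(0, col - 1)
            elif key == RIGHT:
                col = min(len(lines[row]), col + 1)
            elif key in KEYMAP:
                lines[row].insert(col, KEYMAP[key][shifted])
                col += 1
        prev_keys = set(keys)
    return ["".join(chars) for chars in lines]


# Constructed sample (not from the challenge): types "flag{", Enter, "b" held
# across two reports, Left arrow, then "a"; every press is followed by a release.
SAMPLE_CAPDATA = """
00:00:09:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:0f:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:04:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:0a:00:00:00:00:00
00:00:00:00:00:00:00:00
02:00:2f:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:28:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:05:00:00:00:00:00
00:00:05:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:50:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:04:00:00:00:00:00
00:00:00:00:00:00:00:00
"""

if __name__ == "__main__":
    # For a real capture, read the tshark dump from a file instead of SAMPLE_CAPDATA.
    print("\n".join(decode_reports(parse_capdata(SAMPLE_CAPDATA))))
```

Two things matter for a real capture: filter on the interrupt-in transfers only (the GET DESCRIPTOR control transfers carry no keystrokes), and do not just drop every report whose third byte is zero, since those release reports are what lets the decoder tell a held key from a second press.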
I then coded a little script to automatically translate the values. As mine was not really great and I wrote it a long time ago, I will "steal" the write-up of 0xd13a, who made a great script for this :) 0xd13a blog
If you run the script, the flag will be there :)