https://itsmonish.pages.dev/tags/wireshark/ Recent content in Wireshark on Monish Kumar's Blog Hugo -- gohugo.io en-us Sat, 26 Apr 2025 17:51:33 +0530 https://itsmonish.pages.dev/blog/huntress-ctf-2024/forensics-keyboard-junkie/ Sat, 26 Apr 2025 17:51:33 +0530 https://itsmonish.pages.dev/blog/huntress-ctf-2024/forensics-keyboard-junkie/ <h1 id="keyboard-junkie">Keyboard Junkie </h1><h2 id="challenge-statement">Challenge Statement </h2><p>Author: @JohnHammond</p> <p>My friend wouldn&rsquo;t shut up about his new keyboard, so&hellip;</p> <p>Attachment: <a class="link" href="https://itsmonish.pages.dev/others/huntressctf-2024/keyboard-junkie/keyboard_junkie" >keyboard_junkie</a></p> <h2 id="solution">Solution </h2><p>Running file command on the attachment reveals it to be a PCAP file. Opening it with a wireshark, a packet analyzer, we can observe USB capture data.</p> <p><img src="https://itsmonish.pages.dev/images/huntressctf-2024/keyboard-junkie/1.png" loading="lazy" alt="usb descriptor" ></p> <p>On top of the capture we can even see the request and response of USB device descriptor. This is what happens when you connect a USB input device to a host. The host requests the descriptor for what type of device it is and the device responds. Based on the response we can conclude that, the device is a Keyboard.</p> <p><img src="https://itsmonish.pages.dev/images/huntressctf-2024/keyboard-junkie/2.png" loading="lazy" alt="urb in" ></p> <p>We can also observe a lot of URB (USB Request Block) interrupts in the capture. These are keystrokes recorded by the keyboard. We can&rsquo;t directly see what was typed in as it is not that simple with keyboard. Keystrokes maybe a simple keypress, or a combination of control keys and others. So they have a representation format of their own. This has been explained to good detail in <a class="link" href="https://05t3.github.io/posts/Dissecting-USB-Traffic/#decoding-hid-data" target="_blank" rel="noopener" >this</a> blog.</p> <p>To extract the keystroke data, I used <code>tshark</code> to extract the captured data. This is how the data actually looks like:</p> <p><img src="https://itsmonish.pages.dev/images/huntressctf-2024/keyboard-junkie/3.png" loading="lazy" alt="usb capdata" ></p> <p>Now we need to decode this data. We can do it ourselves but I thought someone might have already put together a script for this. A quick internet search later, I found a page on <a class="link" href="https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/usb-keystrokes" target="_blank" rel="noopener" >hacktricks.xyz</a> about usb pcap inspection and and how we can decode it using <a class="link" href="https://github.com/TeamRocketIst/ctf-usb-keyboard-parser" target="_blank" rel="noopener" >ctf-usb-keyboard-parser</a>.</p> <p>I then just cloned the repo, put the commands for extraction and execution in <a class="link" href="https://itsmonish.pages.dev/others/huntressctf-2024/keyboard-junkie/solve.sh" >solve.sh</a>. Executing them yielded the flag.</p> <p><img src="https://itsmonish.pages.dev/images/huntressctf-2024/keyboard-junkie/4.png" loading="lazy" alt="flag" ></p>