Logger
We are given a PCAP file called keystrokes.pcapng with some USB events:
Identifying the device
The second event shows that the USB device is a keyboard:
Therefore, we will need to analyze keystrokes. USB input devices such as keyboards speak a protocol known as Human Interface Device (HID); more information can be found on Wikipedia. The HID Usage Tables document is published at www.usb.org, and the key codes we need are in Section 10, “Keyboard/Keypad Page (0x07)”:
This table can also be found in this GitHub Gist.
Filtering events
Now we need to find out which events carry the keystroke information. It seems that the packets with a length of 35 bytes are the interesting ones:
So, let’s filter them:
Let’s remove the ones that have zero data (0000000000000000):
And also the ones that start with 2 and are otherwise all zero (2000000000000000):
Alright, now we are left with all the keystroke codes. The only thing left to do is decode them.
Use of tshark
The above filtering can also be done with tshark from the command line:
$ tshark -r keystrokes.pcapng | grep 1.16.1 | grep 35 | grep -v .000000000000000 | awk '{ print $7 }'
0000390000000000
00000b0000000000
0000170000000000
0000050000000000
20002f0000000000
0000390000000000
00000c0000000000
20002d0000000000
0000390000000000
0000060000000000
0000210000000000
0000110000000000
20002d0000000000
0000220000000000
0000200000000000
0000200000000000
20002d0000000000
0000390000000000
00001c0000000000
0000390000000000
0000120000000000
0000180000000000
0000390000000000
0000150000000000
20002d0000000000
0000390000000000
00000e0000000000
0000200000000000
00001c0000000000
00001f0000000000
0000390000000000
2000300000000000
Decoding process
This time, I did the decoding manually, since there were some CAPS keys involved:
CAPS - 0000390000000000
h - 00000b0000000000
t - 0000170000000000
b - 0000050000000000
{ - 20002f0000000000
CAPS - 0000390000000000
i - 00000c0000000000
_ - 20002d0000000000
CAPS - 0000390000000000
c - 0000060000000000
4 - 0000210000000000
n - 0000110000000000
_ - 20002d0000000000
5 - 0000220000000000
3 - 0000200000000000
3 - 0000200000000000
_ - 20002d0000000000
CAPS - 0000390000000000
y - 00001c0000000000
CAPS - 0000390000000000
o - 0000120000000000
u - 0000180000000000
CAPS - 0000390000000000
r - 0000150000000000
_ - 20002d0000000000
CAPS - 0000390000000000
k - 00000e0000000000
3 - 0000200000000000
y - 00001c0000000000
2 - 00001f0000000000
CAPS - 0000390000000000
} - 2000300000000000
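The same decoding, automated. This is an added Python example, not code from the original write-up: it parses the 8-byte boot-protocol keyboard reports, tracks Caps Lock and Shift from the HID Keyboard/Keypad page, and skips the empty and modifier-only reports that the grep filters above drop. The KEYMAP is the US-layout subset of Usage Page 0x07 assumed here, and REPORTS are the rows from the tshark output.

```python
from typing import Iterable

# HID Keyboard/Keypad page (0x07): keycode -> (unshifted, shifted), US layout
KEYMAP = {}
for i, ch in enumerate("abcdefghijklmnopqrstuvwxyz"):
    KEYMAP[0x04 + i] = (ch, ch.upper())
for i, (digit, sym) in enumerate(zip("1234567890", "!@#$%^&*()")):
    KEYMAP[0x1E + i] = (digit, sym)
KEYMAP.update({
    0x28: ("\n", "\n"), 0x2C: (" ", " "), 0x2D: ("-", "_"), 0x2E: ("=", "+"),
    0x2F: ("[", "{"), 0x30: ("]", "}"), 0x31: ("\\", "|"), 0x33: (";", ":"),
    0x34: ("'", '"'), 0x36: (",", "<"), 0x37: (".", ">"), 0x38: ("/", "?"),
})
CAPS_LOCK = 0x39
SHIFT_MASK = 0x22  # modifier byte: bit 1 = left shift, bit 5 = right shift

def decode_reports(reports: Iterable[str]) -> str:
    """Decode 8-byte boot-protocol keyboard reports (hex strings) into text."""
    caps = False
    out = []
    for rep in reports:
        data = bytes.fromhex(rep)
        if len(data) != 8:
            raise ValueError(f"not an 8-byte boot report: {rep}")
        modifiers, keycode = data[0], data[2]  # byte 1 is reserved
        if keycode == 0:
            continue  # key release or modifier-only report (dropped by the greps above)
        if keycode == CAPS_LOCK:
            caps = not caps  # toggles on every press; nothing is emitted
            continue
        if keycode not in KEYMAP:
            out.append(f"<0x{keycode:02x}>")  # unmapped key (F-keys, arrows, ...)
            continue
        plain, shifted = KEYMAP[keycode]
        shift = bool(modifiers & SHIFT_MASK)
        if plain.isalpha():
            out.append(shifted if shift != caps else plain)  # Shift inverts Caps Lock
        else:
            out.append(shifted if shift else plain)  # Caps Lock ignores digits/symbols
    return "".join(out)

# The 32 reports printed by the tshark pipeline above
REPORTS = """
0000390000000000 00000b0000000000 0000170000000000 0000050000000000 20002f0000000000 0000390000000000 00000c0000000000 20002d0000000000
0000390000000000 0000060000000000 0000210000000000 0000110000000000 20002d0000000000 0000220000000000 0000200000000000 0000200000000000
20002d0000000000 0000390000000000 00001c0000000000 0000390000000000 0000120000000000 0000180000000000 0000390000000000 0000150000000000
20002d0000000000 0000390000000000 00000e0000000000 0000200000000000 00001c0000000000 00001f0000000000 0000390000000000 2000300000000000
""".split()
```

Running `decode_reports(REPORTS)` yields the flag directly; feeding it the unfiltered tshark column works too, since zero-keycode reports are skipped.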
Flag
So, after applying all the CAPS toggles accordingly, we find the flag: HTB{i_C4N_533_yOUr_K3Y2}.