Tuesday, October 2, 2012

CSAW CTF Quals: Networking 300

In this challenge all they gave was a pcap file called dongle.pcap that was a network capture of usb traffic. It took us a while to figure out what was happening until we found a packet where the device sending all the traffic identified itself by vendor and device ID. From here we did a simple google search and found that the device was a Teensyduino Keyboard. We downloaded the code that goes along with this device and were able to make a mapping of bytes to keystrokes. The tshark command used was:

tshark -r dongle.pcap -R "usb.transfer_type == 1 && usb.endpoint_number.direction == 1 && usb.device_address == 26" -T fields -e usb.capdata > usbdata

This command put all of the usb traffic data into a file called usbdata. Then we made a python script which parsed the data and converted it into keystrokes.
import binascii

data = open('bob', 'r').read().split('\n')

keys = {"4":"A","5":"B","6":"C","7":"D","8":"E","9":"F","10":"G","11":"H","12":"I","13":"J","14":"K","15":"L","16":"M","17":"N","18":"O","19":"P","20":"Q","21":"R","22":"S","23":"T","24":"U","25":"V","26":"W","27":"X","28":"Y","29":"Z","30":"1","31":"2","32":"3","33":"4","34":"5","35":"6","36":"7","37":"8","38":"9","39":"0","40":"ENTER","41":"ESC","42":"BACKSPACE","43":"TAB","44":"SPACE","45":"MINUS","46":"EQUAL","47":"LEFT_BRACE","48":"RIGHT_BRACE","49":"BACKSLASH","50":"NUMBER","51":"SEMICOLON","52":"QUOTE","53":"TILDE","54":"COMMA","55":"PERIOD","56":"SLASH","57":"CAPS_LOCK","58":"F1","59":"F2","60":"F3","61":"F4","62":"F5","63":"F6","64":"F7","65":"F8","66":"F9","67":"F10","68":"F11","69":"F12","70":"PRINTSCREEN","71":"SCROLL_LOCK","72":"PAUSE","73":"INSERT","74":"HOME","75":"PAGE_UP","76":"DELETE","77":"END","78":"PAGE_DOWN","79":"RIGHT","80":"LEFT","81":"DOWN","82":"UP","83":"NUM_LOCK","84":"EYPAD_SLASH","85":"EYPAD_ASTERIX","86":"EYPAD_MINUS","87":"EYPAD_PLUS","88":"EYPAD_ENTER","89":"EYPAD_1","90":"EYPAD_2","91":"EYPAD_3","92":"EYPAD_4","93":"EYPAD_5","94":"EYPAD_6","95":"EYPAD_7","96":"EYPAD_8","97":"EYPAD_9","98":"EYPAD_0","99":"EYPAD_PERIOD",}

bob = ''
counter = 0
for line in data:
 if ':' in line:
  counter += 1
  l_bytes = line.split(':')
  breakout = True
  for i in l_bytes:
   if not i == '00':
    breakout = False
  if not breakout: 
   #print l_bytes
   if l_bytes[0] == '02':
    print 'SHIFT',
   val = int(l_bytes[2],16)
   print keys[str(val)],

When we run this program, it outputs the following file. (It has been prettified).

rxterm -geometry 12x1+0+0 ENTER echo K ENTER 
rxterm -geometry 12x1+75+0 ENTER echo E ENTER 
rxterm -geometry 12x1+150+0 ENTER echo Y ENTER 
rxterm -geometry 12x1+225+0 ENTER echo { ENTER 
rxterm -geometry 12x1+300+0 ENTER echo C ENTER 
rxterm -geometry 12x1+375+0 ENTER echo 4 ENTER 
rxterm -geometry 12x1+450+0 ENTER echo 8 ENTER 
rxterm -geometry 12x1+525+0 ENTER echo B ENTER 
rxterm -geometry 12x1+600+0 ENTER echo A ENTER 
rxterm -geometry 12x1+675+0 ENTER echo 9 ENTER 
rxterm -geometry 12x1+0+40 ENTER echo 9 ENTER 
rxterm -geometry 12x1+75+40 ENTER echo 3 ENTER 
rxterm -geometry 12x1+150+40 ENTER echo D ENTER 
rxterm -geometry 12x1+225+40 ENTER echo 3 ENTER 
rxterm -geometry 12x1+300+40 ENTER echo 5 ENTER 
rxterm -geometry 12x1+450+40 ENTER echo C ENTER 
rxterm -geometry 12x1+375+40 ENTER echo 3 ENTER 
rxterm -geometry 12x1+525+40 ENTER echo A ENTER 
rxterm -geometry 12x1+600+40 ENTER echo } ENTER

We got stuck here for a while because this key did not work. Eventually, we got a fresh pair of eyes that noticed the 'C' and the '3' needed to be switch because of where the window appears with the geometry offsets of the xterm commands. The final key was: key{c48ba993d353ca}.

  -- suntzu_II

No comments:

Post a Comment