This task was one of the most challenging Wireshark-related forensics tasks I have played. We were given a Wireshark capture that showed packets using the USB protocol (Universal Serial Bus).

My first thought was that this was probably traffic captured from a keyboard, as you can see there are a lot of URB_INTERRUPT packets in the capture. Maybe these keystrokes hide within them the beloved FLAG. However, extracting these keystrokes won't be that easy; we first have to read about this protocol.

After some research I figured out that there are four transfer types: 0: isochronous, 1: interrupt, 2: control, 3: bulk. We are interested here in the interrupt type, since a HID keyboard sends its key reports on an interrupt endpoint, so we have to add this filter to Wireshark: **usb.transfer_type == 0x01**

I have also figured out that the keystrokes are stored in the 'Leftover Capture Data' field (usb.capdata) in hexadecimal.
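To turn those hex 'Leftover Capture Data' values back into text, here is an added decoder (my own example, not code from the original write-up). It assumes the device is a USB HID boot keyboard, whose interrupt reports are 8 bytes: a modifier byte, a reserved byte and up to six keycodes from the HID keyboard/keypad usage page. The `SAMPLE_CAPDATA` list is constructed for the example; in a real solve you would feed it the output of `tshark -r capture.pcap -Y 'usb.transfer_type == 0x01 && usb.capdata' -T fields -e usb.capdata`. The keymap is partial (letters, digits, common punctuation) and the function names are my own.

```python
# Added example, not from the original post: decode USB HID boot-keyboard reports
# carried in the 'Leftover Capture Data' (usb.capdata) of URB_INTERRUPT packets.
# Report layout (8 bytes): [modifier][reserved][key1][key2][key3][key4][key5][key6]
# Keycodes are usage ids from the HID keyboard/keypad page (0x07).
from typing import Iterable, List, Set

# Partial usage-id -> (unshifted, shifted) table; extend for keys your capture uses.
KEYMAP = {}
for i, ch in enumerate("abcdefghijklmnopqrstuvwxyz"):
    KEYMAP[0x04 + i] = (ch, ch.upper())            # 0x04 'a' .. 0x1D 'z'
for i, (lo, hi) in enumerate(zip("1234567890", "!@#$%^&*()")):
    KEYMAP[0x1E + i] = (lo, hi)                    # 0x1E '1' .. 0x27 '0'
KEYMAP.update({
    0x28: ("\n", "\n"),  # Enter
    0x2C: (" ", " "),    # Space
    0x2D: ("-", "_"),
    0x2E: ("=", "+"),
    0x2F: ("[", "{"),
    0x30: ("]", "}"),
    0x33: (";", ":"),
    0x34: ("'", '"'),
    0x36: (",", "<"),
    0x37: (".", ">"),
    0x38: ("/", "?"),
})
BACKSPACE = 0x2A
SHIFT_MASK = 0x22  # modifier byte: bit 1 = left shift, bit 5 = right shift


def parse_report(line: str) -> bytes:
    """One usb.capdata value, '0000090000000000' or '00:00:09:...', to raw bytes."""
    return bytes.fromhex(line.strip().replace(":", ""))


def decode_keystrokes(capdata_lines: Iterable[str]) -> str:
    """Reconstruct typed text from a sequence of keyboard reports.

    A key that stays down shows up in consecutive reports, so only keys that
    were NOT in the previous report count as new presses; an all-zero report
    is a release. Backspace removes the last decoded character.
    """
    typed: List[str] = []
    held: Set[int] = set()  # keycodes that were down in the previous report
    for line in capdata_lines:
        report = parse_report(line)
        if len(report) != 8:
            continue  # not a boot-keyboard report (another interface, e.g. a mouse)
        shifted = bool(report[0] & SHIFT_MASK)
        down = {k for k in report[2:8] if k}
        for key in sorted(down - held):  # newly pressed keys only
            if key == BACKSPACE:
                if typed:
                    typed.pop()
            elif key in KEYMAP:
                typed.append(KEYMAP[key][1 if shifted else 0])
            else:
                typed.append("<%02x>" % key)  # unknown usage id: keep it visible
        held = down
    return "".join(typed)


# Constructed sample (not real capture data): someone types "flag{h1X", holds '1'
# across two reports, corrects the stray 'X' with Backspace and finishes with '}'.
SAMPLE_CAPDATA = [
    "0000090000000000", "0000000000000000",  # f
    "00000f0000000000", "0000000000000000",  # l
    "0000040000000000", "0000000000000000",  # a
    "00000a0000000000", "0000000000000000",  # g
    "02002f0000000000", "0000000000000000",  # left shift + [  -> {
    "00000b0000000000", "0000000000000000",  # h
    "00001e0000000000", "00001e0000000000",  # 1 (held, reported twice)
    "0000000000000000",
    "20001b0000000000", "0000000000000000",  # right shift + x -> X (typo)
    "00002a0000000000", "0000000000000000",  # Backspace
    "0200300000000000", "0000000000000000",  # left shift + ]  -> }
]

if __name__ == "__main__":
    print(decode_keystrokes(SAMPLE_CAPDATA))
```

Two details matter in practice: filtering on the interrupt transfer type alone also keeps reports from other HID devices on the bus, so check the source address (usb.src) of the keyboard and restrict the filter to it; and if every report looks like 9 bytes instead of 8, the capture is carrying a leading report-id byte and you need to skip it before decoding.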