

IceCTF 2016

Intercepted Part One

Solution By: duck

Solution (copied from solve.py)

The pcap is a capture of a USB keyboard.

The proper way to tell is by finding the VID/PID combination during enumeration then looking up the device from that.

The easy way is just to have looked at enough USB stuffs to recognize that it's a keyboard. :)

The keyboard data exists in the USB Leftover section. tshark is our friend for extracting this.

tshark -r ./intercept.pcapng -T fields -e usb.capdata -Y usb.capdata 2>/dev/null

The output starts with some data that we don't care about, so use tail to skip the beginning 6 lines.

tshark -r ./intercept.pcapng -T fields -e usb.capdata -Y usb.capdata 2>/dev/null | tail -n +6

The output looks like:


The first byte is a bit field of modifier keys (shift, ctrl, alt, etc.); 0x20 means shift.

The third byte is a keycode. More keycodes can be in the later bytes, but this isn't the case this time.

A line of all 00's means that all keys have been released.

The keycodes can be found here

Except, it's not actually a QWERTY keyboard. It's (mostly) Dvorak. Luckily for me, I actually use Dvorak.

Treating it as pure Dvorak doesn't work either, because some of the symbols aren't actually changed as expected. Truthfully, I didn't save the key, and I did some unswapping by hand, so I don't know if this final script is fully correct. It's at least really close (':' may need to be swapped with 'Z').
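As an added example (not the solve.py from this repo), the following decoder turns tshark's usb.capdata lines into text along the lines described above: byte 0 is the modifier bit field (both shift bits, 0x02 and 0x20, are honoured), bytes 2 to 7 carry keycodes, and only newly pressed keys are emitted so that an all-zero release report or a still-held key never duplicates a character. It also applies the QWERTY-to-Dvorak remap as a second step, since the keycodes in the capture are physical positions and the typist's layout decides which character they mean. The sample reports at the bottom are constructed, not taken from the challenge capture; the keycode table is the standard USB HID boot-keyboard set.

```python
"""Decode USB HID boot-protocol keyboard reports (as printed by
`tshark -T fields -e usb.capdata`) into typed text, with an optional
QWERTY-to-Dvorak remap. Added example; not the repo's solve.py."""
import sys

# HID keycode -> (unshifted, shifted) character on a US QWERTY layout.
KEYMAP = {}
for i, ch in enumerate("abcdefghijklmnopqrstuvwxyz"):
    KEYMAP[0x04 + i] = (ch, ch.upper())
for i, (lo, hi) in enumerate(zip("1234567890", "!@#$%^&*()")):
    KEYMAP[0x1E + i] = (lo, hi)
KEYMAP.update({
    0x28: ("\n", "\n"), 0x2B: ("\t", "\t"), 0x2C: (" ", " "),
    0x2D: ("-", "_"), 0x2E: ("=", "+"), 0x2F: ("[", "{"), 0x30: ("]", "}"),
    0x31: ("\\", "|"), 0x33: (";", ":"), 0x34: ("'", '"'), 0x35: ("`", "~"),
    0x36: (",", "<"), 0x37: (".", ">"), 0x38: ("/", "?"),
})
BACKSPACE = 0x2A
SHIFT_BITS = 0x02 | 0x20  # left shift is bit 1, right shift is bit 5

# Same physical keys, read as a Dvorak layout (unshifted row, then shifted row).
_Q = "-=qwertyuiop[]asdfghjkl;'zxcvbnm,./" + "_+QWERTYUIOP{}ASDFGHJKL:\"ZXCVBNM<>?"
_D = "[]',.pyfgcrl/=aoeuidhtns-;qjkxbmwvz" + "{}\"<>PYFGCRL?+AOEUIDHTNS_:QJKXBMWVZ"
DVORAK_TABLE = str.maketrans(_Q, _D)


def parse_report(line):
    """One capdata line ('20:00:07:...' or '2000070000...') -> bytes, or None if blank."""
    hexstr = line.strip().replace(":", "")
    return bytes.fromhex(hexstr) if hexstr else None


def decode_reports(lines, dvorak=False):
    """Reconstruct typed text from an iterable of capdata lines."""
    text = []
    prev_keys = set()  # keycodes that were already down in the previous report
    for line in lines:
        report = parse_report(line)
        if report is None or len(report) < 3:
            continue
        shift = bool(report[0] & SHIFT_BITS)
        keys = {k for k in report[2:8] if k}  # up to six keycodes; 0 = no key
        for key in keys - prev_keys:  # emit each key once, on the press edge
            if key == BACKSPACE:
                if text:
                    text.pop()
                continue
            pair = KEYMAP.get(key)
            if pair is not None:
                text.append(pair[1] if shift else pair[0])
        prev_keys = keys
    out = "".join(text)
    return out.translate(DVORAK_TABLE) if dvorak else out


# Constructed sample: a Dvorak typist entering "flag{hi}" with one typo and a
# backspace. Two lines use tshark's newer separator-free hex form.
SAMPLE_CAPDATA = """\
00:00:1c:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:13:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:04:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:18:00:00:00:00:00
00:00:00:00:00:00:00:00
20:00:2d:00:00:00:00:00
20:00:00:00:00:00:00:00
00:00:0d:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:1b:00:00:00:00:00
00:00:00:00:00:00:00:00
00002a0000000000
0000000000000000
00:00:0a:00:00:00:00:00
00:00:00:00:00:00:00:00
20:00:2e:00:00:00:00:00
00:00:00:00:00:00:00:00
"""


def demo():
    """Return (QWERTY reading, Dvorak reading) of the constructed sample."""
    lines = SAMPLE_CAPDATA.splitlines()
    return decode_reports(lines), decode_reports(lines, dvorak=True)


if __name__ == "__main__":
    # Usable as the last stage of the tshark pipeline: pipe capdata lines on stdin.
    print(decode_reports(sys.stdin, dvorak="--dvorak" in sys.argv))
```

Read as QWERTY the sample gives "ypau_jg+", which is meaningless; read as Dvorak it gives "flag{hi}". Note that with this remap a shifted QWERTY 'z' press comes out as ':', which is exactly the ':' versus 'Z' ambiguity mentioned above, so a partially remapped layout still has to be checked by hand.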

tshark -r ./intercept.pcapng -T fields -e usb.capdata -Y usb.capdata 2>/dev/null | tail -n +6 | python usbcap_to_ascii.py