Boston Key Party: Riverside write-up

Description:

omg tha NSA hacked my super secret login, I caught them exfillin this pcap, am I t3h fuxxed? : 200

And they provide a pcap file.

Opening the file, you quickly discover that it's a recording of USB traffic.  Who knew? 🙂  A little googling revealed some info about that, and a nice set of scripts to work with USB pcaps.

The pcap just contains traffic for a mouse.  The protocol is pretty simple, and I'll leave it to you to research it.  But the main thing to know is that in this case the mouse is being polled, and each report it sends to the host is 4 bytes: 1 byte of button state (bit 0 is button one, bit 1 is button two, and so on), then 1 byte each for the x, y and wheel deltas, each a signed (two's complement) value.  Sometimes button 1 has been pressed, but mostly not.

I thought that maybe I could use the scripts I found to replay or view the traffic.  That might be possible, but it probably isn't a good way to solve the problem.  I tried that for far too long before I gave up to pursue simpler ways to visualize the traffic.

I first wanted to see what the mouse motion was all about.  Maybe they were drawing a picture?  I exported the data from the pcap to a text file (pcap-data.txt) and wrote a script to convert that into a simple PostScript file to display the mouse motion.  What does that look like to you?  It's a sideways keyboard: you can see that there are these "foci" at regular spaces, 10 in one row, then 9, then 7, and a wider area at the right which would be the space bar.  This is a recording of someone typing on a virtual keyboard.

To get the message, I rewrote my script to keep track of the current x, y coordinates and to output a data record with the coordinates and an incrementing sequence number whenever we see a button press in the data (only button one ever gets pressed).  Then I plotted the results with gnuplot, which is incredibly useful, btw.

Plot of button press locations

Sorry, everything is upside-down, but that’s OK.

Some parts of the keyboard are too busy with overlapping numbers to be able to read them.  So I split the data file into pieces and only viewed 15-20 at a time.  But then you have the problem that it's hard to make out exactly where the keys are.  So I scaled everything to the same scale, viewed the diagram above, and marked the key locations with a whiteboard marker on my screen.  Then I could view the data sets with 15-20 key presses and transcribe what letters were being typed.  The message I got was "THE QUICK BROWN FOX JUMPS OVER THE LAZY DOG THEKEYISIHEARDYOULIKEDSKETCHYETCHINGGLASTYEAR".  There was a problem in last year's BKP named "Sketchy", and "Etchy-Sketchy" is slang for "dodgy or uncertain", so this all makes sense.  The double-G doesn't make sense, but after examining the data that appears to be a case where the mouse button had been held down for a long time: the pressed state shows up in two consecutive polling reports, so the same key is counted twice.  But I couldn't get the site to accept the key.
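As an added example (not the author's Perl scripts from the comments below), here is the same decoding done in Python: pull the "Leftover Capture Data" lines out of the Wireshark text export, unpack the 4-byte report with struct so the signed deltas fall out directly, integrate the deltas into a position, and record a key press only on the transition from released to pressed. That last step is what collapses a button held across two polls into one press instead of two. The export text embedded in the script is constructed by hand to mimic the format shown in the comments; it is not data from the challenge pcap.

```python
"""Decode 4-byte USB mouse reports from a Wireshark text export and
recover where the pointer was each time the button went down.

Added example for this write-up, not the author's scripts.  SAMPLE_EXPORT is
constructed by hand to match the "Leftover Capture Data" lines shown in the
comments; it is not data from the challenge pcap.
"""
import re
import struct
from typing import List, Tuple

Report = Tuple[int, int, int, int]  # (buttons, dx, dy, wheel)

# Constructed sample, one report per line.  Reports 3 and 4 show button 1 held
# across two consecutive polls, the "double letter" effect described above.
SAMPLE_EXPORT = """\
No. Time Source Destination Protocol Length Info
101 2015/053 22:07:43.381330000 12.1 host USB 68 URB_INTERRUPT in
Leftover Capture Data: 00010000
Leftover Capture Data: 00020100
Leftover Capture Data: 01000000
Leftover Capture Data: 01000000
Leftover Capture Data: 00000000
Leftover Capture Data: 00fe0000
Leftover Capture Data: 0000ff00
Leftover Capture Data: 01000000
Leftover Capture Data: 00000000
"""

LEFTOVER_RE = re.compile(r"Leftover Capture Data:\s*([0-9A-Fa-f]{8})")


def parse_reports(export_text: str) -> List[Report]:
    """Extract and decode every 4-byte report in the export.

    Byte 0 is the button bitmap (bit 0 = button 1); bytes 1-3 are the x, y and
    wheel deltas as signed bytes.  struct's 'b' format does the two's
    complement conversion that the Perl pack/unpack pair does.
    """
    reports = []
    for match in LEFTOVER_RE.finditer(export_text):
        buttons, dx, dy, wheel = struct.unpack("<Bbbb", bytes.fromhex(match.group(1)))
        reports.append((buttons, dx, dy, wheel))
    return reports


def motion_path(reports: List[Report], start=(0, 0)) -> List[Tuple[int, int]]:
    """Integrate the deltas into absolute positions, one entry per report."""
    x, y = start
    path = []
    for _buttons, dx, dy, _wheel in reports:
        x += dx
        y += dy
        path.append((x, y))
    return path


def click_positions(reports: List[Report], start=(0, 0), button_mask=0x01,
                    dedupe=True) -> List[Tuple[int, int]]:
    """Return the pointer position at each press of the masked button.

    The position is taken before the report's own delta is applied, the same
    convention as the post's script.  With dedupe=True a press is counted only
    on the released-to-pressed transition, so a button held across several
    polls yields a single click rather than one per poll.
    """
    x, y = start
    was_down = False
    clicks = []
    for buttons, dx, dy, _wheel in reports:
        is_down = bool(buttons & button_mask)
        if is_down and (not dedupe or not was_down):
            clicks.append((x, y))
        was_down = is_down
        x += dx
        y += dy
    return clicks


def gnuplot_records(clicks: List[Tuple[int, int]], flip_y=True) -> List[str]:
    """Format clicks as 'x y n' lines for gnuplot's 'with labels'.

    USB mouse y grows downward, so negating y turns the picture the right way up.
    """
    return [f"{x} {-y if flip_y else y} {n}" for n, (x, y) in enumerate(clicks)]


if __name__ == "__main__":
    reps = parse_reports(SAMPLE_EXPORT)
    print("\n".join(gnuplot_records(click_positions(reps))))
```

To run it against a real export, replace SAMPLE_EXPORT with the contents of pcap-data.txt; the regular expression only looks at the "Leftover Capture Data" lines, so the rest of the Wireshark text can stay. Plotting the output with `plot "clicks.txt" with labels` in gnuplot gives the numbered key-press picture from the post, with the held-button duplicates already removed.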

I hate using the shift key.  I frequently type text lowercase and then have to go back and painstakingly upper case characters as needed.  I don’t know why I chose to enter the text as uppercase, but I did.  The key was lower case – John was the one who figured that out.

2 thoughts on "Boston Key Party: Riverside write-up"

  1. Hi, nice way to find the message 🙂
    I'm curious about your script which converts pcap-data.txt to generate the PostScript file. Is there a chance to see it?

  2. Thanks 🙂

    The file that I got from Wireshark looked like this:

    —-
    No. Time Source Destination Protocol Length Info
    101 2015/053 22:07:43.381330000 12.1 host USB 68 URB_INTERRUPT in

    Frame 101: 68 bytes on wire (544 bits), 68 bytes captured (544 bits) on interface 1
    USB URB
    Leftover Capture Data: 00010000

    No. Time Source Destination Protocol Length Info
    103 2015/053 22:07:43.421331000 12.1 host USB 68 URB_INTERRUPT in

    Frame 103: 68 bytes on wire (544 bits), 68 bytes captured (544 bits) on interface 1
    USB URB
    Leftover Capture Data: 00010000

    —-

    The interesting part is the "Leftover Capture Data" lines, which I extracted with something like "awk '/Leftover/ { print $4 }' pcap-data.txt".

    The first script (to show the mouse motion in general) is this:

    —-
    #! /usr/bin/perl
    use strict;
    use warnings;

    my $debug = 0;

    print "%!PS\n";
    print "0.1 setlinewidth\n";
    # arbitrary start chosen to try to center the image
    print "500 -100 newpath moveto\n";

    # one hex string (a 4-byte report) per line, from stdin or the named file
    while (<>) {
        chomp;
        # mouse data is 4 bytes: the first byte (two hex digits) is an 8-bit "button vector",
        # the rest are one byte each for x, y and wheel deltas (two's complement)...

        my $buttons = hex(substr($_, 0, 2));
        my $x = unpack('c', pack('C', hex(substr($_, 2, 2))));
        my $y = unpack('c', pack('C', hex(substr($_, 4, 2))));
        my $w = unpack('c', pack('C', hex(substr($_, 6, 2))));

        # we're ignoring the button presses for now...

        # if the x or y delta are non-zero, draw a relative line
        # (x and y are swapped here, which is why the keyboard comes out sideways)
        if ($x != 0 || $y != 0) {
            printf("%d %d rlineto\n", $y, $x);
        }
    }

    print "0 setgray\n";
    print "stroke\n";

    print "showpage\n";
    —-

    This produces a postscript file which you can view directly.

    Once I realized that these were button presses on a keyboard layout, I wrote a second script to display the x,y coordinates of each button press:

    —-
    #! /usr/bin/perl
    use strict;
    use warnings;

    # keep track of the button presses...
    my $button_count = 0;

    # current x, y coordinates; arbitrary start to try to center the results on the page
    my $current_x = 500;
    my $current_y = -100;

    # when there's a button press, emit a data point with the location and button count
    sub button {
        my ($num) = @_;

        print "$current_x $current_y $num\n";
    }

    # one hex string (a 4-byte report) per line, from stdin or the named file
    while (<>) {
        chomp;
        my $buttons = hex(substr($_, 0, 2));
        my $x = unpack('c', pack('C', hex(substr($_, 2, 2))));
        my $y = unpack('c', pack('C', hex(substr($_, 4, 2))));
        my $w = unpack('c', pack('C', hex(substr($_, 6, 2))));

        # if there's a button press (any button bit set in this report)...
        if ($buttons != 0) {
            button($button_count++);
        }

        # update the current position by the x, y deltas from the mouse data
        $current_x += $x if ($x != 0);
        $current_y += $y if ($y != 0);
    }
    —-

    That just outputs lines showing “x y number” where “number” is the sequence number for the key press. I displayed this with gnuplot. That’s a little busy to read, so I marked the button locations on my monitor with a whiteboard marker and labeled them “Q”, “W”, “E” and so on then displayed 10-15 key presses at a time (just divide the data file into pieces) so that I could read them more easily in the correct sequence…
