Boston Key Party: Riverside write-up

Description:

omg tha NSA hacked my super secret login, I caught them exfillin this pcap, am I t3h fuxxed? : 200

And they provide a pcap file.

Viewing the file with pcap, you quickly discover that it's a recording of USB traffic.  Who knew? 🙂  A little googling revealed some info about that, and a nice set of scripts to work with USB pcaps.

The pcap just contains traffic for a mouse.  The protocol is pretty simple, and I'll leave it to you to research it.  But the main thing to know is that in this case the mouse is being polled, and in the data it sends to the host there are 4 bytes: 8 bits of button data (button one on/off, button two on/off, etc.), then 1 byte each for the x, y and wheel delta (2's complement).  Sometimes button 1 has been pressed, but mostly not.

I thought that maybe I could use the scripts I found to replay or view the traffic – that might be possible, but probably isn’t a good way to solve the problem.  I tried that for far too long before I gave up to pursue simpler ways to visualize the traffic.

I first wanted to see what the mouse motion was all about – maybe they were drawing a picture?  I exported the data from the pcap to a text file (pcap-data.txt) and wrote a script to convert that into a simple PostScript file to display the mouse motion.  What's that look like to you?  It's a sideways keyboard – you can see that there are these "foci" at regular spacings, 10 in one row, then 9, then 7, and a wider area at the right which would be the space bar.  This is a recording of someone typing on a virtual keyboard.

To get the message, I rewrote my script to keep track of the current x, y coordinates and to output a data record with the coordinates and an incrementing sequence number whenever we see a button press in the data (only button one ever gets pressed).  Then I plotted the results with gnuplot, which is incredibly useful, btw.

Plot of button press locations

Sorry, everything is upside-down, but that’s OK.

Some parts of the keyboard are too busy with overlapping numbers to be able to read them.  So I split the data file into pieces and only viewed 15-20 at a time.  But then you have the problem that it's hard to make out exactly where the keys are.  So I scaled everything to the same scale, viewed the diagram above, and marked the key locations with a whiteboard marker on my screen.  Then I could view the data sets with 15-20 key presses and transcribe what letters were being typed.  The message I got was "THE QUICK BROWN FOX JUMPS OVER THE LAZY DOG THEKEYISIHEARDYOULIKEDSKETCHYETCHINGGLASTYEAR".  There was a problem in last year's BKP named "Sketchy", and "Etchy-Sketchy" is slang for "dodgy or uncertain", so this all makes sense.  The double-G doesn't make sense, but after examining the data that appears to be a case where the mouse button had been held down for a long time: the press spans two polling periods, so it shows up twice.  But I couldn't get the site to accept the key.
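Here is an added example (my own code, not the write-up's script) that does what the paragraphs above describe: it decodes the 4-byte mouse reports (button bits, then signed x, y and wheel deltas), integrates the deltas into an absolute cursor position, and emits a sequence-numbered record for each button-1 press that gnuplot can plot with labels.  The input format is an assumption, since the post doesn't show what the pcap-data.txt export looks like: one report per line as hex bytes.  It goes one step past the post by treating a button that stays down across consecutive polls as a single press (rising-edge detection), which is exactly the situation behind the doubled G; pass `dedupe_held=False` to reproduce the raw behaviour.

```python
"""Decode exported USB mouse reports and locate button presses on the virtual keyboard."""
import struct
from typing import Iterable, List, Tuple

# Constructed sample input, one 4-byte mouse report per line (assumed export format):
# byte 0 = button bits, bytes 1-3 = signed x, y, wheel deltas (two's complement).
SAMPLE_REPORTS = """\
00 0a 00 00
00 0a 00 00
01 00 00 00
00 00 00 00
00 f6 05 00
01 00 00 00
01 00 00 00
00 00 00 00
"""

Press = Tuple[int, int, int]  # (sequence number, x, y)


def parse_report(line: str) -> Tuple[int, int, int, int]:
    """Return (buttons, dx, dy, wheel) from one hex-encoded report line."""
    raw = bytes.fromhex(line.replace(" ", ""))
    if len(raw) == 3:          # some mice omit the wheel byte; treat it as zero
        raw += b"\x00"
    if len(raw) < 4:
        raise ValueError(f"report too short: {line!r}")
    # 'B' = unsigned button byte, 'b' = signed (two's complement) deltas
    buttons, dx, dy, wheel = struct.unpack("<Bbbb", raw[:4])
    return buttons, dx, dy, wheel


def trace_clicks(lines: Iterable[str], dedupe_held: bool = True) -> List[Press]:
    """Integrate motion deltas and record where button 1 is pressed.

    With dedupe_held=True a button held across several polling periods counts once
    (only the 0->1 transition is recorded); with False every report with the button
    down produces a record, which is what makes a held key appear twice.
    """
    x = y = 0
    seq = 0
    prev_down = False
    presses: List[Press] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        buttons, dx, dy, _wheel = parse_report(line)
        x += dx
        y += dy
        down = bool(buttons & 0x01)   # bit 0 is button 1 (left)
        if down and (not prev_down or not dedupe_held):
            seq += 1
            presses.append((seq, x, y))
        prev_down = down
    return presses


def gnuplot_lines(presses: List[Press]) -> str:
    """Format presses as 'x y seq' rows for gnuplot's 'with labels' style."""
    rows = ["# x y seq"] + [f"{x} {y} {seq}" for seq, x, y in presses]
    return "\n".join(rows) + "\n"


if __name__ == "__main__":
    import sys
    # Usage: python trace_clicks.py pcap-data.txt > clicks.dat
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPORTS.splitlines()
    sys.stdout.write(gnuplot_lines(trace_clicks(source)))
```

Plot the output with `plot 'clicks.dat' using 1:2:3 with labels`, and add `set yrange [] reverse` if you want the keyboard the right way up: mouse y grows downward while gnuplot's grows upward, which is why the original plot came out upside-down.  Splitting the file into 15-20 press chunks, as the post does, is just a matter of slicing the returned list before formatting it.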

I hate using the shift key.  I frequently type text lowercase and then have to go back and painstakingly upper-case characters as needed.  I don't know why I chose to enter the text as uppercase, but I did.  The key was lower case – John was the one who figured that out.