USB PCAP Forensics: Barcode Scanner (NSEC CTF 2021 Writeup, Part 1/3)

Exploring the data

Don’t forget to create a separate profile (bottom right) for USB packets, as the interesting columns and settings will differ from those used for network-based PCAPs
Two identical “handshakes”
Page 11

Extracting and understanding the data

Easy way to filter when you don’t remember the exact filter name
Create a new display column easily with this one weird trick
Export as CSV
The “Fork” operation splits the input into multiple inputs, so each subsequent operation is applied to each subset of the input. The “Merge delimiter” dictates what is appended between the inputs when they are merged back together in the output box.

Recovering what was scanned

# The data from CyberChef: (modifier byte, key code) pairs
chars = [
    ("00", "16"), ("00", "0c"),
    # ...
    ("00", "04"), ("00", "28"),
]

# Association between code and char
keymap = {
    "04": "a",
    "05": "b",
    "06": "c",
    "07": "d",
    "08": "e",
    "09": "f",
    "0A": "g",
    "0B": "h",
    "0C": "i",
    "0D": "j",
    "0E": "k",
    "0F": "l",
    "10": "m",
    "11": "n",
    "12": "o",
    "13": "p",
    "14": "q",
    "15": "r",
    "16": "s",
    "17": "t",
    "18": "u",
    "19": "v",
    "1A": "w",
    "1B": "x",
    "1C": "y",
    "1D": "z",
    "1E": "1",
    "1F": "2",
    "20": "3",
    "21": "4",
    "22": "5",
    "23": "6",
    "24": "7",
    "25": "8",
    "26": "9",
    "27": "0",
    "2C": " ",
    "28": "\n",
    "2D": "-",
    "34": "'",
    "36": ",",
    "2E": "=",
    "33": ";",
}

# Shifted symbols that are not simply the uppercase form of the key
upper_map = {
    "-": "_",
    "0": ")",
    "9": "(",
}

phrase = ""
for char in chars:
    if char[1].upper() in keymap:
        # If LShift is not pressed
        if char[0] == "00":
            phrase += keymap[char[1].upper()]
        # If LShift is pressed
        else:
            actual_char = keymap[char[1].upper()]
            if actual_char in upper_map:
                # Add a char to be printed
                actual_char = upper_map[actual_char]
            elif not actual_char.isalpha():
                # For debug purposes: shifted symbol missing from upper_map
                print(f"skip {char}")
            phrase += actual_char.upper()
    else:
        # For debug purposes
        print(f"skip {char}")
print(phrase)
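
The following is an added example, not part of the original writeup. It generalizes the script above to decode whole reports directly, covering the full US-layout symbol set, both shift bits, and keys still held from the previous report. It assumes each report is the standard 8-byte boot-keyboard layout (modifier byte, reserved byte, six key codes); the name decode_reports and the sample reports are constructed for illustration.

```python
import string

# Keyboard usage IDs: 0x04-0x1D are a-z, 0x1E-0x27 are 1-9 then 0.
PLAIN = dict(zip(range(0x04, 0x1E), string.ascii_lowercase))
PLAIN.update(zip(range(0x1E, 0x28), "1234567890"))
PLAIN.update({0x28: "\n", 0x2B: "\t", 0x2C: " "})
PLAIN.update(zip(range(0x2D, 0x32), "-=[]\\"))
PLAIN.update(zip(range(0x33, 0x39), ";'`,./"))

SHIFTED = {code: char.upper() for code, char in PLAIN.items()}
SHIFTED.update(zip(range(0x1E, 0x28), "!@#$%^&*()"))
SHIFTED.update(zip(range(0x2D, 0x32), "_+{}|"))
SHIFTED.update(zip(range(0x33, 0x39), ':"~<>?'))
SHIFT_BITS = 0x02 | 0x20  # left shift | right shift bits of the modifier byte


def decode_reports(hex_reports):
    """Return (text, unknown_reports) for hex strings of 8-byte reports."""
    text, unknown, held = [], [], set()
    for line in hex_reports:
        try:
            report = bytes.fromhex(line.replace(":", ""))
        except ValueError:
            report = b""
        if len(report) != 8:          # not a boot-keyboard report: keep for review
            unknown.append(line)
            continue
        table = SHIFTED if report[0] & SHIFT_BITS else PLAIN
        keys = [k for k in report[2:] if k > 0x03]   # 0x00-0x03: empty or error
        for key in keys:
            if key in held:           # still pressed since the previous report
                continue
            if key in table:
                text.append(table[key])
            else:
                unknown.append(line)
        held = set(keys)
    return "".join(text), unknown


# Constructed sample reports (not taken from the challenge capture).
SAMPLE = [
    "0200040000000000", "0000000000000000",   # LShift + a, release
    "0000050000000000", "0000052d00000000",   # b, then '-' while b is still down
    "0000000000000000", "20002d0000000000",   # release, RShift + '-'
    "0200260000000000", "0000280000000000",   # LShift + 9, then Enter
]

print(decode_reports(SAMPLE))
```

Reports that cannot be decoded are returned in the second element instead of being dropped, so gaps in the recovered text can be traced back to specific packets.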


Blue team analyst in Quebec, Canada. Passionate about most aspects of cybersecurity, and very curious in general.

Émilio Gonzalez
