[Misc Notes] Traffic Analysis

A summary of traffic analysis techniques.

tshark

Extracting ICMP data

Command used:

tshark -r key.pcap -T fields -e data > out.txt

Timing steganography

Building on that, to get the timing information of the extracted gif, use:

identify -format "%T" flag.gif

Extracting USB data

Command used:

tshark -r key.pcap -T fields -e usb.capdata > usbdata.txt

Then use the following script to recover the actual content (the typed keys):

# HID keyboard usage id -> character (letters as upper case, no Shift handling)
mappings = { 0x04:"A",  0x05:"B",  0x06:"C", 0x07:"D", 0x08:"E", 0x09:"F", 0x0A:"G",  0x0B:"H", 0x0C:"I",  0x0D:"J", 0x0E:"K", 0x0F:"L", 0x10:"M", 0x11:"N",0x12:"O",  0x13:"P", 0x14:"Q", 0x15:"R", 0x16:"S", 0x17:"T", 0x18:"U",0x19:"V", 0x1A:"W", 0x1B:"X", 0x1C:"Y", 0x1D:"Z", 0x1E:"1", 0x1F:"2", 0x20:"3", 0x21:"4", 0x22:"5",  0x23:"6", 0x24:"7", 0x25:"8", 0x26:"9", 0x27:"0", 0x28:"\n", 0x2A:"[DEL]",  0x2B:"    ", 0x2C:" ",  0x2D:"-", 0x2E:"=", 0x2F:"[",  0x30:"]",  0x31:"\\", 0x32:"~", 0x33:";",  0x34:"'", 0x36:",",  0x37:"." }
nums = []
# each line is one 8-byte report, e.g. 00:00:04:00:00:00:00:00
# keep only reports with no modifier byte and a single key in the first slot
with open('usbdata.txt') as keys:
    for line in keys:
        if line[0]!='0' or line[1]!='0' or line[3]!='0' or line[4]!='0' or line[9]!='0' or line[10]!='0' or line[12]!='0' or line[13]!='0' or line[15]!='0' or line[16]!='0' or line[18]!='0' or line[19]!='0' or line[21]!='0' or line[22]!='0':
            continue
        nums.append(int(line[6:8],16))  # third byte is the key usage id
output = ""
for n in nums:
    if n == 0:
        continue  # key-release report
    if n in mappings:
        output += mappings[n]
    else:
        output += '[unknown]'
print('output :\n' + output)
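The script above drops every report whose modifier byte is non-zero, so anything typed with Shift is lost, and it maps Backspace to a literal "[DEL]". The following decoder is an added example (not part of the original note) that reads the modifier byte, all six key slots and Backspace, and emits a key only when it is newly pressed; SAMPLE is a constructed dump in the format the tshark command above produces.

```python
# Added example, not from the original note: fuller decoder for usbdata.txt
# (8-byte boot-protocol keyboard reports, one per line). Handles Shift, all
# six key slots, Backspace, and held keys. SAMPLE is a constructed dump.
SHIFT_MASK = 0x22  # left Shift (bit 1) or right Shift (bit 5) of byte 0
BACKSPACE = 0x2A
# HID keyboard usage id -> (unshifted, shifted) character
KEYMAP = {0x28: ("\n", "\n"), 0x2C: (" ", " "), 0x2D: ("-", "_"),
          0x2E: ("=", "+"), 0x2F: ("[", "{"), 0x30: ("]", "}"),
          0x31: ("\\", "|"), 0x33: (";", ":"), 0x34: ("'", '"'),
          0x36: (",", "<"), 0x37: (".", ">"), 0x38: ("/", "?")}
for i, ch in enumerate("abcdefghijklmnopqrstuvwxyz"):
    KEYMAP[0x04 + i] = (ch, ch.upper())
for i, (d, s) in enumerate(zip("1234567890", "!@#$%^&*()")):
    KEYMAP[0x1E + i] = (d, s)

SAMPLE = """\
20:00:18:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:16:00:00:00:00:00
0000160000000000
00:00:00:00:00:00:00:00
00:00:1b:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:2a:00:00:00:00:00
00:00:00:00:00:00:00:00
02:00:2d:00:00:00:00:00
00:00:00:00:00:00:00:00
00:00:1e:28:00:00:00:00
"""


def decode_keystrokes(lines):
    """Return the text typed, given one hex-encoded report per line."""
    out, held = [], set()  # held: usage ids down in the previous report
    for line in lines:
        # tshark prints bytes either as 'aa:bb:..' or 'aabb..'; accept both
        report = bytes.fromhex(line.strip().replace(":", ""))
        if len(report) < 8:
            continue  # blank line or not a keyboard report; skip it
        shifted = bool(report[0] & SHIFT_MASK)
        down = [k for k in report[2:8] if k]  # non-zero key slots, in order
        for key in down:
            if key in held:
                continue  # still held from the last report, already emitted
            if key == BACKSPACE:
                out = out[:-1]  # drop the previous character
            else:
                out.append(KEYMAP.get(key, ("[%#04x]" % key,) * 2)[shifted])
        held = set(down)
    return "".join(out)


if __name__ == "__main__":
    print(decode_keystrokes(SAMPLE.splitlines()))  # Us_1 followed by newline
```

To use it on a real capture, replace SAMPLE with the contents of usbdata.txt from the tshark command above.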