![]() ![]() Open the saved file in a image viewer and you see the flag!!Įnter your email address to follow this blog and receive notifications of new posts by email. Select the stream and press Ctrl + h or you can use File->Export Packet Bytes. ![]() Go down a bit and bingo, you can find the PNG image’s header! □ Load up the challenge file and try to find the packets having length greater than 1000 bytes. ![]() Let’s repeat the same steps to find what was transferred. Also I found the file names that were present inside the flash drive. So as a conclusion check for the packets having size greater than 1000 bytes with flags URB_BULK out/in. Most of the packet’s sizes were less than 100 bytes and the transferred text file was found in a packet having a length greater than 1000 bytes, check the URB_BULK out. To capture the USB traffic you must load the USB kernel module ( check here). Of course, wireshark was listening to the usb interface in the background. I plugged in a USB device and transferred a text file ( with contents “findme”*1000). ![]() I made a simple test to understand how a simple file is transferred via USB protocol. Wireshark doesn’t have an easy option to view the transferred files using USB protocol, on the contrary it’s easy to extract or view transferred files in TCP (using TCP stream). In the following paragraphs I will try to explain my approach to solve this problem but i f you just want to see the solution please check the last 2 paragraphs. The initial 4 packets had the information of the devices involved in the traffic. Using the Product ID and Vendor ID I did some research here to get the device details. In fact, this is my first attempt to recover USB traffic from a PCAP file. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |