added details about -z
This commit is contained in:
parent
2e1d63eab1
commit
54ecb707e6
@ -18,6 +18,17 @@ Autostop `-a` and ringbuffer `-b` arguments may be set to stop or split files
at defined duration `duration:10`, sizes `filesize:100`, and count of files
`files:5`.
Use `-z help` to see options of possible statistics, use `-q` to suppress
packet details.
## Find Credentials
Tshark can list all found credentials via the following command
```sh
tshark -r file.pcap -z credentials -q
```
## Extracting USB Keystrokes
Data between USB devices and the host can be filtered via tshark in order to
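Review bot: "Tshark can list all found credentials" overstates what `-z credentials` does; the tap only reports credentials that a dissector with credentials-tap support has already extracted from cleartext traffic, so encrypted or unsupported protocols produce nothing. Suggest "list credentials found in supported cleartext protocols" and end the sentence with a colon, since it introduces the code block. The new `-z help` line says `-q` suppresses packet details; for the credentials command that is what keeps the per-packet output from burying the statistics table, which is worth stating next to the command rather than a paragraph earlier.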
@ -27,7 +38,8 @@ display just the payload, e.g. keystrokes in the following way
tshark -r keystrokes.pcapng -Y "usb.transfer_type==0x01 and frame.len==35 and! (usb.capdata == 00:00:00:00:00:00:00:00)" -T fields -e usbhid.data > output.txt
```
A lookup table is needed to [convert the USBHID data to ASCII values](https://gist.github.com/ImAnEnabler/091a9e1ee2d6a0805408e009e2f4a2b5)
A lookup table is needed to [convert the USBHID data to ASCII
values](https://gist.github.com/ImAnEnabler/091a9e1ee2d6a0805408e009e2f4a2b5)
```sh
python keystrokedecoder.py output.txt
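Review bot: the re-wrapped lookup-table sentence is fine, but the command above it filters on `usb.capdata` while extracting `usbhid.data`; which of the two fields is populated depends on whether the HID dissector claims the payload, so the display filter and the `-e` field should name the same field or one side of the pipeline silently comes up empty. Write `and!` as `and !` for readability, and say next to the command that `frame.len==35` ties the filter to one capture's frame size (the capture pseudo-header plus the 8-byte report the zero-check compares against); captures with a different pseudo-header drop every frame. Finally, `python keystrokedecoder.py output.txt` invokes a script the page never introduces; state that it is the decoder built from the linked gist (or name its source) so the reader knows where to get it.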