Wireshark
Extracting USB Keystrokes
- Traffic between a USB device and the host can be filtered with tshark so that only the payload is shown, e.g. keyboard reports. The filter below keeps HID interrupt transfers (transfer type 0x01) of the expected frame length and drops the all-zero "key released" reports:
tshark -r keystrokes.pcapng -Y "usb.transfer_type==0x01 and frame.len==35 and !(usb.capdata == 00:00:00:00:00:00:00:00)" -T fields -e usbhid.data > output.txt
- A lookup table is needed to convert the USB HID usage IDs in the reports to ASCII characters (the modifier byte tells whether Shift was held):
python keystrokedecoder.py output.txt
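The page does not include keystrokedecoder.py, so here is an added stand-in (not the original script) that reads the tshark output above and rebuilds the typed text. It assumes 8-byte boot-keyboard reports (modifier, reserved, six key codes), a US layout and the constructed sample lines embedded below; because the tshark filter already discards the release reports, each key present in a report is emitted once per report.

```python
import sys

# Constructed USB HID usage-id table (US layout): code -> (unshifted, shifted).
HID_MAP = {0x28: ("\n", "\n"), 0x2c: (" ", " "), 0x2d: ("-", "_"), 0x2e: ("=", "+"),
           0x2f: ("[", "{"), 0x30: ("]", "}"), 0x31: ("\\", "|"), 0x33: (";", ":"),
           0x34: ("'", '"'), 0x36: (",", "<"), 0x37: (".", ">"), 0x38: ("/", "?")}
for i in range(26):                        # 0x04..0x1d -> a..z / A..Z
    HID_MAP[0x04 + i] = (chr(0x61 + i), chr(0x41 + i))
for i, sym in enumerate("!@#$%^&*()"):     # 0x1e..0x27 -> 1..9,0 and their shifted symbols
    HID_MAP[0x1e + i] = (str((i + 1) % 10), sym)
BACKSPACE = 0x2a
SHIFT_MASK = 0x22                          # left shift 0x02 | right shift 0x20 in the modifier byte

# Constructed sample of tshark "-e usbhid.data" output; both field formats are handled.
SAMPLE_LINES = ["00:00:04:00:00:00:00:00", "02:00:05:00:00:00:00:00",
                "00:00:1e:00:00:00:00:00", "00:00:2a:00:00:00:00:00",
                "20:00:1f:00:00:00:00:00", "0000280000000000", "not-hex", ""]

def parse_report(line):
    """Turn one usbhid.data field ('00:00:04:..' or '000004..') into 8 bytes, or None if malformed."""
    try:
        raw = bytes.fromhex(line.strip().replace(":", ""))
    except ValueError:
        return None
    return raw if len(raw) == 8 else None

def decode_reports(lines):
    """Reconstruct typed text from a sequence of boot-keyboard HID reports."""
    out = []
    for line in lines:
        rep = parse_report(line)
        if rep is None:                    # skip empty, truncated or non-keyboard lines
            continue
        shifted = bool(rep[0] & SHIFT_MASK)
        for code in rep[2:8]:              # up to six simultaneously pressed keys
            if code == BACKSPACE:
                if out:
                    out.pop()
            elif code in HID_MAP:
                out.append(HID_MAP[code][shifted])
    return "".join(out)

if __name__ == "__main__":
    # Usage: python keystrokedecoder.py output.txt (falls back to the embedded sample)
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LINES
    print(decode_reports(src))
```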
Extracting Payload sent in DNS Request
Search for DNS requests sent to the given resolver whose query name contains the specific top-level domain; awk keeps only the first label (where the exfiltrated chunk is placed) and uniq collapses adjacent repeated queries:
tshark -r capture.pcapng -Y 'dns && ip.dst==167.71.211.113 && (dns contains xyz)' -T fields -e dns.qry.name | awk -F '.' '{print $1}' | uniq > dns.out