# Wireshark
## Extracting USB Keystrokes
* Traffic between a USB device and the host can be filtered with tshark so that only the HID payload (here, the keyboard reports) is printed. The filter keeps interrupt transfers (`usb.transfer_type==0x01`), selects the keyboard report frames by size (`frame.len==35`, a value that is specific to this capture and should be checked against your own), and drops the all-zero reports that mean "no key pressed":

```sh
tshark -r keystrokes.pcapng -Y "usb.transfer_type==0x01 and frame.len==35 and !(usb.capdata == 00:00:00:00:00:00:00:00)" -T fields -e usbhid.data > output.txt
```
* A lookup table is needed to [convert the USBHID data to ASCII values](https://gist.github.com/ImAnEnabler/091a9e1ee2d6a0805408e009e2f4a2b5)

```sh
python keystrokedecoder.py output.txt
```
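The lookup step in a self-contained form, as an added example rather than the linked gist: it decodes 8-byte USB HID boot-keyboard reports (modifier byte, reserved byte, up to six key usage IDs) the way the `tshark -e usbhid.data` output above presents them, handles Shift, Backspace and keys that stay pressed across consecutive reports, and accepts both the colon-separated and the plain hex form that different tshark versions print. The sample reports at the bottom are constructed for the demonstration.

```python
"""Decode USB HID keyboard reports (one hex report per line) into typed text."""

# USB HID usage ID -> (unshifted, shifted) for the keys a capture like this typically holds.
_KEYMAP = {0x28: ("\n", "\n"), 0x2c: (" ", " "), 0x2d: ("-", "_"), 0x2e: ("=", "+"),
           0x2f: ("[", "{"), 0x30: ("]", "}"), 0x33: (";", ":"), 0x34: ("'", '"'),
           0x36: (",", "<"), 0x37: (".", ">"), 0x38: ("/", "?")}
_KEYMAP.update({0x04 + i: (chr(ord("a") + i), chr(ord("A") + i)) for i in range(26)})
_KEYMAP.update({0x1e + i: (d, s) for i, (d, s) in enumerate(zip("1234567890", "!@#$%^&*()"))})

SHIFT_MASK = 0x22  # modifier byte: bit 1 = left shift, bit 5 = right shift
BACKSPACE = 0x2a


def decode_reports(lines):
    """Return the text typed in a sequence of 8-byte keyboard reports.

    A key is present in every report while it is held down, so a key is only
    emitted when it was absent from the previous report (otherwise held keys
    would be repeated once per poll).
    """
    out, prev = [], set()
    for line in lines:
        raw = bytes.fromhex(line.strip().replace(":", ""))
        if len(raw) != 8:
            continue  # not a boot-protocol keyboard report; skip it
        shifted = bool(raw[0] & SHIFT_MASK)
        keys = [k for k in raw[2:8] if k]
        for k in keys:
            if k in prev:
                continue
            if k == BACKSPACE:
                if out:
                    out.pop()
            elif k in _KEYMAP:
                out.append(_KEYMAP[k][1 if shifted else 0])
        prev = set(keys)
    return "".join(out)


# Constructed sample: types "flag{Usb_1}", with one held key, one typo corrected, then Enter.
SAMPLE_REPORTS = [
    "0000090000000000", "0000000000000000", "00000f0000000000",
    "00:00:0f:00:00:00:00:00", "0000000000000000", "0000040000000000",  # 'l' still held
    "0000000000000000", "00000a0000000000", "0000000000000000", "02002f0000000000",
    "0000000000000000", "0200180000000000", "0000000000000000", "0000160000000000",
    "0000000000000000", "0000050000000000", "0000000000000000", "02002d0000000000",
    "0000000000000000", "00001b0000000000", "0000000000000000", "00002a0000000000",  # 'x', Backspace
    "0000000000000000", "00001e0000000000", "0000000000000000", "0200300000000000",
    "0000000000000000", "0000280000000000",
]


def decode_sample():
    return decode_reports(SAMPLE_REPORTS)  # -> "flag{Usb_1}\n"
```

Note that the tshark filter above discards the all-zero release reports, so the same letter typed twice in a row becomes indistinguishable from a held key; keep those reports in the capture output if doubled characters matter.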
## Extracting Payload sent in DNS Request
Select the DNS queries sent to the given resolver whose name contains the specific domain, then keep only the first label of each queried name, which is where the payload is carried:

```sh
tshark -r capture.pcapng -Y 'dns && ip.dst==167.71.211.113 && (dns contains xyz)' -T fields -e dns.qry.name | awk -F '.' '{print $1}' | uniq > dns.out
```