2025平航杯电子数据取证竞赛 流量分析部分Official WP
USBPcap(确实是根据现实事件改编哈哈)简短来说,就是一个爱而不得的技术宅男生起早王,喜欢上了一个叫做倩倩的女生,想要采取一些特殊手段以获得倩倩的关注具体手段:通过Flipper Zero内置的更改蓝牙设备名称和设备MAC地址的功能,伪装成倩倩的蓝牙耳机(名称为QQ_WF_SP8OON)以诱导倩倩进行连接,从而执行后续USB抓包设备所记录到的shell命令。
2025平航杯流量分析Official WP
写在前面
本次平航杯也是本人首次出和蓝牙协议相关的流量题目,题目质量由于抓包设备受限(经费不足),并未达到本人预期水平,原本是想让大家尝试去拿Legacy Passkey来解mesh包
(不过要是能够给之后的取证比赛抛砖引玉一下也是极好的)
本题出自真实环境抓包,所以其中存在部分外界广播蓝牙设备的干扰,因此放出相关hint以帮助选手排除无关设备
如有疑问和未尽事宜,欢迎探讨、交流和拷打出题人
剧情烂 请各位选手不要自我带入(那咋啦)
出题设备介绍
nRF 52840 Sniffer
USBPcap
Flipper Zero
(确实是根据现实事件改编哈哈)
题目案情介绍
简短来说,就是一个爱而不得的技术宅男生起早王,喜欢上了一个叫做倩倩的女生,想要采取一些特殊手段以获得倩倩的关注
具体手段:通过Flipper Zero内置的更改蓝牙设备名称和设备MAC地址的功能,伪装成倩倩的蓝牙耳机(名称为QQ_WF_SP8OON)以诱导倩倩进行连接,从而执行后续USB抓包设备所记录到的shell命令
蓝牙流量部分
请问侦查人员是用哪个接口进行抓到蓝牙数据包的(格式:DVI1-2.1)
首先坏B出题人把后缀名删了,应该不会有人直接卡在这里了吧(
很简单的一题,打开流量包看Frame层即可看到接口信息,COM3-3.6
起早王有一个用于伪装成倩倩耳机的蓝牙设备,该设备的原始设备名称为什么(格式:XXX_xxx 具体大小写按照原始内容)
这题主要考察选手对流量综合分析的能力,当然聪明的选手可以结合后面几道题目一起去研究,也算是变相降低题目难度了
选手既可以选择将流量导出为json形式进行查看,也可以选择一个个用wireshark翻
这边推荐使用tshark导出json
tshark -r BLE.pcapng -T json > finalble.json
大致长这样
因为提及了蓝牙设备,所以各位作为解题人而言肯定是要去找蓝牙设备相关的信息
这里推荐回到wireshark看并且参考相关协议https://www.wireshark.org/docs/dfref/b/btcommon.html
可以关注到重点字段btcommon.eir_ad.entry.device_name
写个正则表达式脚本导出一下btcommon.eir_ad.entry.device_name
import re
def extract_device_names(file_path):
# 设备名称的集合(自动去重)
device_names = set()
# 正则表达式模式,用于匹配设备名称
pattern = re.compile(r'"btcommon\.eir_ad\.entry\.device_name":\s*"([^"]+)"')
with open(file_path, 'r', encoding='utf-8') as file:
for line in file:
# 在每一行中查找所有匹配项
matches = pattern.findall(line)
for match in matches:
# 将找到的设备名称添加到集合中(自动处理重复)
device_names.add(match)
# 输出结果
print("提取的设备名称列表:")
for name in sorted(device_names): # 按字母顺序排序输出
print(name)
# 文件路径
file_path = r"D:\phbwp\finalble.json"
extract_device_names(file_path)
没过滤的结果如下:
提取的设备名称列表:
&
&�k�)\u0001�@\b̋�|}M���\u001d
4
5Ư��#�=�\u001c%J���Ț��I\u001c�IFG�\
:
:�
B\u0016�
Cracked
Fli0�\u0006��N�G��`
Flipper 123all
Flipper$123all
Flippe��+Fta�d
L
LA-�A�� qC�5 Iu
LE-QqNG QC75 II
LE-YANG QC35 II
LE-YANG QC3�\u0007\u0003\f
LE-YANG QS35 II
LE-YANG`QC\u00135 Ei
LE-YM.G QC35 II
LE-_ANG QC35 II
Nlipper 123al
PE-YQ\u000eG\
QQG�~ïB�OON
QQWWF_SP8LON
QQ_WF+�y�/��
QQ_WF_SP8OM~
QQ_WF_SP8OOF
QQ_WF_SP8OON
QQ_WF_SP8O_�
QQ_WF_SP8OoH
QQ_WF_SP8O�O
QQ_WF_SP8\u000foh
QQ_WF_SP8_Gh
QQ_WF_SP8~�h
QQ_WF_SP8�s{
QQ_WF_SP:W�\u0004
QQ_WF_SP>��X
QQ_WF_SPE�<�
QQ_WF_SP�N\r�
QQ_WF_SP�\b�)
QQ_WF_S�F\
QQ_WF_�V�\u0002W
QQ_WF_�V��ma
QQ_WF_�gXN�h
QQ_WF_�j/�d
QQ_WF�\u001fP:oIB
QQ_WV?%�^N�|
QQ_Wf_SP8OON
QQ_W���\u0003hN�O
QQ_\u0017^��-yN�N
QQ_\u0017����Q)�u
QQg�6��?��\u0006�
QQoOJ^\u000bF8OON
QU\u001fVo�P8O�H
Q�l�Q��\u00028OON
RAP
RAPOO 5.0MS
\f
\u0006
\u0006\u0019
\u0006\u0019\u0012
\u0006\u0019\u0016w�\u00017���N��(�
\u0006\u001a
\u0006\u001b
\u0007
\u000e|.
\u0013��\u001c\u0017�+X
\u0013��\u001c\u0017�\u001bX
\u0013��\u001c\u0017�\u001bX\u0016\b
\u0016
\u0018
\u0018Ȃ�p�I
\u0019�8?���p�\n��h�w��~?��6#&�Ǥr�\u0016s^:\nGy\u0006-)�nO\u0011����l�B��+`��
\u001a
\u001b
w
�
�APOO 5.0
�L�
�\u0010\f\u0001 \u0004\u000f
�\u001b
��� <�ϴ�\u001a��+
之后根据HINT:侦查人员自己使用的蓝牙设备有QC35 II耳机和RAPOO键盘来排除相关设备和其他字符的干扰
可以得到最终所有蓝牙广播包中存在的有效设备名称如下
Cracked
Flipper 123all
QQ_WF_SP8OON
使用搜索引擎检索一下即可发现Flipper Zero是一款可以伪装别人蓝牙设备的黑客玩具
再根据名字fuzz一下即可得到QQ_WF_SP8OON为伪装成倩倩耳机的名字
当然不fuzz的正确做法也有,由于Flipper在伪装他人蓝牙设备时会先修改名字再修改MAC地址,所以我们可以通过检索MAC地址相似(注意这里是相似,因为我手动设置使得Flipper MAC Randomize)但名字不同的蓝牙设备来判断,这里就不附上脚本了,具体情况可以看下图中的"_index": "packets-2025-04-09"流
因此答案为 Flipper_123all
起早王有一个用于伪装成倩倩耳机的蓝牙设备,该设备修改成耳机前后的大写MAC地址分别为多少(格式:32位小写md5(原MAC地址_修改后的MAC地址) ,例如md5(11:22:33:44:55:66_77:88:99:AA:BB:CC)=a29ca3983de0bdd739c97d1ce072a392 )
很简单的一题,直接遍历QQ_WF_SP8OON所有的MAC地址即可
可以找出分别为80:e1:26:33:32:31和52:00:52:10:13:14
这边一开始题目描述欠佳,原MAC地址应该为最原始设备的MAC地址80:e1:26:33:32:31,而不是之后改名时Flipper自动地址随机化更改的80:e1:26:35:32:31
这里我挨打(
答案为 md5(80:E1:26:33:32:31_52:00:52:10:13:14)=97d79a5f219e6231f7456d307c8cac68
流量包中首次捕获到该伪装设备修改自身名称的UTC+0时间为?(格式:2024/03/07 01:02:03.123)
这里修改自身名称很简单 爆搜一下QQ_WF_SP8OON最开始出现的时间
{
"_index": "packets-2025-04-09",
"_type": "doc",
"_score": null,
"_source": {
"layers": {
"frame": {
"frame.interface_id": "0",
"frame.interface_id_tree": {
"frame.interface_name": "COM3-3.6",
"frame.interface_description": "nRF Sniffer for Bluetooth LE COM3"
},
"frame.encap_type": "186",
"frame.time": "Apr 9, 2025 10:31:26.710747000 CST",
"frame.offset_shift": "0.000000000",
"frame.time_epoch": "1744165886.710747000",
"frame.time_delta": "0.010946000",
"frame.time_delta_displayed": "0.010946000",
"frame.time_relative": "232.380567000",
"frame.number": "33244",
"frame.len": "56",
"frame.cap_len": "56",
"frame.marked": "0",
"frame.ignored": "0",
"frame.protocols": "nordic_ble:btle:btcommon"
},
"nordic_ble": {
"nordic_ble.board_id": "3",
"nordic_ble.header": {
"nordic_ble.plen": "49",
"nordic_ble.protover": "3",
"nordic_ble.packet_counter": "35944",
"nordic_ble.packet_id": "2"
},
"nordic_ble.len": "10",
"nordic_ble.flags": "0x01",
"nordic_ble.flags_tree": {
"nordic_ble.crcok": "1",
"nordic_ble.flag_reserved1": "0",
"nordic_ble.flag_reserved2": "0",
"nordic_ble.address_resolved": "0",
"nordic_ble.phy": "0",
"nordic_ble.flag_reserved7": "0"
},
"nordic_ble.channel": "37",
"nordic_ble.rssi": "-41",
"nordic_ble.event_counter": "0",
"nordic_ble.time": "2785913974",
"nordic_ble.packet_time": "320",
"nordic_ble.delta_time": "10642",
"nordic_ble.delta_time_ss": "10946"
},
"btle": {
"btle.access_address": "0x8e89bed6",
"btle.advertising_header": "0x1e20",
"btle.advertising_header_tree": {
"btle.advertising_header.pdu_type": "0x00",
"btle.advertising_header.rfu.1": "0",
"btle.advertising_header.ch_sel": "1",
"btle.advertising_header.randomized_tx": "0",
"btle.advertising_header.rfu.4": "0",
"btle.advertising_header.length": "30"
},
"btle.length": "30",
"btle.advertising_address": "80:e1:26:35:32:31",
"btcommon.eir_ad.advertising_data": {
"btcommon.eir_ad.entry": {
"btcommon.eir_ad.entry.length": "2",
"btcommon.eir_ad.entry.type": "0x01",
"btcommon.eir_ad.entry.flags.reserved": "0x00",
"btcommon.eir_ad.entry.flags.le_bredr_support_host": "0x00",
"btcommon.eir_ad.entry.flags.le_bredr_support_controller": "0x00",
"btcommon.eir_ad.entry.flags.bredr_not_supported": "0x01",
"btcommon.eir_ad.entry.flags.le_general_discoverable_mode": "0x01",
"btcommon.eir_ad.entry.flags.le_limited_discoverable_mode": "0x00"
},
"btcommon.eir_ad.entry": {
"btcommon.eir_ad.entry.length": "13",
"btcommon.eir_ad.entry.type": "0x09",
"btcommon.eir_ad.entry.device_name": "QQ_WF_SP8OON"
},
"btcommon.eir_ad.entry": {
"btcommon.eir_ad.entry.length": "3",
"btcommon.eir_ad.entry.type": "0x02",
"btcommon.eir_ad.entry.uuid_16": "0x1812"
},
"btcommon.eir_ad.entry": {
"btcommon.eir_ad.entry.length": "2",
"btcommon.eir_ad.entry.type": "0x0a",
"btcommon.eir_ad.entry.power_level": "0"
}
},
"btle.crc": "0x9f5135"
}
}
}
}
由于是UTC+0时间 所以更改后为2025/04/09 02:31:26.710
起早王中途还不断尝试使用自己的手机向倩倩电脑进行广播发包,请你找出起早王手机蓝牙的制造商数据(格式:0x0102030405060708)
前面的蓝牙设备基本都用完了,就剩下一个Cracked,很自然会联系到这一题
这里借一下aliyun的文档 https://help.aliyun.com/document_detail/173315.html
因此答案为 0x0701434839313430
USB流量部分
这部分的题目较为简单,为模拟起早王Flipper黑入倩倩电脑后所产生的USB流量
先提前将模拟键盘敲击的内容给放出来
bao bao,zui jin you ge nan sheng xiang zhui wo,ta jiao wang qi zhao[删除]qi zao wang
ta shuo ta ai wo,dan shi cong bu bang wo na kuai di,hao fan a
WIN+R
cmd
whoami
net user
net user qianqianwoaini$ abcdefghijkImn /add
net localgroup administrators qianqianwoaini$ /add
net user qianqianwoaini$ /dels
net localgroup administrators qianqianwoaini$ /add
rundll32 url.dll,FileProtocolHandler https://fakeupdate.net/win10ue/bsod.html
翻译过后内容如下(前面为模拟倩倩在和自己的男神聊天)
宝宝,最近有个男生想追我,他叫起早王
他说他爱我,但是从不帮我拿快递,好烦啊
之后打开了cmd创建影子账户并且实施了令倩倩电脑蓝屏的恶趣味(真下头啊起早王)
whoami
net user
net user qianqianwoaini$ abcdefghijkImn /add
net localgroup administrators qianqianwoaini$ /add
net user qianqianwoaini$ /dels
net localgroup administrators qianqianwoaini$ /add
rundll32 url.dll,FileProtocolHandler https://fakeupdate.net/win10ue/bsod.html
友情提示:本部分题目可以使用CTF NetA工具一把梭
打开流量包 分析一下发现有键盘流量的特征
这边由于USB设备较多,需要先对流量的地址进行过滤,但是其实也可以直接硬写一个脚本然后直接将键盘所反映的内容给提取出来
首先还是要通过导出wireshark流量为json文件,这里不多赘述相关操作
EXP如下:
'''
bao bao,zui jin you ge nan sheng xiang zhui wo,ta jiao wang qi zhao/qi zao wang
ta shuo ta ai wo,dan shi cong bu bang wo na kuai di,hao fan a
WIN+R
cmd
whoami
net user
net user qianqianwoaini$ abcdefghijkImn /add
net localgroup administrators qianqianwoaini$ /add
net user qianqianwoaini$ /dels
net localgroup administrators qianqianwoaini$ /add
rundll32 url.dll,FileProtocolHandler https://fakeupdate.net/win10ue/bsod.html
'''
import json
# 定义正常按键映射表
normalKeys = {
"04": "a", "05": "b", "06": "c", "07": "d", "08": "e", "09": "f", "0a": "g", "0b": "h", "0c": "i",
"0d": "j", "0e": "k", "0f": "l", "10": "m", "11": "n", "12": "o", "13": "p", "14": "q", "15": "r",
"16": "s", "17": "t", "18": "u", "19": "v", "1a": "w", "1b": "x", "1c": "y", "1d": "z", "1e": "1",
"1f": "2", "20": "3", "21": "4", "22": "5", "23": "6", "24": "7", "25": "8", "26": "9", "27": "0",
"28": "<RET>", "29": "<ESC>", "2a": "<DEL>", "2b": "\t", "2c": "<SPACE>", "2d": "-", "2e": "=", "2f": "[",
"30": "]", "31": "\\", "32": "<NON>", "33": ";", "34": "'", "35": "`", "36": ",", "37": ".", "38": "/",
"39": "<CAP>", "3a": "<F1>", "3b": "<F2>", "3c": "<F3>", "3d": "<F4>", "3e": "<F5>", "3f": "<F6>",
"40": "<F7>", "41": "<F8>", "42": "<F9>", "43": "<F10>", "44": "<F11>", "45": "<F12>"
}
# 定义Shift键按下时的按键映射表
shiftKeys = {
"04": "A", "05": "B", "06": "C", "07": "D", "08": "E", "09": "F", "0a": "G", "0b": "H", "0c": "I",
"0d": "J", "0e": "K", "0f": "L", "10": "M", "11": "N", "12": "O", "13": "P", "14": "Q", "15": "R",
"16": "S", "17": "T", "18": "U", "19": "V", "1a": "W", "1b": "X", "1c": "Y", "1d": "Z", "1e": "!",
"1f": "@", "20": "#", "21": "$", "22": "%", "23": "^", "24": "&", "25": "*", "26": "(", "27": ")",
"28": "<RET>", "29": "<ESC>", "2a": "<DEL>", "2b": "\t", "2c": "<SPACE>", "2d": "_", "2e": "+", "2f": "{",
"30": "}", "31": "|", "32": "~", "33": ":", "34": "\"", "35": "~", "36": "<", "37": ">", "38": "?",
"39": "<CAP>", "3a": "<F1>", "3b": "<F2>", "3c": "<F3>", "3d": "<F4>", "3e": "<F5>", "3f": "<F6>",
"40": "<F7>", "41": "<F8>", "42": "<F9>", "43": "<F10>", "44": "<F11>", "45": "<F12>"
}
def extract_usbhid_data(json_file):
with open(json_file, 'r') as file:
data = json.load(file)
result_string = ""
for packet in data:
layers = packet['_source']['layers']
if 'usbhid.data' in layers:
usbhid_data = layers['usbhid.data'].split(':')
# 提取第二个字节(用于判断是否使用shiftKeys)
second_byte = usbhid_data[1]
# 根据第二个字节选择合适的映射表
key_map = shiftKeys if second_byte != "00" else normalKeys
# 遍历所有可能的按键数据(从第三个字节开始)
for byte_index in range(2, len(usbhid_data)):
key_code = usbhid_data[byte_index]
if key_code == "00":
continue # 忽略空值
key_char = key_map.get(key_code, '')
result_string += key_char
return result_string
if __name__ == "__main__":
extracted_string = extract_usbhid_data(r'c:\Users\25722\Downloads\phbwp\usb.json')
print("Extracted String:", extracted_string)
'''
Extracted String: m]<F6>[2m[m33[]3333mmmbao<SPACE>bao,zui<SPACE>jin<SPACE>you<SPACE>ge<SPACE>nan<SPACE>sheng<SPACE>xiang<SPACE>zhui<SPACE>wo,ta<SPACE>jiaaoo<SPACE>wwaang<SPACE>qi<SPACE>zhao<DEL><DEL><DEL><DEL>qi<SPACE>zao<SPACE>wang<SPACE>ta<SPACE>shuo<SPACE>ta<SPACE>ai<SPACE>wo,dan<SPACE>shi<SPACE>cong<SPACE>bu<SPACE>baanng<SPACE>wo<SPACE>na<SPACE>kuai<SPACE>di,hao<SPACE>fan<SPACE>aRcmd<RET>L]bdfgghiiklnnoomljji]i<F7>h]i]i3j]k3lmlmkmhigmgfmemedmbcaaabbb[22[<F6>[<F6>[2222[2[2[<F6>[2llllllllm2m[][3<F6>[mm2mmmmmm]abcedeemdme]eefeggif3fcbba]3mmaccmcmf3f]h]g3f]e3d3c]c3b]b]]3mmmmm[[<F6><F6><F6><F6>[l2llabeeegffdca<SPACE>whoami<RET>net<SPACE>user<RET>net<SPACE>user<SPACE>qianqianwoaini$<SPACE>abcdefghijk<CAP>i<CAP>mn<SPACE>/add<RET>net<SPACE>localgroup<SPACE>administrators<SPACE>qianqianwoaini$<SPACE>/add<RET>net<SPACE>user<SPACE>qianqianwoaini$<SPACE>/del[ll22<F6><F6><F6><F6>[[[22lmll222l2llllllllcgikllmmlljjhhhfecb<F7><F7>]]<F6><F6><F6><F6><F6><F6>[22[2[[[[<F6>[<F6><F6><F6>[<F6>[[2[22lmlm<RET>net<SPACE>localgroup<SPACE>administrators<SPACE>qianqianwoaini$<SPACE>/add<RET>rundll32<SPACE>url.dll,<CAP>f<CAP>ile<CAP>p<CAP>rotocol<CAP>h<CAP>andler<SPACE>https://fakeupdate.net/win10ue/bsod.htmlgmjmk3gecmcmaa3mmmamm<RET>ceghkm<F7>m<F7>n<F7>n<F7>l<F7>l]j<F7>h]fdb<F7><F7>lllllllll
'''
起早王的真名是什么(格式:Cai_Xu_Kun 每个首字母均需大写 )
这里我们看流量解析内容即可
wang qi zhao[删除]qi zao wang
反映出来倩倩想直接打出起早王的真名,但是出于某种顾虑没有打出真名
可以得到起早王的真名为Wang_Qi_Zhao
起早王对倩倩的电脑执行了几条cmd里的命令(格式:1 )
直接数数就行 7条
倩倩电脑中影子账户的账户名和密码为什么(格式:32位小写md5(账号名称_密码) ,例如md5(zhangsan_123456)=9dcaac0e4787b213fed42e5d78affc75 )
这里直接看下面这条命令
net user qianqianwoaini$ abcdefghijkImn /add
这里设置了一个坑点 其中小写l的是大写的i
因此答案为 md5(qianqianwoaini$_abcdefghijkImn)=53af9cd5e53e237020bea0932a1cbdaa
起早王对倩倩的电脑执行的最后一条命令是什么(格式:32位小写md5(完整命令),例如md5(echo “qianqianwoaini” > woshiqizaowang.txt)=1bdb83cfbdf29d8c2177cc7a6e75bae2 )
最后一条命令为rundll32 url.dll,FileProtocolHandler https://fakeupdate.net/win10ue/bsod.html
答案为 md5(rundll32 url.dll,FileProtocolHandler https://fakeupdate.net/win10ue/bsod.html)=0566c1d6dd49db699d422db31fd1be8f
参考文档
https://www.yuque.com/hxfqg9/iot/pet5rg
http://www.willhsu.com/zb_users/upload/2021/06/202106241624549419156181.pdf
https://blog.csdn.net/u012388993/article/details/116395497?spm=wolai.workspace.0.0.10732a58lpRxAZ
iqizaowang.txt)=1bdb83cfbdf29d8c2177cc7a6e75bae2 )
最后一条命令为rundll32 url.dll,FileProtocolHandler https://fakeupdate.net/win10ue/bsod.html
答案为 md5(rundll32 url.dll,FileProtocolHandler https://fakeupdate.net/win10ue/bsod.html)=0566c1d6dd49db699d422db31fd1be8f
参考文档
https://www.yuque.com/hxfqg9/iot/pet5rg
http://www.willhsu.com/zb_users/upload/2021/06/202106241624549419156181.pdf
https://blog.csdn.net/u012388993/article/details/116395497?spm=wolai.workspace.0.0.10732a58lpRxAZ
https://www.wireshark.org/docs/dfref/b/btcommon.html
助力广东及东莞地区开发者,代码托管、在线学习与竞赛、技术交流与分享、资源共享、职业发展,成为松山湖开发者首选的工作与学习平台
更多推荐
28
0- 0
已为社区贡献1条内容
所有评论(0)