📘
Hacktricks
  • GitHub: Welcome to the page where you will find each trick/technique/whatev
  • About the author
  • Getting Started in Hacking
  • Pentesting Methodology
  • External Recon Methodology
  • Phishing Methodology
  • Exfiltration
  • Tunneling and Port Forwarding
  • Brute Force - CheatSheet
  • Search Exploits
  • shells
    • Shells (Linux, Windows, MSFVenom)
  • linux-unix
    • Checklist - Linux Privilege Escalation
    • Linux Privilege Escalation
    • Useful Linux Commands
    • Linux Environment Variables
  • macos
    • MacOS Security & Privilege Escalation
  • windows
    • Checklist - Local Windows Privilege Escalation
    • Windows Local Privilege Escalation
    • Active Directory Methodology
    • NTLM
    • Stealing Credentials
    • Authentication, Credentials, UAC and EFS
    • Basic CMD for Pentesters
    • Basic PowerShell for Pentesters
    • AV Bypass
  • mobile-apps-pentesting
    • Android APK Checklist
    • Android Applications Pentesting
    • iOS Pentesting Checklist
    • iOS Pentesting
  • pentesting
    • Pentesting Network
  • Stargazers
  • blob
    • master
      • hacktricks/LICENSE.md at master
  • network
    • Forks
  • Issues
  • Pull requests
  • Actions
  • Projects
  • GitHub: Welcome to the page where you will find each trick/technique/whatev
  • Build software better, together
  • Pulse
  • tree
    • Build software better, together
    • GitHub at 1e46f267c2ce5c79bb9a8a146f468f214419f708
    • master
      • .gitbook
        • hacktricks/.gitbook/assets at master
      • hacktricks/.github at master
      • a.i.-exploiting
        • hacktricks/a.i.-exploiting/bra.i.nsmasher-presentation at master
      • hacktricks/backdoors at master
      • hacktricks/blockchain at master
      • hacktricks/cloud-security at master
  • Branches
  • Releases
  • Commits
    • Commits
  • Commits
  • commit
    • GitBook: [master] one page modified@1e46f26
    • GitBook: [master] 3 pages and 6 assets modified@e741d40
    • Update FUNDING.yml@c7e5a37
    • GitBook: [master] one page modified@5b5b28a
    • GitBook: [master] 511 pages and one asset modified@73a4b96
Powered by GitBook
On this page

Was this helpful?

  1. commit

GitBook: [master] 511 pages and one asset modified@73a4b96

PreviousGitBook: [master] one page modified@5b5b28a

Last updated 3 years ago

Was this helpful?

GitBook: [master] 511 pages and one asset modified

  • Loading branch information

@@ -450,7 +450,7 @@

* [NTFS](forensics/basic-forensic-methodology/partitions-file-systems-carving/ntfs.md)

* [Pcap Inspection](forensics/basic-forensic-methodology/pcap-inspection/README.md)

* [DNSCat pcap analysis](forensics/basic-forensic-methodology/pcap-inspection/dnscat-exfiltration.md)

* [USB Keyboard pcap analysis](forensics/basic-forensic-methodology/pcap-inspection/usb-keyboard-pcap-analysis.md)

* [USB Keystrokes](forensics/basic-forensic-methodology/pcap-inspection/usb-keystrokes.md)

* [Wifi Pcap Analysis](forensics/basic-forensic-methodology/pcap-inspection/wifi-pcap-analysis.md)

* [Wireshark tricks](forensics/basic-forensic-methodology/pcap-inspection/wireshark-tricks.md)

* [Specific Software/File-Type Tricks](forensics/basic-forensic-methodology/specific-software-file-type-tricks/README.md)

@@ -179,6 +179,9 @@ This offers a new level of privacy, however, **some** **transactions** where som

Examples of \(likely\) CoinJoin transactions IDs on bitcoin's blockchain are `402d3e1df685d1fdf82f36b220079c1bf44db227df2d676625ebcbee3f6cb22a` and `85378815f6ee170aa8c26694ee2df42b99cff7fa9357f073c1192fff1f540238`.

[**https://coinjoin.io/en**](https://coinjoin.io/en)

**Similar to coinjoin but better and for ethereum you have** [**Tornado Cash**](https://tornado.cash/) **\(the money is given from miners, so it jus appear in your waller\).**

### PayJoin

The type of CoinJoin discussed in the previous section can be easily identified as such by checking for the multiple outputs with the same value.

@@ -1,7 +1,7 @@

# Pcap Inspection

{% hint style="info" %}

A note about **PCAP** vs **PCAPNG**: there are two versions of the PCAP file format; P**CAPNG is newer and not supported by all tools**. You may need to convert a file from PCAPNG to PCAP using Wireshark or another compatible tool, in order to work with it in some other tools.

A note about **PCAP** vs **PCAPNG**: there are two versions of the PCAP file format; **PCAPNG is newer and not supported by all tools**. You may need to convert a file from PCAPNG to PCAP using Wireshark or another compatible tool, in order to work with it in some other tools.

{% endhint %}

## Online tools for pcaps

@@ -212,7 +212,9 @@ rita show-exploded-dns -H --limit 10 zeek_logs

{% page-ref page="dnscat-exfiltration.md" %}

{% page-ref page="usb-keyboard-pcap-analysis.md" %}

{% page-ref page="wifi-pcap-analysis.md" %}

{% page-ref page="usb-keystrokes.md" %}

@@ -0,0 +1,20 @@

# USB Keystrokes

If you have a pcap containing the communication via USB of a keyboard like the following one:

![](../../../.gitbook/assets/image%20%28567%29.png)

You can use the tool [**ctf-usb-keyboard-parser**](https://github.com/carlospolop-forks/ctf-usb-keyboard-parser) to get what was written in the communication:

```bash

tshark -r ./usb.pcap -Y 'usb.capdata && usb.data_len == 8' -T fields -e usb.capdata | sed 's/../:&/g2' > keystrokes.txt

python3 usbkeyboard.py ./keystrokes.txt

```

You can read more information and find some scripts about how to analyse this in:

* [https://medium.com/@ali.bawazeeer/kaizen-ctf-2018-reverse-engineer-usb-keystrok-from-pcap-file-2412351679f4](https://medium.com/@ali.bawazeeer/kaizen-ctf-2018-reverse-engineer-usb-keystrok-from-pcap-file-2412351679f4)

* [https://github.com/tanc7/HacktheBox\_Deadly\_Arthropod\_Writeup](https://github.com/tanc7/HacktheBox_Deadly_Arthropod_Writeup)

Permalink
Browse files