GitBook: [master] 511 pages and one asset modified@73a4b96


@@ -450,7 +450,7 @@

* [NTFS](forensics/basic-forensic-methodology/partitions-file-systems-carving/ntfs.md)

* [Pcap Inspection](forensics/basic-forensic-methodology/pcap-inspection/README.md)

* [DNSCat pcap analysis](forensics/basic-forensic-methodology/pcap-inspection/dnscat-exfiltration.md)

* [USB Keyboard pcap analysis](forensics/basic-forensic-methodology/pcap-inspection/usb-keyboard-pcap-analysis.md)

* [USB Keystrokes](forensics/basic-forensic-methodology/pcap-inspection/usb-keystrokes.md)

* [Wifi Pcap Analysis](forensics/basic-forensic-methodology/pcap-inspection/wifi-pcap-analysis.md)

* [Wireshark tricks](forensics/basic-forensic-methodology/pcap-inspection/wireshark-tricks.md)

* [Specific Software/File-Type Tricks](forensics/basic-forensic-methodology/specific-software-file-type-tricks/README.md)
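Review bot: the new `USB Keystrokes` entry sits directly beside the existing `USB Keyboard pcap analysis` entry, and both point at pages under `pcap-inspection/` about USB keyboard captures, so a reader cannot tell from the sidebar which one to open. Suggest either folding the new content into the existing page or making the two titles distinguish their scope (for example, naming the tool-based approach in the new title).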

@@ -179,6 +179,9 @@ This offers a new level of privacy, however, **some** **transactions** where som

Examples of \(likely\) CoinJoin transactions IDs on bitcoin's blockchain are `402d3e1df685d1fdf82f36b220079c1bf44db227df2d676625ebcbee3f6cb22a` and `85378815f6ee170aa8c26694ee2df42b99cff7fa9357f073c1192fff1f540238`.

[**https://coinjoin.io/en**](https://coinjoin.io/en)

**Similar to coinjoin but better and for ethereum you have** [**Tornado Cash**](https://tornado.cash/) **\(the money is given from miners, so it jus appear in your waller\).**

### PayJoin

The type of CoinJoin discussed in the previous section can be easily identified as such by checking for the multiple outputs with the same value.
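Review bot: the added Tornado Cash line has typos and an unsupported claim: `jus appear in your waller` should read `just appears in your wallet`, and the parenthetical `the money is given from miners` does not explain how the funds arrive and is not backed by anything else in the hunk; suggest keeping only what the page can support (that Tornado Cash is an Ethereum mixing service analogous to CoinJoin, with the link) and dropping `but better`, which is an unsupported comparison. The whole sentence is also bolded, which the surrounding body text does not do.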

@@ -1,7 +1,7 @@

# Pcap Inspection

{% hint style="info" %}

A note about **PCAP** vs **PCAPNG**: there are two versions of the PCAP file format; P**CAPNG is newer and not supported by all tools**. You may need to convert a file from PCAPNG to PCAP using Wireshark or another compatible tool, in order to work with it in some other tools.

A note about **PCAP** vs **PCAPNG**: there are two versions of the PCAP file format; **PCAPNG is newer and not supported by all tools**. You may need to convert a file from PCAPNG to PCAP using Wireshark or another compatible tool, in order to work with it in some other tools.

{% endhint %}

## Online tools for pcaps
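Review bot: the only change is moving a misplaced `**` so that `PCAPNG is newer and not supported by all tools` is bolded as one phrase, which is correct. While touching this line, `in order to work with it in some other tools` could be shortened to `to use it with those tools`, since the sentence has already said that some tools lack PCAPNG support.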

@@ -212,7 +212,9 @@ rita show-exploded-dns -H --limit 10 zeek_logs

{% page-ref page="dnscat-exfiltration.md" %}

{% page-ref page="usb-keyboard-pcap-analysis.md" %}

{% page-ref page="wifi-pcap-analysis.md" %}

{% page-ref page="usb-keystrokes.md" %}
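Review bot: the new page-refs put `usb-keystrokes.md` after `wifi-pcap-analysis.md`, whereas the SUMMARY ordering in this same commit places it next to `usb-keyboard-pcap-analysis.md`; suggest using the same order in both places so the sidebar and the in-page links match, and keeping the two USB keyboard pages adjacent since they cover the same kind of capture.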

@@ -0,0 +1,20 @@

# USB Keystrokes

If you have a pcap containing the communication via USB of a keyboard like the following one:

![](../../../.gitbook/assets/image%20%28567%29.png)

You can use the tool [**ctf-usb-keyboard-parser**](https://github.com/carlospolop-forks/ctf-usb-keyboard-parser) to get what was written in the communication:

```bash

tshark -r ./usb.pcap -Y 'usb.capdata && usb.data_len == 8' -T fields -e usb.capdata | sed 's/../:&/g2' > keystrokes.txt

python3 usbkeyboard.py ./keystrokes.txt

```

You can read more information and find some scripts about how to analyse this in:

* [https://medium.com/@ali.bawazeeer/kaizen-ctf-2018-reverse-engineer-usb-keystrok-from-pcap-file-2412351679f4](https://medium.com/@ali.bawazeeer/kaizen-ctf-2018-reverse-engineer-usb-keystrok-from-pcap-file-2412351679f4)

* [https://github.com/tanc7/HacktheBox\_Deadly\_Arthropod\_Writeup](https://github.com/tanc7/HacktheBox_Deadly_Arthropod_Writeup)
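Review bot: the command block never says where `usbkeyboard.py` comes from; the reader has to guess that it is the script in the linked ctf-usb-keyboard-parser repository and that the command must be run from that checkout, so add a clone step or a path before the `python3 usbkeyboard.py ./keystrokes.txt` line. Two smaller points: the `g2` flag combination in `sed 's/../:&/g2'` (replace from the second match onward) is a GNU sed extension and fails on BSD/macOS sed, so either say so or use a portable form; and the image has empty alt text, so describe what the screenshot shows (a capture of 8-byte USB keyboard data packets, which is what the `usb.data_len == 8` filter selects) so the page still makes sense without the image.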
