MISC1

reference

CTF Wiki MISC

Introduction

It is mainly divided into several sections: Recon, Forensic, Stego, Crypto (classical password)...
- Recon: information collection
  - It mainly introduces some channels for obtaining information and some techniques for using search engines such as Baidu and Google
- Encode (encoding conversion)
  - It mainly introduces some common coding forms and conversion techniques and common methods in CTF competitions
- Forensic && Stego (Digital Forensics && Steganalysis)
  - Steganographic forensics is the most important part of Misc, including file analysis, steganography, memory mirroring analysis, and traffic capture analysis, etc., involving ingenious coding, hidden data, files in nested files, and flexible use of search The engine gets the information it needs and so on.
a sketch

$[External link picture transfer failed, the source site may have an anti-leeching mechanism, it is recommended to save the picture and upload it directly (img-Ny2mh6d0-1646818112876)( MISC.assets\all.png)]$

information collection technology

network collection

public channel
Destination Web page, geographic location, organization of interest
Organizational structure and personnel, personal data, telephone, email
Policies and technical details of network configuration, security protection mechanism
Ways to Find Specific Security Vulnerabilities or Private Information Using Search Engines
Google Hacking Database
science online

GoogleHacking

site 指定域名
Intext 正文存在关键字的网页
Intitle 标题存在关键字的网页
Info 一些基本信息
Inurl URL存在关键字的网页
Filetype 搜索指定文件类型
+ 强制包含某个字符进行查询
- 忽略某个字符
""精准匹配某个字符
.匹配单个字符进行查询
*匹配任意字符进行查询
|或者

basic search

Google Basic Search and Digging Skills
Keep Your Keywords Simple and Straightforward
Use terms most likely to appear on the page you're looking for
Describe what you're looking for as concisely as possible
Choose unique descriptors
Social public information database query
Personal Information: Census Bureau
Enterprises and other entities: YellowPage, Enterprise Credit Information Network
Website, domain name, IP: whois, etc.

map street view

Overseas: Google Map, Google Earth, Google Street View
Domestic: Baidu map, satellite map, street view
From the online world to the physical world: IP2Location
whois database
GeoIP
Innocence database (QQ IP query)

coding technology

Morse

See Morse coding - Wikipedia

$[External link picture transfer failed, the source site may have an anti-leeching mechanism, it is recommended to save the picture and upload it directly (img-FwSU4tkQ-1646818112877)( MISC.assets\morse.png)]$

features
- only .and -;
- Up to 6 digits;
- It can also be expressed as 01a string .
tool
- Morse code online conversion

Manchester encoding

Manchester encoding

ASCII

$[External link picture transfer failed, the source site may have an anti-leeching mechanism, it is recommended to save the picture and upload it directly (img-H2GM4u9r-1646818112877)( MISC.assets\ascii.jpg)]$

out of shape
- Binary coded ASCII
- hexadecimal

Base coding series

basexx: represents how many character encodings are used
base64
- Every 6 bits is a unit, corresponding to a certain printing character
- Including 26 uppercase and lowercase letters / 10 numbers / ± / use = at the end
base32
- Uppercase AZ plus the number 234567, may have up to 3 equal signs at the end
base16
- Include 0123456789ABCDEF

XXencoding

XXencode encodes the input text in units of three bytes. If the last remaining data is less than three bytes, the insufficient part will be filled with zeros. These three bytes have a total of 24 Bits, which are
divided into 4 groups in units of 6 bits. Each group is expressed in decimal and the value that appears will only fall between 0 and 63. Replaced by the positional characters of the corresponding values.
For details, see XXencoding

URL encoding (Unicode)

See URL encoding .
Features: a lot of %

Manifestations

original textThe

&#x [Hex]: &#x0054;&#x0068;&#x0065;

&# [Decimal]: &#00084;&#00104;&#00101;

\U [Hex]: \U0054\U0068\U0065

\U+ [Hex]: \U+0054\U+0068\U+0065

bar code

A plurality of black bars and spaces of different widths, arranged according to certain coding rules, used to express a set of graphic identifiers for information
international standard
EAN-13 commodity standard, 13 digits
Code-39: 39 characters
Code-128: 128 characters
Barcode online recognition

QR code

Use a specific geometric figure to record data symbol information in black and white graphics step by step on the plane according to certain rules
Stacked/lined QR codes: Code 16 k, Code 49, PDF417
Matrix QR code: QR CODE

Forensic steganography

$[External link picture transfer failed, the source site may have an anti-leeching mechanism, it is recommended to save the picture and upload it directly (img-ehpg6Q9u-1646818112877)( MISC.assets\7.jpg)]$

Ask to inspect a static data file for hidden information

Require

Learn about common encodings

It can decode some encodings that appear in the file, and has certain sensitivity to some special encodings (Base64, hexadecimal, binary, etc.), convert them and get the final flag.
Ability to use scripting languages (Python, etc.) to manipulate binary data
Familiar with the file formats of common files, especially various file headers , protocols, structures, etc.
Flexible use of common tools

Python Manipulates Binary Data¶

struct module¶

Sometimes it is necessary to use Python to process binary data, for example, when accessing files and socket operations. At this time, you can use Python's struct module to complete.

The three most important functions in the struct module are pack(), unpack()andcalcsize()

pack(fmt, v1, v2, ...)According to the given format (fmt), encapsulate the data into a string (actually a byte stream similar to a c structure)
unpack(fmt, string)Parse the byte stream string according to the given format (fmt), and return the parsed tuple
calcsize(fmt)Calculate how many bytes of memory a given format (fmt) takes

The packing format here fmtdetermines how variables are packed into a byte stream, which includes a series of format strings. The meaning of different format strings will not be given here. For details, please refer to Python Doc

>>> import struct
>>> struct.pack('>I',16)
'\x00\x00\x00\x10'

packThe first parameter of is the processing instruction, '>I'which means: >indicates that the byte order is Big-Endian, that is, the network order, and Iindicates a 4-byte unsigned integer.

The number of the following parameters should be consistent with the processing instruction.

Read in the first 30 bytes of a BMP file, the structure of the file header is as follows in order

Two bytes: BMmeans Windows bitmap, BAmeans OS/2 bitmap
A 4-byte integer: indicates the size of the bitmap
A 4-byte integer: reserved bits, always 0
A 4-byte integer: the offset of the actual image
A 4-byte integer: the number of bytes in the Header
A 4-byte integer: image width
A 4-byte integer: image height
A 2-byte integer: always 1
A 2-byte integer: number of colors

>>> import struct
>>> bmp = '\x42\x4d\x38\x8c\x0a\x00\x00\x00\x00\x00\x36\x00\x00\x00\x28\x00\x00\x00\x80\x02\x00\x00\x68\x01\x00\x00\x01\x00\x18\x00'
>>> struct.unpack('<ccIIIIIIHH',bmp)
('B', 'M', 691256, 0, 54, 40, 640, 360, 1, 24)

bytearray bytearray¶

read the file as a binary array

data = bytearray(open('challenge.png', 'rb').read())

Byte arrays are mutable versions of bytes

data[0] = '\x89'

NTFS Steganography

ADS exchange data flow

It is a feature of the NTFS disk format. Under the NTFS file system, each file can have multiple data streams, that is to say, in addition to the main file stream, there can be many non-main file streams hosted in the main file stream. It uses resource forks to maintain information related to the file, although we can't see the data flow file, but it actually exists in our system. The method of creating a data exchange flow file is very simple, the command is "host file: prepare a data flow file associated with the host file".

Image analysis

Image files come in a variety of complex formats and can be used for analysis and decryption involving metadata, information loss, and lossless compression, verification, steganography, or encoding of visual data

metadata

Metadata, also known as intermediary data and relay data, is the data describing data (Data about data), mainly describing the information of data attributes (property), used to support such as indicating storage location, historical data, resource search , file recording and other functions.
Hiding information in metadata is the most basic method in competitions, and it is usually used to hide some key Hintinformation or some important passwordinformation such as .

You can 右键 --> 属性view , or you can use stringsthe command to view it. Generally speaking, some hidden information (strange strings) often appear at the head or tail.

identifycommand, this command is used to get the format and characteristics of one or more image files.

-formatIt is used to specify the displayed information, and using its -formatparameters can bring a lot of convenience to problem solving. The specific meaning of each parameter of format

PNG

file format
- The file header is always described by fixed-bit bytes, and the rest is composed of more than 3 data blocks (Chunk) in a specific order
- File header 89 50 4E 47 0D 0A 1A 0A+ data block + data block + data block...

data block

PNG defines two types of data blocks, one is called critical chunk, which is a standard data block, and the other is called ancillary chunks, which is an optional data block
. Key data blocks define 4 standard data blocks, each PNG file must contain them, PNG
reading and writing software must also support these data blocks.

data block notation	data block name	multi-block	optional no	location restrictions
IHDR	file header block	no	no	first piece
cHRM	Base color and white point data blocks	no	yes	Before PLTE and IDAT
gAMA	Image \| DataBlock	no	yes	Before PLTE and IDAT
sBIT	Sample Significance Data Block	no	yes	Before PLTE and IDAT
PLTE	palette data block	no	yes	Before IDAT
bKGD	background color data block	no	yes	After PLTE and before IDAT
hIST	Image histogram data block	no	yes	After PLTE and before IDAT
tRNS	image transparency data block	no	yes	After PLTE and before IDAT
oFFs	(private public data block)	no	yes	Before IDAT
pHYs	Physical pixel size data block	no	yes	Before IDAT
sCAL	(private public data block)	no	yes	Before IDAT
IDAT	image data block	yes	no	Consecutive with other IDAT
tIME	Image last modification time data block	no	yes	unlimited
tEXt	text message data block	yes	yes	unlimited
zTXt	compressed text data block	yes	yes	unlimited
fRAc	(private public data block)	yes	yes	unlimited
gIFg	(private public data block)	yes	yes	unlimited
gIFt	(private public data block)	yes	yes	unlimited
gIFx	(private public data block)	yes	yes	unlimited
IEND	Image end data	no	no	last data block

Each data block consists of 4 parts

name	Bytes	illustrate
Length	4 bytes	Specifies the length of the data field in the data block, and its length does not exceed (231-1) bytes
Chunk Type Code (data block type code)	4 bytes	Data block type codes consist of ASCII letters (A - Z and a - z)
Chunk Data	variable length	Store data specified by Chunk Type Code
CRC (Cyclic Redundancy Check)	4 bytes	Stores the cyclic redundancy code used to detect whether there is an error

IHDR (file header data block)

Contains the basic information of the image data stored in the PNG file, consists of 13 bytes , and should appear in the PNG data stream as the first data block, and there can only be one file header data block in a PNG data stream

Focus on the first 8 bytes

domain name	Bytes	illustrate
Width	4 bytes	Image width, in pixels
Height	4 bytes	image height in pixels

PLTE
- Palette data block PLTE (palette chunk): It contains the color transformation data related to the indexed-color image (indexed-color image), it is only related to the indexed color image, and it should be placed in the image data block (image data chunk
  ) Before. The true color PNG data stream can also have a palette data block, the purpose is to facilitate the non-true color display program to use it to quantize the image data, so as to display the image.
IDAT
- Image data block IDAT (image data chunk): It stores actual data, and can contain multiple sequential image data blocks in the data stream
  - Store image pixel data
  - Can contain multiple consecutive sequential image data blocks in the data stream
  - Compression using a derivative of the LZ77 algorithm
  - Can be decompressed with zlib
IEND
Image end data IEND (image trailer chunk): It is used to mark the end of the PNG file or data stream, and must be placed at the end of the file
Other auxiliary modules
- Background color data block bKGD (background color)
- Primary color and whiteness data block cHRM (primary chromaticities and white point), the so-called whiteness refers to the whiteness produced on the display at that R＝G＝B＝最大值time
- image | data block gAMA (image gamma)
- Image histogram data block hIST (image histogram)
- Physical pixel size data block pHYs (physical pixel dimensions)
- Sample effective bit data block sBIT (significant bits)
- Text information data block tEXt (textual data)
- Image last modification time data block tIME (image last-modification time)
- Image transparent data block tRNS (transparency)
- Compressed text data block zTXt (compressed textual data)
LSB
- The full name is Least Significant Bit, the least significant bit. The number of image images in a PNG file is generally composed of RGB three primary colors (red, green and blue), each color occupies 8 bits, and the value range is from 0x00to 0xFFthere are 256 colors, including a total of 256 colors to the power of 3
- LSB steganography is to modify the lowest binary bit (LSB) of RGB color components, each color will have 8 bits, LSB steganography is to modify the lowest 1 bit in the image number, and human eyes will not notice the difference before and after Variation, each pixel can carry 3 bits of information.

JPG

JPEG is a lossy compression format. The pixel information is saved into a file with JPEG and then read out, and some pixel values will change slightly. When saving, there is a quality parameter that can be selected between 0 and 100. The larger the parameter, the more fidelity the image will be, but the larger the image size will be. Generally, it is enough to choose 70 or 80
JPEG has no transparency information, the file header is FF D8 FF E1, and the end is 03 FF D9

The basic data structure of JPG is divided into two types: "segment" and compressed image data.

name	Bytes	data	illustrate
segment identifier	1	FF	start identifier for each new segment
segment type	1		type encoding (called tag code)
segment length	2		Includes segment content and segment length itself, excluding segment ID and segment type
Column content	2		≤65533 bytes

Some segments have no length description and no content, only segment identifier and segment type. Both the file header and the file trailer belong to this segment.
No matter how many between segments FFare legal, these FFare called "padding bytes" and must be ignored
common segment, and0xffd8 marks the beginning and end of a JPG file.0xffd9

$[External link picture transfer failed, the source site may have an anti-leeching mechanism, it is recommended to save the picture and upload it directly (img-WMgO3Ct1-1646818112878)( MISC.assets\jpgformat.png)]$

GIF

file structure
- file header
  - GIF file signature (Signature)
  - Version number (Version)
- data flow
  - control identifier
  - Image Block
  - some other extension blocks
- file terminator

$[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-v7f09xIG-1646818112878)( MISC.assets\gif.png)]$

file header
GIF 署名（Signature）和版本号（Version）。GIF 署名用来确认一个文件是否是 GIF 格式的文件，这一部分由三个字符组成：GIF；文件版本号也是由三个字节组成，可以为 87a 或 89a。
逻辑屏幕标识符
紧跟在 header 后面。这个块告诉 decoder（解码器）图片需要占用的空间。它的大小固定为 7 个字节，以 canvas width（画布宽度）和 canvas height（画布高度）开始。
全局颜色列表
- 或用于针对每个子图片集，提供 local color table。每个 color
  table 由一个 RGB列表组成。
图像标识符
- 一个 GIF 文件一般包含多个图片。之前的图片渲染模式一般是将多个图片绘制到一个大的（virtual canvas）虚拟画布上，而现在一般将这些图片集用于实现动画。
  
  每个 image 都以一个 image descriptor block（图像描述块）作为开头，这个块固定为 10 字节。
  
  $[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-ER6UFJ43-1646818112879)( MISC.assets\imagesdescription.png)]$
图像数据
由一系列的输出编码（output codes）构成，它们告诉 decoder（解码器）需要绘制在画布上的每个颜色信息。这些编码以字节码的形式组织在这个块中。
文件终结器
该块为一个单字段块，用来指示该数据流的结束。取固定值 0x3b.
更多参见 gif 格式图片详细解析
空间轴
由于 GIF 的动态特性，由一帧帧的图片构成，所以每一帧的图片，多帧图片间的结合，都成了隐藏信息的一种载体。
时间轴
- GIF 文件每一帧间的时间间隔也可以作为信息隐藏的载体。

流量包分析

PCAP文件
流量包修复
协议分析
数据提取

步骤

总体把握
- 协议分级
- 端点统计
过滤赛选
- 过滤语法
- Host，Protocol，contains，特征值
发现异常
- 特殊字符串
- 协议某字段
- flag 位于服务器中
数据提取
- 字符串取
- 文件提取

PCAP文件修复

一般文件结构

 0                   1                   2                   3   
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                          Block Type                           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                      Block Total Length                       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   /                          Block Body                           /
   /          /* variable length, aligned to 32 bits */            /
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                      Block Total Length                       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

常见块

Section Header BlocK(文件头)

文件的开始

 0                   1                   2                   3   
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                Byte-Order Magic (0x1A2B3C4D)                  |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Major Version(主版本号)   |    Minor Version(次版本号)        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                          Section Length                       |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   /                                                               /
   /                      Options (variable)                       /
   /                                                               /
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Interface Description Block(接口描述)

描述接口特性

 0                   1                   2                   3   
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |           LinkType            |           Reserved            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                  SnapLen(每个数据包最大字节数)                  |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   /                                                               /
   /                      Options (variable)                       /
   /                                                               /
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Packet Block（数据块）

 0                   1                   2                   3   
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Interface ID          |          Drops Count          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                     Timestamp (High)   标准的Unix格式          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        Timestamp (Low)                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                         Captured Len                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                          Packet Len                           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   /                          Packet Data                          /
   /          /* variable length, aligned to 32 bits */            /
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   /                      Options (variable)                       /
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

协议分析

wireshark

链接

需要注意的协议

HTTP
- HTTP ( Hyper Text Transfer Protocol ，也称为超文本传输协议) 是一种用于分布式、协作式和超媒体信息系统的应用层协议。 HTTP 是万维网的数据通信的基础。
HTTPS
- HTTPs = HTTP + SSL / TLS. 服务端和客户端的信息传输都会通过 TLS 进行加密，所以传输的数据都是加密后的数据
FTP
- FTP ( File Transfer Protocol ，即文件传输协议) 是 TCP/IP 协议组中的协议之一。 FTP 协议包括两个组成部分，其一为 FTP 服务器，其二为 FTP 客户端。其中 FTP 服务器用来存储文件，用户可以使用 FTP 客户端通过 FTP 协议访问位于 FTP 服务器上的资源。在开发网站的时候，通常利用 FTP 协议把网页或程序传到 Web 服务器上。此外，由于 FTP 传输效率非常高，在网络上传输大的文件时，一般也采用该协议。
  
  默认情况下 FTP 协议使用 TCP 端口中的 20 和 21 这两个端口，其中 20 用于传输数据， 21 用于传输控制信息。但是，是否使用 20 作为传输数据的端口与 FTP 使用的传输模式有关，如果采用主动模式，那么数据传输端口就是 20 ；如果采用被动模式，则具体最终使用哪个端口要服务器端和客户端协商决定。

DNS

DNS 通常为 UDP 协议, 报文格式

+-------------------------------+
| 报文头                         |
+-------------------------------+
| 问题 (向服务器提出的查询部分)    |
+-------------------------------+
| 回答 (服务器回复的资源记录)      |
+-------------------------------+
| 授权 (权威的资源记录)           |
+-------------------------------+
| 格外的 (格外的资源记录)         |
+-------------------------------+

查询包只有头部和问题两个部分， DNS 收到查询包后，根据查询到的信息追加回答信息、授权机构、额外资源记录，并且修改了包头的相关标识再返回给客户端。

每个 question 部分
```
   0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
 +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
 |                                               |
 /                     QNAME                     /
 /                                               /
 +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
 |                     QTYPE                     |
 +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
 |                     QCLASS                    |
 +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
```
- QNAME ：为查询的域名，是可变长的，编码格式为：将域名用. 号划分为多个部分，每个部分前面加上一个字节表示该部分的长度，最后加一个 0 字节表示结束
- QTYPE ：占 16 位，表示查询类型，共有 16 种，常用值有：1 ( A 记录，请求主机 IP 地址)、2 ( NS ，请求授权 DNS 服务器)、5 ( CNAME 别名查询）

WIFI
- 802.11 是现今无线局域网通用的标准, 常见认证方式
  - 不启用安全‍‍
  - WEP‍‍
  - WPA/WPA2-PSK（预共享密钥）‍‍
  - PA/WPA2 802.1X （radius 认证）
- WPA-PSK
  
  $[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-GKA8vdIp-1646818112879)( MISC.assets\wpa-psk.png)]$
$[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-7ccKIZdQ-1646818112879)( MISC.assets\eapol.png)]$
- 4 次握手开始于验证器 (AP)，它产生一个随机的值(ANonce) 发送给请求者
- 请求者也产生了它自己的随机 SNonce，然后用这两个 Nonces 以及 PMK 生成了 PTK。请求者回复消息 2 给验证器, 还有一个 MIC（message integrity code，消息验证码）作为 PMK 的验证
- 它先要验证请求者在消息 2 中发来的 MIC 等信息，验证成功后，如果需要就生成 GTK。然后发送消息 3
- 请求者收到消息 3，验证 MIC，安装密钥，发送消息 4，一个确认信息。验证器收到消息 4，验证 MIC，安装相同的密钥
USB
- 鼠标协议
鼠标移动时表现为连续性，与键盘击键的离散性不一样，不过实际上鼠标动作所产生的数据包也是离散的，毕竟计算机表现的连续性信息都是由大量离散信息构成的

$[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-oBvxQ6zh-1646818112879)( MISC.assets\mouse.png)]$

每一个数据包的数据区有四个字节，第一个字节代表按键，当取 0x00 时，代表没有按键、为 0x01 时，代表按左键，为 0x02 时，代表当前按键为右键。第二个字节可以看成是一个 signed byte 类型，其最高位为符号位，当这个值为正时，代表鼠标水平右移多少像素，为负时，代表水平左移多少像素。第三个字节与第二字节类似，代表垂直上下移动的偏移。

得到这些点的信息后, 即可恢复出鼠标移动轨迹

Tools
UsbMiceDataHacker
键盘协议

键盘数据包的数据长度为 8 个字节，击键信息集中在第 3 个字节

$[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-AKbeAeRb-1646818112880)( MISC.assets\keyboard.png)]$

$[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-GCOkmHJY-1646818112881)( MISC.assets\keyboard_pro.png)]$

一些工具和使用方法

16进制查看

010Editor： 16进制查看分析器
winhex：

解压密码

ARCHPR：爆破rar文件解压密码
小技巧：假如密码为abc+三位数字，破解时选择掩码类型，掩码为abc???，再把暴力范围设置为数字即可
ziperello ：爆破zip文件解压密码

隐写

Stegsolve：图片隐写分析
Stegdetect：识别加密方式，主要是jpeg的隐写查看
pngcheck： png图像隐写查看
TweakPNG ：查看和修改PNG文件的元信息（适用于文件头无法正常打开）
zsteg（kali） LSB隐写分析：把所有的最低位信息显示出来
wbstego： bmp，pdf等其他文件解密隐写
MP3Steno：音频隐写读取
ntfsstreamseditor NTF：数据流检测和提取

加解密

Bftools：

bftools.exe decode braincopter 要解密的图片名称 -o 要输出的文件名
bftools.exe run 上一步输出的文件
jphs ：jpeg图像的隐写，jphide的加密方式
outguess(kali): jpg 图像的隐写解密
使用格式：outguess -r 需要揭秘的文件名输出结果文件名
F5 ：一般用于解密文件信息
方法是cd到F5-steganography里面，然后调用
java Extract /root/Desktop/123456.jpg -p 123456
找到输出文件cat即可

其他

Bcompare：综合对比工具，包括文档，zip等
Cool-edit：音频文件查看编辑
jd-gui jar：文件反编译
Opanda：图片信息查看器，元数据
Q-research：二维码查看器，可反色
fireworks ：编辑图像，比ps差一点
RouterPassView：路由文件查看
file命令：识别文件类型
binwalk ：固件扫描分析：自动发掘文件中的隐藏文件

常用的命令
binwalk 文件名（可以用file查看）
提取文件 -e

Foremost：文件还原工具：基于文件文件头和尾部信息以及文件的内建数据结构恢复文件的命令行工具
crunch 创建字典

格式
crunch <min-len> <max-len> [<charset string>] [options]
-b 指定输出文件的大小 类型有效值为KB、MB、GB、KIB，MIB，和GIB。前三种类型是基于1000，而最后三种类型是基于1024，注意数字与类型之间没有空格
-c 指定输出文件的行数，即包含密码的个数
-d 限制出现相同元素的个数(至少出现元素个数)(“@”代表小写字母，“,”代表大写字符，“%”代表数字，“^”代表特殊字符)
-e 定义停止生产密码
-f 从某文件指定字符集，调用密码库文件
-i 改变输出格式 
-o 输出文件名称
-q 读取某文件
-t 指定模式

aircrack-ng：无线渗透工具破解wep，wpa-psk等加密

一些常见的套路

文件套路

文件类型不同
文件头错误
文件合并

压缩文件的处理

zip伪加密：文件里有一位专门标识了文件是否加密
压缩源文件数据区：50 4B 03 04：这是头文件标记
压缩源文件目录区：
50 4B 01 02：目录中文件文件头标记
3F 00：压缩使用的 pkware 版本
14 00：解压文件所需 pkware 版本
00 00：全局方式位标记（有无加密，这个更改这里进行伪加密，改为09 00打开就会提示有密码了）
操作方法就是搜索504B0102，从50开始第九个，奇数表示加密，偶数表示不加密
rar伪加密：由于头部有校验，使用伪加密打开文件会报错，这时可以尝试伪加密，16进制打开找到第24个字节（一般是7下第二个）尾数为4表示加密，0表示未加密
压缩源文件目录结束标志：50 4B 05 06：目录结束标记

图片隐写

颜色差别
GIF多帧隐藏：颜色通道，对比隐写
Exif信息隐藏
图片修复：图片头，尾，CRC校验，长宽高修复
最低有效位LSB隐写
图片加密

附加式图片隐写

通常是用某种程序或者某种方法在载体文件中直接附加上需要被隐写的目标，然后将载体文件直接传输给接受者或者发布到网站上，然后接受者者根据方法提取出被隐写的消息，大致有两种经典方式，一是直接附加字符串，二是图种的形式出现。

附加字符串

大致操作
1. 打开图片确认图片是否异常
2. 使用strings检查图片
  
  附上strings的使用大致方法
  
  strings命令在对象文件或二进制文件中查找可打印的字符串。字符串是4个或更多可打印字符的任意序列，以换行符或空字符结束。 strings命令对识别随机对象文件很有用。
  
  选项：
  - -a --all：扫描整个文件而不是只扫描目标文件初始化和装载段
  - -f –print-file-name：在显示字符串前先显示文件名
  - -t --radix={o,d,x} ：输出字符的位置，基于八进制，十进制或者十六进制
  - -e --encoding={s,S,b,l,B,L} ：选择字符大小和排列顺序:s = 7-bit, S = 8-bit, {b,l} = 16-bit, {B,L} = 32-bit
3. 当然可以直接使用如winhex，010editor直接打开图片查看 ps：这个好像更简单！
图种

一种采用特殊方式将图片文件（如jpg格式）与rar文件结合起来的文件。该文件一般保存为jpg格式，可以正常显示图片，当有人获取该图片后，可以修改文件的后缀名，将图片改为rar压缩文件，并得到其中的数据。
图种这是一种以图片文件为载体，通常为jpg格式的图片，然后将zip等压缩包文件附加在图片文件后面。因为操作系统识别的过程中是，从文件头标志，到文件的结束标志位，当系统识别到图片的结束标志位后，默认是不再继续识别的，所以我们在通常情况下只能看到它是只是一张图片。

方法就是

先用file命令或者binwalk查看一波图片是不是纯图片

然后可以用binwalk -e或者foremost 来分离图种，也可以直接修改后缀

来个可能没怎么用到的方法 winhex

补充一个zip文件头 50 4B 03 04

先用它打开图片，然后找到这个文件头，从它开始到结尾的数据复制下来，到一个新文件，然后命名为zip格式即可！

基于文件结构的隐写

文件结构特指的是图片文件的文件结构，这里特别提一下PNG，尤其要掌握的是文件头数据块即IHDR块：包含宽，高，深度，颜色类型，压缩方法等，还有IDAT数据块，存储实际的数据，转义他可以存在多个，多以个对图片影响不大

宽度高度的修改的隐写

修改高度或者宽度

计算crc校验
隐写信息以IDAT块加入图片

利用pngcheck检查

pngcheck -v

LSB隐写

LSB，最低有效位，英文是Least Significant Bit
。我们知道图像像素一般是由RGB三原色（即红绿蓝）组成的，每一种颜色占用8位，0x00~0xFF，即一共有256种颜色，一共包含了256的3次方的颜色，颜色太多，而人的肉眼能区分的只有其中一小部分，这导致了当我们修改RGB颜色分量种最低的二进制位的时候，我们的肉眼是区分不出来的。

法宝就是stegsolve，zsteg！！！

简单一点儿的，直接切换通道就可以看到，复杂的需要提取

DCT域的JPG图片隐写

JPEG图像格式使用离散余弦变换（Discrete Cosine
Transform，DCT）函数来压缩图像，而这个图像压缩方法的核心是：通过识别每个8×8像素块中相邻像素中的重复像素来减少显示图像所需的位数，并使用近似估算法降低其冗余度。因此，我们可以把DCT看作一个用于执行压缩的近似计算方法。因为丢失了部分数据，所以DCT是一种有损压缩（Loss
Compression）技术，但一般不会影响图像的视觉效果。

常见的隐写方法有JSteg、JPHide、Outguess、F5

敲黑板！！！重点工具来了

Stegdetect

通过统计分析技术评估JPEG文件的DCT频率系数

-q 仅显示可能包含隐藏内容的图像。
-n 启用检查JPEG文件头功能，以降低误报率。如果启用，所有带有批注区域的文件将被视为没有被嵌入信息。如果JPEG文件的JFIF标识符中的版本号不是1.1，则禁用OutGuess检测。
-s 修改检测算法的敏感度，该值的默认值为1。检测结果的匹配度与检测算法的敏感度成正比，算法敏感度的值越大，检测出的可疑文件包含敏感信息的可能性越大。
-d 打印带行号的调试信息。
-t 设置要检测哪些隐写工具（默认检测jopi），可设置的选项如下：
j 检测图像中的信息是否是用jsteg嵌入的。
o 检测图像中的信息是否是用outguess嵌入的。
p 检测图像中的信息是否是用jphide嵌入的。
i 检测图像中的信息是否是用invisible secrets嵌入的。
-V 显示软件版本号。
如果检测结果显示该文件可能包含隐藏信息，那么Stegdetect会在检测结果后面使用1～3颗星来标识
隐藏信息存在的可能性大小，3颗星表示隐藏信息存在的可能性最大。

数字水印隐写

数字水印（digital watermark）技术，是指在数字化的数据内容中嵌入不明显的记号。
特征是，被嵌入的记号通常是不可见或不可察的，但是可以通过计算操作检测或者提取。

图片容差隐写

The core of the compression method is to reduce the number of bits required to display an image by identifying repeated pixels among adjacent pixels in each 8×8 pixel block, and use an approximate estimation method to reduce its redundancy. Therefore, we can think of DCT as an approximate computation method for performing compression. Because part of the data is lost, DCT is a lossy compression (Loss
Compression) technology, but it generally does not affect the visual effect of the image.

Common steganographic methods include JSteg, JPHide, Outguess, F5

Knock on the blackboard! ! ! The key tool is here

Bar detect

Evaluation of DCT frequency coefficients of JPEG files by statistical analysis techniques

-q 仅显示可能包含隐藏内容的图像。
-n 启用检查JPEG文件头功能，以降低误报率。如果启用，所有带有批注区域的文件将被视为没有被嵌入信息。如果JPEG文件的JFIF标识符中的版本号不是1.1，则禁用OutGuess检测。
-s 修改检测算法的敏感度，该值的默认值为1。检测结果的匹配度与检测算法的敏感度成正比，算法敏感度的值越大，检测出的可疑文件包含敏感信息的可能性越大。
-d 打印带行号的调试信息。
-t 设置要检测哪些隐写工具（默认检测jopi），可设置的选项如下：
j 检测图像中的信息是否是用jsteg嵌入的。
o 检测图像中的信息是否是用outguess嵌入的。
p 检测图像中的信息是否是用jphide嵌入的。
i 检测图像中的信息是否是用invisible secrets嵌入的。
-V 显示软件版本号。
如果检测结果显示该文件可能包含隐藏信息，那么Stegdetect会在检测结果后面使用1～3颗星来标识
隐藏信息存在的可能性大小，3颗星表示隐藏信息存在的可能性最大。

digital watermark steganography

Digital watermark (digital watermark) technology refers to embedding inconspicuous marks in digital data content.
Characteristically, embedded tokens are usually invisible or imperceptible, but can be detected or extracted through computational operations.

image tolerance steganography

Tolerance, the selection range set when selecting a color, the larger the tolerance, the larger the selection range, and its value is between 0-255.

Summary of simple miscellaneous items in CTF