MouseJack is very dangerous tool because with this tool you can hijack the wireless mouse or keyboard and do something horrible in target computer. Especially now many people use wireless mouse or keyboard. The attacker can take control target computer from a distance. Learn the hacker ways and protect yourself from that.
What Is MouseJack ??
MouseJack is a class of vulnerabilities that affects the vast majority of wireless, non-Bluetooth keyboards and mice. These peripherals are ‘connected’ to a host computer using a radio transceiver, commonly a small USB dongle. Since the connection is wireless, and mouse movements and keystrokes are sent over the air, it is possible to compromise a victim’s computer by transmitting specially-crafted radio signals using a device which costs as little as $15.
An attacker can launch the attack from up to 100 meters away. The attacker is able to take control of the target computer, without physically being in front of it, and type arbitrary text or send scripted commands. It is therefore possible to perform rapidly malicious activities without being detected.
The MouseJack exploit centers around injecting unencrypted keystrokes into a target computer. Mouse movements are usually sent unencrypted, and keystrokes are often encrypted (to prevent eavesdropping what is being typed). However the MouseJack vulnerability takes advantage of affected receiver dongles, and their associated software, allowing unencrypted keystrokes transmitted by an attacker to be passed on to the computer’s operating system as if the victim had legitimately typed them.
For more information on the MouseJack vulnerability, you can watch the video, read the MouseJack technical white paper, and view the list of affected devices.
The public advisories can be found here, and have been registered with CERT.
Source Code
This is code extending the mousejack tools https://github.com/RFStorm/mousejack.
Replay/transmit tools have been added to the original tools.
POC packets based on a Logitech Wireless Combo MK220 which consists of a K220 wireless keyboard and an M150 wireless mouse are included in the logs folder.
More details available here https://www.ckn.io/blog/2016/07/09/hijacking-wireless-mice-and-keyboards/
Install & Setup
Requirements
- SDCC (minimum version 3.1.0)
- GNU Binutils
- Python
- PyUSB
- platformio
Install dependencies on Ubuntu :
§ sudo apt-get install sdcc binutils python python-pip§ sudo pip install -U pip§ sudo pip install -U -I pyusb§ sudo pip install -U platformio
Supported Hardware
The following hardware has been tested and is known to work.
- CrazyRadio PA USB dongle
- SparkFun nRF24LU1+ breakout board
- Logitech Unifying dongle (model C-U0007, Nordic Semiconductor based)
Initialize the submodule
§ git submodule init§ git submodule update
Build the firmware
Flash over USB
nRF24LU1+ chips come with a factory programmed bootloader occupying the topmost 2KB of flash memory. The CrazyRadio firmware and RFStorm research firmware support USB commands to enter the Nordic bootloader.
Dongles and breakout boards can be programmed over USB if they are running one of the following firmwares :
- Nordic Semiconductor Bootloader
- CrazyRadio Firmware
- RFStorm Research Firmware
To flash the firmware over USB :
Flash a Logitech Unifying dongle
The most common Unifying dongles are based on the nRF24LU1+, but some use chips from Texas Instruments. This firmware is only supported on the nRF24LU1+ variants, which have a model number of C-U0007. The flashing script will automatically detect which type of dongle is plugged in, and will only attempt to flash the nRF24LU1+ variants.
To flash the firmware over USB onto a Logitech Unifying dongle :
Flash a Logitech Unifying dongle back to the original firmware
Download and extract the Logitech firmware image, which will be named RQR_012_005_00028.hex or similar. Then, run the following command to flash the Logitech firmware onto the dongle :
Flash over SPI using a Teensy
If your dongle or breakout board is bricked, you can alternatively program it over SPI using a Teensy.
This has only been tested with a Teensy 3.1/3.2, but is likely to work with other Arduino variants as well.
Build and Upload the Teensy Flasher
Connect the Teensy to the nRF24LU1+
Flash the nRF24LU1+
Usage
scanner
Pseudo-promiscuous mode device discovery tool, which sweeps a list of channels and prints out decoded Enhanced Shockburst packets.
usage: ./nrf24-scanner.py [-h] [-c N [N ...]] [-v] [-l] [-p PREFIX] [-d DWELL]
optional arguments:-h, --help show this help message and exit-c N [N ...], --channels N [N ...] RF channels-v, --verbose Enable verbose output-l, --lna Enable the LNA (for CrazyRadio PA dongles)-p PREFIX, --prefix PREFIX Promiscuous mode address prefix-d DWELL, --dwell DWELL Dwell time per channel, in milliseconds
Scan for devices on channels 1-5
Scan for devices with an address starting in 0xA9 on all channels
sniffer
Device following sniffer, which follows a specific nRF24 device as it hops, and prints out decoded Enhanced Shockburst packets from the device. This version has also been modified to log the packets to a log file
usage: ./nrf24-sniffer.py [-h] [-c N [N ...]] [-v] [-l] -a ADDRESS -o OUTPUT [-t TIMEOUT] [-k ACK_TIMEOUT] [-r RETRIES]optional arguments:-h, --help show this help message and exit-c N [N ...], --channels N [N ...] RF channels-v, --verbose Enable verbose output-l, --lna Enable the LNA (for CrazyRadio PA dongles)-a ADDRESS, --address ADDRESS Address to sniff, following as it changes channels-o OUTPUT, --output OUTPUT Output file to log the packets-t TIMEOUT, --timeout TIMEOUT Channel timeout, in milliseconds-k ACK_TIMEOUT, --ack_timeout ACK_TIMEOUT ACK timeout in microseconds, accepts [250,4000], step 250-r RETRIES, --retries RETRIES Auto retry limit, accepts [0,15]
Sniff packets from address 8C:D3:0F:3E:B4 on all channels and save them to output.log
replay/transmit
Replay captured packets or transmit generated ones. It follows a specific nRF24 device as it hops, and sends packets from a log file.
usage: ./nrf24-replay.py [-h] [-c N [N ...]] [-v] [-l] -a ADDRESS -i INPUT_FILE [-t TIMEOUT] [-k ACK_TIMEOUT] [-r RETRIES]optional arguments:-h, --help show this help message and exit-c N [N ...], --channels N [N ...] RF channels-v, --verbose Enable verbose output-l, --lna Enable the LNA (for CrazyRadio PA dongles)-a ADDRESS, --address ADDRESS Address to sniff, following as it changes channels-o INPUT_FILE, --input INPUT_FILE Input file that has the packets to sned-t TIMEOUT, --timeout TIMEOUT Channel timeout, in milliseconds-k ACK_TIMEOUT, --ack_timeout ACK_TIMEOUT ACK timeout in microseconds, accepts [250,4000], step 250-r RETRIES, --retries RETRIES Auto retry limit, accepts [0,15]
Send packets from file keystroke.log to address 8C:D3:0F:3E:B4 on hopping channel
network mapper
Star network mapper, which attempts to discover the active addresses in a star network by changing the last byte in the given address, and pinging each of 256 possible addresses on each channel in the channel list.
usage: ./nrf24-network-mapper.py [-h] [-c N [N ...]] [-v] [-l] -a ADDRESS [-p PASSES] [-k ACK_TIMEOUT] [-r RETRIES]optional arguments:-h, --help show this help message and exit-c N [N ...], --channels N [N ...] RF channels-v, --verbose Enable verbose output-l, --lna Enable the LNA (for CrazyRadio PA dongles)-a ADDRESS, --address ADDRESS Known address-p PASSES, --passes PASSES Number of passes (default 2)-k ACK_TIMEOUT, --ack_timeout ACK_TIMEOUT ACK timeout in microseconds, accepts [250,4000], step 250-r RETRIES, --retries RETRIES Auto retry limit, accepts [0,15]
Map the star network that address 61:49:66:82:03 belongs to
continuous tone test
The nRF24LU1+ chips include a test mechanism to transmit a continuous tone, the frequency of which can be verified if you have access to an SDR. There is the potential for frequency offsets between devices to cause unexpected behavior. For instance, one of the SparkFun breakout boards that was tested had a frequency offset of ~300kHz, which caused it to receive packets on two adjacent channels.
This script will cause the transceiver to transmit a tone on the first channel that is passed in.
usage: ./nrf24-continuous-tone-test.py [-h] [-c N [N ...]] [-v] [-l]optional arguments:-h, --help show this help message and exit-c N [N ...], --channels N [N ...] RF channels-v, --verbose Enable verbose output-l, --lna Enable the LNA (for CrazyRadio PA dongles)
Transmit a continuous tone at 2405MHz
packet generator script
This uses a dictionary to map keyboard presses to the equivalent packets. It reads stdin input and logs the mapped packets to logs/keystrokes.log. It will accept input until Ctrl+C is pressed.
Log files
The folder logs contains various pre-saved packets for various keyboard operations.
Shell.log is for exploitation of a Windows machine by running a powershell one-liner which connects back to the attacker machine.
The file keys.log serves as a reference where various key presses and combinations are mapped to their equivalent packets.
Demo
A demo of exploiting a Windows machine can be found here :
