Mousejack and Crazy Radio 2 are a key combination for testing keyboards and mice vulnerabilities on most common manufactures. Bastille found different kind of vulnerabilities against these wireless devices, it is possible to execute different types of attacks.
Type of Attacks
- Keystroke Injection
- Force Pairing
- Fake Mouse
- Denial-of-Service
Manufactures Affected
- Amazon Basics Keyboards
- Microsoft Keyboards
- Dell
- Lenovo
- Contact Me on Discord for More
Hardware
- CrazyRadio USB Dongle
- CrazyRadio Firmware
- nRF24LU1+ Chips
Crazy Radio Keyboard and Mices under Attack
Flashing USB Dongle to support promiscuous mode
First we will change our crazyradio-firmware from our device allowing us to sniff and inject keystrokes into keyboards devices. The crazyflie-firmware is courtesy of Bastille Research and can allow the USB dongle to promiscuous mode.
Install Dependencies
Wse need a few packages in order to effectively use the USB dongle.
sudo apt-get install sdcc binutils python python-pip gitInstall Pip
Pip is a package manager for Python language it is necessary to install it to manage all dependencies related to USB stack.
sudo pip install -U pipInstall PyUSB
Here we need to pay attention to pyusb version used, some versions are incompatible with most attacking tools.
sudo pip install -U -I pyusbInstall Platformio
sudo pip install -U platformioHow to Install MouseJack
Mousejack have a pack of research tools created in Python by Bastille to test the USB dongle functionality, it is possible to flash the firmware and sniff raw data or even send raw tons. First we will flash our usb dongle and test if ready to sniff data.
Mousejack is avaiable at GitHub
Clone The Repo
kali@rpi3:~$ git clone https://github.com/Offensive-Wireless/mousejack.gitkali@rpi3:~$ git submodule initFlash Radio Dongle
Now lets compile our firmware and update crazyradio firmware with the new one.
Dongles and breakout boards can be programmed over USB if they are running one of the following firmwares:
- Nordic Semiconductor Bootloader
- CrazyRadio Firmware
- RFStorm Research Firmware
kali@rpi3:~$ cd nrf-research-firmware
kali@rpi3:~$ makeFlash the firmware over USB
kali@rpi3:~$ sudo make installNRF24 Scanner
usage: ./nrf24-scanner.py [-h] [-c N [N ...]] [-v] [-l] [-p PREFIX] [-d DWELL]
optional arguments:
-h, --help show this help message and exit
-c N [N ...], --channels N [N ...] RF channels
-v, --verbose Enable verbose output
-l, --lna Enable the LNA (for CrazyRadio PA dongles)
-p PREFIX, --prefix PREFIX Promiscuous mode address prefix
-d DWELL, --dwell DWELL Dwell time per channel, in millisecondsNRF24 Sniffer
usage: ./nrf24-sniffer.py [-h] [-c N [N ...]] [-v] [-l] -a ADDRESS [-t TIMEOUT] [-k ACK_TIMEOUT] [-r RETRIES]
optional arguments:
-h, --help show this help message and exit
-c N [N ...], --channels N [N ...] RF channels
-v, --verbose Enable verbose output
-l, --lna Enable the LNA
-a ADDRESS, --address ADDRESS Address to sniff, following as it changes channels
-t TIMEOUT, --timeout TIMEOUT Channel timeout, in milliseconds
-k ACK_TIMEOUT, --ack_timeout ACK_TIMEOUT ACK timeout in microseconds, accepts [250,4000], step 250
-r RETRIES, --retries RETRIES Auto retry limit, accepts [0,15]NRF24 Network Mapper
usage: ./nrf24-network-mapper.py [-h] [-c N [N ...]] [-v] [-l] -a ADDRESS [-p PASSES] [-k ACK_TIMEOUT] [-r RETRIES]
optional arguments:
-h, --help show this help message and exit
-c N [N ...], --channels N [N ...] RF channels
-v, --verbose Enable verbose output
-l, --lna Enable the LNA
-a ADDRESS, --address ADDRESS Known address
-p PASSES, --passes PASSES Number of passes (default 2)
-k ACK_TIMEOUT, --ack_timeout ACK_TIMEOUT ACK timeout in microseconds, accepts [250,4000], step 250
-r RETRIES, --retries RETRIES Auto retry limit, accepts [0,15]NRF24 Continuous Tone Test
usage: ./nrf24-continuous-tone-test.py [-h] [-c N [N ...]] [-v] [-l]
optional arguments:
-h, --help show this help message and exit
-c N [N ...], --channels N [N ...] RF channels
-v, --verbose Enable verbose output
-l, --lna Enable the LNA How to Install JackIt
kali@rpi3:~$ git clone https://github.com/Offensive-Wireless/jackit.gitkali@rpi3:~$ cd jackitkali@rpi3:~$ sudo pip install -e .Sniff Wireless Keyboards using JackIt
kali@rpi3:~$ sudo jackitCVEs List
MouseJack Announced by Bastille in 2016
How To install rtl_433
