MouseJack and the Crazyradio 2 dongle are a key combination for testing keyboard and mouse vulnerabilities in the most common manufacturers' products. Bastille found several kinds of vulnerabilities in these wireless devices, which make it possible to execute different types of attacks.
Table of Contents
Type of Attacks
- Keystroke Injection
- Force Pairing
- Fake Mouse
- Denial-of-Service
Manufacturers Affected
- Amazon Basics Keyboards
- Microsoft Keyboards
- Dell
- Lenovo
- Contact Me on Discord for More
Hardware
- CrazyRadio USB Dongle
- CrazyRadio Firmware
- nRF24LU1+ Chips
Crazy Radio: Keyboards and Mice under Attack
Flashing USB Dongle to support promiscuous mode
First we will replace the Crazyradio firmware on our dongle, allowing us to sniff and inject keystrokes into keyboard devices. The replacement firmware (nrf-research-firmware) is courtesy of Bastille Research and puts the USB dongle into promiscuous mode.
Install Dependencies
We need a few packages in order to use the USB dongle effectively.
sudo apt-get install sdcc binutils python python-pip git
Install Pip
pip is the package manager for the Python language; it is needed to install and manage all the dependencies of the USB stack.
sudo pip install -U pip
Install PyUSB
Here we need to pay attention to the pyusb version used; some versions are incompatible with most of the attack tools.
sudo pip install -U -I pyusb
Install Platformio
sudo pip install -U platformio
How to Install MouseJack
MouseJack comes with a set of research tools written in Python by Bastille to test the USB dongle's functionality: you can flash the firmware, sniff raw data, or even transmit a raw tone. First we will flash our USB dongle and test whether it is ready to sniff data.
MouseJack is available on GitHub
Clone The Repo
kali@rpi3:~$ git clone https://github.com/Offensive-Wireless/mousejack.git
kali@rpi3:~$ cd mousejack
kali@rpi3:~/mousejack$ git submodule init
kali@rpi3:~/mousejack$ git submodule update
Flash Radio Dongle
Now let's compile the research firmware and replace the Crazyradio firmware with it.
Dongles and breakout boards can be programmed over USB if they are running one of the following firmwares:
- Nordic Semiconductor Bootloader
- CrazyRadio Firmware
- RFStorm Research Firmware
kali@rpi3:~/mousejack$ cd nrf-research-firmware
kali@rpi3:~/mousejack/nrf-research-firmware$ make
Flash the firmware over USB
kali@rpi3:~/mousejack/nrf-research-firmware$ sudo make install
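A preflight check to run before `make install`, added here as an example; it is not part of MouseJack or of the research firmware. It parses `lsusb` output and reports whether a dongle running one of the three flashable firmwares listed above is attached, so you know in advance whether the USB flasher has anything to talk to. The VID:PID values are an assumption taken from memory of Bastille's USB flasher and are not given on this page; confirm them against your copy of nrf-research-firmware before relying on them. The sample `lsusb` lines are constructed.

```python
import re
import shutil
import subprocess

# Assumed VID:PID pairs for the three firmwares the flasher can talk to.
# These are NOT taken from this page; verify them against your copy of
# nrf-research-firmware (prog/usb-flasher) before trusting the result.
KNOWN_DONGLES = {
    (0x1915, 0x0101): "Nordic Semiconductor Bootloader",
    (0x1915, 0x7777): "CrazyRadio Firmware",
    (0x1915, 0x0102): "RFStorm Research Firmware",
}

# Standard `lsusb` line layout: "Bus 001 Device 004: ID 1915:7777 Nordic Semiconductor ASA"
LSUSB_RE = re.compile(
    r"Bus\s+(\d+)\s+Device\s+(\d+):\s+ID\s+([0-9a-fA-F]{4}):([0-9a-fA-F]{4})\s*(.*)"
)

# Constructed sample output: one unrelated hub, one Crazyradio, one ordinary receiver.
SAMPLE_LSUSB = """\
Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 001 Device 004: ID 1915:7777 Nordic Semiconductor ASA
Bus 001 Device 005: ID 046d:c52b Logitech, Inc. Unifying Receiver
"""


def parse_lsusb(text):
    """Parse `lsusb` output into (bus, device, vid, pid, description) tuples."""
    devices = []
    for line in text.splitlines():
        m = LSUSB_RE.match(line.strip())
        if m:
            bus, dev, vid, pid, desc = m.groups()
            devices.append((int(bus), int(dev), int(vid, 16), int(pid, 16), desc.strip()))
    return devices


def classify_dongles(devices):
    """Return (firmware_name, vid, pid) for every attached dongle the flasher recognises."""
    found = []
    for _bus, _dev, vid, pid, _desc in devices:
        name = KNOWN_DONGLES.get((vid, pid))
        if name:
            found.append((name, vid, pid))
    return found


def flash_readiness(lsusb_text):
    """Summarise whether `sudo make install` has a flashable dongle to work with.

    Returns a dict with:
      ready    - True if at least one recognised dongle is attached
      dongles  - the recognised dongles, as (firmware_name, vid, pid)
      message  - a one-line human-readable verdict
    """
    dongles = classify_dongles(parse_lsusb(lsusb_text))
    if not dongles:
        return {"ready": False, "dongles": [],
                "message": "no flashable dongle found; check the USB connection"}
    names = ", ".join(f"{n} ({v:04x}:{p:04x})" for n, v, p in dongles)
    note = ""
    if any(n == "RFStorm Research Firmware" for n, _, _ in dongles):
        note = "; a dongle already runs the research firmware, reflashing is optional"
    return {"ready": True, "dongles": dongles,
            "message": f"flashable dongle(s) found: {names}{note}"}


def live_lsusb_text():
    """Read real `lsusb` output when available; fall back to the constructed sample."""
    if shutil.which("lsusb"):
        return subprocess.run(["lsusb"], capture_output=True, text=True, check=False).stdout
    return SAMPLE_LSUSB


if __name__ == "__main__":
    print(flash_readiness(live_lsusb_text())["message"])
```

Run it on the attack laptop before `sudo make install`; if it reports no flashable dongle, the Makefile's flasher will have nothing to talk to and the problem is the USB connection or an unrecognised firmware, not the build.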
NRF24 Scanner
usage: ./nrf24-scanner.py [-h] [-c N [N ...]] [-v] [-l] [-p PREFIX] [-d DWELL]
optional arguments:
-h, --help show this help message and exit
-c N [N ...], --channels N [N ...] RF channels
-v, --verbose Enable verbose output
-l, --lna Enable the LNA (for CrazyRadio PA dongles)
-p PREFIX, --prefix PREFIX Promiscuous mode address prefix
-d DWELL, --dwell DWELL Dwell time per channel, in milliseconds
NRF24 Sniffer
usage: ./nrf24-sniffer.py [-h] [-c N [N ...]] [-v] [-l] -a ADDRESS [-t TIMEOUT] [-k ACK_TIMEOUT] [-r RETRIES]
optional arguments:
-h, --help show this help message and exit
-c N [N ...], --channels N [N ...] RF channels
-v, --verbose Enable verbose output
-l, --lna Enable the LNA
-a ADDRESS, --address ADDRESS Address to sniff, following as it changes channels
-t TIMEOUT, --timeout TIMEOUT Channel timeout, in milliseconds
-k ACK_TIMEOUT, --ack_timeout ACK_TIMEOUT ACK timeout in microseconds, accepts [250,4000], step 250
-r RETRIES, --retries RETRIES Auto retry limit, accepts [0,15]
NRF24 Network Mapper
usage: ./nrf24-network-mapper.py [-h] [-c N [N ...]] [-v] [-l] -a ADDRESS [-p PASSES] [-k ACK_TIMEOUT] [-r RETRIES]
optional arguments:
-h, --help show this help message and exit
-c N [N ...], --channels N [N ...] RF channels
-v, --verbose Enable verbose output
-l, --lna Enable the LNA
-a ADDRESS, --address ADDRESS Known address
-p PASSES, --passes PASSES Number of passes (default 2)
-k ACK_TIMEOUT, --ack_timeout ACK_TIMEOUT ACK timeout in microseconds, accepts [250,4000], step 250
-r RETRIES, --retries RETRIES Auto retry limit, accepts [0,15]
NRF24 Continuous Tone Test
usage: ./nrf24-continuous-tone-test.py [-h] [-c N [N ...]] [-v] [-l]
optional arguments:
-h, --help show this help message and exit
-c N [N ...], --channels N [N ...] RF channels
-v, --verbose Enable verbose output
-l, --lna Enable the LNA
How to Install JackIt
kali@rpi3:~$ git clone https://github.com/Offensive-Wireless/jackit.git
kali@rpi3:~$ cd jackit
kali@rpi3:~/jackit$ sudo pip install -e .
Sniff Wireless Keyboards using JackIt
kali@rpi3:~$ sudo jackit
CVEs List
MouseJack Announced by Bastille in 2016